Tivoli® Identity Manager
Server Installation and Configuration Guide for WebSphere Environments
Version 4.6
SC32-1750-01
Note:
Before using this information and the product it supports, read the information in Appendix F, “Notices,” on page 145.
First Edition (June 2005)
This edition applies to version 4.6 of Tivoli Identity Manager and to all subsequent releases and modifications until
otherwise indicated in new editions.
This edition merges and replaces SC32-1148-02 and SC32-1147-03.
This product includes Adaptx, a free XSLT Processor. (C) 1998-2002 Keith Visco and Contributors.
© Copyright International Business Machines Corporation 2003, 2006. All rights reserved.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract
with IBM Corp.
Contents
Preface . . . . . . . . . . . . . . vii
Who should read this book . . . . . . . . . vii
Publications and related information . . . . . . vii
Tivoli Identity Manager library . . . . . . . vii
Prerequisite product publications . . . . . . ix
Related publications . . . . . . . . . . . x
Accessing publications online . . . . . . . xi
Accessibility . . . . . . . . . . . . . . xi
Support information . . . . . . . . . . . xi
Conventions used in this book . . . . . . . . xi
Typeface conventions . . . . . . . . . . xii
Operating system differences . . . . . . . xii
Definitions for HOME and other directory
variables . . . . . . . . . . . . . . xii
Special terms . . . . . . . . . . . . xiv
Chapter 1. Overview of the Tivoli Identity
Manager Environment . . . . . . . . . 1
Tivoli Identity Manager components . . . . . . 1
Adapters overview . . . . . . . . . . . 2
WebSphere Application Server products . . . . 2
Database server products . . . . . . . . . 3
Directory server products . . . . . . . . . 4
HTTP server and WebSphere Web Server plug-in 4
Configuration options . . . . . . . . . . . 4
Single-server configurations . . . . . . . . 4
Cluster configuration . . . . . . . . . . 5
Overview of the installation . . . . . . . . . 7
Planning activities for deployments at large sites . . 9
Chapter 2. Installing and configuring a
database . . . . . . . . . . . . . . 11
Before you install the database product . . . . . 11
Installing and configuring IBM DB2 Universal
Database . . . . . . . . . . . . . . . 12
Recording user data and ensuring that
installation succeeds . . . . . . . . . . 12
Installing the required fix packs . . . . . . 13
Configuring the DB2 server . . . . . . . . 13
Configuring the DB2 JDBC driver . . . . . . 16
Determining the correct service listening port and
service name . . . . . . . . . . . . . 18
Tuning performance . . . . . . . . . . 19
Installing and configuring the Oracle database . . . 19
Before you create a database . . . . . . . . 20
Creating the Tivoli Identity Manager database . . 21
Starting the Oracle product and the listener
service . . . . . . . . . . . . . . . 23
Installing and configuring SQL Server 2000 on the
Windows operating system . . . . . . . . . 23
Preparing to install SQL Server 2000 . . . . . 23
Installing SQL Server 2000 . . . . . . . . 23
Configuring SQL Server 2000 . . . . . . . 24
Chapter 3. Installing and configuring a
directory server . . . . . . . . . . . 25
Before you install the directory server product . . . 25
Installing and configuring IBM Tivoli Directory
Server . . . . . . . . . . . . . . . . 25
Installing IBM Tivoli Directory Server . . . . 25
Installing the required fix packs . . . . . . 26
Setting up the IBM Tivoli Directory Server . . . 26
Avoiding port conflicts . . . . . . . . . 31
Installing and configuring Sun ONE Directory
Server . . . . . . . . . . . . . . . . 31
Installing the Sun ONE Directory Server . . . . 31
Configuring the Sun ONE Directory Server . . . 32
Chapter 4. Installing and configuring
WebSphere Application Server . . . . 33
Before you install the WebSphere Application Server 33
Meeting installation requirements . . . . . . 33
Solaris: Setting additional kernel parameters for
WebSphere embedded messaging . . . . . . 33
AIX: Validating port 9090 is available for the
WebSphere Application Server administrative
host . . . . . . . . . . . . . . . . 34
UNIX: Creating groups and users before
installing WebSphere embedded messaging . . . 34
Installing the WebSphere Application Server base
product, IBM HTTP Server, and WebSphere Web
Server plug-in . . . . . . . . . . . . . 35
Installing the IBM HTTP Server . . . . . . . 36
Creating a cluster configuration . . . . . . . 36
Installing the deployment manager . . . . . 37
Installing the WebSphere Application Server base
product on each node . . . . . . . . . . 37
Adding nodes to a cell . . . . . . . . . 38
Verifying that the deployment manager, node
agents, and JMS servers are running . . . . . 38
Creating a cluster . . . . . . . . . . . 39
Resolving port conflicts . . . . . . . . . . 40
Optionally configuring security for Tivoli Identity
Manager . . . . . . . . . . . . . . . 40
Configuring security manually for single-node
deployments before installing Tivoli Identity
Manager . . . . . . . . . . . . . . 41
Configuring security manually for multi-node
deployments before installing Tivoli Identity
Manager . . . . . . . . . . . . . . 42
Disabling security . . . . . . . . . . . 45
Moving the HTTP server out of the cell for
additional security . . . . . . . . . . . 45
Chapter 5. Installing Tivoli Identity
Manager in a single-server
configuration . . . . . . . . . . . . 47
Before you begin . . . . . . . . . . . . 47
© Copyright IBM Corp. 2003, 2006 iii
Overview of the installation program in a
single-server configuration . . . . . . . . . 48
Starting the installation wizard . . . . . . . 50
Completing the installation wizard pages . . . 50
Responding to major installation actions . . . . 52
Verifying that the Tivoli Identity Manager Server
is operational . . . . . . . . . . . . . 56
UNIX: Sourcing the DB2 Universal Database
profile . . . . . . . . . . . . . . . 57
Optionally installing a language pack . . . . . 58
Preparing to install adapters . . . . . . . . 58
Chapter 6. Installing Tivoli Identity
Manager in a cluster configuration . . . 61
Before you begin . . . . . . . . . . . . 61
Overview of the installation program in a cluster
configuration . . . . . . . . . . . . . . 62
Starting the installation wizard . . . . . . . . 65
Completing the installation wizard pages . . . . 65
Responding to major installation actions . . . . . 68
Starting a cluster . . . . . . . . . . . . 72
Verifying that the Tivoli Identity Manager Server is
operational . . . . . . . . . . . . . . 72
UNIX: Sourcing the DB2 Universal Database profile 73
Optionally installing a language pack . . . . . . 74
Changing cluster configurations after Tivoli Identity
Manager is installed . . . . . . . . . . . 74
Expanding a cluster using a new computer . . . 74
Removing cluster members . . . . . . . . 75
Generating the WebSphere Web Server plug-in
configuration file . . . . . . . . . . . 75
Preparing to install adapters . . . . . . . . . 76
Chapter 7. Configuring the Tivoli
Identity Manager Server . . . . . . . 77
Configuring the Tivoli Identity Manager database 77
Completing the database configuration windows 77
Manually starting the DBConfig database
configuration tool . . . . . . . . . . . 78
Configuring the directory server . . . . . . . 79
Completing the directory server configuration
windows . . . . . . . . . . . . . . 79
Manually running the ldapConfig configuration
tool . . . . . . . . . . . . . . . . 79
Configuring commonly used system properties . . 80
Manually starting the system configuration tool 80
General tab . . . . . . . . . . . . . 80
Directory tab . . . . . . . . . . . . . 82
Database tab . . . . . . . . . . . . . 83
Logging tab . . . . . . . . . . . . . 84
Mail tab . . . . . . . . . . . . . . 84
UI tab . . . . . . . . . . . . . . . 85
Security tab . . . . . . . . . . . . . 86
Optionally configuring security after installing Tivoli
Identity Manager . . . . . . . . . . . . 87
Mapping an administrative user to a role . . . 88
Ensuring that the was.policy file exists . . . . 88
Updating the system user and the EJB user . . . 88
Running Java 2 security on single-node
deployments . . . . . . . . . . . . . 89
Running Java 2 security on multi-node
deployments . . . . . . . . . . . . . 89
Modifying system properties during normal
operation . . . . . . . . . . . . . . . 90
Modifying system properties with the system
configuration tool . . . . . . . . . . . 90
Modifying system properties manually . . . . 90
Modifying system properties with the Tivoli
Identity Manager GUI . . . . . . . . . . 91
Chapter 8. Troubleshooting and
verifying the installation . . . . . . . 93
Correcting problems starting the installation . . . 93
Verifying the installation . . . . . . . . . . 93
Testing the database connection . . . . . . 94
Ensuring that the directory server is running . . 95
Ensuring that the HTTP server is running . . . 96
Ensuring that WebSphere embedded messaging
is running . . . . . . . . . . . . . . 97
Ensuring that the WebSphere Application Server
is running . . . . . . . . . . . . . . 98
Checking the Web browser operation . . . . . 99
Troubleshooting the Tivoli Identity Manager
startup . . . . . . . . . . . . . . 100
Logs and directories . . . . . . . . . . . 102
Chapter 9. Uninstalling the Tivoli
Identity Manager Server . . . . . . . 105
What is not removed . . . . . . . . . . . 105
Before you begin . . . . . . . . . . . . 105
Steps to uninstall the Tivoli Identity Manager
Server . . . . . . . . . . . . . . . . 105
Verifying that the Tivoli Identity Manager Server is
uninstalled . . . . . . . . . . . . . . 106
Manually removing components . . . . . . . 106
Manually removing the Tivoli Identity Manager
Server from the WebSphere Application Server . 106
Manually removing other files or directories . . 106
Ensuring that Tivoli Identity Manager objects
are removed from the Sun ONE Directory
Server . . . . . . . . . . . . . . . 107
Appendix A. Installation images and
fix packs . . . . . . . . . . . . . 109
Installation images . . . . . . . . . . . 109
Verifying the fix pack level . . . . . . . . . 109
Obtaining fix packs . . . . . . . . . . . 110
Appendix B. Worksheets . . . . . . 111
Tivoli Identity Manager information for the
database . . . . . . . . . . . . . . . 111
Tivoli Identity Manager information for the
directory server . . . . . . . . . . . . . 112
Tivoli Identity Manager information . . . . . . 113
WebSphere Application Server: single-server
installation . . . . . . . . . . . . . . 114
WebSphere Application Server: cluster installation 114
iv IBM Tivoli Identity Manager: Server Installation and Configuration Guide for WebSphere Environments
Appendix C. Upgrading from Tivoli
Identity Manager Version 4.5.1 to
Version 4.6 . . . . . . . . . . . . 115
Processes and settings that the upgrade process
preserves . . . . . . . . . . . . . . . 117
Processes and settings that are not preserved, or
require manual upgrade . . . . . . . . . . 117
Before you begin . . . . . . . . . . . . 118
Upgrading a single-server configuration . . . . 119
Upgrading a cluster configuration . . . . . . 121
Post-migration tasks . . . . . . . . . . . 123
Preserving customized data manually . . . . . 123
Upgrading Crystal Reports . . . . . . . . . 124
Correcting upgrade problems . . . . . . . . 124
Appendix D. Steps that the installation
program takes to configure the
WebSphere environment . . . . . . 127
Before you begin . . . . . . . . . . . . 127
Configuring resources for the Tivoli Identity
Manager Server . . . . . . . . . . . . 128
Setting environment properties . . . . . . 128
Setting transaction service properties . . . . 129
Creating J2C authentication data entries . . . 129
Creating the JDBC driver and the WebSphere
Application Server data source . . . . . . 130
Creating Tivoli Identity Manager JMS objects at
the cell level . . . . . . . . . . . . . 131
Creating Tivoli Identity Manager JMS objects at
the server level . . . . . . . . . . . . 132
Creating message listener ports . . . . . . 134
Configuring the internal JMS server . . . . . 137
Updating the JVM classpath . . . . . . . 137
Overriding client encoding . . . . . . . . 138
Deploying and configuring the Tivoli Identity
Manager J2EE application . . . . . . . . . 138
Deploying Tivoli Identity Manager on the
WebSphere Application Server . . . . . . . 138
Configuring application classloader settings . . 139
Regenerating the WebSphere Web Server plug-in 139
Configuring the JAAS login module . . . . . 139
Configuring the JAAS login module for JNDI
feed . . . . . . . . . . . . . . . 139
Appendix E. Support information . . . 141
Searching knowledge bases . . . . . . . . . 141
Search the information center on your local
system or network . . . . . . . . . . . 141
Search the Internet . . . . . . . . . . 141
Obtaining fixes . . . . . . . . . . . . . 142
Contacting IBM Software Support . . . . . . 142
Determine the business impact of your problem 143
Describe your problem and gather background
information . . . . . . . . . . . . . 143
Submit your problem to IBM Software Support 144
Appendix F. Notices . . . . . . . . 145
Trademarks . . . . . . . . . . . . . . 146
Glossary . . . . . . . . . . . . . 149
Index . . . . . . . . . . . . . . . 155
Preface
This guide for the IBM® Tivoli® Identity Manager Server describes how to install
and configure the Tivoli Identity Manager Server in a WebSphere® environment.
Who should read this book
This book is intended for system and security administrators who install, maintain,
or administer software on their computer systems. Readers are expected to
understand system and security administration concepts. Additionally, the reader
must understand administration concepts for the following types of products:
v Database server
v Directory server
v Application server
v Messaging support
v IBM HTTP Server
Publications and related information
Read the descriptions of the Tivoli Identity Manager library. To determine which
additional publications you might find helpful, read the “Prerequisite product
publications” on page ix and the “Related publications” on page x. After you
determine the publications you need, refer to the instructions in “Accessing
publications online” on page xi.
Tivoli Identity Manager library
The publications in the Tivoli Identity Manager technical documentation library are
organized into the following categories:
v Release information
v Planning for installation, configuration, and customization
v Online user assistance
v Server installation and configuration
v Problem determination
v Technical supplements
v Adapter installation and configuration
Release Information:
v IBM Tivoli Identity Manager Release Notes
Provides software and hardware requirements for Tivoli Identity Manager, and
additional fix, patch, and other support information.
v IBM Tivoli Identity Manager Documentation Read This First Card
Lists the Tivoli Identity Manager publications.
Planning for installation, configuration, and customization:
IBM Tivoli Identity Manager Planning for Deployment Guide describes the
components, functions, and capabilities of the product, explains how the product
can impact the infrastructure of an organization, recommends guidelines for
managing the implementation of the product, and recommends strategies for
integrating identity management capabilities into a production environment.
Online user assistance:
Provides online help topics and an information center for all Tivoli Identity
Manager administrative tasks. The information center includes information that
was previously provided in the IBM Tivoli Identity Manager Configuration Guide and
the IBM Tivoli Identity Manager Policy and Organization Administration Guide.
Server installation and configuration:
IBM Tivoli Identity Manager Server Installation and Configuration Guide for WebSphere
Environments provides installation and configuration information for Tivoli Identity
Manager.
Configuration information that was previously provided in the IBM Tivoli Identity
Manager Configuration Guide is now included in either the installation guide or in
the IBM Tivoli Identity Manager Information Center.
Problem determination:
IBM Tivoli Identity Manager Problem Determination Guide provides problem
determination, logging, and message information for the Tivoli Identity Manager
product.
Technical supplements:
The following technical supplements are provided by developers or by other
groups who are interested in this product:
v IBM Tivoli Identity Manager Performance Tuning Guide
Provides information needed to tune Tivoli Identity Manager Server for a
production environment. It is available on the Web at:
http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
Click the I character in the A-Z product list, and then, click the IBM Tivoli
Identity Manager link. Browse the information center for the Technical
Supplements section.
v Redbooks and white papers are available on the Web at:
http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliIdentityManager.html
Browse to the Self Help section, in the Learn category, and click the Redbooks
link.
v Technotes are available on the Web at:
http://www.redbooks.ibm.com/redbooks.nsf/tips/
v Field guides are available on the Web at:
http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html
v For an extended list of other Tivoli Identity Manager resources, search the
following IBM developerWorks Web site:
http://www.ibm.com/developerworks/
Adapter installation and configuration:
The Tivoli Identity Manager Server technical documentation library includes
documentation for the adapter components of a Tivoli Identity Manager
implementation. Locate adapter documentation on the Web at:
http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
Click the I character in the A-Z product list, and then, click the IBM Tivoli
Identity Manager link.
Locate Tivoli Identity Manager adapters on the Web at:
http://www.lotus.com/services/passport.nsf/WebDocs/Passport_Advantage_Home
Skills and training:
Education solutions for Tivoli Identity Manager cover these topics:
v Planning
v Basic and Advanced Administration
v Installation and Configuration
v Workflows
You also have the option of requesting custom training that is tailored to your
needs. For more information, road maps, and schedules, access this IBM Tivoli
Education Web site:
http://www.ibm.com/software/tivoli/education
You can also e-mail these education delivery addresses:
v Americas: [email protected]
v Asia Pacific: [email protected]
v Europe, the Middle East, and Africa (EMEA): [email protected]
Additional skills and technical training information might be available at these
Web sites
v IBM Professional Certification
http://www.ibm.com/certify/
Search on "identity manager" to locate available classes and certification
offerings.
v Virtual Skills Center for Tivoli Software on the Web at:
http://www.cgselearning.com/tivoliskills/
v Tivoli Technical Exchange on the Web at:
http://www.ibm.com/software/sysmgmt/products/support/supp_tech_exch.html
Prerequisite product publications
To use the information in this book effectively, you must have knowledge of the
products that are prerequisites for Tivoli Identity Manager Server. Publications are
available from the following locations:
v Operating systems
– IBM AIX®
http://www16.boulder.ibm.com/pseries/en_US/infocenter/base/aix52.htm
– Sun Solaris
http://docs.sun.com/db?q=solaris+9
– Red Hat Linux™
http://www.redhat.com/docs/
– Microsoft® Windows Server™ 2003
http://www.microsoft.com/windowsserver2003/proddoc/default.mspx
v Database servers
– IBM DB2 Universal Database™
- Support: http://www.ibm.com/software/data/db2/udb/support.html
- Information center: http://publib.boulder.ibm.com/infocenter/db2help/index.jsp
- Documentation: http://www.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/v8pubs.d2w/en_main
- DB2® product family: http://www.ibm.com/software/data/db2
- Fix packs: http://www.ibm.com/software/data/db2/udb/support/downloadv8.html
- System requirements: http://www.ibm.com/software/data/db2/udb/sysreqs.html
– Oracle
http://www.oracle.com/technology/documentation/index.html
http://otn.oracle.com/tech/index.html
http://otn.oracle.com/tech/linux/index.html
– Microsoft SQL Server 2000
http://www.msdn.com/library/
http://www.microsoft.com/sql/
v Directory server applications
– IBM Tivoli Directory Server
Version 5.2: http://publib.boulder.ibm.com/tividd/td/IBMDS/IDSapinst52/en_US/HTML/ldapinst.htm
Version 6.0: http://publib.boulder.ibm.com/infocenter/tiv2help/index.jsp?toc=/com.ibm.IBMDS.doc/toc.xml
– Sun ONE Directory Server
http://docs.sun.com/app/docs/coll/S1_DirectoryServer_52
v IBM WebSphere® Application Server
Additional information is available in the product directory or on these Web sites:
http://publib.boulder.ibm.com/infocenter/ws51help/index.jsp
http://www.redbooks.ibm.com/
v WebSphere embedded messaging
http://www.ibm.com/software/integration/wmq/
v IBM HTTP Server
http://www.ibm.com/software/webservers/httpservers/library.html
Related publications
Information that is related to Tivoli Identity Manager Server is available in the
following publications:
v The Tivoli Software Library provides a variety of Tivoli publications such as
white papers, datasheets, demonstrations, redbooks, and announcement letters.
The Tivoli Software Library is available on the Web at:
http://www.ibm.com/software/tivoli/literature/
v The Tivoli Software Glossary includes definitions for many of the technical terms
related to Tivoli software. The Tivoli Software Glossary is available from the
Glossary link of the Tivoli Software Library Web page at:
http://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm
Accessing publications online
IBM posts publications for this and all other Tivoli products, as they become
available and whenever they are updated, to the Tivoli software information center
Web site. Access the Tivoli software information center at the following Web
address:
http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
Click the I character in the A-Z list, and then click the IBM Tivoli Identity
Manager link to access the product library.
Note: If you print PDF documents on other than letter-sized paper, set the option
in the File → Print window that allows Adobe Reader to print letter-sized
pages on your local paper.
Accessibility
The product documentation includes the following features to aid accessibility:
v Documentation is available in convertible PDF format to give the maximum
opportunity for users to apply screen-reader software.
v All images in the documentation are provided with alternative text so that users
with vision impairments can understand the contents of the images.
Support information
If you have a problem with your IBM software, you want to resolve it quickly. IBM
provides the following ways for you to obtain the support you need:
v Searching knowledge bases: You can search across a large collection of known
problems and workarounds, Technotes, and other information.
v Obtaining fixes: You can locate the latest fixes that are already available for your
product.
v Contacting IBM Software Support: If you still cannot solve your problem, and
you need to work with someone from IBM, you can use a variety of ways to
contact IBM Software Support.
For more information about these ways to resolve problems, see Appendix E,
“Support information,” on page 141.
Conventions used in this book
This reference uses several conventions for special terms and actions and for
operating system-dependent commands and paths.
Typeface conventions
This guide uses the following typeface conventions:
Bold
v Lowercase commands and mixed case commands that are otherwise
difficult to distinguish from surrounding text
v Interface controls (check boxes, push buttons, radio buttons, spin
buttons, fields, folders, icons, list boxes, items inside list boxes,
multicolumn lists, containers, menu choices, menu names, tabs, property
sheets), labels (such as Tip:, and Operating system considerations:)
v Keywords and parameters in text
Italic
v Words defined in text
v Emphasis of words (words as words)
v New terms in text (except in a definition list)
v Variables and values you must provide
Monospace
v Examples and code examples
v File names, programming keywords, and other elements that are difficult
to distinguish from surrounding text
v Message text and prompts addressed to the user
v Text that the user must type
v Values for arguments or command options
Changed text
Changed text is indicated by a vertical line (|) in the margin.
Operating system differences
This guide uses the UNIX® convention for specifying environment variables and
for directory notation.
When using the Windows® command line, replace $variable with %variable% for
environment variables and replace each forward slash (/) with a backslash (\) in
directory paths. The names of environment variables are not always the same in
Windows and UNIX. For example, %TEMP% in the Windows operating system is
equivalent to $tmp in a UNIX operating system.
Note: If you are using the bash shell on a Windows system, you can use the UNIX
conventions.
Definitions for HOME and other directory variables
The following table contains the default definitions that are used in this guide to
represent the HOME directory level for various product installation paths. You can
customize the installation directory and HOME directory for your specific
implementation. If this is the case, you need to make the appropriate substitution
for the definition of each variable represented in this table.
The value of path varies for these operating systems:
v Windows: drive:\Program Files
v AIX: /usr
v Other UNIX: /opt
Each path variable is listed with its description and its default definition for each operating system.
DB_INSTANCE_HOME
The directory that contains the database for Tivoli Identity Manager.
v Windows: path\IBM\SQLLIB
v UNIX:
– AIX, Linux: /home/dbinstancename
– Solaris: /export/home/dbinstancename
LDAP_HOME
The directory that contains the directory server code.
v For IBM Tivoli Directory Server Version 5.2
– Windows: path\IBM\LDAP
– UNIX (AIX, Linux): path/ldap
– UNIX (Solaris): path/IBMldaps
v For IBM Tivoli Directory Server Version 6.0
– Windows: path\IBM\LDAP\V6.0
– UNIX (AIX, Solaris): path/IBM/ldap/V6.0
– UNIX (Linux): /opt/ibm/ldap/V6.0
v For Sun ONE Directory Server
– Windows: path\Sun\MPS
– UNIX: /var/Sun/mps
IDS_instance_HOME
The directory that contains the IBM Tivoli Directory Server Version 6.0 instance.
v Windows: drive\idsslapd-instance_owner_name
The value of drive might be C:\ on Windows systems. An example of
instance_owner_name might be ldapdb2. For example, the log file might be
C:\idsslapd-ldapdb2\logs\ibmslapd.log.
v UNIX: INSTANCE_HOME/idsslapd-instance_name
On Linux and AIX systems, the default home directory is the
/home/instance_owner_name directory. On Solaris systems, for example, the
directory is the /export/home/ldapdb2/idsslapd-ldapdb2 directory.
HTTP_HOME
The directory that contains the IBM HTTP Server code.
v Windows: path\IBMHttpServer
v UNIX: path/IBMHttpServer
ITIM_HOME
The base directory that contains the Tivoli Identity Manager code, configuration,
and documentation.
v Windows: path\IBM\itim
v UNIX: path/IBM/itim
WAS_HOME
The WebSphere Application Server home directory.
v Windows: path\WebSphere\AppServer
v UNIX: path/WebSphere/AppServer
WAS_MQ_HOME
The directory that contains the WebSphere MQ code.
v Windows: path\ibm\WebSphere MQ
v UNIX: path/mqm
WAS_NDM_HOME
The home directory on the deployment manager.
v Windows: path\WebSphere\DeploymentManager
v UNIX: path/WebSphere/DeploymentManager
Tivoli_Common_Directory
The central location for all serviceability-related files, such as logs and
first-failure data capture.
v Windows: path\ibm\tivoli\common\CTGIM
v UNIX: path/ibm/tivoli/common/CTGIM
Special terms
The following special term is used in this information:
UNIX and Linux
The term UNIX means both UNIX and Linux systems. A Linux-specific
label is used only when required for clarity.
Chapter 1. Overview of the Tivoli Identity Manager Environment
This section provides a brief, high-level description of Tivoli Identity Manager
components and prerequisite products, including an overview of basic
configurations that you must consider before installing Tivoli Identity Manager.
This publication includes instructions for the supported UNIX, Linux, and
Windows operating systems. Not all of this information applies to every
operating system or combination of products. To determine the supported
combinations of prerequisite products, release levels, and fix pack
specifications, refer to the IBM Tivoli Identity Manager Release Notes, which
take precedence over this document.
This book focuses on the tasks that you must complete in order to configure and
use Tivoli Identity Manager, such as creating a database or an LDAP suffix. This
book provides links to the more extensive, prerequisite information that you must
obtain and the steps that you must complete to install middleware, before you can
install Tivoli Identity Manager.
Tivoli Identity Manager components
Tivoli Identity Manager provides life cycle management of user accounts on
remote resources, using adapters to communicate with those resources. The Tivoli
Identity Manager product:
v Provides user accounts to authorized users on one or more resources to which
Tivoli Identity Manager adapters are connected
v Runs in a WebSphere Application Server environment, either in a single-server
or clustered configuration
v Stores historical and pending data in a database server
v Stores user account and organizational data in an LDAP directory server
v Provides administration from a client interface in a Web browser that
communicates through an HTTP server, such as IBM HTTP Server, and a
WebSphere Web Server plug-in
A basic configuration is similar to Figure 1 on page 2.
Adapters overview
The Tivoli Identity Manager Server and its adapters enable you to provision
identities to a set of heterogeneous resources, which may be operating systems,
data stores, or other applications. Adapters were called agents in previous Tivoli
Identity Manager releases.
An adapter is a program that provides an interface between a managed resource
and the Tivoli Identity Manager Server. Adapters function as trusted virtual
administrators on the target platform for account management. For example,
adapters perform such tasks as creating accounts, suspending accounts, and
modifying account attributes. Because an adapter holds this administrative
authority on the managed resource, treat its credentials and its communication
channel with the Tivoli Identity Manager Server as privileged.
A Tivoli Identity Manager adapter can be either agent-based or agentless:
Agent-based adapter
Deploys its adapter code onto the managed resource with which it is
designed to communicate.
Agentless adapter
Deploys only on the server, separate from the managed resource with
which it is designed to communicate.
Figure 1. Tivoli Identity Manager components. The diagram shows a client
(browser) connecting through IBM HTTP Server and the WebSphere Web Server
plug-in to the WebSphere Application Server that runs the Tivoli Identity
Manager Server. The server uses a JDBC driver to reach the Tivoli Identity
Manager database, stores directory data in an LDAP data store, and
communicates with a Tivoli Identity Manager adapter on each managed resource.
WebSphere Application Server products
The WebSphere Application Server is the primary component of the WebSphere
environment. The WebSphere Application Server runs a Java™ virtual machine,
providing the runtime environment for the enterprise application code. The
application server provides containers that specialize in enabling the execution of
specific Java application components.
The Tivoli Identity Manager application runs in a single-server configuration with
the WebSphere Application Server base product. The Tivoli Identity Manager
application also runs in a larger cluster configuration that is composed of one or
more WebSphere Application Servers and a deployment manager that manages the
cluster.
Additional server processes run in a WebSphere Application Server environment,
such as the Java Message Service (JMS, sometimes called the jmsserver process or
the JMS server) that provides the WebSphere embedded messaging. The JMS server
enables the Tivoli Identity Manager application to exchange information with other
applications by sending and receiving data as messages.
For additional information about the WebSphere Application Server products, refer
to additional documentation cited in “Prerequisite product publications” on page
ix.
Database server products
Tivoli Identity Manager stores transactional and historical data in a database
server. For example, the Tivoli Identity Manager provisioning processes use a
relational database to maintain their current state as well as their history.
Computers that communicate with the database require a Java Database
Connectivity driver (JDBC driver). A JDBC driver is used to connect a Java-based
application to a database. For example, a JDBC driver enables a Tivoli Identity
Manager Server on a local computer or on another computer to communicate with
the data source. Tivoli Identity Manager supports JDBC driver types that connect
to corresponding databases.
The supported JDBC drivers include:
DB2 Universal Database
DB2 UDB supports a Type 2 JDBC driver. Several DB2 products include
this driver. Installing the DB2 UDB server automatically installs the JDBC
driver. To enable Tivoli Identity Manager to access a remote DB2 UDB
server, install this DB2 runtime client, which also includes the JDBC driver.
Oracle database
The Oracle database supports a Type 4 (Oracle thin) JDBC driver. No JDBC
driver configuration is required when the Oracle database is on a remote
computer. The Tivoli Identity Manager installation program requires the
location of this JDBC driver.
Before you install the Tivoli Identity Manager Server, obtain this JDBC
driver (ojdbc14.jar) from your Oracle Database Server installation in the
ORACLE_HOME/ora92/jdbc/lib/ directory. Alternatively, you can
download the driver from this Web site:
http://www.oracle.com/technology/software/tech/java/sqlj_jdbc/index.html
Microsoft SQL Server 2000 database
The SQL Server 2000 database supports a Type 4 JDBC driver. No JDBC
driver configuration is required when the SQL Server 2000 database is on a
remote computer. The Tivoli Identity Manager package includes this driver
and the installation program installs the driver automatically.
Chapter 1. Overview of the Tivoli Identity Manager Environment 3
For more information on supported database server products, refer to the IBM
Tivoli Identity Manager Release Notes.
Directory server products
Tivoli Identity Manager stores the current state of the managed identities in an
LDAP directory, including user account and organizational data.
For more information on supported directory server products, refer to the IBM
Tivoli Identity Manager Release Notes.
HTTP server and WebSphere Web Server plug-in
An HTTP server, such as IBM HTTP Server, and a WebSphere Web Server plug-in
enable access to the Tivoli Identity Manager Server. The WebSphere Web Server
plug-in is a component that is installed onto an HTTP server. The WebSphere Web
Server plug-in handles the assignment of tasks to specific cluster members, taking
incoming requests and transporting them to the appropriate Web resource. The
plug-in allows the Web server to communicate requests for dynamic content, such
as servlets, to the WebSphere Application Server.
Configuration options
Before you install the Tivoli Identity Manager application, you must determine
how to configure WebSphere Application Server, either in a single-server or a
cluster configuration.
Single-server configurations
A single-server configuration includes the WebSphere Application Server base
product and other required applications on one computer. You must ensure that
the computer has the required memory, speed, and available disk space to meet
the workload.
A single-server configuration requires the following components and products:
• WebSphere Application Server base product, which includes the WebSphere
embedded messaging server and client
• Tivoli Identity Manager Server
• An HTTP server
• The WebSphere Web Server plug-in
• A directory server
• A database server
• A JDBC driver
Figure 2. Single-server configuration on one computer (components shown: WebSphere
Application Server, Tivoli Identity Manager Server, IBM HTTP Server, WebSphere Web
Server plug-in, LDAP data store, Tivoli Identity Manager database, JDBC driver)
Optionally, you can install the WebSphere Application Server base product and the
Tivoli Identity Manager Server on one computer and install all other required
applications on one or more additional computers, in a configuration similar to
Figure 3.
In this configuration, the computer that has the Tivoli Identity Manager Server
requires the following components and products:
• WebSphere Application Server base product, which includes the WebSphere
embedded messaging server and client
• A JDBC driver
The following components and products run on additional computers:
• A database server
• A directory server
• An HTTP server
• A WebSphere Web Server plug-in
For tuning recommendations that place applications on separate computers, refer
to the IBM Tivoli Identity Manager Performance Tuning Guide technical supplement.
For more information on a single-server configuration, see Chapter 5, “Installing
Tivoli Identity Manager in a single-server configuration,” on page 47.
Cluster configuration
A cluster configuration contains WebSphere Application Server nodes, which are
logical groups of one or more application servers on a computer. Nodes reside
within an administrative domain called a cell, which the deployment manager
manages. A node agent manages all managed processes on the node by
communicating with the deployment manager to coordinate and synchronize the
configuration. The deployment manager is the administrative process that provides
a centralized management view and control for all elements in the cell, including
the management of clusters.
Figure 3. Single-server configuration on multiple computers (components shown: IBM
HTTP Server with the WebSphere Web Server plug-in; WebSphere Application Server with
the Tivoli Identity Manager Server and a JDBC driver; the Tivoli Identity Manager
database; the LDAP data store)
The Tivoli Identity Manager application assumes that these common features
describe every cluster member:
• The operating system is the same.
For example, all Tivoli Identity Manager cluster members run on the IBM AIX
operating system. To avoid problems with secure communication and certificate
configuration, do not use more than one operating system type within a Tivoli
Identity Manager cluster.
• The ITIM_HOME directory is identical. For example, the ITIM_HOME directory
on every cluster member that runs on the IBM AIX operating system is
/usr/IBM/itim.
The Tivoli Identity Manager application does not support a vertical cluster
configuration, which has more than one cluster member within a WebSphere
Application Server node.
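The following shell script is an added example and is not part of this guide. It checks a cluster inventory against the three assumptions stated above (one operating system type, an identical ITIM_HOME on every member, and no more than one cluster member per computer) before installation begins. The inventory format, one line per member with host name, operating system and ITIM_HOME, and the host names in the sample are constructed for the example.

```sh
#!/bin/sh
# Added example: pre-flight consistency check for Tivoli Identity Manager cluster members.
# Inventory format (an assumption of this example): one member per line,
#   hostname  operating_system  ITIM_HOME

# Print the distinct values of column $2 of inventory text $1, one per line.
distinct_column() {
    printf '%s\n' "$1" | awk -v col="$2" 'NF >= 3 { print $col }' | sort -u
}

# Print host names that appear more than once (a vertical cluster, which is not supported).
duplicate_hosts() {
    printf '%s\n' "$1" | awk 'NF >= 3 { n[$1]++ } END { for (h in n) if (n[h] > 1) print h }'
}

# Return 0 when the inventory satisfies all three assumptions; otherwise report
# every violation on stderr and return 1.
check_cluster_uniformity() {
    inventory=$1
    rc=0
    os_count=$(distinct_column "$inventory" 2 | wc -l | tr -d ' ')
    home_count=$(distinct_column "$inventory" 3 | wc -l | tr -d ' ')
    dups=$(duplicate_hosts "$inventory")
    if [ "$os_count" -ne 1 ]; then
        echo "FAIL: more than one operating system type in the cluster:" >&2
        distinct_column "$inventory" 2 >&2
        rc=1
    fi
    if [ "$home_count" -ne 1 ]; then
        echo "FAIL: ITIM_HOME differs between cluster members:" >&2
        distinct_column "$inventory" 3 >&2
        rc=1
    fi
    if [ -n "$dups" ]; then
        echo "FAIL: more than one cluster member on one computer (vertical cluster):" >&2
        printf '%s\n' "$dups" >&2
        rc=1
    fi
    return $rc
}

# Constructed sample inventories (not taken from any real deployment).
GOOD_INVENTORY='itim1 AIX /usr/IBM/itim
itim2 AIX /usr/IBM/itim
itim3 AIX /usr/IBM/itim'

BAD_INVENTORY='itim1 AIX /usr/IBM/itim
itim2 Linux /opt/IBM/itim
itim2 Linux /opt/IBM/itim'

if check_cluster_uniformity "$GOOD_INVENTORY"; then
    echo "sample inventory OK: cluster members are uniform"
fi
```

Run the script with a real inventory by replacing the sample text; a non-zero exit code means the cluster does not meet the assumptions and the violations are listed on stderr.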
In a configuration such as Figure 4 on page 7, each computer shape represents one
WebSphere node on one computer. The configuration specifies the deployment
manager on one computer. The remaining applications are configured on
additional computers.
WebSphere Application Server also permits you to install both the WebSphere
Application Server base product and the deployment manager on the same
computer. You must ensure that the computer has the required memory, speed,
and available space to meet the additional load.
The following describes the cluster configuration in Figure 4 on page 7:
• On the computer where you want to have the deployment manager, install the
following components and products:
– The deployment manager
– The Tivoli Identity Manager Server
– A JDBC driver
• A cluster member is an instance of a WebSphere Application Server in a cluster.
On each cluster member, install the following components and products:
– WebSphere Application Server base product, which includes the WebSphere
embedded messaging server and client
– Tivoli Identity Manager Server
– A JDBC driver
• On one or more additional computers that are not in the cluster, install the
following components and products:
– A database server
– A directory server
– An HTTP server and the WebSphere Web Server plug-in
This is an example configuration only. An alternative topology might configure
these components on computers that are all inside the cluster.
Figure 4. Cluster configuration on multiple computers (components shown: a Tivoli
Identity Manager cell containing the Tivoli Identity Manager cluster, whose members
each run WebSphere Application Server base, Tivoli Identity Manager Server, and a
JDBC driver; a computer with WebSphere Application Server Network Deployment and a
JDBC driver; IBM HTTP Server with the WebSphere Web Server plug-in; the Tivoli
Identity Manager database; the LDAP data store)
For more information on configuring clusters, see “Creating a cluster
configuration” on page 36.
Overview of the installation
The installation has an extended sequence of activities that are illustrated in
Figure 5 on page 8. The process varies depending on whether installation is for a
single-server or cluster configuration.
Figure 5. Major steps in installation (flowchart: checks 1. Configuration known?,
2. Operating system ready?, 3. Database ready?, 4. Directory server ready?, and
5. WebSphere Application Server ready?; a No answer leads respectively to specify
configuration, update operating system, install and configure database for Tivoli
Identity Manager, install and configure directory server, and install and configure
WebSphere Application Server; then 6. Install Tivoli Identity Manager Server,
7. Configure database, LDAP, WebSphere Application Server, and 8. Test Tivoli
Identity Manager Server)
The major steps to install, configure, and test Tivoli Identity Manager are:
1. Determining the Tivoli Identity Manager Server topology. The information in
this chapter describes the major configuration choices.
2. Ensuring that the operating system is at the level that Tivoli Identity Manager
requires. For more information on software and hardware requirements, refer to
the IBM Tivoli Identity Manager Release Notes.
3. Ensuring that the database server is installed and preconfigured. See Chapter 2,
“Installing and configuring a database,” on page 11 for steps to prepare the
database.
4. Ensuring that the directory server is installed and preconfigured. See Chapter 3,
“Installing and configuring a directory server,” on page 25 for steps to prepare
the directory server.
5. Determining that the WebSphere Application Server is ready. See Chapter 4,
“Installing and configuring WebSphere Application Server,” on page 33 for
steps to prepare the WebSphere Application Server in a single-server or cluster
configuration.
6. Installing the Tivoli Identity Manager application on one of these
configurations:
• Single-server. For more information, see Chapter 5, “Installing Tivoli Identity
Manager in a single-server configuration,” on page 47.
• Cluster. For more information, see Chapter 6, “Installing Tivoli Identity
Manager in a cluster configuration,” on page 61.
For steps to upgrade an existing installation of Tivoli Identity Manager, see
Appendix C, “Upgrading from Tivoli Identity Manager Version 4.5.1 to Version
4.6,” on page 115.
7. Configuring the database, the directory server, and the WebSphere Application
Server for the Tivoli Identity Manager Server. For more information, see
Chapter 7, “Configuring the Tivoli Identity Manager Server,” on page 77.
8. Resolving problems that happened during installation and startup. For more
information, see Chapter 8, “Troubleshooting and verifying the installation,” on
page 93.
Planning activities for deployments at large sites
In large organizations, there are additional tasks that require planning before you
deploy Tivoli Identity Manager. For more information, refer to the IBM Tivoli
Identity Manager Planning for Deployment Guide.
To prevent initial deployment problems, consider providing a variation of the
following planning activities that are appropriate for your site, in advance of
installing Tivoli Identity Manager and also subsequent cumulative fixes:
• Establish a working practice that provides comprehensive and relevant Tivoli
Identity Manager information to all of the specialists who install middleware.
For example, have the team meet regularly to enumerate their problems and
share their solutions.
• To ensure coordination, designate one person as a focal point for concerns that
flow between your site and IBM customer support specialists.
• If possible, reduce the number of specialists who install and configure the
applications. If specialists cannot be reduced in number, encourage
communication flow between specialists:
– Provide a comprehensive library or list of FTP or Web sites for prerequisite
installation and configuration information.
– Ensure that the specialist installing Tivoli Identity Manager has root or
Administrator authority for the prerequisite middleware.
– Ensure that all elements of the system or solution have sufficient privileges to
provide accounts.
– Support a centralized problem and solution database that identifies
troubleshooting actions and assigns action owners.
– Maintain a common library of scripts that automate start up.
– Create a change control database that coordinates all customization activities.
– Determine a working practice in which specialists provide a record of critical
values in the worksheets similar to the ones that this publication provides.
Ensure that all specialists have access to and use a common worksheet that
centralizes the information.
For example, each installation chapter in this manual provides a checklist of
prerequisites that must be installed, configured, and running before you begin
installation. Additionally, Appendix B, “Worksheets,” on page 111 provides a
centralized collection point for critical values such as user IDs, passwords,
and security settings. The IBM Tivoli Identity Manager Release Notes specifies
prerequisite levels and fix packs or patches.
Chapter 2. Installing and configuring a database
The Tivoli Identity Manager application stores transactional and historical data,
including schedules, access control item definitions (ACIs), and audit data in a
database. This chapter focuses on configuring a Tivoli Identity Manager database
prior to Tivoli Identity Manager installation. The supported releases and required
fix packs for the supported databases are described in the IBM Tivoli Identity
Manager Release Notes.
The information in this chapter is not a substitute for the more extensive,
prerequisite documentation that is provided by the database product. This chapter
assumes that you are familiar with that documentation; refer to these sources:
• IBM DB2 Universal Database
http://www.ibm.com/software/data/db2/udb/support.html
http://publib.boulder.ibm.com/infocenter/db2help/index.jsp (Information center)
http://www.ibm.com/software/data/db2
http://www.ibm.com/software/data/db2/udb/support/downloadv8.html
http://www.ibm.com/software/data/db2/udb/sysreqs.html (Operating system prerequisites)
http://www.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/v8pubs.d2w/en_main
• Oracle
http://www.oracle.com/technology/documentation/index.html
http://otn.oracle.com/tech/index.html
http://otn.oracle.com/tech/linux/index.html
• Microsoft SQL Server 2000
http://www.msdn.com/library/
http://www.microsoft.com/sql/
Before you install the database product
Before you install the database product, complete these steps:
• Read the installation information that the database product provides.
• Ensure that your installation meets the product hardware and software
requirements.
• Ensure that all required operating system patches are in place.
• Ensure that kernel settings are correct for some operating systems, such as the
Solaris operating system. Each database application specifies its own
requirements, such as additional operating system values. Before installing the
application, refer to its documentation for these additional settings. For example,
these Web sites describe kernel settings that DB2 UDB requires:
– AIX
None required.
– Linux
http://publib.boulder.ibm.com/infocenter/db2help/topic/com.ibm.db2.udb.doc/start/t0008238.htm
– Solaris
http://publib.boulder.ibm.com/infocenter/db2help/topic/com.ibm.db2.udb.doc/start/t0006476.htm
Installing and configuring IBM DB2 Universal Database
This section describes installing and configuring IBM DB2 Universal Database (DB2
UDB). The configuration steps in this section create a new database for later use by
the Tivoli Identity Manager Server installation program, which populates the
database with data objects.
You can install DB2 UDB on the same computer with Tivoli Identity Manager or
on a separate computer. If you install DB2 UDB on a separate computer, you must
install a DB2 runtime client on the computer on which you install Tivoli Identity
Manager. For more information, see “Configuring the DB2 JDBC driver” on page
16.
Tivoli Identity Manager requires DB2 UDB to run at a required DB2 fix pack level.
For more information on installing DB2 UDB and any fix packs, refer to the IBM
Tivoli Identity Manager Release Notes and also to documentation that the database
product provides. For example, access these Web sites:
http://www.ibm.com/software/data/db2/udb/support.html
http://www.ibm.com/software/data/db2/udb/support/downloadv8.html
Recording user data and ensuring that installation succeeds
The DB2 UDB installation requires that you specify some system data, such as the
DB2 administrator user ID and password. The installation wizard provides both
status reports and an initial verification activity.
Recording user names and passwords on UNIX systems
Installing DB2 UDB creates the default DB2 instance. Table 1 shows the default
values that are created. Record this information, which is required to configure the
DB2 UDB database that Tivoli Identity Manager uses. For an example of the
database tab that requires this information, see Figure 17 on page 83. For
worksheets that describe database fields required for the Tivoli Identity Manager
configuration, such as the database name, see “Tivoli Identity Manager information
for the database” on page 111.
Table 1. Field values on UNIX systems
Fields on UNIX systems            Value
DB2 instance name (user ID)       db2inst1
DB2 instance password             A user-defined value
DB2 instance home directory       UNIX: /home/db2inst1
                                  Solaris: /export/home/db2inst1
Recording user names and passwords on Windows systems
Installing DB2 UDB creates the default DB2 instance. Table 2 on page 13 shows the
default values that are created.
Table 2. Field values on Windows systems
Fields on Windows systems Value
DB2 instance name DB2
Administrative user ID db2admin
Password A user-defined value
Verifying the installation
The installation wizard provides a status report when the installation is complete.
Additionally, run the DB2 First Steps operation to verify that the installation is
successful. To start the operation, complete these steps:
• Windows
Click Start –> Programs –> IBM DB2 –> Set-up Tools –> First Steps.
• UNIX
Enter this command:
– AIX
/usr/opt/db2_08_01/db2fs
– Other UNIX
/opt/IBM/db2/V8.1/db2fs
Installing the required fix packs
If your version of DB2 UDB requires a fix pack, obtain and install the fixes that are
available at these DB2 UDB support Web sites:
http://www.ibm.com/software/data/db2/udb/support.html
http://www.ibm.com/software/data/db2/udb/support/downloadv8.html
Verify that the correct fix pack is installed on both the database server and the
database client computers.
• On Windows, enter the db2level command:
db2level
• On UNIX systems, log on as the DB2 instance owner and enter the db2level
command:
su - DB2_instance_ID
db2level
The value of DB2_instance_ID is the DB2 instance owner such as db2inst1.
For more information on these steps, refer to the IBM Tivoli Identity Manager Release
Notes and also to documentation that the DB2 UDB fix pack provides.
Configuring the DB2 server
Configure the DB2 server before you install the Tivoli Identity Manager Server. The
DB2 UDB settings described in this chapter are initial settings that might require
runtime adjustment. For more information, refer to the IBM Tivoli Identity Manager
Performance Tuning Guide technical supplement.
Configuring the DB2 server requires the following steps:
1. “Creating a user on Windows and UNIX systems” on page 14 or “Creating a
user on a Linux system” on page 14
2. “Creating the Tivoli Identity Manager database”
3. “Ensuring that TCP/IP communication is specified” on page 15
4. “AIX only: Setting EXTSHM for DB2 UDB connections” on page 15
Creating a user on Windows and UNIX systems
Create an operating system user named enrole on the computer on which the DB2
server is installed. The Tivoli Identity Manager Server uses the user ID enrole to
access the database. No special privileges are required for this user. Ensure that a
password change is not required at the next logon and that the password never
expires.
To create a user, follow these steps:
1. As root or as Administrator, start the system management tool for your
operating system.
• AIX: SMIT or SMITTY
• Solaris: admintool
• Windows: Click Start –> Administrative Tools –> Computer Management
–> Local Users and Groups –> Users.
2. Add a new user enrole and set the user’s password.
3. Exit the system management tool.
4. Test the user access. Ensure that you can log on with the user ID enrole
without encountering a password reset.
5. Proceed to the next step, “Creating the Tivoli Identity Manager database.”
Creating a user on a Linux system
You can use the console command interface or the GUI utility to create a user on
Linux. To create a user by using the console command interface on a Linux (Red
Hat) operating system, enter the following command:
adduser -d /home/enrole -p password enrole
The -d switch specifies the home directory. The entry enrole specifies the user ID
that is created. On Red Hat systems, adduser is the useradd command, and its -p
switch expects the already-encrypted password string as returned by crypt(3), not a
plaintext value. A password given on the command line is also visible to other
users in the process list and in the shell history, so consider setting the
password with the passwd command after the user is created.
Proceed to the next step, “Creating the Tivoli Identity Manager database.”
Creating the Tivoli Identity Manager database
You can specify any name for the Tivoli Identity Manager database, such as
itimdb. To create the Tivoli Identity Manager database, follow these steps:
1. Open a DB2 UDB command window.
• UNIX: Log on as the DB2 instance owner and enter db2 to open a DB2
command window.
• Windows: Click Start –> Run, and enter db2cmd. When the DB2 command
window opens, enter db2.
2. In the DB2 command window, enter these commands to create the database:
create db itim_dbname using codeset UTF-8 territory US
update db cfg for itim_dbname using applheapsz 2048
update db cfg for itim_dbname using app_ctl_heap_sz 1024
The value of itim_dbname is a name such as itimdb. For more information, refer
to the IBM Tivoli Identity Manager Performance Tuning Guide technical
supplement.
3. Stop and start the DB2 server to reset the configuration.
After you have created the Tivoli Identity Manager database and reset the
configuration, stop and start the DB2 server to allow the changes to take effect.
Enter the following commands:
db2stop
db2start
If entering db2stop fails and the database remains active, enter db2 force
application all to inactivate the database. Enter db2stop again.
Ensuring that TCP/IP communication is specified
Installing DB2 UDB specifies TCP/IP communication by default. To confirm that
TCP/IP communication is specified on the DB2 server and also on the DB2 client,
follow these steps:
1. Enter the following command:
db2set -all DB2COMM
2. If a tcpip entry is not in the list that was returned, enter the following
command, including tcpip and any other values that were returned in the list
that the command provided:
db2set DB2COMM=tcpip,values_from_db2set_command
For example, if the db2set -all DB2COMM command returned values such as
npipe and ipxspx in the list, specify these values again when you enter the
db2set command the second time:
db2set DB2COMM=tcpip,npipe,ipxspx
If the operating system is AIX, proceed to the next step, “AIX only: Setting
EXTSHM for DB2 UDB connections.” Otherwise, proceed to “Configuring the DB2
JDBC driver” on page 16.
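The following shell functions are an added example and are not part of this guide. They parse the output of db2set -all DB2COMM and compute the value to pass to db2set so that tcpip is added without dropping protocols that are already listed, which is the step most often done wrong when the existing values are retyped by hand. The assumed output format is one line per registry level of the form "[i] DB2COMM=npipe,ipxspx", with empty output when the variable is not set; the sample line used when db2set is not installed is constructed.

```sh
#!/bin/sh
# Added example: verify that DB2COMM includes tcpip and compute the corrected value.
# Assumed input: the output of `db2set -all DB2COMM`, e.g. "[i] DB2COMM=npipe,ipxspx"
# (the bracketed tag marks the registry level); an unset variable yields empty output.

# Print the protocol list from the first DB2COMM line of the captured output ($1).
db2comm_current() {
    printf '%s\n' "$1" | sed -n '1s/^\[[a-z]\][[:space:]]*//; 1s/^DB2COMM=//p'
}

# Return 0 when tcpip is already among the protocols (case-insensitive), 1 otherwise.
db2comm_has_tcpip() {
    db2comm_current "$1" | tr 'A-Z' 'a-z' | tr ',' '\n' | grep -qx 'tcpip'
}

# Print the value to pass to `db2set DB2COMM=...`: the current list when tcpip is
# already present, otherwise tcpip prepended to the protocols that were listed.
db2comm_required() {
    current=$(db2comm_current "$1")
    if db2comm_has_tcpip "$1"; then
        printf '%s\n' "$current"
    elif [ -n "$current" ]; then
        printf 'tcpip,%s\n' "$current"
    else
        printf 'tcpip\n'
    fi
}

# Check a live instance when db2set is on the PATH; otherwise use a constructed
# sample so the logic can be exercised on any system.
ensure_tcpip() {
    if command -v db2set >/dev/null 2>&1; then
        out=$(db2set -all DB2COMM)
    else
        out='[i] DB2COMM=npipe,ipxspx'   # constructed sample, not real output
    fi
    if db2comm_has_tcpip "$out"; then
        echo "DB2COMM already includes tcpip: $(db2comm_current "$out")"
    else
        echo "DB2COMM needs updating; run: db2set DB2COMM=$(db2comm_required "$out")"
    fi
}

ensure_tcpip
```

The script only reports the db2set command to run; it does not change the DB2 registry itself, so it can be used on both the DB2 server and the DB2 client before the change is applied by the instance owner.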
AIX only: Setting EXTSHM for DB2 UDB connections
If the DB2 server is on the AIX operating system, ensure that you set the EXTSHM
environment variable to ON. This action increases the number of shared memory
segments to which a single process can be attached.
Tivoli Identity Manager processes might not be able to connect with DB2 UDB if
DB2 UDB runs out of shared memory segments on the AIX operating system. The
Tivoli Identity Manager log file contains the following error message:
[IBM][CLI Driver]SQL1224N A database agent could not be started to
service a request, or was terminated as a result of a database system
shutdown or a force command. SQLSTATE=55032
The EXTSHM environment variable must be exported both in the shell where the
client application is started and also in the shell where the database is started. A
client application can be the WebSphere Application Server, the node agent, or the
deployment manager.
To export the EXTSHM environment variable, complete these steps:
1. On the shell where the WebSphere Application Server is started, set the
environment variable EXTSHM by entering the following statement:
export EXTSHM=ON
Also add this statement to the /etc/profile file of the root user from which the
WebSphere Application Server is started.
2. On the shell where the database is started, such as a shell of db2inst1, enter the
following commands to configure the EXTSHM environment variable:
export EXTSHM=ON
db2set DB2ENVLIST=EXTSHM
3. To ensure that the environment variable is always set, also add the following
line to the DB_INSTANCE_HOME/SQLLIB/userprofile file:
export EXTSHM=ON
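The following shell functions are an added example and are not part of this guide. They detect the SQL1224N symptom described above in a Tivoli Identity Manager log and add the export EXTSHM=ON line to a profile file only when it is not already there, refusing to silently override a file that sets EXTSHM to another value. The log line layout in the sample is constructed; only the DB2 message text is taken from this section.

```sh
#!/bin/sh
# Added example: detect the shared-memory symptom and make the EXTSHM setting persistent.

# Count log lines in file $1 that show the SQL1224N / SQLSTATE=55032 symptom.
count_sql1224n() {
    # grep -c prints 0 and exits 1 when nothing matches; keep the count, ignore the status
    grep -Ec 'SQL1224N|SQLSTATE=55032' "$1" || true
}

# Ensure that profile file $1 contains exactly one "export EXTSHM=ON" line.
# Returns 0 when the line is present afterwards (added or already there) and 2 when
# the file already sets EXTSHM to a different value, which is left for review.
ensure_extshm_line() {
    profile=$1
    if grep -qx 'export EXTSHM=ON' "$profile" 2>/dev/null; then
        return 0
    fi
    if grep -q '^export EXTSHM=' "$profile" 2>/dev/null; then
        echo "conflict: $profile already sets EXTSHM to another value" >&2
        return 2
    fi
    printf 'export EXTSHM=ON\n' >> "$profile"
}

# Return 0 when the current shell has EXTSHM set to ON as the guide requires.
extshm_is_on() {
    [ "${EXTSHM:-}" = "ON" ]
}

# Write a constructed sample log (not real Tivoli Identity Manager output) to file $1.
write_sample_log() {
    cat > "$1" <<'EOF'
2005-06-01 10:15:02 INFO  Starting provisioning workflow
2005-06-01 10:15:03 ERROR [IBM][CLI Driver]SQL1224N A database agent could not be started to service a request, or was terminated as a result of a database system shutdown or a force command. SQLSTATE=55032
2005-06-01 10:15:04 INFO  Retrying connection
2005-06-01 10:15:05 ERROR [IBM][CLI Driver]SQL1224N A database agent could not be started to service a request, or was terminated as a result of a database system shutdown or a force command. SQLSTATE=55032
EOF
}

# Demonstration on temporary files.
demo() {
    tmpdir=$(mktemp -d)
    write_sample_log "$tmpdir/msg.log"
    echo "SQL1224N occurrences in sample log: $(count_sql1224n "$tmpdir/msg.log")"
    ensure_extshm_line "$tmpdir/profile"
    ensure_extshm_line "$tmpdir/profile"   # second call changes nothing
    echo "EXTSHM lines in profile: $(grep -c '^export EXTSHM=ON$' "$tmpdir/profile")"
    if extshm_is_on; then echo "EXTSHM is ON in this shell"; else echo "EXTSHM is not ON in this shell"; fi
    rm -rf "$tmpdir"
}

demo
```

On AIX, run ensure_extshm_line against /etc/profile for the root user and against DB_INSTANCE_HOME/SQLLIB/userprofile for the instance owner; a count greater than zero from count_sql1224n on the Tivoli Identity Manager log is the cue that the setting is missing from one of the two shells.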
Configuring the DB2 JDBC driver
In a single-server configuration, the DB2 server might be on a remote computer on
which Tivoli Identity Manager Server is not installed. Alternatively, the DB2 server
might be on the local computer, on which you install Tivoli Identity Manager
Server. If the DB2 server is on a remote computer, you must install and configure
the DB2 runtime client. You should also install the required fix pack.
In a cluster configuration, assuming that the DB2 server is on a remote computer,
you must install and configure the DB2 runtime client and apply the required fix
pack on these computers:
• The computer that has the deployment manager.
• Each cluster member on which you expect to install Tivoli Identity Manager
Server.
Installing and configuring the DB2 runtime client
Complete these steps to install and configure the DB2 runtime client:
1. Install and configure the DB2 runtime client and the required fix pack.
2. Catalog the database. The catalog operation creates a database alias on the local
DB2 client for the actual database on the DB2 server. An application running on
the same system as the database client uses the database alias defined in the
catalog to access the database.
Complete the following steps:
a. Open a DB2 UDB command window.
• UNIX: Log on as the DB2 instance owner and enter db2 to open a DB2
command window.
• Windows: Click Start –> Run, and enter db2cmd. When the DB2
command window opens, enter db2.
b. In the command window, enter this command on one line to define the
communication protocol and the local node alias:
catalog tcpip node local_db2node_alias remote db2server_hostname
server service-name|portnumber
The parameters and variables include:
node local_db2node_alias
A local alias for the node to be cataloged. This is an arbitrary name
on the user’s workstation that is used to identify the node.
remote db2server_hostname
The host name or IP address of the node on which the target
database resides.
server service-name|portnumber
The service name or the port number of the DB2 server instance.
The default value of the DB2 UDB port number is 50000. For more
information, see “Determining the correct service listening port and
service name” on page 18.
Use TCP/IP as the communication protocol. Do not use other protocols
such as named pipes or NetBIOS.
c. Enter the following command on one line to define the local database alias:
catalog database database_name as local_database_alias
at node local_db2node_alias
The parameters and variables include:
database database_name
The name of the database on a remote computer. The value of
database_name is the value of itim_dbname, such as itimdb that was
specified when the database was created on the DB2 server.
local_database_alias
An arbitrary local alias for the remote database.
node local_db2node_alias
A local alias for the node. This is the local node alias that is set in
the previous step 2b on page 16.
d. To test that the cataloging command was successful, enter the following
command:
connect to itim_dbname user db_admin_name using db2_admin_pwd
The value of itim_dbname is a name such as itimdb. The value of
db_admin_name is db2inst1 on UNIX systems, and db2admin on Windows
systems.
If the connection is successful, information is returned that identifies a local
database alias, such as itimdb. If the connection fails, complete these steps:
1) Ensure that the connect command uses the correct values for the user ID
and password.
2) Ensure that the connect command uses the correct value for the database
name.
3) Ensure that the TCP/IP communication protocol is defined in
DB2COMM. For more information, see “Ensuring that TCP/IP
communication is specified” on page 15.
4) Ensure that the correct database service name and listening port are
used, and that the listening port is active. For more information, see
“Determining the correct service listening port and service name” on
page 18.
Enabling encrypted data transmission between the DB2 server
and client
To specify the authentication type to use encrypted data for incoming connections
at the database server, update the configuration of the srvcon_auth value to enable
the DATA_ENCRYPT attribute. For example, type this command at a DB2
command window on the DB2 server:
update database manager configuration using srvcon_auth data_encrypt
Additionally, to enable the DB2 client to send encrypted data to the DB2 server,
type this command on one line at a DB2 command window on the DB2 client:
catalog database database_name as local_database_alias at node local_db2node_alias
authentication data_encrypt
For more information about these parameters, see “Installing and configuring the
DB2 runtime client” on page 16.
JDBC drivers for a WebSphere Application Server on 64-bit
operating systems
Although the WebSphere Application Server at Version 5.1 can run on 64-bit
operating systems, the WebSphere Application Server requires a DB2 JDBC driver
that is a 32-bit DB2 runtime client to connect to the DB2 database.
If you install the 64-bit DB2 server on a 64-bit operating system on which the
Tivoli Identity Manager Server and the WebSphere Application Server will also be
installed, you should not install the 64-bit DB2 runtime client. You should complete
these steps when you install the DB2 server:
1. Choose the Custom option.
2. Exclude the 64-bit runtime client.
3. After the server is installed, install the DB2 JDBC driver that is a 32-bit DB2
runtime client.
If the 64-bit runtime client is already installed, do one of the following:
v Remove the 64-bit runtime client and then install the DB2 JDBC driver that is a
32-bit DB2 runtime client.
v Alternatively, create a 32-bit DB2 instance and catalog a connection to the 64-bit
instance that is either local or remote. Then, use the Tivoli Identity Manager
installation program to point the JDBC provider in the WebSphere Application
Server to the 32-bit instance.
To create the 32-bit DB2 instance, enter the following command:
– Command line:
- Windows: \sqllib\bin\db2icrt
- UNIX: DB_INSTANCE_HOME/instance/db2icrt -w WordWidth instancename
The value of the -w WordWidth parameter specifies the bit level that is
used, such as 32-bit. The value of instancename is a DB2 instance such as
db2inst2. For example, type this command:
db2icrt -w 32 db2inst2
– Graphical user interface: DB_INSTANCE_HOME/instance/db2isetup
Determining the correct service listening port and service
name
Creating the DB2 UDB instance creates the service listening port number and the
database service name. The default service listening port number is 50000. The
service name has this default value:
v Windows: db2c_DB2
v UNIX: db2cdb2inst1
When you catalog the local DB2 node alias, which is step 2b on page 16, you must
define either the service listening port number or the default service name.
To determine whether the correct service name or service listening port is defined,
complete these steps:
1. Locate the statement that is similar to the following example, which specifies
the current port number in the services file on the computer on which the DB2
server resides:
v Windows
– DB2 UDB Version 8.1: db2c_DB2 50000/tcp
– DB2 UDB Version 8.2: db2cdb2: 50000/tcp
v UNIX
– DB2 UDB Version 8.1: db2inst1: 50000/tcp
– DB2 UDB Version 8.2: db2c_db2: 50000/tcp
The services file has the following path:
v Windows: %SYSTEMROOT%\system32\drivers\etc\services
v UNIX: /etc/services
2. If the services file does not contain the DB2 instance service name and port
number, complete these steps:
a. Edit the appropriate services file for your operating system and add a DB2
service name and number:
v Windows: db2c_DB2 50000/tcp
v UNIX: db2inst1: 50000/tcp
The default value of the DB2 UDB port number is 50000.
b. Configure DB2 UDB to use the service name. Use the following command:
db2 update dbm cfg using svcename service_name|port_number
Provide the value of either service_name or port_number. The value of
service_name matches the new service name that you created in step 2a.
c. Stop and start the DB2 service to enable the port number to take effect. Use
the following commands:
db2stop
db2start
d. Verify that the service name and port are successfully updated by checking
that DB2 UDB is now listening on the new port. Enter this command:
netstat -an
In the listing, you should see the port that you specified, such as 50000, is
open for listening. For more information, refer to documentation that the
DB2 UDB product provides. Use these parameters:
-a Show both listening and non-listening sockets.
-n Show numerical addresses rather than symbolic host, port or user
names.
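The following Python script is an added example, not part of this guide, that automates the check in steps 2b and 2d: it resolves the svcename value (either a service name or a numeric port) against a services file and then confirms from netstat -an output that a TCP socket is listening on that port. The services and netstat text, the service name db2c_db2inst1, and the function names are constructed for the example.

```python
import re
from typing import Optional, Tuple

# Constructed sample of a services file; the db2c_db2inst1 entry is assumed,
# not taken from a real host.
SAMPLE_SERVICES = """\
# /etc/services (constructed sample)
ssh             22/tcp
db2c_db2inst1   50000/tcp      # DB2 connection service for instance db2inst1
db2i_db2inst1   50001/tcp      # DB2 interrupt service (not the listener)
"""

# Constructed sample of `netstat -an` output on a Linux host (not captured).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:50000           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:50000          10.0.0.7:41022          ESTABLISHED
"""


def service_port(services_text: str, service_name: str) -> Optional[int]:
    """Return the TCP port registered for service_name, or None if it is absent."""
    for raw in services_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        fields = line.split()
        if len(fields) < 2:
            continue
        match = re.fullmatch(r"(\d+)/tcp", fields[1])
        if match and fields[0] == service_name:
            return int(match.group(1))
    return None


def resolve_svcename(services_text: str, svcename: str) -> Optional[int]:
    """The value given to `db2 update dbm cfg using svcename ...` is either a
    service name that must exist in the services file or a literal port number."""
    if svcename.isdigit():
        return int(svcename)
    return service_port(services_text, svcename)


def is_listening(netstat_text: str, port: int) -> bool:
    """True if `netstat -an` output shows a TCP socket in LISTEN state on port.

    Handles the Linux/AIX layout (Recv-Q/Send-Q columns, address:port or
    address.port) and the Windows layout (TCP local foreign LISTENING)."""
    local_suffix = re.compile(r"[:.]%d$" % port)
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].lower().startswith("tcp"):
            continue
        if not fields[-1].upper().startswith("LISTEN"):
            continue                                   # ESTABLISHED etc. are not listeners
        local_address = fields[3] if len(fields) >= 6 else fields[1]
        if local_suffix.search(local_address):
            return True
    return False


def check_db2_listener(services_text: str, svcename: str,
                       netstat_text: str) -> Tuple[Optional[int], bool]:
    """Combine both checks: (resolved port or None, whether DB2 listens on it)."""
    port = resolve_svcename(services_text, svcename)
    if port is None:
        return None, False
    return port, is_listening(netstat_text, port)


if __name__ == "__main__":
    print(check_db2_listener(SAMPLE_SERVICES, "db2c_db2inst1", SAMPLE_NETSTAT))
```

A (None, False) result means the service name is not in the services file (step 2a was skipped), while (port, False) means the name resolves but DB2 was not restarted or svcename still points elsewhere (steps 2b and 2c).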
Tuning performance
Performance issues can occur after you initially configure DB2 UDB. For example,
loading a large number of users can cause performance problems. You might see
this message:
Not enough storage available for processing the sql statements.
To provide additional storage space, change the DB2 UDB application heap size to
a larger value. For recommendations and examples of setting DB2 UDB heap sizes
and other performance-sensitive parameters, refer to the IBM Tivoli Identity
Manager Performance Tuning Guide technical supplement.
Installing and configuring the Oracle database
This section describes installing and configuring the Oracle database for Tivoli
Identity Manager.
In all cases, refer to the installation and migration guides that the Oracle
Corporation provides for complete information. For more information, refer to
these Web sites:
http://otn.oracle.com/documentation/index.html
http://otn.oracle.com/tech/index.html
http://otn.oracle.com/tech/linux/index.html
Before you create a database
This section describes steps to complete before you create an Oracle database for
Tivoli Identity Manager. Complete these steps:
v “Installing the Oracle database server”
v “Configuring the init.ora file”
v “Setting environment variables” on page 21
v “Backing up an existing database” on page 21
v “Installing the JDBC driver” on page 21
Installing the Oracle database server
You might install the Oracle database server on the same computer or on a
computer that is separate from Tivoli Identity Manager. For more information on
installing the Oracle database server, refer to documentation available at this Web
site:
http://otn.oracle.com/tech/index.html
Note: If you manually create the Oracle database for Tivoli Identity Manager, you
must manually install the JVM feature, or any transactions from Tivoli
Identity Manager will subsequently fail. Using the Oracle Database
Configuration Assistant wizard installs the JVM feature by default.
Configuring the init.ora file
You must configure the init.ora file for the Tivoli Identity Manager database.
Complete these steps:
1. Copy the init.ora file.
v Windows
a. Under the ORACLE_HOME\admin\ directory, create a directory named
db_name\pfile. The value of db_name might be itimdb.
b. Copy the sample init.ora file from the
ORACLE_HOME\ora92\dbs\sample\pfile\ directory to the
ORACLE_HOME\admin\db_name\pfile directory.
c. Rename the new init.ora file to a value of initdb_name.ora.
v UNIX
Copy the ORACLE_HOME/dbs/init.ora file to a new
ORACLE_HOME/dbs/initdb_name.ora file.
2. Based on your environment requirements, tune the value of the following
parameters in the initdb_name.ora file:
compatible=9.2.0.0
db_name=itimdb
processes=150
java_pool_size=32M
shared_pool_size=50M
Additionally, define three control files for the Tivoli Identity Manager database.
This example statement defines the control files:
control_files=("/u01/app/oracle/oradata/db_name/control01.ctl",
"/u01/app/oracle/oradata/db_name/control02.ctl",
"/u01/app/oracle/oradata/db_name/control03.ctl")
3. Manually create all the directories defined in the initdb_name.ora file.
Setting environment variables
Set the environment variables for Oracle by editing the .profile file. Required
environment variables include ORACLE_SID and ORACLE_HOME, and also
include the library path, and the system path.
Source the profile on UNIX operating systems, which updates the environment
variables in the current session, to ensure that Tivoli Identity Manager can
communicate with the database. To source the profile, enter the following
command:
# . ~/.profile
For more information, refer to the Oracle Web site.
Backing up an existing database
Perform a full backup of any existing database, and review the preliminary steps
that the documentation from the Oracle Corporation provides for upgrading an
Oracle database, before you begin to install the Oracle product or upgrade an
existing database. For Web sites that provide this information, see “Installing the
Oracle database server” on page 20.
Installing the JDBC driver
Copy the Oracle JDBC driver from the Oracle server directory into a directory on
the computer on which Tivoli Identity Manager will later be installed. The Tivoli
Identity Manager installation program prompts for the directory containing the
JDBC driver. In a cluster configuration, the JDBC driver is required on the
computer that has the deployment manager and also on each Tivoli Identity
Manager cluster member computer. At Oracle database Version 9i, the Oracle JDBC
driver (the ojdbc14.jar file) is located in the ORACLE_HOME/ora92/jdbc/lib/
directory.
Creating the Tivoli Identity Manager database
Skip this step if you use the Oracle Database Configuration Assistant wizard,
which creates the Tivoli Identity Manager database.
Manually create a Tivoli Identity Manager database using these steps:
1. Create and start the database instance using these steps:
v Windows
a. Create the instance with this command on one line:
# oradim -new -sid db_name -pfile ORACLE_HOME\admin\db_name\pfile\
initdb_name.ora
The value of the -sid parameter specifies the database instance name. For
example, the value of db_name might be itimdb. The value of the -pfile
parameter specifies the file that you previously configured in
“Configuring the init.ora file” on page 20.
b. Start the database instance with these commands:
# sqlplus "/ as sysdba"
SQL> startup nomount pfile=ORACLE_HOME\admin\db_name\pfile\initdb_name.ora
c. Verify that the Windows service OracleServicedb_name is started.
v UNIX
Start the database instance with these commands:
# sqlplus "/ as sysdba"
SQL> startup nomount pfile= ORACLE_HOME/dbs/initdb_name.ora
2. Use an SQL script similar to the following example to create your database.
Change the values in the script to match any requirements at your site. In this
example, the value of the db_name is an instance name such as itimdb.
-- Create database
CREATE DATABASE db_name
CONTROLFILE REUSE
LOGFILE '/u01/oracle/db_name/redo01.log' SIZE 1M REUSE,
'/u01/oracle/db_name/redo02.log' SIZE 1M REUSE,
'/u01/oracle/db_name/redo03.log' SIZE 1M REUSE,
'/u01/oracle/db_name/redo04.log' SIZE 1M REUSE
DATAFILE '/u01/oracle/db_name/system01.dbf' SIZE 10M REUSE
AUTOEXTEND ON
NEXT 10M MAXSIZE 200M
CHARACTER SET UTF8;
-- Create another (temporary) system tablespace
CREATE ROLLBACK SEGMENT rb_temp STORAGE (INITIAL 100K NEXT 250K);
-- Alter temporary system tablespace online before proceeding
ALTER ROLLBACK SEGMENT rb_temp ONLINE;
-- Create additional tablespaces ...
-- RBS: For rollback segments
-- USERs: Create user sets this as the default tablespace
-- TEMP: Create user sets this as the temporary tablespace
CREATE TABLESPACE rbs
DATAFILE '/u01/oracle/db_name/db_name.dbf' SIZE 5M REUSE AUTOEXTEND ON
NEXT 5M MAXSIZE 150M;
CREATE TABLESPACE users
DATAFILE '/u01/oracle/db_name/users01.dbf' SIZE 3M REUSE AUTOEXTEND ON
NEXT 5M MAXSIZE 150M;
CREATE TABLESPACE temp
DATAFILE '/u01/oracle/db_name/temp01.dbf' SIZE 2M REUSE AUTOEXTEND ON
NEXT 5M MAXSIZE 150M;
-- Create rollback segments.
CREATE ROLLBACK SEGMENT rb1 STORAGE(INITIAL 50K NEXT 250K)
tablespace rbs;
CREATE ROLLBACK SEGMENT rb2 STORAGE(INITIAL 50K NEXT 250K)
tablespace rbs;
CREATE ROLLBACK SEGMENT rb3 STORAGE(INITIAL 50K NEXT 250K)
tablespace rbs;
CREATE ROLLBACK SEGMENT rb4 STORAGE(INITIAL 50K NEXT 250K)
tablespace rbs;
-- Bring new rollback segments online and drop the temporary system one
ALTER ROLLBACK SEGMENT rb1 ONLINE;
ALTER ROLLBACK SEGMENT rb2 ONLINE;
ALTER ROLLBACK SEGMENT rb3 ONLINE;
ALTER ROLLBACK SEGMENT rb4 ONLINE;
ALTER ROLLBACK SEGMENT rb_temp OFFLINE;
DROP ROLLBACK SEGMENT rb_temp ;
3. Install the JVM for the database. Use these commands:
# sqlplus "/ as sysdba"
SQL> @$ORACLE_HOME/rdbms/admin/catalog.sql
SQL> @$ORACLE_HOME/rdbms/admin/catproc.sql
SQL> @?/javavm/install/initjvm.sql
SQL> @?/xdk/admin/initxml.sql
SQL> @?/xdk/admin/xmlja.sql
SQL> @?/rdbms/admin/catjava.sql
SQL> connect system/manager
SQL> @$ORACLE_HOME/sqlplus/admin/pupbld.sql
The value of the manager parameter is the password for the system user
account.
Starting the Oracle product and the listener service
To start the Oracle database, complete these steps:
v Windows
Use the Services menu to start the Oracle database service called
OracleServicedb_name.
v UNIX
Enter these commands:
# su - oracle
# sqlplus "/ as sysdba"
SQL> startup
To start the Oracle listener service, complete these steps:
v Windows
Use the Services menu to start the Oracle TNS listener named
OracleOraHome92TNSListener. If the Oracle listener service is idle, start the
listener.
v UNIX
# su - oracle
# lsnrctl start
To ensure that Oracle processes are started, enter this command:
ps -ef | grep ora
The ps (process) command searches for processes. The grep command selects the
processes that contain a string. The parameters in this example include:
-e Select all processes.
-f Display a full listing.
To ensure that the listener is running, enter this command:
# lsnrctl status
Installing and configuring SQL Server 2000 on the Windows operating
system
This section describes installing and configuring SQL Server 2000 on the Windows
operating system. Complete these steps:
v “Preparing to install SQL Server 2000”
v “Installing SQL Server 2000”
v “Configuring SQL Server 2000” on page 24
Preparing to install SQL Server 2000
Complete the following procedures prior to installing SQL Server 2000 on a
Windows system:
1. Obtain the latest SQL Server 2000 service pack.
2. Log in to the Windows system with an Administrator account before launching
the SQL Server 2000 installation.
Installing SQL Server 2000
You might install SQL Server 2000 on the same computer or on a computer that is
separate from Tivoli Identity Manager. After installing SQL Server 2000, install the
latest SQL Server 2000 service pack. For more information on installing SQL Server
2000, refer to documentation available at these Web sites:
http://www.msdn.com/library/
http://www.microsoft.com/sql/
Configuring SQL Server 2000
You must complete several post-installation tasks to configure SQL Server 2000 for
Tivoli Identity Manager:
1. Launch the MS SQL Server Enterprise Manager.
2. Navigate the tree, clicking the Databases node.
3. Click Tools and use the menu to open SQL server configuration properties.
4. On the SQL server configuration properties window, click the Security tab.
Ensure that SQL Server and Windows authentication (mixed-mode
authentication) is enabled.
5. Create a new database using a name such as itimdb.
6. For both data files and also for the transaction log, enter the following values
for the database that you create:
v Initial file size: 20 MB
v Automatically grow the file.
v Allow unrestricted file growth.
Chapter 3. Installing and configuring a directory server
Tivoli Identity Manager stores user account and organizational data (but not data
for schedules, ACI definitions, and audit data) in a directory server. This chapter
focuses on configuring the directory server for use by Tivoli Identity Manager. The
supported combinations of directory servers and required fix packs are described
in the IBM Tivoli Identity Manager Release Notes.
The information in this chapter is not a substitute for the more extensive,
prerequisite documentation that is provided by the directory server product itself.
For more information that you are assumed to know, refer to these sources:
v IBM Tivoli Directory Server
– Hardware and software requirements, and documentation
Version 5.2: http://publib.boulder.ibm.com/tividd/td/IBMDS/IDSapinst52/en_US/HTML/ldapinst.htm
Version 6.0: http://publib.boulder.ibm.com/infocenter/tiv2help/index.jsp?toc=/com.ibm.IBMDS.doc/toc.xml
– Fixes
http://www.ibm.com/software/sysmgmt/products/support/IBMDirectoryServer.html
v Sun ONE Directory Server
– Usage and maintenance
http://www.sun.com/software/products/directory_srvr_ee/index.html
http://www.sun.com/download/index.jsp
– Documentation
http://docs.sun.com/app/docs/coll/S1_DirectoryServer_52
Before you install the directory server product
Before you install the directory server product, complete these steps:
v Read the installation guide that the directory server product provides.
v Ensure that your installation meets the directory server hardware and software
requirements.
Installing and configuring IBM Tivoli Directory Server
This section describes installing and configuring the IBM Tivoli Directory Server.
Installing IBM Tivoli Directory Server
You can install the IBM Tivoli Directory Server on the same computer with Tivoli
Identity Manager or on a separate computer.
The IBM Tivoli Directory Server uses DB2 Universal Database as a data store. If
DB2 UDB is not already installed, installing the IBM Tivoli Directory Server can
also install an instance of DB2 UDB on the same computer.
On the same computer, if you install IBM Tivoli Directory Server and the DB2
server that the Tivoli Identity Manager Server uses, you should install the DB2
server before you install the IBM Tivoli Directory Server. For information on
installing the directory server, refer to documentation that the directory server
product provides. For example, access this Web site:
http://www.ibm.com/software/sysmgmt/products/support/
IBMDirectoryServer.html
Installing the required fix packs
If your version of the IBM Tivoli Directory Server requires a fix pack, obtain and
install the fixes. For more information, refer to these support Web sites:
Version 5.2: http://publib.boulder.ibm.com/tividd/td/IBMDS/IDSapinst52/en_US/HTML/ldapinst.htm
Version 6.0: http://publib.boulder.ibm.com/infocenter/tiv2help/index.jsp?toc=/com.ibm.IBMDS.doc/toc.xml
Verify that the correct fix pack is installed on the IBM Tivoli Directory Server.
Open a fix pack file such as PF520-operatingsystem-0x.txt. For example:
v Windows: FP520W-01.txt
v Solaris: FP520OS-01.txt
Search for a text description similar to IBM Directory Release: aus52ldap Build:
041206a. The file is in this directory:
v Windows
LDAP_HOME\bin
v AIX and Linux
usr/ldap/bin
v Solaris
opt/IBMldapc/bin
For more information on these steps, refer to the IBM Tivoli Identity Manager Release
Notes and also to the documentation that the IBM Tivoli Directory Server fix pack
provides.
Setting up the IBM Tivoli Directory Server
Setting up the IBM Tivoli Directory Server requires creating the LDAP suffix for
your organization before you install the Tivoli Identity Manager Server. Setting up
the IBM Tivoli Directory Server also requires configuring the Tivoli Identity
Manager referential integrity file. An LDAP suffix, also known as a naming
context, is a distinguished name (DN) that identifies the top entry in a locally-held
directory hierarchy.
Creating the LDAP suffix object
Create the LDAP suffix for Tivoli Identity Manager using the command line
interface as follows:
1. Identify the directory server process or service, stop the directory server, create
the suffix, and restart the directory server.
a. Identify the directory server process or service.
v UNIX: grep for the process ID ibmslapd.
v Windows: Click Start –> Administrative Tools –> Services. Scroll the list
of services to locate the IBM Tivoli Directory Server.
b. Check the status of the directory server process or service. For example,
type:
ibmdirctl -D adminDN -w adminPW -h hostname -p port status
The value of adminDN (required) binds to the LDAP directory. The adminDN
parameter is a string-represented distinguished name. The value of
adminPW (required) is the administrator password. The value of hostname
(optional) and port (optional) are the host name and port of the computer
on which the directory server and the administration daemon are running.
c. If the server is running, stop the server.
v UNIX: End the ibmslapd process using the ibmdirctl command that the
administration daemon control program provides. For example, type:
ibmdirctl -D adminDN -w adminPW -h hostname -p port stop
The value of adminDN (required) binds to the LDAP directory. The
adminDN parameter is a string-represented distinguished name. The value
of adminPW (required) is the administrator password. The value of
hostname (optional) and port (optional) are the host name and port of the
computer on which the directory server and the administration daemon
are running.
v Windows:
1) Click Start –> Administrative Tools –> Services.
2) Right click the IBM Tivoli Directory Server item in the list of services
and click Stop.
Alternatively, use the ibmdirctl command that the administration
daemon control program provides. For example, type:
ibmdirctl -D adminDN -w adminPW -h hostname -p port stop
The value of adminDN (required) binds to the LDAP directory. The
adminDN parameter is a string-represented distinguished name. The
value of adminPW (required) is the administrator password. The value
of hostname (optional) and port (optional) are the host name and port
of the computer on which the directory server and the administration
daemon are running.
d. Create the suffix.
v For IBM Tivoli Directory Server Version 5.2, enter this command:
ldapcfg -s "itim_suffix"
The -s parameter specifies the suffix. The itim_suffix variable is a value
such as dc=com.
v For IBM Tivoli Directory Server Version 6.0, enter this command:
idscfgsuf -I instancename -s itim_suffix
The -I parameter specifies the directory server instance. For more
information on a value for instancename, see “Definitions for HOME and
other directory variables” on page xii.
e. Start the server.
v UNIX: Start the ibmslapd process using the ibmdirctl command that the
administration daemon control program provides. For example, type:
ibmdirctl -D adminDN -w adminPW -h hostname -p port start
The value of adminDN (required) binds to the LDAP directory. The
adminDN parameter is a string-represented distinguished name. The value
of adminPW (required) is the administrator password. The value of
hostname (optional) and port (optional) are the host name and port of the
computer on which the directory server and the administration daemon
are running.
v Windows:
1) Click Start –> Administrative Tools –> Services.
2) Right click the IBM Tivoli Directory Server item in the list of services
and click Start.
2. To add the LDAP suffix as a domain object, first create an LDAP Data
Interchange Format (LDIF) file, such as suffix.ldif, that has the following
statements. In this example, dc=com is the value that is specified for the Tivoli
Identity Manager suffix.
dn:dc=com
dc:com
objectclass:top
objectclass:domain
#one blank line must end this file, or the ldapadd command will not run
3. Use the ldapadd command to add the domain object. For example, complete
these steps:
a. Change to the LDAP_HOME/bin directory.
b. Enter the following command on one line:
ldapadd -h ldaphost -D ldap_admin -w ldap_admin_pwd -f full_pathsuffix.ldif
For example:
ldapadd -h localhost -D cn=root -w secret -f suffix.ldif
This example uses the following parameters:
-h Specifies an alternate host on which the LDAP server is running.
-D Uses the distinguished name to bind to the LDAP directory.
-w Uses the password for simple authentication.
-f Reads the entry modification from a file.
Verifying successful suffix object configuration
To verify the suffix object configuration in this example, enter this command:
ldapsearch -h localhost -b dc=com "(objectclass=domain)"
The options are:
-h Specifies an alternate host on which the LDAP server is running.
-b Specifies the search base of the initial search, instead of the default.
The output should confirm that you have configured permissions for dc=com and
initialized the suffix with data.
dc=com
objectclass=domain
objectclass=top
dc=com
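As an added example, not part of this guide, the following Python code generates the suffix.ldif file for a given suffix DN (including the blank line that ldapadd requires) and parses ldapsearch output of the form shown above to confirm that the suffix entry carries objectclass domain. It goes beyond the dc=com case to multi-component suffixes such as dc=example,dc=com; the sample output, the attribute=value output layout, and the function names are assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample of the ldapsearch verification output (not captured from a server).
SAMPLE_LDAPSEARCH = """\
dc=com
objectclass=domain
objectclass=top
dc=com
"""


def suffix_ldif(suffix: str) -> str:
    """Build the LDIF that adds an LDAP suffix as a domain object.

    The first RDN of the suffix supplies the naming attribute and value
    (dc=com -> dc: com; dc=example,dc=com -> dc: example). The result ends
    with one blank line because ldapadd refuses a file without it."""
    rdn = suffix.split(",", 1)[0].strip()
    attr, sep, value = rdn.partition("=")
    if not sep or not attr.strip() or not value.strip():
        raise ValueError("suffix must be a DN such as dc=com")
    lines = [
        f"dn: {suffix}",
        f"{attr.strip()}: {value.strip()}",
        "objectclass: top",
        "objectclass: domain",
    ]
    return "\n".join(lines) + "\n\n"


def parse_ldapsearch(output: str) -> List[Dict[str, List[str]]]:
    """Parse ldapsearch output in the attribute=value form shown in the guide.

    Entries are separated by blank lines; the first line of an entry is its DN,
    later lines are attribute=value pairs (an attribute may repeat)."""
    entries: List[Dict[str, List[str]]] = []
    current: Optional[Dict[str, List[str]]] = None
    for line in output.splitlines():
        line = line.strip()
        if not line:
            current = None              # a blank line closes the entry
            continue
        if current is None:
            current = defaultdict(list)
            current["dn"].append(line)  # first line of an entry is the DN
            entries.append(current)
            continue
        attr, sep, value = line.partition("=")
        if sep:
            current[attr.lower()].append(value)
    return entries


def suffix_is_domain(output: str, suffix: str) -> bool:
    """Verification step: an entry for the suffix exists and has objectclass domain."""
    wanted = suffix.replace(" ", "").lower()
    for entry in parse_ldapsearch(output):
        dn = entry["dn"][0].replace(" ", "").lower()
        if dn == wanted:
            classes = {c.lower() for c in entry.get("objectclass", [])}
            return "domain" in classes
    return False


if __name__ == "__main__":
    print(suffix_ldif("dc=com"), end="")
    print("suffix configured:", suffix_is_domain(SAMPLE_LDAPSEARCH, "dc=com"))
```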
Configuring the referential integrity plug-in on the IBM Tivoli
Directory Server
The referential integrity plug-in for the Tivoli Identity Manager application on the
IBM Tivoli Directory Server helps maintain consistency in references to objects that
are deleted from the directory. Use the following steps to configure the referential
integrity plug-in on the IBM Tivoli Directory Server:
1. Assuming that you stopped the IBM Tivoli Directory Server, copy the
referential integrity plug-in file from the Tivoli Identity Manager product CD to
the following directory in the default installation directory for IBM Tivoli
Directory Server:
v Windows:
– Version 5.2: LDAP_HOME\bin. For example, copy the file to the
C:\IBM\LDAP\bin directory.
– Version 6.0: LDAP_HOME\lib. For example, copy the file to the
C:\IBM\LDAP\lib directory.
v UNIX:
Version 5.2 and 6.0: LDAP_HOME/lib. For example, copy the file to the
usr/IBM/LDAP/lib directory.
On an AIX 64-bit system using a 64-bit DB2 instance, use the
LDAP_HOME/lib64 directory if the full library path name is not specified in
the ibmslapd.conf file.
The referential integrity plug-in file names are:
v AIX: libdelref.a
v Solaris: libdelref.so
v Windows: libdelref.dll
v Linux: libdelref.so
On UNIX systems, ensure that the file permission on the referential integrity
plug-in file is set to -r-xr-xr-x.
2. Copy the new Tivoli Identity Manager configuration file named timdelref.conf
from the ITIM_HOME/config/ldap/ibm directory on the version 4.6 Tivoli
Identity Manager Server or from the Tivoli Identity Manager product CD to the
etc directory on the IBM Tivoli Directory Server, replacing the previous
configuration file:
v Version 5.2: LDAP_HOME/etc
v Version 6.0: IDS_instance_HOME/etc
3. Edit the ibmslapd.conf configuration file for IBM Tivoli Directory Server. The
file location varies depending on the IBM Tivoli Directory Server version:
v UNIX:
– Version 5.2: LDAP_HOME/etc. For example, locate the file in the
usr/IBM/LDAP/etc directory.
– Version 6.0: IDS_instance_HOME/etc. For example, locate the file in the
/home/instance_owner_name/etc directory.
v Windows:
– Version 5.2: LDAP_HOME\etc. For example, locate the file in the
C:\IBM\LDAP\etc directory.
– Version 6.0: IDS_instance_HOME\etc. For example, locate the file in the
C:\idsslapd-ldapdb2\etc directory.
4. In the configuration file, specify the referential integrity file for Tivoli Identity
Manager:
a. Locate the following line:
ibm-slapdPlugin: database path_to_rdbmfilename rdbm_backend_init
The path_to_rdbmfilename variable is one of the following files:
v AIX: /lib/libback-rdbm.a
v UNIX other than AIX: /lib/libback-rdbm.so
v Windows: /lib/libback-rdbm.dll
The Windows path is specified with a forward slash.
b. Add the following line, all on one line, directly after the previous line:
v UNIX:
Version 5.2
ibm-slapdPlugin: preoperation
LDAP_HOME/lib/lib_filename DeleteReferenceInit
file=LDAP_HOME/etc/timdelref.conf dn=itim_suffix
Version 6.0
ibm-slapdPlugin: preoperation
LDAP_HOME/lib/lib_filename
DeleteReferenceInit file=IDS_instance_HOME/etc/timdelref.conf
dn=itim_suffix
v Windows:
Version 5.2
ibm-slapdPlugin: preoperation "LDAP_HOME/bin/lib_filename"
DeleteReferenceInit file="LDAP_HOME\etc\timdelref.conf"
dn=itim_suffix
Version 6.0
ibm-slapdPlugin: preoperation
"LDAP_HOME/lib/lib_filename"
DeleteReferenceInit file="IDS_instance_HOME\etc\timdelref.conf"
dn=itim_suffix
Notes:
1) The LDAP_HOME variable is the default installation directory for the
IBM Tivoli Directory Server. The lib_filename variable is the name of
the referential integrity plug-in filename, as identified in step 1 on
page 29.
2) The itim_suffix variable is a value such as dc=com.
3) On the Windows operating system, to specify the path to the
libdelref.dll and the timdelref.conf files, ensure that you enclose the
value of lib_filename in double quote marks. Additionally, specify the
path to the libdelref.dll file with a forward slash.
5. Save the changes that you made to the configuration file.
6. Start the IBM Tivoli Directory Server.
7. Determine whether the referential integrity plug-in is reconfigured and loaded
appropriately. Locate the IBM Tivoli Directory Server log file for the
configuration.
v UNIX:
– Version 5.2: LDAP_HOME/var/ibmslapd.log. On AIX, for example, the
file is in the usr/IBM/LDAP/var directory.
– Version 6.0: IDS_instance_HOME/etc/ibmslapd.log. On AIX, for example,
the file is in the usr/idsslapd-ldapdb2/etc directory.
v Windows:
– Version 5.2: LDAP_HOME\var\ibmslapd.log. For example, the file is in
the C:\IBM\LDAP\var directory.
– Version 6.0: IDS_instance_HOME\logs\ibmslapd.log. For example, the file
is in the C:\idsslapd-ldapdb2\logs directory.
You should see a message similar to the following information:
Plugin of type PREOPERATION is successfully loaded
from /usr/ldap/lib/libdelref.a
If you repeat this operation, more than one message occurs in the log file.
Examine the timestamp on the most recent message in the file. If the operation
does not succeed, ensure that the referential integrity plug-in file is in the target
directory.
Preventing connection problems with multiple LDAP sessions
Each instance of the Tivoli Identity Manager Server allocates a number of LDAP
sessions to form a connection pool at startup. The default minimum number of
sessions is 50. In a Tivoli Identity Manager cluster that has more than one cluster
member, starting the cluster can require more than 100 LDAP connections.
On the Windows operating system, the IBM Tivoli Directory Server supports a
default of 64 concurrent connections. Connection attempts beyond 64 connections
result in failed logons to the Tivoli Identity Manager Server and a "Directory
Server not available" error message similar to this example:
Connection pool exceeded: directory server not available
To prevent connection problems, define the value of SLAPD_OCHANDLERS to
increase the available connections. Complete these steps:
1. Locate the following stanza in the ibmslapd.conf file:
dn: cn=Front End, cn=Configuration
2. Add the following line to this stanza:
ibm-slapdsetenv: SLAPD_OCHANDLERS=number-of-threads
One thread supports 64 connections. If there are multiple instances of the Tivoli
Identity Manager Server, increase this value. If there are two instances of the
server, each requiring a minimum of 50 simultaneous LDAP connections,
specify a value of 2 or larger. For example, add this line to the stanza:
ibm-slapdsetenv: SLAPD_OCHANDLERS=4
3. Save the changes that you made to the configuration file.
4. Restart the IBM Tivoli Directory Server so that the changes take effect.
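The Python code below is an added example, not part of this guide, that serves both the referential integrity plug-in procedure (steps 3 through 7 above) and the SLAPD_OCHANDLERS procedure: it builds the preoperation plug-in line for UNIX or Windows, inserts it directly after the rdbm_backend_init line of ibmslapd.conf without duplicating it, derives the number of SLAPD_OCHANDLERS threads from the number of Tivoli Identity Manager servers (50 sessions each, 64 connections per thread), sets that value in the cn=Front End stanza, and checks ibmslapd.log for the load message. The configuration excerpt, paths, and function names are constructed for the example.

```python
import math
import re

# Constructed excerpt of an ibmslapd.conf in the ITDS 5.2 UNIX layout; not a real file.
SAMPLE_CONF = """\
dn: cn=Front End, cn=Configuration
cn: Front End
objectclass: top
objectclass: ibm-slapdFrontEnd

dn: cn=Directory, cn=RDBM Backends, cn=IBM Directory, cn=Schemas, cn=Configuration
ibm-slapdPlugin: database /usr/ldap/lib/libback-rdbm.so rdbm_backend_init
ibm-slapdSuffix: dc=com
"""

# The line that the plug-in entry must directly follow (step 4a).
RDBM_PLUGIN_RE = re.compile(r"^ibm-slapdPlugin:\s+database\s+\S+\s+rdbm_backend_init\s*$")
# Success message in ibmslapd.log (step 7); \s+ also matches a wrapped line.
LOADED_RE = re.compile(r"Plugin of type PREOPERATION is successfully loaded\s+from\s+(\S+)")


def delref_plugin_line(lib_path: str, conf_path: str, suffix: str,
                       windows: bool = False) -> str:
    """Assemble the referential integrity plug-in entry as one physical line.

    On Windows both paths are quoted and the library path uses forward slashes;
    the caller supplies the full library and timdelref.conf paths for its version."""
    if windows:
        lib_path = lib_path.replace("\\", "/")
        return (f'ibm-slapdPlugin: preoperation "{lib_path}" '
                f'DeleteReferenceInit file="{conf_path}" dn={suffix}')
    return (f"ibm-slapdPlugin: preoperation {lib_path} "
            f"DeleteReferenceInit file={conf_path} dn={suffix}")


def add_delref_plugin(conf_text: str, plugin_line: str) -> str:
    """Insert plugin_line directly after the rdbm backend plug-in line (idempotent)."""
    lines = conf_text.splitlines()
    if plugin_line in lines:
        return conf_text
    out, inserted = [], False
    for line in lines:
        out.append(line)
        if not inserted and RDBM_PLUGIN_RE.match(line):
            out.append(plugin_line)
            inserted = True
    if not inserted:
        raise ValueError("rdbm_backend_init plug-in line not found in ibmslapd.conf")
    return "\n".join(out) + "\n"


def ochandlers_needed(itim_instances: int, min_sessions: int = 50,
                      per_thread: int = 64) -> int:
    """Threads needed so every server's minimum LDAP pool fits: ceil(n * 50 / 64)."""
    return max(1, math.ceil(itim_instances * min_sessions / per_thread))


def set_ochandlers(conf_text: str, threads: int) -> str:
    """Add or replace ibm-slapdsetenv: SLAPD_OCHANDLERS in the cn=Front End stanza."""
    stanzas = conf_text.split("\n\n")
    for i, stanza in enumerate(stanzas):
        if stanza.startswith("dn: cn=Front End, cn=Configuration"):
            kept = [l for l in stanza.splitlines()
                    if not l.startswith("ibm-slapdsetenv: SLAPD_OCHANDLERS=")]
            kept.append(f"ibm-slapdsetenv: SLAPD_OCHANDLERS={threads}")
            stanzas[i] = "\n".join(kept)
            return "\n\n".join(stanzas)
    raise ValueError("cn=Front End stanza not found in ibmslapd.conf")


def plugin_loaded(log_text: str, lib_filename: str) -> bool:
    """Step 7: the most recent load message in ibmslapd.log names the plug-in file."""
    paths = LOADED_RE.findall(log_text)
    return bool(paths) and paths[-1].replace("\\", "/").endswith("/" + lib_filename)


if __name__ == "__main__":
    entry = delref_plugin_line("/usr/ldap/lib/libdelref.so",
                               "/usr/ldap/etc/timdelref.conf", "dc=com")
    conf = set_ochandlers(add_delref_plugin(SAMPLE_CONF, entry), ochandlers_needed(2))
    print(conf)
```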
Avoiding port conflicts
IBM Tivoli Directory Server might install the WebSphere Application Server –
Express, which can cause potential port conflicts. If another WebSphere Application
Server is on the same computer, resolve any port conflicts with WebSphere
Application Server – Express before you run the other server. For more
information, see “Resolving port conflicts” on page 40.
Installing and configuring Sun ONE Directory Server
This section describes installing and configuring Sun ONE Directory Server.
Installing the Sun ONE Directory Server
For the instructions and more information on installing the Sun ONE Directory
Server, refer to documentation available at these Web sites:
http://www.sun.com/software/products/directory_srvr_ee/index.html
http://docs.sun.com/app/docs/coll/S1_DirectoryServer_52
http://www.sun.com/software/download/inter_ecom.html#dirserv
Configuring the Sun ONE Directory Server
To configure the Sun ONE Directory Server, complete these steps:
1. Start and log on to the Sun ONE Directory Server administrative console. For
example, to start the directory server, enter this command:
path/Sun/mps/startconsole
On AIX, for example, the value of path is usr.
2. Navigate to your directory server in the console tree and open the directory
server.
3. Select the Configuration tab and configure a new root suffix that can be any
value for the suffix that you define for Tivoli Identity Manager, such as dc=com.
For example, complete these steps:
a. On the Configuration tab, right click the Data folder.
b. In the New Suffix window, type dc=com.
c. Select the new item dc=com. Then, add an attribute such as o for
organization.
d. Click Save. Then, on the warning window, click Do nothing.
4. Give the new root suffix an object class of domain. In the Create New Root
Suffix window, complete these steps:
a. Select the Directory tab.
b. Right-click the name of the directory server in the directory server tree and
select the new root suffix such as dc=com that you created in step 3, located
under New Root Object.
c. In the New Object window, select domain and repeatedly click OK in
subsequent windows.
5. Restart the directory server.
6. Open the Performance folder and increase the memory cache available for the
Tivoli Identity Manager Server to a maximum cache size that is appropriate to
the physical memory for your hardware configuration. If the Sun ONE
Directory Server is installed on its own machine, set this value to 75% of the
available memory.
7. Select the database object in the Tivoli Identity Manager application node, and
change the memory available in the database settings to a value that is
appropriate to the physical memory for your hardware configuration. If the
Tivoli Identity Manager application is the only application using this directory,
set this value to 60% of the maximum cache size.
8. Save the settings.
9. Restart the directory server.
Note: Sun ONE Directory Server access control instructions (ACIs) might have
enabled anonymous read access. To provide more secure data, modify the
default ACIs to disable anonymous read access. For more information, refer
to the Sun ONE Directory Server documentation.
Chapter 4. Installing and configuring WebSphere Application
Server
This chapter describes generic steps to create a WebSphere Application Server
environment before you install the Tivoli Identity Manager Server in either
single-server or cluster configurations.
Before you install the WebSphere Application Server
Before installing the WebSphere Application Server, complete these tasks:
v “Meeting installation requirements”
v “Solaris: Setting additional kernel parameters for WebSphere embedded
messaging”
v “UNIX: Creating groups and users before installing WebSphere embedded
messaging” on page 34
Meeting installation requirements
To meet the installation requirements for the WebSphere Application Server,
complete these steps:
v Read the installation guide that the WebSphere Application Server provides.
v Ensure that your system meets the product hardware and software requirements.
v Ensure that all required operating system fix packs and cumulative fixes are in
place. For more information on tuning operating systems for the WebSphere
Application Server, refer to this Web site:
http://publib.boulder.ibm.com/infocenter/wasinfo/v5r1//index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/tprf_tuneopsys.html
For more information on installing the WebSphere Application Server, refer to the
following Web sites:
v Hardware and software requirements
http://www.ibm.com/software/webservers/appserv/doc/latest/prereq.html
http://www.ibm.com/software/webservers/appserv/doc/v51/prereqs/was_v511.htm
v Fixes
http://www.ibm.com/software/webservers/appserv/was/support/
v Documentation
http://publib.boulder.ibm.com/infocenter/ws51help/index.jsp
http://www.redbooks.ibm.com/
Solaris: Setting additional kernel parameters for WebSphere
embedded messaging
Before installing the WebSphere Application Server on Solaris operating systems,
specify the additional kernel parameter values that the WebSphere Application
Server requires to support WebSphere embedded messaging. Installation fails if
these additional kernel parameter values are not specified.
Tivoli Identity Manager has prerequisites for WebSphere Application Server and
WebSphere embedded messaging that require additional kernel settings. On Solaris
9, for the files and additional processes that prerequisite checking requires, see
this Web site:
http://publib.boulder.ibm.com/infocenter/ws51help/index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/relnotes/relnotes_aes.html
To locate the list of kernel parameters for Solaris systems, take these steps in the
WebSphere Application Server information center that the Web site provides:
1. In the table of contents, click Installing -> Getting started -> Installing the
product -> Installing the base Application Server on Solaris platforms.
2. Scroll the target information section to the step that reads "Set kernel values to
support Application Server."
AIX: Validating port 9090 is available for the WebSphere
Application Server administrative host
The WebSphere Application Server administrative host uses the default port 9090.
On AIX systems, the AIX wsmserver process might use port 9090 for Web-based
System Manager servers. To test whether the port is being used, enter this
command:
netstat -an | grep 9090
Use these parameters:
-a Show both listening and non-listening sockets.
-n Show numerical addresses rather than symbolic host, port or user names.
To make port 9090 available for the WebSphere Application Server administrative
host, specify a different port for the AIX wsmserver process. At a command line
prompt, type these commands:
cd /path/websm/bin
./wsmserver -disable
./wsmserver -enable -listenport availableportnumber
./wsmserver -start
The path parameter has a value such as usr. The value of the availableportnumber is
an available, unused port number.
UNIX: Creating groups and users before installing WebSphere
embedded messaging
Before you install the WebSphere embedded messaging server and client that the
WebSphere Application Server provides, create the groups and users that the
WebSphere embedded messaging requires on UNIX operating systems. Complete
these steps:
1. Create the groups mqm and mqbrkrs, and create the mqm user. Add the mqm user to
the mqm group. Add root to both groups.
2. To make the changes effective, log off:
v UNIX: If you are running the Common Desktop Environment, you must log
off completely. Closing the open consoles is insufficient.
v Linux: Log out of the desktop session or shell process.
3. Log on again as root. For more information, refer to the installation
documentation that the WebSphere product provides.
Installing the WebSphere Application Server base product, IBM HTTP
Server, and WebSphere Web Server plug-in
The WebSphere installation program can also install the IBM HTTP Server and
WebSphere Web Server plug-in. You can install these features either with the
WebSphere Application Server or on a separate computer. Additional configuration
steps are required if you install the IBM HTTP Server and WebSphere Web Server
plug-in on a separate computer. For more information on installation, refer to the
following Web site:
http://www.ibm.com/software/webservers/appserv/infocenter.html
Run the WebSphere installation program to install the WebSphere Application
Server, IBM HTTP Server and WebSphere Web Server plug-in. In a cluster
configuration, do not install the IBM HTTP Server and the WebSphere Web Server
plug-in on each cluster member. Complete these steps:
1. Install the WebSphere Application Server from the root user on UNIX systems,
or from a user with administrator authority on the Windows operating
system.
2. Start the WebSphere Application Server base installation program and
complete the required steps.
3. Choose custom installation and do not select the WebSphere sample
applications.
4. Enter the values that the WebSphere installation program requires.
5. When installation is complete, the installation wizard displays a First Steps
window. Click Verify the Installation to verify that there are no installation
problems.
6. If the IBM HTTP Server and the WebSphere Application Server are installed
on the same computer, bring down the HTTP server before you apply fix
packs and cumulative fixes for the WebSphere Application Server. Stop the
WebSphere Application Server system and any related process. For example,
stop the JMS server.
7. After you apply the WebSphere Application Server Fix Pack, start the
WebSphere Application Server using the following command:
v Windows
WAS_HOME\bin\startServer.bat servername
For example, the value of servername is server1.
v UNIX
WAS_HOME/bin/startServer.sh servername
8. After you start the WebSphere Application Server, verify that the WebSphere
embedded messaging queue manager is also running. To verify the status,
enter this command:
dspmq
A message similar to the following message indicates that the queue manager
for server1 is running:
QMNAME(WAS_wasnodename_server1) STATUS(status_string)
The value of wasnodename is the node name that is defined when the
WebSphere Application Server is installed. The value of status_string might be
a string such as Running or Ended Immediately.
9. Use the following Web address to access the WebSphere administrative
console:
http://hostname:9090/admin
The value of hostname is either the fully qualified host name or the IP address
of the computer on which you installed the WebSphere Application Server
base product. The value 9090 is the default port number for the WebSphere
administrative HTTP transport. The port number may not be 9090 if there is
another instance of the WebSphere Application Server on the computer.
10. Ensure you have resolved any port problems, if you have more than one
version of WebSphere Application Server installed on the computer. For more
information, see “Resolving port conflicts” on page 40.
11. Examine the SystemOut.log and SystemErr.log files to ensure that there are no
other problems. For more information, see “Logs and directories” on page 102.
Installing the IBM HTTP Server
Although you can install the IBM HTTP Server and the WebSphere Web Server
plug-in on the same computer that has the deployment manager, you might want
to install the IBM HTTP Server and the WebSphere Web Server plug-in on a
separate computer for additional security. For more information, see “Moving the
HTTP server out of the cell for additional security” on page 45.
To install the IBM HTTP Server and the WebSphere Web Server plug-in, complete
these steps:
1. Start the WebSphere Application Server base installation program.
2. Navigate through the installation windows and any windows that check
prerequisites, accepting the default settings.
3. Choose the Custom installation option when that installation window is
displayed and then click Next.
4. On the features selection window, select only the following items and then click
Next:
v IBM HTTP Server
v Web Server plug-ins (for IBM HTTP Server)
5. Accept the default target directories, or modify the target and then click Next.
6. On the summary window, verify the options and click Install to install the
components.
7. Obtain and install the required fix pack and cumulative fixes for the WebSphere
Application Server base product. The fix pack also includes the fix for IBM
HTTP Server. For more information, refer to the IBM Tivoli Identity Manager
Release Notes.
If you install the IBM HTTP Server on a separate computer, there are additional
steps to set up the server for use with Tivoli Identity Manager on the WebSphere
Application Server. For more information, see “Moving the HTTP server out of the
cell for additional security” on page 45.
Creating a cluster configuration
The cluster installation and configuration program has the following sequence:
1. “Installing the deployment manager” on page 37
2. “Installing the WebSphere Application Server base product on each node” on
page 37
3. “Adding nodes to a cell” on page 38
4. “Verifying that the deployment manager, node agents, and JMS servers are
running” on page 38
5. “Creating a cluster” on page 39
Installing the deployment manager
To install the deployment manager, complete these steps:
1. Start the deployment manager installation program and complete the required
steps. Ensure that you do the following actions:
v If both the WebSphere Application Server base product and the deployment
manager are installed on the same computer, install the WebSphere
Application Server base product first. During the deployment manager
installation, select the option that allows the deployment manager to co-exist
with the WebSphere Application Server base product. The deployment
manager is assigned new port numbers to avoid a port conflict.
2. When installation is complete, the installation wizard displays a First Steps
window. Click Verify the Installation to verify that there are no installation
problems.
3. Stop the deployment manager before you apply a fix pack or cumulative fix.
4. Install the required fix pack or cumulative fixes. For more information, refer to
the IBM Tivoli Identity Manager Release Notes.
5. After you install the fix pack or cumulative fix, start the deployment manager:
a. Change to the deployment manager bin subdirectory.
b. Start the deployment manager using the following command:
v Windows
startManager.bat
v UNIX
startManager.sh
6. Use the following Web address to access the administrative console:
http://hostname:9090/admin
The value of hostname is the fully qualified host name or the IP address of the
computer on which you installed the deployment manager. The value 9090 is
the default port number for the WebSphere administrative HTTP transport. If
you have multiple instances of the WebSphere Application Server on the same
computer, the port number may be a different value, such as 9091. The port
number is the port number for the WebSphere virtual host (admin_host) that is
assigned during installation, allowing coexistence of more than one WebSphere
Application Server.
Installing the WebSphere Application Server base product on
each node
Install the WebSphere Application Server base product on each computer on which
the Tivoli Identity Manager Server runs as a Tivoli Identity Manager cluster
member.
Do not install the IBM HTTP Server and the WebSphere Web Server plug-in on
each cluster member.
To install the WebSphere Application Server base product, follow the steps in
“Installing the WebSphere Application Server base product, IBM HTTP Server, and
WebSphere Web Server plug-in” on page 35.
Adding nodes to a cell
You can add a node to a Tivoli Identity Manager cell by running the addNode.sh
script on each application server that you want to add as a node to the cluster.
Enter this statement on one line:
v Windows
"WAS_HOME\bin\addNode.bat dmgr_host portnumber"
v UNIX
WAS_HOME/bin/addNode.sh dmgr_host portnumber
The value of dmgr_host is the host name of the computer on which the deployment
manager is installed. The portnumber parameter specifies the Simple Object Access
Protocol (SOAP) port number that is assigned to the deployment manager. The
value can be omitted if the default port number 8879 is used.
A node agent is created and started after a node is successfully added to a cell. A
JMS server that is associated with the node is also created after a node is
successfully added to a cell.
Verifying that the deployment manager, node agents, and JMS
servers are running
You must ensure that the deployment manager, WebSphere Application Server
node agents, and JMS servers are running. If Tivoli Identity Manager will use DB2
Universal Database, and either the DB2 server or the DB2 runtime client is already
installed, you must source the DB2 UDB profile on each cluster member computer
on UNIX systems before the node agent is started. Sourcing the DB2 UDB profile
on UNIX systems ensures that Tivoli Identity Manager can communicate with the
database. For more information, see either “UNIX: Sourcing the DB2 Universal
Database profile” on page 57 for a single-server configuration or “UNIX: Sourcing
the DB2 Universal Database profile” on page 73 for a cluster configuration.
To ensure that the deployment manager and all WebSphere Application Server
node agents are running, complete these steps using either a command line
interface or the WebSphere administrative console:
v Command line interface
To determine the status of the node agent and the JMS server, run the following
command on the computer on which the WebSphere Application Server base
product is installed:
– Windows
WAS_HOME\bin\serverStatus.bat -all
– UNIX
WAS_HOME/bin/serverStatus.sh -all
The status of the node agent and JMS server is displayed. If the node agent is
not started, run the following command:
– Windows
"WAS_HOME\bin\startNode.bat"
– UNIX
WAS_HOME/bin/startNode.sh
If the JMS server is not started, run the following command on the computer on
which the node agent resides:
– Windows
"WAS_HOME\bin\startServer.bat jmsserver"
– UNIX
WAS_HOME/bin/startServer.sh jmsserver
To determine the status of the deployment manager, run this command on the
computer on which the deployment manager is installed:
– Windows
WAS_NDM_HOME\bin\serverStatus.bat -all
– UNIX
WAS_NDM_HOME/bin/serverStatus.sh -all
If the deployment manager is not started, run this command on the computer
that has the deployment manager:
– Windows
startManager.bat
– UNIX
startManager.sh
v Administrative console
If the deployment manager is running, you can log on to the WebSphere
administrative console to verify the status of the node agents and JMS servers.
Complete these steps:
1. To verify the status of the node agents, click System Administration –>
Node Agents. A window opens that displays the node agents and their
status. If a node agent is not running, start the node agent by entering this
command on the computer that has the idle node agent:
– Windows
"WAS_HOME\bin\startNode.bat"
– UNIX
WAS_HOME/bin/startNode.sh
2. To verify the status of the JMS servers, click Servers –> JMS Servers. A
window opens that displays the JMS servers and their status. If a JMS server
is not running, start the JMS server by selecting the server on the WebSphere
administrative console and clicking Start.
Creating a cluster
On the WebSphere administrative console of the deployment manager, complete
these steps to create a cluster:
1. Click Servers –> Clusters.
2. On the next window, click New.
3. Enter a name that you give to the cluster, select the appropriate server, and
click Next.
4. Complete the New Clustered Servers window, specifying a cluster member, and
click Apply. Repeat the specification for additional cluster members. When the
list is complete, click Next.
5. Examine the cluster member summary to ensure that the list of cluster
members is correct. Click Finish.
6. In the Messages window, click Save.
7. Select Synch changes with Nodes, and save the configuration to the master
repository.
Resolving port conflicts
The WebSphere Application Server uses a set of default ports for different
purposes. For example, the value 9090 is the default port number for the
WebSphere administrative HTTP transport. Several of the ports that are associated
with the Tivoli Identity Manager application are described in Table 3. If any default
port numbers are already in use prior to installing either the WebSphere
Application Server base product or the deployment manager, either release the port
or choose a different port number when you install the WebSphere Application
Server.
Table 3. Default port numbers
Description         | Port number                                                        | Used by                                          | Alternate port number example
HTTP Transport      | 9080                                                               | WebSphere Application Server default host        | 9081
HTTP Transport      | 9090                                                               | WebSphere Application Server administrative host | 9091
SOAP connector port | Deployment manager: 8879; WebSphere Application Server base: 8880  | WebSphere administrative component               | Deployment manager: 8889; WebSphere Application Server base: 8881
IBM HTTP Server     | 80                                                                 | HTTP server                                      | Value of 80 is required.
To determine whether a port is available before starting the installation program,
enter this command:
netstat -an
The command uses these parameters:
-a Displays both listening and non-listening sockets.
-n Displays addresses and port numbers in numerical form.
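As an added example (not IBM's or WebSphere's code), the following script performs the same availability check as the netstat -an commands above, for the Table 3 ports and for the AIX port 9090 case, by attempting to bind each port; the port map and alternates are taken from Table 3, and the reserve_port helper exists only to simulate an occupied port.

```python
"""Check whether the WebSphere default ports from Table 3 are already in use.

Added example, not IBM's or WebSphere's code. It probes with bind() instead of
parsing netstat output, so it gives the same answer on AIX, Linux and Windows.
"""
import socket

# Default ports and the alternates from Table 3 (IBM HTTP Server must stay on 80).
DEFAULT_PORTS = {
    "HTTP transport, WebSphere Application Server default host": 9080,
    "HTTP transport, WebSphere Application Server administrative host": 9090,
    "SOAP connector, deployment manager": 8879,
    "SOAP connector, WebSphere Application Server base": 8880,
    "IBM HTTP Server": 80,
}
ALTERNATES = {9080: 9081, 9090: 9091, 8879: 8889, 8880: 8881}


def port_is_free(port, host="0.0.0.0"):
    """True if a new listener could bind host:port right now.

    A failed bind means another process owns the port (for example the AIX
    wsmserver on 9090 or a second WebSphere instance), or that this user may
    not bind a privileged port such as 80; the installer would fail either way.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        try:
            sock.bind((host, port))
        except OSError:
            return False
    return True


def find_port_conflicts(ports=DEFAULT_PORTS, alternates=ALTERNATES, host="0.0.0.0"):
    """Map each conflicting description to (port, free_alternate_or_None).

    An alternate from Table 3 is suggested only if it is itself free.
    """
    conflicts = {}
    for description, port in ports.items():
        if port_is_free(port, host):
            continue
        alternate = alternates.get(port)
        if alternate is not None and not port_is_free(alternate, host):
            alternate = None
        conflicts[description] = (port, alternate)
    return conflicts


def reserve_port(host="127.0.0.1"):
    """Bind and listen on an ephemeral port to simulate an occupied port.

    Returns (socket, port); close the socket to release the port again.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind((host, 0))
    sock.listen(1)
    return sock, sock.getsockname()[1]


if __name__ == "__main__":
    for description, (port, alternate) in find_port_conflicts().items():
        hint = f"try {alternate}" if alternate else "no alternate; release the port"
        print(f"{description}: port {port} in use ({hint})")
```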
Optionally configuring security for Tivoli Identity Manager
When enabled, WebSphere global security ensures that authenticated users have
the necessary permissions to access Tivoli Identity Manager Enterprise JavaBeans™ (EJB™)
components. Configuring this security component involves configuring an
authentication mechanism, a user registry, and optionally, Java 2 security. The
manual steps differ, depending on whether the deployment is for one node or for
multiple nodes.
The Java 2 security policy that Tivoli Identity Manager provides grants Tivoli
Identity Manager all permissions on the system. Enabling Java 2 security can cause
a reduction in performance of the WebSphere Application Server. For more
information, refer to performance information that the WebSphere Application
Server product provides.
Enabling Java 2 security for the Tivoli Identity Manager application also causes
Java 2 security to be enforced on all applications that are running on the
WebSphere Application Server. If you enable Java 2 security for the Tivoli Identity
Manager application, you should also appropriately configure all other applications
running on the WebSphere Application Server to support Java 2 security.
For more information on configuring secure sockets layer (SSL) authentication in
the Tivoli Identity Manager environment, refer to the IBM Tivoli Identity Manager
Information Center.
Configuring security manually for single-node deployments
before installing Tivoli Identity Manager
To configure the security for single-node deployment, complete the following
manual steps before installing Tivoli Identity Manager:
1. Specify an administrative user with these steps:
a. Create or select an administrative user in the user registry of your operating
system. In subsequent examples, the user is called the System User or
wasadmin.
b. Create or select another administrative user in the user registry of your
operating system. In subsequent examples, the user is called the EJB user or
itimadmin. Define the EJB User ID prior to starting installation. This user ID
will be used when configuring security after Tivoli Identity Manager
installation. For more information, see “Optionally configuring security after
installing Tivoli Identity Manager” on page 87.
2. Specify the authentication mechanism and user registry with these steps:
a. Start the WebSphere Application Server, and log in at the console.
b. Click Security –> Global Security.
c. Select the following options:
v Active Authentication Mechanism: Select SWAM (Simple WebSphere
Authentication Mechanism)
v Active User Registry: Select Local OS
d. Save the configuration changes.
3. Configure the local OS user registry with these steps:
a. Click Security –> User Registries–> Local OS.
b. Enter the System User user ID (wasadmin) and password.
c. Save the configuration changes.
4. Enable security with these steps:
a. Click Security –> Global Security.
b. Click Enabled. The action also selects Enforce Java 2 Security. For
performance reasons, you might consider disabling Java 2 security.
c. Save the configuration changes.
5. On a single-node deployment, restart the WebSphere Application Server. When
starting the administrative server, you might be required to specify the
WebSphere administrative user ID and password. For example:
v Windows
WAS_HOME\bin\stopServer server1 [-username wasadmin -password wasadminpwd]
WAS_HOME\bin\startServer server1
v UNIX
WAS_HOME/bin/stopServer.sh server1 [-username wasadmin -password wasadminpwd]
WAS_HOME/bin/startServer.sh server1
Configuring security manually for multi-node deployments
before installing Tivoli Identity Manager
To configure security for multi-node deployment, complete the following steps
before installing Tivoli Identity Manager:
1. Set up LDAP for multi-node security with these steps:
a. First, using the management tool that the directory server provides, create
an organization unit (for example) ou=WasSecurity,dc=com. The value of
dc=com might be the suffix for your organization.
b. Next, create the wasadmin organizational Person object for the WebSphere
Application Server administrative user that is specified as the System User.
Use the management tool that the directory server provides, or use the
following examples:
v IBM Tivoli Directory Server
Create an ePerson. For example, create
(cn=wasadmin,ou=WasSecurity,dc=com). Set the following fields and
values:
– sn=wasadmin
– cn=wasadmin
– uid=wasadmin
– userPassword=wasadminpwd
You can also import the following LDIF file, updating the baseDN with a
value such as dc=com and userPassword variables for your environment.
For example, the file contains these statements:
dn:cn=wasadmin,ou=WasSecurity,baseDN
userPassword:userPassword
uid:wasadmin
objectclass:top
objectclass:person
objectclass:ePerson
sn:wasadmin
cn:wasadmin
v Sun ONE Directory Server
Create an inetOrgPerson. For example, create
(uid=wasadmin,ou=WasSecurity,dc=com). Set the following fields and
values:
– sn=wasadmin
– cn=wasadmin
– uid=wasadmin
– userPassword=wasadminpwd
– givenName=wasadmin
You can also import the following LDIF file, updating the baseDN with a
value such as dc=com and userPassword variables for your environment.
An example file contains these statements:
dn:uid=wasadmin,ou=WasSecurity,baseDN
userPassword:userPassword
uid: wasadmin
givenName: wasadmin
objectClass:inetorgperson
objectClass:organizationalPerson
objectClass:person
objectClass:top
sn:wasadmin
cn:wasadmin
c. Depending on the directory server, create the itimadmin organizational
Person object for the WebSphere Application Server administrative user that
is specified as the EJB user. For more information on setting up an
unprivileged itimadmin object in the context of security planning for Tivoli
Identity Manager, refer to the IBM Tivoli Identity Manager Planning for
Deployment Guide.
v IBM Tivoli Directory Server
Create an ePerson. For example, create
(cn=itimadmin,ou=WasSecurity,dc=com). Set the following fields and
values:
– sn=itimadmin
– cn=itimadmin
– uid=itimadmin
– userPassword=itimadminpwd
You can also import the following LDIF file, updating the baseDN with a
value such as dc=com and userPassword variables for your environment.
An example file contains these statements:
dn:cn=itimadmin,ou=WasSecurity,baseDN
userPassword:userPassword
uid:itimadmin
objectclass:top
objectclass:person
objectclass:ePerson
sn:itimadmin
cn:itimadmin
v Sun ONE Directory Server
Create an inetOrgPerson. For example, create
(uid=itimadmin,ou=WasSecurity,dc=com). Set the following fields and
values:
– sn=itimadmin
– cn=itimadmin
– uid=itimadmin
– userPassword=itimadminpwd
– givenName=itimadmin
You can also import the following LDIF file, updating the baseDN with a
value such as dc=com and userPassword variables for your environment.
An example file contains these statements:
dn:uid=itimadmin,ou=WasSecurity,baseDN
userPassword:userPassword
uid:itimadmin
givenName:itimadmin
objectClass:inetorgperson
objectClass:organizationalPerson
objectClass:person
objectClass:top
sn:itimadmin
cn:itimadmin
2. Set up the authentication mechanism and user registry with these steps:
a. Start the deployment manager, and log in at the console.
b. Click Security –> Global Security.
c. Select the following options:
v Active Authentication Mechanism: LTPA (Lightweight Third Party
Authentication)
v Active User Registry: LDAP
d. Save the configuration changes.
3. Configure the authentication mechanism with these steps:
a. Click Security –> Authentication Mechanisms –> LTPA.
b. Create and confirm a password for the LTPA authentication mechanism.
c. Save the configuration changes.
4. Configure the LDAP user registry with these steps:
a. Click Security –> User Registries–> LDAP.
b. Set the following fields and values:
v Server User ID=wasadmin
v Server User Password=wasadminpwd
v Type=directoryservertype
The value of directoryservertype identifies the directory server such as
IBM_Directory_Server.
v Host=ITIM LDAP server hostname
v Base Distinguished Name (DN): ou=WasSecurity,dc=com
v Bind Distinguished Name (DN): Enter the bind distinguished name such
as cn=root.
v Bind Password: Enter the password for the bind distinguished name.
v Ignore Case: Check this option
c. Save the configuration changes.
5. Enable security with these steps:
a. Click Security –> Global Security.
b. Click Enabled. The action also selects Enforce Java 2 Security. For
performance reasons, you might consider disabling Java 2 security.
c. Save the configuration changes.
6. To run with security enabled, complete these steps:
a. On the computer with the deployment manager, enter:
v Windows
WAS_NDM_HOME\bin\stopManager [-username wasadmin -password wasadminpwd]
WAS_NDM_HOME\bin\startManager
v UNIX
WAS_NDM_HOME/bin/stopManager.sh [-username wasadmin -password wasadminpwd]
WAS_NDM_HOME/bin/startManager.sh
b. On other computers with the node agent:
v Windows
WAS_HOME\bin\stopNode [-username wasadmin -password wasadminpwd]
WAS_HOME\bin\startNode
v UNIX
WAS_HOME/bin/stopNode.sh [-username wasadmin -password wasadminpwd]
WAS_HOME/bin/startNode.sh
c. Restart the cluster. Complete these steps:
1) Log in to the deployment manager using the wasadmin user ID and
password at the console.
2) Click Servers –> Clusters.
3) Select the cluster.
4) Click Stop and then click Start.
d. Restart the JMS server. Complete these steps:
1) Log on to the deployment manager.
2) Click Servers –> JMS Servers.
3) Select the server.
4) Click Stop and then click Start.
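As an added example (not IBM's code) for the wasadmin and itimadmin entries in step 1, the following script builds the LDIF for either directory server from one description, parses it back, and checks that the RDN matches its attribute and that the password is not repeated in a normally readable attribute such as givenName. The server profiles are assumptions drawn from the guide's sample LDIF.

```python
"""Generate and sanity-check the WebSphere security user entries
(wasadmin, itimadmin) for IBM Tivoli Directory Server or Sun ONE Directory Server.

Added example, not IBM's code. The profiles mirror the guide's sample LDIF:
ITDS uses an ePerson entry with a cn RDN, Sun ONE an inetOrgPerson entry
with a uid RDN. The container ou=WasSecurity is the guide's.
"""

OU = "ou=WasSecurity"

# Assumed per-server layout, taken from the guide's sample entries.
SERVER_PROFILES = {
    "ITDS": {
        "rdn_attr": "cn",
        "object_classes": ["top", "person", "ePerson"],
        "given_name": False,
    },
    "SunONE": {
        "rdn_attr": "uid",
        "object_classes": ["inetorgperson", "organizationalPerson", "person", "top"],
        "given_name": True,
    },
}


def security_user_ldif(server, uid, password, base_dn):
    """Return one LDIF entry for the given server type.

    The same value is used for uid, cn and sn (and givenName on Sun ONE),
    as the guide's examples do; the password goes only into userPassword.
    """
    profile = SERVER_PROFILES[server]
    lines = [f"dn: {profile['rdn_attr']}={uid},{OU},{base_dn}"]
    lines += [f"objectClass: {oc}" for oc in profile["object_classes"]]
    lines += [f"uid: {uid}", f"cn: {uid}", f"sn: {uid}"]
    if profile["given_name"]:
        lines.append(f"givenName: {uid}")
    lines.append(f"userPassword: {password}")
    return "\n".join(lines) + "\n"


def parse_ldif_entry(text):
    """Parse a single LDIF entry into {attribute_lowercase: [values]}.

    Tolerates 'attr:value' and 'attr: value' spacing, which the guide's
    samples mix; continuation lines and base64 values are not handled.
    """
    entry = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def check_entry(entry):
    """Return a list of problems (empty when the entry is consistent).

    Checks that the RDN value matches the attribute it names, and that the
    password is not duplicated into a naming attribute that ordinary binds
    can usually read.
    """
    problems = []
    rdn = entry["dn"][0].split(",", 1)[0]
    rdn_attr, _, rdn_value = rdn.partition("=")
    if entry.get(rdn_attr.lower(), [None])[0] != rdn_value:
        problems.append(f"RDN {rdn} does not match the {rdn_attr} attribute")
    password = entry.get("userpassword", [None])[0]
    for attr in ("uid", "cn", "sn", "givenname"):
        if password is not None and password in entry.get(attr, []):
            problems.append(f"{attr} duplicates userPassword")
    return problems


if __name__ == "__main__":
    for server in SERVER_PROFILES:
        for user, pwd in (("wasadmin", "wasadminpwd"), ("itimadmin", "itimadminpwd")):
            ldif = security_user_ldif(server, user, pwd, "dc=com")
            print(ldif, "problems:", check_entry(parse_ldif_entry(ldif)))
```

Replace dc=com with your own suffix and choose real passwords before importing the output.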
Disabling security
For testing purposes or troubleshooting, you might need to disable security. To
disable security using the WebSphere administrative console, complete these steps:
1. Click Security –> Global Security.
2. Clear the Enabled and Enable Java 2 Security checkboxes.
3. Stop and then start all node agents, JMS servers, and application servers.
Moving the HTTP server out of the cell for additional security
To provide additional security, configure an HTTP server, such as the IBM HTTP
Server, to reside on a standalone computer that is external to any other Tivoli
Identity Manager component. An example of a cluster configuration that provides
additional security is similar to Figure 6. This process includes installing the IBM
HTTP Server and the WebSphere Web Server plug-in, copying several files from
the deployment manager, and configuring the web server to load and configure a
WebSphere module when the server is started.
Complete these steps:
1. On the external computer, install and configure the IBM HTTP Server and the
WebSphere Web Server plug-in.
2. Create a directory under the HTTP_HOME/conf directory called WebSphere.
3. Copy the WAS_NDM_HOME/config/cells/plugin-cfg.xml file from the
deployment manager computer to the HTTP_HOME/conf/WebSphere
directory.
Figure 6. HTTP server configuration for increased security
(Figure elements: the IBM HTTP Server with the WebSphere Web Server plug-in, outside the Tivoli Identity Manager cell; the Tivoli Identity Manager cell, containing the Tivoli Identity Manager cluster (WebSphere Application Server base, Tivoli Identity Manager Server, JDBC driver) and WebSphere Application Server Network Deployment with a JDBC driver; the Tivoli Identity Manager database; the LDAP data store.)
4. If Secure Socket Layer (SSL) communication is enabled, also copy the following
files from the deployment manager computer to the
HTTP_HOME/conf/WebSphere directory:
v WAS_NDM_HOME/etc/plugin-key.kdb
v WAS_NDM_HOME/etc/plugin-key.sth
For more information on configuring SSL authentication in the Tivoli Identity
Manager environment, refer to the IBM Tivoli Identity Manager Information
Center.
5. The behavior of the WebSphere Web Server plug-in is governed by the
plugin-cfg.xml file. On the computer that has the IBM HTTP Server, open the
plugin-cfg.xml file in the text editor and make the following changes:
v Change each instance of the WAS_NDM_HOME/etc/ directory to the
HTTP_HOME/conf/WebSphere directory. That is, replace
/path/WebSphere/DeploymentManager/etc with
/path/IBMHttpServer/conf/WebSphere.
v Change the directory of the http_plugin.log file to HTTP_HOME/logs. That
is, replace /path/WebSphere/DeploymentManager/logs/http_plugin.log
with /path/IBMHttpServer/logs/http_plugin.log.
The value of path varies for these operating systems:
v Windows: drive:\Program Files
v AIX: /usr
v Other UNIX: /opt
6. Use a text editor to open the HTTP_HOME/conf/httpd.conf file and add the
following WebSphere Web Server plug-in setting as one line at the bottom of
the file:
LoadModule ibm_app_server_http_module WAS_HOME/WebSphere/AppServer/bin/mod_ibm_app_server_http.operatingsystem
The operatingsystem is one of these values:
v dll for the Windows operating system
v so for the UNIX, including the AIX operating system
On the next line, enter the following WebSphere Web Server plug-in setting:
WebSpherePluginConfig HTTP_HOME/conf/WebSphere/plugin-cfg.xml
Ensure that any required WebSphere Application Server Fix Pack is also installed
on the computer on which the WebSphere Web Server plug-in is installed. For
more information on fix packs, refer to the IBM Tivoli Identity Manager Release
Notes.
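The relocation in steps 2 through 6 is easy to get half right: a deployment manager path left behind in plugin-cfg.xml means the plug-in cannot find its keyring or log, and a duplicated LoadModule line makes the HTTP server load the module twice. The following script is an added example, not part of the IBM guide, that performs the copy, the two path rewrites and the httpd.conf additions, and then checks the result. It assumes the UNIX layout the text describes (WAS_NDM_HOME under /opt/WebSphere/DeploymentManager); the plugin-cfg.xml used by demo() is a constructed stand-in for the real file.

```shell
#!/bin/sh
# Added example; not part of the IBM guide. Relocates plugin-cfg.xml to a
# standalone IBM HTTP Server and registers the plug-in in httpd.conf.
# All paths used in demo() are constructed for illustration.

# rewrite_plugin_cfg SRC DEST OLD_ETC NEW_ETC OLD_LOG NEW_LOG
# Copies the deployment manager's plugin-cfg.xml (SRC) to DEST, pointing the
# keyring/stash directory and the http_plugin.log path at the HTTP server.
rewrite_plugin_cfg() {
    src=$1; dest=$2; old_etc=$3; new_etc=$4; old_log=$5; new_log=$6
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    mkdir -p "$(dirname "$dest")"
    # '|' as the sed delimiter so the slashes in the paths need no escaping
    sed -e "s|$old_etc|$new_etc|g" -e "s|$old_log|$new_log|g" "$src" > "$dest"
}

# append_plugin_directives HTTPD_CONF MODULE_PATH PLUGIN_CFG
# Appends the LoadModule and WebSpherePluginConfig lines, each only once, so
# that re-running the script does not load the module twice.
append_plugin_directives() {
    conf=$1; module=$2; cfg=$3
    grep -q '^LoadModule ibm_app_server_http_module ' "$conf" ||
        printf 'LoadModule ibm_app_server_http_module %s\n' "$module" >> "$conf"
    grep -q '^WebSpherePluginConfig ' "$conf" ||
        printf 'WebSpherePluginConfig %s\n' "$cfg" >> "$conf"
}

# check_plugin_cfg DEST NEW_ETC
# 0 when no deployment manager path survives in DEST and NEW_ETC is referenced
check_plugin_cfg() {
    ! grep -q 'DeploymentManager' "$1" && grep -q "$2" "$1"
}

# demo: run the whole procedure against a constructed plugin-cfg.xml and a
# one-line httpd.conf under a temporary directory; prints that directory
demo() {
    work=${TMPDIR:-/tmp}/plugin-demo.$$
    dm=/opt/WebSphere/DeploymentManager          # assumed WAS_NDM_HOME (UNIX)
    ihs=$work/ihs                                 # stands in for HTTP_HOME
    mkdir -p "$work/dm/config/cells" "$ihs/conf" "$ihs/logs"
    cat > "$work/dm/config/cells/plugin-cfg.xml" <<EOF
<?xml version="1.0" encoding="ISO-8859-1"?>
<Config>
  <Log LogLevel="Error" Name="$dm/logs/http_plugin.log"/>
  <ServerCluster Name="itim_cluster">
    <Server Name="itim1">
      <Transport Hostname="node1.example.test" Port="9443" Protocol="https">
        <Property Name="keyring" Value="$dm/etc/plugin-key.kdb"/>
        <Property Name="stashfile" Value="$dm/etc/plugin-key.sth"/>
      </Transport>
    </Server>
  </ServerCluster>
</Config>
EOF
    printf 'ServerRoot "%s"\n' "$ihs" > "$ihs/conf/httpd.conf"
    rewrite_plugin_cfg "$work/dm/config/cells/plugin-cfg.xml" "$ihs/conf/WebSphere/plugin-cfg.xml" \
        "$dm/etc" "$ihs/conf/WebSphere" "$dm/logs/http_plugin.log" "$ihs/logs/http_plugin.log"
    # run the httpd.conf step twice to show that it stays idempotent
    append_plugin_directives "$ihs/conf/httpd.conf" \
        /opt/WebSphere/AppServer/bin/mod_ibm_app_server_http.so "$ihs/conf/WebSphere/plugin-cfg.xml"
    append_plugin_directives "$ihs/conf/httpd.conf" \
        /opt/WebSphere/AppServer/bin/mod_ibm_app_server_http.so "$ihs/conf/WebSphere/plugin-cfg.xml"
    check_plugin_cfg "$ihs/conf/WebSphere/plugin-cfg.xml" "$ihs/conf/WebSphere"
    echo "$work"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh relocate_plugin.sh demo`; the printed directory contains the rewritten plugin-cfg.xml and httpd.conf for inspection. The check function is the part worth keeping on a real HTTP server: after step 5, `grep DeploymentManager plugin-cfg.xml` should print nothing.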
Chapter 5. Installing Tivoli Identity Manager in a single-server
configuration
This chapter describes tasks that install and configure the Tivoli Identity Manager
Server in a single-server configuration. The installation program installs only the
Tivoli Identity Manager Server.
Before you begin
Before you begin to install Tivoli Identity Manager Server in a single-server
configuration, complete these tasks:
1. Determine which product CDs you need to install Tivoli Identity
Manager. For an itemization of the CD contents, refer to a text file such as
itim-4.6-cd-images-operatingsystem.txt that is provided with the CD image. For
a complete list of these image files, see Appendix A, “Installation images and
fix packs,” on page 109.
2. Ensure that free disk space and virtual memory requirements are met.
Additionally, ensure that there is adequate free disk space in the system temp
directory and in the WAS_HOME directory. The target computer must meet
the machine requirements described in the IBM Tivoli Identity Manager Release
Notes.
3. Ensure that you have the needed administrative authority. On Windows
systems, the logon user ID must be in the Administrators Group. On UNIX
systems, the logon user ID must be root.
4. Installing the Tivoli Identity Manager Server writes data to the Tivoli Identity
Manager database. If DB2 UDB is used, ensure that the following conditions
are met:
v If DB2 UDB is selected, the Tivoli Identity Manager installation program
pre-allocates 1 GB database table space on the computer on which the DB2
server resides. Ensure that this free disk space is available on the DB2
server. For more information on database table space, refer to the IBM Tivoli
Identity Manager Performance Tuning Guide technical supplement.
v Database configuration, such as creating table space, requires that you have
authority as database administrator. On Windows systems, the authority
can be the db2admin user. On UNIX operating systems, the authority can
be db2inst1.
5. Ensure that the directory server has loaded the appropriate referential
integrity plug-in. For more information, see “Configuring the referential
integrity plug-in on the IBM Tivoli Directory Server” on page 28.
6. Ensure that the prerequisite applications are running that are described in
Table 4:
Table 4. Prerequisite applications
Prerequisite        For more information, see
Database            Chapter 2, “Installing and configuring a database,” on page 11
Directory server    Chapter 3, “Installing and configuring a directory server,” on page 25
7. Ensure that the WebSphere Application Server can be stopped and started
before you install the Tivoli Identity Manager Server. To be sure, stop and
start the WebSphere Application Server. See Chapter 4, “Installing and
configuring WebSphere Application Server,” on page 33 for more information
on these steps.
8. If WebSphere global security is already turned on, complete the necessary
manual steps after installing the Tivoli Identity Manager Server. For more
information on post-installation steps, see “Running Java 2 security on
single-node deployments” on page 89. For more information on global
security, refer to the WebSphere documentation.
9. Obtain or complete the planning worksheet which captures the details of your
configuration. For more information, see Appendix B, “Worksheets,” on page
111.
10. If you are upgrading a version of Tivoli Identity Manager that is already on
the computer, see Appendix C, “Upgrading from Tivoli Identity Manager
Version 4.5.1 to Version 4.6,” on page 115 for more information on protecting
Tivoli Identity Manager customizations and data.
Overview of the installation program in a single-server configuration
The flowchart in Figure 7 on page 49 describes the basic sequence of events during
installation of Tivoli Identity Manager Server in a single-server configuration:
Figure 7. Single-server installation flowchart
(Figure elements: Installation type? (single server or cluster installation); WebSphere Application Server already installed? (yes: detect and confirm the WebSphere Application Server installation directory; no: prompt warning message, Exit? (yes: exit installation; no: ignore)); Is WebSphere security on? (yes: enter credential); enter host name and server name; enter encryption key; confirm location of the Tivoli Common Directory; pre-installation summary; configure database; configure LDAP; configure system.)
Starting the installation wizard
To install the Tivoli Identity Manager Server in a single-server configuration,
complete the following steps:
1. Start the installation program. Log on to an account with system administration
privileges on the computer where the Tivoli Identity Manager Server will be
installed.
2. Insert the Tivoli Identity Manager product CD into the CD-ROM drive. To
locate the correct CD for your environment, refer to Appendix A, “Installation
images and fix packs,” on page 109.
3. To run the installation program, complete these steps:
v Windows
a. Click Start –> Run.
b. Enter your CD-ROM drive, and then enter the following command:
instWIN-WAS.exe
The Welcome window opens.
v UNIX
a. Open a command prompt window, and change to your CD-ROM drive.
b. Enter one of the following commands for the Tivoli Identity Manager
installation program:
– AIX
instAIX-WAS.bin
– Solaris
instSOL-WAS.bin
– Linux
instLINUX-WAS.bin
The installation program starts and displays the Welcome window.
Completing the installation wizard pages
Use the first set of installation wizard pages to set up the installation:
1. To change the language that is used for the installation wizard pages, select
another language from the drop-down list. This choice only affects the
installation wizard and not the language version of Tivoli Identity Manager to
be installed. Then, click OK. For more information on installing a language
pack, see “Optionally installing a language pack” on page 58.
2. In the License Agreement window, read the license agreement and decide
whether to accept its terms. If you do, select Accept, and then click Next.
The Tivoli Identity Manager Installation Directory window opens.
3. Accept the default ITIM_HOME installation directory, or select Choose to
select another directory. Then, click Next.
4. In the Installation Type window, select Single Server. Then, click Next.
5. In the Database Type window, select one of the following database types, and
then click Next:
v DB2 Universal Database
You are prompted for the DB_INSTANCE_HOME directory that contains the
database for Tivoli Identity Manager.
v Oracle Database
v Microsoft SQL Server 2000
Caution windows open to prompt you to ensure that these conditions are
true:
v If DB2 UDB is selected, the Tivoli Identity Manager installation program
pre-allocates 1 GB database table space on the computer on which the DB2
server resides. Ensure that space is available and click Next.
v If the Oracle database is selected, a window prompts you for the location of
the Oracle JDBC driver. Provide the location and click Next.
v The directory server version is at the correct level. Ensure that the version is
correct and click Next.
6. The WebSphere Application Server Installation Directory window appears and
displays a value for the WAS_HOME directory.
There can be multiple installations of the WebSphere Application Server on a
computer. If the WAS_HOME directory is not the directory on which you
intend to install the Tivoli Identity Manager Server, enter the correct directory
value. Click Next.
7. A window opens to prompt you to verify the following WebSphere
Application Server data:
v Host name of the computer. Accept the displayed value unless the
computer has multiple host names and the WebSphere Application Server is
installed under a host name other than the displayed value.
v WebSphere Application Server name, which defaults to server1, where you
intend to deploy the Tivoli Identity Manager Server.
Verify the WebSphere Application Server data and click Next.
8. If WebSphere global security is on, a WebSphere Application Server
Administrator Credential window requires you to specify the WebSphere
Application Server user ID and password. This is the wasadmin user ID
described in the manual steps in “Optionally configuring security for Tivoli
Identity Manager” on page 40.
Provide the user ID and password, and then click Next.
9. In the encryption key window, provide an encryption key, which can be any
word or phrase. The key is used to encrypt Tivoli Identity Manager passwords
and other sensitive text. Then, click Next.
10. In the Tivoli Common Directory window, accept the default directory that the
Tivoli Identity Manager installation program defines, or choose a new one.
Then, click Next. Ensure that the directory has at least 25 MB of free space.
The Tivoli Common Directory is the central location for all
serviceability-related files, such as logs and first-failure capture data.
11. In the Pre-install Summary window, review the components to be installed,
the required free disk space, and the Tivoli Identity Manager installation
directory. If everything is acceptable, click Install.
12. Complete the remaining automated installation program in “Responding to
major installation actions.”
Responding to major installation actions
The Tivoli Identity Manager installation program opens a series of progress
windows for additional, major installation actions. Some windows require your
input. The installation program installs and configures the Tivoli Identity Manager
application on the WebSphere Application Server, sets up the Tivoli Identity
Manager database on the database server, and sets up the LDAP schema and a
configuration of data on the directory server.
The major installation actions include these steps:
1. Copying Tivoli Identity Manager files to the target computer.
The installation program copies Tivoli Identity Manager files to the
ITIM_HOME directory.
2. Ensuring that the WebSphere Application Server is running.
Figure 8. WebSphere Application Server Administrator Credential window
The WebSphere Application Server must be running to allow Tivoli Identity
Manager deployment and configuration to occur. The Tivoli Identity Manager
installation program verifies the status of the WebSphere Application Server. If
the WebSphere Application Server is not running, the Tivoli Identity Manager
installation program attempts to start the WebSphere Application Server.
An error message appears if the Tivoli Identity Manager installation program
fails to start the WebSphere Application Server. If an error occurs, you can do
either of these steps:
v Quit the installation program and complete these steps:
a. Resolve the problem that prevents starting the WebSphere Application
Server.
b. Manually delete all files in the ITIM_HOME directory.
c. Run the Tivoli Identity Manager installation program again.
v Continue the installation program after you ensure that you can manually
start and stop the WebSphere Application Server without error. Complete
these steps:
a. Start the WebSphere Application Server:
– Windows
"WAS_HOME\bin\startServer.bat servername"
– UNIX
WAS_HOME/bin/startServer.sh servername
b. Stop the WebSphere Application Server:
– Windows
"WAS_HOME\bin\stopServer.bat servername"
– UNIX
WAS_HOME/bin/stopServer.sh servername
c. Proceed to the next step in the Tivoli Identity Manager installation
program.
3. Deploying the Tivoli Identity Manager Server onto the WebSphere Application
Server.
The Tivoli Identity Manager application runs within the WebSphere Application
Server as an enterprise application. The Tivoli Identity Manager installation
program uses the WebSphere command line interface (wsadmin) to deploy the
Tivoli Identity Manager application onto the WebSphere Application Server.
Deploying the Tivoli Identity Manager application also performs certain
configuration steps on the WebSphere Application Server. These steps require
several minutes to complete. For more information about configuration, see
“Deploying and configuring the Tivoli Identity Manager J2EE application” on
page 138.
When the deployment completes, the Tivoli Identity Manager files are in these
directories:
v WAS_HOME/installedApps/cellname/enRole.ear
v WAS_HOME/config/cells/cellname/applications/enRole.ear
If the deployment fails, an error message provides the location of the
setupEnrole.stdout log file. Examine the errors in the setupEnrole.stdout log
file.
If the log data indicates failure to establish a Simple Object Access Protocol
(SOAP) connection to the WebSphere Application Server configuration manager,
or some type of WebSphere Application Server scripting error, complete these
steps:
a. Exit the Tivoli Identity Manager installation program.
b. Resolve the problem that prevents connection to the WebSphere Application
Server or a problem described as a scripting error. For more information,
refer to the WebSphere documentation.
c. Manually delete all files in the ITIM_HOME directory.
d. Run the Tivoli Identity Manager installation program again.
If the log data indicates that failure is due to a timeout, continue the Tivoli
Identity Manager installation program.
If the Tivoli Identity Manager installation program has completed, delete the
following directories if they exist:
v WAS_HOME/installedApps/cellname/enRole.ear
v WAS_HOME/config/cells/cellname/applications/enRole.ear
Run one of the following commands to deploy the Tivoli Identity Manager
Server onto the WebSphere Application Server:
v If WebSphere global security is on, run this command:
ITIM_HOME/bin/setupEnrole install server:name user:user_id password:pwd
The value of name is the name of the WebSphere Application Server on
which the Tivoli Identity Manager application is deployed. The value of
user_id is the WebSphere administrator user ID, such as wasadmin. The value
of pwd is the password for the WebSphere administrator user ID, such as
wasadminpwd.
v If WebSphere global security is off, enter this command:
ITIM_HOME/bin/setupEnrole install server:name
4. Gathering database data and configuring the database.
In this step, the Tivoli Identity Manager installation program sets up the Tivoli
Identity Manager database and configures the JDBC driver provider in the
WebSphere Application Server. For more information, see “Configuring the
Tivoli Identity Manager database” on page 77.
If an error occurs, examine the error and provide a corrective action. The error
might describe a problem in configuring the Tivoli Identity Manager database
or the WebSphere Application Server. There is more information in the
ITIM_HOME/install_logs/dbConfig.stdout log file. You might need to refer to
documentation that the database product or that the WebSphere product
provides.
Continue the Tivoli Identity Manager installation program. When the
installation completes, complete these steps:
a. Save the current log data by renaming the
ITIM_HOME/install_logs/dbConfig.stdout log file.
b. When the correction is complete, use this command to configure the Tivoli
Identity Manager database:
v Windows
ITIM_HOME\bin\DBConfig
v UNIX
ITIM_HOME/bin/cmdWrapper.sh DBConfig
New log data is recorded in the ITIM_HOME/install_logs/dbConfig.stdout
log file.
Note: The DBConfig command creates the database table definitions that
Tivoli Identity Manager requires. Run this command only if the
command failed to configure the database during installation. If the
Tivoli Identity Manager database tables have been previously set,
running the DBConfig command first drops all previously existing
Tivoli Identity Manager tables.
5. Gathering directory server data and configuring the directory server.
In this step, the Tivoli Identity Manager installation program sets up the LDAP
schema and defines default settings for Tivoli Identity Manager. For more
information, see “Configuring the directory server” on page 79.
If an error occurs, record the error message that is displayed, which might
describe a problem in setting up the LDAP schema or creating a configuration
of data on the directory server.
Continue the Tivoli Identity Manager installation program. When the
installation completes, complete these steps:
a. Examine the errors and provide a corrective action. There is more
information in the ITIM_HOME/install_logs/ldapConfig.stdout log file. You
might also need to refer to documentation that the directory server product
provides.
b. Save the current log data by renaming the
ITIM_HOME/install_logs/ldapConfig.stdout log file.
c. When the correction is complete, use this command to configure the
directory server:
ITIM_HOME/bin/ldapConfig
New log data is recorded in the
ITIM_HOME/install_logs/ldapConfig.stdout log file.
Note: Do not run the ldapConfig command a second time, unless the LDAP
configuration fails during the Tivoli Identity Manager installation
process. Running the ldapConfig command will restore default values
that Tivoli Identity Manager uses. If you have changed the value of any
of these Tivoli Identity Manager attributes, such as the password of the
user ID named itim manager, the value is overwritten.
6. Gathering Tivoli Identity Manager data and configuring the Tivoli Identity
Manager Server.
The Tivoli Identity Manager installation program copies a set of Tivoli Identity
Manager property files to the ITIM_HOME/data directory. During this step,
you can use the GUI to change some of the Tivoli Identity Manager properties.
For more information, see “Configuring commonly used system properties” on
page 80.
The Tivoli Identity Manager installation program also configures the
WebSphere environment settings that the Tivoli Identity Manager Server
requires. This step takes several minutes to complete. For more information on
configuring the WebSphere environment, see Appendix D, “Steps that the
installation program takes to configure the WebSphere environment,” on page
127.
If an error occurs, record the error message that is displayed, which might
describe a problem in configuring the WebSphere environment settings that the
Tivoli Identity Manager Server requires.
Continue the Tivoli Identity Manager installation program. When the
installation completes, complete these steps:
a. Examine the errors and provide a corrective action. There is more
information in the ITIM_HOME/install_logs/runConfigTmp.stdout log file.
You might also need to refer to documentation that the WebSphere product
provides.
b. When the correction is complete, update commonly used properties and reset
WebSphere Application Server settings for the Tivoli Identity Manager
application by running this command:
v Windows
ITIM_HOME\bin\runConfig install
v UNIX:
– DB2 UDB
ITIM_HOME/bin/cmdWrapper.sh runConfig install
The cmdWrapper.sh command automatically sources the DB2 profile.
– Other databases
ITIM_HOME/bin/runConfig install
New log data is recorded in the ITIM_HOME/install_logs/runConfig.stdout
log file.
7. Restarting the WebSphere Application Server, to make the new WebSphere
Application Server configuration available after completing the Tivoli Identity
Manager Server installation.
If an error message indicates failure to restart the WebSphere Application
Server, complete the installation and then attempt to restart the WebSphere
Application Server. To restart the WebSphere Application Server, complete these
steps:
v Windows
WAS_HOME\bin\startServer.bat servername
For example, the value of servername is server1.
v UNIX
WAS_HOME/bin/startServer.sh servername
For more information, see “Verifying that the Tivoli Identity Manager Server is
operational.”
Verifying that the Tivoli Identity Manager Server is operational
To verify that the Tivoli Identity Manager Server and related processes are running,
complete these steps:
1. Ensure that the WebSphere Application Server is running.
Start the WebSphere administrative console. On a browser, enter this Web
address:
http://address:9090/admin/
The value of address is the fully qualified host name or the IP address of the
computer on which the WebSphere Application Server is running. The value
9090 is the default port number for the WebSphere administrative HTTP
transport. If you have multiple instances of the WebSphere Application Server
on the same computer, the port number may be a different value, such as 9091.
For more information, see step 7.
2. On the WebSphere administrative console, click Applications –> Enterprise
Application and verify that the Tivoli Identity Manager Server enRole is
running. For additional steps to verify that the Tivoli Identity Manager Server
and other processes are running, see Chapter 8, “Troubleshooting and verifying
the installation,” on page 93.
3. Log on to the Tivoli Identity Manager Server using the WebSphere embedded
HTTP transport. For example, at a browser window, enter this address:
http://hostname:9080/enrole
The value of hostname is the host name of the WebSphere Application Server.
Port 9080 is the default port number of the WebSphere virtual host. If you have
multiple installations of the WebSphere Application Server on the same system,
this port number may have a different value, such as 9081.
The browser displays the Tivoli Identity Manager logon window. Enter the
Tivoli Identity Manager Server administrator user ID ("itim manager") and
password (immediately after installation, the value is "secret").
4. After successfully logging on to Tivoli Identity Manager Server using the
WebSphere embedded HTTP transport, attempt to log on to the Tivoli Identity
Manager Server using the IBM HTTP Server. Log on at this address:
http://http_server_hostname/enrole
The value of http_server_hostname is the host name of the IBM HTTP Server. For
more information if you cannot display the Tivoli Identity Manager logon
window, or cannot log on to Tivoli Identity Manager, see “Ensuring that the
HTTP server is running” on page 96.
5. After a first, successful logon, the logon window immediately prompts you to
change the administrator password. Ensure that your password change is
successful. After you change the password, you are ready to create your
organization object and a user that is termed an ITIM User.
If you cannot start and log on to Tivoli Identity Manager, see Chapter 8,
“Troubleshooting and verifying the installation,” on page 93.
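Steps 1, 3 and 4 above each amount to opening one address and seeing whether something answers; the script below, an added example that is not part of the IBM guide, does the same three probes from the command line so that the check can be repeated after every restart. It assumes curl is installed; host names are arguments, and 9090 and 9080 are the default WebSphere port numbers named in the text (pass other values if you run several instances). Logging on as "itim manager" and completing the forced password change remain interactive steps.

```shell
#!/bin/sh
# Added example; not part of the IBM guide. Smoke-tests the three addresses
# the verification steps visit: the administrative console, the embedded HTTP
# transport, and the IBM HTTP Server front door. Assumes curl is available.

# itim_endpoints WAS_HOST HTTP_HOST [ADMIN_PORT] [APP_PORT]
# Prints the three addresses, one per line; ports default to 9090 and 9080.
itim_endpoints() {
    printf 'http://%s:%s/admin/\n' "$1" "${3:-9090}"
    printf 'http://%s:%s/enrole\n' "$1" "${4:-9080}"
    printf 'http://%s/enrole\n' "$2"
}

# http_status URL: HTTP status code, or 000 when nothing answered
http_status() {
    code=$(curl -s -o /dev/null -m 10 -w '%{http_code}' "$1" 2>/dev/null) || true
    echo "${code:-000}"
}

# verify_itim WAS_HOST HTTP_HOST
# Probes every endpoint and reports each one; returns 0 only when all of
# them answer with a 2xx or 3xx status (the logon page may redirect).
verify_itim() {
    failed=0
    for url in $(itim_endpoints "$1" "$2"); do
        code=$(http_status "$url")
        case $code in
            2*|3*) echo "ok   $code $url" ;;
            *)     echo "FAIL $code $url"; failed=1 ;;
        esac
    done
    return $failed
}

# Usage: verify_itim was.example.test ihs.example.test
```

A failure on the third address only, with the first two answering, points at the HTTP server or the plug-in configuration rather than at the Tivoli Identity Manager Server itself, which is the distinction step 4 sends you to “Ensuring that the HTTP server is running” for.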
UNIX: Sourcing the DB2 Universal Database profile
On UNIX operating systems, run the DB2 UDB profile to set up the correct
environment to run DB2 UDB programs. This action enables communication
between the Tivoli Identity Manager Server and the DB2 server. This manual step
is not necessary on Windows systems.
To source the profile, complete these steps:
1. Enter the appropriate db2profile command for your default login shell.
For example, if your default login shell is ksh, source the DB2 UDB profile by
entering the following command:
. DB_INSTANCE_HOME/db2profile
2. Verify that you successfully sourced the profile. Enter the following command:
set | grep -i db2
The -i parameter specifies that the search is not sensitive to case. In the
following output, the existence of the value db2inst1 associated with the value
of DB_INSTANCE_HOME indicates that the profile was successfully sourced:
CLASSPATH=/home/db2inst1...
DB2DIR=/usr/lpp/db2_08_01
DB2INSTANCE=db2inst1
3. Include the db2profile command in your user profile to ensure that the profile
is sourced every time that the database runs.
Ensure that the DB2 UDB profile is correctly sourced before doing these tasks:
v Running DBConfig, the database configuration tool. For more information, see
step 4 on page 54.
v Running runConfig, the system configuration tool. For more information, see
step 6 on page 55.
v Starting the WebSphere Application Server. For more information, see step 7 on
page 56.
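The profile check above and the note under step 4 on page 54 (DBConfig drops every existing Tivoli Identity Manager table before recreating them) belong together in practice: the script below, an added example that is not part of the IBM guide, sources db2profile only when the DB2 variables are absent, verifies the same evidence that `set | grep -i db2` shows, and refuses to invoke DBConfig unless the operator has opted in explicitly. DB_INSTANCE_HOME and ITIM_HOME are passed as arguments; the db2profile used in the check is a constructed one.

```shell
#!/bin/sh
# Added example; not part of the IBM guide. Preflight for the UNIX DB2 UDB
# steps: make sure db2profile is sourced, and do not let DBConfig run by
# accident, because it drops existing Tivoli Identity Manager tables.
# DB_INSTANCE_HOME and ITIM_HOME are passed in as arguments.

# db2_profile_sourced: 0 when the variables db2profile exports are present
# (this is what "set | grep -i db2" is checking for in the guide)
db2_profile_sourced() {
    [ -n "${DB2INSTANCE:-}" ] && [ -n "${DB2DIR:-}" ] && [ -d "$DB2DIR" ]
}

# ensure_db2_profile DB_INSTANCE_HOME
# Sources DB_INSTANCE_HOME/db2profile (the ". DB_INSTANCE_HOME/db2profile"
# step) unless the environment is already set, then re-checks.
ensure_db2_profile() {
    inst_home=$1
    db2_profile_sourced && return 0
    if [ ! -r "$inst_home/db2profile" ]; then
        echo "db2profile not found in $inst_home" >&2
        return 1
    fi
    . "$inst_home/db2profile"
    db2_profile_sourced || { echo "db2profile did not set DB2INSTANCE/DB2DIR" >&2; return 1; }
}

# db2_env_summary: the exported DB2 variables, the evidence the guide has you
# look for, in a fixed order
db2_env_summary() {
    env | grep -i '^db2' | sort
}

# run_dbconfig ITIM_HOME DB_INSTANCE_HOME
# Runs DBConfig through cmdWrapper.sh only after the profile check passes and
# the operator has set ITIM_DBCONFIG_CONFIRM=yes, since DBConfig drops all
# existing Tivoli Identity Manager tables before recreating them.
run_dbconfig() {
    itim_home=$1; inst_home=$2
    ensure_db2_profile "$inst_home" || return 1
    if [ "${ITIM_DBCONFIG_CONFIRM:-}" != yes ]; then
        echo "refusing to run DBConfig (it drops existing ITIM tables); set ITIM_DBCONFIG_CONFIRM=yes" >&2
        return 2
    fi
    "$itim_home/bin/cmdWrapper.sh" DBConfig
}

# Usage: . ./db2_preflight.sh; ensure_db2_profile /home/db2inst1 && db2_env_summary
```

Because ensure_db2_profile sources the profile into the calling shell, the script is meant to be sourced (`. ./db2_preflight.sh`) rather than executed, exactly like db2profile itself; running it in a subshell would set the variables and then throw them away.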
Optionally installing a language pack
After installing Tivoli Identity Manager, if the default language is not English,
complete these steps:
1. Before you run the Tivoli Identity Manager language pack setup program,
ensure that the version of the Java Runtime Environment that Tivoli Identity
Manager requires is accessible from the command line. For more information,
refer to the IBM Tivoli Identity Manager Release Notes.
For example, enter this command:
java -fullversion
2. Obtain the language pack CD for the Tivoli Identity Manager Server. On UNIX
systems, mount the language pack CD.
3. Use command line mode to install the language pack. For example, enter this
language pack command at a command prompt:
java -jar itimlp_setup.jar
The Tivoli Identity Manager language pack setup program starts. To complete
the language pack installation, follow the instructions that appear in the setup
program windows.
4. Verify that the language pack is installed. Complete these steps:
a. Verify that these files are present in the
WAS_HOME/installedApps/cellname/enRole.ear/app_web.war directory:
v AppletLabels_lang.properties
v AppletErrorMessages_lang.properties
v AppletMessages_lang.properties
The value of lang is a string such as fr that indicates a language such as
French.
b. Verify that one or more of the following files are present in the
ITIM_HOME/data directory:
v ErrorMessages_lang.properties
v Labels_lang.properties
v Messages_lang.properties
v adhocreporting_lang.properties
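Step 4 lists the files that prove a language pack is in place; the function below, an added example that is not part of the IBM guide, performs that check and names whatever is missing, so it can be run after each language pack is installed. WAS_HOME, the cell name, ITIM_HOME and the language code are arguments; nothing about the installation layout is assumed beyond the two directories the step names.

```shell
#!/bin/sh
# Added example; not part of the IBM guide. Verifies the language pack files
# that step 4 lists. Arguments: WAS_HOME, cell name, ITIM_HOME, language code.

# verify_language_pack WAS_HOME CELLNAME ITIM_HOME LANG
# Returns 0 when all three applet files exist in app_web.war and at least one
# of the four property files exists in ITIM_HOME/data; reports what is missing.
verify_language_pack() {
    was_home=$1; cell=$2; itim_home=$3; lang=$4
    war=$was_home/installedApps/$cell/enRole.ear/app_web.war
    data=$itim_home/data
    rc=0
    # every applet file is required
    for f in AppletLabels AppletErrorMessages AppletMessages; do
        if [ ! -f "$war/${f}_$lang.properties" ]; then
            echo "missing: $war/${f}_$lang.properties" >&2
            rc=1
        fi
    done
    # the guide asks for one or more of these
    found=0
    for f in ErrorMessages Labels Messages adhocreporting; do
        [ -f "$data/${f}_$lang.properties" ] && found=1
    done
    if [ "$found" -eq 0 ]; then
        echo "missing: no *_$lang.properties files in $data" >&2
        rc=1
    fi
    return $rc
}

# Usage: verify_language_pack /opt/WebSphere/AppServer cell01 /opt/IBM/itim fr
```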
Preparing to install adapters
Use SSL production certificates to ensure secure communication between the Tivoli
Identity Manager Server and the Tivoli Identity Manager adapter. For more
information, see “Adapters overview” on page 2.
The Certificate Authority issuer certificate that corresponds to the certificate of the
Tivoli Identity Manager adapter must be installed into the truststore file that the
Tivoli Identity Manager Server is configured to use. Tivoli Identity Manager uses
the standard Java keystore and truststore mechanisms to store certificates and
issuer certificates for SSL communications. You can use any standard Java keystore
tools to maintain certificates, such as the Java keytool command line utility, or the
WebSphere key management utility (iKeyman). The source certificate files can be in
any format that the keystore tool supports. For more information, refer to the IBM
Tivoli Identity Manager Planning for Deployment Guide.
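The paragraph above says what must be true (the adapter's CA issuer certificate is in the truststore the server actually uses) but not how to get it there with the keytool utility it mentions. The script below is an added example, not part of the IBM guide: it prints the certificate's fingerprint for comparison with the value obtained from the CA, imports the certificate as a trusted entry, and refuses to overwrite an alias that already exists. The truststore path, its password and the alias are arguments because the guide does not name them.

```shell
#!/bin/sh
# Added example; not part of the IBM guide. Puts the CA issuer certificate of
# an adapter into the Java truststore the Tivoli Identity Manager Server uses,
# with the keytool utility the text mentions. The truststore path, its
# password and the alias are arguments; the guide does not name them.

# cert_fingerprint CERT_FILE
# Prints the fingerprint lines of a certificate file, to be compared with the
# value the CA published before anything is imported.
cert_fingerprint() {
    keytool -printcert -file "$1" | grep -i 'sha'
}

# issuer_cert_present TRUSTSTORE STOREPASS ALIAS: 0 when ALIAS is in the store
issuer_cert_present() {
    [ -f "$1" ] && keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# import_issuer_cert TRUSTSTORE STOREPASS ALIAS CERT_FILE
# Imports CERT_FILE as a trusted certificate entry. keytool creates the
# truststore when it does not exist yet. An alias that is already present is
# left untouched and reported, so a re-run never overwrites a trusted entry.
import_issuer_cert() {
    ts=$1; pass=$2; alias=$3; cert=$4
    [ -r "$cert" ] || { echo "cannot read certificate file $cert" >&2; return 1; }
    if issuer_cert_present "$ts" "$pass" "$alias"; then
        echo "alias '$alias' already in $ts; not re-importing" >&2
        return 0
    fi
    keytool -importcert -noprompt -trustcacerts -alias "$alias" -file "$cert" \
        -keystore "$ts" -storepass "$pass" >/dev/null
}

# Usage (paths are placeholders):
#   cert_fingerprint adapter-ca.pem
#   import_issuer_cert /path/to/itim-truststore.jks changeit adapter-ca adapter-ca.pem
```

Passing `-storepass` on the command line makes the password visible in the process list and the shell history; when that matters, leave the option out and keytool prompts for it instead. The truststore to use is the one the server is configured with, not an arbitrary file; importing into the wrong store leaves the adapter connection failing with the same certificate error as before.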
Complete these steps:
1. Using the Tivoli Identity Manager import utility, install the adapter profile.
2. After installing Tivoli Identity Manager, if the default language is not English,
complete these steps before you install the first Tivoli Identity Manager
adapter:
a. Before you run the Tivoli Identity Manager language pack setup program,
ensure that the version of the Java Runtime Environment that Tivoli Identity
Manager requires is accessible from the command line. For more
information, refer to the IBM Tivoli Identity Manager Release Notes.
For example, enter this command:
java -fullversion
b. Obtain and mount the language pack CD for the Tivoli Identity Manager
adapters. Use command line mode to install the language pack for the
adapters on the Tivoli Identity Manager Server. For example, enter the
following command:
java -jar itimlp_agents_setup.jar
The Tivoli Identity Manager language pack setup program starts. To
complete the language pack installation, follow the instructions that appear
in the setup program panels.
Chapter 6. Installing Tivoli Identity Manager in a cluster
configuration
This chapter describes installing and configuring the Tivoli Identity Manager in a
cluster configuration. Before continuing, read “Configuration options” on page 4.
For required application versions and fix packs, refer to the IBM Tivoli Identity
Manager Release Notes.
Before you begin
Before you begin to install Tivoli Identity Manager Server in a cluster
configuration, complete these tasks:
1. Determine which product CDs that you need to install Tivoli Identity
Manager. For an itemization of the CD contents, refer to a text file such as
itim-4.6-cd-images-operatingsystem.txt that is provided with the CD image. For
a complete list of these image files, see Appendix A, “Installation images and
fix packs,” on page 109.
2. Ensure that free disk space and virtual memory requirements are met on
every computer in the cluster. Additionally, ensure that there is adequate free
disk space in the system temp directory and in the WAS_HOME and
WAS_NDM_HOME directories. The target computers must meet the machine
requirements described in the IBM Tivoli Identity Manager Release Notes.
3. Ensure that you have the needed administrative authority. On Windows
systems, the logon user ID must be in the Administrators Group. On UNIX
systems, the logon user ID must be root.
4. Installing the Tivoli Identity Manager Server writes data to the Tivoli Identity
Manager database. If DB2 UDB is used, ensure that the following conditions
are met:
v If DB2 UDB is selected, the Tivoli Identity Manager installation program
pre-allocates 1 GB database table space on the computer on which the DB2
server resides. Ensure that this free disk space is available on the DB2
server. For more information on database table space, refer to the IBM Tivoli
Identity Manager Performance Tuning Guide technical supplement.
v Database configuration, such as creating table space, requires that you have
authority as database administrator. On Windows systems, the authority
can be the db2admin user. On UNIX systems, the authority can be db2inst1.
5. In a cluster, the name of the Tivoli Identity Manager installation directory
must be the same for all cluster members. Specify an identical directory to
avoid later runtime difficulties in certificate recognition or in identity feed
activities on different cluster member computers. For example, specify
/usr/IBM/itim on the AIX operating system as the directory on all cluster
member computers.
6. Ensure that the directory server has loaded the appropriate referential
integrity plug-in. For more information, see “Configuring the referential
integrity plug-in on the IBM Tivoli Directory Server” on page 28.
7. Ensure that the prerequisite applications are running that are described in
Table 5 on page 62:
Table 5. Prerequisites that must be running
  Prerequisite       For more information
  Database           Chapter 2, “Installing and configuring a database,” on page 11
  Directory server   Chapter 3, “Installing and configuring a directory server,” on page 25
8. Determine that the WebSphere Application Server cell and cluster are ready
for Tivoli Identity Manager installation. Complete the steps to construct a
WebSphere Application Server cell and a cluster, described in “Creating a
cluster configuration” on page 36.
The processes described in Table 6 must be running before and after you
install the Tivoli Identity Manager Server:
Table 6. Processes that must be running before and after installing the Tivoli
Identity Manager Server
  Process                                         For more information
  v Deployment manager                            “UNIX: Creating groups and users before
  v WebSphere Application Server node agents        installing WebSphere embedded messaging”
  v WebSphere Application Server JMS servers        on page 34
    on all nodes in the cluster
9. If DB2 UDB is used, ensure that the DB2 UDB profile is correctly sourced
before starting the WebSphere node agent on each cluster member node. For
more information, see “UNIX: Sourcing the DB2 Universal Database profile”
on page 73.
10. If WebSphere global security is already turned on, complete the necessary
manual steps after installing Tivoli Identity Manager. For more information on
those post-installation steps, see “Running Java 2 security on multi-node
deployments” on page 89. For more information on global security, refer to
the WebSphere documentation.
11. Obtain or complete the planning worksheet which captures the details of your
configuration. For more information, see Appendix B, “Worksheets,” on page
111.
12. If you are upgrading a version of Tivoli Identity Manager that is already on
the computer, see Appendix C, “Upgrading from Tivoli Identity Manager
Version 4.5.1 to Version 4.6,” on page 115 for more information on protecting
Tivoli Identity Manager customizations and data.
Overview of the installation program in a cluster configuration
The flowchart in Figure 9 on page 63 describes the basic sequence of events during
installation of the Tivoli Identity Manager Server in a cluster configuration:
Figure 9. Cluster installation flowchart. The chart shows the first part of
the installation sequence: enter the Tivoli Identity Manager Server
installation directory; choose the installation type (single server, which
branches to the single-server installation, or cluster); choose the cluster
node type; if the node is a cluster member, confirm the WebSphere Application
Server base product installation directory (if the base product does not
exist, a warning message prompts you to exit or ignore); if the node is the
deployment manager, confirm the deployment manager installation directory (if
the deployment manager does not exist, a warning message prompts you to exit
or ignore); enter the cluster name; verify the host name and IP address; and
continue at point A in Figure 10.
Install the Tivoli Identity Manager Server on the following computers:
v The deployment manager.
Install the Tivoli Identity Manager Server on the computer that has the
deployment manager before you install the Tivoli Identity Manager Server on
cluster nodes. The deployment of the Tivoli Identity Manager application and
also the configuration of the database and the directory server for Tivoli Identity
Manager occurs during this installation. The deployment manager distributes the
Tivoli Identity Manager application to all cluster member computers. The
installation program expands the Tivoli Identity Manager Enterprise Application
Archive (EAR) file on each cluster member.
v One or more cluster members.
Repeat the steps in this chapter to install the Tivoli Identity Manager Server on
each computer that is a cluster member. The installation program does these
tasks:
– Copies additional Tivoli Identity Manager files to the target computer.
– Configures the WebSphere Application Server that hosts the cluster member.
Figure 10. Cluster installation flowchart (continued). From point A: if
WebSphere security is on, enter the administrator credential; enter the
encryption key; confirm the location of the Tivoli Common Directory; review
the pre-installation summary; if installing on the deployment manager,
configure the database and configure LDAP; then configure the system.
Installing the Tivoli Identity Manager Server on clusters must be done
sequentially, one computer at a time. Running the Tivoli Identity Manager
installation program simultaneously on more than one computer at a time might
result in synchronization problems with the WebSphere master configuration file.
Note: If the same computer has both the deployment manager and a Tivoli
Identity Manager cluster member, you must select both the deployment
manager and the cluster member node types when you run the Tivoli
Identity Manager installation program.
Starting the installation wizard
To install Tivoli Identity Manager Server in a cluster configuration, complete the
following steps:
1. Log on to an account with system administration privileges on the computer
where the Tivoli Identity Manager Server will be installed.
2. Insert the Tivoli Identity Manager product CD into the CD-ROM drive. To
locate the correct CD for your environment, refer to Appendix A, “Installation
images and fix packs,” on page 109.
3. To run the installation program, complete these steps:
v Windows
a. Click Start –> Run.
b. Enter your CD-ROM drive, and then enter the following command:
instWIN-WAS.exe
The Welcome window opens.
v UNIX
a. Open a command prompt window, and change to your CD-ROM drive.
b. Enter one of the following commands for the Tivoli Identity Manager
installation program:
– AIX
instAIX-WAS.bin
– Solaris
instSOL-WAS.bin
– Linux
instLINUX-WAS.bin
The installation program starts and displays the Welcome window.
Completing the installation wizard pages
Use the first set of installation wizard pages to set up the installation:
1. To change the language that is used for the installation wizard pages, select
another language from the drop-down list. This choice only affects the
installation wizard and not the language version of Tivoli Identity Manager to
be installed. Then, click OK. For more information on installing a language
pack, see “Optionally installing a language pack” on page 74.
2. In the License Agreement window, read the license agreement and decide
whether to accept its terms. If you do, select Accept, and then click Next.
The Tivoli Identity Manager Installation Directory window opens.
3. Accept the default ITIM_HOME installation directory, or select Choose to
select another directory. Then, click Next.
4. In the Installation Type window, select Regular cluster. Then, click Next.
5. In the Installing Tivoli Identity Manager on a Cluster Environment window,
read the conditions that apply to a cluster environment. Before continuing,
apply any other changes that are necessary to configure the environment for
these conditions. For example, verify that the deployment manager and all
WebSphere node agents are running. For more information, see “Verifying that
the deployment manager, node agents, and JMS servers are running” on page
38. Click Next.
The Database Type window opens.
6. In the Database Type window, select one of the following database types, and
then click Next:
v DB2 Universal Database
You are prompted for the DB_INSTANCE_HOME directory that contains the
database for Tivoli Identity Manager.
v Oracle Database
If the Oracle database is selected, another window prompts you for the
location of the Oracle JDBC driver. Provide the location and click Next. For
more information, see “Tivoli Identity Manager information for the
database” on page 111.
v Microsoft SQL Server 2000
7. In the Choose Cluster Node Type window, select one or both of these node
types:
v Deployment manager
You must install Tivoli Identity Manager first on the computer that has the
deployment manager.
v Cluster member
Install Tivoli Identity Manager on every cluster member that does not reside
on the same computer as the deployment manager, after you install Tivoli
Identity Manager on the computer that has the deployment manager. If you
have the deployment manager and a Tivoli Identity Manager cluster
member on the same computer, you must select both node types.
8. If you selected a cluster member for the Tivoli Identity Manager installation,
the WebSphere Application Server Installation Directory window appears and
displays a value for a WAS_HOME directory.
There can be multiple installations of the WebSphere Application Server on a
computer. If the WAS_HOME directory is not the directory on which you
intend to install the Tivoli Identity Manager Server, enter the correct directory
value. Click Next.
9. If you selected the deployment manager for the Tivoli Identity Manager
installation, the WebSphere Application Server Installation Directory window
appears and displays a value for a WAS_NDM_HOME directory. If the
WAS_NDM_HOME directory is not the directory on which you intend to
install the Tivoli Identity Manager Server, enter the correct directory value.
Click Next.
10. If you selected the deployment manager for the Tivoli Identity Manager
installation, caution windows open to prompt you to ensure that these
conditions are true:
v If DB2 UDB is selected, the Tivoli Identity Manager installation program
pre-allocates 1 GB database table space on the computer on which the DB2
server resides. Ensure that space is available and click Next.
v The directory server version is at the correct level. Ensure that the version is
correct and click Next.
11. In the data window that requests the cluster name, enter an existing cluster
name such as cluster1 that was defined for the Tivoli Identity Manager cluster.
Then, click Next.
12. A window opens to prompt you to verify the host name and IP address of the
computer. Accept the displayed value unless the computer has multiple host
names and IP addresses, and either the deployment manager or the
WebSphere Application Server is installed under a host name or IP address
other than the displayed value. Verify the WebSphere Application Server data
and click Next.
13. If you are installing Tivoli Identity Manager on a cluster member, the
Directory Server Information window opens.
Complete the fields shown in Figure 11. The window does not appear during
Tivoli Identity Manager installation on the computer that has the deployment
manager.
From the information worksheet you completed in “Tivoli Identity Manager
information for the directory server” on page 112, enter organization data in
the fields in the window. For every cluster member, the information must be
identical and must match the LDAP specification that was entered during
Tivoli Identity Manager installation on the deployment manager. Click Next.
Figure 11. Directory server information window
14. If WebSphere global security is on, a WebSphere Application Server
Administrator Credential window that is similar to Figure 12 on page 68
requires you to specify the WebSphere Application Server user ID and
password. This is the wasadmin user ID described in the manual steps in
“Optionally configuring security for Tivoli Identity Manager” on page 40.
15. In the encryption key window, provide an encryption key, which can be any
word or phrase. The key is used to encrypt Tivoli Identity Manager passwords
and other sensitive text, so choose a long, randomly generated phrase rather
than a dictionary word, and keep a record of it in a secure location. Then,
click Next.
16. In the Tivoli Common Directory window, accept the default directory for the
Tivoli Common Directory that the Tivoli Identity Manager installation
program defines, or choose a new one. For more information on directory
paths, see “Definitions for HOME and other directory variables” on page xii.
Then, click Next. Ensure that the directory has at least 25 MB of free space.
The Tivoli Common Directory is the central location for all
serviceability-related files, such as logs and first-failure capture data.
17. In the Pre-install Summary window, review the components to be installed,
the required free disk space, and the Tivoli Identity Manager installation
directory. If everything is acceptable, click Install.
18. Complete the remaining automated installation program. “Responding to
major installation actions” describes these major steps.
Responding to major installation actions
The Tivoli Identity Manager installation program opens a series of progress
windows for additional, major installation actions. Some windows require your
input. The installation program installs and configures the Tivoli Identity Manager
application on the WebSphere Application Server, sets up the Tivoli Identity
Manager database on the database server, and sets up the LDAP schema and a
configuration of data on the directory server.
The major installation actions include these steps:
1. Copying Tivoli Identity Manager files to the target computer.
The installation program copies Tivoli Identity Manager files to the
ITIM_HOME directory.
Figure 12. WebSphere Application Server Administrator Credential window
2. Deploying Tivoli Identity Manager onto the deployment manager.
The Tivoli Identity Manager application runs within the WebSphere Application
Server as an enterprise application. The Tivoli Identity Manager installation
program uses the WebSphere command line interface (wsadmin) to deploy the
Tivoli Identity Manager application onto the deployment manager.
The Tivoli Identity Manager installation program also configures the
WebSphere environment settings that the Tivoli Identity Manager Server
requires. The deployment takes several minutes to complete. For more
information on configuring the WebSphere environment, see Appendix D,
“Steps that the installation program takes to configure the WebSphere
environment,” on page 127.
When the deployment completes, the Tivoli Identity Manager files are in the
WAS_NDM_HOME/config/cells/cellname/applications/enRole.ear directory.
If the deployment fails, an error message provides the location of the
setupEnrole.stdout log file. Examine the errors in the setupEnrole.stdout log
file. Then, complete these tasks:
v If the log data indicates failure to create a SOAP connection to the
deployment manager, or some type of deployment manager scripting error,
complete these steps:
a. Exit the Tivoli Identity Manager installation program.
b. Resolve the problem that prevents connection to the WebSphere
Application Server or a problem described as a scripting error. For more
information, refer to the WebSphere documentation.
c. Manually delete all files in the ITIM_HOME directory.
d. Run the Tivoli Identity Manager installation program again.
v If the log data indicates that failure is due to a timeout, continue the Tivoli
Identity Manager installation program. When installation finishes, complete
these steps:
a. If the WAS_NDM_HOME/config/cells/cellname/applications/enRole.ear
directory was created, delete the directory on the computer that has the
deployment manager.
b. Run one of the following commands to deploy the Tivoli Identity
Manager Server onto the deployment manager:
– If WebSphere global security is on, run this command:
ITIM_HOME/bin/setupEnrole install server:name user:user_id password:pwd
The value of name is the name of the WebSphere Application Server on
which the Tivoli Identity Manager application is deployed. The value
of user_id is the WebSphere administrator user ID, such as wasadmin.
The value of pwd is the password for the WebSphere administrator
user ID, such as wasadminpwd. Because the password is passed as a
command-line argument, it is visible to other local users in the
process list (for example, in ps output) while the command runs, and
it may be recorded in the shell history; run the command from a
session that is not shared and remove the history entry afterwards.
– If WebSphere global security is off, enter this command:
ITIM_HOME/bin/setupEnrole install server:name
3. If installation is on the deployment manager, the next step is gathering
database data and configuring the database.
In this step, the Tivoli Identity Manager installation program sets up the Tivoli
Identity Manager database and configures the JDBC driver provider in the
WebSphere Application Server. For more information, see “Configuring the
Tivoli Identity Manager database” on page 77.
If an error occurs, examine the error and provide a corrective action. There is
more information in the ITIM_HOME/install_logs/dbConfig.stdout log file.
You might need to refer to documentation that the database product or that the
WebSphere product provides.
Continue the Tivoli Identity Manager installation program. When the
installation completes, complete these steps:
a. Save the current log data by renaming the
ITIM_HOME/install_logs/dbConfig.stdout log file.
b. When the correction is complete, type this command to configure the Tivoli
Identity Manager database:
v Windows
ITIM_HOME\bin\DBConfig
v UNIX
ITIM_HOME/bin/cmdWrapper.sh DBConfig
New log data is recorded in the ITIM_HOME/install_logs/dbConfig.stdout
log file.
Note: The DBConfig command creates the database table definitions that
Tivoli Identity Manager requires. Run this command only if the
command failed to configure the database during installation. If the
Tivoli Identity Manager database tables have been previously set,
running the DBConfig command first drops all previously existing
Tivoli Identity Manager tables.
4. If installation is on the deployment manager, the next step is gathering
directory server data and configuring the directory server.
In this step, the Tivoli Identity Manager installation program sets up the LDAP
schema and defines default settings for Tivoli Identity Manager. For more
information, see “Configuring the directory server” on page 79.
If an error occurs, record the error message that is displayed, which might
describe a problem in setting up the LDAP schema or creating a configuration
of data on the directory server.
Continue the Tivoli Identity Manager installation program. When the
installation completes, complete these steps:
a. Examine the errors and provide a corrective action. There is more
information in the ITIM_HOME/install_logs/ldapConfig.stdout log file. You
might also need to refer to documentation that the directory server product
provides.
b. Save the current log data by renaming the
ITIM_HOME/install_logs/ldapConfig.stdout log file.
c. When the correction is complete, use this command to configure the
directory server:
ITIM_HOME/bin/ldapConfig
New log data is recorded in the
ITIM_HOME/install_logs/ldapConfig.stdout log file.
Note: Do not run the ldapConfig command a second time, unless the
LDAP configuration fails during the Tivoli Identity Manager
installation process. Running the ldapConfig command will restore
default values that Tivoli Identity Manager uses. If you have changed
the value of any of these Tivoli Identity Manager attributes, such as
the password of the user ID named itim manager, the value is
overwritten.
5. If installation is on the deployment manager or on a cluster member, the Tivoli
Identity Manager installation program copies a set of Tivoli Identity Manager
property files to the ITIM_HOME directory. During this step, you can use the
GUI to change some of the Tivoli Identity Manager properties.
If the installation is on a cluster member, ensure that the directory and database
connection information that you enter on the Directory tab and the Database
tab match the information that you entered on these tabs when you configure
the deployment manager. The default database user ID is enrole. The user ID
password is the password that is created for the user ID enrole during the
deployment manager setup. Do not change the default database user ID and
password. The Tivoli Identity Manager will not function properly if any user
information is incorrect. For more information, see “Configuring commonly
used system properties” on page 80.
The Tivoli Identity Manager installation program also configures the
WebSphere environment settings that the Tivoli Identity Manager Server
requires. This step takes several minutes to complete. For more information on
configuring the WebSphere environment, see Appendix D, “Steps that the
installation program takes to configure the WebSphere environment,” on page
127.
If an error occurs, record the error message that is displayed, which might
describe a problem in configuring the WebSphere environment settings that the
Tivoli Identity Manager Server requires.
Continue the Tivoli Identity Manager installation program. When the
installation completes, complete these steps:
a. Examine the errors and provide a corrective action. There is more
information in the ITIM_HOME/install_logs/runConfigTmp.stdout log file.
You might also need to refer to documentation that the WebSphere product
provides.
b. When the correction is complete, enter one of the following commands.
To update commonly-used properties and also to reset WebSphere
Application Server settings for the Tivoli Identity Manager application, run
this command:
v Windows
ITIM_HOME\bin\runConfig install
v UNIX:
– DB2 UDB
ITIM_HOME/bin/cmdWrapper.sh runConfig install
The cmdWrapper.sh command automatically sources the DB2 profile.
– Other databases
ITIM_HOME/bin/runConfig install
New log data is recorded in the ITIM_HOME/install_logs/runConfig.stdout
log file.
6. Restart the cluster. For more information, see “Starting a cluster” on page 72.
7. Verify that the Tivoli Identity Manager Server is working correctly. For more
information, see “Verifying that the Tivoli Identity Manager Server is
operational” on page 56.
Starting a cluster
When installation completes and any required configuration and security
modification is done, restart the cluster. On the WebSphere administrative console,
complete these steps, which assume that the installation process automatically
started the Tivoli Identity Manager:
1. Stop the Tivoli Identity Manager program and the Tivoli Identity Manager
cluster.
a. Click Servers –> Clusters.
b. Select the Tivoli Identity Manager cluster.
c. Click Stop. The Tivoli Identity Manager application stops when the cluster
stops.
2. Start the Tivoli Identity Manager application and the Tivoli Identity Manager
cluster.
a. Click Servers –> Clusters.
b. Select the Tivoli Identity Manager cluster.
c. Click Start. The Tivoli Identity Manager application starts when the cluster
starts.
Use the WebSphere administrative console to verify that all required cluster
applications are started. Complete these steps:
1. Click Applications –> Enterprise Applications. Examine the status of the Tivoli
Identity Manager (enRole) application.
2. Click Servers –> Application Servers. Examine the status of the cluster
members.
3. Additionally, examine the log files for other problems. For more information,
see “Logs and directories” on page 102.
If the status of the Tivoli Identity Manager (enRole) application indicates a partial
start, complete these steps:
1. Locate the computer that has the cluster member that fails to start.
2. Examine the following log files of the computer where the cluster member
resides:
v WAS_HOME/logs/member_hostname/SystemOut.log
v Tivoli_Common_Directory/logs/trace.log
3. Correct the problem. Then, use the WebSphere administrative console to start
the cluster member.
Verifying that the Tivoli Identity Manager Server is operational
To verify that the Tivoli Identity Manager Server and related processes are running,
complete these steps:
1. Start the Tivoli Identity Manager Server cluster. For more information, see
“Starting a cluster.”
2. Ensure that the JMS server that is associated with each cluster member node is
running.
a. On the WebSphere administrative console, click Servers –> JMS Servers.
b. Select the target JMS server and examine the status column for the server. If
the server is not active, click Start to activate it.
For more information, see “Determining if the JMS server is running on a
cluster node” on page 98.
3. Log on to Tivoli Identity Manager Server using the WebSphere embedded
HTTP transport. For example, in a browser window, enter this address:
http://hostname:9080/enrole
The value of hostname is the fully qualified name or IP address of the computer
on which the Tivoli Identity Manager Server is running. The port number
default is 9080. If you have multiple instances of the WebSphere Application
Server on the same computer, the port number may be a different value, such
as 9081.
The browser displays the Tivoli Identity Manager logon window. Enter the
Tivoli Identity Manager Server administrator user ID (″itim manager″) and
password (immediately after installation, the value is ″secret″).
4. After successfully logging on to Tivoli Identity Manager Server using the
WebSphere embedded HTTP transport, attempt to log on to the Tivoli Identity
Manager Server using the IBM HTTP Server. Log on at this address:
http://http_server_hostname/enrole
The value of http_server_hostname is the host name of the IBM HTTP Server. For
more information if you cannot display the Tivoli Identity Manager logon
window, or cannot log on to Tivoli Identity Manager, see “Ensuring that the
HTTP server is running” on page 96.
5. After a first, successful logon, the logon window immediately prompts you to
change the administrator password. Ensure that your password change is
successful. After you change the password, you are ready to create your
organization object and a user that is called an ITIM User.
If you cannot start and log on to Tivoli Identity Manager, see Chapter 8,
“Troubleshooting and verifying the installation,” on page 93.
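The following script, added here as an example rather than taken from the IBM guide, turns steps 3 and 4 into a repeatable check: it requests /enrole through the WebSphere embedded HTTP transport and through the IBM HTTP Server and fails if either path does not answer. The host names itim1.example.com and www.example.com, port 9080, the function names and the use of curl are assumptions.

```shell
#!/bin/sh
# Added example, not part of the IBM guide: confirm that the Tivoli Identity
# Manager logon page answers through both paths the guide describes, the
# WebSphere embedded HTTP transport (default port 9080) and the IBM HTTP
# Server. Host names and ports are placeholders supplied by the caller;
# curl must be installed.

# http_status URL
# Prints the HTTP status code of a GET request; curl prints 000 when no
# connection could be made (refused, unreachable, or timed out).
http_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1"
}

# check_enrole_endpoints WAS_HOST WAS_PORT IHS_HOST
# Returns 0 only when both URLs answer with 2xx or 3xx; a connection
# failure or a 4xx/5xx answer on either path fails the check, so the
# function can be used as a post-install gate.
check_enrole_endpoints() {
    _rc=0
    for _url in "http://$1:$2/enrole" "http://$3/enrole"; do
        _code=$(http_status "$_url")
        case "$_code" in
            2??|3??) echo "OK   $_code $_url" ;;
            000)     echo "FAIL no connection: $_url" >&2; _rc=1 ;;
            *)       echo "FAIL $_code $_url" >&2; _rc=1 ;;
        esac
    done
    return $_rc
}

# Example usage (hypothetical host names):
#   check_enrole_endpoints itim1.example.com 9080 www.example.com || exit 1
```

A 3xx answer is accepted because a redirect from /enrole still shows that the application is deployed and that the server routes to it; a 000 code means curl could not connect at all, so confirm that the cluster member and the IBM HTTP Server are running before investigating the application itself.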
UNIX: Sourcing the DB2 Universal Database profile
On UNIX operating systems, run the DB2 UDB profile to set up the correct
environment to run DB2 UDB programs. This action enables communication
between the Tivoli Identity Manager Server and the DB2 server. This manual step
is not necessary on Windows systems.
To source the profile, complete these steps:
1. Enter the appropriate db2profile command for your default login shell.
For example, if your default login shell is ksh, source the DB2 UDB profile by
entering the following command (the sqllib directory name is lowercase on
UNIX systems):
. DB_INSTANCE_HOME/sqllib/db2profile
2. Verify that you successfully sourced the profile. Enter the following command:
set | grep -i db2
The -i parameter specifies that the search is not sensitive to case. In the
following output, the existence of the value db2inst1 associated with the value
of DB_INSTANCE_HOME indicates that the profile was successfully sourced:
CLASSPATH=/home/db2inst1...
DB2DIR=/usr/lpp/db2_08_01
DB2INSTANCE=db2inst1
3. Include the db2profile command in your login profile (for example, .profile)
so that the profile is sourced every time you log on, including the session
from which you start the WebSphere node agent.
Ensure that the DB2 UDB profile is correctly sourced before doing these tasks:
v Running DBConfig, the database configuration tool. For more information, see
step 3 on page 69.
v Running runConfig, the system configuration tool. For more information, see
step 5 on page 71.
v Starting a WebSphere node agent. For more information, see “Verifying that the
deployment manager, node agents, and JMS servers are running” on page 38.
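The following script, added here as an example and not taken from the IBM guide, wraps the manual steps above: it sources the instance profile and then verifies the variables that the guide's sample output shows (DB2INSTANCE, DB2DIR and a DB2 entry in CLASSPATH) before any of the three tasks in the list is started. The instance home /home/db2inst1, the function names, and the sqllib directory layout of a default DB2 v8 instance are assumptions.

```shell
#!/bin/sh
# Added example, not part of the IBM guide: source the DB2 UDB instance
# profile and verify the resulting environment before running DBConfig,
# runConfig, or starting a node agent. Assumptions: the instance owner's
# home directory is passed as the first argument (for example
# /home/db2inst1) and the profile is at DB_INSTANCE_HOME/sqllib/db2profile,
# as laid out by a default DB2 v8 instance.

# source_db2_profile DB_INSTANCE_HOME
# Sources the profile into the current shell; returns 1 if it is missing,
# so a wrapper cannot silently continue with an incomplete environment.
source_db2_profile() {
    _profile="$1/sqllib/db2profile"
    if [ ! -r "$_profile" ]; then
        echo "db2profile not found or not readable: $_profile" >&2
        return 1
    fi
    . "$_profile"
}

# verify_db2_env [EXPECTED_INSTANCE]
# Checks the variables that db2profile exports; the guide's sample output
# shows DB2INSTANCE, DB2DIR and a CLASSPATH entry under the instance home.
# With an argument, DB2INSTANCE must also equal that instance name, which
# catches a profile sourced from the wrong instance on a multi-instance host.
verify_db2_env() {
    _rc=0
    [ -n "${DB2INSTANCE:-}" ] || { echo "DB2INSTANCE is not set" >&2; _rc=1; }
    [ -n "${DB2DIR:-}" ]      || { echo "DB2DIR is not set" >&2; _rc=1; }
    case ":${CLASSPATH:-}:" in
        *db2*) ;;
        *) echo "CLASSPATH contains no DB2 entry" >&2; _rc=1 ;;
    esac
    if [ -n "${1:-}" ] && [ "${DB2INSTANCE:-}" != "$1" ]; then
        echo "DB2INSTANCE is '${DB2INSTANCE:-}', expected '$1'" >&2
        _rc=1
    fi
    return $_rc
}

# db2_env_ready DB_INSTANCE_HOME [EXPECTED_INSTANCE]
# One-shot check to call before DBConfig, runConfig or startNode.
db2_env_ready() {
    source_db2_profile "$1" && verify_db2_env "${2:-}"
}

# Example usage, in the login shell of the user that starts the node agent
# (ITIM_HOME and the instance path are placeholders):
#   . ./db2env.sh
#   db2_env_ready /home/db2inst1 db2inst1 || exit 1
#   "$ITIM_HOME"/bin/cmdWrapper.sh DBConfig
```

Because the profile is sourced into the calling shell rather than run in a subshell, the exported variables are inherited by any process started afterwards from that shell, which is what the node agent needs.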
Optionally installing a language pack
After installing Tivoli Identity Manager, if the default language is not English,
complete these steps:
1. Before you run the Tivoli Identity Manager language pack setup program,
ensure that the version of the Java Runtime Environment that Tivoli Identity
Manager requires is accessible from the command line. For more information,
refer to the IBM Tivoli Identity Manager Release Notes.
For example, enter this command:
java -fullversion
2. Obtain the language pack CD for the Tivoli Identity Manager Server. On UNIX
systems, mount the language pack CD.
3. Use command line mode to install the language pack. For example, enter this
language pack command at a command prompt:
java -jar itimlp_setup.jar
The Tivoli Identity Manager language pack setup program starts. To complete
the language pack installation, follow the instructions that appear in the setup
program windows.
4. Verify that the language pack is installed. Complete these steps:
a. Verify that these files are present in the
WAS_HOME/installedApps/cellname/enRole.ear/app_web.war directory:
v AppletLabels_lang.properties
v AppletErrorMessages_lang.properties
v AppletMessages_lang.properties
The value of lang is a string such as fr that indicates a language such as
French.
b. Verify that one or more of the following files are present in the
ITIM_HOME/data directory:
v ErrorMessages_lang.properties
v Labels_lang.properties
v Messages_lang.properties
v adhocreporting_lang.properties
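As an added example that is not part of the IBM guide, the following script automates step 4: it requires all three applet bundles under app_web.war and at least one server-side bundle in ITIM_HOME/data, and reports which file is missing. The directory arguments, the language suffix (for example fr) and the function names are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example, not part of the IBM guide: verify that a language pack was
# installed by checking for the files the guide lists in step 4. The paths
# mirror the guide's layout; WAS_HOME, the cell name, ITIM_HOME and the
# language suffix are supplied by the caller.

# applet_bundles_present WAS_HOME CELLNAME LANG
# Step 4a: all three applet property files must exist in app_web.war.
applet_bundles_present() {
    _dir="$1/installedApps/$2/enRole.ear/app_web.war"
    _rc=0
    for _f in AppletLabels AppletErrorMessages AppletMessages; do
        if [ ! -f "$_dir/${_f}_$3.properties" ]; then
            echo "missing: $_dir/${_f}_$3.properties" >&2
            _rc=1
        fi
    done
    return $_rc
}

# data_bundles_present ITIM_HOME LANG
# Step 4b: at least one of the server-side bundles must exist in ITIM_HOME/data.
data_bundles_present() {
    _found=0
    for _f in ErrorMessages Labels Messages adhocreporting; do
        if [ -f "$1/data/${_f}_$2.properties" ]; then
            _found=$((_found + 1))
        fi
    done
    if [ "$_found" -eq 0 ]; then
        echo "no *_$2.properties bundle found in $1/data" >&2
        return 1
    fi
    echo "$_found bundle(s) found in $1/data"
}

# verify_language_pack WAS_HOME CELLNAME ITIM_HOME LANG
# Runs both checks (so every missing file is reported, not only the first)
# and returns 0 only when both pass.
verify_language_pack() {
    if applet_bundles_present "$1" "$2" "$4"; then _a=0; else _a=1; fi
    if data_bundles_present "$3" "$4"; then _b=0; else _b=1; fi
    [ "$_a" -eq 0 ] && [ "$_b" -eq 0 ]
}

# Example usage (hypothetical paths):
#   verify_language_pack /usr/WebSphere/AppServer cell1 /usr/IBM/itim fr || exit 1
```

Run the check on every cluster member, because the applet bundles live under each member's own WAS_HOME rather than in a shared location.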
Changing cluster configurations after Tivoli Identity Manager is
installed
This section describes expanding or reducing the members in a cluster for
performance reasons after Tivoli Identity Manager is installed.
Expanding a cluster using a new computer
To add a new cluster member to an existing Tivoli Identity Manager cluster,
complete these steps to add a computer with a WebSphere Application Server that
was not previously in the WebSphere cell.
1. Run the addNode command to federate the new node into the cell. If DB2 UDB
is used, ensure that you set the DB2 environment before you run the addNode
command. For more information, see “Adding nodes to a cell” on page 38.
2. Create a new Tivoli Identity Manager cluster member on the new node. On the
WebSphere administrative console, complete these steps:
a. Click Servers –> Cluster.
b. On the next window, click the Tivoli Identity Manager cluster name.
c. Click Cluster Members, then click New.
d. Select the node name that is the node that you added to the cell. Enter the
node name. Then, click Next.
e. Verify the summary window, then click Finish.
f. Save the changes.
3. Run the Tivoli Identity Manager installation program on the new computer,
choosing cluster member installation.
4. Update the WebSphere Web Server plug-in file. Using the WebSphere
administrative console, click Environment –> Update Web Server Plugin –>
OK. If the IBM HTTP Server is located on a different computer than the
computer that has the WebSphere Application Server, move the plugin-cfg.xml
file to the IBM HTTP Server computer. For more information, see “Moving the
HTTP server out of the cell for additional security” on page 45.
5. Start the new cluster member. Click Servers –> Clusters and select the cluster.
In the cluster, click Cluster Members. Select the new member and click Start.
Removing cluster members
To remove cluster members, complete these steps:
1. Run the Tivoli Identity Manager uninstallation program on the computer that
has the cluster member that you intend to remove. For more information, see
Chapter 9, “Uninstalling the Tivoli Identity Manager Server,” on page 105.
2. On the WebSphere administrative console, delete the cluster member from the
cluster.
3. Update the WebSphere Web Server plug-in file. Using the WebSphere
administrative console, click Environment –> Update Web Server Plugin –>
OK. For more information, see “Generating the WebSphere Web Server plug-in
configuration file.”
Generating the WebSphere Web Server plug-in configuration
file
If you add to or reduce the number of cluster members, you must generate the
plugin-cfg.xml configuration file for the WebSphere Web Server plug-in. Complete
these steps:
1. Log on to the deployment manager, using the WebSphere administrative
console.
2. From the left pane of the console, click Environment –> Update Web Server
Plugin –> OK.
3. After the update completes, click Save to save your configuration to the master
repository. The updated plugin-cfg.xml file should reside in the
WAS_NDM_HOME/config/cells directory.
4. If the IBM HTTP Server and deployment manager are installed on different
computers, you must move the plugin-cfg.xml file to the computer that has the
IBM HTTP Server, and replace the existing plugin-cfg.xml file.
5. Restart the IBM HTTP Server.
Preparing to install adapters
Use SSL production certificates to ensure secure communication between the Tivoli
Identity Manager Server and the Tivoli Identity Manager adapter. For more
information, see “Adapters overview” on page 2.
The Certificate Authority issuer certificate that corresponds to the certificate of the
Tivoli Identity Manager adapter must be installed into the truststore file that the
Tivoli Identity Manager Server is configured to use. Tivoli Identity Manager uses
the standard Java keystore and truststore mechanisms to store certificates and
issuer certificates for SSL communications. You can use any standard Java keystore
tools to maintain certificates, such as the Java keytool command line utility, or the
WebSphere key management utility (iKeyman). The source certificate files can be in
any format that the keystore tool supports. For more information, refer to the IBM
Tivoli Identity Manager Planning for Deployment Guide.
A cluster configuration requires that the issuer certificate that corresponds to the
certificate of the Tivoli Identity Manager adapter is installed into the truststore file
of each application server on the cluster.
Complete these steps:
1. Using the Tivoli Identity Manager import utility, install the adapter profile.
2. In a cluster configuration, install the adapter profile once. For recommendations
on where to install the adapter profile in a cluster configuration, refer to the
adapter installation guide for your specific adapter.
3. Labels from the CustomLabels.properties file are stored in the Tivoli Identity
Manager database. In a cluster configuration, import the adapter profile on the
computer on which the deployment manager is installed, although the adapter
profile can be imported on any server in the cluster. The profile information is
pushed into the directory and becomes available to all cluster members.
4. After installing Tivoli Identity Manager, if the default language is not English,
complete these steps before you install the first Tivoli Identity Manager
adapter:
a. Before you run the Tivoli Identity Manager language pack setup program,
ensure that the version of the Java Runtime Environment that Tivoli Identity
Manager requires is accessible from the command line. For more
information, refer to the IBM Tivoli Identity Manager Release Notes.
For example, enter this command:
java -fullversion
b. Obtain and mount the language pack CD for the Tivoli Identity Manager
adapters. Use command line mode to install the language pack for the
adapters on the Tivoli Identity Manager Server. For example, enter the
following command:
java -jar itimlp_agents_setup.jar
The Tivoli Identity Manager language pack setup program starts. To
complete the language pack installation, follow the instructions that appear
in the setup program panels.
Chapter 7. Configuring the Tivoli Identity Manager Server
Configuring the Tivoli Identity Manager Server has these steps:
v “Configuring the Tivoli Identity Manager database”
v “Configuring the directory server” on page 79
v “Configuring commonly used system properties” on page 80
v “Optionally configuring security after installing Tivoli Identity Manager” on
page 87
v “Modifying system properties during normal operation” on page 90
Configuring the Tivoli Identity Manager database
The Tivoli Identity Manager installation program automatically uses the DBConfig
database configuration tool during a single-server installation, or during a cluster
installation on the deployment manager, to set up these components:
v Tivoli Identity Manager database
v WebSphere JDBC driver provider configuration
v WebSphere data source configuration
Completing the database configuration windows
A database configuration window opens to allow you to configure the database
property file and to set up tables in the Tivoli Identity Manager database. The
fields that appear in the window might vary, depending on which database that
you use. For more information, see Appendix B, “Worksheets,” on page 111.
On the database configuration window, follow these steps:
1. Complete the Identity Manager Database Information fields. The data is
required to configure and connect to the Tivoli Identity Manager database.
Ensure that the database administrator ID has the rights to update the
database. If the database is DB2 UDB, the IP Address and Port Number fields
are greyed out. These fields are required for other databases. For example, for
an Oracle database, enter the IP address of your Oracle database server in the
IP Address field; the default value for the Port Number field is 1521.
2. Click Test to ensure that the connection to the database is active. When the
database test is successful, the Tivoli Identity Manager User Password field
becomes active and the Test button changes to Continue. The User ID field
defaults to the value enrole, which cannot be changed. Before you continue,
ensure that the user ID enrole exists on the computer that is the database
server.
3. Enter the correct password for the existing database user ID that is named
enrole and click Continue. The database configuration requires several minutes
to complete.
Manually starting the DBConfig database configuration tool
The DBConfig command creates the database table definitions that Tivoli Identity
Manager requires. Run this command only if the command failed to configure the
database during installation. If the Tivoli Identity Manager database tables
already exist, running the DBConfig command first drops all of the existing
Tivoli Identity Manager tables.
To manually start the database configuration tool (DBConfig), complete these
tasks:
1. Ensure that the WebSphere Application Server is running. For more
information, see “Ensuring that the WebSphere Application Server is running”
on page 98.
2. Run the following command:
v Windows
ITIM_HOME\bin\DBConfig
v UNIX
ITIM_HOME/bin/cmdWrapper.sh DBConfig
Running the database configuration tool writes data to the
ITIM_HOME/install_logs/dbConfig.stdout log file. The database configuration
requires several minutes to complete.
Figure 13. Database configuration window
Configuring the directory server
Do not run the ldapConfig command a second time, unless the LDAP
configuration fails during the Tivoli Identity Manager installation process. Running
the ldapConfig command will restore default values that Tivoli Identity Manager
uses. If you have changed the value of any of these Tivoli Identity Manager
attributes, such as the password of the user ID named itim manager, the value is
overwritten.
Completing the directory server configuration windows
To configure the LDAP data repository with Tivoli Identity Manager values,
complete these steps:
1. Enter the values for the LDAP Server Information fields to set up the
connection to the directory server. For example, the value of the Host Name
field is the fully qualified host name of the computer on which the directory
server is running.
2. Click Test to ensure that the connection to the directory server can be
established. When the test for a connection to the directory server is successful,
the fields in the Identity Manager Directory Information section become active.
3. See Appendix B, “Worksheets,” on page 111 and complete the fields with the
values for your site. Then, click Continue.
Manually running the ldapConfig configuration tool
To avoid the loss of existing directory server data, you must not manually run this
tool unless a directory server configuration problem occurs during installation.
To manually start the ldapConfig configuration tool, run the following command:
ITIM_HOME/bin/ldapConfig
Running the configuration tool writes data to the
ITIM_HOME/install_logs/ldapConfig.stdout log file. The directory server
configuration requires several minutes to complete.
Figure 14. Directory configuration window
Configuring commonly used system properties
The Tivoli Identity Manager installation program automatically runs the runConfig
system configuration tool to edit commonly used system properties for the Tivoli
Identity Manager Server and also to configure WebSphere Application Server
settings for the Tivoli Identity Manager application. The Tivoli Identity Manager
installation program runs the system configuration tool for both a single-server
and cluster configuration, which includes the deployment manager and the cluster
members.
You can run the system configuration tool manually. For more information, see
“Manually starting the system configuration tool.” For alternative ways to
configure system properties, see “Modifying system properties during normal
operation” on page 90.
The system configuration tool provides these windows:
v “General tab”
v “Directory tab” on page 82
v “Database tab” on page 83
v “Logging tab” on page 84
v “Mail tab” on page 84
v “UI tab” on page 85
v “Security tab” on page 86
Manually starting the system configuration tool
To update commonly used properties and also to reset WebSphere Application
Server settings for the Tivoli Identity Manager application, run this command:
v Windows
ITIM_HOME\bin\runConfig install
v UNIX:
– DB2 UDB
ITIM_HOME/bin/cmdWrapper.sh runConfig install
The cmdWrapper.sh command automatically sources the DB2 profile.
– Other databases
ITIM_HOME/bin/runConfig install
Running the system configuration tool writes log data to the
ITIM_HOME/install_logs/runConfig.stdout log file.
General tab
Click the General tab. The General tab of the system configuration tool configures
the general information about the Tivoli Identity Manager Server.
The following field values on the General tab are prefilled by the installation
program:
v Host name
Not used with the Tivoli Identity Manager Server running on the WebSphere
Application Server.
v TCP/IP port number
Not used with the Tivoli Identity Manager Server running on the WebSphere
Application Server.
v SSL TCP/IP port number
Not used with the Tivoli Identity Manager Server running on the WebSphere
Application Server.
v Scheduling information
– Heart beat
The Scheduling Information field displays information about how frequently
a scheduling thread queries the scheduled message stores for events to
process (Heart Beat). You might want to consider performance issues before
you enable a more frequent beat. Only system administrators can modify the
Heart Beat, which is measured in seconds.
– Recycle bin age limit (days)
When you delete Tivoli Identity Manager objects (such as organization units,
persons, or accounts), the objects are not immediately removed from the
system. Instead, they are moved to a recycle bin container. Emptying the
recycle bin is a separate deletion process that involves running cleanup
scripts.
For example, to avoid assigning an old user ID to a new user, the assignment
process might check the recycle bin to determine if an old user ID exists. You
might set the value of the recycle bin interval to an interval that determines
the length of time to retain old user IDs.
The Recycle Bin Age Limit field specifies the number of days that an object
remains in the recycle bin of the system before it becomes available for
deletion by cleanup scripts. The cleanup scripts can only remove those objects
that are older than the age limit setting. For example, if the age limit setting is
62 days (the default value), only objects that have been in the recycle bin for
more than 62 days can be deleted by cleanup scripts.
Figure 15. General tab window
You can use the following scripts to either manually remove or to schedule
the periodic cleanup of recycle bin entries with expired age limits:
- Windows
ITIM_HOME\bin\win\ldapClean.cmd
To schedule periodic cleanup, register the above command script with the
Windows scheduler.
- UNIX
ITIM_HOME/bin/unix/ldapClean.sh
To schedule periodic cleanup, create a UNIX cron job such as the following
example:
ITIM_HOME/bin/unix/schedule_garbage.cron
Directory tab
Click the Directory tab. The Directory tab of the system configuration tool displays
directory connection information and LDAP connection pool information. The tab
also has a Test button to test the connection to the directory server. If you update
any field on this tab, click Test to ensure that the connection works.
The information is pre-filled for the deployment manager, but not for a WebSphere
Application Server. If necessary, modify the following information for the directory
server:
v Principal DN and password that the Tivoli Identity Manager Server uses to log
onto the directory server
v Directory server host name
v Port number for the directory server
v The LDAP connection pool information defines a pool of LDAP connections
accessible by the Tivoli Identity Manager Server. Once a connection is
established and data is stored in the LDAP directory server, changing the host
name or the port number might have detrimental effects.
– In the Maximum Pool Size field, specify the maximum number of
connections that the LDAP Connection Pool can have at any time.
– In the Initial Pool Size field, specify the initial number of connections to be
created for the LDAP Connection Pool.
– In the Increment Count field, specify the number of connections to be added
to the LDAP Connection Pool every time a connection is requested after all
connections are in use.
Figure 16. Directory tab window
Database tab
Click the Database tab. The Database tab displays general database information
and database pool information. The tab also has a Test button to test the
connection to the database. If you update any field on this tab, click Test to ensure
that the connection works. Changing the configuration after the system is set up
can have detrimental effects.
Depending on the type of connection that is used, one of several windows is
displayed when configuring database properties. The window in this example
displays the Database tab when Tivoli Identity Manager does not use an Oracle
Client to connect to the Oracle database.
If this installation is on a cluster member, the information must match the database
specification previously made for the deployment manager.
v In the Database Type field, specify a database such as DB2 UDB.
v In the Database Name or Alias field, specify the name or alias of the database.
For example, the value of Database Name may be itimdb.
– DB2 Universal Database only: The Database Name or Alias field displays
how Tivoli Identity Manager connects to the database.
If the database is installed locally, the value represents the name of the
database.
If the database is installed remotely, the value represents the local alias name
of the remote database.
– Oracle only: The field label is: Database IP:Port:Name
– Microsoft SQLServer only: The field label is: Database IP:Port:Service Name
v In the Database User and the User Password fields, specify the database
account and password that Tivoli Identity Manager uses to log onto the
database. The default user ID is enrole, which is created by the Tivoli Identity
Manager database configuration program (DBConfig). The account must have a
valid user password.
v The database pool information determines the number of JDBC connections. For
more information on supported JDBC drivers, see “Configuring the DB2 JDBC
driver” on page 16.
– In the Initial Capacity field, specify the initial number of JDBC connections.
– In the Maximum Capacity field, specify the maximum number of JDBC
connections that the Tivoli Identity Manager Server can open to the database
at any one time.
– In the Login Delay Seconds field, specify the time, in seconds, between
connections.
Figure 17. Database tab window
Logging tab
Click the Logging tab.
The Logging tab of the system configuration tool enables you to set the level of
tracing. Choose one of these values:
MIN  Writes less information to the log file. Use this setting for best
performance.
MED  Writes an increased amount of information to the log file.
MAX  Writes the maximum amount of information to the log file. The increased
amount of logging activity might affect performance. This is
approximately the equivalent of INFO or VERBOSE.
Mail tab
Click the Mail tab.
Figure 18. Logging tab window
The Mail tab of the system configuration tool displays mail notification and
gateway parameters:
v In the Identity Manager URL field, specify the login Universal Resource Locator
(URL) for the Tivoli Identity Manager Server that is first presented as a
hyperlink in e-mail to new Tivoli Identity Manager users.
The value is the URL of the proxy server (for example, the IBM HTTP Server).
Specify the host name (or IP address) and port in the base URL. Ensure that the
value matches the published login URL to your Tivoli Identity Manager system.
– Single-server configuration
The base URL is the address of the Web server (for example, the IBM HTTP
Server) which by default uses port 80. For more information, see Table 3 on
page 40.
– Cluster configuration
The base URL is the address of the Web server which load-balances to all
application server instances in the cluster (not the base URL of a specific
application server instance).
v In the Mail From field, specify the address to the Tivoli Identity Manager
system administrator e-mail address for your site. All e-mail is delivered from
the Mail From parameter. You must change this address, or you will send spam
to the e-mail address listed.
v In the Mail Server Name field, specify the SMTP mail host that sends mail
notification. SMTP mail servers are supported. The SMTP host is the mail
gateway. For example, enter a host name such as swiftcreek.mycity.ibm.com.
UI tab
Click the UI tab.
Figure 19. Mail tab window
The UI tab of the system configuration tool displays information to customize the
Tivoli Identity Manager Server GUI.
v In the Customer Logo field, specify the file name of the logo graphic.
v In the Customer Logo Link field, specify an optional URL link activated by
clicking on the logo image. System administrators can specify these two
variables to replace the IBM logo with their company logo throughout the Tivoli
Identity Manager system. The default IBM logo file is the ibm_banner.gif file,
which is located in the
WAS_HOME/installedApps/cell_name/enRole.ear/app_web.war/images
directory.
v In the List Page Size field, specify how many items that require a search in the
directory are displayed on lists throughout the user interface. If the total number
of items exceeds the set List Page Size, the list is spread over multiple pages. For
example, the value controls the size of the names list that appears when you
browse the My Organization –> Manage People tab in the Tivoli Identity
Manager GUI.
Security tab
Click the Security tab. The Security tab of the system configuration tool displays
information to manage database, LDAP, and application server user IDs and
passwords that are stored in Tivoli Identity Manager properties files. The tab
displays the encryption settings and application server user management
preferences in the Tivoli Identity Manager Server.
Figure 20. UI tab window
By default, passwords in the Tivoli Identity Manager property files are not
encrypted.
v In the Encryption box, check the box to encrypt the passwords used for
database and LDAP connections and the password of the EJB user that is used
for EJB authentication. The encryption flags are set to true. Clear the box to
decrypt the passwords and set the flags to false. The flags are represented by the
following properties in the enRole.properties file:
enrole.password.database.encrypted
enrole.password.ldap.encrypted
enrole.password.appServer.encrypted
v In the System User and System User Password fields, specify the system user
and the system user password. The fields are prefilled if WebSphere global
security is on, and an administrator user ID and password have been entered.
The fields are blank if WebSphere global security is not on.
v In the EJB User and EJB User Password fields, specify the EJB user and the EJB
user password. The fields initially take the values of the System User and
Password fields. The length of the EJB user ID must be fewer than 12 characters.
If you define your own EJB user during installation to be different than the
System User, you might need to modify the EJB User and EJB User Password
fields. If you change the value of the EJB user ID or the EJB password on this
system configuration Security window, additional manual steps are required
after Tivoli Identity Manager installation to map the security role to the ITIM
user in order to start Tivoli Identity Manager. For more information, see
“Optionally configuring security after installing Tivoli Identity Manager.”
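Whether the three encryption flags listed above are actually set can be checked without opening runConfig. The following is an added example, not code from the guide or from the product: it parses a Java .properties file and reports which of the flags are absent or not true, that is, which connection passwords are still stored in cleartext. The sample file fragment in the block is constructed, including its non-flag key.

```python
"""Audit enRole.properties for the credential-encryption flags.

Added example, not code from the Tivoli Identity Manager guide or the product.
It parses a Java .properties file and reports which of the three
enrole.password.*.encrypted flags named in the guide are absent or not set to
true. The sample file fragment below is constructed.
"""
import re

# The three flags that the Security tab of runConfig sets (names from the guide).
ENCRYPTION_FLAGS = (
    "enrole.password.database.encrypted",
    "enrole.password.ldap.encrypted",
    "enrole.password.appServer.encrypted",
)

# key, then an optional '=' or ':' (or only whitespace), then the value
_KEY_VALUE_RE = re.compile(r"^((?:\\.|[^\s:=\\])+)\s*[:=]?\s*(.*)$")


def parse_properties(text):
    """Parse Java .properties text into a dict of key -> value.

    Supports '#' and '!' comment lines, '=', ':' or whitespace separators, and
    backslash line continuations (a trailing odd number of backslashes).
    """
    props = {}
    pending = None
    for raw in text.splitlines():
        line = raw.lstrip()
        if pending is None:
            if not line or line[0] in "#!":
                continue
            pending = line
        else:
            pending += line  # continuation: leading whitespace is dropped
        trailing = len(pending) - len(pending.rstrip("\\"))
        if trailing % 2 == 1:
            pending = pending[:-1]  # remove the continuation backslash
            continue
        m = _KEY_VALUE_RE.match(pending)
        if m:
            props[m.group(1).replace("\\", "")] = m.group(2).rstrip()
        pending = None
    if pending is not None:  # file ended right after a continuation backslash
        m = _KEY_VALUE_RE.match(pending)
        if m:
            props[m.group(1).replace("\\", "")] = m.group(2).rstrip()
    return props


def audit_encryption_flags(props):
    """Return {flag: problem} for flags that are missing or not 'true'."""
    findings = {}
    for flag in ENCRYPTION_FLAGS:
        value = props.get(flag)
        if value is None:
            findings[flag] = "missing"
        elif value.strip().lower() != "true":
            findings[flag] = value
    return findings


def audit_file(path):
    """Audit an enRole.properties file on disk (.properties files are ISO-8859-1)."""
    with open(path, encoding="latin-1") as fh:
        return audit_encryption_flags(parse_properties(fh.read()))


# Constructed sample fragment: database flag on, the other two off, one via a
# ':' separator and one via a line continuation, to exercise the parser.
SAMPLE_ENROLE_PROPERTIES = """\
# constructed enRole.properties fragment (not from an installation)
example.constructed.key=some value
enrole.password.database.encrypted=true
enrole.password.ldap.encrypted : false
enrole.password.appServer.encrypted=\\
    false
"""

if __name__ == "__main__":
    findings = audit_encryption_flags(parse_properties(SAMPLE_ENROLE_PROPERTIES))
    if not findings:
        print("all three passwords are flagged as encrypted")
    for flag, problem in findings.items():
        print(f"{flag}: {problem} (password stored in cleartext)")
```

Point audit_file at ITIM_HOME/data/enRole.properties on each cluster member to confirm that the flags match the Security tab setting.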
Optionally configuring security after installing Tivoli Identity Manager
If you chose to enable global security on the WebSphere Application Server, map
the itimadmin administrative user to the ITIM_SYSTEM role to further limit access.
If you also enabled Java 2 security, verify that the was.policy file exists. Any time
that the System User or EJB User are modified outside of Tivoli Identity Manager,
run the runConfig command to update the Tivoli Identity Manager configuration.
Each of the following steps applies to both single and multi-node deployments.
Figure 21. Security tab window
Mapping an administrative user to a role
Map an administrative user to a Tivoli Identity Manager role with these steps:
1. On the WebSphere administrative console, click Applications –> Enterprise
Applications.
2. Click enRole.
3. In Additional Properties, scroll down and click Map security roles to
users/groups.
4. Select the check box for ITIM_SYSTEM.
5. Click Lookup users.
6. Click Search.
7. Select the EJB User (itimadmin) from the list.
8. Click OK.
9. To prevent unauthorized access, clear the Everyone? or All Authenticated?
check boxes.
10. Save the configuration changes.
Ensuring that the was.policy file exists
The Tivoli Identity Manager installation program automatically creates the
was.policy policy file with all the permissions that the Tivoli Identity Manager
application needs to run with Java 2 security enabled.
Enabling Java 2 security for the Tivoli Identity Manager application also causes
Java 2 security to be enforced on all applications that are running on the
WebSphere Application Server. If you enable Java 2 security for the Tivoli Identity
Manager application, you should also appropriately configure all other applications
running on the WebSphere Application Server to support Java 2 security.
Ensure that the was.policy file exists. If the file does not exist, create the file in the
following directory on the node:
WAS_HOME/config/cells/cellname/applications/enRole.ear/deployments/enrole/META-INF
The file contents are similar to these lines:
grant codeBase "file:${application}" {
  permission java.security.AllPermission;
};
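The check that the file exists, and a review of what it grants, can be scripted. The following is an added example, not code from the guide or from WebSphere: it builds the was.policy path shown above for a given WAS_HOME and cell name, and parses the grant blocks so the permissions per codeBase can be listed. The sample policy text, installation directory and cell name in the block are constructed.

```python
"""Locate and inspect the Tivoli Identity Manager was.policy file.

Added example, not part of the Tivoli Identity Manager guide or of WebSphere.
It builds the path the guide gives for was.policy, checks that the file exists,
and parses grant blocks so that the permissions given to each codeBase can be
reviewed. The sample policy text, WAS_HOME and cell name are constructed.
"""
import os
import re

# Path of was.policy relative to WAS_HOME, as given in the guide.
WAS_POLICY_RELATIVE = os.path.join(
    "config", "cells", "{cellname}", "applications", "enRole.ear",
    "deployments", "enrole", "META-INF", "was.policy",
)

# grant codeBase "<url>" { ... };   (signedBy/principal clauses are not handled)
GRANT_RE = re.compile(r'grant\s+codeBase\s+"([^"]+)"\s*\{(.*?)\}\s*;', re.S)
# permission <class> ["target"] [, "actions"];
PERMISSION_RE = re.compile(
    r'permission\s+([\w.$]+)(?:\s+"([^"]*)")?(?:\s*,\s*"([^"]*)")?\s*;'
)


def parse_was_policy(text):
    """Return {codeBase: [(permission_class, target, actions), ...]}."""
    text = re.sub(r"//[^\n]*", "", text)  # drop // comments
    grants = {}
    for code_base, body in GRANT_RE.findall(text):
        grants.setdefault(code_base, []).extend(PERMISSION_RE.findall(body))
    return grants


def was_policy_path(was_home, cellname):
    """Absolute path of was.policy for the enRole application in the given cell."""
    return os.path.join(was_home, WAS_POLICY_RELATIVE.format(cellname=cellname))


def check_was_policy(was_home, cellname):
    """Report whether was.policy exists and what the application codeBase is granted."""
    path = was_policy_path(was_home, cellname)
    result = {"path": path, "exists": os.path.isfile(path), "grants": {}}
    if result["exists"]:
        with open(path, encoding="utf-8") as fh:
            result["grants"] = parse_was_policy(fh.read())
    app_perms = result["grants"].get("file:${application}", [])
    result["grants_all_permission"] = any(
        cls == "java.security.AllPermission" for cls, _target, _actions in app_perms
    )
    return result


# Constructed sample: the guide's minimal policy plus a second, narrower grant.
SAMPLE_WAS_POLICY = """\
// constructed sample was.policy (not from an installation)
grant codeBase "file:${application}" {
  permission java.security.AllPermission;
};
grant codeBase "file:${jars}" {
  permission java.io.FilePermission "${user.install.root}${/}temp${/}-", "read,write";
  permission java.util.PropertyPermission "*", "read";
};
"""

if __name__ == "__main__":
    for code_base, perms in parse_was_policy(SAMPLE_WAS_POLICY).items():
        print(code_base)
        for cls, target, actions in perms:
            print(f"  {cls} {target!r} {actions!r}")
    # Constructed WAS_HOME and cell name; on a real node pass the actual values.
    report = check_was_policy("/opt/IBM/WebSphere/AppServer", "cell01")
    print("exists:", report["exists"], "path:", report["path"])
```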
Updating the system user and the EJB user
If you made changes to the System User or to the EJB User fields, you must
update Tivoli Identity Manager configurations with these new values. Complete
these steps:
1. Start the system configuration tool. To do so, enter the following command:
v Windows
ITIM_HOME\bin\runConfig
v UNIX
ITIM_HOME/bin/runConfig.sh
2. Select the Security tab.
3. Update the System User field and its password with the wasadmin user ID
that you created in the local OS registry.
4. Update the EJB User field and its password with the itimadmin user ID that
you created in the local operating system registry.
5. Click OK.
Running Java 2 security on single-node deployments
To run with security enabled in a single-node deployment, use the WebSphere
administrative console to restart Tivoli Identity Manager and log in when
prompted. Complete these steps:
1. Click Applications –> Enterprise Applications.
2. Select enRole. Then, click Start.
Running Java 2 security on multi-node deployments
To run the Java 2 security component after installing Tivoli Identity Manager on
multi-node deployments, synchronize the nodes in the cell, and ensure that the
timeout interval is large enough to prevent accidental timeouts.
Synchronizing the nodes in the cell
Synchronize the deployment manager configuration with the nodes in the cell.
Restart the Tivoli Identity Manager cluster. Restart Tivoli Identity Manager with
these steps:
1. Click Server –> Clusters.
2. Select the check box next to the cluster name.
3. Click Stop. Wait for the cluster to stop, and then click Start.
Increasing the timeout interval
Ensure that the token expiration value is large enough to prevent accidental
timeouts.
Security uses a Lightweight Third Party Authentication (LTPA) token that expires
after an interval of system inactivity. The default is 120 minutes, which might not
be large enough to use with Tivoli Identity Manager. On some systems, the actual
timeout interval might be shorter than the value that is specified. A timeout might
prevent you from logging on. When a timeout occurs, you must recycle the
deployment manager, the cluster, and all node agents.
Figure 22. Security tab window
Complete these steps:
1. Start the WebSphere administrative console.
2. Click Security –> Authentication Mechanisms –> LTPA –> Timeout.
3. Set the token expiration interval to a value that exceeds the longest anticipated
interval of system inactivity at your site.
Modifying system properties during normal operation
You configure the Tivoli Identity Manager Server by managing system properties.
For example, a system property determines how the server responds to the correct
completion of a challenge question. System properties can be modified at any time.
You may need to restart the Tivoli Identity Manager Server when changes are
made to certain system properties such as the server startup modules, which are
not recognized unless you restart the server. Restart the Tivoli Identity Manager
Server after modifying any property using the system configuration tool. Changes
to other system properties can be recognized within 30 seconds. Logging properties
can be changed without restarting the server and changes take effect within 30
seconds.
To modify system properties, use these choices:
v Use the system configuration tool, runConfig. For more information, see
“Modifying system properties with the system configuration tool.”
v Make changes manually. For more information, see “Modifying system
properties manually.”
v Use the Tivoli Identity Manager Server GUI. For more information, see
“Modifying system properties with the Tivoli Identity Manager GUI” on page
91.
Modifying system properties with the system configuration
tool
After installation, use the system configuration tool (runConfig) for the following
tasks:
v Changing the password of the enrole user.
v Specifying password encryption and updating Tivoli Identity Manager EJB user
IDs and passwords.
Modifying system properties manually
Alternatively, you can manually modify system properties by editing the
appropriate property file.
System and supplemental property files are located on the Tivoli Identity Manager
Server in the ITIM_HOME/data directory. These files contain all of the system and
supplemental properties used by the server. For more information about system
properties located in the enRole.properties file, refer to the IBM Tivoli Identity
Manager Information Center.
Modifying system properties with the Tivoli Identity Manager
GUI
You can also modify certain system properties from within the Configuration
section of the Main Menu Navigation Bar in the Tivoli Identity Manager Server
GUI.
From the Configuration tab, you can modify the following properties:
v Lost password question behavior
v Enable/disable password editing
v Password expiration period (number of days)
This property is only for the Tivoli Identity Manager Server account. The user
has to change the password before this period is reached. Whenever a new
password is set for the Tivoli Identity Manager Server account, the password
expiration period is affected from that time. You can make this period never
expire by setting this value to zero.
v Password retrieval expiration period (number of hours)
After the new account is created, the user receives an e-mail with the URL link
that provides the password. The user has to get the password before this
password retrieval period expires.
v Maximum number of invalid logon attempts
Sets the maximum number of invalid logon attempts. If exceeded, the account is
suspended. The default setting is "0" (unlimited logon attempts).
Chapter 7. Configuring the Tivoli Identity Manager Server 91
92 IBM Tivoli Identity Manager: Server Installation and Configuration Guide for WebSphere Environments
Chapter 8. Troubleshooting and verifying the installation
This section describes how to correct problems with the Tivoli Identity Manager
installation and then to verify that the Tivoli Identity Manager Server and its
prerequisite processes are running correctly.
You can test whether the database, the directory server, and other programs that
the Tivoli Identity Manager Server uses are correctly configured and also in full
communication with each other. To determine supported prerequisite products,
release levels, and fix pack specifications, refer to the IBM Tivoli Identity Manager
Release Notes, which takes precedence over this document.
Correcting problems starting the installation
If you cannot start the Tivoli Identity Manager installation program, check these
requirements:
v Is there enough real memory available to run the installation program? For more
information, refer to the IBM Tivoli Identity Manager Release Notes.
v Are the correct operating system levels, patches, and space requirements
provided for the hardware and software prerequisites? For more information,
refer to the IBM Tivoli Identity Manager Release Notes.
v Does the installation program have the correct file permissions to run?
v If the installation is on a UNIX system, do you have the correct permissions and
display variables set?
A common mistake is to log into the desktop, omit enabling the X Server and
setting the DISPLAY environment variable, and then telnet to a remote host on
which you intend to install the Tivoli Identity Manager Server. To correct this
problem, complete these tasks:
1. Run this command at the command shell of your desktop to enable the X
Server:
xhost +
2. After you telnet to the remote host, run this command to set the DISPLAY
environment variable:
export DISPLAY=hostname:0.0
The value of hostname is the host name or IP address of your local desktop
computer.
v Using a terminal session such as a vnc session or a session started with a similar
product, the Tivoli Identity Manager installation process fails to complete. Error
messages may indicate that the jmsserver process stopped. A subsequent attempt
to install may produce an error message indicating a problem with the enrole.ear
file.
To correct this, install Tivoli Identity Manager directly on the operating system
of the target computer. Do not use a vnc session or a session provided by similar
products to install Tivoli Identity Manager.
Verifying the installation
This section describes verifying whether the database, the directory server, and
other programs that the Tivoli Identity Manager Server uses are correctly
configured and also in full communication with the Tivoli Identity Manager Server.
Testing the database connection
Before starting the Tivoli Identity Manager Server, use the WebSphere
administrative console to test the database connection. Complete these steps:
1. Start the WebSphere administrative console.
http://hostname:9090/admin
The value of hostname is the fully qualified host name of the computer on
which you installed the WebSphere Application Server or the deployment
manager.
2. On any configuration, click Resources –> JDBC Providers.
On a cluster configuration, additionally select the target node.
3. Select the scope as server, select a target server such as server1, and then click
Apply.
4. Scroll down to the list of JDBC providers, and click ITIM db_type JDBC
Provider. The value of the db_type parameter specifies DB2 UDB, Oracle, or
Microsoft SQL Server 2000.
5. Scroll the JDBC Provider window that appears to view the Additional
Properties. Click Data Sources.
6. Select ITIM Data Source.
7. In the Data Sources window, click Test Connection. A message appears that
indicates the test result.
If the connection does not work, complete these steps:
1. If DB2 Universal Database is used, ensure that you execute the DB2 command
db2profile on a UNIX or Linux system to set up the environment before you
start the following processes:
v WebSphere Application Server base product running on a Tivoli Identity
Manager single server
v WebSphere node agent running on a Tivoli Identity Manager cluster
2. If the Oracle database is used, ensure that both the Oracle database product
and the listener service are started. For more information, see “Starting the
Oracle product and the listener service” on page 23.
3. The CLASSPATH definition of the JDBC provider is set up during Tivoli
Identity Manager installation. Verify that the CLASSPATH value is correct.
Complete these steps:
a. Click Resources –> JDBC Providers –> ITIM DB2 JDBC Provider (XA).
b. Examine the properties to verify that the CLASSPATH value is correct. For
example, its value should be similar to the following path:
$ITIM_DB_JDBC_DRIVER_PATH/db2java.zip
To determine the value of $ITIM_DB_JDBC_DRIVER_PATH, click
Environment –> Manage WebSphere Variables. Select the node scope and
click Apply. Scroll the list to locate the variable.
4. Verify that the DB2 user ID and password are correct. Complete these steps:
a. Click Resources –> JDBC Providers –> ITIM DB2 JDBC Provider (XA) –>
Data Sources.
b. Examine these fields to verify the correct values:
v Component-managed Authentication Alias
The value should be itim-init.
v Container-managed Authentication Alias
The value should be itim-init.
c. In the J2C Authentication Data Entries for Related Items, examine the Alias
list to ensure that an itim-init entry exists.
1) Click itim-init.
2) Verify that the value of the user ID field is enrole. Do not change this
value.
3) Note the password field. If you use this field to reset the password,
ensure that the password value that you enter is identical to the value
defined in the ITIM_HOME/data/enRoleDatabase.properties file.
5. Ensure that other database settings are correct, such as specifying the TCP/IP
protocol, the local database alias, and cataloging the local database alias. For
more information, see Chapter 2, “Installing and configuring a database,” on
page 11.
Ensuring that the directory server is running
This section describes the steps to ensure that the installed directory server for
Tivoli Identity Manager is running.
IBM Tivoli Directory Server
To determine whether the IBM Tivoli Directory Server is running, complete these
steps:
v On Windows systems, click Start –> Administrative Tools –> Services. Scroll the
list of services to the directory server entry such as IBM Tivoli Directory Server.
Ensure that the directory server service is started.
v On UNIX systems, ensure that the ibmslapd process is running. Enter this
command:
ps -ef|grep ibmslapd
The ps (process) command searches for processes. The grep command selects the
processes that contain a string. The parameters in this example include:
-e Select all processes.
-f Display a full listing.
If the IBM Tivoli Directory Server is running, a process ID (PID) number is
returned. If a PID number is not returned, stop and start the server. For more
information, see Chapter 3, “Installing and configuring a directory server,” on
page 25.
v If the IBM Tivoli Directory Server is running, you must ensure that the IBM
Tivoli Directory Server is not in configuration mode. Enter this command:
ldapsearch -s base -b " " objectclass=* ibm-slapdisconfigurationmode
If the IBM Tivoli Directory Server is not in configuration mode, the value of the
ibm-slapdisconfigurationmode parameter is FALSE. The ldapsearch command
opens a connection to an LDAP server, binds, and performs a search. The -s
parameter specifies the scope of the search to be base, one, or sub, which
searches a base object, one level, or subtree. The -b parameter uses searchbase as
the starting point for the search, instead of the default.
If problems continue, examine the ibmslapd.log file for messages that indicate
whether the directory server is completely or partially started. The location of the
log file depends on the IBM Tivoli Directory Server version:
v UNIX:
– Version 5.2: LDAP_HOME/var/ibmslapd.log. On AIX, for example, the file is
in the usr/IBM/LDAP/var directory.
– Version 6.0: IDS_instance_HOME/etc/ibmslapd.log. On AIX, for example, the
file is in the usr/idsslapd-ldapdb2/etc directory.
v Windows:
– Version 5.2: LDAP_HOME\var\ibmslapd.log. For example, the file is in the
C:\IBM\LDAP\var directory.
– Version 6.0: IDS_instance_HOME\logs\ibmslapd.log. For example, the file is
in the C:\idsslapd-ldapdb2\logs directory.
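The two checks above (the ibmslapd process and the ibm-slapdisconfigurationmode attribute) as shell functions that parse the command output, added here as an example and not taken from the IBM guide. The ps and ldapsearch outputs embedded below are constructed samples, and the bracketed grep pattern '[i]bmslapd' is an addition that keeps grep from matching its own command line.

```shell
#!/bin/sh
# Added example, not from the IBM guide: parse the output of the two
# directory-server checks described above. The functions take the command
# output as a string, so the constructed samples below exercise them offline.

# Count ibmslapd processes in `ps -ef` output. The bracketed pattern
# '[i]bmslapd' does not match the grep command's own line (ps shows it as
# "grep [i]bmslapd"), so, unlike a plain "grep ibmslapd" that counts itself,
# a stopped directory server cannot look like a running one.
count_ibmslapd() {
    printf '%s\n' "$1" | grep -c '[i]bmslapd' || true
}

# Read ibm-slapdisconfigurationmode from ldapsearch output.
# Returns 0 when FALSE (normal mode), 1 when TRUE (configuration mode, in
# which the server does not serve Tivoli Identity Manager requests), and
# 2 when the attribute is absent (no answer, or the search returned nothing).
# Accepts both the "attr=value" and the LDIF "attr: value" output formats.
tds_config_mode() {
    mode=$(printf '%s\n' "$1" | tr 'A-Z' 'a-z' \
        | sed -n 's/^ibm-slapdisconfigurationmode[=:][ ]*//p' | head -n 1)
    case "$mode" in
        false) return 0 ;;
        true)  return 1 ;;
        *)     return 2 ;;
    esac
}

# Constructed sample output of: ps -ef | grep '[i]bmslapd'
PS_RUNNING='UID      PID  PPID  C STIME TTY      TIME CMD
ldapdb2  4321     1  0 08:00 ?    00:00:12 /opt/IBM/ldap/V6.0/sbin/ibmslapd -I ldapdb2
root     9876  9000  0 08:05 pts/0 00:00:00 grep [i]bmslapd'
PS_STOPPED='UID      PID  PPID  C STIME TTY      TIME CMD
root     9876  9000  0 08:05 pts/0 00:00:00 grep [i]bmslapd'

# Constructed sample output of:
# ldapsearch -s base -b " " objectclass=* ibm-slapdisconfigurationmode
LDAP_NORMAL='
ibm-slapdisconfigurationmode=FALSE'
LDAP_CONFIG='
ibm-slapdisconfigurationmode=TRUE'
LDAP_NO_ANSWER='ldap_simple_bind: Cannot contact LDAP server'

# Combined check: 0 when ibmslapd runs in normal mode, 1 otherwise.
check_directory_server() {
    if [ "$(count_ibmslapd "$1")" -gt 0 ]; then
        echo "ibmslapd is running"
    else
        echo "ibmslapd is not running: stop and start the directory server"
        return 1
    fi
    rc=0
    tds_config_mode "$2" || rc=$?
    case "$rc" in
        0) echo "directory server is in normal mode" ;;
        1) echo "directory server is in configuration mode"; return 1 ;;
        *) echo "could not read ibm-slapdisconfigurationmode"; return 1 ;;
    esac
}

# Stand-alone demonstration on the constructed samples
check_directory_server "$PS_RUNNING" "$LDAP_NORMAL"
```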
Sun ONE Directory Server
Determine whether the Sun ONE Directory Server process is running. On the
computer on which the directory server is installed, enter this command:
ps -ef|grep slapd
If Sun ONE Directory Server is running, a process ID (PID) number is returned. If
a PID number is not returned, start and stop the server. For more information on
start and stop procedures, refer to this Web site:
http://www.sun.com/software/products/directory_srvr_ee/index.html
All requests are locked in running state
If all requests in the system seem to be stuck in the running state, the connection
between the Tivoli Identity Manager Server and the directory server might have
been lost or become corrupt. Check the server log such as
Tivoli_Common_Directory/msg.log and look for any errors. In particular, look for the
SERVER_NOT_AVAILABLE error.
Stop and start the directory server, and then stop and start the Tivoli Identity
Manager Server.
Ensuring that the HTTP server is running
The HTTP server receives Tivoli Identity Manager requests and routes them to a
Tivoli Identity Manager Server in either a single-server or cluster environment. You
must determine that the HTTP server is running and also that the default virtual
host of the WebSphere Application Server has the correct host alias, which is a
combination of the host name and port number that are defined as a pair.
For test purposes only, you can use the HTTP transport that is embedded in the
WebSphere Application Server as the Web server. In production, use an HTTP
server such as the IBM HTTP Server. The HTTP server may be on the same
computer as the Tivoli Identity Manager Server or on another computer. For more
information, see “Moving the HTTP server out of the cell for additional security”
on page 45.
Using the embedded HTTP transport, for test purposes only
In a single-server configuration, for test purposes only, you can use the HTTP
transport that is embedded in the WebSphere Application Server to log on to Tivoli
Identity Manager. Ensure that you can log on to Tivoli Identity Manager using the
embedded HTTP transport first, before attempting to log on using the
production-level HTTP server, such as the IBM HTTP Server.
To log on to Tivoli Identity Manager using the embedded HTTP transport, enter
this command:
http://WebSphere_hostname:transport_portnumber/enrole
The default port number for the HTTP transport port 1 is 9080. If you have
multiple instances of the WebSphere Application Server on the same computer, the
port number may be a different value, such as 9081.
Determining that the HTTP server is running
In a production environment, complete these steps to determine that the
production-level HTTP server, such as the IBM HTTP Server, is running:
1. To ensure that the server process is running, complete these steps:
v Windows
On Windows systems, click Start –> Administrative Tools –> Services. Scroll
the list of services to the HTTP server entry.
v UNIX
Enter this command:
ps -ef|grep http|grep
You should observe that HTTP processes are running.
2. If you do not see a message indicating that IBM HTTP Server is running, start
the server. Enter the following command on the computer on which the HTTP
server resides:
v Windows
net start "IBM HTTP Server version"
v UNIX
HTTP_HOME/bin/apachectl start
3. Ensure that the IBM HTTP Server is started by entering this Web address on a
browser:
http://http_server_hostname
The value of http_server_hostname is the host name on which the IBM HTTP
Server resides. If you cannot access the home page of the IBM HTTP Server, the
IBM HTTP Server is either not started, or is not listening on port 80.
4. If you cannot display the home page of the HTTP server after starting the IBM
HTTP Server, examine the status of the server on port 80. Enter the following
command on the computer on which the HTTP server resides:
v Windows
netstat -a | find "80"
v UNIX
netstat -a | grep 80
The -a option displays all connections and listening ports.
If port 80 is not in a listening state, examine the HTTP_HOME/conf/httpd.conf
file for either the port 80 or the listen 80 statement:
If you see a statement such as port 81 or listen 81, change the port value in
the statement to 80. Restart the WebSphere Application Server and then restart
the IBM HTTP Server. Determine whether port 80 is now in a listening state.
If port 80 is in use by another Web server, stop that server and start the IBM
HTTP Server.
Ensuring that WebSphere embedded messaging is running
The JMS server runs either as the embedded Java Virtual Machine (JVM) in the
WebSphere Application Server base product or as its own dedicated JVM
(jmsserver) that is created as part of adding a node to a cell. In either case, Tivoli
Identity Manager uses the queue-based messaging system which is running as
native WebSphere MQ processes.
Ensuring that the JMS server is running in a single-server
configuration
The WebSphere MQ queue manager should be running when the JMS server is
running. To determine whether the queue manager is running, enter this
command:
dspmq
The dspmq command displays the status of the queue manager. For example:
QMNAME(WAS_nodename_servername) STATUS(Running)
The value of nodename is the WebSphere Application Server node name defined
during WebSphere Application Server installation. The servername parameter is
usually a value such as server1.
If the queue manager is not running, enter this command to start the processes:
strmqm WAS_nodename_servername
The value of nodename is the WebSphere Application Server node name defined
during WebSphere Application Server installation. The servername parameter is
usually a value such as server1.
Determining if the JMS server is running on a cluster node
To determine whether the JMS server is running on a cluster node, complete these
steps:
1. On the WebSphere administrative console, click Servers –> JMS Servers.
2. Select the target JMS server and examine the status column for the server.
If WebSphere embedded messaging is not running, complete these steps:
1. Select the target JMS server.
2. Click Start.
Ensuring that the WebSphere Application Server is running
In a single server configuration, the WebSphere Application Server, such as server1,
should be running. This is the WebSphere Application Server on which the Tivoli
Identity Manager application is deployed. In a cluster, both the deployment
manager and the node agents should be running.
To determine whether the WebSphere Application Server is running, enter this
command:
v Windows
path\bin\serverStatus.bat -all
v UNIX
path/bin/serverStatus.sh -all
The value of path is WAS_HOME for a single-server configuration or a cluster
member. The value of path is WAS_NDM_HOME for the deployment manager. In a
cluster configuration, you must check both the deployment manager and each
cluster member.
These processes should be running:
v For the WebSphere Application Server base product, a server such as server1,
should be running. This is the WebSphere Application Server on which the
Tivoli Identity Manager application is deployed.
v Cluster member: The node agent should be running before you install the Tivoli
Identity Manager Server. After you install the Tivoli Identity Manager Server, the
node agent, the JMS server, and the cluster member node should be running.
v Deployment manager: The dmgr process should be running.
If you do not find the process running, complete these steps to start the server:
v Single-server configuration
– Windows
WAS_HOME\bin\startServer.bat servername
For example, the value of servername is server1.
– UNIX
WAS_HOME/bin/startServer.sh servername
v Cluster configuration
– Deployment manager and node agent, see “Verifying that the deployment
manager, node agents, and JMS servers are running” on page 38.
– Cluster member, see “Starting a cluster” on page 72.
Additionally, examine the log files in the WAS_HOME/logs/servername directory for
entries that indicate the startup status of the server. For example, the value of
servername is server1.
Checking the Web browser operation
This section describes potential problems associated with the Web browser.
Ensuring that the browser registers the Java Plug-in
Tivoli Identity Manager workflow, policy, or form designer uses applets that
require the Java plug-in, provided by the Java 2 Runtime Environment, Standard
Edition (JRE). The Java plug-in provides a connection between browsers and the
Java platform, and enables applets to run within a browser. For more information
on the version of the Java plug-in that Tivoli Identity Manager supports, refer to
the IBM Tivoli Identity Manager Release Notes.
If the Java plug-in is not installed on your system, or is not at a supported level,
the browser prompts you to install the plug-in. For more information on these
steps, refer to the IBM Tivoli Identity Manager Information Center.
Microsoft Internet Explorer: Enabling active scripting
For Microsoft Internet Explorer, ensure that the Active Scripting item is enabled in
the Scripting section of the browser. Complete these steps:
1. Click Tools –> Internet Options on the main menu.
2. On the Security tab, click the Internet icon and click the Custom Level button.
3. Click the Scripting –> Active Scripting list items and click Enable.
Using a supported browser
You may not be able to log on to Tivoli Identity Manager for a variety of reasons.
For example, you might be using an unsupported Web browser. For a list of
supported browsers, refer to the IBM Tivoli Identity Manager Release Notes.
Selecting a language default for a Web browser
If you log on using the single sign-on capability and need to select a language,
append /language to the Web site address. For example, enter:
https://mysite.myco.com/enrole/language
Avoiding two Web browser sessions on the same computer
Do not start two separate browser sessions from the same client computer. The two
sessions share one session ID, which causes problems with data.
Troubleshooting the Tivoli Identity Manager startup
To verify that the Tivoli Identity Manager Server is running, complete these steps:
1. On the WebSphere administrative console, click Applications –> Enterprise
Applications –> enRole.
2. If the Tivoli Identity Manager Server is not running, select the application and
click Start.
If the Tivoli Identity Manager Server does not start, examine the following log
files:
v WAS_HOME/logs/servername/SystemOut.log
The value of servername is usually server1.
v Tivoli_Common_Directory/logs/trace.log
In this directory, also examine the msg.log file. Installing Tivoli Identity Manager
Server defines the value of Tivoli_Common_Directory.
Verifying a logon using the embedded HTTP transport in a
single-server configuration
To verify that you can log on to Tivoli Identity Manager using the WebSphere
embedded HTTP transport in a single-server configuration, enter this command:
http://hostname:9080/enrole
The value of hostname is the fully qualified name or IP address of the computer on
which the Tivoli Identity Manager Server is running. The port number default is
9080. If you have multiple instances of the WebSphere Application Server on the
same computer, the port number may be a different value, such as 9081.
The browser displays the Tivoli Identity Manager logon window. Enter the Tivoli
Identity Manager Server administrator user ID ("itim manager") and password
(immediately after installation, the value is "secret").
Verifying a logon using the HTTP server
To log on to Tivoli Identity Manager using the HTTP server, enter this Web address:
http://http_server_hostname/enrole
If you cannot log on, complete these steps:
v Determine whether the correct HTTP server is running.
Multiple levels of HTTP servers can co-exist on the same computer. Ensure that
the HTTP server is running that is associated with the WebSphere Application
Server in a single-server configuration, or with the deployment manager in a
cluster configuration. For more information, see Chapter 4, “Installing and
configuring WebSphere Application Server,” on page 33.
v If the IBM HTTP Server is already started, but you cannot access the Tivoli
Identity Manager logon window, complete these steps:
– Examine the IBM HTTP Server error.log and access.log files to ensure that the
Tivoli Identity Manager logon request was received. If the request was
received, ensure that the WebSphere Web Server plug-in is installed on the
Web server computer. Also ensure that the WebSphere Web Server plug-in
library and the WebSphere plugin-cfg.xml file are referenced correctly in the
HTTP_HOME/conf/httpd.conf file. The file should contain the following
statements:
# WebSphere plugin settings
LoadModule ibm_app_server_http_module full_path/mod_ibm_app_server_http.*
WebSpherePluginConfig full_path/plugin-cfg.xml
This example assumes that the IBM HTTP Server and the WebSphere
Application Server are on the same computer. For example, this statement on
one line specifies a WebSphere Web Server plug-in for a Windows
environment in a clustered configuration:
LoadModule ibm_app_server_http_module "C:\Program Files\WebSphere\AppServer/bin/mod_ibm_app_server_http.dll"
Additionally, this statement on one line specifies the plugin-cfg.xml file:
WebSpherePluginConfig "C:\Program Files\WebSphere\AppServer/config/cells/plugin-cfg.xml"
On the deployment manager, this statement on one line specifies the
plugin-cfg.xml file:
WebSpherePluginConfig "C:\Program Files\WebSphere\DeploymentManager/config/cells/plugin-cfg.xml"
– Examine the error.log and access.log log files in the HTTP_HOME/logs
directory for additional information.
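A static check of httpd.conf for the port 80 statement (from "Determining that the HTTP server is running" above) and for the WebSphere plug-in statements just shown, added here as an example and not part of the IBM guide. The three httpd.conf fragments it writes to a temporary directory are constructed samples, including one with the quoted Windows-style paths shown above.

```shell
#!/bin/sh
# Added example, not from the IBM guide: static checks of an IBM HTTP Server
# httpd.conf for the Listen/Port statement and the WebSphere plug-in
# statements discussed above. The conf files used below are constructed samples.

# Print the port from the first active Listen or Port directive.
# "Listen 80", "Listen *:80" and "Listen 10.0.0.5:80" all yield 80;
# commented-out directives (#Listen 80) are ignored. Prints nothing if
# neither directive is present.
httpd_listen_port() {
    awk '$1 == "Listen" || $1 == "Port" { sub(/.*:/, "", $2); print $2; exit }' "$1"
}

# Return 0 when the server is configured for port 80, 1 otherwise.
httpd_listens_on_80() {
    port=$(httpd_listen_port "$1")
    if [ "$port" = 80 ]; then
        echo "ok: $1 configures port 80"
        return 0
    fi
    echo "problem: $1 has Listen/Port '${port:-missing}', expected 80" >&2
    return 1
}

# Print the plugin-cfg.xml path named by WebSpherePluginConfig, provided that
# the ibm_app_server_http_module LoadModule statement is active. Quoted paths
# containing spaces are handled. Return 1 when either statement is missing
# or commented out, or when the path does not name plugin-cfg.xml.
httpd_plugin_config() {
    if ! awk '$1 == "LoadModule" && $2 == "ibm_app_server_http_module" { found = 1 }
              END { exit !found }' "$1"; then
        echo "problem: LoadModule ibm_app_server_http_module is not active in $1" >&2
        return 1
    fi
    cfg=$(awk '$1 == "WebSpherePluginConfig" {
                   $1 = ""; sub(/^ +/, ""); gsub(/"/, ""); print; exit }' "$1")
    case "$cfg" in
        "")
            echo "problem: WebSpherePluginConfig statement missing in $1" >&2
            return 1 ;;
        *plugin-cfg.xml)
            printf '%s\n' "$cfg"
            return 0 ;;
        *)
            echo "problem: WebSpherePluginConfig does not name plugin-cfg.xml: $cfg" >&2
            return 1 ;;
    esac
}

# Run both checks over one file; status 0 only when both pass.
check_httpd_conf() {
    httpd_listens_on_80 "$1" && httpd_plugin_config "$1"
}

# Constructed sample httpd.conf fragments
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

cat > "$TMP/good.conf" <<'EOF'
ServerRoot "/opt/IBMHttpServer"
Listen 80
# WebSphere plugin settings
LoadModule ibm_app_server_http_module /opt/WebSphere/AppServer/bin/mod_ibm_app_server_http.so
WebSpherePluginConfig /opt/WebSphere/AppServer/config/cells/plugin-cfg.xml
EOF

# Deployment manager on Windows: quoted paths containing spaces
cat > "$TMP/win.conf" <<'EOF'
Listen *:80
LoadModule ibm_app_server_http_module "C:\Program Files\WebSphere\AppServer/bin/mod_ibm_app_server_http.dll"
WebSpherePluginConfig "C:\Program Files\WebSphere\DeploymentManager/config/cells/plugin-cfg.xml"
EOF

# The failure cases the text describes: wrong port, plug-in module commented out
cat > "$TMP/bad.conf" <<'EOF'
#Listen 80
Listen 81
#LoadModule ibm_app_server_http_module /opt/WebSphere/AppServer/bin/mod_ibm_app_server_http.so
WebSpherePluginConfig /opt/WebSphere/AppServer/config/cells/plugin-cfg.xml
EOF

# Stand-alone demonstration on the good sample
check_httpd_conf "$TMP/good.conf"
```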
Verifying the host alias definition on the WebSphere default host
If the IBM HTTP Server is already started and the settings in the
HTTP_HOME/conf/httpd.conf file are correct, but you still cannot access the Tivoli
Identity Manager logon window, complete these steps:
v Ensure that the mapping of port 80 is specified for the WebSphere default virtual
host.
The Tivoli Identity Manager Server is associated with the WebSphere default
virtual host, which defines host aliases that are pairs of host names and port
numbers.
Only the requests from those host aliases are processed by the servlets and JSPs
of the Tivoli Identity Manager Server. The Tivoli Identity Manager requests are
associated to the default HTTP port 80.
To ensure that port 80 is defined on the host alias of the WebSphere default
virtual host, complete these steps:
1. Using the WebSphere administrative console, click Environment –> Virtual
Hosts –> Default Host –> Host Aliases.
2. Ensure that a value of *:80 is one of the host aliases.
3. If you find a value of *:81 as the host alias, change the value to *:80.
4. Save the configuration. In a cluster configuration, propagate the change by
selecting Synch Changes with Nodes.
5. Click Update Web Server Plugin, and then click OK.
6. Restart the WebSphere environment:
– Single server: Restart the WebSphere Application Server.
– Cluster: Restart the Tivoli Identity Manager cluster.
v If you still cannot log on, examine the Tivoli Identity Manager log and trace files
in the Tivoli Common Directory. For more information on this directory’s
location, see “Definitions for HOME and other directory variables” on page xii.
Contact IBM Support for the problem that you locate in the log or trace files.
Solving additional logon problems
Complete these steps if you encounter additional logon problems:
v Examine the WAS_HOME/logs/itim_server_hostname/SystemOut.log file to
determine whether the request was sent to the WebSphere Application Server. If
the SystemOut.log file contains a DBLink exception and DB2 Universal Database
is the database, ensure that you sourced the DB2 profile.
v If continued attempts fail to log on to Tivoli Identity Manager, determine
whether the SystemOut.log file contains errors about referencing Tivoli Identity
Manager properties files.
Ensure that the ITIM_HOME/data directory contains the properties files.
Additionally, ensure that the WebSphere Application Server also references the
ITIM_HOME/data directory. Complete these steps.
1. On the WebSphere administrative console, click Servers –> Application
Servers.
2. Select a server such as server1 and search for the Process Definition entry.
3. In the Process Definition, select Java Virtual Machine.
4. Ensure that the Classpath field specifies the ITIM_HOME/data directory.
v If the HTTP_HOME/logs/activity.log file indicates that no Tivoli Identity
Manager logon requests arrived, and you have tried the previous steps, reboot
the operating system. Attempt to log on again.
Logs and directories
When the system configuration is complete, note the following log locations:
Table 7. Install log file names and directories

File names                                  Directory
------------------------------------------  --------------------------------------------
dbConfig.stdout                             ITIM_HOME/install_logs
ldapConfig.stdout
itim_installer_debug.txt
runConfig.stdout (on cluster member)
runConfigTmp.stdout (on single server
  and deployment manager)
setupEnrole.stdout
StartStopWas.stdout (on single server)

itim_install.stdout                         system root
itim_install.stderr

Tivoli_Identity_Manager_InstallLog.log      If installation completes successfully, the
                                            log file is in the ITIM_HOME directory.
                                            If installation fails, the log file is in the
                                            following location:
                                            v Windows: On the desktop
                                            v UNIX: System root

SystemOut.log                               v Single-server: WAS_HOME/logs/servername/
SystemErr.log                               v Cluster member: WAS_HOME/logs/servername/
                                            v Network deployment manager:
                                              NDM_WAS_HOME/logs/dmgrname/
                                            For more information on WebSphere
                                            Application Server log files, refer to the
                                            WebSphere Application Server documentation.

trace.log                                   Tivoli_Common_Directory/logs/
msg.log                                     The Tivoli Common Directory is the central
                                            location for all serviceability-related
                                            files, such as logs and first-failure
                                            capture data.
For more information on using IBM Logging Toolkit for Java (JLog) for logging
and alerting, refer to the IBM Tivoli Identity Manager Problem Determination Guide.
For recommendations on avoiding log file and disk space problems, refer to the
IBM Tivoli Identity Manager Performance Tuning Guide technical supplement.
Standard Tivoli Identity Manager logging properties are located in the
enRoleLogging.properties file. For more information, refer to the IBM Tivoli Identity
Manager Information Center.
Chapter 9. Uninstalling the Tivoli Identity Manager Server
Uninstalling Tivoli Identity Manager uses the Tivoli Identity Manager installation
program to perform the following tasks:
v Removes all files in the ITIM_HOME directory that the Tivoli Identity Manager
installation program created, including certificates in the ITIM_HOME/cert
directory.
v Clears all configuration settings that were created for the Tivoli Identity
Manager Server on the WebSphere Application Server.
v Removes the Tivoli Identity Manager Server that was deployed on these
computers:
– Single server configuration: Computer that has the WebSphere Application
Server.
– Cluster configuration: Computer that has the deployment manager.
In a cluster configuration, uninstalling the Tivoli Identity Manager Server
from the deployment manager removes the availability of the Tivoli Identity
Manager Server to the cluster. The deployed Tivoli Identity Manager
application files are automatically removed from Tivoli Identity Manager
cluster members.
What is not removed
Uninstalling the Tivoli Identity Manager Server does not modify existing database
tables or the directory server schema. The Tivoli Identity Manager log files are not
removed.
For more information on manually removing the database tables, directory server
schema, and log files, see “Manually removing components” on page 106.
Before you begin
Before you uninstall the Tivoli Identity Manager Server, complete these tasks:
v Single server configuration
– Back up any certificates in the ITIM_HOME/cert directory.
– Ensure that the WebSphere Application Server is running.
v Cluster configuration
– Back up any certificates in the ITIM_HOME/cert directory.
– If you are uninstalling the Tivoli Identity Manager Server from a cluster
configuration, ensure that the node agents are running and that the
deployment manager is also running.
Steps to uninstall the Tivoli Identity Manager Server
To uninstall the Tivoli Identity Manager Server, complete these steps:
1. Uninstall the Tivoli Identity Manager Server using this command:
ITIM_HOME/itimUninstallerData/Uninstall_ITIM
v Single server configuration
Run the command on the computer on which the Tivoli Identity Manager Server
is installed.
v Cluster configuration
Run the command on each cluster member first, and then run the command
on the computer on which the deployment manager is installed.
2. Complete the uninstallation wizard panels and confirm that you want to
uninstall the Tivoli Identity Manager Server.
Verifying that the Tivoli Identity Manager Server is uninstalled
To verify that the Tivoli Identity Manager Server has been uninstalled and
removed as an application from the WebSphere Application Server, complete these
steps:
1. Examine the ITIM_HOME directory and remove any residual Tivoli Identity
Manager directories, configuration files, and log files.
2. Launch the WebSphere administrative console and log in.
3. From the navigation tree, navigate to the target node, and click the Enterprise
Applications link.
A list is displayed of the enterprise applications that are installed on the
application server.
If you see an application named enRole listed, the uninstallation process was
unable to automatically remove the Tivoli Identity Manager Server from the
WebSphere Application Server. You can remove the application manually. For
more information, see “Manually removing the Tivoli Identity Manager Server
from the WebSphere Application Server.”
Manually removing components
This section describes manually removing components that are not removed by the
uninstallation process.
Manually removing the Tivoli Identity Manager Server from the
WebSphere Application Server
To uninstall the Tivoli Identity Manager Server in a single server or a cluster
configuration, complete these tasks:
1. On the WebSphere administrative console, take these steps:
a. Select the enRole application.
b. Click Stop.
c. When the enRole application stops, select the enRole application again.
d. Click Uninstall.
2. Manually ensure that the enRole.ear directory is completely removed. Take
these steps:
a. Open the applications directory:
v Single server and each cluster member
WAS_HOME/AppServer/config/cells/cellname/applications
v Deployment manager
WAS_NDM_HOME/AppServer/config/cells/cellname/applications
b. If the enRole.ear directory exists, remove the directory.
Manually removing other files or directories
Examine the ITIM_HOME directory and remove any residual Tivoli Identity
Manager directories, configuration files, and log files.
Ensuring that Tivoli Identity Manager objects are removed
from the Sun ONE Directory Server
Before you re-install Tivoli Identity Manager, ensure that any previous Tivoli
Identity Manager schema objects, object classes, and other attributes are removed
from the Sun ONE Directory Server. Complete these tasks:
1. Start the Sun ONE Directory Server administration console.
2. On the Configuration tab, remove the Tivoli Identity Manager suffix.
3. On the Directory tab, complete these tasks:
a. Remove the Tivoli Identity Manager domain.
b. Click Config –> Plugins. Then, open the properties for the referential
integrity postoperation entry and delete all attributes that begin with the
characters er.
4. Stop the directory server.
5. Open the ldapServerInstance/config/schema/99user.ldif file. Then, remove all
Tivoli Identity Manager object classes and attribute types that begin with the
characters er.
6. Start the directory server.
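Step 5 is easy to get wrong by hand in a long 99user.ldif, because each definition can be folded across several lines. The following Python is an added example for this guide (not an IBM tool) that unfolds the file, drops every attributeTypes: or objectClasses: definition whose NAME begins with er, and reports what it removed; the schema fragment it embeds is constructed, with placeholder OIDs and names.

```python
"""Filter Tivoli Identity Manager definitions out of a Sun ONE 99user.ldif.

Added example for this guide; it is not part of the IBM product. It assumes
the schema file is an LDIF entry whose attributeTypes: and objectClasses:
values use RFC 2252 syntax, with long values folded onto continuation lines
that begin with a single space.
"""
import re
from typing import List, Optional, Tuple

# NAME 'erFoo'  or  NAME ( 'erFoo' 'erBar' ): capture the first name given.
NAME_RE = re.compile(r"NAME\s+(?:'([^']*)'|\(\s*'([^']*)')")


def unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (leading space) onto the line before."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def definition_name(line: str) -> Optional[str]:
    """First NAME of an attributeTypes:/objectClasses: line, else None."""
    if not line.startswith(("attributeTypes:", "objectClasses:")):
        return None
    m = NAME_RE.search(line)
    return (m.group(1) or m.group(2)) if m else None


def strip_itim_schema(text: str, prefix: str = "er") -> Tuple[str, List[str]]:
    """Return (filtered LDIF, removed names) with prefix* definitions dropped.

    The match is case-sensitive on purpose: Tivoli Identity Manager names
    start with lower-case 'er', and a site-defined name such as 'ERPCode'
    must not be swept away with them.
    """
    kept: List[str] = []
    removed: List[str] = []
    for line in unfold(text):
        name = definition_name(line)
        if name is not None and name.startswith(prefix):
            removed.append(name)
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed


# Constructed sample: not a real 99user.ldif; OIDs and names are placeholders.
SAMPLE_99USER = """\
dn: cn=schema
attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'erSampleID' DESC 'constructed'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.99999.1.2 NAME 'siteBadgeNumber'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
objectClasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'erSampleItem' SUP top STRUCTURAL
  MUST ( cn $ erSampleID ) )
objectClasses: ( 1.3.6.1.4.1.99999.2.2 NAME ( 'siteEmployee' 'siteStaff' )
  SUP top AUXILIARY MAY siteBadgeNumber )
"""

if __name__ == "__main__":
    cleaned, gone = strip_itim_schema(SAMPLE_99USER)
    print("removed:", gone)
    print(cleaned)
```

Run it against a copy of ldapServerInstance/config/schema/99user.ldif and review the removed list before replacing the file, with the directory server stopped as step 4 requires.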
Appendix A. Installation images and fix packs
This section itemizes the installation images, and provides a Web address for the
product fix packs.
Installation images
The base CD for each operating system contains a list of the installation files that
Tivoli Identity Manager provides.
Locate the installation image file that is appropriate for your operating system:
v itim-4.6-cd-images-linux.txt
v itim-4.6-cd-images-aix.txt
v itim-4.6-cd-images-sun.txt
v itim-4.6-cd-images-windows.txt
For example, to locate all the files provided for the Tivoli Identity Manager
installation on the AIX operating system, open the itim-4.6-cd-images-aix.txt file on
the AIX base CD.
For more information on all supported platforms and their prerequisite
applications, refer to the IBM Tivoli Identity Manager Release Notes.
Verifying the fix pack level
Verify that the WebSphere Application Server Fix Pack is at the correct level. Enter
one of these commands:
v Windows:
– Single server or cluster member
WAS_HOME\bin\versionInfo.bat
– Deployment manager
WAS_NDM_HOME\bin\versionInfo.bat
v UNIX:
– Single server or cluster member
WAS_HOME/bin/versionInfo.sh
– Deployment manager
WAS_NDM_HOME/bin/versionInfo.sh
For example, the version is similar to the following output:
v WebSphere Application Server base
Installed Product
-----------------------------------------------
Name IBM WebSphere Application Server
Version 5.1.1.3
ID BASE
v Deployment manager
Installed Product
-----------------------------------------------
Name IBM WebSphere Application Server for Network Deployment
Version 5.1.1.3
ID ND
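To make that check repeatable across many nodes, here is an added Python example (not an IBM tool) that parses the versionInfo report shown above and compares each product's level numerically against 5.1.1.3; the report it embeds is constructed, and the path to versionInfo.sh or versionInfo.bat is an optional argument.

```python
"""Check versionInfo output against the WebSphere level this guide requires.

Added example for this guide; it is not an IBM tool. It assumes the
plain-text report that WAS_HOME/bin/versionInfo.sh (or .bat) prints, as
shown above: one "Installed Product" block per product with Name, Version
and ID lines.
"""
import re
import subprocess
import sys
from typing import Dict, List, Optional, Tuple

REQUIRED_LEVEL = "5.1.1.3"  # level the guide requires for both BASE and ND

FIELD_RE = re.compile(r"^(Name|Version|ID)\s+(.+?)\s*$")


def parse_version_info(report: str) -> List[Dict[str, str]]:
    """Return one {Name, Version, ID} dict per 'Installed Product' block."""
    products: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in report.splitlines():
        if line.strip() == "Installed Product":
            current = {}
            products.append(current)
            continue
        m = FIELD_RE.match(line.strip())
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return products


def version_tuple(version: str) -> Tuple[int, ...]:
    """'5.1.1.3' -> (5, 1, 1, 3): compare numerically, never as strings."""
    return tuple(int(part) for part in version.split("."))


def check_fix_pack(report: str, required: str = REQUIRED_LEVEL) -> Dict[str, bool]:
    """Map each product ID (BASE, ND, ...) to whether it is at least `required`."""
    result: Dict[str, bool] = {}
    for product in parse_version_info(report):
        if "ID" in product and "Version" in product:
            result[product["ID"]] = (
                version_tuple(product["Version"]) >= version_tuple(required)
            )
    return result


# Constructed sample report; the ND level is deliberately one cumulative fix short.
SAMPLE_REPORT = """\
Installed Product
-----------------------------------------------
Name IBM WebSphere Application Server
Version 5.1.1.3
ID BASE

Installed Product
-----------------------------------------------
Name IBM WebSphere Application Server for Network Deployment
Version 5.1.1.0
ID ND
"""

if __name__ == "__main__":
    # Pass the path of versionInfo.sh/.bat to check a live server; with no
    # argument the constructed sample is checked instead.
    if len(sys.argv) > 1:
        report = subprocess.run([sys.argv[1]], capture_output=True, text=True).stdout
    else:
        report = SAMPLE_REPORT
    for product_id, ok in check_fix_pack(report).items():
        print(f"{product_id}: {'OK' if ok else 'below ' + REQUIRED_LEVEL}")
```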
Obtaining fix packs
A fix pack file for Tivoli Identity Manager has a name similar to the following:
4.6.0-TIV-TIM-platform-WAS-000n.zip
where platform is a value such as AIX and n is an integer such as 1.
Tivoli Identity Manager fixes are available at this Web site:
http://www-1.ibm.com/support/dlsearch.wss?rs=644&q=&tc=SSTFWV&dc=D420&loc=en_US&cs=utf-8&lang=en&sort=desc&rankfile=8&p=1
For more information on registering your personal IBM online ID and alternatives
in obtaining fix packs, see “Obtaining fixes” on page 142.
Appendix B. Worksheets
Complete these worksheets before you install Tivoli Identity Manager and its
prerequisites.
Tivoli Identity Manager information for the database
This table shows the required information for the database product:
Each entry lists the field name, its description, and the default or example
value; record your own value on the Your value line.

Administrator ID
  Description: The administrator user ID (the db2InstanceName as database
  instance owner) that you created when you installed the database. For more
  information, see “Configuring the DB2 server” on page 13.
  Default for DB2 UDB: db2admin (Windows), db2inst1 (UNIX)
  Default for Oracle: sys, sysmanager
  Your value:

Administrator Password
  Description: The password for the administrator user ID.
  Your value:

Database Name
  Description: The database name that Tivoli Identity Manager uses to store
  its data. If the database is installed locally, the database name is the
  name of the database. If the database is installed remotely, the database
  name is the local alias name of the remote database. For more information
  on the remote database, see “Configuring the DB2 JDBC driver” on page 16.
  Example: itimdb
  Your value:

Database Type
  Description: The type of database that is used for the Tivoli Identity
  Manager database.
  Example: DB2 UDB
  Your value:

user ID
  Description: The account that Tivoli Identity Manager uses to log in to the
  database. For more information, see “Creating a user on Windows and UNIX
  systems” on page 14.
  Required value: enrole (this value is pre-defined and cannot be changed)

user ID password
  Description: The password for the enrole user ID.
  Your value:

IP Address
  Description: The IP address of the database server. This value is required
  for Oracle and SQL Server 2000 only, not for DB2 UDB.
  Example: 9.67.5.10
  Your value:

Port Number
  Description: The port number of the database server. This value is required
  for Oracle and SQL Server 2000 only, not for DB2 UDB.
  Oracle default: 1521
  SQL Server 2000 default: 1433
  Your value:

JDBC driver
  Description: Connects a Java-based application to a database.
  Oracle example: ojdbc14.jar
  Your value:
Additionally, the installation program uses the following database pool
information. The database pool information determines the number of JDBC
connections that the Tivoli Identity Manager Server can open to the database.
Evaluate the following values in relation to your site needs:
Each entry lists the field name, its description, and the default value;
record your own value on the Your value line.

Initial Capacity
  Description: The initial number of JDBC connections that Tivoli Identity
  Manager Server can open to the database.
  Default: 5
  Your value:

Maximum Capacity
  Description: The maximum number of JDBC connections that Tivoli Identity
  Manager Server can open to the database at any one time.
  Default: 50
  Your value:

Login Delay Seconds
  Description: The time, in seconds, between connections.
  Default: 1
  Your value:
Tivoli Identity Manager information for the directory server
Collect the following information for the directory server:
Each entry lists the field name, its description, and the default or example
value; record your own value on the Your value line.

Host name
  Description: The fully qualified host name of the directory server.
  Example: ldap.lab.domain.com
  Your value:

Identity Manager DN Location
  Description: The value of the Identity Manager DN Location field is the
  root suffix for Tivoli Identity Manager. The value that you enter in the
  field must match the suffix (for example, dc=com) that you created when you
  configured the directory server. For more information, see Chapter 3,
  “Installing and configuring a directory server,” on page 25.
  Example: dc=com
  Your value:

Name of your organization
  Description: The formal name of your company. This value is displayed in
  the organization chart on many of the Tivoli Identity Manager windows. You
  can enter either single-byte character set (ASCII) characters or
  double-byte character set (DBCS) characters in this field.
  Example: IBM Corporation
  Your value:

Default Org Short Name
  Description: The abbreviation for your company name. This value is used
  internally in the IBM Tivoli Directory Server to represent your
  organization. Enter only single-byte character set (ASCII) characters in
  this field, such as an identifier in English.
  Example: ibmcorp
  Your value:

Number of hash buckets
  Description: The quantity of data buckets. Data buckets are used to
  allocate data items for sorting or lookup purposes.
  Default: 1 (ou=0). Do not modify this value.

Port
  Description: The port on which the directory server is listening.
  Example: 389
  Your value:

Principal DN
  Description: The user ID that represents the principal distinguished name.
  Example: cn=root
  Your value:

Principal DN Password
  Description: The password of the user ID that represents the principal
  distinguished name.
  Example: secret
  Your value:
The installation program reports the following LDAP Connection Pool Information
fields for a pool of LDAP connections accessible by Tivoli Identity Manager Server.
To determine values appropriate for your configuration, refer to the technical
supplement IBM Tivoli Identity Manager Performance Tuning Guide.
Each entry lists the field name, its description, and the default value;
record your own value on the Your value line.

Max. pool size
  Description: The maximum number of connections that the LDAP connection
  pool can have at any time.
  Default: 100
  Your value:

Initial pool size
  Description: The initial number of connections that were created for the
  LDAP connection pool.
  Default: 50
  Your value:

Increment count
  Description: The number of connections that are added to the LDAP
  connection pool every time a connection is requested, after all
  connections are in use.
  Default: 3
  Your value:
Tivoli Identity Manager information
Note the following information for Tivoli Identity Manager:
Each entry lists the field name, its description, and the default or example
value; record your own value on the Your value line.

Encryption key
  Description: Used to encrypt Tivoli Identity Manager passwords and other
  sensitive text.
  Example: sunshine
  Your value:

Encryption (checkbox)
  Description: On the System Configuration Security tab, encrypts the
  password of the database, LDAP, and WebSphere Application Server
  administrator user ID in the Tivoli Identity Manager property files.
  Default: Not checked
  Your value:

Logging level
  Description: Determines how verbose the logs are when you trace system
  errors. Select how detailed the log file is by choosing a value between
  MIN and MAX. The more severe the logging level, the better the performance
  of the system because less information is written to the log file.
  Default: MIN
  Your value:

Mail server name
  Description: The name of the SMTP mail server. Enter the host name of the
  SMTP host that is the mail gateway.
  Example: smtp.site.com
  Your value:

User ID
  Description: The Tivoli Identity Manager Administrator user ID. The value
  is pre-defined.
  Default: itim manager

Password
  Description: The password for the Tivoli Identity Manager administrator
  user ID. You are required to change the password the first time that you
  log on after installing the Tivoli Identity Manager Server.
  Default: secret
  Your value:

System User
  Description: The WebSphere Application Server administrator user ID. This
  value is required only if WebSphere global security is enabled. For more
  information, see “Optionally configuring security for Tivoli Identity
  Manager” on page 40.
  Default: wasadmin
  Your value:

System User Password
  Description: The password for the WebSphere Application Server user ID.
  Your value:

EJB User
  Description: The EJB User is authorized to call all EJB methods in both
  privileged and unprivileged layers of the Tivoli Identity Manager
  application. Define the EJB User ID prior to starting installation. If
  this field is pre-filled when it appears, the field might contain the value
  of wasadmin. Change the field to the value of itimadmin. This value is
  required only if WebSphere global security is enabled. For more
  information, see “Optionally configuring security for Tivoli Identity
  Manager” on page 40.
  Default: itimadmin
  Your value:

EJB User Password
  Description: The password for the EJB User ID.
  Your value:
WebSphere Application Server: single-server installation
WebSphere Application Server installation for a single-server configuration has the
following fields. For more information, see Chapter 4, “Installing and configuring
WebSphere Application Server,” on page 33.
Each entry lists the field name, its description, and the default or example
value; record your own value on the Your value line.

Installation directory
  Description: The installation directory for the WebSphere Application
  Server base product.
  Default: WAS_HOME
  Your value:

Host name
  Description: Host name or the IP address of the computer on which the
  WebSphere Application Server is running.
  Example: myhostname
  Your value:

Server Name
  Description: A case-sensitive name for the WebSphere Application Server to
  which you deploy the Tivoli Identity Manager Server during a single-server
  installation.
  Example: server1
  Your value:
WebSphere Application Server: cluster installation
WebSphere Application Server installation for a cluster configuration has the
following fields. For more information, see Chapter 4, “Installing and configuring
WebSphere Application Server,” on page 33.
Each entry lists the field name, its description, and the default or example
value; record your own value on the Your value line.

Cluster name
  Description: A case-sensitive name that is used to create the Tivoli
  Identity Manager cluster. This field is not displayed during single-server
  installation.
  Example: ITIM_CLUSTER
  Your value:

Installation directory
  Description: The installation directory for the WebSphere Application
  Server base product and the WebSphere deployment manager. For more
  information, see “Definitions for HOME and other directory variables” on
  page xii.
  Example: WAS_HOME and WAS_NDM_HOME
  Your value:

IP Address
  Description: The IP address of the computer on which the deployment manager
  or the WebSphere Application Server base product is installed.
  Your value:
Appendix C. Upgrading from Tivoli Identity Manager Version
4.5.1 to Version 4.6
The Tivoli Identity Manager installation program will upgrade a computer that has
Tivoli Identity Manager Version 4.5.1, or Version 4.5.1 with fix packs applied, to
Tivoli Identity Manager Version 4.6. Some manual steps are required to preserve or
re-customize settings. This section describes upgrading both single-server and
cluster configurations. For more information on prerequisite software that this
release supports, refer to the IBM Tivoli Identity Manager Release Notes.
The upgrade process has these major tasks:
1. Ensure that the operating system is at a level that this release of Tivoli Identity
Manager supports, and that the system has the required fix pack or patches.
2. Manually upgrade prerequisite software applications.
You must upgrade any software that is part of the existing Tivoli Identity
Manager environment to meet the requirements for the new Tivoli Identity
Manager version. This includes migrating or applying fixes to the database,
directory server, and WebSphere Application Server base product and
deployment manager.
Migrating from AIX Version 5.1 to AIX Version 5.2 can remove symbolic links
from the DB2 Version 8.1 product directory, such as a link to libdb2.a. You must
back up the DB2 database for Tivoli Identity Manager, uninstall DB2, upgrade
AIX Version 5.1 to Version 5.2, reinstall DB2, and then restore the DB2 database.
3. To migrate the WebSphere Application Server, make one of these choices:
v Use the following steps to migrate WebSphere Application Server Version
5.0.2 to Version 5.1.1.3, and no longer use WebSphere Application Server
Version 5.0.2.
You can migrate WebSphere Application Server Version 5.0 directly to
Version 5.1 by running the WebSphere Application Server installation
program and selecting the migration option. The program migrates all user
configuration and existing enterprise applications in WebSphere Application
Server Version 5.0 to WebSphere Application Server Version 5.1.
However, you might not be able to migrate WebSphere Application Server
Version 5.0.2 directly to Version 5.1. To migrate WebSphere Application
Server Version 5.0.2 to Version 5.1.1.3, complete these tasks:
a. Migrate the WebSphere Application Server on these computers:
– Single server: Migrate the WebSphere Application Server.
– Cluster: Migrate the WebSphere Application Server base product and
the deployment manager.
b. For each computer, read the WebSphere Application Server installation
information to ensure that the computer meets the WebSphere
Application Server requirements.
c. Install WebSphere Application Server Version 5.1 on a separate directory.
Make sure to choose the option to allow coexistence with WebSphere
Application Server Version 5.1. Ensure that you use the same WebSphere
Application Server ports that WebSphere Application Server Version 5.0.2
previously used.
On an AIX system, installing WebSphere Application Server Version 5.1.x
requires font package X11.fnt.coreX 5.x.x.x. Refer to the IBM Tivoli Identity
Manager Release Notes for the most current fix pack, cumulative fix, and
any possible Authorized Program Analysis Report (APAR).
d. Apply WebSphere Application Server Version 5.1 Fix Pack 1 and
cumulative fix 3, bringing WebSphere Application Server to Version
5.1.1.3.
e. Migrate all WebSphere Application Server Version 5.0.2 configuration
settings and enterprise applications, including Tivoli Identity Manager
Version 4.5.1, to WebSphere Application Server Version 5.1.1.3. To do so,
run these commands:
cd /WAS_HOME_51/bin
./WASPreUpgrade.sh backupDirectory WAS_HOME_502
./WASPostUpgrade.sh backupDirectory
The value of backupDirectory is any directory that you define to store the
WebSphere Application Server Version 5.0.2 data that is migrated.
v Alternatively, install WebSphere Application Server Version 5.1 and allow it
to co-exist with WebSphere Application Server Version 5.0.2. Do not use the
ports that WebSphere Application Server Version 5.0.2 previously defined.
You might select this alternative if you have applications that continue to
require WebSphere Application Server Version 5.0.2.
No migration occurs for WebSphere Application Server 5.0.2 configuration
settings or enterprise applications, including Tivoli Identity Manager Version
4.5.1, to WebSphere Application Server Version 5.1.1.3.
After you install WebSphere Application Server Version 5.1, run the Tivoli
Identity Manager Version 4.6 installation program to upgrade Tivoli Identity
Manager Version 4.5.1 to ITIM 4.6 on WebSphere Application Server Version
5.1.1.3. After you upgrade Tivoli Identity Manager to version 4.6, remove
Tivoli Identity Manager Version 4.5.1 from WebSphere Application Server
Version 5.0.2.
For more information on migration, refer to WebSphere documentation at
this Web site:
http://publib.boulder.ibm.com/infocenter/wasinfo/v5r1/index.jsp
4. Upgrade the Tivoli Identity Manager Server using the Tivoli Identity Manager,
Version 4.6 installation program.
The Tivoli Identity Manager installation program upgrades the database
schema, the directory server schema and data, the WebSphere Application
Server configuration for Tivoli Identity Manager, the Tivoli Identity Manager
property files, and other Tivoli Identity Manager files. During the upgrade
process, the ITIM_HOME/data directory is copied to the
ITIM_HOME/data/backup directory.
Note: To perform the upgrade, you must select the current ITIM_HOME
directory for the Tivoli Identity Manager Version 4.6 installation location.
Tivoli Identity Manager Version 4.6 will use Tivoli Identity Manager
Version 4.5.1 home directory (for example, itim45) as the Tivoli Identity
Manager Version 4.6 home directory. After making an upgrade, you can
validate the current Tivoli Identity Manager version by examining the
copyright notice in the header of the Messages.properties file.
Processes and settings that the upgrade process preserves
Some workflow processes that started in the previous Tivoli Identity Manager
release (4.5.1 or later) continue to run after the upgrade to Tivoli Identity
Manager 4.6 completes. For example, user operations such as new account
requests and password changes that start in version 4.5.1 complete after
Tivoli Identity Manager is upgraded to version 4.6.
The upgrade process preserves the following settings:
v Certificate-authority (CA) certificates. Tivoli Identity Manager demonstration
certificates are updated.
v Existing WebSphere Application Server settings that are related to the Tivoli
Identity Manager application.
v Tivoli Identity Manager properties defined in the following files:
– enRole.properties
– enRoleAuthentication.properties
– enRoleDatabase.properties
– enRoleLDAPConnection.properties
– enRoleMail.properties
– enroleworkflow.properties
– ui.properties
– CustomLabels.properties
– adhocreporting.properties
v The following workflow system process files in the
data/workflow_systemprocess directory:
– notifytemplate.html
– addserviceselectionpolicy.xml
– changeserviceselectionpolicy.xml
– removeserviceselectionpolicy.xml
– multiaccountdelete.xml
– multiaccountpassword.xml
– multiaccountrestore.xml
– multiaccountsuspend.xml
– multiuserdelete.xml
– multiusersrestore.xml
– multiusersuspend.xml
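Because the upgrade copies ITIM_HOME/data to ITIM_HOME/data/backup before replacing files, you can verify which settings in the property files listed above actually survived. The following Python is an added example for this guide (not part of the product): it implements a minimal Java .properties reader and reports keys that went missing or changed between the backup copy and the upgraded file; the property content it embeds is constructed and the keys are not real Tivoli Identity Manager keys.

```python
"""Report property keys that an upgrade dropped or changed.

Added example for this guide; it is not part of Tivoli Identity Manager. It
assumes the pre-upgrade files are the copies that the upgrade places in
ITIM_HOME/data/backup, and reads Java .properties syntax minimally:
'#' or '!' comment lines, '=' / ':' / whitespace key separators, and
backslash line continuation. Escape sequences inside values are kept as is.
"""
import re
from pathlib import Path
from typing import Dict, Iterable, List

# Property files this guide lists as preserved by the upgrade.
PRESERVED_FILES = [
    "enRole.properties", "enRoleAuthentication.properties",
    "enRoleDatabase.properties", "enRoleLDAPConnection.properties",
    "enRoleMail.properties", "enroleworkflow.properties", "ui.properties",
    "CustomLabels.properties", "adhocreporting.properties",
]

# key = everything up to the first unescaped '=', ':' or blank; separator optional
KEY_VALUE_RE = re.compile(r"^((?:\\.|[^=:\s\\])*)\s*[=:]?\s*(.*)$")


def _logical_lines(text: str) -> List[str]:
    """Join physical lines that end in an odd number of backslashes."""
    lines: List[str] = []
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.lstrip()   # continuation drops leading blanks
        pending = ""
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:
            pending = line[:-1]          # drop the continuation backslash
            continue
        lines.append(line)
    if pending:
        lines.append(pending)
    return lines


def parse_properties(text: str) -> Dict[str, str]:
    """Return key -> value for a Java .properties document."""
    props: Dict[str, str] = {}
    for line in _logical_lines(text):
        if not line or line[0] in "#!":
            continue
        m = KEY_VALUE_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def compare_properties(before: str, after: str) -> Dict[str, List[str]]:
    """Keys missing, changed or newly added between two property documents."""
    old, new = parse_properties(before), parse_properties(after)
    return {
        "missing": sorted(k for k in old if k not in new),
        "changed": sorted(k for k in old if k in new and old[k] != new[k]),
        "added": sorted(k for k in new if k not in old),
    }


def compare_files(itim_home: Path, names: Iterable[str] = PRESERVED_FILES):
    """Compare ITIM_HOME/data/backup/<name> with ITIM_HOME/data/<name>."""
    report = {}
    for name in names:
        old_path = itim_home / "data" / "backup" / name
        new_path = itim_home / "data" / name
        if old_path.is_file() and new_path.is_file():
            report[name] = compare_properties(old_path.read_text(), new_path.read_text())
    return report


# Constructed sample content; the keys are not real Tivoli Identity Manager keys.
BEFORE = """\
# constructed pre-upgrade file
example.realm=itim
example.notify=true
example.banner = Welcome \\
    to the ACME portal
example.timeout : 30
"""
AFTER = """\
example.realm=itim
example.notify=false
example.timeout=30
example.new.setting=1
"""

if __name__ == "__main__":
    print(compare_properties(BEFORE, AFTER))
```

Any key listed under missing or changed is a customization to re-apply by hand after the upgrade.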
Processes and settings that are not preserved, or require manual
upgrade
The upgrade process does not preserve the following workflow processes, which
you must stop or allow to complete before you upgrade Tivoli Identity Manager:
v Policy Add/Modify/Remove
v Dynamic Role Add/Modify/Remove
v Reconciliations
v Identity feeds
All other customized data and settings are lost after the upgrade process. For more
information, see “Preserving customized data manually” on page 123. These
customizations are not preserved:
v LDAP schema
v Java security
v Custom logos used in a Welcome page and XLS style sheets. If you modified the
welcome page, you must re-implement the Styles.css file.
v Logging settings
v Any shared library used by Tivoli Identity Manager through a WebSphere
Application Server shared library definition. For more information, see
“Post-migration tasks” on page 123.
Additionally, you must manually upgrade the following components:
v Crystal reports. For more information, see “Upgrading Crystal Reports” on page
124.
v Tivoli Identity Manager jar files that the Tivoli Identity Manager client
applications use.
Tivoli Identity Manager client applications must replace their Tivoli Identity
Manager Version 4.5.1 itim_api.jar and api_ejb.jar files with those from Tivoli
Identity Manager Version 4.6.
For any Tivoli Identity Manager client application that has a duplicate copy of
Tivoli Identity Manager properties files on the client side, take these steps:
1. Rename the duplicate property files on the client application to preserve any
manual changes that you might have made.
2. Copy the property files from the Tivoli Identity Manager Server to the
duplicate copy on the client application.
3. If you manually changed the duplicate property files earlier, manually apply
the changes again.
Before you begin
Before upgrading Tivoli Identity Manager, complete these steps:
1. If at all possible, reduce system activity prior to starting the upgrade process.
It is recommended that you avoid starting large policy enforcements or
reconciliation requests prior to upgrading Tivoli Identity Manager. Do not
delete entries directly from the SCHEDULED_MESSAGES table in the Tivoli
Identity Manager database.
2. Complete or stop the following workflow processes, which are not preserved
during upgrade:
v Policy Add/Modify/Remove
v Dynamic Role Add/Modify/Remove
v Reconciliations
v Identity feeds
3. If you are using an Oracle database, log in to SQL*Plus using an account that
can grant privileges to the user enrole. Then, grant the CREATE VIEW privilege
to the user enrole. For example, enter these commands:
sqlplus system/manager@itimdb
SQL > GRANT CREATE VIEW to enrole;
SQL > quit;
4. Migrate the database server to the supported version. Then, back up the Tivoli
Identity Manager database, and ensure that the database server is running.
5. Migrate the directory server to the supported version. Then, back up the Tivoli
Identity Manager schema and data, and ensure that the directory server is
running. For Tivoli Identity Manager Version 4.5.1 recovery purposes, export
the Tivoli Identity Manager LDAP directory to an LDIF file.
6. Complete these steps for your WebSphere Application Server configuration:
v Single-server: Migrate the WebSphere Application Server base product.
v Cluster: Migrate the deployment manager, and migrate the WebSphere
Application Server base product on each node.
7. If you intend to save the Tivoli Identity Manager configuration information on
the WebSphere Application Server, perform a backup of the WebSphere
configuration files. Complete these steps:
a. Stop the WebSphere Application Server.
b. To make a backup file, run the following command on the computer that
hosts the WebSphere Application Server base product:
v Windows
WAS_HOME\bin\backupConfig.bat
v UNIX
WAS_HOME/bin/backupConfig.sh
The command creates a compressed file, such as
WebSphereConfig_2005-07-10.zip, that contains all current Tivoli Identity
Manager configuration settings. The file is created in the directory from
which you run the backupConfig command.
The backup preserves the WebSphere Application Server configuration that
includes the settings for Tivoli Identity Manager.
8. Ensure that the appropriate servers are running in the WebSphere environment.
Complete these steps:
v Single-server configuration: Start the WebSphere Application Server that you
previously upgraded to version 5.1.x (refer to the IBM Tivoli Identity Manager
Release Notes for the most current fix pack, cumulative fix, and possible
APARs). Using the WebSphere administrative console, stop the Tivoli Identity
Manager application enRole.
v Cluster configuration: Ensure that the deployment manager and all the node
agents are running. Using the WebSphere administrative console, stop the
Tivoli Identity Manager cluster.
9. On a single-server configuration, and on each cluster member in a cluster
configuration, complete these steps:
v Back up the itim directory.
v Access the WAS_HOME/installedApps/cellname/enRole.ear directory and
store any customized files in a temporary holding area.
v Access the
WAS_HOME/installedApps/cellname/enRole.ear/app_web.war/META-INF
directory and store the MANIFEST.MF file in a temporary holding area.
Upgrading a single-server configuration
The upgrade process performs these tasks in a single-server configuration:
1. Backs up files in the ITIM_HOME/data directory.
2. Replaces the files in the ITIM_HOME directory.
3. Ensures that WebSphere Application Server Version 5.1.x is running, and starts
the WebSphere Application Server if it is not running. Refer to the IBM Tivoli
Identity Manager Release Notes for the most current fix pack, cumulative fix,
and possible APARs.
4. Removes the existing Tivoli Identity Manager Version 4.5.1 (enRole) from
WebSphere Application Server Version 5.1.x.
5. Deploys the Tivoli Identity Manager Version 4.6 to WebSphere Application
Server Version 5.1.x.
6. Updates the Tivoli Identity Manager database to create new tables and other
settings.
7. Updates the LDAP server to add new LDAP schema and default Tivoli
Identity Manager settings.
8. Starts the system configuration tool (runConfig) to prompt the user to
examine current system configuration values.
9. Updates several Tivoli Identity Manager properties files. For more
information, see step 117.
10. Updates the WebSphere Application Server configuration for Tivoli Identity
Manager Version 4.6.
To upgrade a single-server configuration, complete these steps:
1. To run the installation program, complete these steps:
v Windows
a. Click Start –> Run.
b. Enter your CD-ROM drive, and then enter the following command:
instWIN-WAS.exe
The Welcome window opens.
v UNIX
a. Open a command prompt window, and change to your CD-ROM drive.
b. Enter one of the following commands for the Tivoli Identity Manager
installation program:
– AIX
instAIX-WAS.bin
– Solaris
instSOL-WAS.bin
– Linux
instLINUX-WAS.bin
The installation program starts and displays the Welcome window.
2. Select the appropriate language and click OK.
3. In the License Agreement window, read the license agreement and decide
whether to accept its terms. If you do, select Accept and click Next.
4. In the Choose Install Directory window, you must select the existing Tivoli
Identity Manager Version 4.5.1 home directory that you want to upgrade.
Accept the existing 4.5.1 directory, or click Choose.... and select the correct
directory. Then, click Next.
5. In the Upgrade from 4.5.1 to 4.6? window, click Continue to Next to start the
upgrade.
6. Read the caution windows to ensure that the prerequisite applications meet
the requirements that Tivoli Identity Manager supports. Then, click Next.
7. In the WebSphere Application Server installation directory window, specify
the WebSphere Application Server that you intend to use. There can be
multiple instances of the WebSphere Application Server on the computer.
Click Next.
8. In the Java home window, notice the directory to which Tivoli Identity
Manager Version 4.6 now points. You might need to manually migrate any
files that reference the previous directory to reference the current directory.
Click OK.
9. In the Tivoli Common Directory window, accept the default directory for the
Tivoli Common Directory or specify a different directory. The Tivoli Identity
Manager installation program creates the CTGIM subdirectory to store
serviceability-related files for Tivoli Identity Manager. Ensure that the
directory has at least 25 MB of free space. Click Next.
10. In the Pre-install Summary window, click Install.
The upgrade process silently upgrades the previously configured database and
LDAP server. Additionally, the installation program launches the system
configuration tool to allow you to change configuration settings, if necessary.
11. In the System Configuration Tool window, examine the values of all
parameters, which should be the values of the existing Tivoli Identity Manager
version 4.5.1 program. Verify the values and click OK. The system
configuration requires several minutes to complete. For more information, see
Chapter 7, “Configuring the Tivoli Identity Manager Server,” on page 77.
Upgrading a cluster configuration
The upgrade process performs these tasks in a cluster configuration:
1. Backs up files in the ITIM_HOME/data directory.
2. Replaces the files in the ITIM_HOME directory.
3. On the computer that has the deployment manager, does these tasks:
a. Removes the existing Tivoli Identity Manager Version 4.5.1 (enRole) from
WebSphere Application Server Version 5.1.x. Refer to the IBM Tivoli Identity
Manager Release Notes for the most current fix pack, cumulative fix, and
possible APARs.
b. Deploys the Tivoli Identity Manager Version 4.6 to WebSphere Application
Server Version 5.1.x.
c. Updates the Tivoli Identity Manager database to create new tables and other
settings.
d. Updates the LDAP server to add new LDAP schema and default Tivoli
Identity Manager settings.
4. On each computer that has a Tivoli Identity Manager cluster member, does
these tasks:
a. Starts the system configuration tool (runConfig) to prompt the user to
examine current system configuration values.
b. Updates several Tivoli Identity Manager properties files. For more
information, see step 117.
c. Updates the WebSphere Application Server configuration for Tivoli Identity
Manager Version 4.6.
To upgrade a cluster configuration on the deployment manager, and also on each
cluster member computer, complete these steps:
1. To run the installation program, complete these steps:
Appendix C. Upgrading from Tivoli Identity Manager Version 4.5.1 to Version 4.6 121
v Windows
a. Click Start –> Run.
b. Enter your CD-ROM drive, and then enter the following command:
instWIN-WAS.exe
The Welcome window opens.
v UNIX
a. Open a command prompt window, and change to your CD-ROM drive.
b. Enter one of the following commands for the Tivoli Identity Manager
installation program:
– AIX
instAIX-WAS.bin
– Solaris
instSOL-WAS.bin
– Linux
instLINUX-WAS.bin
The installation program starts and displays the Welcome window.
2. Select the appropriate language and click OK.
3. In the License Agreement window, read the license agreement and decide
whether to accept its terms. If you do, select Accept and click Next.
4. In the Choose Install Directory window, you must select the existing Tivoli
Identity Manager Version 4.5.1 home directory that you want to upgrade.
Accept the existing 4.5.1 directory, or click Choose... and select the correct
directory. Then, click Next.
5. In the Upgrade from 4.5.1 to 4.6? window, click Continue to Next to start the
upgrade.
6. Read the caution windows to ensure that the prerequisite applications meet
Tivoli Identity Manager requirements. Then, click Next.
7. In the WebSphere Application Server installation directory window, specify
the deployment manager or the WebSphere Application Server base product
that you intend to use. Then, click Next.
If the deployment manager of the Tivoli Identity Manager cluster is on the
computer, the deployment manager installation directory window opens.
Ensure the installation location for the deployment manager is correct.
If the Tivoli Identity Manager cluster is on the computer, the installation
directory window opens for the WebSphere Application Server base product.
There can be multiple instances of the deployment manager or the WebSphere
Application Server base product on the computer. Ensure the installation
directory for the WebSphere Application Server base product is the location
where the product resides.
8. In the Java home window, notice the directory to which Tivoli Identity
Manager Version 4.6 now points. You might need to manually migrate any
files that reference the previous directory to reference the current directory.
Click OK.
9. In the Tivoli Common Directory window, accept the default directory for the
Tivoli Common Directory or specify a different directory. The Tivoli Identity
Manager installation program creates the CTGIM subdirectory to store
serviceability-related files for Tivoli Identity Manager. Ensure that the
directory has at least 25 MB of free space.
10. In the Pre-install Summary window, read the summary. Then, click Install.
122 IBM Tivoli Identity Manager: Server Installation and Configuration Guide for WebSphere Environments
On the deployment manager, the upgrade process silently upgrades the
previously configured database and LDAP server. Additionally, the installation
program launches the system configuration tool to allow you to change
configuration settings, if necessary.
11. In the system configuration tool window, click OK and complete the
installation.
Post-migration tasks
If the directory server is the IBM Tivoli Directory Server, you must upgrade the
previous Tivoli Identity Manager Version 4.5.1 referential integrity file named
timdelref.conf to the new version. Complete these steps:
1. Stop the Tivoli Identity Manager Server.
2. Stop the IBM Tivoli Directory Server.
3. Copy the new Tivoli Identity Manager configuration file named timdelref.conf
from the ITIM_HOME/config/ldap/ibm directory on the version 4.6 Tivoli
Identity Manager Server or from the Tivoli Identity Manager product CD to the
etc directory on the IBM Tivoli Directory Server, replacing the previous
configuration file:
v Version 5.2: LDAP_HOME/etc
v Version 6.0: IDS_instance_HOME/etc
4. Restart the directory server.
5. Restart the Tivoli Identity Manager Server.
Preserving customized data manually
To preserve customized data that is not preserved by the upgrade process,
complete these manual steps:
v LDAP schema
Repeat the customization that you provided for the previous version of Tivoli
Identity Manager.
v Java security
Tivoli Identity Manager, Version 4.6 uses IBM Development Kit for Java 1.4.2,
which is bundled by the WebSphere Application Server, Version 5.1 in the
WAS_HOME/java directory.
Manually apply the changes that you made for the previous IBM Development
Kit for Java to the new IBM Development Kit for Java.
v Custom logos and customized style sheets
If you need to insert customized logos and style sheets in the
WAS_HOME/cellname/enRole.ear directory, restore these files from a backup
location.
v Logging settings
Tivoli Identity Manager Version 4.6 separates message logging and tracing to
different outputs and uses the IBM Logging Toolkit for Java (JLog) by default.
The logging settings are defined in the enRoleLogging.properties file.
Tivoli Identity Manager Version 4.5.1 used the Log4J logging toolkit. The Tivoli
Identity Manager Version 4.6 upgrade program renames the previous logging
setting properties file for the Log4J logging toolkit to
enRoleLogging.log4j.properties. If you customized the Log4J logging toolkit
setting and want to continue to use the Log4J logging toolkit for logging,
complete these steps:
1. Specify the new property enrole.logging.provider in the enRole.properties file
with this statement:
enrole.logging.provider=com.ibm.itim.logging.Log4jProvider
The Tivoli Identity Manager application will continue to perform tracing by
using the IBM Logging Toolkit for Java.
2. Restart the Tivoli Identity Manager application.
v If Tivoli Identity Manager Version 4.5.1 loaded specific jar files using settings for
a WebSphere Application Server shared library, you need to define the name of
the shared library to the newly-deployed Tivoli Identity Manager Version 4.6.
For example, Tivoli Identity Manager Version 4.5.1 might load a shared library
with a name such as user_shared_library.
Complete these tasks on the WebSphere administrative console to associate the
previously-defined shared library with Tivoli Identity Manager Version 4.6:
1. Click Applications –> Enterprise Applications –> enRole.
2. Select Additional Properties –> Libraries.
3. Click Add and select a shared library such as user_shared_library from the
drop-down list.
4. Click Apply to apply the changes.
5. Save the configuration.
6. Restart the WebSphere Application Server to allow the changes to take effect.
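The following script is an added example; it is not code from the Tivoli Identity Manager guide or product. It carries out step 1 of the logging settings item above (setting enrole.logging.provider in enRole.properties to the Log4J provider) in a form that is safe to run more than once: the first live occurrence of the key is replaced, any later duplicate is dropped because java.util.Properties keeps the last value it reads and a stale duplicate would silently override the edit, and comment lines are left alone. The sample file content and the sample.* keys are constructed; continuation lines (a trailing backslash) are assumed not to be used for this key. The set_property and get_property helpers work for any key, not only the logging provider.

```python
"""Set enrole.logging.provider in enRole.properties idempotently (added example)."""
import re
from pathlib import Path

PROVIDER_KEY = "enrole.logging.provider"
LOG4J_PROVIDER = "com.ibm.itim.logging.Log4jProvider"  # value given in the guide

# Constructed sample, not a real enRole.properties file.
SAMPLE_PROPERTIES = """\
# constructed sample
sample.key.one = value1
enrole.logging.provider : some.earlier.Provider
sample.key.two=value2
enrole.logging.provider=stale.duplicate.Provider
"""


def _key_pattern(key: str) -> "re.Pattern":
    # Java properties accept '=', ':' or whitespace between key and value;
    # '#' and '!' comment lines never match because the key must start the line.
    return re.compile(r"^\s*" + re.escape(key) + r"\s*[=:\s]")


def set_property(text: str, key: str, value: str) -> str:
    """Return text with exactly one live `key=value` line, other lines untouched."""
    pattern = _key_pattern(key)
    out, seen = [], False
    for line in text.splitlines():
        if pattern.match(line):
            if not seen:
                out.append(f"{key}={value}")
                seen = True
            # later duplicates are dropped so the new value is the effective one
            continue
        out.append(line)
    if not seen:
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def get_property(text: str, key: str):
    """Return the effective value of key (last live occurrence wins), or None."""
    pattern = re.compile(r"^\s*" + re.escape(key) + r"\s*[=:\s]\s*(.*?)\s*$")
    value = None
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            value = m.group(1)
    return value


def enable_log4j_provider(path: Path) -> str:
    """Rewrite enRole.properties at `path` and return the new content."""
    # Java properties files are ISO-8859-1; reading them as UTF-8 can corrupt values.
    new_text = set_property(path.read_text(encoding="latin-1"), PROVIDER_KEY, LOG4J_PROVIDER)
    path.write_text(new_text, encoding="latin-1")
    return new_text


if __name__ == "__main__":
    print(set_property(SAMPLE_PROPERTIES, PROVIDER_KEY, LOG4J_PROVIDER), end="")
```

After running enable_log4j_provider against ITIM_HOME/data/enRole.properties, restart the Tivoli Identity Manager application as step 2 requires; the property is only read at startup.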
Upgrading Crystal Reports
You must manually reconfigure Crystal Reports when you upgrade Tivoli Identity
Manager. After the upgrade completes, re-import all the reports that were
imported for Tivoli Identity Manager Version 4.5.x. For more information on using
the Crystal Reports designer tool to configure Crystal Reports, including importing
reports for use with Tivoli Identity Manager, refer to the IBM Tivoli Identity
Manager Information Center.
Correcting upgrade problems
If the upgrade process fails to complete, pop-up messages describe the problem.
Complete these steps:
1. If the Tivoli Identity Manager deployment of the enRole.ear directory failed,
examine the ITIM_HOME/install_logs/setupEnrole.stdout log file to determine
the cause. Correct the problem and redeploy the enRole.ear directory. Complete
these tasks:
v Single-server
– Uninstall the enRole.ear directory from the WebSphere Application Server
using this command:
ITIM_HOME/bin/SetupEnrole uninstall server:name user:user_id password:pwd
Verify that the uninstallation process removed the
WAS_HOME/installedApps/cellname/enRole.ear directory and the
WAS_HOME/config/cells/cellname/applications/enRole.ear directory. If
the directories exist, remove both enRole.ear directories manually.
– Install the enRole.ear directory using this command on the WebSphere
Application Server:
ITIM_HOME/bin/SetupEnrole install server:name user:user_id password:pwd
Copy the jsafe.jar and log4j.jar files from the ITIM_HOME/lib directory to
the enRole.ear directory.
The value of name is the name of the WebSphere Application Server on
which the Tivoli Identity Manager application is deployed. The value of
user_id is the WebSphere administrator user ID, such as wasadmin. The value
of pwd is the password for the WebSphere administrator user ID, such as
wasadminpwd.
v Cluster
– Uninstall the enRole.ear directory from the deployment manager using
this command:
ITIM_HOME/bin/SetupEnrole uninstall user:user_id password:pwd
Verify that the uninstallation process removed the
WAS_NDM_HOME/config/cells/cellname/applications/enRole.ear
directory. If the directory exists, remove the enRole.ear directory manually.
– Install the enRole.ear directory using this command on the deployment
manager:
ITIM_HOME/bin/SetupEnrole install user:user_id password:pwd
On each Tivoli Identity Manager cluster member, copy the jsafe.jar and
log4j.jar files from the ITIM_HOME/lib directory to the
WAS_HOME/installedApps/cellname/enRole.ear directory.
2. If the LDAP schema upgrade failed, examine the
ITIM_HOME/install_logs/ldapUpgrade.stdout log file. Correct the problem and
run the following program:
ITIM_HOME/bin/ldapUpgrade
3. If the database schema upgrade failed, examine the
ITIM_HOME/install_logs/dbUpgrade.stdout log file. Correct the problem and
run the following program:
ITIM_HOME/bin/DBUpgrade
4. Restart the Tivoli Identity Manager application.
5. Log on to Tivoli Identity Manager.
On Windows Server 2003, you might not be able to log on to Tivoli Identity
Manager after upgrading or installing Tivoli Identity Manager.
To resolve this problem, reboot the system, which may correct certain
environment settings and WebSphere embedded messaging queue problems.
Examine the WAS_HOME\logs\server1\SystemOut.log file to determine
whether any exception relates to the WebSphere embedded messaging queue
manager.
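The script below is an added example, not code from the Tivoli Identity Manager guide or from WebSphere. It performs the check in step 5: it reads a SystemOut.log, groups each record with the stack-trace lines that follow it, and returns the error and warning records that mention the embedded messaging queue manager, together with the Tivoli Identity Manager listener ports named in them. The log lines are constructed to follow the WebSphere 5.x SystemOut.log layout ([timestamp] threadid component level message); the message texts, class names and the marker strings used to recognise messaging-related records are assumptions, not values taken from the guide.

```python
"""Find embedded-messaging errors in a WebSphere SystemOut.log (added example)."""
import re

# One record header: [timestamp] hex-thread-id component level message
RECORD_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<thread>[0-9a-f]+)\s+(?P<component>\S+)"
    r"\s+(?P<level>[A-Z])\s+(?P<msg>.*)$"
)

# Substrings (matched case-insensitively) that point at the JMS / queue manager layer.
# Assumed markers, not a list from the guide.
MESSAGING_MARKERS = ("mqjms", "javax.jms.jmsexception", "com.ibm.mq.mqexception", "queue manager")

# Constructed sample log; not output captured from a real server.
SAMPLE_LOG = """\
[6/15/05 9:12:33:456 EDT] 3e4f5a6b SystemOut     O constructed: Tivoli Identity Manager starting
[6/15/05 9:12:40:001 EDT] 3e4f5a6b MsgListener   E constructed: Unable to start MDB Listener ITIMLocalWorkflowListenerPort, JMSDestination workflowQueue : javax.jms.JMSException: MQJMS2005: failed to create MQQueueManager
\tat com.example.mq.Connect.createQM(Connect.java:42)
\tat com.example.mq.Connect.open(Connect.java:17)
[6/15/05 9:12:41:100 EDT] 3e4f5a6b ServletWrappe E constructed: [Servlet Error]-[enRole]: java.lang.NullPointerException
[6/15/05 9:12:42:000 EDT] 3e4f5a6b SystemOut     O constructed: Application started: enRole
"""


def parse_records(lines):
    """Group lines into records: header fields plus any continuation (stack) lines."""
    records = []
    for line in lines:
        m = RECORD_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["detail"] = []
            records.append(rec)
        elif records:
            # a line that is not a header belongs to the record before it
            records[-1]["detail"].append(line.strip())
    return records


def messaging_exceptions(lines, levels=("E", "W")):
    """Return error/warning records whose text mentions the embedded messaging layer."""
    hits = []
    for rec in parse_records(lines):
        text = (rec["msg"] + " " + " ".join(rec["detail"])).lower()
        if rec["level"] in levels and any(marker in text for marker in MESSAGING_MARKERS):
            hits.append(rec)
    return hits


def listener_ports_mentioned(hits):
    """Listener port names (ITIM...ListenerPort) that appear in the matching records."""
    names = set()
    for rec in hits:
        names.update(re.findall(r"\bITIM\w*ListenerPort\b", rec["msg"]))
    return sorted(names)


def scan_file(path):
    """Scan a real SystemOut.log; returns (hits, listener ports)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        hits = messaging_exceptions(fh.read().splitlines())
    return hits, listener_ports_mentioned(hits)


if __name__ == "__main__":
    for rec in messaging_exceptions(SAMPLE_LOG.splitlines()):
        print(rec["ts"], rec["component"], rec["msg"])
```

A servlet error at level E is deliberately included in the sample and is not reported, so that the result isolates the queue manager problem the guide tells you to look for; pass scan_file the WAS_HOME\logs\server1\SystemOut.log path on a real system.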
Appendix D. Steps that the installation program takes to
configure the WebSphere environment
This section describes the steps that the Tivoli Identity Manager installation
program takes to configure the WebSphere environment.
Use the manual steps described in this section only to verify or to modify the
WebSphere configuration. Do not use these steps for installation.
Additional configuration steps are required that are not described here, such as
updating Tivoli Identity Manager property files, configuring the Tivoli Identity
Manager database, and configuring the LDAP server.
Before you begin
Before you begin, start the WebSphere Application Server, and log on to the
WebSphere administrative console. All the tasks assume that you are logged on to
the console.
The installation and configuration activities refer to the directories that are
described in Table 8.
The value of path varies for these operating systems:
v Windows: drive:\Program Files
v AIX: /usr
v Other UNIX: /opt
Table 8. Referenced directories
Directory Default Location Description
ITIM_HOME
Default location: Windows: C:\Program Files\IBM\itim; UNIX: /path/IBM/itim
Description: The base directory that contains the Tivoli Identity Manager code,
configuration, and documentation.
WAS_HOME
Default location: Windows: C:\Program Files\WebSphere\AppServer; UNIX:
/path/WebSphere/AppServer
Description: The WebSphere Application Server home directory.
DB_INSTANCE_HOME
Default location: Windows: path\IBM\SQLLIB; UNIX: AIX, Linux:
/home/dbinstancename; Solaris: /export/home/dbinstancename
Description: The directory that contains the database for Tivoli Identity
Manager.
© Copyright IBM Corp. 2003, 2006 127
Configuring resources for the Tivoli Identity Manager Server
This section describes configuring resources that the Tivoli Identity Manager Server
requires, including database drivers, data sources, and message queues. The
installation program takes the following actions:
1. “Setting environment properties”
2. “Setting transaction service properties” on page 129
3. “Creating J2C authentication data entries” on page 129
4. “Creating the JDBC driver and the WebSphere Application Server data source”
on page 130
5. “Creating Tivoli Identity Manager JMS objects at the cell level” on page 131
6. “Creating Tivoli Identity Manager JMS objects at the server level” on page 132
7. “Creating message listener ports” on page 134
8. “Configuring the internal JMS server” on page 137
9. “Updating the JVM classpath” on page 137
10. “Overriding client encoding” on page 138
Setting environment properties
The Tivoli Identity Manager installation program sets environment variables for
both a single-server configuration and for all cluster members in a Tivoli Identity
Manager cluster configuration.
To verify these variables, complete these steps:
1. Click Environment –> Manage WebSphere Variables.
2. At the node level, verify values for the fields described in Table 9.
Table 9. ITIM_HOME variable
Field Value
Name ITIM_HOME
Value Windows:
path\IBM\itim
UNIX:
/path/IBM/itim
3. At the node level, verify the ITIM_DB_JDBC_DRIVER_PATH variable.
Table 10. ITIM_DB_JDBC_DRIVER_PATH variable
Field Value
Name ITIM_DB_JDBC_DRIVER_PATH
Value JDBC_DRIVER_PATH
This is the directory where the database JDBC driver
resides. For example, on a Windows system that has a
JDBC driver for DB2 UDB, enter the value C:\Program
Files\SQLLIB\java\.
Setting transaction service properties
The Tivoli Identity Manager installation program sets transaction service properties
for a single-server configuration and for all cluster members in a Tivoli Identity
Manager cluster configuration.
To verify these service properties, complete these steps:
1. Click Servers –> Application Servers –> servername –> Transaction Service.
2. Verify values for the fields described in Table 11.
Table 11. Transaction service properties
Field Value
Total Transaction Lifetime Timeout 1200
Client Inactivity Timeout 600
Creating J2C authentication data entries
The Tivoli Identity Manager installation program creates J2EE Connector (J2C)
authentication data entries for a single-server configuration and for the deployment
manager in a Tivoli Identity Manager cluster configuration.
To verify J2C authentication data entries, complete these steps:
1. Click Security –> JAAS Configuration –> J2C Authentication Data.
2. Verify values for the fields described in Table 12.
Table 12. J2C authentication data entries
Field Value
Alias itim_init
User ID enrole
Password A password for the enrole user ID
Description Initial J2C authentication alias for Tivoli Identity Manager
3. To verify the second J2C authentication data entry, examine values for the fields
described in Table 13.
Table 13. Additional J2C authentication data entries
Field Value
Alias itim_jms
User ID Enter either the WebSphere administrator ID when WebSphere
global security is on, or enter an empty field when WebSphere
global security is off.
Password Enter a password for either the WebSphere administrator ID when
WebSphere global security is on, or enter an empty field when
WebSphere global security is off.
Description JMS J2C authentication alias
Appendix D. Steps that the installation program takes to configure the WebSphere environment 129
Creating the JDBC driver and the WebSphere Application
Server data source
The Tivoli Identity Manager installation program creates the JDBC provider and
the WebSphere Application Server data sources for a single-server configuration
and for all cluster members in a Tivoli Identity Manager cluster configuration.
To verify the JDBC provider at the server level, complete these steps:
1. Click Resources –> JDBC Provider.
2. Click New to create the JDBC provider.
3. Select DB2 Universal JDBC Driver Provider (XA), then click OK.
4. Verify values for the fields described in Table 14.
Table 14. JDBC provider
Field Value
Name ITIM DB2 JDBC Provider (XA)
Description ITIM JDBC2 XA Compliant Driver (DB2)
Implementation Class COM.ibm.db2.jdbc.DB2XADataSource
Classpath ${ITIM_DB_JDBC_DRIVER_PATH}/db2java.zip
5. To verify the data source, complete these steps:
a. Click Resources –> JDBC Provider.
b. Select DB2 Universal JDBC Driver Provider (XA), and then select Data
Sources.
c. Verify values for the fields described in Table 15.
Table 15. Data source
Field Value
Name ITIM Data Source
JNDI Name enroleDataSource
Description ITIM Data Source
Component-managed Authentication Alias itim_init
Container-managed Authentication Alias itim_init
Mapping-Configuration Alias DefaultPrincipalMapping
Statement Cache Size 100
6. Configure the database name. Complete these steps:
a. Click ITIM DB2 JDBC Provider (XA) –> Data Sources. Then, select ITIM
Data Source from the list of data sources.
b. Select Custom Properties, and then select database name.
c. Verify the value of the database name as itimdb.
7. Configure the connection pool. Complete these steps:
a. Click ITIM DB2 JDBC Provider (XA) –> Data Sources –> ITIM Data
Source –> Connection Pool.
b. Verify values for the fields described in Table 16.
Table 16. Connection pool fields
Field Value
Min Connections 5
Max Connections 50
Creating Tivoli Identity Manager JMS objects at the cell level
The Tivoli Identity Manager installation program creates JMS objects for a
single-server configuration and for the deployment manager in a Tivoli Identity
Manager cluster configuration.
To verify JMS objects, complete these steps:
1. Verify the ITIM Queue Connection Factory at the cell level. Complete these
steps:
a. Click Resources –> WebSphere JMS Provider –> WebSphere Queue
Connection Factory. The WebSphere Queue Connection Factory is at the
cell level.
b. Verify a new Queue Connection Factory with values for the fields described
in Table 17. Accept default values for the other fields.
Table 17. Queue Connection Factory values - cell level
Field Value
Name ITIM Shared Queue Connection Factory
JNDI Name enrole.jms.SharedQueueConnectionFactory
Description ITIM Shared Queue Connection Factory
Node Select the current node in a single-server configuration. Select a
cluster member node in a cluster configuration.
Component-managed Authentication Alias itim_jms
Container-managed Authentication Alias itim_jms
Mapping-Configuration Alias DefaultPrincipalMapping
XA Enabled True
c. Select Create Queue Connection Factory, and verify that the connection
pool and the session pool have a maxConnection size of 50.
2. Verify ITIM WebSphere queue destinations at the cell level. Complete these
steps:
a. Click Resources –> WebSphere JMS Provider –> ITIM WebSphere Queue
Destinations.
b. Verify 3 new queue destinations. Use defaults for any values that are not
specified in the following tables:
v itim_policy
Table 18. Queue destination values - itim_policy
Field Value
Name itim_policy
JNDI Name policyAnalysisQueue
Description ITIM Policy Analysis Queue
Persistence PERSISTENT
v itim_policy_simulation
Table 19. Queue destination values - itim_policy_simulation
Field Value
Name itim_policy_simulation
JNDI Name policySimulationQueue
Description ITIM Policy Simulation Queue
Persistence PERSISTENT
v itim_wf_shared
Table 20. Queue destination values - itim_wf_shared
Field Value
Name itim_wf_shared
JNDI Name sharedWorkflowQueue
Description ITIM Shared Workflow Queue
Persistence PERSISTENT
Creating Tivoli Identity Manager JMS objects at the server
level
The Tivoli Identity Manager installation program creates JMS objects for a
single-server configuration and for all cluster members in a Tivoli Identity
Manager cluster configuration.
To verify JMS objects, complete these steps:
1. Verify the ITIM Queue Connection Factory at the server level. Complete these
steps:
a. Click Resources –> WebSphere JMS Provider –> WebSphere Queue
Connection Factory. The WebSphere Queue Connection Factory is at the
server level.
b. Verify a new Queue Connection Factory with values for the fields described
in Table 17 on page 131. All other fields can have default values.
Table 21. Queue Connection Factory values - server level
Field Value
Name ITIM Queue Connection Factory
JNDI Name enrole.jms.QueueConnectionFactory
Description ITIM Queue Connection Factory
Node Select the current node.
Component-managed Authentication Alias itim_jms
Container-managed Authentication Alias itim_jms
Mapping-Configuration Alias DefaultPrincipalMapping
XA Enabled True
c. Select Create Queue Connection Factory, and verify that the connection
pool and the session pool have a maxConnection size of 50.
2. Verify ITIM WebSphere queue destinations at the server level. Complete these
steps:
a. Click Resources –> WebSphere JMS Provider –> ITIM WebSphere Queue
Destinations.
b. Verify 6 new queue destinations. Accept defaults for values that are not
specified in the following tables:
v itim_ms
Table 22. Queue destination values - itim_ms
Field Value
Name itim_ms
JNDI Name mailServicesQueue
Description ITIM Mail Services Queue
Persistence PERSISTENT
v itim_rs
Table 23. Queue destination values - itim_rs
Field Value
Name itim_rs
JNDI Name remoteServicesQueue
Description ITIM Remote Services Queue
Persistence PERSISTENT
v itim_wf
Table 24. Queue destination values - itim_wf
Field Value
Name itim_wf
JNDI Name WorkflowQueue
Description ITIM Workflow Queue
Persistence PERSISTENT
v itim_rs_pending
Table 25. Queue destination values - itim_rs_pending
Field Value
Name itim_rs_pending
JNDI Name ITIM Remote Pending Queue
Description ITIM Remote Pending Queue
Persistence PERSISTENT
v itim_ps
Table 26. Queue destination values - itim_ps
Field Value
Name itim_ps
JNDI Name partitioningServiceQueue
Description ITIM Partitioning Service Queue
Persistence PERSISTENT
v itim_adhocSync
Table 27. Queue destination values - itim_adhocSync
Field Value
Name itim_adhocSync
JNDI Name adhocSyncQueue
Description ITIM Adhoc Sync Queue
Persistence PERSISTENT
Creating message listener ports
The Tivoli Identity Manager installation program creates message listener ports for
a single-server configuration and for all cluster members in a Tivoli Identity
Manager cluster configuration.
To verify message listener ports, complete these steps:
1. Access the listener ports definition window. Complete these steps:
v Single-server configuration: Click Servers –> Application Servers –>
servername –> Message Listener Service –> Listener Ports.
v Each cluster member: Click Servers –> Application Servers –>
clustermembername –> Message Listener Service –> Listener Ports.
2. Verify the listener ports described in the following tables:
v ITIMAdhocSyncListenerPort
Table 28. ITIMAdhocSyncListenerPort
Field Value
Name ITIMAdhocSyncListenerPort
Connection Factory JNDI Name enrole.jms.QueueConnectionFactory
Destination JNDI Name adhocSyncQueue
Maximum Sessions 5
Maximum Retry 100
v ITIMLocalWorkflowListenerPort
Table 29. ITIMLocalWorkflowListenerPort
Field Value
Name ITIMLocalWorkflowListenerPort
Connection Factory JNDI Name enrole.jms.QueueConnectionFactory
Destination JNDI Name workflowQueue
Maximum Sessions 10
Maximum Retry 100
v ITIMMailServicesListenerPort
Table 30. ITIMMailServicesListenerPort
Field Value
Name ITIMMailServicesListenerPort
Connection Factory JNDI Name enrole.jms.QueueConnectionFactory
Destination JNDI Name mailServicesQueue
Maximum Sessions 3
Maximum Retry 100
v ITIMPartitioningServiceListenerPort
Table 31. ITIMPartitioningServiceListenerPort
Field Value
Name ITIMPartitioningServiceListenerPort
Connection Factory JNDI Name enrole.jms.QueueConnectionFactory
Destination JNDI Name partitioningServiceQueue
Maximum Sessions 5
Maximum Retry 100
v ITIMRemoteServicesListenerPort
Table 32. ITIMRemoteServicesListenerPort
Field Value
Name ITIMRemoteServicesListenerPort
Connection Factory JNDI Name enrole.jms.QueueConnectionFactory
Destination JNDI Name remoteServicesQueue
Maximum Sessions 5
Maximum Retry 100
v ITIMRemoteServicesPendingListenerPort
Table 33. ITIMRemoteServicesPendingListenerPort
Field Value
Name ITIMRemoteServicesPendingListenerPort
Connection Factory JNDI Name enrole.jms.QueueConnectionFactory
Destination JNDI Name remotePendingQueue
Maximum Sessions 5
Maximum Retry 100
v ITIMPolicyAnalysisListenerPort
Table 34. ITIMPolicyAnalysisListenerPort
Field Value
Name ITIMPolicyAnalysisListenerPort
Connection Factory JNDI Name enrole.jms.QueueConnectionFactory
Destination JNDI Name policyAnalysisQueue
Maximum Sessions 5
Maximum Retry 100
v ITIMPolicySimulationListenerPort
Table 35. ITIMPolicySimulationListenerPort
Field Value
Name ITIMPolicySimulationListenerPort
Connection Factory JNDI Name enrole.jms.QueueConnectionFactory
Destination JNDI Name policySimulationQueue
Maximum Sessions 5
Maximum Retry 100
v ITIMSharedWorkflowListenerPort
Table 36. ITIMSharedWorkflowListenerPort
Field Value
Name ITIMSharedWorkflowListenerPort
Connection Factory JNDI Name enrole.jms.QueueConnectionFactory
Destination JNDI Name sharedWorkflowQueue
Maximum Sessions 5
Maximum Retry 100
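Each listener port above works only if its Connection Factory JNDI Name and Destination JNDI Name resolve to a queue connection factory and a queue destination that were actually created (Tables 17 through 27), and JNDI lookups are case-sensitive, so the names must match exactly. The script below is an added example, not code from the Tivoli Identity Manager guide or from WebSphere, that automates that cross-check. The two XML strings are constructed fragments shaped like the listenerPorts entries of a WebSphere 5.1 server.xml and the factories entries of resources.xml; the element names, the attribute names and the kind attribute that stands in for the real file's type marker are assumptions. A reference that differs from a defined name only in case is reported separately from a destination that was never created, because the two need different fixes. The same check can be applied by hand to the values in the tables on this page.

```python
"""Cross-check message listener ports against the JMS objects they reference (added example)."""
import xml.etree.ElementTree as ET

# Constructed: queue connection factory and queue destinations at the server level.
SAMPLE_RESOURCES_XML = """<resources>
  <factories kind="WASQueueConnectionFactory" name="ITIM Queue Connection Factory"
             jndiName="enrole.jms.QueueConnectionFactory"/>
  <factories kind="WASQueue" name="itim_wf" jndiName="WorkflowQueue"/>
  <factories kind="WASQueue" name="itim_ms" jndiName="mailServicesQueue"/>
  <factories kind="WASQueue" name="itim_rs_pending" jndiName="remotePendingQueue"/>
</resources>
"""

# Constructed: listener ports as defined on an application server.
SAMPLE_SERVER_XML = """<server>
  <listenerPorts name="ITIMLocalWorkflowListenerPort"
                 connectionFactoryJNDIName="enrole.jms.QueueConnectionFactory"
                 destinationJNDIName="workflowQueue" maxSessions="10" maxRetries="100"/>
  <listenerPorts name="ITIMMailServicesListenerPort"
                 connectionFactoryJNDIName="enrole.jms.QueueConnectionFactory"
                 destinationJNDIName="mailServicesQueue" maxSessions="3" maxRetries="100"/>
  <listenerPorts name="ITIMRemoteServicesPendingListenerPort"
                 connectionFactoryJNDIName="enrole.jms.QueueConnectionFactory"
                 destinationJNDIName="remoteServicesPendingQueue" maxSessions="5" maxRetries="100"/>
</server>
"""


def jndi_names(resources_xml: str, kind: str) -> set:
    """JNDI names of all factories of the given kind."""
    root = ET.fromstring(resources_xml)
    return {f.get("jndiName") for f in root.iter("factories") if f.get("kind") == kind}


def check_listener_ports(server_xml: str, resources_xml: str) -> list:
    """Return (port, attribute, reference, problem) for every reference that does not resolve."""
    defined = {
        "connectionFactoryJNDIName": jndi_names(resources_xml, "WASQueueConnectionFactory"),
        "destinationJNDIName": jndi_names(resources_xml, "WASQueue"),
    }
    problems = []
    for port in ET.fromstring(server_xml).iter("listenerPorts"):
        for attr, names in defined.items():
            ref = port.get(attr) or ""
            if ref in names:
                continue  # exact, case-sensitive match: the lookup will succeed
            near = sorted(n for n in names if n.lower() == ref.lower())
            problem = f"case mismatch with {near[0]}" if near else "not defined"
            problems.append((port.get("name"), attr, ref, problem))
    return problems


def report(server_xml: str = SAMPLE_SERVER_XML, resources_xml: str = SAMPLE_RESOURCES_XML) -> int:
    """Print each problem and return the count, usable as a script exit status."""
    problems = check_listener_ports(server_xml, resources_xml)
    for port, attr, ref, problem in problems:
        print(f"{port}: {attr}={ref!r} {problem}")
    return len(problems)


if __name__ == "__main__":
    raise SystemExit(min(report(), 1))
```

On the constructed input the check reports one case mismatch (workflowQueue against WorkflowQueue) and one destination that does not exist; a clean configuration returns an empty list. To run it against a real cell, read the server's server.xml and resources.xml from the WebSphere config directory and adapt the element and attribute names to the file format you find there.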
Configuring the internal JMS server
The Tivoli Identity Manager installation program creates the internal JMS server
for a single-server configuration and for all cluster members in a Tivoli Identity
Manager cluster configuration.
To verify the internal JMS server, complete these steps:
1. Access the internal JMS server definition window. Complete these steps:
v Single-server configuration: Click Servers –> Application Servers –>
servername –> Server Component –> Internal JMS Server.
v Each cluster member: Click Servers –> JMS Servers –> jmsservername.
2. Verify the following queue names, which should match the queue names
specified on the queue destination:
v itim_ms
v itim_rs
v itim_wf
v itim_rs_pending
v itim_ps
v itim_adhocSync
v itim_wf_shared
v itim_policy
v itim_policy_simulation
For more information on queue destinations, see “Creating Tivoli Identity
Manager JMS objects at the cell level” on page 131 and “Creating Tivoli
Identity Manager JMS objects at the server level” on page 132.
3. Verify the queue values in Table 37:
Table 37. Queue values
Field Value
Number of Threads 20
Initial State Started
Updating the JVM classpath
The Tivoli Identity Manager installation program updates the internal Java Virtual
Machine (JVM) classpath for a single-server configuration and for all cluster
members in a Tivoli Identity Manager cluster configuration.
To verify the JVM classpath, specify the ITIM_HOME/data directory in the JVM
classpath. The PropertiesManager uses the JVM classpath to resolve the location of
this directory. Complete these steps:
1. Access the Java Virtual Machine definition window. Complete these steps:
v Single-server configuration: Click Servers –> Application Servers –>
servername –> Process Definition –>Java Virtual Machine.
v Each cluster member: Click Servers –> Application Servers –>
clustermembername –> Process Definition –> Java Virtual Machine.
2. Verify ${ITIM_HOME}/data in the Classpath attribute.
Overriding client encoding
The Tivoli Identity Manager installation program ensures that the JVM overrides
client encoding with UTF-8 encoding for a single-server configuration and for all
cluster members in a Tivoli Identity Manager cluster configuration.
To verify that the JVM overrides client encoding with UTF-8 encoding, complete
these steps:
1. Access the Java Virtual Machine definition window. Complete these steps:
v Single-server configuration: Click Servers –> Application Servers –>
servername –> Process Definition –> Java Virtual Machine.
v Each cluster member: Click Servers –> Application Servers –>
clustermembername –> Process Definition –> Java Virtual Machine.
2. Verify -Dclient.encoding.override=UTF-8 in the Generic JVM arguments
attribute.
Deploying and configuring the Tivoli Identity Manager J2EE application
The Tivoli Identity Manager installation program performs additional steps to
deploy and configure the Tivoli Identity Manager J2EE application for a
single-server configuration and for the deployment manager in a Tivoli Identity
Manager cluster configuration.
Tivoli Identity Manager installation program performs the following tasks to
deploy and configure the Tivoli Identity Manager J2EE application:
1. “Deploying Tivoli Identity Manager on the WebSphere Application Server”
2. “Configuring application classloader settings” on page 139
3. “Regenerating the WebSphere Web Server plug-in” on page 139
4. “Configuring the JAAS login module” on page 139
5. “Configuring the JAAS login module for JNDI feed” on page 139
Deploying Tivoli Identity Manager on the WebSphere
Application Server
The Tivoli Identity Manager installation program deploys Tivoli Identity Manager
on the WebSphere Application Server. Tivoli Identity Manager can also be
deployed with the following steps:
1. Click Applications –> Install New Application.
2. On the next series of windows to prepare for application installation, complete
these steps:
a. Verify the value ITIM_HOME/enrole.ear in the Server path field. Click Next.
b. On the next window, accept all the default values to generate bindings and
mappings. Click Next.
3. On the next series of windows to install a new application, complete these
steps:
a. Provide the values in Table 38 for options to install a new application.
Accept the default values for all other fields, then click Next.
Table 38. Installation values
Field Value
Pre-compile JSP True
b. For the next series of windows, accept the default values, and then click
Next:
1) Deploy EJBs
2) Provide JNDI names for beans
3) Map virtual hosts for web modules
4) Map modules to application servers
c. On the window to map security roles to users and groups, enter the value
Everyone=true in the ITIM_SYSTEM field. Then, click Next.
d. On the Summary window, review the options.
Configuring application classloader settings
To verify configuration of application classloader settings, complete these steps:
1. Click Applications –> Enterprise Applications –> enRole.
2. Verify the values in Table 39.
Table 39. Application classloader values
Field                     Value
Classloader Mode          PARENT_LAST
WAR Classloader Policy    Application
Regenerating the WebSphere Web Server plug-in
The Tivoli Identity Manager installation program regenerates the WebSphere Web
Server plug-in after deploying Tivoli Identity Manager. To regenerate the
WebSphere Web Server plug-in, click Environment –> Update Web Server Plugin.
Configuring the JAAS login module
To verify configuration of the JAAS login module, complete these steps:
1. Click Security –> JAAS Configuration –> Application Logins.
2. Click New and enter the alias name ITIM in the General Properties field. Then,
click OK.
3. Click the ITIM link in the Application Login Configuration/ITIM window.
4. On the Application Login Configuration/ITIM window, click the JAAS Login
Modules link.
5. Verify the module classname as
com.ibm.itim.apps.jaas.spi.PlatformLoginModule.
Configuring the JAAS login module for JNDI feed
The Tivoli Identity Manager Server provides a Java Naming and Directory (JNDI)
Service Provider that can be used as a programming interface to deliver human
resources database changes to the server. To verify configuration of the JAAS login
module for JNDI feed, complete these steps:
1. Click Security –> JAAS Configuration –> Application Logins.
2. Click New and enter the alias name serviceLoginContext in the General
Properties field. Then, click OK.
3. Click the serviceLoginContext link in the Application Login Configuration
window.
4. On the Application Login Configuration/ServiceLogonContext window, click
the JAAS Login Modules link.
5. Verify the module classname as
com.ibm.remoteservices.provider.itim.ServiceLoginModule.
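As an added example, not code from this guide or from the product, the following Python script parses a JAAS login configuration written in the standard Java login-configuration syntax (the file format read through java.security.auth.login.config) and checks that the two aliases verified above, ITIM and serviceLoginContext, map to the module class names this appendix documents. The WebSphere administrative console keeps these entries in its own configuration repository rather than in such a file, so the sample configuration text, the alias-to-class table and the helper names (parse_jaas_config, check_login_modules) are assumptions constructed here for illustration; the comparison itself is the check that step 5 of each procedure performs by hand.

```python
"""Check a JAAS login configuration against the login module class names
documented for the ITIM and serviceLoginContext aliases.

Added example; not shipped with Tivoli Identity Manager or WebSphere.
Assumes the standard JAAS login configuration syntax:

    Alias {
        fully.qualified.ModuleClass flag [option=value ...];
    };
"""
import re

# Aliases and module class names as documented in this appendix.
EXPECTED_MODULES = {
    "ITIM": "com.ibm.itim.apps.jaas.spi.PlatformLoginModule",
    "serviceLoginContext": "com.ibm.remoteservices.provider.itim.ServiceLoginModule",
}

# Constructed sample (not a product file): the first alias is correct,
# the second points at a module class the guide does not document.
SAMPLE_CONFIG = """
// constructed sample configuration
ITIM {
    com.ibm.itim.apps.jaas.spi.PlatformLoginModule required;
};

serviceLoginContext {
    com.example.SomeOtherLoginModule required debug=true;
};
"""

# One login configuration entry: alias, body, closing "};"
_ENTRY_RE = re.compile(r"(\w+)\s*\{(.*?)\}\s*;", re.DOTALL)
# One login module line inside an entry: class name, control flag, options
_MODULE_RE = re.compile(
    r"([\w.$]+)\s+(required|requisite|sufficient|optional)\b([^;]*);",
    re.IGNORECASE,
)


def strip_comments(text):
    """Remove the /* */ and // comments the JAAS config syntax allows."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    return re.sub(r"//[^\n]*", "", text)


def parse_jaas_config(text):
    """Return {alias: [(module_class, flag, {option: value}), ...]}."""
    entries = {}
    for alias, body in _ENTRY_RE.findall(strip_comments(text)):
        modules = []
        for cls, flag, opts in _MODULE_RE.findall(body):
            options = dict(re.findall(r'(\w+)\s*=\s*"?([^\s"]+)"?', opts))
            modules.append((cls, flag.lower(), options))
        entries[alias] = modules
    return entries


def check_login_modules(text, expected=EXPECTED_MODULES):
    """Compare each documented alias with what the configuration contains.

    Returns {alias: status}, where status is "ok", "missing alias",
    "no login module" or "unexpected module <class names>".
    """
    parsed = parse_jaas_config(text)
    result = {}
    for alias, wanted in expected.items():
        modules = parsed.get(alias)
        if modules is None:
            result[alias] = "missing alias"
        elif not modules:
            result[alias] = "no login module"
        elif all(cls != wanted for cls, _, _ in modules):
            found = ", ".join(cls for cls, _, _ in modules)
            result[alias] = "unexpected module " + found
        else:
            result[alias] = "ok"
    return result


if __name__ == "__main__":
    for alias, status in check_login_modules(SAMPLE_CONFIG).items():
        print(alias + ": " + status)
```

Run against the constructed sample, the script reports ITIM as ok and flags serviceLoginContext because its module class differs from the documented one; pointing it at an exported configuration turns the two manual verification steps into a repeatable check.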
Appendix E. Support information
This section describes the following options for obtaining support for IBM
products:
• “Searching knowledge bases”
• “Obtaining fixes” on page 142
• “Contacting IBM Software Support” on page 142
Searching knowledge bases
If you have a problem with your IBM software, you want it resolved quickly. Begin
by searching the available knowledge bases to determine whether the resolution to
your problem is already documented.
Search the information center on your local system or
network
IBM provides extensive documentation that can be installed on your local
computer or on an intranet server. You can use the search function of this
information center to query conceptual information, instructions for completing
tasks, reference information, and support documents.
Search the Internet
If you cannot find an answer to your question in the information center, search the
Internet for the latest, most complete information that might help you resolve your
problem. To locate Internet resources for your product, open one of the following
Web sites:
• IBM Tivoli Identity Manager Performance Tuning Guide
Provides information needed to tune Tivoli Identity Manager Server for a
production environment. It is available on the Web at:
http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
Click the I character in the A-Z product list, and then, click the IBM Tivoli
Identity Manager link. Browse the information center for the Technical
Supplements section.
• Redbooks and white papers are available on the Web at:
http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliIdentityManager.html
Browse to the Self Help section, in the Learn category, and click the Redbooks
link.
• Technotes are available on the Web at:
http://www.redbooks.ibm.com/redbooks.nsf/tips/
• Field guides are available on the Web at:
http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html
• For an extended list of other Tivoli Identity Manager resources, search the
following IBM developerWorks Web site:
http://www.ibm.com/developerworks/
Obtaining fixes
A product fix might be available to resolve your problem. You can determine what
fixes are available for your IBM software product by checking the product support
Web site:
1. Go to the IBM Software Support Web site
(http://www.ibm.com/software/support).
2. Under Products support pages A to Z, select the letter for your product name.
3. In the list of specific products, click IBM Tivoli Identity Manager.
4. Under Self help, you find a list of fixes, fix packs, and other service updates
for your product.
5. Click the name of a fix to read the description and optionally download the fix.
To receive weekly e-mail notifications about fixes and other news about IBM
products, follow these steps:
1. From the support page for any IBM product, click My support in the upper-left
corner of the page.
2. If you have already registered, skip to the next step. If you have not registered,
click register in the upper-right corner of the support page to establish your
user ID and password.
3. Sign in to My support.
4. On the My support page, click Edit profiles in the left navigation pane, and
scroll to Select Mail Preferences. Select a product family and check the
appropriate boxes for the type of information you want.
5. Click Submit.
6. For e-mail notification for other products, repeat Steps 4 and 5.
For more information about types of fixes, see the Software Support Handbook
(http://techsupport.services.ibm.com/guides/handbook.html).
Contacting IBM Software Support
IBM Software Support provides assistance with product defects.
Before contacting IBM Software Support, your company must have an active IBM
software maintenance contract, and you must be authorized to submit problems to
IBM. The type of software maintenance contract that you need depends on the
type of product you have:
• For IBM distributed software products (including, but not limited to, Tivoli,
Lotus, and Rational products, as well as DB2 and WebSphere products that run
on Windows or UNIX operating systems), enroll in Passport Advantage in one
of the following ways:
– Online: Go to the Passport Advantage Web page
(http://www.lotus.com/services/passport.nsf/WebDocs/Passport_Advantage_Home)
and click How to Enroll
– By phone: For the phone number to call in your country, go to the IBM
Software Support Web site
(http://techsupport.services.ibm.com/guides/contacts.html) and click the
name of your geographic region.
• For IBM eServer software products (including, but not limited to, DB2 and
WebSphere products that run in zSeries, pSeries, and iSeries environments), you
can purchase a software maintenance agreement by working directly with an
IBM sales representative or an IBM Business Partner. For more information
about support for eServer software products, go to the IBM Technical Support
Advantage Web page (http://www.ibm.com/servers/eserver/techsupport.html).
If you are not sure what type of software maintenance contract you need, call
1-800-IBMSERV (1-800-426-7378) in the United States or, from other countries, go to
the contacts page of the IBM Software Support Handbook on the Web
(http://techsupport.services.ibm.com/guides/contacts.html) and click the name of
your geographic region for phone numbers of people who provide support for
your location.
Follow the steps in this topic to contact IBM Software Support:
1. Determine the business impact of your problem.
2. Describe your problem and gather background information.
3. Submit your problem to IBM Software Support.
Determine the business impact of your problem
When you report a problem to IBM, you are asked to supply a severity level.
Therefore, you need to understand and assess the business impact of the problem
you are reporting. Use the following criteria:
Severity 1 Critical business impact: You are unable to use the program,
resulting in a critical impact on operations. This condition
requires an immediate solution.
Severity 2 Significant business impact: The program is usable but is
severely limited.
Severity 3 Some business impact: The program is usable with less
significant features (not critical to operations) unavailable.
Severity 4 Minimal business impact: The problem causes little impact on
operations, or a reasonable circumvention to the problem has
been implemented.
Describe your problem and gather background information
When explaining a problem to IBM, be as specific as possible. Include all relevant
background information so that IBM Software Support specialists can help you
solve the problem efficiently. To save time, know the answers to these questions:
• What software versions were you running when the problem occurred?
• Do you have logs, traces, and messages that are related to the problem
symptoms? IBM Software Support is likely to ask for this information.
• Can the problem be re-created? If so, what steps led to the failure?
• Have any changes been made to the system? (For example, hardware, operating
system, networking software, and so on.)
• Are you currently using a workaround for this problem? If so, please be
prepared to explain it when you report the problem.
The Tivoli Identity Manager serviceability tool assists in gathering information for
working with an IBM Software Support representative. The tool collects Tivoli
Identity Manager related log files, performs a check of the product JAR files,
gathers some limited configuration details, and creates a compressed file that
contains this information. The compressed file can then be transferred or e-mailed
to a support representative.
Use this tool only when directed to by your support representative. For more
information, refer to the IBM Tivoli Identity Manager Problem Determination Guide.
Submit your problem to IBM Software Support
You can submit your problem in one of two ways:
• Online: Go to the “Submit and track problems” page on the IBM Software
Support site (http://www.ibm.com/software/support/probsub.html). Enter
your information into the appropriate problem submission tool.
• By phone: For the phone number to call in your country, go to the contacts page
of the IBM Software Support Handbook on the Web
(http://techsupport.services.ibm.com/guides/contacts.html) and click the name
of your geographic region.
If the problem you submit is for a software defect or for missing or inaccurate
documentation, IBM Software Support creates an Authorized Program Analysis
Report (APAR). The APAR describes the problem in detail. Whenever possible,
IBM Software Support provides a workaround for you to implement until the
APAR is resolved and a fix is delivered. IBM publishes resolved APARs on the
IBM product support Web pages daily, so that other users who experience the
same problem can benefit from the same resolutions.
For more information about problem resolution, see “Searching knowledge bases”
on page 141 and “Obtaining fixes” on page 142.
Appendix F. Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in
other countries. Consult your local IBM representative for information on the
products and services currently available in your area. Any reference to an IBM
product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product,
program, or service that does not infringe any IBM intellectual property right may
be used instead. However, it is the user’s responsibility to evaluate and verify the
operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not give you
any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM
Intellectual Property Department in your country or send inquiries, in writing, to:
IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan
The following paragraph does not apply to the United Kingdom or any other
country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS
PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or
implied warranties in certain transactions, therefore, this statement may not apply
to you.
This information could include technical inaccuracies or typographical errors.
Changes are periodically made to the information herein; these changes will be
incorporated in new editions of the publication. IBM may make improvements
and/or changes in the product(s) and/or the program(s) described in this
publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those Web
sites. The materials at those Web sites are not part of the materials for this IBM
product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently created
programs and other programs (including this one) and (ii) the mutual use of the
information which has been exchanged should contact:
IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758
U.S.A.
Such information may be available, subject to appropriate terms and conditions,
including in some cases, payment of a fee.
The licensed program described in this information and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement, or any equivalent agreement
between us.
Any performance data contained herein was determined in a controlled
environment. Therefore, the results obtained in other operating environments may
vary significantly. Some measurements may have been made on development-level
systems and there is no guarantee that these measurements will be the same on
generally available systems. Furthermore, some measurements may have been
estimated through extrapolation. Actual results may vary. Users of this document
should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of
those products, their published announcements or other publicly available sources.
IBM has not tested those products and cannot confirm the accuracy of
performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the
suppliers of those products.
Trademarks
The following terms are trademarks or registered trademarks of International
Business Machines Corporation in the United States, other countries, or both: IBM,
IBM logo, AIX, DB2, Domino, Lotus, SecureWay, Tivoli, Tivoli logo, Universal
Database, WebSphere.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of
Microsoft Corporation in the United States, other countries, or both.
Intel, Intel Inside (logos), MMX and Pentium are trademarks of Intel Corporation
in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other
countries.
Linux is a trademark of Linus Torvalds in the U.S., other countries, or both.
Java and all Java-based trademarks are trademarks of Sun
Microsystems, Inc. in the United States, other countries, or
both.
Other company, product, and service names may be trademarks or service marks
of others.
Glossary
A
access. (1) The ability to read, update, delete, or
otherwise use a resource. Access to protected resources
is usually controlled by system software. (2) The ability
to use data that is stored and protected on a computer
system.
access control. In computer security, the process of
ensuring that the resources of a computer system can
be accessed only by principals in authorized ways. See
also principal.
access control list. In computer security, a list that is
associated with a resource that identifies all the
principals that can access the resource and the
permissions for those principals. See also permission
and principal.
access control item (ACI). Data that (a) identifies the
permissions of principals and (b) is assigned to a
resource.
account. An entity that contains a set of parameters
that define the application-specific attributes of a
principal, which include the identity, user profile, and
credentials.
ACI target. The resource for which you define the
access control items. For example, an ACI target can be
a service.
activity. The smallest unit of work in a workflow. See
also workflow.
adapter. (1) A set of software components that
communicate with an integration broker and with
applications or technologies in order to perform tasks,
such as executing application logic or exchanging data.
(2) A transparent, intermediary software component
that allows different software components with
different interfaces to work together.
administrative domain. A logical collection of
resources that is used to separate responsibilities and
manage permissions. See also permission.
adopt. To assign an orphan account to the appropriate
owner.
adoption rules. The set of rules that determine which
orphan accounts belong to which owners. See also
orphan account.
agent. A process that manages target resources on
behalf of a system in order to respond to requests.
aggregate message. A collection of notification
messages that are combined into a single e-mail, along
with optional user defined text.
alias. In identity management, an identity for a user,
which might match the user ID. The alias is used
during reconciliation to determine who owns the
account. A person can have several aliases, for example,
GSmith, GWSmith, and SmithG.
application server. A server program in a distributed
network that provides the execution environment for
an application program.
application user administrator. A type of person who
uses Tivoli Identity Manager to set up and administer
(a) the services that are managed by Tivoli Identity
Manager or (b) the Tivoli Identity Manager users of
those services.
approval. A type of workflow activity that allows
someone to approve or reject a request. See also
workflow.
audit trail. A chronological record of events or
transactions. You can use audit trails for examining or
reconstructing a sequence of events or transactions,
managing security, and for recovering lost transactions.
authentication. The process of verifying that an entity
is the entity that it claims to be, often by verifying a
user ID and password combination. Authentication
does not identify the permissions that a person has in
the system. See also authorization.
authorization. The process of granting a user either
complete or restricted access to an object, resource, or
function. See also authentication.
authorization owner. A user who can manage access
control items (ACIs) for a resource.
C
Certificate Authority (CA). An organization that
issues certificates. The CA authenticates the certificate
owner’s identity and the services that the owner is
authorized to use, issues new certificates, renews
existing certificates, and revokes certificates that belong
to users who are no longer authorized to use them.
challenge-response authentication. An authentication
method that requires users to respond to a prompt by
providing information to verify their identity when
they log in to the system. For example, when users
forget their password, they are prompted (challenged)
with a question to which they must provide an answer
(response) in order to either receive a new password or
receive a hint for specifying the correct password.
Common Criteria. A standardized method, which is
used by international governments, the United States
federal government, and other organizations, for
expressing security requirements in order to assess the
security and assurance of technology products.
connector. A plug-in that is used to access and update
data sources. A connector accesses the data and
separates out the details of data manipulations and
relationships. See also adapter.
credentials. Authentication information that is
associated with a principal. See also authentication and
principal.
D
DAML. See Directory Access Markup Language.
data model. A description of the organization of data
in a manner that reflects the information structure of an
enterprise.
data warehouse. (1) A subject-oriented collection of
data that is used to support strategic decision making.
(2) A central repository for all or significant parts of the
data that an organization’s business systems collect.
delegate (noun). The user who is designated to
approve requests or provide information for requests
for another user.
delegate (verb). (1) To assign all or a subset of
administrator privileges to another user, such that the
user can perform all or a subset of administrator
activities for a specific set of the users. (2) To designate
a user to approve requests or provide information for
requests for another user.
delegate administrator. The user who has all or a
subset of administrator privileges over a specific set of
users.
delegate administration. The ability to apply all or a
subset of administrator privileges to another user (the
delegate administrator), such that the user can perform
all or a subset of administrator activities for a specific
set of the users.
deprovision. To remove a service or component. For
example, to deprovision an account means to delete an
account from a resource. See also provision.
digital certificate. An electronic document that is used
to identify an individual, server, company, or some
other entity, and to associate a public key with the
entity. A digital certificate is issued by a certification
authority and is digitally signed by that authority. See
also Certificate Authority.
Directory Access Markup Language (DAML). An
XML specification that extends the functions of
Directory Services Markup Language (DSML) 1.0 in
order to represent directory operations. In Tivoli
Identity Manager, DAML is mainly used for server to
agent communications. See also Directory Services
Markup Language v2.0.
directory server. A server that can add, delete, change,
or search directory information on behalf of a client.
Directory Services Markup Language v1.0 (DSMLv1).
An XML implementation that describes the structure of
data in a directory and the state of the directory. DSML
can be used to locate data into a directory. DSMLv1 is
an open standard defined by OASIS. Contrast with
Directory Services Markup Language v2.0.
Directory Services Markup Language v2.0 (DSMLv2).
An XML implementation that describes the operations
that a directory can perform (such as how to create,
modify, and delete data) as well as the results of those
operations. Whereas DSMLv1 can be used to describe
the structure of data in a directory, DSMLv2 can be
used to communicate with other products about that
data. DSMLv2 is an open standard defined by OASIS.
Contrast with DSMLv1.
distinguished name (DN). The name that uniquely
identifies an entry in a directory. A distinguished name
is made up of name-component pairs. For example,
CN=John Doe, O=My Organization, C=US.
domain administrator. The owner of an
administrative domain. See also administrative domain.
dynamic content tags. A set of XML tags (based on
the XML Text Template Language (XTTL) schema) that
allows the administrator to provide customized
information in a message, notification, or report. See
also XML Text Template Language.
dynamic organizational role. An organizational role
that is assigned to a person by using an LDAP filter.
When a user is added to the system and the LDAP
filter parameters are met, the user is automatically
added to the dynamic organizational role. See also
organizational role.
E
entitlement. In security management, a data structure,
service, or list of attributes that contains externalized
security policy information.
entitlement workflow. A workflow that defines the
business logic that is used when provisioning a policy.
For example, an entitlement workflow is used to define
approvals for managing accounts. See also workflow.
entity. A person or object about which you want to
store information or manage. For example, a person
and an organization are both entities.
entity type. Categories of managed objects. See also
entity.
escalation. The process that defines what happens and
who acts when an activity has not been completed in
the specified amount of time.
escalation limit. The amount of time, for example,
hours or days, that a participant has to respond to a
request, before an escalation occurs.
event. The encapsulated data that is sent as a result of
an occurrence, or situation, in the system.
F
failover. An operation that switches a system to a
redundant or standby system when services fail.
FESI extension. A Java extension that can be used to
enhance JavaScript code and then be embedded within
a FESI script.
Free EcmaScript Interpreter (FESI). An
implementation of the EcmaScript scripting language,
which is an ISO standard scripting language that is
similar to the JavaScript scripting language.
G
group. A collection of Tivoli Identity Manager users.
H
help desk assistant. A person who uses Tivoli Identity
Manager to assist users and managers with managing
their accounts and passwords.
I
identity. The subset of profile data that uniquely
represents a person or entity and that is stored in one
or more repositories.
identity feed. The automated process of creating one
or more identities from one or more common sources
of identity data.
identity policy. The policy that defines the user ID to
be used when creating an account for a user.
IIOP (Internet Inter-ORB Protocol). A protocol that is
used for communication between Common Object
Request Broker Architecture (CORBA) object request
brokers (ORBs).
ITIM group. A list of Tivoli Identity Manager
accounts. Membership within an ITIM group
determines the access to data within Tivoli Identity
Manager.
ITIM user. A user who has a Tivoli Identity Manager
account.
J
JDBC (Java Database Connectivity). An industry
standard for database-independent connectivity
between the Java platform and a wide range of
databases. The JDBC interface provides a call-level API
for SQL-based database access.
join directive. The set of rules that define how to
handle attributes when two or more provisioning
policies are applied. Two or more policies might have
overlapping scope, so the join directive specifies what
actions to take when this overlap occurs.
L
LDAP (Lightweight Directory Access Protocol). An
open protocol that uses TCP/IP to provide access to
directories that support an X.500 model and that does
not incur the resource requirements of the more
complex X.500 Directory Access Protocol (DAP). For
example, LDAP can be used to locate people,
organizations, and other resources in an Internet or
intranet directory.
LDAP directory. A hierarchical directory of names that
can reflect an organization’s structure or geography and
that is accessed using LDAP.
LDAP filter. A search filter that narrows the results
from an LDAP search.
LDIF (LDAP Data Interchange Format). A file format
that is used to describe directory information as well as
changes that need to be applied to a directory, such
that directory information can be exchanged between
directory servers that are using LDAP.
life cycle. Passage or transformation through different
stages over time. For example markets, brands, and
offerings have life cycles.
life cycle rules. A set of rules in a policy that
determine which operations to use when automatically
handling commonly occurring events, such as
suspending an account that has been inactive for a
period of time.
location. An entity that is a subdivision of an
organization, usually based on geographical area.
M
mail. A type of workflow activity that sends a
notification to one or more users about a request.
managed resource. An entity that exists in the runtime
environment of an IT system and that can be managed.
manager. A type of person who uses Tivoli Identity
Manager to manage their own accounts and passwords
or the accounts and passwords of those people that
they supervise.
manual service. A type of service that requires
manual intervention by the service owner to complete
the provisioning request.
N
namespace. (1) The set of unique names that a service
recognizes. (2) Space reserved by a file system to
contain the names of its objects.
nested group. A group that contains another group.
See also group.
notification. A message that is sent to a user and that
explains the actions that were taken for a request.
O
operation. An action that can be performed against an
object; for example, add, modify, or delete.
operational workflow. A workflow that defines the
lifecycle process for accounts, persons, and other
entities. See also workflow.
organization. A hierarchical arrangement of
organizational units, such that each user is included
once and only once. See also organizational unit.
organization tree. A hierarchical structure of an
organization that provides a logical place to create,
access, and store organizational information.
organizational container. An organization,
organizational unit, location, business partner unit, or
administration domain.
organizational role. In identity management, a list of
account owners that is used to determine which
entitlements are provisioned to them. See also dynamic
organizational role and static organizational role.
organizational unit. A type of organizational
container that represents a department or similar
grouping of people.
orphan account. On a managed resource, an account
whose owner cannot be automatically determined by
the provisioning system.
P
participant. In identity management, an individual, a
role, a group, or a JavaScript script that has the
authority to respond to a request that is part of a
workflow. See also workflow.
password. In computer and network security, a
specific string of characters that is used by a program,
computer operator, or user to access the system and the
information stored within it.
password retrieval. The method of retrieving a new or
changed password by accessing a designated Web site
and specifying a shared secret. See also shared secret.
password strength rules. The set of rules that a
password must conform to, such as the length of the
password and the type of characters that are allowed
(or not allowed) in the password.
password strength policy. A policy that defines the
password strength rules. A password strength policy is
applied whenever a password is set or modified.
password synchronization. The process of
coordinating passwords across services and systems
such that only a single password is needed to access
those multiple services and systems.
permission. Authorization to perform activities on
resources, such as reading and writing local files,
creating network connections, and loading native code.
person. An individual in the system that has a person
record in one or more corporate directories.
plug-in. A software module that adds function to an
existing program or application.
policy. A set of considerations that influence the
behavior of a managed resource or a user.
post office. A component that collects notifications
from the appropriate workflow activities and
distributes those notifications to the appropriate
workflow participants.
principal. A person or group that has been granted
permissions.
privilege. See permission.
profile. Data that describes the characteristics of a
user, group, resource, program, device, or remote
location.
provision. (1) To set up and maintain the access of a
user to a system. (2) To create an account on a
managed resource.
provisioning. The process of providing, deploying,
and tracking a service or component.
152 IBM Tivoli Identity Manager: Server Installation and Configuration Guide for WebSphere Environments
provisioning policy. A policy that defines the access
to various managed resources, such as applications or
operating systems. Access is granted to all users, users
with a specific role, or users who are not members of a
specific role.
R
reconciliation. The process of synchronizing data in a
central data repository with data on a managed
resource.
registration. The process of accessing a system and
requesting an account on that system.
registry. A repository that contains access and
configuration information for users, systems, and
software.
relationship. A defined association between two or
more data entities, which is used when defining a Free
EcmaScript Interpreter (FESI) extension or when
customizing the graphical user interface.
relevant data. The data that is used to complete a
workflow activity in a workflow operation at runtime.
See also workflow.
repository. A persistent storage area for data and
other application resources. Common types of
repositories are databases, directories, and file systems.
request. The item that initiates a workflow and
instigates the various activities of a workflow. See also
workflow.
request for information (RFI). A workflow activity
that requests additional information from the specified
participant. See also workflow.
resource. A hardware, software, or data entity. See
also managed resource.
restore. To activate an account that was suspended.
rights. See permission.
rule. A set of conditional statements that enable
computer systems to identify relationships and execute
automated responses accordingly.
S
schema. The fields and rules in a repository that
comprise a profile. See also profile.
scope. In identity management, the set of entities that
a policy or an access control item (ACI) can affect.
secure socket layer (SSL). A security protocol that
provides communication privacy. SSL enables
client/server applications to communicate in a way that
is designed to prevent eavesdropping, tampering, and
message forgery.
security. The protection of data, system operations,
and devices from accidental or intentional ruin,
damage, or exposure.
security administrator. A type of person who sets up
and administers Tivoli Identity Manager for users,
managers, help desk assistants, and application user
administrators.
self-registration. See registration.
service. A representation of a managed resource,
application, database, or system.
service owner. A role that identifies the person who
owns and maintains a particular service in Tivoli
Identity Manager. See also service.
service selection policy. A policy that determines
which service to use in a provisioning policy. See also
provisioning policy.
service type. A category of related services that share
the same schemas. See also service.
shared secret. An encrypted value that is used to
retrieve the initial password of a user. This value is
defined when the personal information for the user is
initially loaded into the system.
single signon (SSO). The ability of a user to log on
once and access multiple applications without having
to log on to each application separately.
static organizational role. An organizational role that
is manually assigned to a person. See also
organizational role.
supervisor. A role that identifies the person who
supervises another set of users and who is often
responsible for approving or rejecting requests that are
made by those users.
suspend. To deactivate an account so that the account
owner cannot access the service.
system administrator. A role that identifies the person
who is responsible for the configuration,
administration, and maintenance of Tivoli Identity
Manager.
T
tenant. In a hosted service environment, a virtual
enterprise instance of an application. Each tenant can
share directory servers or relational databases while
remaining completely separate service instances.
Glossary 153
to-do list. A collection of outstanding activities. See
also activity.
topic. The subject of a notification message, which
allows messages to be grouped together based on the
same task.
transition. A connection between two workflow
elements. See also workflow.
U
universally unique identifier (UUID). The 128-bit
numerical identifier that is used to ensure that two
entities do not have the same identifier. The identifier is
unique for all space and time.
user. Any individual, organization, process, device,
program, protocol, or system that uses the services of a
computing system.
V
view. A collection of graphical user interfaces that
represent the set of tasks that a particular type of user
is allowed to perform. Administrators can customize
views to contain different collections of graphical user
interfaces.
W
workflow. The sequence of activities performed in
accordance with the business processes of an enterprise.
See also activity.
work order. A workflow activity that requires a
participant to perform an activity outside of the scope
of the system.
X
XML Text Template Language (XTTL). An XML
schema that provides a means for representing dynamic
content within a message, notification, or report. The
XML tags are also called dynamic content tags. See also
dynamic content tags.
Index
Special characters
.profile file
DB2 UDB profile 57, 73
db2profile command, including in file 57, 73
DBLink exception 102
Oracle 21
"secret", as first password 113
WAS_HOME
WebSphere Application Server base installation directory 114
Numerics
34-bit runtime client on 64-bit operating system 17
389, port 112
50000, default DB2 UDB listening port number 18
64-bit operating system 17
80, port 40
8880, port 40
9080, port 40
9090, port 40
A
accessibility
pdf format, for screen-reader software xi
statement for documentation xi
text, alternative for document images xi
account
LDAP storage 4
remote resource, management 1
active scripting, browser 99
activity.log file 102
activity.log, logon request 102
adapter
agent-less or agent-based 2
definition 2
location 2
profile 58, 76
remote resource 1
secure communication 58, 76
addNode, command 38
addserviceselectionpolicy.xml, workflow process file 117
adhocreporting.properties 117
Admin ID
database field 111
db2admin 111
db2inst1 111
Admin Password, database field 111
administrative
system management interface tool
SMIT 14
system management tool
admintool 14
user
EJB user 41
ID, DB2 UDB 13
itimadmin 41
mapping to role 88
System User 41
wasadmin 41
Administrator 47, 61
admintool, administrative tool (Solaris) 14
alias, database 83
api_ejb.jar 118
app_ctl_heap_sz example, update database 14
applheapsz example, update database 14
application server, WebSphere Application Server 3
ASCII character set
Default Org Short Name field 112
organization name 112
audience, who should read this book vii
authentication alias, itim-init 94
authentication, J2C 129
authority
Administrator 47, 61
database 47, 61
db2admin user 47, 61
installing Tivoli Identity Manager Server 47, 61
logon user ID in Administrator Group 47, 61
root
ensuring 47, 61
was.policy file 41, 88
B
backup
command
backupConfig 119
configuration file, Tivoli Identity Manager 119
Oracle 21
backupConfig, command 119
books
see publications xi
browser
active scripting 99
language default 100
two session problems 100
using supported 99
C
CA certificate
preserved during upgrade 117
requirements 58, 76
cache size, Sun ONE Directory Server 32
catalog, db2 command 16
cell
adding nodes 38
definition 5
WebSphere Application Server 5
certificate
CA, preserved during upgrade 117
demonstration, upgraded 117
identical directory requirement, cluster member 61
server-adapter communication 58, 76
supported certificate types 58, 76
trust store, identical on cluster members 76
© Copyright IBM Corp. 2003, 2006 155
changeserviceselectionpolicy.xml, workflow process file 117
character set, for organization name 112
classloader settings, Tivoli Identity Manager 139
CLASSPATH
example 57, 73
verifying database 94
Classpath field, specifying data directory 102
classpath, JVM 137
cleanup
cron job 82
recycle bin age limit 82
client
database
DB2 UDB 12
on remote computer 12
encoding
overriding 138
UTF-8 138
inactivity timeout 129
interface 1
upgrading duplicate properties files 118
Client Inactivity Timeout 129
cluster
definition 5
deployment 36
deployment manager 39
expanding
new computer 74
installation
flowchart 62
restart after 72
sequence 64, 65
sequential requirement 65
Tivoli Identity Manager Server 61
wizard 65
manual steps to create 39
member
certificate files 61
certificate recognition 61
certificate trust store, identical 76
components, products installed on 6
CustomLabels.properties, stored in Tivoli Identity Manager database 76
definition 6
deployment manager installation deploys Tivoli Identity Manager 64
generating plugin-cfg.xml 75
homogeneous operating system 6
HR feed 61
IBM HTTP Server and WebSphere Web Server plug-in not on every member 37
identical database specification 83
identical directory requirement 61
identical LDAP specification 67
installation sequence after deployment manager 65
multiples on same computer 66
new, adding to cluster 74
partial start 72
removing 75
restriction for Tivoli Identity Manager 6
sourcing DB2 UDB profile on each member 38
sourcing DB2 UDB profile on each member, AIX and Solaris 38
WebSphere Application Server 6
name, WebSphere Application Server field 114
prerequisites
database 61
deployment manager 62
directory server 61
JMS servers 62
node agents 62
WebSphere Application Server base 62
WebSphere Global Security 41
WebSphere global security on? 62
regular 6
remove member 75
Tivoli Identity Manager installation
wizard 65
cn=itimadmin,ou=WasSecurity,dc=com 43
cn=root 28, 112
cn=wasadmin,ou=WasSecurity,dc=com 42
co-existing products
deployment manager 37
HTTP server 100
port reassignment 37
WebSphere Application Server 100
command
addNode 38
backupConfig 119
connect 17
db2
catalog 16
create 14
force application all 15
update 14
db2cmd 14
db2fs 13
db2level 13, 26
db2profile 57, 73
db2set 15
db2start 15, 16
db2stop 15
dspmq 35, 98
java 58, 74
ldapadd 28
ldapcfg 27
ldapClean 82
ldapsearch 28
logon 73, 100
netstat 40
runConfig 80
serverStatus 38, 98
startManager 37
startNode 38, 39
startServer 38, 53
stopServer 53
strmqm 98
versionInfo.bat 109
versionInfo.sh 109
Common Desktop Environment 34
communication with database, profile 38
configuration
database 77
DB2 UDB
create user enrole 14
JDBC driver 4
performance 19
overview 1
SQL Server 2000 23, 24
Sun ONE Directory Server 32
Tivoli Identity Manager
Database tab 83
Directory tab 82
enRole.properties 80
General tab 80
Logging tab 84
Mail tab 84
Security tab 86
UI tab 85
WebSphere Application Server
preserved during upgrade 117
regular-cluster 6
single-server 4
configuration file
httpd.conf 75
ibmslapd.conf 29, 31
timdelref.conf 29, 123
conflict
deployment manager ports 37
HTTP server ports 36
port
80 40, 101
8879 40
9080 40
9090 40
9443 101
conflict with wsmserver 40
reassignment 37, 40
table of numbers assigned 40
unregistered WebSphere Application Server – Express 31
table of port numbers 40
two WebSphere products on same computer 37
connect, db2 command 17
connection
Increment Count 83
Increment Count, LDAP 113
initial JDBC 112
Initial Pool Size 83
Initial Pool Size, LDAP 113
JDBC 84
login delay 84
Max. Pool Size, LDAP 113
maximum JDBC 112
Maximum Pool Size 83
pool, LDAP 31, 83
problems, preventing with LDAP sessions 31
conventions
HOME directory
Tivoli_Common_Directory xiv
DB_INSTANCE_HOME xiii, 127
HTTP_HOME xiv
ITIM_HOME xiv, 127
LDAP_HOME xiii
WAS_HOME xiv, 127
WAS_MQ_HOME xiv
WAS_NDM_HOME xiv
typeface xii
UNIX variable, directory notation xii
used in this document xi
create, db2 command 14
Crystal reports
manual upgrade 118
Crystal Reports
upgrading manually 124
CTGIM, Tivoli Common Directory 52, 68
customer
logo
image file 86
link 86
upgrading manually 123
customer support
see Software Support 142
CustomLabels.properties 76, 117
D
data
directory
contains properties file 102
copied during upgrade 116
specified by Classpath field 102
historical, on database 3, 11
initializing LDAP suffix 28
organizational, on directory server 4, 25
transactional, on database 3, 11
user account, on directory server 4, 25
database
itim_dbname
create 14
update 14
Administrator 47, 61
authentication alias, itim-init 94
authority 47, 61
CLASSPATH 94
client
32-bit DB2 runtime 18
64-bit operating system 18
JDBC driver 4
remote computer 12
command to create 14
configuration
fields 77
initial 77
connection
db2profile 94
testing 94
DB2 UDB
initially empty 12
profile, sourcing 57, 73
select during installation 50, 66
db2admin user 47, 61
enRoleDatabase.properties file 95
field
Admin ID 111
Admin Password 111
Database Name 111
Database Type 111
Database User 111
IP Address 111
Port Number 111
User Password 111
fix pack 13, 26
historical data 3, 11
itimdb 83
database name 14
JDBC connections 84
login delay 84
name
alias 83
itimdb 111
Oracle
.profile file 21
Index 157
environment variables 21
init.ora file 21
install, configure 19
java_pool_size parameter 21
JVM feature required by Tivoli Identity Manager 20
processes parameter 21
select during installation 50, 66
shared_pool_size parameter 21
pool
Initial Capacity 112
Login Delay Seconds 112
Maximum Capacity 112
profile
db2profile command 57, 73
DBLink exception 102
verifying successful 57, 73
schema preserved during upgrade 117
select during installation 50, 66
server, definition 3
session persistence
db2profile 57, 73
Oracle environment variables 21
SQL Server 2000, select during installation 50, 66
tab 83
TCP/IP 15
transactional data 3, 11
type 83
upgrade, schema preserved 117
user enrole 84
Database Name, database field 111
Database Type, database field 111
Database User, database field 111
DB_INSTANCE_HOME
DB2 UDB installation directory xiii, 127
definition xiii, 127
db2 force application all, command 15
db2 command
catalog 16
create 14
update 14
DB2 runtime client
64-bit operating systems 17
computers that require 16
install, configure 16
named pipes, avoiding 16
type of JDBC driver 3
using TCP/IP as protocol 16
DB2 UDB
Administrative user ID 13
client
64-bit operating systems 17
on remote computer 12
command
catalog 16
connect 17
create 14
db2 force application all 15
db2cmd 14
db2set 15
db2start 15
db2stop 15
update 14
configuration
create user enrole 14
EXTSHM environment variable 15
JDBC driver 4
performance 19
service listening port number 18
steps 14
TCP/IP communication 15
db2admin 13
db2inst1, instance name on UNIX or Linux 12
db2profile command 57, 73
deployment 12
First Steps 13
home directory 12
initially empty 12
instance name
db2 on Windows 13
instance, db2inst1 on UNIX or Linux 12
out of memory error 19
profile
sourcing 57, 73
sourcing on each cluster member, AIX and Solaris 38
relation to Tivoli Identity Manager 12
runtime adjustment 14
service name
db2c_DB2 on Windows 18
db2cdb2inst12 on UNIX 18
storage space 19
user named enrole 14
wizard, verifying installation 13
DB2 UDB Server
deployment 12
fix pack 13
install, configure 12
setting up 11
db2admin 13, 111
db2c_DB2, service name on Windows 18
db2cdb2inst12, DB2 service name on UNIX 18
DB2COMM 15, 17
db2fs, command 13
db2inst1, instance name on UNIX or Linux 12
db2inst1, instance owner user name 111
db2level, command 13, 26
db2profile
command 57, 73
in .profile file 57, 73
sourcing, for DB2 UDB 58, 74
db2set
command 14, 15
DB2COMM 15
DB2ENVLIST=EXTSHM 16
db2start, command 15, 16
db2stop, command 15
dbConfig.stdout 102
DBLink exception 102
dc=com
permissions 28
suffix value 112
default
ibm_banner.gif 86
logo image file 86
Default Org Short Name, directory server field 112
delay, database login 112
demonstration certificate upgraded 117
deployment
adapter 2
cluster 39
cluster configuration 36
cluster member 74
DB2 UDB 12
deployment manager 37
IBM HTTP Server 35
IBM Tivoli Directory Server 25
illustration, basic 1
node, add to cell 38
outside cell 45
overview 1
planning steps 7
port conflicts 40
security 40
server 1
WebSphere Application Server 33
WebSphere Application Server base 37
WebSphere embedded messaging 34
WebSphere Web Server plug-in 35, 75
deployment manager
co-existing with WebSphere Application Server base product 37
create cluster 39
database configuration 77
deployment 37
httpd.conf 46
IBM HTTP Server on different computer 75
installing 37
LDAP data repository 79
manual steps to create cluster 39
plugin-cfg.xml 75
plugin-key.kdb 46
plugin-key.sth 46
port conflict 37
propagating Tivoli Identity Manager Server 64
running before installing Tivoli Identity Manager Server 98
startManager command 37
verifying 38
WebSphere Application Server 5
directory
WAS_HOME 114
DB_INSTANCE_HOME xiii, 127
HTTP_HOME xiv
identical requirement, on cluster members 61
installation
DB2 UDB xiii, 127
IBM HTTP Server xiv
IBM Tivoli Directory Server xiii
WebSphere Application Server 114
WebSphere Application Server base product xiv, 127
WebSphere Application Server Network Deployment product xiv
WebSphere MQ xiv
installation for Sun ONE Directory Server xiii
ITIM_HOME xiv, 127
LDAP_HOME xiii
names, UNIX notation xii
WAS_HOME xiv, 114, 127
WAS_MQ_HOME xiv
WAS_NDM_HOME xiv
directory server
definition 4
determination if running 95
field
Default Org Short Name 112
Host name 112
Identity Manager DN Location 112
Increment Count 113
Initial Pool Size 113
Max. Pool Size 113
Name of your organization 112
Number of hash buckets 112
Password 112
Port 112
Principal DN 112
host name 82
ibmslapd process 95
ibmslapd.log file 96
identity management 4
LDAP directory 4
organizational data 4, 25
port number 82
Principal DN 82
process ID (PID) 95
requests locked in running state 96
user account data 4, 25
disabilities, using documentation xi
disable, Java 2 security configuration 45
DN
principal password, as directory server field 112
principal, as directory server field 112
suffix example 28
top entry in a locally-held directory hierarchy 26
documents
related x
Tivoli Identity Manager library vii
domain
object 28
object, ldapadd command 28
objectclass 28
double-byte character set, for organization name 112
driver, JDBC 3, 130
dspmq, command 35, 98
Dynamic Role Add/Modify/Remove, workflow process 117
E
e-mail
address for the Tivoli Identity Manager Server 85
mail gateway 85
system administrator address 85
editing password 91
EJB user
field, WebSphere Application Server 114
initial values 87
itimadmin 88
length limit 87
manual steps 87
mapping 88
updating 87, 88
user name 41
embedded
HTTP transport 96
WebSphere embedded messaging 33
embedded HTTP transport, WebSphere
logon 73, 100
empty, DB2 UDB 12
encryption
checkbox 113
enrole.password.appServer.encrypted 87
enrole.password.database.encrypted 87
enrole.password.ldap.encrypted 87
enRole.properties 87
key 52, 68
key, WebSphere Application Server 113
settings 87
enrole
default user ID, database 84
password identical in enRoleDatabase.properties file 95
required user ID 111
user
create 14
on DB2 server 14
privileges, no special 14
enrole.jms.QueueConnectionFactory 134
enrole.password.appServer.encrypted 87
enrole.password.database.encrypted 87
enrole.password.ldap.encrypted 87
enRole.properties
/data directory 90
configuring Tivoli Identity Manager Server 80
encryption properties 87
preserved during upgrade 117
enRoleAuthentication.properties 117
enRoleDatabase.properties 117
enRoleDatabase.properties file 95
enRoleLDAPConnection.properties 117
enRoleLogging.log4j.properties 123
enRoleLogging.properties file 103
enRoleMail.properties 117
enroleworkflow.properties 117
environment variable
DB2COMM 15
EXTSHM 15
ITIM_DB_JDBC_DRIVER_PATH 128
Oracle 21
processes, Oracle 21
set by Tivoli Identity Manager installation program 128
setting with .profile file 21
shared_pool_size, Oracle 21
UNIX notation xii
exception, DBLink 102
expired password 91
export EXTSHM environment variable 15
EXTSHM
AIX operating system 15
DB2 UDB 15
environment variable
configuration 15
setting in profile file 15
shell for client application shell 15
shell for db2start 15
F
First Steps
DB2 UDB installation 13
verifying WebSphere installation 35
fix pack
database 13, 26
IBM HTTP Server 36
IBM Tivoli Directory Server 26
stopping processes before applying 35
fixes, obtaining 142
flowchart
cluster installation 62
single-server installation 48
G
garbage cleanup
recycle bin age limit 82
schedule_garbage.cron 82
global security
determining state before installation 48, 62
itimadmin 89
wasadmin 89
WebSphere Application Server
EJB User field 114
settings 51, 113
System User field 113
Global Security
configuration 41
group, WebSphere embedded messaging
adding root 34
mqbrkrs 34
mqm 34
H
hash bucket, directory server 112
heap size, DB2 UDB 19
heart beat 81
historical data, on database 11
home directories
DB_INSTANCE_HOME xiii, 127
DB2 UDB 12
HTTP_HOME xiv
ITIM_HOME xiv, 127
LDAP_HOME xiii
WAS_HOME xiv, 127
WAS_MQ_HOME xiv
WAS_NDM_HOME xiv
homogeneous, operating system 6
host name
directory server 82
directory server field 112
Tivoli Identity Manager Server 81
HTTP
embedded HTTP transport, WebSphere 73, 100
server
access 4
definition 4
determine if running 97
multiple on same computer 100
multiple versions 100
not on every cluster member 37
port 80 101
requests 4
WebSphere Web Server plug-in 4
transport
embedded 96
test purposes only 96
HTTP_HOME
definition xiv
IBM HTTP Server installation directory xiv
httpd.conf
WebSphere Web Server plug-in 46
I
IBM HTTP Server
configuring outside cell 45
deployment 35
fix pack for WebSphere Application Server base 36
installing 36
plugin-cfg.xml 75
separate computer recommended 36
IBM Logging Toolkit for Java (JLog) 123
IBM logo file, default 86
IBM Tivoli Directory Server
deployment 25
fix pack 26
install, configure 25
LDAP suffix 26
port conflict 31
referential integrity file 26
setting up 26
ibm_banner.gif 86
ibmdirctl, command 27
ibmslapd
ibmdirctl command, to stop 27
log file 30
process ID 26, 27
process running 95
ibmslapd.conf
LDAP sessions 31
SLAPD_OCHANDLERS 31
ibmslapd.log file 96
identical directory, cluster members 61
identity feed, lost if running during upgrade 117
Identity Manager DN Location, directory server field 112
iKeyman, WebSphere key management utility 58, 76
image
directory 86
installation file name 109
itim-4.6-cd-images-aix.txt 109
itim-4.6-cd-images-linux.txt 109
itim-4.6-cd-images-sun.txt 109
itim-4.6-cd-images-windows.txt 109
logo 86
Increment Count
directory server field 113
LDAP 83
information centers, searching to find software problem resolution 141
init.ora file, Oracle 21
Initial Capacity, database pool field 112
Initial Pool Size
directory server field 113
LDAP 83
instAIX-WAS.bin, installation program 50, 65, 120, 122
installation
deployment manager 37
directory
DB2 UDB xiii, 127
IBM HTTP Server xiv
IBM Tivoli Directory Server xiii
Sun ONE Directory Server xiii
WebSphere Application Server base product xiv, 114, 127
WebSphere Application Server Network Deployment product xiv
WebSphere MQ xiv
IBM HTTP Server 35, 36
image
itim-4.6-cd-images-aix.txt 109
itim-4.6-cd-images-linux.txt 109
itim-4.6-cd-images-sun.txt 109
itim-4.6-cd-images-windows.txt 109
instAIX-WAS.bin 50, 65, 120, 122
instLINUX-WAS.bin 50, 65, 120, 122
instSOL-WAS.bin 50, 65, 120, 122
instWIN-WAS.exe 50, 65, 120, 122
logs 102
restarting clusters 72
select database 50, 66
sequence
cluster 64, 65
single-server 50
SQL Server 2000 23
Tivoli Identity Manager Server
authority 47, 61
cluster 61
flowchart, cluster 62
flowchart, single-server 48
single-server 47
verifying
Tivoli Identity Manager Server 56, 72
WebSphere installation 35
WebSphere Application Server base
for Tivoli Identity Manager Server 37
on node 37
WebSphere Web Server plug-in 35, 36
instance name
DB2 UDB on UNIX or Linux 12
DB2 UDB on Windows 13
instLINUX-WAS.bin, installation program 50, 65, 120, 122
instSOL-WAS.bin, installation program 50, 65, 120, 122
instWIN-WAS.exe, installation program 50, 65, 120, 122
Internet Explorer, active scripting 99
Internet, searching to find software problem resolution 141, 142
IP Address, database field 111
ITIM user 57, 73
itim_adhocSync queue 134
itim_api.jar 118
ITIM_DB_JDBC_DRIVER_PATH 94, 128
ITIM_HOME
definition xiv, 127
directory xiv, 127
itim_install.stderr 102
itim_install.stdout 102
itim_installer_debug.txt 102
itim_ms queue 133
itim_ps queue 134
itim_rs queue 133
itim_rs_pending queue 133
itim_wf queue 133
itim-4.6-cd-images-aix.txt, installation image 109
itim-4.6-cd-images-linux.txt, installation image 109
itim-4.6-cd-images-sun.txt, installation image 109
itim-4.6-cd-images-windows.txt, installation image 109
itim-init, authentication alias 94
ITIMAdhocSyncListenerPort 134
itimadmin
EJB user 41, 88, 89
object 43
user 114
User 43
itimdb
database
database name 14
database name or alias 83
on remote or local computer 111
setting initial values, SQL Server 2000 24
SQL Server 2000 24
ITIMLocalWorkflowListenerPort 135
itimlp_agents_setup.jar 59, 76
itimlp_setup.jar 58, 74
ITIMMailServicesListenerPort 135
ITIMPartitioningServiceListenerPort 135
ITIMPolicyAnalysisListenerPort 136
ITIMPolicySimulationListenerPort 136
ITIMRemoteServicesListenerPort 135
ITIMRemoteServicesPendingListenerPort 136
ITIMSharedWorkflowListenerPort 136
J
J2C authentication 129
JAAS login module
JNDI feed 139
manual deployment 139
jar file
api_ejb.jar 118
itim_api.jar 118
itimlp_agents_setup.jar 59, 76
itimlp_setup.jar 58, 74
jsafe.jar 124
log4j.jar 124
manual upgrade 118
ojdbc14.jar 21
Java 2 security
configuration
multi-node 42
single-node 41
customization, upgrading manually 123
disabling 45
lost during upgrade 118
Java Naming and Directory (JNDI) service provider 139
Java Runtime Environment
language pack 58, 74
required level 58, 74
java_pool_size parameter, Oracle 21
java, command 58, 74
JDBC
connection
fields 84
initial number 112
Maximum Capacity of database pool 112
driver
32-bit DB2 runtime client 18
64-bit operating system 17
DB2 runtime client 3
DB2 UDB database client 4
manual creation 130
ojdbc14.jar 21
SQL Server 2000 database 4
type 2 3
type 4 4
initial connections 112
JLog for logging and alerting 103
JMS objects, create manually
cell level 131
JMS objects, creating manually
server level 132
JMS server
internal, creating manually 137
verifying, single-server 98
WebSphere embedded messaging 3
JNDI feed 139
jsafe.jar 124
JVM classpath 137
K
kernel
settings for DB2 UDB 11
settings for WebSphere embedded messaging
Solaris 34
key
encryption
password 113
WebSphere Application Server 113
plugin-key.kdb file 46
knowledge bases, searching to find software problem resolution 141
L
language
on installation panels 50, 65
pack
default not English 58, 74
installing 58, 74
jar file name 58, 74
Java Runtime Environment 58, 74
specifying at logon 100
LDAP
connection increment 83
connection pool 31, 83
customization, upgrading manually 123
directory server 4
ibmslapd.conf file 31
Increment Count 113
initial configuration 79
initial connections 83
Initial Pool Size 113
Max. Pool Size 113
maximum connections 83
schema customization lost during upgrade 118
sessions 31
suffix
creating 26
definition 26
IBM Tivoli Directory Server 26
initializing with data 28
verifying configuration 28
LDAP_HOME
definition xiii
IBM Tivoli Directory Server installation directory xiii
Sun ONE Directory Server installation directory xiii
ldapadd
add domain object 28
command 28
ldapcfg, command 27
ldapClean, command 82
ldapConfig.stdout 102
ldapsearch, command 28
LDIF
file example 28
ldapadd 28
suffix.ldif file 28
libdelref
success message 30
testing configuration 30
libdelref.a, referential integrity file 29
libdelref.dll, referential integrity file 29
libdelref.so, referential integrity file 29
Lightweight Third Party Authentication (LTPA) 43
limit, recycle bin age 82
limitation
homogeneous operating system 6
vertical cluster configuration 6
list page size, as search control 86
listener
ports, creating manually 134
service, Oracle 23
Log4J logging toolkit setting, upgrading manually 123
log4j.jar 124
logging
dbConfig.stdout 102
enRoleLogging.log4j.properties 123
IBM Logging Toolkit for Java (JLog) 123
ibmslapd.log file 96
itim_install.stderr 102
itim_install.stdout 102
itim_installer_debug.txt 102
ldapConfig.stdout 102
level 113
MAX 84
MED 84
MIN 84
performance settings 84
runConfig.stdout 102
runConfigTmp.stdout 102
setupEnrole.stdout 102
StartStopWas.stdout 102
system properties 90
tab 84
Tivoli_Identity_Manager_InstallLog.log 102
tracing 84
upgrading Log4J logging toolkit setting 123
logging utility
settings 118
login delay
database connections 84
time between database connections 112
logo
customized lost during upgrade 118
customized, upgrading manually 123
default image 86
logon
activity.log file 102
attempts 91
command 73, 100
language default 100
SystemOut.log file 102
logs
avoiding file and disk space problems 103
enRoleLogging.properties file 103
installation 102
msg.log 103
SystemErr.log 103
SystemOut.log 103
trace.log 103
lost password 91
LTPA (Lightweight Third Party Authentication) 43
M
mail
gateway 113
server name 113
tab 84
manuals
see publications xi
MAX, logging 84
Max. Pool Size, directory server field 113
Maximum Capacity, database pool field 112
Maximum Pool Size, LDAP 83
MED, logging 84
memory segments shared, setting with EXTSHM 15
message
preoperation 31
status of WebSphere embedded messaging 35
MIN, logging 84
mqbrkrs group, WebSphere embedded messaging 34
mqm group, WebSphere embedded messaging 34
msg.log
in Tivoli Common Directory 103
verifying Tivoli Identity Manager Server 100
multi-node
Java 2 security configuration 42
security
node synchronization 89
timeout interval 89
multiaccountdelete.xml, workflow process file 117
multiaccountpassword.xml, workflow process file 117
multiaccountrestore.xml, workflow process file 117
multiaccountsuspend.xml, workflow process file 117
multiuserdelete.xml, workflow process file 117
multiusersrestore.xml, workflow process file 117
multiusersuspend.xml, workflow process file 117
Nname
database 83
organization field 112
naming context, definition 26
netstat, command 40
nodeadding to cell 38
agentverifying 38
WebSphere Application Server 5
installing WebSphere Application Server base 37
local alias for DB2 UDB 16
local alias of database 17
name fieldidentical to host name of physical computer 114
WebSphere Application Server 114
synchronization, multi-node deployment 89
WebSphere Application Server 5
notifytemplate.html, workflow process file 117
Number of hash buckets, directory server field 112
Oobjectclass
domain 28
top 28
ojdbc14.jar file, JDBC driver for Oracle 21
online publicationsaccessing xi
operating system64-bit 17
homogeneous 6
identity provisioning 2
Oracle.profile file 21
backup 21
command to start server 23
Index 163
Oracle (continued)
  environment variables 21
  init.ora file 21
  install, configure 19
  java_pool_size parameter 21
  JDBC driver (ojdbc14.jar) 21
  JVM feature required by Tivoli Identity Manager 20
  listener service 23
  processes parameter 21
  session persistence 21
  shared_pool_size parameter 21
  SQL script example 22
organization
  data, on directory server 25
  unit suffix 42
organization name
  formal company name 112
  single or double-byte character set 112
ou=WasSecurity,dc=com 42
out of memory error, DB2 UDB 19
overview of deployment 1

P
password
  "secret" as first password 113
  directory server field 112
  editing 91
  enrole user, password identical in enRoleDatabase.properties file 95
  expiration period 91
  lost 91
  properties file 113
  retrieval expiration period 91
  Tivoli Identity Manager Server field 113
path names, notation xii
pdf format, for screen-reader software xi
performance
  DB2 UDB 19
  distributed environment configuration 5
  LDAP connection 82
  table of log files 103
  tracing level 84
permissions
  dc=com 28
  EJB component 40
  Java 2 security 40
  libdelref file 29
  referential integrity file 29
  was.policy file 41, 88
planning
  activities 9
  authority 9
  change control 10
  list of sites 9
  major steps in installation 7
  script library 10
  troubleshooting 10
  worksheets 10
plug-in
  default installation directory 29
  file permissions 29
  libdelref.a 29
  libdelref.dll 29
  libdelref.so 29
  plugin-cfg.xml 75
  plugin-key.kdb file 46
  plugin-key.sth file 46
  referential integrity file 28
  update after deleting cluster member 75
  WebSphere Web Server plug-in 35
plugin
  plugin-cfg.xml 101
plugin-cfg.xml 101
plugin-key.kdb file 46
plugin-key.sth file 46
Policy Add/Modify/Remove, workflow process 117
pool
  Initial Capacity, database 112
  Initial Pool Size, LDAP 113
  JDBC connections, database 84
  Login Delay Seconds, database 112
  Max. Pool Size, LDAP 113
  Maximum Capacity, database 112
port
  389 112
  50000 18
  80 40, 101
  8880 40
  9080 40, 73, 100
  9090 40
  conflict
    conflict with wsmserver 40
    resolving 40
    table of numbers assigned 40
    unregistered WebSphere Application Server – Express 31
  directory server 82
  directory server field 112
  enrole.jms.QueueConnectionFactory 134
  in services file 18
  ITIMAdhocSyncListenerPort 134
  ITIMLocalWorkflowListenerPort 135
  ITIMMailServicesListenerPort 135
  ITIMPartitioningServiceListenerPort 135
  ITIMPolicyAnalysisListenerPort 136
  ITIMPolicySimulationListenerPort 136
  ITIMRemoteServicesListenerPort 135
  ITIMRemoteServicesPendingListenerPort 136
  ITIMSharedWorkflowListenerPort 136
  listener, creating manually 134
  number, as database field 111
  reassignment, co-existing products 37
  service listening 18
  SSL port number 81
  TCP/IP port number 81
preoperation, message 31
prerequisite
  cluster
    database 61
    deployment manager 62
    directory server 61
    JMS servers 62
    node agents 62
    WebSphere Application Server base 62
    WebSphere global security on? 62
  single-server
    database 48
    directory server 48
    WebSphere Application Server 48
    WebSphere global security on? 48
Principal DN
  directory server 82
164 IBM Tivoli Identity Manager: Server Installation and Configuration Guide for WebSphere Environments
Principal DN (continued)
  directory server field 112
  Password, directory server field 112
privilege
  logon 50, 65
  planning need 10
  user, enrole 14
problem determination
  browser
    avoiding two sessions 100
    language default 100
    using supported 99
  database
    authentication alias 94
  database connection
    CLASSPATH 94
    db2profile 94
    testing 94
  DB2 UDB
    .profile file 102
  DBLink exception 102
  DB2 user ID, password 94
  describing problem for IBM Software Support 143
  determining business impact for IBM Software Support 143
  directory server
    ibmslapd.log 96
    process ID (PID) 95
    requests locked in running state 96
  embedded HTTP transport, WebSphere
    logon 73, 100
  HTTP server
    determine if running 97
    httpd.conf 97
    multiple versions 100
    port 80 97, 101
  installation
    database configuration 54, 70
    database connection 94
    DBConfig 54, 70
    directory server configuration 55, 70
    file permissions 93
    hardware, software prerequisites 93
    ldapConfig 55, 70, 71
    log files 56, 71, 93
    permissions and display variables 93
    real memory 93
    Simple Object Access Protocol (SOAP) connection 53, 69
    wasadmin user ID 54, 69
    WebSphere Application Server 53
    wsadmin 53, 69
  JLog for logging and alerting 103
  JMS server
    dspmq command 98
    WebSphere embedded messaging 98
  logs and directories 102
  properties files 102
  queue manager
    dspmq command 98
    starting 98
    strmqm command 98
  submitting problem to IBM Software Support 144
  SystemOut.log file 102
  Tivoli Identity Manager
    embedded HTTP transport, WebSphere 73, 100
    HTTP server, correct level 100
    HTTP server, port 80 101
    ITIM_HOME/data directory 102
    msg.log file 100
    properties files 102
    running process 100
    SystemOut.log file 100
    trace.log file 100
  WebSphere Application Server
    deployment manager 99
    dmgr process 99
    node agent 99
    server1 98
    serverStatus command 98
process file, workflow
  addserviceselectionpolicy.xml, preserved during upgrade 117
  changeserviceselectionpolicy.xml, preserved during upgrade 117
  multiaccountdelete.xml, preserved during upgrade 117
  multiaccountpassword.xml, preserved during upgrade 117
  multiaccountrestore.xml, preserved during upgrade 117
  multiaccountsuspend.xml, preserved during upgrade 117
  multiuserdelete.xml, preserved during upgrade 117
  multiusersrestore.xml, preserved during upgrade 117
  multiusersuspend.xml, preserved during upgrade 117
  notifytemplate.html, preserved during upgrade 117
  removeserviceselectionpolicy.xml, preserved during upgrade 117
process, workflow
  Dynamic Role Add/Modify/Remove, lost if running during upgrade 117
  Policy Add/Modify/Remove, lost if running during upgrade 117
processes parameter, Oracle 21
profile
  adapter 58, 76
  cluster configuration 76
  cluster member 38
  communication with database 38
  DB2 UDB
    .profile file 57, 73
  db2profile command 57, 73
  DBLink exception 102
  repeated sourcing 57, 73
  sourcing 57, 73
  sourcing on each cluster member, AIX and Solaris 38
profile file
  EXTSHM environment variable 15
properties
  configuring with Tivoli Identity Manager GUI 91
  enRoleDatabase.properties file 95
  file
    configure 80
    data directory 102
    encryption 87
    enRole.properties 80
    enRoleLogging.log4j.properties 123
    list 90
    Log4J logging toolkit setting 123
    security tab 86
    SystemOut.log file, indicating error 102
  heart beat 81
  recycle bin age limit 82
  tracing 84
properties (continued)
  transaction service
    Client Inactivity Timeout 129
    Total Transaction Lifetime Timeout 129
properties file
  client, upgrading duplicate files 118
  CustomLabels.properties 76
  encryption 113
  file
    adhocreporting.properties 117
    CustomLabels.properties 117
    enRole.properties 117
    enRoleAuthentication.properties 117
    enRoleDatabase.properties 117
    enRoleLDAPConnection.properties 117
    enRoleMail.properties 117
    enroleworkflow.properties 117
    ui.properties 117
  password 113
  preserved during upgrade 117
  upgrade, preserved
    adhocreporting.properties 117
    CustomLabels.properties 117
    enRole.properties 117
    enRoleAuthentication.properties 117
    enRoleDatabase.properties 117
    enRoleLDAPConnection.properties 117
    enRoleMail.properties 117
    enroleworkflow.properties 117
    ui.properties 117
provisioning
  identity 2
  relational database 3
publications
  accessing online xi
  related x
  Tivoli Identity Manager library vii

Q
queue
  itim_adhocSync 134
  itim_ms 133
  itim_ps 134
  itim_rs 133
  itim_rs_pending 133
  itim_wf 133
queue manager
  dspmq command 98
  starting 98
  status 98
  strmqm command 98

R
reconciliation, lost if running during upgrade 117
recycle bin age limit 82
referential integrity file
  definition 28
  file permissions 29
  IBM Tivoli Directory Server 26
  libdelref.a 29
  libdelref.dll 29
  libdelref.so 29
  loading success message 31
  steps to configure 28
  testing configuration 30
regular cluster, definition 6
regular-cluster configuration
  installing 64
  selecting 67
remote
  computer, database client 12
  host name of node with DB2 UDB 16
  name of DB2 database 17
resource
  account management 1
  adapter 1
removeserviceselectionpolicy.xml, workflow process file 117
removing cluster member 75
requests locked in running state, directory server 96
requirement
  CA certificate 58, 76
  cluster 61
  single-server 48
retrieval period, password 91
root
  adding to group, WebSphere embedded messaging 34
  authority for installation specialist 9
  group member, WebSphere embedded messaging 34
  logon user ID, to install Tivoli Identity Manager Server 47, 61
  suffix, Sun ONE Directory Server 32
  used in value for distinguished name 28
  using system management tool 14
runConfig
  change password, enrole user 90
  command 80
  configuring Tivoli Identity Manager Server 80
  EJB user 90
  password encryption 90
  system properties 90
runConfig.stdout 102
runConfigTmp.stdout 102
running process
  database 94
  directory server 95
  HTTP server 97
  HTTP transport 96
  logs and directories 102
  Tivoli Identity Manager Server 100, 102
  using runConfig (System Configuration) 90
  WebSphere Application Server 98
  WebSphere embedded messaging 98
runtime
  adjust DB2 UDB 14
  client
    64-bit operating system 17
    computers that require 16
    DB2 UDB 3
    install, configure 16
  environment, WebSphere Application Server 3
  Java Runtime Environment 58, 74

S
schedule_garbage.cron, job 82
scheduling
  heart beat 81
  ldapClean 82
  periodic cleanup 82
  Recycle Bin Age Limit 81
scheduling (continued)
  schedule_garbage 82
  thread 81
script
  create Oracle database 22
  library suggested 10
search, items displayed 86
secret, as first password 113
Secure Socket Layer
  plugin-key.kdb file 46
  plugin-key.sth file 46
security
  configuring IBM HTTP Server outside cell 45
  EJB user 88
  map administrative user to role 88
  multi-node deployment
    node synchronization 89
    timeout interval 89
  tab 86
  was.policy file 41, 88
segments, shared memory, setting with EXTSHM 15
sequence
  installation, cluster 64, 65
  installation, single-server 50
  requirement, cluster installation 65
Server Name, WebSphere Application Server field 114
serverStatus, command 38, 98
service name
  db2c_DB2 on Windows 18
  db2cdb2inst12 on UNIX 18
service pack, SQL Server 2000 24
serviceability-related files, Tivoli Common Directory 52, 68
services file, port number 18
session
  browser problem 100
  connection pool, LDAP 31
  LDAP 31, 83
  persistence
    db2profile 57, 73
    Oracle environment variables 21
settings
  DB2 UDB
    EXTSHM environment variable 15
  kernel, on Solaris 11
  kernel, WebSphere embedded messaging 33
  preserved, upgrading Tivoli Identity Manager 117
  runtime, DB2 UDB 14
setupEnrole.stdout 102
shared memory segments, setting with EXTSHM 15
shared_pool_size parameter, Oracle 21
Simple WebSphere Authentication Mechanism (SWAM) 41
single-node
  Java 2 security configuration 41
single-server
  configuration
    installing 47
    WebSphere Application Server 4
  definition 4
  installation
    authority 47, 61
    flowchart 48
    sequence 50
    Tivoli Identity Manager Server 47
    wizard 50
  prerequisites
    database 48
    WebSphere Application Server 48
    WebSphere global security on? 48
SLAPD_OCHANDLERS 31
SMTP mail host 85, 113
Software Support
  contacting 142
  describing problem for IBM Software Support 143
  determining business impact for IBM Software Support 143
  submitting problem to IBM Software Support 144
Solaris
  kernel settings for DB2 UDB 11
  kernel settings for WebSphere embedded messaging 34
sorting, hash bucket 112
source
  data 2
  DB_INSTANCE_HOME 57, 73
  DB2 UDB profile 57, 73
  DB2INSTANCE 57, 73
specialist
  working practices 9
SQL Server 2000
  configuring 24
  installing 23
  itimdb database 24
  service pack, obtaining 24
SSL
  TCP/IP port number 81
startManager, command 37
startNode, command 38, 39
startServer, command 38, 53
StartStopWas.stdout 102
status
  DB2 UDB installation wizard 12
  deployment manager 39
  Oracle listener 23
  WebSphere Application Server 98
  WebSphere embedded messaging 35
stopServer, command 53
storage space
  cluster configuration 61
  DB2 UDB 19
  more than one WebSphere Application Server on computer 6
  single-server configuration 47
  tuning guide 103
  WebSphere Web Server plug-in, IBM HTTP Server 36
strmqm, command 98
suffix
  cn=itimadmin,ou=WasSecurity,dc=com 43
  cn=wasadmin,ou=WasSecurity,dc=com 42
  dc=com 112
  ou=WasSecurity,dc=com 42
suffix.ldif file 28
Sun ONE Directory Server 96
  cache size, setting maximum 32
  configuring 32
  root suffix 32
system administrator e-mail address 85
system configuration tool
  Logging tab, tracing 84
System Management Interface Tool (SMIT, AIX) 14
system properties
  enRole.properties 90
  interval to recognize changes 90
  logging 90
system properties (continued)
  logon attempts 91
  managing 90
  manual modification 90
  password
    editing 91
    expiration period 91
    lost 91
    retrieval expiration period 91
  restart Tivoli Identity Manager Server 90
  runConfig 90
  Web user interface 91
System user
  updating 88
System User
  User ID, WebSphere Application Server 113
  user name 41
SystemErr.log 103
SystemOut.log
  errors and properties files 102
  file 103
  logon request 102
  verifying Tivoli Identity Manager Server 100

T
tab
  Database 83
  Directory 82
  General 80
  Logging 84
  Mail 84
  Security 86
  UI 85
TCP/IP
  configuration, DB2 UDB 15
  DB2COMM 17
  port number 81
  SSL port number 81
TCP/IP protocol
  DB2 runtime client 16
testing
  database 94
  directory server 95
  HTTP server 97
  HTTP transport 96
  JMS server 98
  Tivoli Identity Manager Server 100
  WebSphere Application Server 98
text, alternative for document images xi
the Tivoli Identity Manager Server
  uninstalling
    saving configuration information in WebSphere 119
thread
  LDAP connections 31
  scheduling 81
  SLAPD_OCHANDLERS 31
timdelref.conf
  configuration file for Tivoli Identity Manager 29, 123
  target directory 29, 123
timeout interval, multi-node security 89
Tivoli Common Directory
  CTGIM 52, 68
  msg.log 103
  serviceability-related files 52, 68
  trace.log 103
Tivoli Identity Manager
  field
    User ID 113
  manual deployment
    classloader settings 139
    JAAS login module 139
    JNDI service provider 139
    WebSphere Application Server 138
    WebSphere Web Server plug-in 139
  uninstalling 105
Tivoli Identity Manager Server
  CA certificate 58, 76
  configuration
    Database tab 83
    General tab 80
    Directory tab 82
  field
    Password 113
  host name 81
  installation, configuration 47
  installing
    authority 47, 61
    cluster 61
    flowchart, cluster 62
    flowchart, single-server 48
    single-server 47
  Logging tab 84
  Mail tab 84
  msg.log file 100
  Security tab 86
  SystemOut.log file 100
  test communication 93
  trace.log file 100
  UI tab 85
  uninstalling
    additional products 105
    database tables 105
    directory server schema 105
    steps 105
  verifying 100
Tivoli software information center xi
Tivoli_Common_Directory
  definition xiv
Tivoli_Identity_Manager_InstallLog.log 102
top, objectclass 28
Total Transaction Lifetime Timeout 129
trace.log
  in Tivoli Common Directory 103
  verifying Tivoli Identity Manager Server 100
tracing
  IBM Logging Toolkit for Java (JLog) 124
  logging 84
  MAX 84
  MED 84
  MIN 84
  performance settings 84
transaction service
  Client Inactivity Timeout 129
  Total Transaction Lifetime Timeout 129
transactional data, on database 11
type
  2 JDBC driver 3
  4 JDBC driver 4
  database 83
typeface conventions xii
U
ui.properties 117
uninstalling Tivoli Identity Manager 105
  additional products 105
  database tables 105
  directory server schema 105
  saving configuration information in WebSphere 119
  steps 105
  utility for Tivoli Identity Manager 75
unregistered WebSphere Application Server – Express 31
update, db2 command 14
upgrading
  before upgrading 118
  configuration 119, 121
  Crystal Reports
    manual steps 124
  Crystal reports, manually 118
  custom logos lost 118
  customization
    Java 2 security, manually 123
    LDAP schema, manually 123
    Log4J logging toolkit setting 123
    logos, manually 123
  customized logging settings
    utility lost 118
  duplicate properties files on client side 118
  Dynamic Role Add/Modify/Remove lost if running 117
  identity feed lost if running 117
  jar files for client, manually 118
  Java security lost 118
  LDAP schema customization lost 118
  Policy Add/Modify/Remove lost if running 117
  problems, correction 124
  reconciliation lost if running 117
  steps
    cluster configuration 121
    single-server configuration 120
  tasks
    cluster configuration 121
    single-server configuration 119
  Tivoli Identity Manager version 4.5.1 to 4.6
    CA certificates preserved 117
    customization, preserving WebSphere Application Server 116
    data directory 116
    database schema 117
    demonstration certificate upgraded 117
    property files 117
    settings preserved 117
    WebSphere Application Server configuration 117
    WebSphere Application Server installation 116
    WebSphere Application Server migration 116
    workflow files 117
    workflow_systemprocess directory 117
user
  account data, on directory server 25
  enrole
    on DB2 server 14
    privileges, no special 14
  ID field, Tivoli Identity Manager 113
  ID, verifying for database 94
  password, verifying for database 94
user password
  database field 111
  identical in enRoleDatabase.properties file 95
user, ITIM 57, 73
UTF-8, encoding 138

V
verifying
  database
    CLASSPATH 94
    connection 94
    installation 13
    user ID 94
    user password 94
  deployment manager 38
  HTTP server 97
  HTTP server version 100
  installation
    Tivoli Identity Manager Server 56, 72
  JMS server
    single-server 98
  node agent 38
  WebSphere Application Server 98
  WebSphere embedded messaging 98
versionInfo.bat, command 109
versionInfo.sh, command 109

W
WAS_HOME
  definition xiv, 127
  WebSphere Application Server base installation directory xiv, 114, 127
WAS_MQ_HOME
  definition xiv
  WebSphere MQ installation directory xiv
WAS_NDM_HOME
  definition xiv
  WebSphere Application Server Network Deployment installation directory xiv
was.policy file, permissions 41, 88
wasadmin
  object 42
  System User 41, 89
  User 42
  User ID, WebSphere Application Server 113
Web address
  Tivoli Identity Manager 73, 100
  WebSphere administrative console 36
Web user interface (Tivoli Identity Manager) 91
WebSphere administrative console
  starting 56
  Web address 36
WebSphere Application Server
  configuration
    preserved during upgrade 117
    regular-cluster 6
    single-server 4
  definition 3
  encryption
    checkbox 113
    key 113
  field
    Cluster name 114
    Installation directory 114
    Logging Level 113
    Mail Server Name 113
    Node name 114
    Server Name 114
  global security
    EJB User field 114
    itimadmin 89
WebSphere Application Server (continued)
  global security (continued)
    settings 51, 113
    System User field 113
    wasadmin 89
  Java Message Service 3
  verifying 98
WebSphere Application Server – Express
  port conflict 31
  unregistered WebSphere Application Server – Express 31
WebSphere embedded messaging
  deployment 34
  group
    adding root 34
    mqbrkrs 34
    mqm 34
  message indicates running 35
  process 3
  verifying
    single-server 98
  verifying operation 35
  WebSphere MQ 3
WebSphere installation
  custom installation recommended 35
  First Steps 35
  IBM HTTP Server installation 35
  WebSphere Web Server plug-in installation 35
WebSphere key management utility (iKeyman) 58, 76
WebSphere MQ, WebSphere embedded messaging 3
WebSphere Web Server plug-in
  configuration file 75
  definition 4
  deployment 35
  HTTP server 4
  installing 36
  manual regeneration 139
  not on every cluster member 37
  plugin-cfg.xml 75
  separate computer recommended 36
wizard
  First Steps, WebSphere installation 35
  Tivoli Identity Manager installation
    cluster 65
    single-server 50
  verifying DB2 UDB installation 13
workflow process file, preserved during upgrade
  addserviceselectionpolicy.xml 117
  changeserviceselectionpolicy.xml 117
  multiaccountdelete.xml 117
  multiaccountpassword.xml 117
  multiaccountrestore.xml 117
  multiaccountsuspend.xml 117
  multiuserdelete.xml 117
  multiusersrestore.xml 117
  multiusersuspend.xml 117
  notifytemplate.html 117
  removeserviceselectionpolicy.xml 117
workflow process, lost if running during upgrade
  Dynamic Role Add/Modify/Remove 117
  Policy Add/Modify/Remove 117
worksheet
  planning 10
  tables 111
Program Number: 5724–C34
Printed in USA
SC32-1750-01