Академический Документы
Профессиональный Документы
Культура Документы
Version 5.1
SC27-2410-00
Tivoli Identity Manager Server
®
Version 5.1
SC27-2410-00
Note:
Before using this information and the product it supports, read the information in Appendix E, “Notices,” on page 145.
Edition notice
This edition applies to version .1 of Tivoli Identity Manager and to all subsequent releases and modifications until
otherwise indicated in new editions.
This edition obsoletes and replaces SC32-1562-01
© Copyright International Business Machines Corporation 2009.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract
with IBM Corp.
Contents
Preface . . . . . . . . . . . . . . vii Chapter 3. Installing and configuring a
Intended Audience . . . . . . . . . . . . vii directory server . . . . . . . . . . . 27
Publications and related information . . . . . . vii Before you install the directory server product. . . 27
Tivoli Identity Manager library . . . . . . . vii Installing and configuring IBM Tivoli Directory
Prerequisite product publications . . . . . . ix Server . . . . . . . . . . . . . . . . 27
Related publications . . . . . . . . . . . x Installing IBM Tivoli Directory Server . . . . 27
Accessing publications online. . . . . . . . x Installing the required fix packs . . . . . . 28
Accessibility . . . . . . . . . . . . . . xi Configuring IBM Tivoli Directory Server. . . . 29
Support for problem solving . . . . . . . . . xi Sun Enterprise Directory Server . . . . . . . 36
Conventions used in this book . . . . . . . . xi Installing Sun Enterprise Directory Server . . . 36
Typeface conventions . . . . . . . . . . xi Configuring Sun Enterprise Directory Server . . 36
Definitions for HOME and other directory
variables . . . . . . . . . . . . . . xii Chapter 4. Optionally installing IBM
Operating system differences . . . . . . . xiv
Tivoli Directory Integrator . . . . . . 39
Before you install the directory integrator product 39
Chapter 1. Overview of the Tivoli Identity Installing IBM Tivoli Directory Integrator . . . . 39
Manager environment . . . . . . . . . 1 Installing IBM Tivoli Directory Integrator . . . 39
Tivoli Identity Manager components . . . . . . 1 Installing the required fix packs . . . . . . 39
Database server products . . . . . . . . . 1 Installing agentless adapters . . . . . . . . 40
Directory server products . . . . . . . . . 2
IBM Tivoli Directory Integrator . . . . . . . 2 Chapter 5. Installing and configuring
WebSphere Application Server . . . . . . . 3
An HTTP server and WebSphere Web Server
WebSphere Application Server . . . . 41
plug-in . . . . . . . . . . . . . . . 3 Before you install WebSphere Application Server . . 41
Tivoli Identity Manager Server . . . . . . . 3 Installing the WebSphere Application Server product 41
Tivoli Identity Manager adapters . . . . . . 3 Installing WebSphere Application Server in a
Configuration options . . . . . . . . . . . 4 single-server environment . . . . . . . . 42
Single-server configuration . . . . . . . . 4 Installing WebSphere Application Server in a
Cluster configuration . . . . . . . . . . 4 cluster environment . . . . . . . . . . 43
Overview of the installation . . . . . . . . . 5 Tuning WebSphere Application Server for
Planning activities for deployments at large sites . . 6 performance . . . . . . . . . . . . . 48
Contents v
vi IBM Tivoli Identity Manager Server: Installation and Configuration Guide
Preface
This guide describes how to install and configure Tivoli Identity Manager.
Intended Audience
This book is intended for system and security administrators who install, maintain,
or administer software on their computer systems. Readers are expected to
understand system and security administration concepts. Additionally, the reader
must understand administration concepts for the following types of products:
v Database servers
v Directory servers
v Application servers
http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.itim.doc/
welcome.htm
The publications in the Tivoli Identity Manager technical documentation library are
organized into the following categories:
v Release information
v Online user assistance
v Server installation and configuration
v Problem determination
v Technical supplements
v Adapter installation and configuration
Release Information:
v Tivoli Identity Manager Quick Start Guide
Helps you install a base configuration of Tivoli Identity Manager.
v Tivoli Identity Manager Information Center
Provides software and hardware requirements for Tivoli Identity Manager and
additional fix, patch, and other support information. This publication also
includes known limitations, problems, and workarounds.
Tivoli Identity Manager Express Separate System Upgrade and Data Migration Guide
provides upgrade and data migration information for Tivoli Identity Manager.
Problem determination:
Tivoli Identity Manager Messages Guide provides message information for Tivoli
Identity Manager.
Tivoli Identity Manager Database and Schema Reference describes some of the data
structures used by Tivoli Identity Manager.
Technical supplements:
The Tivoli Identity Manager Server technical documentation library also includes
an evolving set of platform-specific installation documents for the adapter
components of an IBM Tivoli Identity Manager implementation.
http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.itim.doc/
welcome.htm
IBM Tivoli Identity Manager Performance Tuning Guide provides information to help
you optimize the use of resources for Tivoli Identity Manager.
viii IBM Tivoli Identity Manager Server: Installation and Configuration Guide
Skills and training:
Preface ix
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp
v IBM DB2 Database™
– Support:
http://www.ibm.com/software/data/db2/udb/support.html
– Information center:
http://publib.boulder.ibm.com/infocenter/db2help/index.jsp
– Documentation
http://www-306.ibm.com/software/data/db2/support/db2_9/
http://www.ibm.com/software/data/db2/udb/support/manualsv9.html
– DB2® product family:
http://www.ibm.com/software/data/db2/
– Fix packs by version:
http://www-1.ibm.com/support/docview.wss?rs=71&uid=swg21255572
– System requirements:
http://www.ibm.com/software/data/db2/udb/sysreqs.html
v IBM Tivoli Directory Server
– Support
http://www.ibm.com/software/sysmgmt/products/support/
IBMDirectoryServer.html
– Information center
http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/
com.ibm.IBMDS.doc/welcome.htm
v IBM Tivoli Directory Integrator
– Support
http://www.ibm.com/software/sysmgmt/products/support/
IBMDirectoryIntegrator.html
– Information center
http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?toc=/
com.ibm.IBMDI.doc/toc.xml
Related publications
Information that is related to Tivoli Identity Manager Server is available in the
following publications:
v The Tivoli Software Library provides various Tivoli publications such as white
papers, data sheets, demonstrations, Redbooks, and announcement letters. The
Tivoli Software Library is available on the Web at:
http://www.ibm.com/software/tivoli/literature/
v The Tivoli Software Glossary includes definitions for many of the technical terms
related to Tivoli software. The Tivoli Software Glossary is available from the
Glossary link of the Tivoli Software Library Web page at:
http://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm
Click the I character in the A-Z list, and then click the Tivoli Identity Manager
link to access the product library.
Note: If you print PDF documents on other than letter-sized paper, set the option
in the File → Print window that allows Adobe Reader to print letter-sized
pages on your local paper.
Accessibility
The product documentation includes the following features to aid accessibility:
v Documentation is available in convertible PDF format to give the maximum
opportunity for users to apply screen-reader software.
v All images in the online documentation are provided with alternative text so
that users with vision impairments can understand the contents of the images.
Typeface conventions
This book uses the following typeface conventions:
Bold
v Lowercase commands and mixed case commands that are otherwise
difficult to distinguish from surrounding text
v Interface controls (check boxes, push buttons, radio buttons, spin
buttons, fields, folders, icons, list boxes, items inside list boxes,
multicolumn lists, containers, menu choices, menu names, tabs, property
sheets), and labels (such as Tip:)
v Keywords and parameters in text
Italic
Preface xi
v Words defined in text
v Emphasis of words (words as words)
v New terms in text (except in a definition list)
v Variables and values that you must provide
Monospace
v Examples and code examples
v File names, programming keywords, and other elements that are difficult
to distinguish from surrounding text
v Message text and prompts addressed to the user
v Text that the user must type
v Values for arguments or command options
Other UNIX/Linux:
/home/dbinstancename
xii IBM Tivoli Identity Manager Server: Installation and Configuration Guide
Path Variable Default Definition Description
ITDS_HOME Windows: The directory that
v Version 6.1 contains the IBM
Tivoli Directory
path\IBM\LDAP\V6.1
Server code.
v Version 6.2
path\IBM\LDAP\V6.2
UNIX/Linux:
v Version 6.1
path/ibm/ldap/V6.1
v Version 6.2
path/ibm/ldap/V6.2
UNIX/Linux:
/home/instance_owner_name/
idsslapd-instance_owner_name
Solaris:
/export/home/instance_owner_name/
idsslapd-instance_owner_name
An example of instance_owner_name
might be ldapdb2. For example, the log
file might be /export/home/ldapdb2/
idsslapd-ldapdb2/logs/ibmslapd.log
ITDI_HOME Windows: The directory that
v Version 6.1.1 contains the IBM
Tivoli Directory
path\IBM\TDI\V6.1.1
Integrator Server
v Version 7.0 code. Also, where
path\IBM\TDI\V7.0 adapters are
installed.
UNIX/Linux:
v Version 6.1.1
path/IBM/TDI/V6.1.1
v Version 7.0
path/IBM/TDI/V7.0
Preface xiii
Path Variable Default Definition Description
ITIM_HOME Windows: The base directory
path\IBM\itim that contains the
Tivoli Identity
UNIX/Linux: Manager code,
path/IBM/itim configuration, and
documentation.
TIVOLI_COMMON_ Windows: The central location
DIRECTORY path\IBM\tivoli\common for all
serviceability-
UNIX/Linux: related files, such
path/IBM/tivoli/common as logs and
first-failure capture
data.
WAS_HOME Windows: The directory that
path\IBM\WebSphere\AppServer contains the
WebSphere
UNIX/Linux: Application Server
path/IBM/WebSphere/AppServer code.
When using the UNIX/Linux command line, replace %variable% with $variable for
environment variables, and replace each backslash (\) with a forward slash (/) in
directory paths. The names of environment variables are not always the same in
Windows and UNIX/Linux. For example, %TEMP% in the Windows operating
system is equivalent to /tmp in a UNIX/Linux operating system.
Note: If you are using the bash shell on a Windows system, you can use the
UNIX/Linux convention for specifying file path notation.
xiv IBM Tivoli Identity Manager Server: Installation and Configuration Guide
Chapter 1. Overview of the Tivoli Identity Manager
environment
This book focuses on the tasks that you must complete in order to install and
configure Tivoli Identity Manager.
To determine the supported release levels and fix pack specifications for the
supported UNIX, Linux and Windows operating systems, refer to the Tivoli Identity
Manager Information Center, which takes precedence over this document.
Tivoli Identity Manager requires the installation and configuration of the following
components:
v A database server
v A directory server
v IBM Tivoli Directory Integrator (optional)
v WebSphere Application Server
v An HTTP server (optional)
v Tivoli Identity Manager Server
v Tivoli Identity Manager adapters
For more information about supported database server products, refer to the Tivoli
Identity Manager Information Center.
For more information about supported directory server products, refer to the Tivoli
Identity Manager Information Center.
For more information about IBM Tivoli Directory Integrator, refer to the Tivoli
Identity Manager Information Center.
For additional information about the WebSphere Application Server products, refer
to additional documentation cited in “Prerequisite product publications” on page
ix.
Note: If an HTTP server is used, you must use the WebSphere Application Server
Administrative Console to map the Tivoli Identity Manager applications to
the HTTP Web server name. See Appendix A, “Mapping Tivoli Identity
Manager application modules to IBM HTTP Server,” on page 125 for more
information about mapping the applications.
Note: For agentless adapters, the SSH process or daemon must be active on the
managed resource.
Configuration options
Before you install Tivoli Identity Manager, you must determine how to configure
WebSphere Application Server, either in a single-server or a cluster configuration.
Single-server configuration
A single-server configuration contains the WebSphere Application Server base
server and Tivoli Identity Manager on one computer. Other required applications
can run on the same computer or a different computer. You must ensure that the
computer has the required memory, speed, and available disk space to meet the
workload.
Cluster configuration
A cluster configuration contains WebSphere Application Server nodes, which are
logical groups of one or more application servers on computers. Nodes reside
within an administrative domain called a cell, which the deployment manager
manages. A node agent manages all managed processes on the node by
communicating with the deployment manager to coordinate and synchronize the
configuration. The deployment manager is the administrative process that provides
a centralized management view and control for all elements in the cell, including
the management of clusters.
Tivoli Identity Manager assumes that the operating system is the same for each
cluster member.
For example, all Tivoli Identity Manager cluster members run on the IBM AIX
operating system. To avoid problems with identity feeds, do not use more than one
operating system type within a Tivoli Identity Manager cluster.
Tivoli Identity Manager does not support a vertical cluster configuration, which
has more than one cluster member within a WebSphere Application Server node.
For example, one cluster configuration might consist of one or more WebSphere
Application Server nodes, each node consisting of one computer, controlled by a
deployment manager on a separate server. The remaining applications are
configured on additional computers.
The major steps to install and test Tivoli Identity Manager are:
1. Determine the Tivoli Identity Manager Server topology. The information in this
chapter describes the major configuration choices.
2. Ensure that the operating system of each physical server is at the level that
Tivoli Identity Manager requires. For more information about software and
hardware requirements, refer to the Tivoli Identity Manager Information Center.
3. Ensure that the database server is installed and preconfigured. See Chapter 2,
“Installing and configuring a database,” on page 9 for steps to prepare the
database.
4. Ensure that the directory server is installed and preconfigured. See Chapter 3,
“Installing and configuring a directory server,” on page 27 for steps to prepare
the directory server.
5. Ensure that IBM Tivoli Directory Integrator is installed and preconfigured. See
Chapter 4, “Optionally installing IBM Tivoli Directory Integrator,” on page 39
for steps to prepare IBM Tivoli Directory Integrator.
6. Determine that the WebSphere Application Server is ready. See Chapter 5,
“Installing and configuring WebSphere Application Server,” on page 41 for
steps to prepare the WebSphere Application Server in a single-cluster or cluster
configuration.
7. Install and configure Tivoli Identity Manager on one of these configurations:
v Single-server. Tivoli Identity Manager supports both regular and silent
installation. For more information about single-server install, see “Installing
Tivoli Identity Manager in a single-server configuration” on page 49.
The information in this chapter is not a substitute for the more extensive,
prerequisite documentation that is provided by the database product. For more
information that you must previously know, refer to these sources:
v IBM DB2 Database
http://www.ibm.com/software/data/db2/udb/support.html
http://www.ibm.com/software/data/db2/support/db2_9/doc.html
(Information centers and operating system prerequisites)
http://www.ibm.com/software/data/db2
v Oracle
http://otn.oracle.com/documentation/index.html
http://otn.oracle.com/tech/index.html
v Microsoft SQL Server 2005
http://www.microsoft.com/sql/
http://www.msdn.com/library/
You can install DB2 on the same computer with Tivoli Identity Manager or on a
separate computer. Installing DB2 on the same computer requires the installation of
a Java Database Connectivity driver (JDBC driver, type 4). A JDBC driver enables
Tivoli Identity Manager to communicate with the data source. Installing DB2
automatically installs the type 4 JDBC driver.
Tivoli Identity Manager requires DB2 to run with a required level of the DB2 fix
pack. For more information about installing DB2 and any fix packs, refer to the
Tivoli Identity Manager Information Center and to documentation that the database
product provides. For example, access these Web sites:
http://www.ibm.com/software/data/db2/udb/support.html
http://www.ibm.com/software/data/db2/udb/support/downloadv9.html
For more information about verifying the DB2 installation, visit this Web site:
http://publib.boulder.ibm.com/infocenter/db2luw/v9/index.jsp?topic=/
com.ibm.db2.udb.uprun.doc/doc/t0006838.htm
http://www.ibm.com/software/data/db2/udb/support.html
Verify that the correct fix pack is installed on both the database server and the
database client computers.
If you created a DB2 instance during installation, you can use the following
commands:
v On UNIX and Linux systems, log on as the DB2 instance user ID and enter the
db2level command:
su - DB2_instance_ID
db2level
If you did not create a DB2 instance during installation, use the following
commands:
v On UNIX and Linux systems, enter the db2ls command:
DB_HOME/install/db2ls
or
/usr/local/bin/db2ls
v On Windows, run the regedit command and look for the information in the
following location:
HKEY_LOCAL_MACHINE\SOFTWARE\IBM\DB2\InstalledCopies\db2_name\CurrentVersion
For more information about these steps, refer to the Tivoli Identity Manager
Information Center and to documentation that the DB2 fix pack provides.
Note: The middleware configuration utility stores by default any input you
provide in a response file called db2ldap.rsp located in the system temp
directory; for example, the /tmp directory. This file is normally cleaned up
after the utility completes. If you cancel the utility before it completes, this
file might not be erased.
The middleware configuration utility can be run manually or silently. For more
information about silent configuration, see “Configuring DB2 silently” on page 15.
On UNIX and Linux operating systems, you must be a root user. Additionally, the
umask setting must be 022. To verify the umask setting issue the command:
umask
Note: Record the values you provide for the middleware configuration utility for
later use with the DBConfig and ldapConfig utilities used during Tivoli
Identity Manager server installation.
Note: The dollar sign ($) has special meaning in the installer frameworks used
by the middleware configuration utility. Avoid using $ in any field
values. The installer framework or operating system platform might do
variable substitution for the value.
7. If you have changed the default DB2 instance name, or if a DB2 instance exists
with that name, you are prompted with a warning message. If you are only
Note: If you run the middleware configuration utility silently, the response file
is updated during the configuration process.
Related topics:
Creating a user on a Linux system: You can use the console command interface
or the GUI utility to create a user on Linux. To create a user by using the console
command interface on a Linux (Red Hat) operating system, enter the following
command:
useradd -d /home/itimuser -p password itimuser
The -d switch specifies the home directory. The entry itimuser specifies the user
ID that is created.
Proceed to the next step, “Creating the Tivoli Identity Manager database.”
Creating the Tivoli Identity Manager database: You can specify any name for the
Tivoli Identity Manager database, such as itimdb. To create the Tivoli Identity
Manager database, follow these steps:
1. Open a DB2 command window.
v UNIX: Log on as the DB2 instance owner and ensure that the db2profile has
been sourced into the environment.
v Windows: Click Start > Run, and enter db2cmd.
2. In the DB2 command window, enter these commands to create the database:
db2 create database itim_dbname using codeset UTF-8 territory us
db2 connect to itim_dbname user itim_dbadmin_name using itim_dbadmin_password
db2 create bufferpool ENROLEBP size automatic pagesize 32k
db2 update db cfg for itim_dbname using logsecond 12
db2 update db cfg for itim_dbname using logfilsiz 10000
db2 update db cfg for itim_dbname using applheapsz 2048
db2 update db cfg for itim_dbname using app_ctl_heap_sz 1024
db2 update db cfg for itim_dbname using maxfilop 256
db2 update db cfg for itim_dbname using locklist 5000
db2 update db cfg for itim_dbname using auto_runstats off
db2 update db cfg for itim_dbname using database_memory itim_dbmemory
db2 alter bufferpool IBMDEFAULTBP size automatic
db2 disconnect current
The value of itim_dbname is a name such as itimdb. The value of itim_dbmemory
is 40000 for a single-server installation, COMPUTED for all platforms except AIX
and Windows. For AIX and Windows, the value is AUTOMATIC. For more
There is a service listening port associated with each DB2 instance. The port is
used for establishing a DB2 connection from a DB2 application to the database
owned by the instance. The default service port number for the DB2 default
instance (DB2 on windows and db2inst1 on Unix), which is created on installing
the DB2 server, is 50000. Running the middleware configuration utility to create a
DB2 instance, the default service port number of the instance is 50002. If you have
migrated DB2 8.2 to DB2 9.1 or DB2 9.5 along with the DB2 instance, the DB2
migration utility might reset the service port of the instance as 60000.
To determine whether the correct service name or service listening port is defined,
complete these steps:
1. In the DB2 command window, enter these commands to check the service
name:
db2 connect to itim_dbname user itim_dbadmin_id using itim_dbadmin_password
db2 get dbm cfg
Look for the SVCENAME attribute to locate the service name.
2. Locate the statement that is like the following example, which specifies the
current port number in the services file on the computer on which the DB2
server resides:
v Windows
– DB2 Version 9.1: service_name: 50000/tcp
v UNIX
– DB2 Version 9.1: service_name: 50000/tcp
Related topics:
See “Before you begin” on page 106 for topics related to DB2 migration.
To provide additional storage space, change the DB2 application heap size to a
larger value. Using the IBM Tivoli Identity Manager Performance Tuning Guide to tune
DB2 is recommended for all systems, both for production and test environments.
In all cases, refer to the installation and migration guides that the Oracle
Corporation provides for complete information. For more information, refer to
these Web sites:
http://otn.oracle.com/documentation/index.html
http://otn.oracle.com/tech/linux/index.html
To create an Oracle database for Tivoli Identity Manager, complete these steps:
v “Installing the Oracle database server” on page 20
v “Configuring the init.ora file” on page 20
v “Setting environment variables” on page 21
v “Backing up an existing database” on page 21
v “Installing the Oracle JDBC driver” on page 21
Note: The two lines where the code needs to be modified are highlighted in bold.
# pwd
/u02/enrole/config/rdbms/oracle
# more enrole_admin.sql
CREATE TABLESPACE enrole_data
DATAFILE 'enrole1_data_002.dbf'
SIZE 160M
AUTOEXTEND ON
NEXT 20M
MAXSIZE 1024M
DEFAULT STORAGE (INITIAL 10M
NEXT 1M
PCTINCREASE 10)
PERMANENT
ONLINE
LOGGING;
http://otn.oracle.com/tech/index.html
Note: If you manually create the Oracle database for Tivoli Identity Manager, you
must manually install the JVM feature, or any transactions from Tivoli
Identity Manager later fails. It is not required to manually create the
database and install the JVM feature, however. You can use the Oracle
Database Configuration Assistant wizard to create the database and install
the JVM feature.
Source the profile on UNIX operating systems, which updates the environment
variables in the current session, to ensure that Tivoli Identity Manager can
communicate with the database. To source the profile, enter the following
command:
# . /.profile
Copy the Oracle JDBC driver from the Oracle server directory or download it from
the Oracle Web site into a directory on the computer on which Tivoli Identity
Manager is to be installed. The Tivoli Identity Manager installation program
prompts for the directory containing the JDBC driver and the driver name. In a
cluster configuration, the JDBC driver is required on the computer that has the
deployment manager and on each Tivoli Identity Manager cluster member
computer. For example, if Oracle database is installed on Linux, but Tivoli Identity
Manager is installed on Windows, create a directory C:\itim_jdbcdriver\ and
copy the JDBC driver file to that directory, then point to this directory during
installation.
-- Bring new rollback segments online and drop the temporary system one
ALTER ROLLBACK SEGMENT rb1 ONLINE;
ALTER ROLLBACK SEGMENT rb2 ONLINE;
ALTER ROLLBACK SEGMENT rb3 ONLINE;
ALTER ROLLBACK SEGMENT rb4 ONLINE;
Note: Using the IBM Tivoli Identity Manager Performance Tuning Guide to tune
the Oracle database is recommended for all systems, both for production
and test environments.
3. Install the JVM for the database. Use these commands:
# sqlplus "/ as sysdba"
SQL> @$ORACLE_HOME/rdbms/admin/catalog.sql
SQL> @$ORACLE_HOME/rdbms/admin/catproc.sql
SQL> @?/javavm/install/initjvm.sql
SQL> @?/xdk/admin/initxml.sql
SQL> @?/xdk/admin/xmlja.sql
SQL> @?/rdbms/admin/catjava.sql
As the database administrator, connect to the database and run the following
commands:
grant select on pending_trans$ to public;
grant select on dba_2pc_pending to public;
grant select on dba_pending_transactions to public;
grant execute on dbms_system to itim_db_user;
where itim_db_user is the user that owns the Tivoli Identity Manager database,
such as itimuser.
Stop and restart the database instance for these changes to take effect.
http://www.msdn.com/library/
http://www.microsoft.com/Sqlserver/2005/en/us/default.aspx
Note: You do not have to complete the section titled Configuring the
User-Defined Roles because Tivoli Identity Manager creates the
necessary ID and associate with the SqlJDBCXAUser role for you.
Copy the SQL Server JDBC driver from where SQL Server 2005 is installed or
download it from the Microsoft Web site into a directory on the computer on
which Tivoli Identity Manager is to be installed. The Tivoli Identity Manager
installation program prompts for the directory containing the JDBC driver and the
driver name. In a cluster configuration, the JDBC driver is required on the
computer that has the deployment manager and on each Tivoli Identity Manager
cluster member computer. For example, on the computer on which Tivoli Identity
Manager is to be installed, create a directory C:\itim_jdbcdriver\ and copy the
JDBC driver file to that directory, then point to this directory during installation.
The information in this chapter is not a substitute for the more extensive,
prerequisite documentation that is provided by the directory server product itself.
For more information that you must previously know, refer to these sources:
v IBM Tivoli Directory Server
– Hardware and software requirements, and documentation
http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?toc=/
com.ibm.IBMDS.doc/toc.xml
– Fixes
http://www.ibm.com/software/sysmgmt/products/support/
B925741X14164Q78-download.html
The IBM Tivoli Directory Server uses DB2 Database as a data store and WebSphere
Application Server for the Web Administration Tool.
Note: You cannot use embedded DB2 for the Tivoli Identity Manager database or
embedded WebSphere Application Server for Tivoli Identity Manager.
To install IBM Tivoli Directory Server using the Tivoli Identity Manager product
DVD, complete these steps:
For information about installing the directory server, refer to documentation that
the directory server product provides. For example, access this Web site:
http://www.ibm.com/software/sysmgmt/products/support/
IBMDirectoryServer.html
http://www.ibm.com/software/sysmgmt/products/support/
IBMDirectoryServer.html
http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/
com.ibm.IBMDS.doc/welcome.htm
Verify that the correct fix pack is installed on the IBM Tivoli Directory Server. To
verify that the correct fix pack is installed on the IBM Tivoli Directory Server, issue
the following command:
v AIX: lslpp -l 'idsldap*'
v Linux: rpm -qa | grep idsldap
v Solaris:
1. Type pkginfo | grep IDSl to query the version for a particular package.
2. Type pkgparam package_name VERSION for each installed package. For
example, pkgparam IDSl64s61 VERSION for IBM Tivoli Directory Server
version 6.1, or pkgparam IDSl32s60 VERSION for IBM Tivoli Directory Server
version 6.0.
v Windows:
1. From the command line, type regedit.
2. Look in the following registry area:
– 6.1 - My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\IBM\IDSLDAP\6.1
For more information about these steps, refer to the Tivoli Identity Manager
Information Center and to the documentation that the IBM Tivoli Directory Server
fix pack provides.
Note: The middleware configuration utility stores by default any input you
provide in a response file called db2ldap.rsp located in the system temp
directory, for example the /tmp directory. This file is normally cleaned up
after the utility completes. If you cancel the utility before it completes, this
file might not be erased.
The middleware configuration utility can be run manually or silently. For more
information about silent configuration, see “Configuring IBM Tivoli Directory
Server silently” on page 31.
On UNIX and Linux operating systems, you must be a root user. Additionally, the
umask setting must be 022. To verify the umask setting issue the command:
Procedure: To start the middleware configuration utility for IBM Tivoli Directory
Server manually, complete the following steps:
1. Log on to an account with system administration privileges on the computer
where IBM Tivoli Directory Server is installed.
2. Start the middleware configuration utility from the DVD or a download
directory:
v AIX: Start the middleware configuration utility by running the
cfg_itim_mw_aix program.
v Solaris: Start the middleware configuration utility by running the
cfg_itim_mw_solaris program.
v Linux for xSeries: Start the middleware configuration utility by running the
cfg_itim_mw_xLinux program.
v Linux for pSeries: Start the middleware configuration utility by running the
cfg_itim_mw_pLinux program.
v Linux for zSeries: Start the middleware configuration utility by running the
cfg_itim_mw_zLinux program.
v Windows: Start the middleware configuration utility by using the
cfg_itim_mw.exe program if the Windows autorun feature is disabled.
Each platform requires a file called cfg_itim_mw.jar to go along with the native
program. The JAR file and the native program must be in the same directory
location.
3. Select your language, and click OK.
4. From the Product Configuration panel, check only Configure IBM Tivoli
Directory Server, and click Next.
5. You can receive a warning if IBM Tivoli Directory Server is not at the correct
level or not installed. Action might be required to make sure that IBM Tivoli
Directory Server is at the correct level. To bypass this warning, click Next.
6. From the IBM Tivoli Directory Server configuration options panel, provide the
following information, and then click Next:
v Directory server administrator ID and instance name
Provide the user ID that is used to connect to IBM Tivoli Directory Server as
the directory server administrator. For example, itimldap.
Note: The dollar sign ($) has special meaning in the installer frameworks used
by the middleware configuration utility. Avoid using $ in any field
values. The installer framework or operating system platform might do
variable substitution for the value.
7. Provide the following LDAP information, and then click Next.
v Administrator DN
The user ID that represents the principal distinguished name. This DN is the
root suffix for Tivoli Identity Manager. For example, cn=root.
v Administrator DN password
The password of the user ID that represents the principal distinguished
name. For example, secret.
v Password confirmation
Type the password again.
v User-defined suffix
Provide the LDAP suffix. This suffix can be any valid suffix and is used as
the context root under which Tivoli Identity Manager information is located.
For example, choose dc=com.
v Non-SSL port
The port on which the directory server is listening. The default port is 389.
Note: This default port might conflict with other services. For example, a
Windows server could run Windows Active Directory services, which
uses a default port of 389.
8. Review your configuration options before clicking Next to begin the
configuration process.
9. The configuration can take up to several minutes to complete. Once the
configuration completes successfully, click Finish to exit the deployment
wizard. This task concludes the middleware configuration process for IBM
Tivoli Directory Server. To verify the middleware configuration utility
completed for IBM Tivoli Directory Server without error, check the
cfg_itim_mw.log in the system temp directory.
Note: If you run the middleware configuration utility silently, the response file
is updated during the configuration process.
Related topics
The output confirms that you have configured permissions for dc=com and
initialized the suffix with data.
dc=com
objectclass=domain
objectclass=top
dc=com
http://www.sun.com/software/products/directory_srvr_ee/index.html
http://docs.sun.com/app/docs/coll/1224.4
http://www.sun.com/software/products/directory_srvr_ee/get.jsp
Where portnumber the port number for the Sun Enterprise Directory Server and
SSL-port is the SSL port number for the Sun Enterprise Directory Server. For
examples:
v For UNIX systems, dsadm.sh create –p 1389 –P 1363 /local/itimldap
v For Windows systems, dsadm.exe create –p 1389 –P 1363 C:\itimldap
2. Start the Tivoli Identity Manager LDAP server. Issue the command:
dsadm.sh start instance-path
For example,
dsadm.sh start /local/itimldap
3. Create a root suffix. Issue the command:
dsconf.sh create-suffix –h host –p portnumber rootsuffix
For example,
dsconf.sh create-suffix –h localhost –p 1389 dc=com
This command creates the root suffix dc=com on the Tivoli Identity Manager
LDAP server.
If you receive an Unable to bind securely on host:portNumber message, use
the -unsecured parameter:
dsconf create-suffix –unsecured –h localhost –p 1389 dc=com
4. Create and save a file called dcequalscom.ldif with the following content:
dn:dc=com
dc:com
objectclass:top
objectclass:domain
5. Import the dcequalscom.ldif file to the dc=com root suffix. Issue the command:
dsconf.sh import -h hostname -p portnumber path/dcequalscom.ldif rootsuffix
For example,
Note: Sun Enterprise Directory Server access control instructions might have
enabled anonymous read access. To provide more secure data, modify the
default access control instructions to disable anonymous read access. For
more information, refer to the Sun Enterprise Directory Server
documentation.
The information in this chapter is not a substitute for the more extensive,
prerequisite documentation that is provided by the directory integrator product
itself.
http://www.ibm.com/software/sysmgmt/products/support/J958636N88774A05-
doc.html
You can install IBM Tivoli Directory Integrator on the same computer as Tivoli
Identity Manager or remotely. If you install Tivoli Identity Manager locally, the
Tivoli Identity Manager installation program automatically installs agentless
adapters and you can also choose to automatically install agentless adapter
profiles. If you install Tivoli Identity Manager remotely, you must manually install
the agentless adapters on the computer that hosts IBM Tivoli Directory Integrator,
and manually install agentless adapter profiles on the computer that hosts Tivoli
Identity Manager.
For more information about manually installing agentless adapters, see “Manually
installing agentless adapters and adapter profiles” on page 81.
For more information about installing the WebSphere Application Server, refer to
the following Web sites:
v Hardware and software requirements
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27006921
v Support
http://www.ibm.com/software/webservers/appserv/was/support/
v Information center
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp
Additional configuration steps are required if you want to install the IBM HTTP
Server and WebSphere Web Server plug-in.
For more information about installing the IBM HTTP Server, refer to the following
Web site:
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/
index.jsp?topic=/com.ibm.websphere.ihs.doc/info/welcome_ihs.html
For more information about planning to install the WebSphere Web Server plug-in,
refer to the following Web site:
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/
index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/tins_scenario5.html
Once you have completed the installation, the next step is installing IBM Tivoli
Directory Server. For more information, see “Installing and configuring IBM Tivoli
Directory Server” on page 27.
For more information on installing IBM HTTP Server, refer to the following Web
site:
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/
index.jsp?topic=/com.ibm.websphere.ihs.doc/info/welcome_ihs.html
For more information planning to install the WebSphere Web Server plug-in, refer
to the following Web site:http://publib.boulder.ibm.com/infocenter/wasinfo/
v6r1/index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/tins_scenario5.html
You can also install and configure Tivoli Identity Manager silently. For more
information, see Chapter 8, “Performing a silent installation and configuration of
Tivoli Identity Manager,” on page 85.
The dollar sign ($) has special meaning in the installer frameworks used by Install
Anywhere. Avoid using $ in any field values. The installer framework or operating
system platform might do variable substitution for the value.
Note: The license is always shown in the system locale of the machine and
not the installation language selected.
2. Click Next to advance past the copyright and legal text.
3. In the License Agreement window, read the license agreement and decide
whether to accept its terms. Optionally click Read non-IBM terms to read the
terms of any non-IBM products or Print to print out the license agreement. To
accept the terms and continue with the installation, select Accept, and then
click Next.
4. Accept the default ITIM_HOME installation directory, or select Choose to
select another directory. Then, click Next.
5. In the Installation Type window, select Single WebSphere Application Server.
Then, click Next.
6. The WebSphere Application Server Installation Directory window appears and
displays a value for the WebSphere Application Server installation directory,
or WAS_HOME, directory.
There can be multiple installations of the WebSphere Application Server on a
computer. If the directory displayed is not the directory in which you intend
to install the Tivoli Identity Manager Server, click Choose, enter the correct
directory value, and click Next.
7. From the WebSphere profile selection panel, select the WebSphere Application
Server profile name in which Tivoli Identity Manager is to be installed from
the list, and click Next.
Note: Once you click Install, if you click Cancel to cancel the installation you
get a message indicating that Tivoli Identity Manager is not installed.
However files are not automatically cleaned up through this action, and
this condition might result in a partial installation. Clean up any partial
installation manually before running Install again.
16. Complete the remaining automated installation program steps in “Responding
to major installation actions.”
Note: The DBConfig command creates the database table definitions that
Tivoli Identity Manager requires. Run this command only if the
command failed to configure the database during installation. If the
Tivoli Identity Manager database tables have been previously set,
running the DBConfig command first, drops all the existing Tivoli
Identity Manager tables.
4. Gathering directory server data and configuring the directory server.
Note: Running the ldapConfig command will restore default values that Tivoli
Identity Manager uses. If you have changed the value of any of these
Tivoli Identity Manager attributes, such as the password of the itim
manager user ID, the value is overwritten. Do not run the ldapConfig
command a second time, unless the LDAP configuration fails during the
Tivoli Identity Manager Server installation process.
5. Gathering Tivoli Identity Manager data and configuring the Tivoli Identity
Manager Server.
The Tivoli Identity Manager installation program copies a set of Tivoli Identity
Manager property files to the ITIM_HOME\data directory. During this step,
you can use the GUI to change some of the Tivoli Identity Manager properties.
For more information, see “Configuring commonly used system properties” on
page 75.
The Tivoli Identity Manager installation program also configures the
WebSphere environment settings that the Tivoli Identity Manager Server
requires. This step takes several minutes to complete.
If an error occurs, record the error message that is displayed. The message
might describe a problem in configuring the WebSphere environment settings
that the Tivoli Identity Manager Server requires.
Continue the Tivoli Identity Manager installation program. When the
installation completes, complete these steps:
a. Examine the errors and provide a corrective action. There is more
information in the ITIM_HOME\install_logs\runConfigFirstTime.stdout log
file. You might also need to refer to documentation that the WebSphere
product provides.
b. When the correction is complete, use this command:
To update commonly-used Tivoli Identity Manager properties, run the
following command:
The runConfig utility also accepts an install parameter. Use runConfig with
the install parameter when there is a problem reported for runConfig
during the Tivoli Identity Manager installation. Note that system
configuration requires several minutes to complete if the install option is
used.
v Windows: ITIM_HOME\bin\runConfig.exe install
v UNIX/Linux: ITIM_HOME/bin/runConfig install
New log data is recorded in the ITIM_HOME\install_logs\runConfig.stdout
log file.
6. Deploying the Tivoli Identity Manager Server onto the WebSphere Application
Server.
The Tivoli Identity Manager application runs within the WebSphere Application
Server as an enterprise application. The Tivoli Identity Manager installation
program uses the WebSphere command-line interface (wsadmin) to deploy the
Tivoli Identity Manager application onto the WebSphere Application Server.
Deploying the Tivoli Identity Manager application also performs certain
configuration steps on the WebSphere Application Server. These steps require
several minutes to complete.
When the deployment completes, the Tivoli Identity Manager files are in these
directories:
v WAS_PROFILE_HOME\installedApps\cellname\ITIM.ear
v WAS_PROFILE_HOME\config\cells\cellname\applications\ITIM.ear
Note: For the deployment manager node, these files are only in the
WAS_NDM_PROFILE_HOME\config\cells\cellname\applications\
ITIM.ear directory
If the log data indicates failure to establish a SOAP connection to the
WebSphere Application Server configuration manager, or some type of
WebSphere Application Server scripting error, complete these steps:
a. Exit the Tivoli Identity Manager installation program.
b. Resolve the problem that prevents connection to the WebSphere Application
Server or a problem described as a scripting error. For more information,
refer to the WebSphere documentation.
c. Manually delete all files in the ITIM_HOME directory.
d. Run the Tivoli Identity Manager installation program again.
If the log data indicates that failure is due to a timeout, continue the Tivoli
Identity Manager installation program.
If the Tivoli Identity Manager installation program has completed, delete the
following directories if they exist:
v WAS_PROFILE_HOME\installedApps\cellname\ITIM.ear
v WAS_PROFILE_HOME\config\cells\cellname\applications\ITIM.ear
Run one of the following commands to deploy the Tivoli Identity Manager
Server onto the WebSphere Application Server:
v If WebSphere administrative security and application security is on, run this
command:
ITIM_HOME\bin\setupEnrole install server:server_name user:user_id
password:pwd ejbuser:ejb_user_id
If you cannot start and log on to Tivoli Identity Manager, see Chapter 9, “Verifying
and troubleshooting the installation,” on page 93.
Note: If the same computer has both the deployment manager and a Tivoli
Identity Manager cluster member, you must select both the deployment
manager and the cluster member node types when you run the Tivoli
Identity Manager installation program.
The dollar sign ($) has special meaning in the installer frameworks used by Install
Anywhere. Avoid using $ in any field values. The installer framework or operating
system platform might do variable substitution for the value.
Note: The license is always shown in the system locale of the machine and
not the installation language selected.
2. Click Next to advance past the copyright and legal text.
3. In the License Agreement window, read the license agreement and decide
whether to accept its terms. Optionally click Read non-IBM terms to read the
terms of any non-IBM products or Print to print out the license agreement. To
accept the terms and continue with the installation, select Accept, and then
click Next.
4. Accept the default ITIM_HOME installation directory, or select Choose to
select another directory. Then, click Next.
5. In the Installation Type window, select Regular WebSphere cluster. Then,
click Next.
6. In the Installing Tivoli Identity Manager on a Cluster Environment window,
read the conditions that apply to a cluster environment. Before continuing,
apply any other changes that are necessary to configure the environment for
these conditions. For example, verify that the deployment manager and all
Note: Once you click Install, if you click Cancel to cancel the installation you
get a message indicating that Tivoli Identity Manager is not installed.
However files are not automatically cleaned up through this action.
This condition might result in a partial installation. Clean up any
partial installation manually before running Install again.
22. Complete the remaining automated installation program. “Responding to
major installation actions” describes these major steps.
Note: The DBConfig command creates the database table definitions that
Tivoli Identity Manager requires. Run this command only if the
command failed to configure the database during installation. If the
Tivoli Identity Manager database tables have been previously set,
running the DBConfig command first, drops all the existing Tivoli
Identity Manager tables.
3. If installation is on the deployment manager, the next step is gathering
directory server data and configuring the directory server.
In this step, the Tivoli Identity Manager installation program sets up the LDAP
schema and defines default settings for Tivoli Identity Manager. For more
information, see “Configuring the directory server” on page 74.
If an error occurs, record the error message. The message might describe a
problem in setting up the LDAP schema or creating a configuration of data on
the directory server.
Continue the Tivoli Identity Manager installation program. When the
installation completes, complete these steps:
a. Examine the errors and provide a corrective action. There is more
information in the ITIM_HOME\install_logs\ldapConfig.stdout log file. You
might also need to refer to documentation that the directory server product
provides.
b. Save the current log data by renaming the ITIM_HOME\install_logs\
ldapConfig.stdout log file.
c. When the correction is complete, use these commands to configure the
directory server:
v Windows operating systems:
ITIM_HOME\bin\ldapConfig.exe
v UNIX or Linux operating systems:
ITIM_HOME/bin/ldapConfig
New log data is recorded in the ITIM_HOME\install_logs\
ldapConfig.stdout log file.
Note: Running the ldapConfig command will restore default values that
Tivoli Identity Manager uses. If you have changed the value of any of
these Tivoli Identity Manager attributes, such as the password of the
itim manager user ID, the value is overwritten. Do not run the
ldapConfig command a second time, unless the LDAP configuration
fails during the Tivoli Identity Manager Server installation process.
4. If installation is on the deployment manager or on a cluster member, the Tivoli
Identity Manager installation program copies a set of Tivoli Identity Manager
The runConfig utility also accepts an install parameter. Use runConfig with
the install parameter when there is a problem reported for runConfig
during the Tivoli Identity Manager installation. Note that system
configuration requires several minutes to complete if the install option is
used.
v Windows: ITIM_HOME\bin\runConfig.exe install
v UNIX/Linux: ITIM_HOME/bin/runConfig install
New log data is recorded in the ITIM_HOME\install_logs\runConfig.stdout
log file.
5. Deploying Tivoli Identity Manager onto the deployment manager.
The Tivoli Identity Manager application runs within the WebSphere Application
Server as an enterprise application. The Tivoli Identity Manager installation
program uses the WebSphere command-line interface (wsadmin) to deploy the
Tivoli Identity Manager application onto the deployment manager.
The Tivoli Identity Manager installation program also configures the
WebSphere environment settings that the Tivoli Identity Manager Server
requires. The deployment takes several minutes to complete.
When the deployment completes, the Tivoli Identity Manager files are in the
WAS_NDM_PROFILE_HOME\config\cells\cellname\applications\ITIM.ear
directory.
Starting clusters
When installation completes and configuration and security modification is done,
restart all node agents where cluster members are running, then start your clusters.
On the WebSphere administrative console, complete these steps:
1. Start both the Tivoli Identity Manager application and the Tivoli Identity
Manager messaging cluster.
a. Click Servers > Clusters.
b. Select the Tivoli Identity Manager clusters.
c. Click Start. The Tivoli Identity Manager application starts when the clusters
start.
If the status of the Tivoli Identity Manager application indicates a partial start,
complete these steps:
1. Locate the computer that has the cluster member that fails to start.
2. Examine the following log files of the computer where the cluster member
resides to determine whether the Tivoli Identity Manager server has started
successfully:
v WAS_PROFILE_HOME\logs\server_name\SystemOut.log
v TIVOLI_COMMON_DIRECTORY\CTGIM\logs\trace.log
3. Correct the problem. Then, use the WebSphere administrative console to start
the cluster member.
The value of hostname is the fully qualified name or IP address of the computer
which hosts the WebSphere Application Server cluster member and the Tivoli
Identity Manager Server application. The value of port is the port number of
the WebSphere virtual host. The default port number is 9080. If you have
multiple instances of the WebSphere Application Server on the same computer,
the port number might be a different value, such as 9081. The port number can
be removed if an HTTP server is used as the front-end proxy. For more
information, see “Determining the port number of the default host” on page
101.
The browser displays the Tivoli Identity Manager logon window. Enter the
Tivoli Identity Manager administrator user ID (itim manager) and password
(immediately after installation, the value is secret).
3. After a first, successful logon, the logon window immediately prompts you to
change the administrator password. Ensure that your password change is
successful. After you change the password, you are ready to create your
organization object and a user that is called an ITIM User.
If you cannot start and log on to Tivoli Identity Manager, see Chapter 9, “Verifying
and troubleshooting the installation,” on page 93.
After the language pack has been successfully installed, you can change the
language displayed in the Tivoli Identity Manager interface by changing the
language preference for your browser: Make language preference changes prior to
logging into Tivoli Identity Manager.
For Internet Explorer, complete the following steps:
To uninstall the language pack from the system, change to the ITIM_HOME\timlp
directory, and then enter this language pack command at a command prompt:
java –jar timlp_uninstall.jar
Note: If you have upgraded from Tivoli Identity Manager version 5.0 to version
5.1 and are using a service instance that was created using a Tivoli Identity
Manager 5.0 profile, you must upgrade to the 5.1 adapter before you create
groups on the service. The adapters for Tivoli Identity Manager 5.0 do not
support group management.
For more information about the role of adapters, see “Tivoli Identity Manager
adapters” on page 3
Optionally, you can configure security after installing Tivoli Identity Manager. For
more information about configuring security post-install for Tivoli Identity
Manager, see Appendix B, “Configuring security for Tivoli Identity Manager,” on
page 127.
To manually start the database configuration tool (DBConfig), complete these tasks:
1. Back up the ITIM_HOME\install_logs\dbConfig.stdout file.
2. Run the following command:
v Windows: ITIM_HOME\bin\DBConfig.exe
v UNIX/Linux: ITIM_HOME/bin/DBConfig
Note: You must run the runConfig command after running DBConfig to ensure
that database changes are updated.
If DBConfig has never run after an install completes, you must run the
following commands to update changes:
v Windows operating systems:
ITIM_HOME\bin\runConfig.exe install
v UNIX or Linux operating systems:
ITIM_HOME/bin/runConfig install
Running the ldapConfig command will restore default values that Tivoli Identity
Manager uses. If you have changed the value of any of these Tivoli Identity
You can run the system configuration tool manually. For more information, see
“Manually starting the system configuration tool” on page 80. For alternative ways
to configure system properties, see “Modifying system properties during normal
operation” on page 82.
Related topics:
General tab
Click the General tab. The General tab of the system configuration tool configures
the general information about the Tivoli Identity Manager Server.
The following field values on the General tab are prefilled by the installation
program:
v Scheduling information
– Heart Beat (seconds)
The Scheduling Information field displays information about how frequently
a scheduling thread queries the scheduled message stores for events to
process (Heart Beat). You might want to consider performance issues before
you enable a more frequent beat. Only system administrators can modify the
Heart Beat, which is measured in seconds.
– Recycle Bin Age Limit (days)
When you delete Tivoli Identity Manager objects (such as organization units,
persons, or accounts), the objects are not immediately removed from the
system. Instead, they are moved to a recycle bin container. Emptying the
recycle bin is a separate deletion process that involves running cleanup
scripts.
The recycle bin is disabled by default but can be enabled by editing the
enRole.properties file in the ITIM_HOME\data directory.
For example, to avoid assigning an old user ID to a new user, the assignment
process might check the recycle bin to determine if an old user ID exists. You
might set the value of the recycle bin interval to an interval that determines
the length of time to retain old user IDs.
The Recycle Bin Age Limit field specifies the number of days that an object
remains in the recycle bin of the system before it becomes available for
deletion by cleanup scripts. The cleanup scripts can only remove those objects
that are older than the age limit setting. For example, if the age limit setting is
62 days (the default value), only objects that have been in the recycle bin for
more than 62 days can be deleted by cleanup scripts.
You can use the following scripts to either manually remove or to schedule
the periodic cleanup of recycle bin entries with expired age limits:
Related topics:
Directory tab
Click the Directory tab. The Directory tab of the system configuration tool displays
directory connection information and LDAP connection pool information. The tab
also has a Test button to test the connection to the directory server. If you update
any field on this tab, click Test to ensure that the connection works.
The information is pre-filled for the deployment manager, but not for a WebSphere
Application Server. If necessary, modify the following information for the directory
server:
v Principal DN and password that the Tivoli Identity Manager Server uses to log
on to the directory server
v Host name or IP address for the directory server
For IPv6, literal addresses need to be enclosed in brackets. For example,
[abcd:abcd:abcd:abcd:abcd:abcd:abcd:abcd]
Related topics:
Database tab
Click the Database tab. The Database tab displays general database information
and database pool information. The tab also has a Test button to test the
If this installation is on a cluster member, the information must match the database
specification previously made for the deployment manager.
v In the JDBC URL field, specify the URL value with type 4 JDBC Driver URL
format.
For IPv6, literal addresses need to be enclosed in brackets. For example,
jdbc:db2://[abcd:abcd:abcd:abcd:abcd:abcd:abcd:abcd]:50002/itimdb
Related topics:
Logging tab
Click the Logging tab.
The Logging tab of the system configuration tool enables you to set the level of
tracing. Choose one of these values:
MIN Writes less information to the log file. Use this setting for best
performance.
MID Writes an increased amount of information to the log file.
MAX Writes the maximum amount of information to the log file. The increased
amount of logging activity might affect performance. This setting is
approximately the equivalent of VERBOSE.
Related topics:
Mail tab
Click the Mail tab.
Related topics:
UI tab
Click the UI tab.
The UI tab of the system configuration tool displays information to customize the
Tivoli Identity Manager Server GUI.
v In the Customer Logo field, specify the path and file name of the logo graphic.
v In the Customer Logo Link field, specify an optional URL link activated by
clicking the logo image. System administrators can specify these two variables to
replace the IBM logo with their company logo throughout the Tivoli Identity
Manager system. The default IBM logo file is the ibm_banner.gif file, which is
located in the WAS_PROFILE_HOME\installedApps\cellname\ITIM.ear\
itim_console.war\html\images directory. In a cluster configuration, this default
logo can be found in the node member workstation and not on the Deployment
Manager workstation.
v In the List Page Size field, specify how many items that require a search in the
directory are displayed on lists throughout the user interface. If the total number
of items exceeds the set List Page Size, the list is spread over multiple pages. For
Related topics:
Security tab
Click the Security tab. The Security tab of the system configuration tool displays
information to manage database, LDAP, and application server user IDs and
passwords that are stored in Tivoli Identity Manager properties files. The tab
displays the encryption settings and application server user management
preferences in Tivoli Identity Manager.
By default, passwords in the Tivoli Identity Manager property files are encrypted.
v In the Encryption box, check the box to encrypt the passwords used for database
and directory server connections and the password of the EJB user that is used
for EJB authentication. The encryption flags are set to true. Clear the box to
decrypt the passwords and set the flags to false. The flags are represented by the
following properties in the enRole.properties file:
enrole.password.database.encrypted
enrole.password.ldap.encrypted
enrole.password.appServer.encrypted
v In the System User and System User Password fields, specify the system user
and the system user password. The fields are pre-filled if WebSphere
administrative security and application security is on, and an administrator user
ID and password have been entered. The fields are blank if WebSphere
administrative security and application security is not on.
v In the EJB User and EJB User Password fields, specify the EJB user and the EJB
user password. The fields initially take the values of the System User and
Password fields.
If you define your own EJB user during installation to be different from the
System User, you might need to modify the EJB User and EJB User Password
fields. If you change the value of the EJB user ID or the EJB password on this
system configuration Security window and run runConfig as a stand-alone
command, additional manual steps are required after Tivoli Identity Manager
installation to map the security role to the Tivoli Identity Manager user in order
to start Tivoli Identity Manager. For more information, see “Mapping an
administrative user to a role” on page 131.
Related topics:
Running the system configuration tool writes log data to the ITIM_HOME\
install_logs\runConfig.stdout log file.
The following tasks are for agentless adapter installation only. For information
about installing agent-based adapters and adapter profiles, see the Installing
section of the Tivoli Identity Manager Information Center.
Note: You can also install them by selecting Configure System > Manage Service
Types > Import from the administrative console user interface.
Related topics:
You might need to restart the Tivoli Identity Manager Server when changes are
made to certain system properties such as the server startup modules, which are
not recognized unless you restart the server. Restart the Tivoli Identity Manager
Server after modifying any property using the system configuration tool. Changes
to other system properties can be recognized within 30 seconds. Logging properties
can be changed without restarting the server and changes take effect within 5
minutes.
System and supplemental property files are located on the Tivoli Identity Manager
Server in the ITIM_HOME\data directory. These files contain all the system and
supplemental properties used by the server. For more information about system
properties located in the enRole.properties file, refer to the IBM Tivoli Identity
Manager Information Center.
From the Set Systems Security tab, you can modify the following properties:
v Enable/disable password editing
v Password expiration period (number of days)
This property is only for the Tivoli Identity Manager Server account. The user
has to change the password before this period is reached. Whenever a new
password is set for the Tivoli Identity Manager Server account, the password
expiration period is affected from that time. You can disable password expiration
by setting this value to zero.
v Password retrieval expiration period (number of hours)
After the new account is created, the user receives an e-mail with the URL link
that provides the password. The user has to get the password before this
password retrieval period expires.
v Maximum number of invalid logon attempts
Sets the maximum number of invalid logon attempts. If exceeded, the account is
suspended. The default setting is ″0″ (unlimited logon attempts).
From the Configure Forgotten Password Settings tab, you can modify the following
properties:
v Lost password question behavior
The installation program reads input from the two response files,
installvariables.properties and configReponse.properties. The
installvariables.properties file has the installer-related input values such as the
installation directory, database type, directory server type, and so on. The
configResponse.properties file has system configuration input values such as the
database server location, LDAP server location, and so on, There are different
filenames for an upgrade scenario. The following set of response files are needed
for clean installation and for the upgrade depending on the application server
type:
v Clean installation:
– For single-server or deployment manager:
installvariables.properties, configResponse.properties
– For cluster members:
installvariables.properties, configResponseCM.properties
v Upgrade:
– For single-server or deployment manager:
installvariablesUpgrade.properties, configResponseUpgrade.properties
– For cluster members: installvariablesUpgrade.properties,
configResponseCMUpgrade.properties
Notes:
1. You can use a different file name for the installation response file (for example,
installvariablesUpgrade.properties) because it can be passed to the installer
with the "-f" flag, but the name of the configuration response file must always
be configResponse.properties
2. The configResponse.properties or configResponseUpgrade.properties template
only contains the minimum set of required system properties. You can add
additional system properties to the file if necessary. Use the convention:
sysConfigResponse.propertyFileName.propertyName=value. For example:
sysConfigResponse.enRoleLDAPConnection.enrole.ldapserver.ip=localhost
sysConfigResponse.enRoleLDAPConnection.enrole.ldapserver.port=389
sysConfigResponse.enRoleLDAPConnection.java.naming.security.principal=cn=root
sysConfigResponse.enRoleLDAPConnection.java.naming.security.credentials=xxxxxx
The system configuration program running in silent mode sets the values of the
listed properties in the enRoleLDAPConnection.properties file. This file is
located in the ITIM_HOME/data directory.
Note: If you have the installer and the response files in the different
directory or in the different drive, then you have to use the relative or
absolute path for the installvariables.properties file and you have to
use the absolute path for the configResponse.properties file. For
example, if the response files are in the C:\temp directory on a
Windows machine, use this command:
instwin.exe -i silent -f C:\temp\installvariables.properties
-DITIM_CFG_RESP_FILE_DIR=C:\temp
Note: If you have the installer and the response files in the different
directory or in the different drive, then you have to use the relative or
absolute path for the installvariables.properties file and you have to
use the absolute path for the configResponse.properties file. For
example, if the response files are in the C:\temp directory on a
Windows machine, use this command:
instwin.exe -i silent -f C:\temp\installvariablesUpgrade.properties
-DITIM_CFG_RESP_FILE_DIR=C:\temp
Silent installation might take some time to complete. To check on the installation
progress, check the itim_install_activity.log file located in the ITIM_HOME\
install_logs directory.
Verify the installation and troubleshoot to resolve any problems that happened
during installation and startup. For more information, see Chapter 9, “Verifying
and troubleshooting the installation,” on page 93.
Note: If you have the installer and the response files in the different
directory or in the different drive, then you have to use the relative
or absolute path for the installvariables.properties file and you have
to use the absolute path for the configResponse.properties file. For
example, if the response files are in the C:\temp directory on a
Windows machine, use this command:
instwin.exe -i silent -f C:\temp\installvariables.properties
-DITIM_CFG_RESP_FILE_DIR=C:\temp
Note: If you have the installer and the response files in the different
directory or in the different drive, then you have to use the relative
or absolute path for the installvariables.properties file and you have
to use the absolute path for the configResponse.properties file. For
example, if the response files are in the C:\temp directory on a
Windows machine, use this command:
instwin.exe -i silent -f C:\temp\installvariables.properties
-DITIM_CFG_RESP_FILE_DIR=C:\temp
Note: If you have the installer and the response files in the different
directory or in the different drive, then you have to use the relative
or absolute path for the installvariablesUpgrade.properties file and
you have to use the absolute path for the configResponse.properties
file. For example, if the response files are in the C:\temp directory
on a Windows machine, use this command:
instwin.exe -i silent -f C:\temp\installvariablesUpgrade.properties
-DITIM_CFG_RESP_FILE_DIR=C:\temp
Note: If you have the installer and the response files in the different
directory or in the different drive, then you have to use the relative
or absolute path for the installvariablesUpgrade.properties file and
you have to use the absolute path for the configResponse.properties
file. For example, if the response files are in the C:\temp directory
on a Windows machine, use this command:
instwin.exe -i silent -f C:\temp\installvariablesUpgrade.properties
-DITIM_CFG_RESP_FILE_DIR=C:\temp
Silent installation might take some time to complete. To check on the installation
progress, check the itim_install_activity.log file located in the ITIM_HOME\
install_logs directory.
Verify the installation and troubleshoot to resolve any problems that happened
during installation and startup. For more information, see Chapter 9, “Verifying
and troubleshooting the installation,” on page 93.
You can test whether the database, the directory server, and other programs that
the Tivoli Identity Manager Server uses are correctly configured and are in full
communication with each other.
Additionally, examine the log files in the logs directory for entries that indicate the
status of server1. For example, examine the log files in the WAS_PROFILE_HOME\
logs\server1 directory.
If a message engine is not started, click the messaging engine name, and under the
Additional Properties section, click Message store to see the data source JNDI
name. From this JNDI name, you can link the Tivoli Identity Manager data source
defined under the Resources section and test the data source connection. If the
data source connection test fails, see “Testing the database connection” for more
information about how to resolve the issue. If the connection test succeeds,
examine the WAS_PROFILE_HOME\logs\server_name\SystemOut.log file to
determine the reason that the messaging engine cannot be started.
Repeat these steps for the ITIM Bus DataSource, and for clusters, additionally test
the ITIM BUS Shared DataSource.
For example, if the db2 is running on the port 50000, then you see the
following line as the output:
To determine whether the IBM Tivoli Directory Server is running, complete these
steps:
v On Windows systems, click Start > Programs > Administrative Tools >
Services. Locate the directory server entry, such as IBM Tivoli Directory Server
Instance V6.2 - ldapdb2
Ensure that the directory server service is started. If the service has not started,
select it, and then select Action > Start from the main menu of the Services
window.
v On UNIX/Linux systems, ensure that the ibmslapd process is running. Enter this
command:
ps -ef | grep ibmslapd
The ps (process) command searches for processes. The grep command selects the
processes that contain a string. The parameters in this example include:
-e Select all processes.
-f Display a full listing.
If the IBM Tivoli Directory Server is running, a process ID (PID) number is
returned. If a PID number is not returned, the server must be restarted. First,
stop the server:
ibmslapd -I <instancename> -k
If problems continue, examine the ibmslapd.log file for messages that indicate
whether the directory server is completely or partially started. The location of the
log file depends on the IBM Tivoli Directory Server version:
Windows:
ITDS_INSTANCE_HOME\logs\ibmslapd.log. For example, the file is in the
C:\idsslapd-ldapdb2\logs directory.
UNIX/Linux:
ITDS_INSTANCE_HOME/etc/ibmslapd.log. On Linux, for example, the file
is in the /home/ldapdb2/idsslapd-ldapdb2/etc/logs directory.
If the Java plug-in is not installed on your system, or is not at a supported level,
the browser prompts you to install the plug-in. For more information about these
steps, refer to the Tivoli Identity Manager Information Center.
When the deployment completes, the Tivoli Identity Manager files are in these
directories:
v WAS_PROFILE_HOME\installedApps\cellname\ITIM.ear
v WAS_PROFILE_HOME\config\cells\cellname\applications\ITIM.ear
If the deployment fails, check the installation log files under ITIM_HOME\
install_logs\ starting with the itim_install_activity.log, and examine the
setupEnrole.stdout log file.
If the Tivoli Identity Manager installation program has completed, delete the
following directories if they exist:
v WAS_PROFILE_HOME\installedApps\cellname\ITIM.ear
v WAS_PROFILE_HOME\config\cells\cellname\applications\ITIM.ear
100 IBM Tivoli Identity Manager Server: Installation and Configuration Guide
Run one of the following commands to deploy the Tivoli Identity Manager Server
onto the WebSphere Application Server:
v If WebSphere administrative security and application security is on, run this
command:
– Windows operating systems:
ITIM_HOME\bin\setupEnrole.exe install server:name user:user_id
password:pwd ejbuser:ejb_user_id
– UNIX or Linux operating systems:
ITIM_HOME/bin/setupEnrole.sh install server:name user:user_id
password:pwd ejbuser:ejb_user_id
The value of server_name is the name of the WebSphere Application Server on
which the Tivoli Identity Manager application is deployed. The value of user_id
is the WebSphere administrator user ID, such as wasadmin. The value of pwd is
the password for the WebSphere administrator user ID, such as wasadmin. The
value of ejb_user_id is the Tivoli Identity Manager EJB user ID, which uses the
WebSphere Application Server administrator user ID by default.
v If WebSphere administrative security and application security is off, enter this
command:
– Windows operating systems:
ITIM_HOME\bin\setupEnrole.exe install server:name
– UNIX or Linux operating systems:
ITIM_HOME/bin/setupEnrole.sh install server:name
Log files
When the system configuration is complete, you can find the log files in Table 5 in
the directories specified.
Table 5. Installation log file names and directories
File names Description and location
log.txt Installation log file for WebSphere
Application Server.
102 IBM Tivoli Identity Manager Server: Installation and Configuration Guide
Chapter 10. Upgrading to Tivoli Identity Manager Version 5.1
The Tivoli Identity Manager installation program upgrades a computer that has the
following versions of Tivoli Identity Manager:
v Tivoli Identity Manager Version 4.6
v Tivoli Identity Manager Version 5.0
Some manual steps are required to preserve or recustomize settings. This section
describes upgrading both single-server and cluster configurations. For more
information about prerequisite software that this release supports, refer to the Tivoli
Identity Manager Information Center.
Note: If you are upgrading from Linux SUSE 9 to SUSE 10, make sure to back
up your existing /etc/services file before the upgrade and copy the file
back to the /etc directory after upgrade.
2. Migrate your database to the supported version, and ensure that you can
perform database commands.
3. Migrate your directory server to the supported version, and ensure that you
can perform directory server commands.
4. If you are using IBM Tivoli Directory Integrator, migrate it to the supported
version.
5. If you are upgrading from Tivoli Identity Manager Version 4.6, install
WebSphere Application Server Version 6.1 in a separate directory. Running
WebSphere Application Server Version 6.1 upgrade utilities (WASPreUpgrade
and WASPostUpgrade) is not recommended. To perform the installation,
perform the following tasks:
v Single-server: Install WebSphere Application Server 6.1 and any necessary fix
packs for a stand-alone node.
v Cluster: Install WebSphere Application Server 6.1 and any necessary fix packs
on the deployment manager node and each cluster member node, then
federate the nodes to the cell and create a cluster.
If you do not want to disable the old version of WebSphere Application Server
upon installing WebSphere Application Server Version 6.1, make sure to choose
the option to allow coexistence with WebSphere Application Server Version 5.1.
WebSphere Application Server Version 6.1 detects any port conflicts with the
older version.
For more information about installation, refer to Chapter 5, “Installing and
configuring WebSphere Application Server,” on page 41 or the WebSphere
documentation at this Web site:
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp
If you are upgrading from Tivoli Identity Manager Version 5.0, apply any
necessary fix packs to WebSphere Application Server 6.1.
Note: To perform the upgrade, you must select the current ITIM_HOME
directory as the Tivoli Identity Manager Version 5.1 installation location.
After making an upgrade, you can validate the current Tivoli Identity
Manager version by examining the copyright notice in the header of the
Messages.properties file in the ITIM_HOME\data directory.
104 IBM Tivoli Identity Manager Server: Installation and Configuration Guide
– SelfServiceScreenText.properties
– SelfServiceScreenText_en.properties
– SelfServiceHelp.properties
– SelfServiceUI.properties
– SelfServiceHomePage.properties
– scriptframework.properties
v The following workflow system files in the data\workflow_systemprocess
directory:
– notifytemplate.html
Note: The notification template has been modified since Tivoli Identity
Manager Version 5.0. To use the new template, rename
notifytemplate.html.5.0 back to notifytemplate.html. For more
information about migration of notification templates, see “Migrating
notification templates” on page 114.
– addserviceselectionpolicy.xml
v Any default notification templates stored in LDAP if they were modified in
Tivoli Identity Manager Version 4.6 or 5.0. If you are upgrading from Tivoli
Identity Manager 4.6 and none of the default notification templates were
modified in Version 4.6, the upgrade process replaces all of them with the new
templates. For more information about manual migration of notification
templates, see “Migrating notification templates” on page 114.
All other customized data and settings are lost after the upgrade process. For more
information, see “Preserving customized data manually” on page 114. These user
customizations are not preserved:
v Java security (for Tivoli Identity Manager 4.6 on WebSphere Application Server
5.1)
If you are upgrading from Tivoli Identity Manager 4.6, you need to manually
apply the changes that you made for the previous IBM Development Kit for Java
to the new IBM Development Kit for Java bundled with WebSphere Application
Server 6.1.
v Custom logos used in a Welcome page and XLS style sheets. If you modified the
welcome page, you must reimplement the Styles.css file.
v EJB user ID and password (for Tivoli Identity Manager 4.6 on WebSphere
Application Server 5.1)
During upgrade the user enters the WebSphere Application Server 6.1
administrator user ID and password. If you are running Tivoli Identity Manager
4.6 on WebSphere Application Server 5.1, the user ID and password might be the
same or different from this new entry. The default Tivoli Identity Manager EJB
user ID and password on the Security tab of the system configuration GUI is set
as the same as the WebSphere Application Server 6.1 administrative user ID and
106 IBM Tivoli Identity Manager Server: Installation and Configuration Guide
Identity Manager application. If you are upgrading from Tivoli Identity
Manager 4.6, for running workflow processes to continue to run after upgrade,
make sure that the JMS messages in the JMS queues are clear. See “Determining
that the WebSphere MQ message queue is empty” on page 113 for details on
how to check the JMS queues.
4. Migrate the database server to the supported version. Then, back up the Tivoli
Identity Manager database, and ensure that the database server is running.
v DB2 Database
For information about upgrading DB2 Database, refer to this Web site:
http://publib.boulder.ibm.com/infocenter/db2luw/v9/index.jsp
Note: Upon upgrade of DB2 Database, the port number might change. Verify
that the port number you are using. For more information, see
“Determining the correct service listening port and service name” on
page 17.
v Oracle
For information about upgrading Oracle, refer to this Web site:
http://www.oracle-base.com/articles/11g/UpgradingTo11g.php
v SQL Server 2005
For information about upgrading SQL Server 2005, refer to this Web site:
http://www.microsoft.com/sql/solutions/upgrade/default.mspx
For information about configuring SQL Server 2005, see “Configuring SQL
Server 2005” on page 24.
5. Migrate the directory server to the supported version. Then, back up the Tivoli
Identity Manager schema and data, and ensure that the directory server is
running. For Tivoli Identity Manager Version 4.6 or 5.0 recovery purposes,
export the Tivoli Identity Manager LDAP directory to an LDIF file. If you are
running the IBM Tivoli Directory Server, configure the IBM Tivoli Directory
Server referential integrity plug-in. For more information, see “Manually
configuring the referential integrity plug-in on the IBM Tivoli Directory Server”
on page 32.
Note: Migration is not necessary if you are using IBM Tivoli Directory Server
Version 6.1 or 6.2 or Sun Enterprise Directory Server 6.3, which are
supported directory servers.
6. Complete these steps for the WebSphere Application Server installation and
configuration:
v Single-server: Install any necessary fix packs. If you are upgrading from
Tivoli Identity Manager 4.6, install WebSphere Application Server 6.1 and
any necessary fix packs for a stand-alone node.
v Cluster: Install any necessary fix packs. If you are upgrading from Tivoli
Identity Manager 4.6, install WebSphere Application Server 6.1 and any
necessary fix packs on the deployment manager node and each cluster
member node, then federate the nodes to the cell and create clusters for the
Tivoli Identity Manager application and the messaging engine.
7. On a single-server configuration, and on each cluster member in a cluster
configuration, complete these steps:
a. Back up the itim directory.
b. If you are upgrading from Tivoli Identity Manager 4.6, access the
OLD_WAS_HOME\installedApps\cellname\enRole.ear directory and store
any customized files in a temporary holding area.
108 IBM Tivoli Identity Manager Server: Installation and Configuration Guide
b. Enter the drive and path where the installation program is located and
then enter the following command:
instwin.exe
The Welcome window opens.
v UNIX/Linux:
a. Open a command shell prompt window, and navigate to the directory
where the installation program is located.
b. Enter the following command for the Tivoli Identity Manager
installation program:
– AIX:
instaix.bin
– Linux:
instlinux.bin
– pLinux:
instplinux.bin
– zLinux:
instzlinux.bin
– Solaris:
instsol.bin
The installation program starts and displays the Welcome window.
If you are running the installation program on a UNIX/Linux system that
does not have at least 150MB of free space in the /tmp directory, you
should set the IATEMPDIR environment variable to a directory on a disk
partition with enough free disk space. To set the variable, enter one of the
following commands at the command line prompt before running the
installation program again:
– Bourne shell (sh), ksh, bash, and zsh:
$ IATEMPDIR=temp_dir
$ export IATEMPDIR
– C shell (csh) and tcsh:
$ setenv IATEMPDIR temp_dir
where temp_dir is the path to the directory, for example
/your/free/directory, where free disk space is available.
2. Select the appropriate language and click OK.
3. Click Next to advance past the copyright and legal text.
4. In the License Agreement window, read the license agreement and decide
whether to accept its terms. If you do, select Accept and click Next.
5. In the Choose Install Directory window, you must select the existing Tivoli
Identity Manager home directory that you want to upgrade. Accept the
existing directory, or click Choose and select the correct directory. Then, click
Next.
6. In the Upgrade IBM Tivoli Identity Manager window, click Continue to Next
to start the upgrade.
7. Read the caution windows to ensure that the prerequisite applications meet
the requirements that Tivoli Identity Manager supports. Then, click Next.
8. In the WebSphere Application Server installation directory window, specify
the location of WebSphere Application Server 6.1. There can be multiple
instances of the WebSphere Application Server on the computer. Click Next.
Note: For Sun Enterprise Directory Server 6.3, if the upgrade adds new
indexes, you must index your data again after the upgrade to Tivoli
Identity Manager Version 5.1 has completed.
18. After the installation has completed, you might have to manually update any
customizations which were not preserved during the upgrade process. For
more information, see “Preserving customized data manually” on page 114.
110 IBM Tivoli Identity Manager Server: Installation and Configuration Guide
Upgrading a cluster configuration
The upgrade process performs these tasks in a cluster configuration:
1. Backs up files in the ITIM_HOME\data directory.
2. Replaces the files in the ITIM_HOME directory.
3. On the computer that has the deployment manager, does these tasks:
a. Deploys the Tivoli Identity Manager application to WebSphere Application
Server.
b. Starts the system configuration tool (runConfig), which prompts the user to
examine current system configuration values, updates several Tivoli Identity
Manager properties files, and configures WebSphere Application Server for
Tivoli Identity Manager. For more information, see “Processes and settings
that the upgrade process preserves” on page 104.
c. Upgrades the Tivoli Identity Manager database schema and data.
d. Upgrades the Tivoli Identity Manager directory server schema and data.
4. On each computer that has a Tivoli Identity Manager cluster member, starts the
system configuration tool (runConfig), which prompts the user to examine
current system configuration values, updates several Tivoli Identity Manager
properties files, and configures WebSphere Application Server for Tivoli
Identity Manager. For more information, see “Processes and settings that the
upgrade process preserves” on page 104.
112 IBM Tivoli Identity Manager Server: Installation and Configuration Guide
Change the EJB user ID and password on the Security tab if the user ID and
password are different from the WebSphere Application Server administrative
user ID and password.
Verify the values and click OK. The system configuration requires several
minutes to complete.
For more information about runConfig, see “Configuring commonly used
system properties” on page 75.
16. On the deployment manager, the installer invokes the database upgrade
program to upgrade the database schema and data. If you are upgrading from
Tivoli Identity Manager 4.6 with WebSphere Application Server 5.1, you need
to provide the database administrative user ID and password to create the
database schema for the messaging engine. If the administrative user ID does
not have the proper privileges to create the database schema, an error
message is displayed during the upgrade. Run the ITIM_HOME\bin\
DBUpgrade program after the upgrade completes and enter the correct
database administrative ID. This program ensures that the database schema
and tables for the messaging engine are created.
17. On the deployment manager, the installer invokes the LDAP upgrade program
to upgrade the LDAP schema and data silently.
Note: For Sun Enterprise Directory Server 6.3, if the upgrade adds new
indexes, you must index your data again after the upgrade to Tivoli
Identity Manager Version 5.1 has completed.
18. After the installation has completed, you might have to manually update any
customizations which were not preserved during the upgrade process. For
more information, see “Preserving customized data manually” on page 114.
The following command displays the status of the Tivoli Identity Manager
workflow queue:
Ensure that all message queues are empty. In the resulting display, the CURDEPTH
attribute shows the number of messages in the queue. For example:
AMQ8409: Display Queue details.
QUEUE(WQ_itim_ms) MAXDEPTH(640000)
CURDEPTH(0)
If all queue depths (“CURDEPTH”) are zero, then no messages need processing,
continue with the Tivoli Identity Manager upgrade. Do not restart WebSphere
Application Server 5.1. If you have current queue depths greater than zero,
messages are still being processed. Wait and check the queue depths again.
To return to the pre-upgrade steps, see “Before you begin” on page 106.
For more information about processes that are not preserved, see “Processes and
settings that are not preserved, or require manual upgrade” on page 105.
114 IBM Tivoli Identity Manager Server: Installation and Configuration Guide
notification templates from Tivoli Identity Manager Versions 4.6. To migrate old
notification templates to Tivoli Identity Manager Version 5.1, you must update both
the XML Text Template Language (XTTL) contents and the style.
<JS>if (EmailContext.hasNewAccess()) {
'<RE key="accountNewAccess"/>:
<JS>EmailContext.getAccountNewAccessAsString();
</JS>\n';
}</JS>
v Default New Password Account Notification
Add:
<ITIMURL/>
v Default Change Account Notification
Add:
<ITIMURL/>
<JS>if (EmailContext.hasNewAccess()) {
'<RE key="accountNewAccess"/>:
<JS>EmailContext.getAccountNewAccessAsString();
</JS>\n';
}</JS>
v Default Restore Account Notification
Add:
<ITIMURL/>
v Default Suspended Account Notification
Add:
<ITIMURL/>
v Default Deprovision Account Notification
Add:
<ITIMURL/>
<JS>if (EmailContext.hasRemovedAccess()) {
'<RE key="accountRemovedAccess"/>:
<JS>EmailContext.getAccountRemovedAccessAsString();
</JS>\n';
}</JS>
v Default Activity Timeout Notification
– Add:
<ITIMURL/>
<JS>if (EmailContext.hasRemovedAccess()) {
'<RE key="accountRemovedAccess"/>:
<JS>EmailContext.getAccountRemovedAccessAsString();
</JS>\n';
}</JS>
– Remove the following:
<RE key="description"/>:
<RE><KEY><JS>activity.description;</JS></KEY>
</RE>
– Modify the following:
<RE key="state"/>: <RE>
<KEY><JS>process.STATE_PREFIX+activity.state;</JS>
</KEY>
</RE>
116 IBM Tivoli Identity Manager Server: Installation and Configuration Guide
<RE key="detail"/>:
<JS>Enrole.localize(process.resultDetail, "$LOCALE");
</JS>
v Default Process Timeout Notification
– Add:
<ITIMURL/>
– Modify the following:
<RE key="detail"/>:
<JS>Enrole.localize(process.resultDetail, "$LOCALE");
</JS>
v Default Process Completion Notification
– Add:
<ITIMURL/>
– Modify the following:
<RE key="detail"/>:
<JS>Enrole.localize(process.resultDetail, "$LOCALE");
</JS>
v Default ManualActivityApproval Notification
– Add:
<ITIMURL/>
<JS>if (process.subjectAccess!=null) if
(process.subjectAccess.length>0) {
'<RE key="accessName"/>:
<JS>process.subjectAccess;</JS>\n';
}</JS>
– Modify the following:
<JS>if (process.parentId == '0') { 'left
valign="middle"><td class="text-description" bgcolor="EBEDF3"><RE
key="requestedBy"/>:</td><td width="773" class="text-description"
bgcolor="white"><JS>process.requestorName;</JS></td></tr>';
}</JS>
v Default ManualActivityRFI Notification
Add:
<ITIMURL/>
<JS>if (process.subjectAccess!=null) if
(process.subjectAccess.length>0) {
'<RE key="accessName"/>:
<JS>process.subjectAccess;</JS>\n';
}</JS>
v Default ManualActivityWorkOrder Notification
No changes required.
In addition, all recertification templates are modified and the following six new
templates are added:
v Decline Mark notification
v Decline Marked notification
v Decline Deletes Access notification
v Decline Deleted Access notification
v Decline Marks Access notification
v Decline Marked Access notification
To design an XHTML template use the following cascading style sheet (CSS) file
and images:
v Imperative style sheet
BASE_URL/console/css/imperative.css
v Images
– Tivoli logo
BASE_URL/console/html/images/left-tiv-1.gif
– IBM banner
BASE_URL/console/html/images/ibm_banner.gif
– Background image
BASE_URL/console/html/images/mid-part-1.gif
– Template body
BASE_URL/console/html/images/portfolio_background.gif
To apply a style sheet, link the style sheet in the following way:
<link type="text/css" title="Styles" rel="stylesheet"
href="BASE_URL/console/css/imperative.css" />
</tr>
</tbody>
</table>
118 IBM Tivoli Identity Manager Server: Installation and Configuration Guide
To modify the contents of default workflow notification templates, log in to the
Tivoli Identity Manager Version 5.1 GUI administrative console with administrative
permission and complete these steps:
1. Go to Configure System > Workflow Notification Properties
2. Select the template to modify.
3. On the Notification Template page, modify the appropriate section of the
notification template.
For more details on how to create an access control item, refer to the Tivoli Identity
Manager Version 5.1 Information Center topic "Access control item management"
(Administering>Security administration).
Note: For a new installation of Tivoli Identity Manager Version 5.1, with the
default set of user groups, access control items, and views, the
persona-based console provides sets of tasks, for the default administrative
user types.
Configuring Crystal
Note to Reviewers:
According to Henry Crystal upgrades successfully with WAS 6.1
without manual steps.
Can we remove this section?
For more information about Crystal configuration, refer to the Tivoli Identity
Manager Information Center.
120 IBM Tivoli Identity Manager Server: Installation and Configuration Guide
Chapter 11. Uninstalling Tivoli Identity Manager
Uninstalling Tivoli Identity Manager consists of using the Tivoli Identity Manager
uninstallation program, which performs the following tasks:
v Removes all files in the ITIM_HOME directory that the Tivoli Identity Manager
installation program created, including certificates in the ITIM_HOME\cert
directory and the itimKeystore.jceks keystore file in the ITIM_HOME\config\
keystore directory.
v Clears all configuration settings that were created for the Tivoli Identity
Manager Server on the WebSphere Application Server.
v Removes the Tivoli Identity Manager Server that was deployed on these
computers:
– Single-server configuration: Computer that has the WebSphere Application
Server.
– Cluster configuration: Computer that has the deployment manager.
In a cluster configuration, uninstalling the Tivoli Identity Manager Server
from the deployment manager removes the availability of the Tivoli Identity
Manager Server to the cluster. The deployed Tivoli Identity Manager
application files are automatically removed from Tivoli Identity Manager
cluster members.
Reboot the Windows operating system after uninstallation to clean up any residual
Tivoli Identity Manager files which were not able to be removed during the
uninstallation process.
For more information about manually removing the database tables, directory
server schema, and log files, see “Manually removing components” on page 122.
122 IBM Tivoli Identity Manager Server: Installation and Configuration Guide
b. Select the ITIM application.
c. Click Stop.
d. When the ITIM application stops, select the ITIM application again.
e. Click Uninstall.
2. Manually ensure that the ITIM.ear directory is removed. Take these steps:
a. Open the applications directory:
v Single-server and each cluster member
WAS_PROFILE_HOME\config\cells\cellname\applications
v Deployment manager
WAS_NDM_PROFILE_HOME\config\cells\cellname\applications
b. If the ITIM.ear directory exists, remove the directory.
124 IBM Tivoli Identity Manager Server: Installation and Configuration Guide
Appendix A. Mapping Tivoli Identity Manager application
modules to IBM HTTP Server
Use the WebSphere administrative console to map Tivoli Identity Manager
applications to the IBM HTTP Web server.
1. Log in to the WebSphere administrative console on the WebSphere Application
Server Network Deployment Manager for the Tivoli Identity Manager cluster
using the WebSphere Application Server administrator credentials.
2. Click Applications > Application Types > WebSphere enterprise applications
in the task menu.
3. Click ITIM in the Enterprise Applications list.
4. Click Manage Modules.
5. Select the ITIM Application Cluster name (not the JMS cluster name) and select
the check boxes for these modules:
v PasswordSynch
v ITIM_Console
v EnRole
v ITIM_Self_Service
v ITIM_Self_Service_Help
v ITIM_Console_Help
v ITIM_Message_Help
v EHS3.01
v PasswordReset
6. Click Apply (next to the Clusters and servers field).
7. Click OK.
8. Click Save configuration in the message box.
This task is performed after installing Tivoli Identity Manager, and cannot be
performed before a new installation. If you want to configure LDAP only through
an SSL connection, skip the LDAP configuration during the installation, and run
ldapConfig after the installation has completed.
Use GSKit to create the key database file and certificates. Make sure to extract the
server certificate (the one created for the LDAP server) for client use. The
certificate must be copied to the machine where Tivoli Identity Manager is
running. The location of the server certificate is required to set up a trusted
certificate for Tivoli Identity Manager in a later task.
For more information about enabling SSL on LDAP for IBM Tivoli Directory
Server, see the documentation available at the following Web site:
http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/
com.ibm.IBMDS.doc/admin_gd16.htm
http://docs.sun.com/app/docs/prod/s1dirsrv
To successfully configure the SSL connection between the Tivoli Identity Manager
Server and the LDAP Server, you must import the self-signed certificate (or CA
certificate) created for the LDAP Server into the truststore that is used by JSSE (the
IBM JSSE, which is part of WebSphere Application Server). Additionally, you must
first configure Tivoli Identity Manager to use SSL (configuring it to use the ldaps
protocol instead of the ldap protocol) when communicating with the LDAP Server.
The next task is to add the certificate you created for the LDAP server into this
certificate store. Complete these steps:
1. In the main window, in the Key database content area, select Signer
Certificates from the drop-down list, and click Add.
2. From the Data Type drop-down list, select Binary Der data.
3. In the Certificate file name field, browse and locate the server certificate file
that was created for the LDAP server. Verify that the appropriate directory is
displayed in the Location field. Click OK.
4. In the prompt that is displayed, type a label for this certificate. For example,
type LDAPCA. Click OK.
The certificate is added for the LDAP Server. You can now close the ikeyman
utility.
128 IBM Tivoli Identity Manager Server: Installation and Configuration Guide
2. Save the changes.
Note: Skip this step if the CA certificate (which is required to verify the
authenticity of the authority that has issued an LDAP server certificate)
is installed in the truststore of the JVM that is used by
ldapConfig/runConfig.
Running the utilities that access the LDAP server with SSL
To successfully run the following utilities present in the ITIM_HOME\bin\platform
directory:
v addindex
v addintegrity
v config_remote_services
v createLinks
v ldapClean
v remove_service_profiles
v loadDSMLSchema
v serviceability
you must perform these steps when SSL is configured:
1. Verify that enRoleLDAPConnections.properties, has
java.naming.security.protocol set to ssl.
2. Open the utility file (for example, addindex.sh or addindex.cmd) with a text
editor.
3. Add the following properties as Java runtime properties (the following
property is one line):
-Djavax.net.ssl.trustStoreType=type_of_truststore -Djavax.net.ssl.trustStore
=truststore_location -Djavax.net.ssl.trustStorePassword=truststore_password
- Djava.ext.dirs=WAS_HOME\java\jre\lib\ext:WAS_HOME\plugins:
WAS_HOME\lib:WAS_HOME\lib\ext
For example, ldapClean.sh modified for SSL would look like this example:
$JAVA -Djavax.net.ssl.trustStoreType=jks -Djavax.net.ssl.trustStore=
/opt/ibm/cacerts -Djavax.net.ssl.trustStorePassword=changeit -Djava.ext.
dirs=/opt/IBM/WebSphere61/AppServer/java/jre/lib/ext:
/opt/IBM/WebSphere61/AppServer/plugins:/opt/IBM/WebSphere61/
AppServer/lib:/opt/IBM/WebSphere61/AppServer/lib/ext -cp $CLASSPATH
com.ibm.itim.systemConfig.LdapSweeper
4. Save the changes to the utility file.
130 IBM Tivoli Identity Manager Server: Installation and Configuration Guide
Configuring security for WebSphere Application Server
If you chose to enable administrative security and application security on the
WebSphere Application Server, additional security configuration might be required.
Each of the following security tasks applies to both single and multi-node
deployments. You can perform these additional security tasks:
v Map the itimadmin administrative user to the ITIM_SYSTEM role to further
limit access.
v If the System User or EJB User are modified outside of Tivoli Identity Manager,
run the runConfig command to update the Tivoli Identity Manager
configuration.
v If you also enabled Java 2 security, modify the library.policy file and verify that
the was.policy file exists.
v Modify the token expiration to prevent accidental timeouts in a cluster
configuration.
v Enable FIPS compliance for WebSphere Application Server.
Enabling Java 2 security for the Tivoli Identity Manager application also causes
Java 2 security to be enforced on all applications that are running on the
WebSphere Application Server. If you enable Java 2 security for the Tivoli Identity
Manager application, you should also appropriately configure all other applications
running on the WebSphere Application Server to support Java 2 security.
Note: Ensure that you are using the IBM Java 2 Platform Standard Edition
Development Kit 1.5 Service Release 6 or later. Service Release 6 is needed if
you intend to enable Java 2 security. You can download the service release
and follow the instructions to apply the fix at the following WebSphere
Application Server fix pack Web site:
http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg24017492
Note: This sample policy file provides blanket access to the Tivoli Identity
Manager shared library but does not provide any extra security. Set the
policy file according to your security requirements by configuring this file
correctly.
Ensure that the was.policy file exists. If the file does not exist, create the file in the
following directory on the node:
WAS_PROFILE_HOME/config/cells/cellname/applications/ITIM.ear/
deployments/application_name/META-INF
Note: This sample policy file provides blanket access to Tivoli Identity Manager
but does not provide any extra security. Set the policy file according to your
security requirements by configuring this file correctly.
132 IBM Tivoli Identity Manager Server: Installation and Configuration Guide
Running Java 2 security on single-node deployments
To run the Java 2 security component after installing and setting up Tivoli Identity
Manager in a single-node deployment, use the WebSphere administrative console
to restart Tivoli Identity Manager and log in when prompted. Complete these
steps:
1. Click Applications > Enterprise Applications.
2. Select the check box for ITIM and click Stop. Wait for the Tivoli Identity
Manager application to stop, then click Start.
Security uses a Lightweight Third Party Authentication (LTPA) token that expires
after an interval of system inactivity. The default is 120 minutes, which might not
be large enough to use with Tivoli Identity Manager. On some systems, the actual
timeout interval might be shorter than the value that is specified. A timeout might
prevent you from logging on. When a timeout occurs, you must recycle the
deployment manager, the cluster, and all node agents.
To enable FIPS compliance for WebSphere Application Server, complete these steps:
1. Add these IBM cryptographic providers as entries in the java.security
cryptographic provider list, as shown in this example.
security.provider.1=com.ibm.crypto.fips.provider.IBMJSSE2
security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS
This step ensures that Java uses these cryptographic providers for all
cryptographic functions.
Note: The order in which you specify the security providers is important. The
security providers are processed in numeric order. The first security
provider that supports the encryption method being requested is used.
On Solaris systems, the first provider must always be
sun.security.provider.Sun.
2. Enable FIPS in WebSphere Application Server. To enable FIPS for WebSphere
Application Server, complete these steps:
a. On the WebSphere administrative console, click Security > SSL certificate
and key management.
b. Select the check box next to Use the United States Federal Information
Processing Standard (FIPS) algorithms
c. Click Apply.
d. Save the configuration changes.
3. To set the environment variable to restrict the IBMJSSE2 provider to
FIPS-compliant algorithms, complete these steps:
a. On the WebSphere administrative console, click Servers > Application
servers and click a server, such as server1.
b. In the Server Infrastructure field, click the link for Java and Process
Management > Process Definition
c. In the Additional Properties field, click the link for Java Virtual Machine
d. In the Generic JVM Arguments field, set the environment variable by
adding the following statement:
-Dcom.ibm.jsse2.JSSEFIPS=true
For more information about enabling FIPS in WebSphere Application Server 6.1,
see the documentation available at the following Web site:
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/topic/
com.ibm.websphere.base.doc/info/aes/ae/tsec_fips.html
Run the utility once on a single server or at the deployment manager to migrate
the data in the LDAP repository and in the property files. Also run the utility on
each managed node (in a clustered environment) to migrate the property files on
that node.
The following example shows the supported usage and command-line parameters
for the changeCipher command:
134 IBM Tivoli Identity Manager Server: Installation and Configuration Guide
changekey {keystore_name} {keystore_password}
[-algorithm AES] [-keysize 128 | 192 | 256]
[-skiperrors]
resume [-skiperrors]
Note: The new encrypted data is longer in length. If the attribute length in
LDAP is too small you get an Object Class violation and the script ends.
v Migrates the encrypted data in the property files to the new cipher
v Sets the new cipher settings to enrole.properties
While running, the tool creates and maintain a file which contains its current state
information. This file is written to ITIM_HOME\temp\CipherMigrator.properties.
If an error occurs during migration (for instance, if the LDAP server goes down),
correct the problem and invoke the tool with the resume parameter. This parameter
tells the utility to pick up from where it left off before the error occurred.
The optional –skiperrors parameter tells the tool to continue running even if it
encounters data that cannot be decrypted with the old cipher. If specified,
undecipherable LDAP data does not cause the tool to fail.
Back up all LDAP data before running the tool. There are a number of things that
can go wrong when migrating LDAP data. For example, if the keystore file is
accidentally deleted before the LDAP migration is completed, some of the
encrypted LDAP data becomes inaccessible. Backing up LDAP data along with the
current keystore ensures you can return to a safe state.
Before running the tool, stop the Tivoli Identity Manager Server and ensure that
there are no pending transactions in the database because encrypted data in the
database is not migrated.
For each LDAP object it finds, the cipher migration utility decrypts the attribute
using the old cipher and re-encrypts the attribute using the new cipher. No
changes are made to attributes that are hashed.
http://www.ibm.com/developerworks/java/jdk/security/index.html
Installation images
Refer to the Tivoli Identity Manager Quick Start Guide for the download location of
the installation images that Tivoli Identity Manager provides. For more information
about all supported platforms and their prerequisite applications, refer to the Tivoli
Identity Manager Information Center.
Tivoli Identity Manager fixes and information about fix pack installation are
available at this Web site:
http://www-306.ibm.com/software/sysmgmt/products/support/
IBMTivoliIdentityManager.html
UNIX/Linux:
path/IBM/WebSphere/
AppServer
WebSphere The name of the WebSphere v Single-server:
Application Server Application Server profile. AppSrv01
profile name
v Deployment
manager: Dmgr01
v Cluster member:
Custom01
WebSphere The name of the WebSphere Example: server1
Application Server Application Server server.
server name
Computer host name The host name of the
computer.
WebSphere User name that is used to Example: wsadmin
Application Server administer WebSphere
administrator user Application Server. Used to
ID restart secure WebSphere
Application Servers. This
field is optional.
WebSphere Password that is used with
Application Server the WebSphere user name.
administrator This field is optional.
password
140 IBM Tivoli Identity Manager Server: Installation and Configuration Guide
Table 10. Tivoli Identity Manager typical pre-installation configuration
parameters (continued)
Default or example
Field name Description value Your value
Keystore password Used to unlock the Tivoli
Identity Manager keystore
file which stores the
encryption key used to
encrypt Tivoli Identity
Manager sensitive data.
ITDI_HOME The directory that contains Windows:
the IBM Tivoli Directory path\IBM\TDI\V6.1.1
Integrator Server code. Also,
path\IBM\TDI\V7.0
where adapters are installed.
This field is optional UNIX/Linux:
depending on whether you
are using IBM Tivoli path/IBM/TDI/V6.1.1
Directory Integrator. path/IBM/TDI/V7.0
TIVOLI_COMMON_ The central location for all Windows:
DIRECTORY serviceability-related files, path\IBM\tivoli\
such as logs and first-failure common
capture data.
UNIX/Linux:
path/IBM/tivoli/
common
142 IBM Tivoli Identity Manager Server: Installation and Configuration Guide
Table 11. Tivoli Identity Manager typical system configuration parameters (continued)
Default or example
Field name Description value Your value
EJB user password Specifies the EJB user
password.
Note: The EJB user
password is restricted to 12
characters.
IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not give you
any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM
Intellectual Property Department in your country or send inquiries, in writing, to:
IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan
The following paragraph does not apply to the United Kingdom or any other
country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS
PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or
implied warranties in certain transactions, therefore, this statement may not apply
to you.
Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those Web
sites. The materials at those Web sites are not part of the materials for this IBM
product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.
The licensed program described in this information and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement, or any equivalent agreement
between us.
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of
International Business Machines Corporation in the United States, other countries,
or both. If these and other IBM trademarked terms are marked on their first
occurrence in this information with a trademark symbol (® or ™), these symbols
indicate U.S. registered or common law trademarks owned by IBM at the time this
information was published. Such trademarks may also be registered or common
law trademarks in other countries. A current list of IBM trademarks is available on
the Web at ″Copyright and trademark information″ at http://www.ibm.com/legal/
copytrade.shtml.
Adobe, Acrobat, Portable Document Format (PDF), and PostScript are either
registered trademarks or trademarks of Adobe Systems Incorporated in the United
States, other countries, or both.
146 IBM Tivoli Identity Manager Server: Installation and Configuration Guide
Cell Broadband Engine and Cell/B.E. are trademarks of Sony Computer
Entertainment, Inc., in the United States, other countries, or both and is used under
license therefrom.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of
Microsoft Corporation in the United States, other countries, or both.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo,
Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or
registered trademarks of Intel Corporation or its subsidiaries in the United States
and other countries.
UNIX is a registered trademark of The Open Group in the United States and other
countries.
delegate (verb). (1) To assign all or a subset of domain administrator. The owner of an
administrator privileges to a user, such that the user administrative domain. See also administrative domain.
can perform all or a subset of administrator activities
for a specific set of users. (2) To designate a user to dynamic content tags. A set of XML tags (based on
approve requests or provide information for requests the XML Text Template Language (XTTL) schema) that
for another user. enables the administrator to provide customized
information in a message, notification, or report. See
delegate administrator. The user who has all or a also XML Text Template Language.
subset of administrator privileges over a specific set of
users. dynamic organizational role. An organizational role
that is assigned to a person by using an LDAP filter.
When a user is added to the system and the LDAP
150 IBM Tivoli Identity Manager Server: Installation and Configuration Guide
filter parameters are met, the user is automatically
added to the dynamic organizational role. See also
I
organizational role.
identity. The subset of profile data that uniquely
represents a person or entity and that is stored in one
E or more repositories.
entitlement. In security management, a data structure, identity feed. The automated process of creating one
service, or list of attributes that contains externalized or more identities from one or more common sources
security policy information. of identity data.
entitlement workflow. A workflow that defines the identity policy. The policy that defines the user ID to
business logic that is used when provisioning a policy. be used when creating an account for a user.
For example, an entitlement workflow is used to define
IIOP (Internet Inter-ORB Protocol). A protocol used
approvals for managing accounts. See also workflow.
for communication between Common Object Request
entity. An object about which you want to store Broker Architecture (CORBA) object request brokers
information or manage. For example, a person and an
ITIM group. A list of Tivoli Identity Manager
account are both entities.
accounts. Membership within an ITIM group
entity type. Categories of managed objects. See also determines the access to data within Tivoli Identity
entity. Manager.
escalation. The process that defines what happens and ITIM user. A user who has a Tivoli Identity Manager
who acts when an activity was not completed in the account.
specified amount of time.
failover. An automatic operation that switches to a join directive. The set of rules that define how to
redundant or standby system in the event of a handle attributes when two or more provisioning
software, hardware, or network interruption. policies are applied. Two or more policies might have
overlapping scope, so the join directive specifies what
FESI. See Free EcmaScript Interpreeter. actions to take when this overlap occurs.
group. A collection of Tivoli Identity Manager users. LDAP Data Interchange Format. See LDIF.
Glossary 151
LDAP filter. A search filter that narrows the results protection category. (2) An entity that defines the
from an LDAP search. schema for a service or an account.
LDIF (LDAP Data Interchange Format). A file format operation. A specific action (such as add, multiply, or
that is used to describe directory information as well as shift) that the computer performs when requested.
changes that need to be applied to a directory, such
that directory information can be exchanged between operational workflow. A workflow that defines the
directory servers that are using LDAP. lifecycle process for accounts, persons, and other
entities. See also workflow.
life cycle. Passage or transformation through different
stages over time. For example markets, brands and organization. A hierarchical arrangement of
offerings have life cycles. organizational units, such that each user is included
once and only once. See also organizational unit.
life cycle rules. A set of rules in a policy that
determine which operations to use when automatically organization tree. A hierarchical structure of an
handling commonly occurring events, such as organization that provides a logical place to create,
suspending an account that has been inactive for a access, and store organizational information.
period of time.
organizational container. An organization,
Lightweight Directory Access Protocol. See LDAP. organizational unit, location, business partner unit, or
administration domain.
location. An entity that is a subdivision of an
organization, usually based on geographical area. organizational role. In identity management, a list of
account owners that is used to determine which
entitlements are provisioned to them. See also dynamic
M organizational role and static organizational role.
mail. A type of workflow activity that sends a organizational unit. A type of organizational
notification to one or more users about a request. container that represents a department or similar
grouping of people.
managed resource. An entity that exists in the runtime
environment of an IT system and that can be managed. orphan account. On a managed resource, an account
whose owner cannot be automatically determined by
manager. A type of person who uses Tivoli Identity the provisioning system.
Manager to manage their own accounts and passwords
or the accounts and passwords of those people that
they supervise. P
manual service. A type of service that requires participant. In identity management, an individual, a
manual intervention by the service owner to complete role, a group, or a JavaScript script that has the
the provisioning request. authority to respond to a request that is part of a
workflow. See also workflow.
N password. In computer and network security, a
specific string of characters that is used by a program,
namespace. (1) The set of unique names that a service computer operator, or user to access the system and the
recognizes. (2) Space reserved by a file system to information stored within it.
contain the names of its objects.
password retrieval. In identity management, the
nested group. A group that is contained within method of retrieving a new or changed password by
another group. See also group. accessing a designated Web site and specifying a
shared secret. See also shared secret.
notification. A message that is sent to users or
systems that indicates that a change was made that password strength rules. The set of rules that a
might be of interest to the receiver. password must conform to, such as the length of the
password and the type of characters that are allowed
O (or not allowed) in the password.
152 IBM Tivoli Identity Manager Server: Installation and Configuration Guide
password synchronization. The process of recertification policy. A policy that defines the life
coordinating passwords across services and systems cycle rule for automatically validating accounts and
such that only a single password is needed to access users in the provisioning system after a certain period
those multiple services and systems. of time. See also life cycle rules.
permission. Authorization to perform activities, such reconciliation. The process of synchronizing data in a
as reading and writing local files, creating network central data repository with data on a managed
connections, and loading native code. resource.
person. An individual in the system that has a person registration. The process of accessing a system and
record in one or more corporate directories. requesting an account on that system.
personal profile. The data that describes a user within registry. A repository that contains access and
the system, such as the user name, password, contact configuration information for users, systems, and
information, and so on. software.
plug-in. A software module that adds function to an relationship. A defined association between two or
existing program or application. more data entities, which is used when defining a Free
EcmaScript Interpreter (FESI) extension or when
policy. A set of considerations that influence the customizing the graphical user interface.
behavior of a managed resource or a user.
relevant data. The data that is used to complete a
post office. A component that collects notifications workflow activity in a workflow operation at runtime.
from the appropriate workflow activities and See also workflow.
distributes those notifications to the appropriate
workflow participants. repository. A persistent storage area for data and
other application resources. Common types of
principal. (1) A person or group that has been granted repositories are databases, directories, and file systems.
permissions. (2) An entity that can communicate
securely with another entity. request. The item that initiates a workflow and
instigates the various activities of a workflow. See also
privilege. See permission. workflow.
profile. Data that describes the characteristics of a request for information (RFI). A workflow activity
user, group, resource, program, device, or remote that requests additional information from the specified
location. participant. See also workflow.
protection category. The category of classes that an resource. A hardware, software, or data entity. See
access control item can protect. For example, accounts also managed resource.
or persons. See also object class.
restore. To activate an account that was suspended.
provision. (1) In identity management, to set up and
maintain the access of a user to a system. (2) In identity rights. See permission.
management, to create an account on a managed
resource. rule. A set of conditional statements that enable
computer systems to identify relationships and execute
provisioning. In identity management, the process of automated responses accordingly.
providing, deploying, and tracking a service or
component.
S
provisioning policy. A policy that defines the access
to various managed resources, such as applications or schema. The fields and rules in a repository that
operating systems. Access is granted to all users, users comprise a profile. See also profile.
with a specific role, or users who are not members of a
scope. In identity management, the set of entities that
specific role.
a policy or an access control item (ACI) can affect.
Glossary 153
security. The protection of data, system operations, topic. The subject of a notification message, which
and devices from accidental or intentional ruin, allows messages to be grouped together based on the
damage, or exposure. same task.
security administrator. A type of person who sets up transition. A connection between two workflow
and administers Tivoli Identity Manager for users, elements. See also workflow.
managers, help desk assistants, and application user
administrators.
U
self-registration. See registration.
universally unique identifier (UUID). The 128–bit
service. A representation of a managed resource, numerical identifier that is used to ensure that two
application, database, or system. entities do not have the same identifier. The identifier is
unique for all space and time.
service owner. An individual who uses Tivoli Identity
Manager to set up and administer the accounts on the user. (1) Any individual, organization, process, device,
services that are managed by Tivoli Identity Manager. program, protocol, or system that uses the services of a
See also service. computing system. (2) The individual who uses Tivoli
Identity Manager to manage their accounts and
service selection policy. A policy that determines passwords.
which service to use in a provisioning policy. See also
provisioning policy.
V
service type. A category of related services that share
the same schemas. See also service. view. A collection of various graphical user interfaces
for a product that represent the set of tasks that a
shared secret. An encrypted value that is used to particular type of user is allowed to perform.
retrieve the initial password of a user. This value is Administrators can customize views to contain different
defined when the personal information for the user is collections of graphical user interfaces.
initially loaded into the system.
T
tenant. In a hosted service environment, a virtual
enterprise instance of an application. Each tenant can
share directory servers or relational databases while
remaining completely separate service instances.
154 IBM Tivoli Identity Manager Server: Installation and Configuration Guide
Index
Special characters browser
active scripting 99
.profile file two session problems 99
Oracle 21 using supported 99
IDI_HOME
IBM Tivoli Directory Integrator Server installation
directory xiii
C
CA certificate
Numerics preserved during upgrade 104
certificate
50000, default DB2 listening port number 17 CA, preserved during upgrade 104
50002, default DB2 listening port number 17 demonstration, upgraded 104
60000, default DB2 listening port number 17 identical directory requirement, cluster member 59
CLASSPATH
verifying database 97
A Classpath field, specifying data directory 95
accessibility cleanup
pdf format, for screen-reader software xi cron job 77
statement for documentation xi recycle bin age limit 77
text, alternative for document images xi client
account database
LDAP storage 2 DB2 10
active scripting, browser 99 on remote computer 10
adapter interface 1
agent-less or agent-based 4 upgrading duplicate properties files 106
definition 4 cluster
location 4 configuration
addserviceselectionpolicy.xml, workflow process file 105 WebSphere Application Server 5
adhocreporting.properties 104 definition 5
administrative expanding
system management interface tool new computer 71
SMIT 16 installation
system management tool restart after 67
admintool 16 sequence 60
user sequential requirement 60
ID, DB2 11 Tivoli Identity Manager Server 58
mapping to role 131 wizard 60
administrative security and application security member
itimadmin 131 certificate files 59
wasadmin 131 certificate recognition 59
admintool, administrative tool (Solaris) 16 deployment manager installation deploys Tivoli Identity
alias, database 78 Manager 60
api_ejb.jar 106 HR feed 59
app_ctl_heap_sz example, update database 17, 35 identical database specification 78
applheapsz example, update database 17, 35 identical directory requirement 59
application server, WebSphere Application Server 3 identical LDAP specification 63
authentication alias, itim-init 97 installation sequence after deployment manager 60
authority multiples on same computer 62
installing Tivoli Identity Manager Server 49, 59 new, adding to cluster 71
logon user ID in Administrator Group 49, 59 partial start 68
root removing 71
ensuring 49, 59 prerequisites
was.policy file 132 database 59
deployment manager 59
directory server 59
B JMS servers 59
node agents 59
backup WebSphere Application Server base 59
Oracle 21 remove member 71
books Tivoli Identity Manager installation
see publications x wizard 61
156 IBM Tivoli Identity Manager Server: Installation and Configuration Guide
database (continued) DB2 runtime client
Oracle (continued) type of JDBC driver 2
JVM feature required by Tivoli Identity Manager 20 DB2 Server
processes parameter 21 deployment 10
select during installation 52, 62 fix pack 12
shared_pool_size parameter 21 install, configure 10
schema preserved during upgrade 104 db2admin 11
select during installation 52, 62 db2admin, instance user ID for UNIX and Linux 10
server, definition 1 db2admin, user ID for UNIX and Linux 10
session persistence DB2COMM 17
Oracle environment variables 21 db2fs, command 12
SQL server, select during installation 52, 62 db2level, command 12
tab 78 db2ls, command 12
TCP/IP 17 db2set
transactional data 1 command 16, 17, 35
upgrade, schema preserved 104 DB2COMM 17
user itimuser 78 db2start, command 17, 36
database creation db2stop, command 17, 36
SQL Server 2005 25 dbConfig.stdout 102
DB_HOME dbUpgrade.stdout 102
DB2 installation directory xii dc=com
definition xii permissions 32
DB_INSTANCE_HOME default
DB2 installation directory xii ibm_banner.gif 79
definition xii logo image file 79
db2 demonstration certificate upgraded 104
force application all, command 17, 36 deployment
DB2 adapter 4
Administrative user ID 11 cluster member 71
client DB2 10
on remote computer 10 IBM HTTP Server 42, 44
command IBM Tivoli Directory Integrator 39
create 17 IBM Tivoli Directory Server 27
db2 force application all 17, 36 planning steps 5
db2cmd 16, 35 WebSphere Web Server plug-in 42, 44
db2set 17 deployment manager
db2start 17, 36 database configuration 73
db2stop 17, 36 LDAP data repository 75
update 17, 35 propagating Tivoli Identity Manager Server 60
configuration running before installing Tivoli Identity Manager
create user itimuser 16 Server 94
performance 18 directory
service listening port number 17 IDI_HOME xiii
steps 15 DB_HOME xii
TCP/IP communication 17 DB_INSTANCE_HOME xii
db2admin 11 identical requirement, on cluster members 59
db2admin, instance name on UNIX and Linux 10 installation
db2admin, user ID on UNIX and Linux 10 DB2 xii
deployment 10 IBM Tivoli Directory Integrator Server xiii
First Steps 11 IBM Tivoli Directory Server xiii
home directory for Windows 11 WebSphere Application Server base product xiv
home directory on UNIX and Linux 11 ITDS_HOME xiii
initially empty 10 ITIM_HOME xiv
instance name names, operating system notation xiv
db2 on Windows 11 WAS_HOME xiv
instance, db2admin on UNIX and Linux 10 WAS_NDM_PROFILE_HOME xiv
out of memory error 18 WAS_PROFILE_HOME xiv
relation to Tivoli Identity Manager 10 directory integrator
runtime adjustment 15 definition 3
storage space 18 installing 39
user ID, db2admin on UNIX and Linux 10 LDAP directory 3
user named itimuser 16 directory server
wizard, verifying installation 11 definition 2
db2 command determination if running 98
create 17 host name 77
update 17, 35 ibmslapd process 98
ibmslapd.log file 99
Index 157
directory server (continued)
identity management 2
F
LDAP directory 2 First Steps
organizational data 2, 27 DB2 installation 11
port number 77 verifying WebSphere installation 43, 44, 46
Principal DN 77 fix pack
process ID (PID) 98 database 12, 29
user account data 2, 27 IBM Tivoli Directory Integrator 39
disabilities, using documentation xi IBM Tivoli Directory Server 28
DN
top entry in a locally held directory hierarchy 29
documents G
related x garbage cleanup
Tivoli Identity Manager library vii recycle bin age limit 77
domain schedule_garbage.cron 77
objectclass 32
driver, JDBC 2
Dynamic Role Add/Modify/Remove, workflow process 105
H
heap size, DB2 18
heart beat 76
E home directories
e-mail IDI_HOME xiii
address for the Tivoli Identity Manager Server 79 DB_HOME xii
mail gateway 79 DB_INSTANCE_HOME xii
system administrator address 79 DB2 for Windows 11
editing password 83 DB2 on UNIX and Linux 11
EJB user ITDS_HOME xiii
initial values 80 ITIM_HOME xiv
itimadmin 131 WAS_HOME xiv
length limit 80 WAS_NDM_PROFILE_HOME xiv
manual steps 80 WAS_PROFILE_HOME xiv
mapping 131 host name
updating 80, 131 directory server 77
embedded HTTP transport, WebSphere HTTP
logon 68 embedded HTTP transport, WebSphere 68
empty, DB2 10
encryption
enrole.password.appServer.encrypted 80
enrole.password.database.encrypted 80
I
enrole.password.ldap.encrypted 80 IBM HTTP Server
enRole.properties 80 deployment 42, 44
key 52, 63 installing 47
settings 80 separate computer recommended 47
enrole.password.appServer.encrypted 80 IBM logo file, default 79
enrole.password.database.encrypted 80 IBM Tivoli Directory Integrator
enrole.password.ldap.encrypted 80 deployment 39
enRole.properties fix pack 39
/data directory 83 install, configure 39
configuring Tivoli Identity Manager Server 76 IBM Tivoli Directory Server
encryption properties 80 deployment 27
preserved during upgrade 104 fix pack 28
enroleAuditing.properties 104 install, configure 27
enRoleAuthentication.properties 104 LDAP suffix 29
enRoleDatabase.properties 104 referential integrity file 29
enRoleDatabase.properties file 97 setting up 29
enRoleLDAPConnection.properties 104 SSL, configuring 127
enRoleLogging.properties 104 ibm_banner.gif 79
enRoleMail.properties 104 ibmslapd
enroleworkflow.properties 104 log file 34, 35
environment variable process running 98
DB2COMM 17 ibmslapd.log file 99
operating system notation xiv identical directory, cluster members 59
Oracle 21 identity feed, lost if running during upgrade 105
processes, Oracle 21 image
setting with .profile file 21 directory 79
shared_pool_size, Oracle 21 logo 79
expired password 83
158 IBM Tivoli Identity Manager Server: Installation and Configuration Guide
Increment Count itimadmin
LDAP 77 EJB user 131
init.ora file, Oracle 21 itimdb
Initial Pool Size database
LDAP 77 database name 16
instaix.bin, installation program 50, 60, 109, 111 host name 78
installation setting initial values, SQL Server 2005 25
database 9 SQL Server 2005 25
directory itimuser
DB2 xii default user ID, database 78
IBM Tivoli Directory Integrator Server xiii password identical in enRoleDatabase.properties file 97
IBM Tivoli Directory Server xiii user
WebSphere Application Server base product xiv create 16
IBM HTTP Server 42, 44, 47 on DB2 server 16
instaix.bin 50, 60, 109, 111 privileges, no special 16
instlinux.bin 50, 61, 109, 111 itimxlp_setup.jar 69
instplinux.bin 50, 61, 109, 111
instsol.bin 51, 61, 109, 111
instwin.exe 50, 60, 109, 111
instzlinux.bin 51, 61, 109, 111
J
jar file 21
logs 101
api_ejb.jar 106
restarting clusters 67
itim_api.jar 106
select database 52, 62
itim_server_api.jar 106
sequence
itimxlp_setup.jar 69
cluster 60
jlog.jar 106
single-server 50
manual upgrade 106
SQL Server 2005 24
Java 2 security
Sun Enterprise Directory Server 36
customization, upgrading manually 114
Tivoli Identity Manager Server
lost during upgrade 105
authority 49, 59
Java Runtime Environment
cluster 58
language pack 69
single-server 49
required level 69
verifying
java_pool_size parameter, Oracle 21
Tivoli Identity Manager Server 57, 68, 94
java, command 69
WebSphere installation 43, 44, 46
JDBC
WebSphere Application Server 41
connection
WebSphere Web Server plug-in 42, 44, 47
fields 78
instance name
driver 21
DB2 10
DB2 runtime client 2
DB2 on Windows 11
SQL Server 2005 25
instlinux.bin, installation program 50, 61, 109, 111
type 2 2
instplinux.bin, installation program 50, 61, 109, 111
JDBC driver for Oracle 21
instsol.bin, installation program 51, 61, 109, 111
jlog.jar 106
instwin.exe, installation program 50, 60, 109, 111
instzlinux.bin, installation program 51, 61, 109, 111
Intended Audience vii
Internet Explorer, active scripting 99 K
ITDI_HOME kernel
definition xiii settings for DB2 9
ITDS_HOME
definition xiii
IBM Tivoli Directory Server installation directory xiii
ITIM user 58, 68, 95
L
language
itim_adhocSync queue 113
on installation panels 51, 61
itim_api.jar 106
pack
ITIM_DB_JDBC_DRIVER_PATH 97
default not English 69
ITIM_HOME
installing 69
definition xiv
jar file name 69
directory xiv
Java Runtime Environment 69
itim_installer_debug.txt 102
LDAP
itim_ms queue 113
connection increment 77
itim_rs queue 113
connection pool 77
itim_server_api.jar 106
directory integrator 3
itim_wf queue 113
directory server 2
itim_wf_pending queue 113
initial configuration 75
itim-init, authentication alias 97
initial connections 77
maximum connections 77
Index 159
LDAP (continued) multi-node (continued)
suffix security (continued)
definition 29 timeout interval 133
IBM Tivoli Directory Server 29
initializing with data 32
verifying configuration 32
ldapClean, command 77
N
name
ldapConfig.stdout 102
database 78
ldapsearch, command 32
naming context, definition 29
ldapUpgrade.stdout 102
node
libdelref
synchronization, multi-node deployment 133
success message 34, 35
notifytemplate.html, workflow process file 105
testing configuration 34, 35
limit, recycle bin age 77
list page size, as search control 80
listener O
service, Oracle 24 objectclass
logging domain 32
dbConfig.stdout 102 top 32
dbUpgrade.stdout 102 online publications
ibmslapd.log file 99 accessing x
install 101 operating system
itim_installer_debug.txt 102 identity provisioning 3
ldapConfig.stdout 102 Oracle
ldapUpgrade.stdout 102 .profile file 21
log.txt 101 backup 21
MAX 78 command to start server 24
MED 78 environment variables 21
MIN 78 init.ora file 21
performance settings 78 install, configure 18
runConfigTmp.stdout 102 java_pool_size parameter 21
setupEnrole.stdout 102 JDBC driver 21
StartStopWas.stdout 102 JVM feature required by Tivoli Identity Manager 20
system properties 82 listener service 24
tab 78 processes parameter 21
tracing 78 session persistence 21
logo shared_pool_size parameter 21
customized lost during upgrade 105 SQL script example 22
customized, upgrading manually 114 organization
default image 79 data, on directory server 27
logon out of memory error, DB2 18
attempts 83
command 68
logs
installation 101
P
password
msg.log 102
editing 83
trace.log 102
expiration period 83
lost password 83
itimuser user, password identical in
enRoleDatabase.properties file 97
lost 83
M retrieval expiration period 83
mail path names, notation xiv
tab 78 pdf format, for screen-reader software xi
manuals performance
see publications x DB2 18
MAX, logging 78 LDAP connection 77
Maximum Pool Size, LDAP 77 tracing level 78
MED, logging 78 permissions
message dc=com 32
preoperation 34, 35 libdelref file 33
MIN, logging 78 referential integrity file 33
msg.log was.policy file 132
in Tivoli Common Directory 102 planning
verifying Tivoli Identity Manager Server 95 major steps in installation 5
multi-node plug-in
security default installation directory 33
node synchronization 133 file permissions 33
160 IBM Tivoli Identity Manager Server: Installation and Configuration Guide
plug-in (continued) problem determination (continued)
referential integrity file 32 SQL Server 2005
WebSphere Web Server plug-in 42, 44 testing 98
Policy Add/Modify/Remove, workflow process 105 Tivoli Identity Manager
pool embedded HTTP transport, WebSphere 68
JDBC connections, database 78 ITIM_HOME\data directory 95
port msg.log file 95
50000 17 properties files 95
50002 17 SystemOut.log file 94
60000 17 trace.log file 94
9080 68 WebSphere Application Server
directory server 77 server1 94
in services file 17 serverStatus command 94
service listening 17 process file, workflow
preoperation, message 34, 35 addserviceselectionpolicy.xml, preserved during
prerequisite upgrade 105
cluster notifytemplate.html, preserved during upgrade 105
database 59 process, workflow
deployment manager 59 Dynamic Role Add/Modify/Remove, lost if running
directory server 59 during upgrade 105
JMS servers 59 Policy Add/Modify/Remove, lost if running during
node agents 59 upgrade 105
WebSphere Application Server base 59 processes parameter, Oracle 21
single-server properties
database 50 configuring with Tivoli Identity Manager GUI 83
directory server 50 enRoleDatabase.properties file 97
IBM Tivoli Directory Integrator 50 file
WebSphere Application Server 50 configure 76
Principal DN data directory 95
directory server 77 encryption 80
privilege enRole.properties 76
logon 50, 60 list 83
user, itimuser 16 security tab 80
problem determination SystemOut.log file, indicating error 95
browser heart beat 76
avoiding two sessions 99 recycle bin age limit 77
using supported 99 tracing 78
database properties file
authentication alias 97 client, upgrading duplicate files 106
database connection file
CLASSPATH 97 adhocreporting.properties 104
testing 96 crystal.properties 104
DB2 user ID, password 97 CustomLabels_en.properties 104
directory server CustomLabels.properties 104
ibmslapd.log 99 enRole.properties 104
process ID (PID) 98 enroleAuditing.properties 104
embedded HTTP transport, WebSphere enRoleAuthentication.properties 104
logon 68 enRoleDatabase.properties 104
installation enRoleLDAPConnection.properties 104
(SOAP connection 100 enRoleLogging.properties 104
database configuration 54, 65 enRoleMail.properties 104
database connection 96 enroleworkflow.properties 104
DBConfig 54, 65 scriptframework.properties 105
directory server configuration 55, 65 SelfServiceHelp.properties 105
file permissions 93 SelfServiceHomePage.properties 105
hardware, software prerequisites 93 SelfServiceScreenText_en.properties 105
ldapConfig 55, 65 SelfServiceScreenText.properties 105
log files 56, 66, 93 SelfServiceUI.properties 105
permissions and display variables 93 ui.properties 104
real memory 93 preserved during upgrade 104
SOAP connection 56, 67 upgrade, preserved
SQL Server 2005 98 adhocreporting.properties 104
wasadmin user ID 57, 67, 100, 101 crystal.properties 104
WebSphere Application Server 54 CustomLabels_en.properties 104
wsadmin 56, 66, 100 CustomLabels.properties 104
logs and directories 101 enRole.properties 104
properties files 95 enroleAuditing.properties 104
Index 161
properties file (continued) runConfigTmp.stdout 102
upgrade, preserved (continued) runmqsc.exe utility, for queue status 113
enRoleAuthentication.properties 104 running process
enRoleDatabase.properties 104 database 97
enRoleLDAPConnection.properties 104 directory server 98
enRoleLogging.properties 104 logs and directories 101
enRoleMail.properties 104 using runConfig (System Configuration) 82
enroleworkflow.properties 104 WebSphere Application Server 94
scriptframework.properties 105 runtime
SelfServiceHelp.properties 105 adjust DB2 15
SelfServiceHomePage.properties 105 client
SelfServiceScreenText_en.properties 105 DB2 2
SelfServiceScreenText.properties 105 environment, WebSphere Application Server 3
SelfServiceUI.properties 105 Java Runtime Environment 69
ui.properties 104
provisioning
identity 3
relational database 1
S
schedule_garbage.cron, job 77
publications
scheduling
accessing online x
heart beat 76
related x
ldapClean 77
Tivoli Identity Manager library vii
periodic cleanup 77
Recycle Bin Age Limit 76
schedule_garbage 77
Q thread 76
queue script
itim_adhocSync 113 create Oracle database 22
itim_ms 113 scriptframework.properties 105
itim_rs 113 search, items displayed 80
itim_wf 113 security
itim_wf_pending 113 EJB user 131
runmqsc.exe utility 113 map administrative user to role 131
workflow, determining status 113 multi-node deployment
node synchronization 133
timeout interval 133
R tab 80
was.policy file 132
reconciliation, lost if running during upgrade 105
SelfServiceHelp.properties 105
recycle bin age limit 77
SelfServiceHomePage.properties 105
referential integrity file
SelfServiceScreenText_en.properties 105
definition 32
SelfServiceScreenText.properties 105
file permissions 33
SelfServiceUI.properties 105
IBM Tivoli Directory Server 29
sequence
loading success message 34, 35
installation, cluster 60
steps to configure 32
installation, single-server 50
testing configuration 34, 35
requirement, cluster installation 60
regular-cluster configuration
serverStatus, command 94
installing 60
service pack, SQL Server 2005 24
selecting 62
serviceability-related files, Tivoli Common Directory 53, 64
remote
services file, port number 17
computer, database client 10
session
removing cluster member 71
browser problem 99
requirement
LDAP 77
cluster 59
persistence
single-server 50
Oracle environment variables 21
retrieval period, password 83
settings
root
DB2
logon user ID, to install Tivoli Identity Manager
kernel, on Solaris 9
Server 49, 59
preserved, upgrading Tivoli Identity Manager 104
using system management tool 16
runtime, DB2 15
runConfig
WebSphere Application Server 41
change password, itmuser user 82
settings for WebSphere Application Server 41
command 75
setupEnrole.stdout 102
configuring Tivoli Identity Manager Server 75
shared_pool_size parameter, Oracle 21
EJB user 83
single-server
password encryption 83
configuration
system properties 82
installing 49
162 IBM Tivoli Identity Manager Server: Installation and Configuration Guide
single-server (continued)
configuration (continued)
T
WebSphere Application Server 4 tab
definition 4 Database 78
installation Directory 77
authority 49, 59 General 76
sequence 50 Logging 78
Tivoli Identity Manager Server 49 Mail 78
wizard 51 Security 80
prerequisites UI 79
database 50 TCP/IP
IBM Tivoli Directory Integrator 50 configuration, DB2 17
WebSphere Application Server 50 testing
SMTP mail host 79 database 97
Solaris directory server 98
kernel settings for DB2 9 WebSphere Application Server 94
source text, alternative for document images xi
data 3 thread
SQL Server 2005 scheduling 76
configuring 24 timeout interval, multi-node security 133
creating database 25 Tivoli Common Directory
installing 24 CTGIM 53, 64
itimdb database 25 msg.log 102
service pack, obtaining 24 serviceability-related files 53, 64
XA transactions 25 trace.log 102
startServer, command 54 Tivoli Identity Manager Server
StartStopWas.stdout 102 configuration
status Database tab 78
Oracle listener 24 General tab 76
queues 113 definition 3
runmqsc.exe utility, for queues 113 Directory tab 77
WebSphere Application Server 94 installation, configuration 49
stopServer, command 53 installing
storage space authority 49, 59
cluster configuration 59 cluster 58
DB2 18 single-server 49
single-server configuration 49 Logging tab 78
Sun Enterprise Directory Server Mail tab 78
configuring 36 msg.log file 95
installing 36 Security tab 80
SSL, configuring 127 SystemOut.log file 94
system administrator e-mail address 79 test communication 93
system configuration tool trace.log file 94
Logging tab, tracing 78 UI tab 79
System Management Interface Tool (SMIT, AIX) 16 uninstalling
system properties additional products 121
enRole.properties 83 database tables 121
interval to recognize changes 82 directory server schema 121
logging 82 steps 122
logon attempts 83 Tivoli software information center x
managing 82 TIVOLI_COMMON_DIRECTORY
manual modification 83 definition xiv
password top, objectclass 32
editing 83 trace.log
expiration period 83 in Tivoli Common Directory 102
lost 83 verifying Tivoli Identity Manager Server 94
retrieval expiration period 83 tracing
restart Tivoli Identity Manager Server 82 logging 78
runConfig 82 MAX 78
Web user interface 83 MED 78
System user MIN 78
updating 131 performance settings 78
SystemOut.log type
errors and properties files 95 2 JDBC driver 2
verifying Tivoli Identity Manager Server 94 typeface conventions xi
Index 163
U user (continued)
itimuser
ui.properties 104 on DB2 server 16
uninstalling privileges, no special 16
Tivoli Identity Manager password, verifying for database 97
additional products 121 user password
database tables 121 identical in enRoleDatabase.properties file 97
directory server schema 121 user, ITIM 58, 68, 95
steps 122
utility for Tivoli Identity Manager 71
update, db2 command 17, 35
upgrading V
before upgrading 106 verifying
configuration 108, 111 database
crystal configuration 106 CLASSPATH 97
custom logos lost 105 connection 97
customization installation 11
Java 2 security, manually 114 user ID 97
logos, manually 114 user password 97
duplicate properties files on client side 106 installation
Dynamic Role Add/Modify/Remove lost if running 105 Tivoli Identity Manager Server 57, 68, 94
identity feed lost if running 105 WebSphere Application Server 94
jar files for client, manually 106 versionInfo.bat,command 43, 44
Java security lost 105 versionInfo.sh,command 44
Policy Add/Modify/Remove lost if running 105
reconciliation lost if running 105
shared libraries 106 W
steps WAS_HOME
cluster configuration 111 definition xiv
single-server configuration 108 WebSphere Application Server base installation
tasks directory xiv
cluster configuration 111 WAS_NDM_PROFILE_HOME
single-server configuration 108 definition xiv
Tivoli Identity Manager version 4.6 to 5.1 WebSphere Application Server base installation
CA certificates preserved 104 directory xiv
data directory 104 WAS_PROFILE_HOME
database schema 104 definition xiv
database server 103 WebSphere Application Server base installation
demonstration certificate upgraded 104 directory xiv
directory server 103 was.policy file, permissions 132
operating system requirements 103 wasadmin
property files 104 System User 131
settings preserved 104 Web address
stopping WebSphere Application Server 104 Tivoli Identity Manager 68
upgrade paths 103 WebSphere administrative console 43, 45, 46, 47
WebSphere Application Server configuration 104 Web user interface (Tivoli Identity Manager) 83
WebSphere Application Server installation 103 WebSphere administrative console
workflow files 105 starting 57, 94
workflow_systemprocess directory 105 Web address 43, 45, 46, 47
Tivoli Identity Manager version 5.0 to 5.1 WebSphere Application Server
CA certificates preserved 104 administrative security and application security
data directory 104 itimadmin 131
database schema 104 wasadmin 131
database server 103 configuration
demonstration certificate upgraded 104 cluster 5
directory server 103 installing 41
operating system requirements 103 preserved during upgrade 104
property files 104 single-server 4
settings preserved 104 definition 3
upgrade paths 103 installation 41
WebSphere Application Server configuration 104 installation, configuration 41
WebSphere Application Server installation 103 installing 41
workflow files 105 verifying 94
workflow_systemprocess directory 105 WebSphere installation
user custom installation recommended 42, 44
account data, on directory server 27 First Steps 43, 44, 46
ID, verifying for database 97 IBM HTTP Server installation 42, 44
164 IBM Tivoli Identity Manager Server: Installation and Configuration Guide
WebSphere installation (continued)
WebSphere Web Server plug-in installation 42, 44
WebSphere Web Server plug-in
deployment 42, 44
installing 47
separate computer recommended 47
wizard
First Steps, WebSphere installation 43, 44, 46
Tivoli Identity Manager installation
cluster 61
single-server 51
verifying DB2 installation 11
workflow process file, preserved during upgrade
addserviceselectionpolicy.xml 105
notifytemplate.html 105
workflow process, lost if running during upgrade
Dynamic Role Add/Modify/Remove 105
Policy Add/Modify/Remove 105
worksheet
tables 139
Index 165
166 IBM Tivoli Identity Manager Server: Installation and Configuration Guide
Printed in USA
SC27-2410-00