Tivoli Identity Manager Server




Tivoli Identity Manager Server Version 5.1 Installation and Configuration Guide SC27-2410-01


Note: Before using this information and the product it supports, read the information in Appendix E, Notices, on page 151.

Edition notice
This edition applies to version 5.1 of Tivoli Identity Manager and to all subsequent releases and modifications until otherwise indicated in new editions. This edition obsoletes and replaces SC32-1562-01.

Copyright International Business Machines Corporation 2009.
US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Preface  vii
  Who should read this book  vii
  Publications and related information  vii
    Tivoli Identity Manager library  vii
    Prerequisite product publications  ix
    Related publications  x
    Accessing publications online  x
  Accessibility  xi
  Support information  xi
  Conventions used in this book  xi
    Typeface conventions  xi
    Definitions for HOME and other directory variables  xii
    Operating system differences  xiv

Chapter 1. Overview of the Tivoli Identity Manager environment  1
  Tivoli Identity Manager components  1
    Database server products  1
    Directory server products  2
    IBM Tivoli Directory Integrator  2
    WebSphere Application Server  3
    An HTTP server and WebSphere Web Server plug-in  3
    Tivoli Identity Manager Server  3
    Tivoli Identity Manager adapters  3
  Configuration options  4
    Single-server configuration  4
    Cluster configuration  4
  Overview of the installation  5
  Planning activities for deployments at large sites  6

Chapter 2. Installing and configuring a database  9
  Before you install the database product  9
  Installing and configuring IBM DB2 Database  10
    Recording user data  10
    Verifying the installation  11
    Installing the required fix packs  12
    Configuring IBM DB2 Database  12
    Tuning the DB2 Database for performance  18
  Installing and configuring the Oracle database  18
    Before you create a database  19
    Creating the Tivoli Identity Manager database  21
    Tuning the Oracle database for performance  23
    Starting the Oracle product and the listener service  23
  Installing and configuring SQL Server 2005 on the Windows operating system  24
    Preparing to install SQL Server 2005  24
    Installing SQL Server 2005  24
    Configuring SQL Server 2005  25
    Creating the Tivoli Identity Manager database  25

Chapter 3. Installing and configuring a directory server  27
  Before you install the directory server product  27
  Installing and configuring IBM Tivoli Directory Server  27
    Installing IBM Tivoli Directory Server  27
    Installing the required fix packs  28
    Configuring IBM Tivoli Directory Server  29
  Sun Enterprise Directory Server  36
    Installing Sun Enterprise Directory Server  36
    Configuring Sun Enterprise Directory Server  36

Chapter 4. Optionally installing IBM Tivoli Directory Integrator  39
  Before you install the directory integrator product  39
  Installing IBM Tivoli Directory Integrator  39
    Installing IBM Tivoli Directory Integrator  39
    Installing the required fix packs  39
  Installing agentless adapters  40

Chapter 5. Installing and configuring WebSphere Application Server  41
  Before you install WebSphere Application Server  41
  Installing the WebSphere Application Server product  41
    Installing WebSphere Application Server in a single-server environment  42
    Installing WebSphere Application Server in a cluster environment  43
  Tuning WebSphere Application Server for performance  48

Chapter 6. Installing Tivoli Identity Manager  51
  Installing Tivoli Identity Manager in a single-server configuration  51
    Before you begin  51
    Starting the installation wizard  52
    Completing the installation wizard pages  53
    Responding to major installation actions  55
    Verifying that the Tivoli Identity Manager Server is operational  59
  Installing Tivoli Identity Manager in a cluster configuration  60
    Before you begin  60
    Overview of the installation program in a cluster configuration  62
    Starting the installation wizard  62
    Completing the installation wizard pages  63
    Responding to major installation actions  66
    Starting clusters  69
    Verifying that the Tivoli Identity Manager Server is operational  70
  Optional post-installation tasks  71
    Optionally installing a language pack  71

Copyright IBM Corp. 2009 iii

    Optionally installing adapter profiles  72
    Changing cluster configurations after Tivoli Identity Manager is installed  73

Chapter 7. Configuring the Tivoli Identity Manager Server  75
  Configuring the Tivoli Identity Manager database  75
    Completing the database configuration windows  75
    Manually starting the DBConfig database configuration tool  76
  Configuring the directory server  76
    Completing the directory server configuration windows  77
    Manually running the ldapconfig configuration tool  77
  Configuring commonly used system properties  77
    General tab  78
    Directory tab  79
    Database tab  79
    Logging tab  80
    Mail tab  80
    UI tab  81
    Security tab  82
    Manually starting the system configuration tool  82
  Manually installing agentless adapters and adapter profiles  83
    Installing agentless adapters  83
    Installing agentless adapter profiles  83
  Modifying system properties during normal operation  84
    Modifying system properties with the system configuration tool  85
    Modifying system properties manually  85
    Modifying system properties with the Tivoli Identity Manager GUI  85

Chapter 8. Performing a silent installation and configuration of Tivoli Identity Manager  87
  Before you begin  88
  Performing a silent installation in a single-server environment  88
  Performing a silent installation in a cluster environment  89
  Configuring the database silently  92
  Configuring the directory server silently  92
  Configuring the system silently in a single-server environment  92
  Configuring the system silently in a cluster environment  93

Chapter 9. Verifying and troubleshooting the installation  95
  Correcting problems with starting the installation  95
  Tivoli Identity Manager configuration errors  95
  Verifying the installation  96
    Ensuring that the WebSphere Application Server is running  96
    Verifying that the Tivoli Identity Manager Server is running  96
    Verifying that the database is running correctly  98
    Verifying that the directory server is properly running  101
    Checking the Web browser operation  101
  Troubleshooting Tivoli Identity Manager within WebSphere Application Server  102
    Correcting connection scripting errors  103
    Correcting timeout errors  103
    Determining the port number of the default host  104
  Log files  104

Chapter 10. Upgrading to Tivoli Identity Manager Version 5.1  105
  Description of the upgrade process  105
    Processes and settings that the upgrade process preserves  106
    Processes and settings that are not preserved, or require manual upgrade  107
    Before you begin  108
  Upgrading from Tivoli Identity Manager Version 4.6 or 5.0 to Version 5.1 or Version 5.1 on Websphere Application Server 6.1 to Websphere Application Server 7.0  110
    Upgrading a single-server configuration  110
    Upgrading a cluster configuration  113
  Clearing the service integration bus  116
  Determining that the WebSphere MQ message queue is empty  116
  Preserving customized data manually  117
    Manually applying Java security  117
    Customizing logos and style sheets  117
    Preserving WebSphere Application Server customizations  117
    Migrating notification templates  118
    Manually upgrading the access control items  123
    Configuring Crystal  123

Chapter 11. Uninstalling Tivoli Identity Manager  125
  What is not removed  125
  Before you begin  125
  Steps to uninstall Tivoli Identity Manager  126
  Verifying that the Tivoli Identity Manager Server is uninstalled  126
  Manually removing components  126
    Manually removing the Tivoli Identity Manager Server from the WebSphere Application Server  126
    Stopping and removing the Tivoli Identity Manager messaging engine  127
    Removing other Tivoli Identity Manager configuration settings from the WebSphere Application Server  127
    Manually removing other files or directories  130
  Reinstalling Tivoli Identity Manager  130
    Ensuring that Tivoli Identity Manager objects are removed from the Sun Enterprise Directory Server  130

iv IBM Tivoli Identity Manager Server: Installation and Configuration Guide

Appendix A. Mapping Tivoli Identity Manager application modules to IBM HTTP Server  131

Appendix B. Configuring security for Tivoli Identity Manager  133
  Configuring security for the directory server  133
    Configuring SSL for IBM Tivoli Directory Server  133
    Configuring SSL for Sun Enterprise Directory Server  133
    Configuring the SSL client to trust the LDAP server certificate  133
  Configuring security for WebSphere Application Server  137
    Mapping an administrative user to a role  137
    Updating the system user and the EJB user  138
    Enabling Java 2 security by creating and modifying policy files  138
    Running Java 2 security on single-node deployments  139
    Running Java 2 security on multi-node deployments  139
    Increasing the timeout interval  139
    Enabling FIPS compliance for WebSphere Application Server  140
    Running the cipher migration tool  141

Appendix C. Installation images and fix packs  143
  Installation images  143
  Setting the SOAP timeout interval before installing fix packs  143
  Obtaining fix packs  143

Appendix D. Worksheets  145

Appendix E. Notices  151
  Trademarks  152

Glossary  155

Index  161


Preface

Who should read this book
This guide describes how to install and configure Tivoli Identity Manager. This book is intended for system and security administrators who install, maintain, or administer software on their computer systems. Readers are expected to understand system and security administration concepts. Additionally, the reader must understand administration concepts for the following types of products:
- Database servers
- Directory servers
- Application servers

Publications and related information
Read the descriptions of the Tivoli Identity Manager library. To determine which additional publications you might find helpful, read the Prerequisite product publications on page ix and the Related publications on page x. After you determine the publications you need, refer to the instructions in Accessing publications online on page x.

Tivoli Identity Manager library
The publications in the Tivoli Identity Manager technical documentation library can be found at the following URL:
http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.itim.doc/welcome.htm

The publications in the Tivoli Identity Manager technical documentation library are organized into the following categories:
- Release information
- Online user assistance
- Server installation and configuration
- Problem determination
- Technical supplements
- Adapter installation and configuration

Release information:
Tivoli Identity Manager Quick Start Guide
  Helps you install a base configuration of Tivoli Identity Manager.
Tivoli Identity Manager Information Center
  Provides software and hardware requirements for Tivoli Identity Manager and additional fix, patch, and other support information. This publication also includes known limitations, problems, and workarounds.

Online user assistance:

Tivoli Identity Manager Information Center
  Provides online help topics and an information center for all Tivoli Identity Manager administrative tasks.

Server installation and configuration:
Tivoli Identity Manager Server Installation and Configuration Guide
  Provides installation and configuration information for Tivoli Identity Manager.

Problem determination:
Tivoli Identity Manager Problem Determination Guide
  Provides problem determination and logging information for Tivoli Identity Manager.
Tivoli Identity Manager Messages Guide
  Provides message information for Tivoli Identity Manager.

Database and schema information:
Tivoli Identity Manager Database and Schema Reference
  Describes some of the data structures used by Tivoli Identity Manager.

Technical supplements:
The following technical supplements are provided by developers or by other groups who are interested in this product:
- Redbooks and white papers are available on the Web at: http://www.redbooks.ibm.com/
- Technotes are available on the Web at: http://www.redbooks.ibm.com/redbooks.nsf/tips/
- Field guides are available on the Web at: http://www.ibm.com/software/sysmgmt/products/support/field_guides.html
- For an extended list of other Tivoli Identity Manager resources, search the following IBM developerWorks Web site: http://www.ibm.com/developerworks/

Adapter installation and configuration:
The Tivoli Identity Manager Server technical documentation library also includes an evolving set of platform-specific installation documents for the adapter components of an IBM Tivoli Identity Manager implementation. Locate adapter documentation on the Web at: http://publib.boulder.ibm.com/tividd/td/identitymanager5.0.html

Performance and tuning:
IBM Tivoli Identity Manager Performance Tuning Guide
  Provides information to help you optimize the use of resources for Tivoli Identity Manager.

Skills and training:
Additional skills and technical training information might be available at the following Web sites:

- IBM Professional Certification at: http://www.ibm.com/certify/ Search on identity manager to locate available classes and certification offerings.
- Virtual Skills Center for Tivoli Software on the Web at: http://www.cgselearning.com/tivoliskills/
- Tivoli Education Software Training Roadmaps on the Web at: http://www.ibm.com/software/tivoli/education/eduroad_prod.html
- Tivoli Technical Exchange on the Web at: http://www.ibm.com/software/sysmgmt/products/support/supp_tech_exch.html

Prerequisite product publications
To use the information in this book effectively, you must have knowledge of the products that are prerequisites for Tivoli Identity Manager. Publications are available from the following locations:

Operating systems
  AIX: http://publib.boulder.ibm.com/infocenter/pseries/v5r3/topic/com.ibm.aix.doc/doc/base/aixinformation.htm
  Sun Solaris: http://docs.sun.com/app/docs/prod/solaris.10
  Microsoft Windows Server 2003
    - Support: http://www.microsoft.com/windowsserver2003/support/default.mspx
    - Documentation: http://www.microsoft.com/windowsserver2003/proddoc/default.mspx
  Red Hat Linux: http://www.redhat.com/docs/
  SUSE Linux: http://www.novell.com/documentation/suse.html

WebSphere Application Server
  Hardware and software requirements: http://www.ibm.com/software/webservers/appserv/was/
  Support: http://www.ibm.com/software/webservers/appserv/was/support/
  Information center: http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp

IBM DB2 Database
  Support: http://www.ibm.com/software/data/db2/udb/support.html
  Information center: http://publib.boulder.ibm.com/infocenter/db2help/index.jsp
  Documentation: http://www-306.ibm.com/software/data/db2/support/db2_9/ and http://www.ibm.com/software/data/db2/udb/support/manuals9.html

  DB2 product family: http://www.ibm.com/software/data/db2/
  Fix packs by version: http://www-1.ibm.com/support/docview.wss?rs=71&uid=swg21255572
  System requirements: http://www.ibm.com/software/data/db2/udb/sysreqs.html

IBM Tivoli Directory Server
  Support: http://www.ibm.com/software/sysmgmt/products/support/IBMDirectoryServer.html
  Information center:
    http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.ibmds.doc_6.0/welcome.htm
    http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.ibmds.doc/welcome.htm

IBM Tivoli Directory Integrator
  Support: http://www.ibm.com/software/sysmgmt/products/support/IBMDirectoryIntegrator.html
  Information center: http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?toc=/com.ibm.ibmdi.doc/toc.xml

Related publications
Information that is related to Tivoli Identity Manager Server is available in the following publications:
- The Tivoli Software Library provides a variety of Tivoli publications such as white papers, datasheets, demonstrations, redbooks, and announcement letters. The Tivoli Software Library is available on the Web at: http://www.ibm.com/software/tivoli/literature/
- The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available from the Glossary link of the Tivoli Software Library Web page at: http://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm

Accessing publications online
IBM posts publications for this and all other Tivoli products, as they become available and whenever they are updated, to the Tivoli software information center Web site. Access the Tivoli software information center at the following Web address: http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
Click the I character in the A-Z list, and then click the Tivoli Identity Manager link to access the product library.

Note: If you print PDF documents on other than letter-sized paper, set the option in the File > Print window that allows Adobe Reader to print letter-sized pages on your local paper.

Accessibility
The product documentation includes the following features to aid accessibility:
- Documentation is available in convertible PDF format to give the maximum opportunity for users to apply screen-reader software.
- All images in the online documentation are provided with alternative text so that users with vision impairments can understand the contents of the images.

Support information
If you have a problem with your IBM software, you want to resolve it quickly. IBM provides the following ways for you to obtain the support you need:
Searching knowledge bases
  You can search across a large collection of known problems and workarounds, Technotes, and other information.
Obtaining fixes
  You can locate the latest fixes that are already available for your product.
Contacting IBM Software Support
  If you still cannot solve your problem, and you need to work with someone from IBM, you can use a variety of ways to contact IBM Software Support.

Conventions used in this book
This book uses several conventions for highlighting terms and actions and for operating system-dependent commands and paths.

Typeface conventions
This book uses the following typeface conventions:
Bold
  - Lowercase commands and mixed case commands that are otherwise difficult to distinguish from surrounding text
  - Interface controls (check boxes, push buttons, radio buttons, spin buttons, fields, folders, icons, list boxes, items inside list boxes, multicolumn lists, containers, menu choices, menu names, tabs, property sheets), and labels (such as Tip:)
  - Keywords and parameters in text
Italic
  - Words defined in text
  - Emphasis of words (words as words)
  - New terms in text (except in a definition list)
  - Variables and values that you must provide
Monospace
  - Examples and code examples
  - File names, programming keywords, and other elements that are difficult to distinguish from surrounding text
  - Message text and prompts addressed to the user
  - Text that the user must type
  - Values for arguments or command options

Definitions for HOME and other directory variables
The following table contains the default definitions that are used in this guide to represent the HOME directory level for various product installation paths. You can customize the installation directory and HOME directory for your specific implementation. If this is the case, you need to make the appropriate substitution for the definition of each variable represented in this table.

The value of path varies for these operating systems. For Windows, the default path is drive:\Program Files. For UNIX/Linux, the default path is /opt.

Path Variable / Default Definition / Description

DB_HOME
  Windows: path\ibm\sqllib
  UNIX/Linux: path/ibm/db2/v9.1
  The directory that contains the DB2 Database for Tivoli Identity Manager.

DB_INSTANCE_HOME
  Windows: drive:\dbinstancename
  Solaris: /export/home/dbinstancename
  Other UNIX/Linux: /home/dbinstancename
  The directory that contains the DB2 instance for Tivoli Identity Manager.

ITDS_HOME
  Windows: Version 6.0 path\ibm\ldap\v6.0; Version 6.1 path\ibm\ldap\v6.1
  UNIX/Linux: Version 6.0 path/ibm/ldap/v6.0; Version 6.1 path/ibm/ldap/v6.1
  The directory that contains the IBM Tivoli Directory Server code.

ITDS_INSTANCE_HOME
  Windows: drive:\idsslapd-instance_owner_name
    The value of drive might be C:\ on Windows systems. An example of instance_owner_name might be ldapdb2. For example, the log file might be C:\idsslapd-ldapdb2\logs\ibmslapd.log.
  UNIX/Linux: /home/instance_owner_name/idsslapd-instance_owner_name
  Solaris: /export/home/instance_owner_name/idsslapd-instance_owner_name
    An example of instance_owner_name might be ldapdb2. For example, the log file might be /export/home/ldapdb2/idsslapd-ldapdb2/logs/ibmslapd.log.
  The directory that contains the IBM Tivoli Directory Server Version 6.0 or Version 6.1 instance.

ITDI_HOME
  Windows: path\ibm\tdi\v6.1.1
  UNIX/Linux: path/ibm/tdi/v6.1.1
  The directory that contains the IBM Tivoli Directory Integrator Server code. Also, where adapters are installed.

ITIM_HOME
  Windows: path\ibm\itim
  UNIX/Linux: path/ibm/itim
  The base directory that contains the Tivoli Identity Manager code, configuration, and documentation.

TIVOLI_COMMON_DIRECTORY
  Windows: path\ibm\tivoli\common
  UNIX/Linux: path/ibm/tivoli/common
  The central location for all serviceability-related files, such as logs and first-failure capture data.

WAS_HOME
  Windows: path\ibm\websphere\appserver
  UNIX/Linux: path/ibm/websphere/appserver
  The directory that contains the WebSphere Application Server code.

WAS_PROFILE_HOME
  Windows: path\ibm\websphere\appserver\profiles\profile_name
  UNIX/Linux: path/ibm/websphere/appserver/profiles/profile_name
  The directory that contains the WebSphere Application Server custom profile.

WAS_NDM_PROFILE_HOME
  Windows: path\ibm\websphere\appserver\profiles\dmgr01
  UNIX/Linux: path/ibm/websphere/appserver/profiles/dmgr01
  The directory that contains the WebSphere Application Server Network Deployment Manager profile.

Operating system differences
This guide uses the Windows convention for specifying environment variables and for directory notation. When using the UNIX/Linux command line, replace %variable% with $variable for environment variables, and replace each backslash (\) with a forward slash (/) in directory paths. The names of environment variables are not always the same in Windows and UNIX/Linux. For example, %TEMP% in the Windows operating system is equivalent to /tmp in a UNIX/Linux operating system.

Note: If you are using the bash shell on a Windows system, you can use the UNIX/Linux convention for specifying file path notation.

Chapter 1. Overview of the Tivoli Identity Manager environment

This book focuses on the tasks that you must complete in order to install and configure Tivoli Identity Manager. To determine the supported release levels and fix pack specifications for the supported UNIX, Linux and Windows operating systems, refer to the Tivoli Identity Manager Information Center, which takes precedence over this document.

Tivoli Identity Manager components
Tivoli Identity Manager provides life cycle management of user accounts on remote resources, using adapters to provide communication. The Tivoli Identity Manager product:
- Provides user accounts to authorized users on one or more resources to which Tivoli Identity Manager adapters are connected
- Runs in a WebSphere Application Server environment, either in a single-server or a cluster configuration
- Stores historical and pending data in a database server
- Stores user account and organizational data in an LDAP directory server
- Stores Tivoli Identity Manager information used for auditing and reporting in the database
- Provides administration from a client interface in a Web browser that communicates through an HTTP server and WebSphere Web Server plug-in or a WebSphere Application Server embedded HTTP transport.

Tivoli Identity Manager requires the installation and configuration of the following components:
- A database server
- A directory server
- IBM Tivoli Directory Integrator (optional)
- WebSphere Application Server
- An HTTP server (optional)
- Tivoli Identity Manager Server
- Tivoli Identity Manager adapters

Database server products
Tivoli Identity Manager stores transactional and historical data in a database server. For example, the Tivoli Identity Manager provisioning processes use a relational database to maintain their current state as well as their history. Computers that communicate with the database require a Java Database Connectivity driver (JDBC driver). For example, a JDBC driver enables a Tivoli Identity Manager Server to communicate with the data source. Tivoli Identity Manager supports a JDBC type 4 driver to connect a Java-based application to a database.

The supported database products are IBM DB2 Database, Oracle Database, and Microsoft SQL Server. The following information is about the type 4 JDBC drivers for each database product.

IBM DB2 Database
    DB2 supports a Type 4 JDBC driver. The DB2 type 4 JDBC driver is bundled with the Tivoli Identity Manager installation program.

Oracle Database
    The Oracle database supports a Type 4 JDBC driver. The Tivoli Identity Manager installation program prompts for the location and name of this JDBC driver. Before you install the Tivoli Identity Manager Server, obtain this JDBC driver from your Oracle Database Server installation in the ORACLE_HOME\jdbc\lib\ directory. Alternatively, you can download the driver from this Web site: http://www.oracle.com/technology/software/tech/java/sqlj_jdbc/index.html
    For WebSphere Application Server version 6.1, the JDBC driver is ojdbc5.jar. For WebSphere Application Server version 7.0, the JDBC driver is ojdbc6.jar.

Microsoft SQL Server
    The SQL Server database supports a Type 4 JDBC driver. The Tivoli Identity Manager installation program prompts for the location and name of this JDBC driver. You can download the driver from this Web site: http://msdn.microsoft.com/en-us/data/aa937724.aspx

For more information about supported database server products, refer to the Tivoli Identity Manager Information Center.

Directory server products

Tivoli Identity Manager stores the current state of managed identities in an LDAP directory, including user account and organizational data. Tivoli Identity Manager supports the following products:
- IBM Tivoli Directory Server
- Sun Enterprise Directory Server

For more information about supported directory server products, refer to the Tivoli Identity Manager Information Center.

IBM Tivoli Directory Integrator

IBM Tivoli Directory Integrator is an optional installation component that synchronizes identity data residing in different directories, databases, and applications. IBM Tivoli Directory Integrator synchronizes and manages information exchanges between applications or directory sources. For more information about IBM Tivoli Directory Integrator, refer to the Tivoli Identity Manager Information Center.

WebSphere Application Server

The WebSphere Application Server is the primary component of the WebSphere environment. The WebSphere Application Server runs a Java virtual machine, providing the runtime environment for the enterprise application code. The application server provides containers that specialize in enabling the execution of specific Java application components. The Tivoli Identity Manager application can run on a single-server configuration with the WebSphere Application Server base server. Tivoli Identity Manager can also run in a larger cluster configuration that is composed of one or more WebSphere Application Servers and a deployment manager that manages the cluster. For additional information about the WebSphere Application Server products, refer to additional documentation cited in Prerequisite product publications on page ix.

An HTTP server and WebSphere Web Server plug-in

An HTTP server is an optional component that provides administration of Tivoli Identity Manager through a client interface in a Web browser. Tivoli Identity Manager requires the installation of a WebSphere Web Server plug-in with the HTTP server. WebSphere Application Server provides separate installers to install the IBM HTTP Server and the WebSphere Web Server plug-in. You can install these components either with the WebSphere Application Server or on a separate computer.

Note: If an HTTP server is used, you must use the WebSphere Application Server Administrative Console to map the Tivoli Identity Manager applications to the HTTP Web server name. See Appendix A, Mapping Tivoli Identity Manager application modules to IBM HTTP Server, on page 131 for more information about mapping the applications.

Tivoli Identity Manager Server

The Tivoli Identity Manager Server and its adapters enable you to provision identities to a set of heterogeneous resources, which might be operating systems, data stores, or other applications.

Tivoli Identity Manager adapters

Tivoli Identity Manager adapters enable you to connect the Tivoli Identity Manager Server to a set of heterogeneous resources, which can be operating systems, data stores, or other applications, in order to provision identities. An adapter is a program that provides an interface between a managed resource and the Tivoli Identity Manager Server. Adapters function as trusted virtual administrators on the target platform for account management. For example, adapters perform such tasks as creating accounts, suspending accounts, and modifying account attributes. Because an adapter acts with administrative authority on the managed resource, protect the adapter host and the credentials it uses as you would any other privileged administrative account.

A Tivoli Identity Manager adapter can be either agent-based or agentless:

Agent-based adapter
    You install adapter code directly onto the managed resource with which it is designed to communicate.

Agentless adapter
    Deploys its adapter code onto the Tivoli Identity Manager Server and the system hosting IBM Tivoli Directory Integrator. The adapter code is separate from the managed resource with which it is designed to communicate.
    Note: For agentless adapters, the SSH process or daemon must be active on the managed resource.

Configuration options

Before you install Tivoli Identity Manager, you must determine how to configure WebSphere Application Server, either in a single-server or a cluster configuration.

Single-server configuration

A single-server configuration contains the WebSphere Application Server base server and Tivoli Identity Manager on one computer. Other required applications can run on the same computer or a different computer. You must ensure that the computer has the required memory, speed, and available disk space to meet the workload. A single-server configuration requires the following components and products:
- A database server
- A directory server
- IBM Tivoli Directory Integrator (optional)
- WebSphere Application Server base server
- Tivoli Identity Manager Server
- Tivoli Identity Manager adapters

Cluster configuration

A cluster configuration contains WebSphere Application Server nodes, which are logical groups of one or more application servers on computers. Nodes reside within an administrative domain called a cell, which the deployment manager manages. A node agent manages all managed processes on the node by communicating with the deployment manager to coordinate and synchronize the configuration. The deployment manager is the administrative process that provides a centralized management view and control for all elements in the cell, including the management of clusters.

Tivoli Identity Manager assumes that the operating system is the same for each cluster member. For example, all Tivoli Identity Manager cluster members run on the IBM AIX operating system. To avoid problems with identity feeds, do not use more than one operating system type within a Tivoli Identity Manager cluster. Tivoli Identity Manager does not support a vertical cluster configuration, which has more than one cluster member within a WebSphere Application Server node.

For example, one cluster configuration might consist of one or more WebSphere Application Server nodes, each node consisting of one computer, controlled by a deployment manager on a separate server. The remaining applications are configured on additional computers.

Overview of the installation

This task is an example cluster configuration:

On the computer where you want to have the deployment manager, install the following components and products:
- The WebSphere Application Server deployment manager
- A JDBC driver, if required
- The Tivoli Identity Manager Server

A cluster member is an instance of a WebSphere Application Server in a cluster. On each cluster member, install the following components and products:
- WebSphere Application Server base server
- Tivoli Identity Manager Server
- A JDBC driver, if required

On one or more additional computers that can be in or out of the cluster, install the following components and products:
- A database server
- A directory server
- IBM Tivoli Directory Integrator (optional)
- An IBM HTTP Server and WebSphere Web Server plug-in (optional)

This task is an example configuration only. An alternative topology might configure these components on computers that are all inside the cluster, and the deployment manager might reside on the same computer as the WebSphere Application Server base server. You must ensure that the computer has the required memory, speed, and available space to meet the additional load.

The installation consists of a collection of activities. The major steps to install and test Tivoli Identity Manager are:
1. Determine the Tivoli Identity Manager Server topology. The information in this chapter describes the major configuration choices.
2. Ensure that the operating system of each physical server is at the level that Tivoli Identity Manager requires. For more information about software and hardware requirements, refer to the Tivoli Identity Manager Information Center.
3. Ensure that the database server is installed and preconfigured. See Chapter 2, Installing and configuring a database, on page 9 for steps to prepare the database.
4. Ensure that the directory server is installed and preconfigured. See Chapter 3, Installing and configuring a directory server, on page 27 for steps to prepare the directory server.
5. Ensure that IBM Tivoli Directory Integrator, if you use it, is installed and preconfigured. See Chapter 4, Optionally installing IBM Tivoli Directory Integrator, on page 39 for steps to prepare IBM Tivoli Directory Integrator.
6. Determine that the WebSphere Application Server is ready. See Chapter 5, Installing and configuring WebSphere Application Server, on page 41 for steps to prepare the WebSphere Application Server in a single-server or cluster configuration.
7. Install and configure Tivoli Identity Manager on one of these configurations:
   - Single-server. Tivoli Identity Manager supports both regular and silent installation. For more information about single-server install, see Installing Tivoli Identity Manager in a single-server configuration on page 51.
   - Cluster. Tivoli Identity Manager supports both regular and silent installation. For more information about cluster install, see Installing Tivoli Identity Manager in a cluster configuration on page 60.
   For steps to upgrade from an existing installation of Tivoli Identity Manager, see Chapter 10, Upgrading to Tivoli Identity Manager Version 5.1, on page 105. For steps to perform a silent installation of Tivoli Identity Manager, see Chapter 8, Performing a silent installation and configuration of Tivoli Identity Manager, on page 87.
8. Verify the installation and troubleshoot to resolve any problems that happened during installation and startup. For more information, see Chapter 9, Verifying and troubleshooting the installation, on page 95.

Planning activities for deployments at large sites

In large organizations, there are additional tasks that require planning before you deploy Tivoli Identity Manager. For more information, refer to the Planning section of the Tivoli Identity Manager Information Center.

To prevent initial deployment problems, consider providing a variation of the following planning activities that are appropriate for your site, in advance of installing Tivoli Identity Manager, and also subsequent fix packs:
- Establish a working practice that provides comprehensive and relevant Tivoli Identity Manager information to all the specialists who install middleware. For example, have the team meet regularly to enumerate their problems and share their solutions.
- To ensure coordination, designate one person as a focal point for concerns that flow between your site and IBM customer support specialists.
- If possible, reduce the number of specialists who install and configure the applications.
- Encourage communication flow between specialists in the following ways:
  - Provide a comprehensive library or list of FTP and Web sites for prerequisite installation and configuration information.
  - Ensure that the specialists installing Tivoli Identity Manager have root or Administrator authority for the prerequisite middleware on the middleware servers.
  - Ensure that all elements of the system or solution have sufficient privileges to provide accounts.
  - Support a centralized problem and solution database that identifies troubleshooting actions and assigns action owners.
  - Maintain a common library of scripts that automate start up.
  - Create a change control database that coordinates all customization activities.
- Determine a working practice in which specialists provide a record of critical values of configuration parameters like the ones that this publication provides. Ensure that all specialists have access to and use a common worksheet that centralizes the information. For example, each installation chapter in this manual provides a checklist of prerequisites that must be installed, configured, and running before you begin installation. Additionally, Appendix B, Configuring security for Tivoli Identity Manager, on page 133 provides a centralized collection point for critical values such as user IDs, passwords, and security settings. Because such a worksheet holds passwords, store it with the same access controls as the systems it describes.
- The IBM Tivoli Identity Manager Information Center specifies prerequisite levels and fix packs or patches.


Chapter 2. Installing and configuring a database

The Tivoli Identity Manager application stores transactional and historical data, including schedules, access control item definitions (ACIs), and audit data in a database. This chapter focuses on configuring a Tivoli Identity Manager database before Tivoli Identity Manager installation. For more information about supported database releases and required fix packs, refer to the Tivoli Identity Manager Information Center.

The information in this chapter is not a substitute for the more extensive, prerequisite documentation that is provided by the database product. For more information that you must know beforehand, refer to these sources:

IBM DB2 Database
    http://www.ibm.com/software/data/db2/udb/support.html
    http://publib.boulder.ibm.com/infocenter/db2help/index.jsp (Information center)
    http://www.ibm.com/software/data/db2
    http://www-1.ibm.com/support/docview.wss?rs=71&uid=swg27007053
    http://www.ibm.com/software/data/db2/udb/sysreqs.html (Operating system prerequisites)
    http://www.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/v9pubs.d2w/en_main

Oracle
    http://otn.oracle.com/documentation/index.html
    http://otn.oracle.com/tech/index.html

Microsoft SQL Server 2005
    http://www.microsoft.com/sql/
    http://www.msdn.com/library/

Before you install the database product

Before you install the database product, complete these steps:
- Read the installation information that the database product provides.
- Ensure that your installation meets the product hardware and software requirements.
- Verify that all required operating system patches are in place.
- Ensure that kernel settings are correct for some operating systems, such as the Solaris operating system. Each database application specifies its own requirements, such as additional operating system values. Before installing the application, refer to its documentation for these additional settings. For example, these Web sites describe kernel settings that DB2 requires:
  AIX: None required.
  Solaris: http://publib.boulder.ibm.com/infocenter/db2luw/v9/topic/com.ibm.db2.udb.uprun.doc/doc/t0006476.htm
  Linux (Red Hat and SUSE):

http://publib.boulder.ibm.com/infocenter/db2luw/v9/topic/com.ibm.db2.udb.uprun.doc/doc/t0008238.htm
  Windows: None required.

Installing and configuring IBM DB2 Database

This section describes installing and configuring the IBM DB2 Universal Database (DB2). The configuration steps in this section create a database for later use by the Tivoli Identity Manager Server installation program, which populates the database with data objects.

You can install DB2 on the same computer with Tivoli Identity Manager or on a separate computer. Installing DB2 on the same computer requires the installation of a Java Database Connectivity driver (JDBC driver, type 4). A JDBC driver enables Tivoli Identity Manager to communicate with the data source. Installing DB2 automatically installs the type 4 JDBC driver.

Tivoli Identity Manager requires DB2 to run with a required level of the DB2 fix pack. For more information about installing DB2 and any fix packs, refer to the Tivoli Identity Manager Information Center and to documentation that the database product provides. For example, access these Web sites:
    http://www.ibm.com/software/data/db2/udb/support.html
    http://www.ibm.com/software/data/db2/udb/support/downloadv9.html

Recording user data

The DB2 installation requires that you specify some system data, such as the DB2 administrator user ID and password. The installation wizard provides both status reports and an initial verification activity.

Recording user names and passwords on UNIX and Linux systems

Table 1 shows the default values that are created on UNIX and Linux systems. Record this information, which is required to configure the DB2 database that Tivoli Identity Manager uses. If you choose not to use the middleware configuration utility to create a DB2 instance, installing DB2 can create a default DB2 instance.

Table 1. DB2 Database typical configuration parameters on UNIX and Linux systems

DB2 administrator user ID and instance name
    Description: The user ID that is used to connect to DB2 as the DB2 administrator and instance owner.
    Value: db2admin. Note: If you do not use the middleware configuration utility, this value is db2inst1 by default.

DB2 instance password
    Description: The password for the administrator user ID.
    Value: A user-defined value.

DB2 instance home directory
    Description: The home directory of the DB2 administrator and instance owner.
    Value: AIX: /home/db2admin; Linux: /home/db2admin; Linux for System p: /home/db2admin; Linux for System z: /home/db2admin; Solaris: /export/home/db2admin. Note: If you do not use the middleware configuration utility, you might need to replace db2admin with db2inst1.

Recording user names and passwords on Windows systems

Table 2 shows the default values that are created on Windows systems. If you choose not to use the middleware configuration utility to create a DB2 instance, installing DB2 can also create the default DB2 instance. For more information about using the middleware configuration utility, see Running the middleware configuration utility on page 13.

Table 2. Field values on Windows systems

DB2 instance name
    Description: The name of the DB2 instance.
    Value: db2admin. Note: DB2 defaults to an instance value of DB2.

Administrative user ID
    Description: The user ID that is used to connect to DB2 as the DB2 administrator and instance owner.
    Value: db2admin

Password
    Description: The password for the administrator user ID.
    Value: A user-defined value

DB2 instance home directory
    Description: The home directory of the DB2 administrator and instance owner.
    Value: drive: For example, C:

Verifying the installation

The installation wizard provides a status report when the installation is complete. Additionally, run the DB2 First Steps operation to verify that the installation is successful. To start the operation, complete these steps:

UNIX or Linux operating systems
    Enter this command:
        DB_INSTANCE_HOME/sqllib/bin/db2fs

    Note: For UNIX systems, the root user has to source the db2admin profile or switch to the instance owner before running this command. You have already created a DB2 instance.

Windows operating systems
    Click Start > Programs > IBM DB2 > DB2 Copy Name > Set-up Tools > First Steps.

For more information about verifying the DB2 installation, visit this Web site: http://publib.boulder.ibm.com/infocenter/db2luw/v9/index.jsp?topic=/com.ibm.db2.udb.uprun.doc/doc/t0006838.htm

Installing the required fix packs

If your version of DB2 requires a fix pack, obtain and install the fixes that are available at this DB2 support Web site: http://www.ibm.com/software/data/db2/udb/support.html

Verify that the correct fix pack is installed on both the database server and the database client computers.

If you created a DB2 instance during installation, you can use the following commands:
- On UNIX and Linux systems, log on as the DB2 instance user ID and enter the db2level command:
      su - DB2_instance_ID
      db2level
  The value of DB2_instance_ID is the DB2 instance name, such as db2admin.
- On Windows, enter the db2level command from the DB2 command window:
      db2level

If you did not create a DB2 instance during installation, use the following commands:
- On UNIX and Linux systems, enter the db2ls command:
      DB_HOME/install/db2ls
  or
      /usr/local/bin/db2ls
- On Windows, run the regedit command and look for the information in the following location:
      HKEY_LOCAL_MACHINE\SOFTWARE\IBM\DB2\InstalledCopies\db2_name\CurrentVersion

For more information about these steps, refer to the Tivoli Identity Manager Information Center and to documentation that the DB2 fix pack provides.

Configuring IBM DB2 Database

The Tivoli Identity Manager installation product includes a middleware configuration utility that creates database instances and user IDs and configures parameters for DB2 and IBM Tivoli Directory Server. Default values are supplied for many of the typical parameters and all the advanced parameters. If an entered parameter, such as the DB2 instance ID, exists, the middleware configuration utility skips the task of creation. You can choose to keep those values, or provide values

of your own. Required fields are marked by an asterisk (*). You can revisit any panel in the deployment wizard by clicking the Back button until you reach the panel.

Note: The middleware configuration utility stores by default any input you provide in a response file called db2ldap.rsp located in the system temp directory; for example, the /tmp directory. This file is normally cleaned up after the utility completes. If you cancel the utility before it completes, this file might not be erased. Because the file holds the values you entered, including passwords, and a file created in /tmp with the required umask of 022 is readable by every local user, check for it after a cancelled run and delete it.

Running the middleware configuration utility

You can run the middleware configuration utility to set DB2 parameters for later Tivoli Identity Manager deployment. The middleware configuration utility:
- Creates user IDs if needed
- Creates DB2 instances if needed
- Creates databases if needed
- Tunes DB2 (buffer pool, log tuning)
- Configures some DB2 settings (DB2ENVLIST=EXTSHM, DB2COMM=tcpip)

The middleware configuration utility can be run manually or silently. For more information about silent configuration, see Configuring DB2 silently on page 15.

Before you begin: On Windows operating systems, you must be an administrator or have administrative authority. On UNIX and Linux operating systems, you must be a root user. Additionally, the umask setting must be 022. To verify the umask setting, issue the command:
    umask
To set the umask value to 022, issue the command:
    umask 022

Note: Record the values you provide for the middleware configuration utility for later use with the DBConfig and ldapconfig utilities used during Tivoli Identity Manager server installation.

Procedure: To start the middleware configuration utility for DB2 manually, complete the following steps:
1. Log on to an account with system administration privileges on the computer where DB2 is installed.
2. Start the middleware configuration utility, located on the base directory of the DVD or a download directory:
   AIX: Start the middleware configuration utility by running the cfg_itim_mw_aix program.
   Solaris: Start the middleware configuration utility by running the cfg_itim_mw_solaris program.
   Linux for xSeries: Start the middleware configuration utility by running the cfg_itim_mw_xlinux program.
   Linux for pSeries: Start the middleware configuration utility by running the cfg_itim_mw_plinux program.
   Linux for zSeries: Start the middleware configuration utility by running the cfg_itim_mw_zlinux program.

   Windows: Start the middleware configuration utility by using the cfg_itim_mw.exe program if the Windows autorun feature is disabled.
   Each platform requires a file called cfg_itim_mw.jar to go along with the native program. The JAR file and the native program must be in the same directory location.
3. Select your language, and click OK.
4. From the Product Configuration panel, check only Configure IBM DB2 Database, and click Next.
5. You can receive a warning if DB2 is not at the correct level or not installed. Action might be required to make sure DB2 is at the correct level. To bypass this warning, click Next.
6. From the IBM DB2 Database Configuration Options panel, provide the following information, and then click Next:
   DB2 administrator ID or instance name
       Provide the user ID that is used to connect to DB2 Database as the DB2 administrator. For example, db2admin. If this value is new, the utility creates a user ID and instance name. If you provide an existing user ID and instance name, no new user ID or instance is created.
   DB2 administrator password
       Enter the password that you have set for the DB2 Database administrator account.
   Password confirmation
       Type the password again.
   DB2 server database home
       Provide the directory on which the DB2 instance resides. For example, C: or /home/dbinstancename.
   DB2 database name
       Provide the name of the database you are creating. For example, itimdb.
   ITIM database user ID
       Provide the user ID for the ITIM database you are creating. For example, itimuser.
       Note: On Windows systems, disable password expiration for this user account after running the utility.
   Password for ITIM database user ID
       Provide the password for the ITIM database user ID.
   Password confirmation
       Type the password again.
   Group for the DB2 administrator
       Select from the drop-down list a valid group, of which root is a member, to associate with the DB2 administrator ID and instance name. For example, bin. This value is available only for UNIX or Linux operating systems.
   Note: The dollar sign ($) has special meaning in the installer frameworks used by the middleware configuration utility. Avoid using $ in any field values, including passwords. The installer framework or operating system platform might do variable substitution for the value.
7. If you have changed the default DB2 instance name, or if a DB2 instance exists with that name, you are prompted with a warning message. If you are only using the DB2 instance for Tivoli Identity Manager, click Yes. It is not recommended to share the instance with another program.
8. Review your configuration options before clicking Next to begin the configuration process.
9. The configuration can take up to several minutes to complete. After the configuration completes successfully, click Finish to exit the deployment wizard.

This step concludes the middleware configuration process for DB2 Database. To verify that the middleware configuration utility completed for DB2 without error, check the cfg_itim_mw.log in the system temp directory.

Configuring DB2 silently

To start the middleware configuration utility silently, complete these steps:
1. Copy the sample response file cfg_itim_mw.rsp (or cfg_itim_mw_windows.rsp for Windows systems) to a directory on the target computer.
2. Update the response file with the correct values. Make sure that the configuredb2 value is set to "yes". If you are not configuring the directory server at the same time, make sure that the configureldap value is set to "no".
3. From a command window, run this command:
       cfg_itim_mw -W ITIM.responseFile=cfg_itim_mw.rsp -silent
   Where cfg_itim_mw is:
   AIX: cfg_itim_mw_aix
   Solaris: cfg_itim_mw_solaris
   Linux for xSeries: cfg_itim_mw_xlinux
   Linux for pSeries: cfg_itim_mw_plinux
   Linux for zSeries: cfg_itim_mw_zlinux
   Windows: cfg_itim_mw_windows

Note: If you run the middleware configuration utility silently, the response file is updated during the configuration process. The response file carries the passwords you supply in it, so restrict its permissions while it is in use and remove it when the configuration is complete.

Related topics: Running the middleware configuration utility on page 13

Manually configuring the DB2 server

You can manually configure the DB2 server. The DB2 settings described in this chapter are initial settings that might require runtime adjustment. For more information, refer to the IBM Tivoli Identity Manager Performance Tuning Guide technical supplement.

Configuring the DB2 server requires the following steps:
1. Creating a user on Windows and UNIX systems, or Creating a user on a Linux system on page 16
2. Creating the Tivoli Identity Manager database on page 16
3. Ensuring that TCP/IP communication is specified on page 17

Creating a user on Windows and UNIX systems:

Create an operating system user named itimuser on the computer on which the DB2 server is installed. The Tivoli Identity Manager Server uses the default user ID itimuser to access the database, although you have the option to create a user ID other than the default

user ID or use an existing user ID. No special privileges are required for this user. Ensure that a password change is not required at the next logon and that the password never expires.

To create a user, follow these steps:
1. As root or as Administrator, start the system management tool for your operating system.
   AIX: SMIT or SMITTY
   Solaris: System Management Console (SMC)
   Windows: Click Start > Administrative Tools > Computer Management > Local Users and Groups > Users.
2. Add a new user itimuser and set the user password.
3. Exit the system management tool.
4. Test the user access. Ensure that you can log on with the user ID itimuser without encountering a password reset.
5. Proceed to the next step, Creating the Tivoli Identity Manager database.

Creating a user on a Linux system:

You can use the console command interface or the GUI utility to create a user on Linux. To create a user by using the console command interface on a Linux (Red Hat) operating system, enter the following command:
    useradd -d /home/itimuser -p password itimuser
The -d switch specifies the home directory. The entry itimuser specifies the user ID that is created. Be aware that the -p switch expects an already encrypted password (the output of crypt(3)), not a cleartext one: a cleartext value is stored unchanged in the password field and the account cannot log on with it. A password given on the command line is also visible to other users in the process list and is recorded in the shell history. It is safer to omit -p, and then set the password with the passwd command after the user exists. Proceed to the next step, Creating the Tivoli Identity Manager database.

Creating the Tivoli Identity Manager database:

You can specify any name for the Tivoli Identity Manager database, such as itimdb. To create the Tivoli Identity Manager database, follow these steps:
1. Open a DB2 command window.
   UNIX: Log on as the DB2 instance owner and ensure that the db2profile has been sourced into the environment.
   Windows: Click Start > Run, and enter db2cmd.
2.
In the DB2 command window, enter these commands to create the database:
       db2 create database itim_dbname using codeset UTF-8 territory us
       db2 connect to itim_dbname user itim_dbadmin_name using itim_dbadmin_password
       db2 create bufferpool ENROLEBP size automatic pagesize 32k
       db2 update db cfg for itim_dbname using logsecond 12
       db2 update db cfg for itim_dbname using logfilsiz 10000
       db2 update db cfg for itim_dbname using applheapsz 2048
       db2 update db cfg for itim_dbname using app_ctl_heap_sz 1024
       db2 update db cfg for itim_dbname using maxfilop 256
       db2 update db cfg for itim_dbname using locklist 5000
       db2 update db cfg for itim_dbname using auto_runstats off
       db2 update db cfg for itim_dbname using database_memory itim_dbmemory
       db2 alter bufferpool IBMDEFAULTBP size automatic
       db2 disconnect current
   The value of itim_dbname is a name such as itimdb. The value of itim_dbmemory is 40000 for a single-server installation; otherwise it is COMPUTED on all platforms except AIX and Windows, where the value is AUTOMATIC. If you omit the using itim_dbadmin_password clause from the connect command, the DB2 command line processor prompts for the password, which keeps it out of the shell history and the process list. For more

information about performance parameter tuning for DB2, refer to the IBM Tioli Identity Manager Performance Tuning Guide. 3. Stop and start the DB2 serer to reset the configuration. After you hae created the Tioli Identity Manager database and reset the configuration, stop and start the DB2 serer to allow the changes to take effect. Enter the following commands: db2stop db2start If entering db2stop fails and the database remains actie, enter db2 force application all to inactiate the database. Enter db2stop again. Ensuring that TCP/IP communication is specified: Installing DB2 specifies TCP/IP communication by default. To confirm that TCP/IP communication is specified on the DB2 serer and on the DB2 client, follow these steps: 1. Enter the following command: db2set -all DB2COMM 2. If a tcpip entry is not in the list that was returned, enter the following command, including tcpip and any other alues that were returned in the list that the command proided: db2set DB2COMM=tcpip,alues_from_db2set_command For example, if the db2set -all DB2COMM command returned alues such as npipe and ipxspx in the list, specify these alues again when you enter the db2set command the second time: db2set DB2COMM=tcpip,npipe,ipxspx Determining the correct serice listening port and serice name Running the middleware configuration utility configures the serice listening port number and the database serice name. There is a serice listening port associated with each DB2 instance. The port is used for establishing a DB2 connection from a DB2 application to the database owned by the instance. The default serice port number for the DB2 default instance (DB2 on windows and db2inst1 on Unix), which is created on installing the DB2 serer, is 50000. Running the middleware configuration utility to create a DB2 instance, the default serice port number of the instance is 50002. 
If you have migrated DB2 8.2 to DB2 9.1 or DB2 9.5 along with the DB2 instance, the DB2 migration utility might reset the service port of the instance to 60000. To determine whether the correct service name or service listening port is defined, complete these steps:

1. In the DB2 command window, enter these commands to check the service name:

   db2 connect to itim_dbname user itim_dbadmin_id using itim_dbadmin_password
   db2 get dbm cfg

   Look for the SVCENAME attribute to locate the service name.
2. Locate the statement that is like the following example, which specifies the current port number in the services file on the computer on which the DB2 server resides:
   Windows DB2 Version 9.1: service_name 50000/tcp
   UNIX DB2 Version 9.1: service_name 50000/tcp
   where service_name is the attribute you checked in the first step. The services file has the following path:
   Windows: %SYSTEMROOT%\system32\drivers\etc\services
   UNIX: /etc/services

Related topics: See Before you begin on page 108 for topics related to DB2 migration.

Tuning the DB2 Database for performance

Performance issues can occur after you initially configure DB2. These tasks describe actions you can take to ensure DB2 performs correctly.

Configuring TCP KeepAlive settings

The failover design of the messaging engine relies upon the database connections being broken when a messaging engine instance fails. In order for failover to occur in high availability environments, ensure that the system notices the broken connection in a timely manner and releases database locks. This task is done by configuring the TCP KeepAlive settings. For example, if you run DB2 on Linux, log in as a system administrator and complete these steps:

1. Run the following commands on the computer where your DB2 Server resides:

   echo 30 > /proc/sys/net/ipv4/tcp_keepalive_intvl
   echo 30 > /proc/sys/net/ipv4/tcp_keepalive_time

   Note: These settings are also used by IPv6 implementations.
2. You might need to restart the network for changes to take effect, such as running the following Linux command:

   # /etc/init.d/network restart

   These settings will be effective only after a restart of the computer.

Changing the DB2 application heap size

Loading many users can encounter performance issues. You might see this message:

Not enough storage available for processing the sql statements.

To provide additional storage space, change the DB2 application heap size to a larger value. Using the IBM Tivoli Identity Manager Performance Tuning Guide to tune DB2 is recommended for all systems, both for production and test environments.

Installing and configuring the Oracle database

This section describes installing and configuring the Oracle database for Tivoli Identity Manager. In all cases, refer to the installation and migration guides that the Oracle Corporation provides for complete information. For more information, refer to these Web sites:

http://otn.oracle.com/documentation/index.html
http://otn.oracle.com/tech/index.html
http://otn.oracle.com/tech/linux/index.html

Before you create a database

To use multiple instances of Tivoli Identity Manager with the same Oracle Database server, see Multiple instances of Tivoli Identity Manager with an Oracle Database server before creating the database. To create an Oracle database for Tivoli Identity Manager, complete these steps:

Installing the Oracle database server on page 20
Configuring the init.ora file on page 20
Setting environment variables on page 21
Backing up an existing database on page 21
Installing the Oracle JDBC driver on page 21

Multiple instances of Tivoli Identity Manager with an Oracle Database server

If you want to point several instances of Tivoli Identity Manager to multiple databases on the same Oracle server, you need to copy and modify this code example in the $ITIM_home/config/rdbms/oracle/enrole_admin.sql file. This code needs to be added after the Tivoli Identity Manager installation has started (to create the $ITIM_home/config/rdbms/oracle/enrole_admin.sql file), but before submitting the dbconfig portion of the installation. The value enrole1_data_001.dbf has been changed to enrole1_data_002.dbf in this example. This value needs to be modified incrementally in each copy of the code for each additional Tivoli Identity Manager instance being used on the same Oracle server.

Note: The two lines where the code needs to be modified are the two DATAFILE lines.

# pwd
/u02/enrole/config/rdbms/oracle
# more enrole_admin.sql
CREATE TABLESPACE enrole_data
  DATAFILE 'enrole1_data_002.dbf' SIZE 160M AUTOEXTEND ON NEXT 20M MAXSIZE 1024M
  DEFAULT STORAGE (INITIAL 10M NEXT 1M PCTINCREASE 10)
  PERMANENT ONLINE LOGGING;
CREATE TABLESPACE enrole_indexes
  DATAFILE 'enrole1_idx_002.dbf' SIZE 160M AUTOEXTEND ON NEXT 20M MAXSIZE 1024M
  DEFAULT STORAGE (INITIAL 10M NEXT 1M PCTINCREASE 10)
  PERMANENT ONLINE LOGGING;
CREATE USER enrole IDENTIFIED BY enrole
  DEFAULT TABLESPACE enrole_data
  QUOTA UNLIMITED ON enrole_data
  QUOTA UNLIMITED ON enrole_indexes;
GRANT CREATE SESSION TO enrole;
GRANT CREATE TABLE to enrole;
#

Installing the Oracle database server

You might install the Oracle database server on the same computer or on a computer that is separate from Tivoli Identity Manager. For more information about installing the Oracle database server, refer to documentation available at this Web site:

http://otn.oracle.com/tech/index.html

Note: If you manually create the Oracle database for Tivoli Identity Manager, you must manually install the JVM feature, or any transactions from Tivoli Identity Manager later fail. It is not required to manually create the database and install the JVM feature, however. You can use the Oracle Database Configuration Assistant wizard to create the database and install the JVM feature.

Configuring the init.ora file

You must configure the init.ora file for the Tivoli Identity Manager database. Complete these steps:

1. Copy the init.ora file.
   Windows:
   a. Under the ORACLE_HOME\admin\ directory, create a directory named db_name\pfile. The value of db_name might be itimdb.
   b. Copy the sample initsmpl.ora file from the ORACLE_HOME\db_1\admin\sample\pfile\ directory to the ORACLE_HOME\admin\db_name\pfile directory.
   c. Rename the new init.ora file to a value of initdb_name.ora.
   UNIX:
   Copy the ORACLE_HOME/product/10.2.0/db_2/dbs/init.ora file to a new ORACLE_HOME/dbs/initdb_name.ora file.
2. Based on your environment requirements, tune the value of the following parameters in the initdb_name.ora file:

   db_name=itimdb
   compatible=10.2.0.1.0
   processes=150
   shared_pool_size=50000000

   Additionally, define three control files for the Tivoli Identity Manager database. This example statement defines the control files for a UNIX operating system:

   control_files=(ORACLE_HOME/oradata/db_name/control01.ctl,
                  ORACLE_HOME/oradata/db_name/control02.ctl,
                  ORACLE_HOME/oradata/db_name/control03.ctl)

   Using the IBM Tivoli Identity Manager Performance Tuning Guide to tune the Oracle database is recommended for all systems, both for production and test environments.
3. Manually create all the directories defined in the initdb_name.ora file.

Setting environment variables

Set the environment variables for Oracle by editing the .profile file. Required environment variables include ORACLE_SID and ORACLE_HOME, the library path, and the system path. Source the profile on UNIX operating systems, which updates the environment variables in the current session, to ensure that Tivoli Identity Manager can communicate with the database. To source the profile, enter the following command:

# . /.profile

For more information, refer to the Oracle Web site.

Backing up an existing database

Perform a full backup of any existing database, and review the preliminary steps that the documentation from the Oracle Corporation provides for upgrading an Oracle database, before you begin to install the Oracle product or upgrade an existing database. For Web sites that provide this information, see Installing the Oracle database server on page 20.

Installing the Oracle JDBC driver

IBM Tivoli Identity Manager Version 5.1 requires the Oracle 11g Release 1 (11.1.0.7.0) JDBC driver whether you are using an Oracle 10g or 11g database. Copy the Oracle JDBC driver from the Oracle server directory or download it from the Oracle Web site into a directory on the computer on which Tivoli Identity Manager is to be installed. The Tivoli Identity Manager installation program prompts for the directory containing the JDBC driver and the driver name. In a cluster configuration, the JDBC driver is required on the computer that has the deployment manager and on each Tivoli Identity Manager cluster member computer. For example, if the Oracle database is installed on Linux, but Tivoli Identity Manager is installed on Windows, create a directory C:\itim_jdbcdriver\ and copy the JDBC driver file to that directory, then point to this directory during installation.

Creating the Tivoli Identity Manager database

Skip this step if you use the Oracle Database Configuration Assistant wizard, which creates the Tivoli Identity Manager database. Manually create a Tivoli Identity Manager database using these steps:

1. Create and start the database instance using these steps:
   Windows:
   a. Create the instance with this command on one line:

      # oradim -new -sid db_name -pfile ORACLE_HOME\admin\db_name\pfile\initdb_name.ora

      The value of the -sid parameter specifies the database instance name. For example, the value of db_name might be itimdb. The value of the -pfile parameter specifies the file that you previously configured in Configuring the init.ora file on page 20.
   b. Start the database instance with these commands:

      # sqlplus "/ as sysdba"
      SQL> startup nomount pfile=ORACLE_HOME\admin\db_name\pfile\initdb_name.ora

   c. Verify that the Windows service OracleServicedb_name is started.
   UNIX:
   Start the database instance with these commands:

      # ./sqlplus "/ as sysdba"
      SQL> startup nomount pfile=ORACLE_HOME/dbs/initdb_name.ora

2. Use an SQL script like the following example to create your database. Change the values in the script to match any requirements at your site. In this example, the value of db_name is an instance name such as itimdb.

   -- Create database
   CREATE DATABASE db_name
     CONTROLFILE REUSE
     LOGFILE '/u01/oracle/db_name/redo01.log' SIZE 1M REUSE,
             '/u01/oracle/db_name/redo02.log' SIZE 1M REUSE,
             '/u01/oracle/db_name/redo03.log' SIZE 1M REUSE,
             '/u01/oracle/db_name/redo04.log' SIZE 1M REUSE
     DATAFILE '/u01/oracle/db_name/system01.dbf' SIZE 10M REUSE AUTOEXTEND ON NEXT 10M MAXSIZE 200M
     CHARACTER SET UTF8;
   -- Create another (temporary) system tablespace
   CREATE ROLLBACK SEGMENT rb_temp STORAGE (INITIAL 100 k NEXT 250 k);
   -- Alter temporary system tablespace online before proceeding
   ALTER ROLLBACK SEGMENT rb_temp ONLINE;
   -- Create additional tablespaces...
   -- RBS: For rollback segments
   -- USERs: Create user sets this as the default tablespace
   -- TEMP: Create user sets this as the temporary tablespace
   CREATE TABLESPACE rbs DATAFILE '/u01/oracle/db_name/db_name.dbf' SIZE 5M REUSE AUTOEXTEND ON NEXT 5M MAXSIZE 150M;
   CREATE TABLESPACE users DATAFILE '/u01/oracle/db_name/users01.dbf' SIZE 3M REUSE AUTOEXTEND ON NEXT 5M MAXSIZE 150M;
   CREATE TABLESPACE temp DATAFILE '/u01/oracle/db_name/temp01.dbf' SIZE 2M REUSE AUTOEXTEND ON NEXT 5M MAXSIZE 150M;
   -- Create rollback segments.
   CREATE ROLLBACK SEGMENT rb1 STORAGE(INITIAL 50K NEXT 250K) tablespace rbs;
   CREATE ROLLBACK SEGMENT rb2 STORAGE(INITIAL 50K NEXT 250K) tablespace rbs;
   CREATE ROLLBACK SEGMENT rb3 STORAGE(INITIAL 50K NEXT 250K) tablespace rbs;
   CREATE ROLLBACK SEGMENT rb4 STORAGE(INITIAL 50K NEXT 250K) tablespace rbs;
   -- Bring new rollback segments online and drop the temporary system one
   ALTER ROLLBACK SEGMENT rb1 ONLINE;
   ALTER ROLLBACK SEGMENT rb2 ONLINE;
   ALTER ROLLBACK SEGMENT rb3 ONLINE;
   ALTER ROLLBACK SEGMENT rb4 ONLINE;
   ALTER ROLLBACK SEGMENT rb_temp OFFLINE;
   DROP ROLLBACK SEGMENT rb_temp;

   Note: Using the IBM Tivoli Identity Manager Performance Tuning Guide to tune the Oracle database is recommended for all systems, both for production and test environments.
3. Install the JVM for the database. Use these commands:

   # sqlplus "/ as sysdba"
   SQL> @$ORACLE_HOME/rdbms/admin/catalog.sql
   SQL> @$ORACLE_HOME/rdbms/admin/catproc.sql
   SQL> @?/javavm/install/initjvm.sql
   SQL> @?/xdk/admin/initxml.sql
   SQL> @?/xdk/admin/xmljava.sql
   SQL> @?/rdbms/admin/catjava.sql
   SQL> connect system/manager
   SQL> @$ORACLE_HOME/sqlplus/admin/pupbld.sql

   The value of the manager parameter is the password for the system user account.

Tuning the Oracle database for performance

This section describes some actions you can take to ensure the Oracle database functions properly.

Enabling XA recovery operations

Oracle requires the granting of special permissions to enable XA recovery operations. Failure to enable XA recovery can result in the following error:

WTRN0037: The transaction service encountered an error on an xa_recover operation.

As the database administrator, connect to the database and run the following commands:

grant select on pending_trans$ to public;
grant select on dba_2pc_pending to public;
grant select on dba_pending_transactions to public;
grant execute on dbms_system to itim_db_user;

where itim_db_user is the user that owns the Tivoli Identity Manager database, such as itimuser. Stop and restart the database instance for these changes to take effect.

Configuring TCP KeepAlive settings

The failover design of the messaging engine relies upon the database connections being broken when a messaging engine incarnation fails. In order for failover to occur in high availability environments, ensure that the RDBMS detects the broken connection in a timely manner and releases database locks. This task is done by configuring the TCP KeepAlive settings. If you run Oracle on Windows Server, log in as a system administrator and complete these steps:

1. Run regedit from Start > Run.
2. Navigate to the following path in the left pane:
   My Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
3. Right click in the right pane and select New > DWORD Value.
4. Enter the name as KeepAliveInterval for the new parameter.
5. Right click this new parameter and select Modify.
6. Select Base as Decimal and enter the value as 30000 (30000 milliseconds = 30 seconds).
7. Similarly, add another DWORD value with name KeepAliveTime and set the value equal to 30000.

These settings will be effective only after a reboot of the computer.

Starting the Oracle product and the listener service

To start the Oracle database, complete these steps:
Windows: Use the Services menu to start the Oracle database service called OracleServicedb_name.
UNIX: Enter these commands:

# su - oracle
# ./sqlplus "/ as sysdba"
SQL> startup

To start the Oracle listener service, complete these steps:
Windows: Use the Services menu to start the Oracle TNS listener named OracleOraDb10_home1TNSListener. If the Oracle listener service is idle, start the listener.
UNIX:

# su - oracle
# ./lsnrctl start

To ensure that Oracle processes are started, enter this command:

ps -ef | grep ora

To ensure that the listener is running, enter this command:

# ./lsnrctl status

Installing and configuring SQL Server 2005 on the Windows operating system

This section describes installing and configuring SQL Server 2005 on the Windows operating system. Complete these steps:

Preparing to install SQL Server 2005
Installing SQL Server 2005
Configuring SQL Server 2005 on page 25
Creating the Tivoli Identity Manager database on page 25

Preparing to install SQL Server 2005

Complete the following procedures before installing SQL Server 2005 on a Windows system:

1. Obtain the latest SQL Server 2005 service pack.
2. Log in to the Windows system with an Administrator account before launching the SQL Server 2005 installation.

Installing SQL Server 2005

You might install SQL Server 2005 on the same computer or on a computer that is separate from Tivoli Identity Manager. After installing SQL Server 2005, install the latest SQL Server 2005 service pack. For more information about installing SQL Server 2005, refer to documentation available at these Web sites:

http://www.msdn.com/library/
http://www.microsoft.com/sqlserver/2005/en/us/default.aspx

Note: When you install SQL Server 2005, you must set the codepage for the database to be case insensitive (CI).

Configuring SQL Server 2005

You must complete several post-installation tasks to configure SQL Server 2005 for Tivoli Identity Manager:

Configuring SQL Server 2005 for XA transactions

To configure SQL Server 2005 for XA transactions, complete these steps:

1. Download and extract the JDBC driver from the following Web site:
   http://msdn2.microsoft.com/en-us/data/aa937724.aspx
2. Assuming that you installed the MS SQL Server 2005 JDBC 1.2 driver at JDBC_DRIVER_INSTALL_DIR, follow the instructions in Understanding XA Transactions by opening the JDBC_DRIVER_INSTALL_DIR\help\html\574e326f-0520-4003-bdf1-62d92c3db457.htm file. Complete the instructions in these sections as follows:
   a. Running the MS DTC Service
   b. Configuring the JDBC Distributed Transaction Components
   Note: You do not have to complete the section titled Configuring the User-Defined Roles because Tivoli Identity Manager creates the necessary ID and associates it with the SqlJDBCXAUser role for you.

Installing the SQL Server JDBC driver

IBM Tivoli Identity Manager version 5.1 requires SQL Server 2005 JDBC Driver 1.2. Copy the SQL Server JDBC driver from where SQL Server 2005 is installed or download it from the Microsoft Web site into a directory on the computer on which Tivoli Identity Manager is to be installed. The Tivoli Identity Manager installation program prompts for the directory containing the JDBC driver and the driver name. In a cluster configuration, the JDBC driver is required on the computer that has the deployment manager and on each Tivoli Identity Manager cluster member computer. For example, on the computer on which Tivoli Identity Manager is to be installed, create a directory C:\itim_jdbcdriver\ and copy the JDBC driver file to that directory, then point to this directory during installation.

Verify the security configuration for SQL Server 2005

To verify the security configuration for SQL Server 2005, complete these steps:

1. Launch the Microsoft SQL Server Management Studio.
2. Right click the SQL server root node, and click Properties.
3. Select Security from the Select a page panel.
4. Ensure that SQL Server and Windows Authentication Mode is selected.
5. Click OK.

Creating the Tivoli Identity Manager database

You must complete several post-installation tasks to create the Tivoli Identity Manager database.

1. Launch the Microsoft SQL Server Management Studio.
2. Navigate the tree, right-click on the Databases node, and select New Database.
3. Under Database name, type in a database name such as itimdb, and click OK.
4. For data files and transaction logs enter the following values:
   Initial file size: 20 MB
   Automatically grow files
   Allow unrestricted file growth

Note: Ensure that the SQL server is in mixed authentication mode.
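The TCP KeepAlive settings that both the DB2 section (Linux, via /proc) and the Oracle section (Windows, via the registry) of this chapter call for can be verified on Linux with the following script, added here as an example and not part of the guide; PROC_ROOT is the script's own assumption, so the check can also run against a constructed directory, and the Linux default values in the demonstration are constructed input.

```shell
#!/bin/sh
# Added example, not from the IBM guide: verify the Linux TCP KeepAlive values
# that the messaging engine's failover design depends on (the DB2-on-Linux
# steps set both to 30 seconds; the Oracle-on-Windows steps set the same
# 30 seconds through the registry). PROC_ROOT is an assumption of this script:
# it defaults to /proc/sys/net/ipv4 and can point at a constructed directory.

# Print the current value of kernel parameter $1, or "missing".
keepalive_value() {
    f="${PROC_ROOT:-/proc/sys/net/ipv4}/$1"
    if [ -r "$f" ]; then tr -d '[:space:]' < "$f"; else echo missing; fi
}

# Exit 0 only when tcp_keepalive_time and tcp_keepalive_intvl both equal $1
# seconds (default 30); report each parameter either way.
keepalive_check() {
    want=${1:-30}; rc=0
    for p in tcp_keepalive_time tcp_keepalive_intvl; do
        have=$(keepalive_value "$p")
        if [ "$have" = "$want" ]; then
            echo "ok       $p=$have"
        else
            echo "MISMATCH $p=$have (expected $want)"; rc=1
        fi
    done
    return $rc
}

# Apply $1 seconds (default 30) the way the guide does, by writing the
# /proc files; needs root on a real system.
keepalive_apply() {
    want=${1:-30}
    for p in tcp_keepalive_time tcp_keepalive_intvl; do
        echo "$want" > "${PROC_ROOT:-/proc/sys/net/ipv4}/$p"
    done
}

# Print the /etc/sysctl.conf lines that make the setting survive a reboot,
# which writing to /proc alone does not.
keepalive_sysctl_lines() {
    want=${1:-30}
    printf 'net.ipv4.tcp_keepalive_time = %s\nnet.ipv4.tcp_keepalive_intvl = %s\n' "$want" "$want"
}

# Demonstration on a constructed copy of the proc tree holding the Linux
# defaults (7200 s idle, 75 s interval), then again after applying 30 s.
PROC_ROOT=$(mktemp -d)
echo 7200 > "$PROC_ROOT/tcp_keepalive_time"
echo 75 > "$PROC_ROOT/tcp_keepalive_intvl"
if ! keepalive_check 30; then
    echo "not set; persistent form for /etc/sysctl.conf:"
    keepalive_sysctl_lines 30
fi
keepalive_apply 30
keepalive_check 30
rm -rf "$PROC_ROOT"
unset PROC_ROOT
```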

Chapter 3. Installing and configuring a directory serer Tioli Identity Manager stores user account and organizational data, but not scheduling and audit data, in a directory serer. This chapter focuses on configuring the directory serer for use by Tioli Identity Manager. The supported combinations of directory serers and required fix packs are described in the Tioli Identity Manager Information Center. The information in this chapter is not a substitute for the more extensie, prerequisite documentation that is proided by the directory serer product itself. For more information that you must preiously know, refer to these sources: IBM Tioli Directory Serer Hardware and software requirements, and documentation http://publib.boulder.ibm.com/infocenter/tiihelp/2r1/topic/ com.ibm.ibmds.doc_6.0/welcome.htm http://publib.boulder.ibm.com/infocenter/tiihelp/2r1/index.jsp?toc=/ com.ibm.ibmds.doc/toc.xml Fixes http://www.ibm.com/software/sysmgmt/products/support/ IBMDirectorySerer.html Before you install the directory serer product Before you install the directory serer product, complete these steps: Read the installation guide that the directory serer product proides. Ensure that your installation meets the directory serer hardware and software requirements. Installing and configuring IBM Tioli Directory Serer You can install the IBM Tioli Directory Serer on the same computer with Tioli Identity Manager or on a separate computer. IBM Tioli Directory Serer ersion 6.1 and 6.2 support 64-bit on all operating system platforms. In addition, these ersions also support 32-bit for Windows and Linux operating systems. The IBM Tioli Directory Serer uses DB2 Database as a data store and WebSphere Application Serer for the Web Administration Tool. 
Installing IBM Tioli Directory Serer These steps proide information about installing IBM Tioli Directory Serer using the DVDs that are proided with the Tioli Identity Manager product, which does not contain embedded middleware for DB2 and WebSphere Application Serer. If you are using an IBM Tioli Directory Serer installation DVD that contains embedded middleware for DB2 and WebSphere Application Serer, you hae the option to install embedded DB2 and WebSphere Application Serer for IBM Tioli Directory Serer and your installation process might ary. Note: You cannot use embedded DB2 for the Tioli Identity Manager database or embedded WebSphere Application Serer for Tioli Identity Manager. Copyright IBM Corp. 2009 27

To install IBM Tioli Directory Serer using the Tioli Identity Manager product DVD, complete these steps: 1. Install DB2 from the DVD proided with the Tioli Identity Manager product, if DB2 is not already installed. 2. Install WebSphere Application Serer from the DVD proided with the Tioli Identity Manager product. If you are installing Tioli Identity Manager on the same computer as IBM Tioli Directory Serer, you must complete the WebSphere Application Serer installation first. For more information, see Installing WebSphere Application Serer in a single-serer enironment on page 42. 3. Install IBM Tioli Directory Serer from the DVD proided with the Tioli Identity Manager product. 4. During the IBM Tioli Directory Serer installation, you must select Custom as the installation type. Click Next. 5. On the next panel, do not select DB2 Database, Embedded WebSphere Application Serer, or IBM Tioli Directory Integrator. You must select IBM Tioli Directory Serer 6.1. Other features are optional. Click Next. 6. In the next panel, the installer detects your WebSphere Application Serer. You might be prompted to select a custom location of the WebSphere Application Serer installation path. You can also choose to skip the deployment of Web Administration Tools. Click Next. 7. Reiew the summary and click Install to install IBM Tioli Directory Serer. For information about installing the directory serer, refer to documentation that the directory serer product proides. For example, access this Web site: http://www.ibm.com/software/sysmgmt/products/support/ IBMDirectorySerer.html Installing the required fix packs If your ersion of the IBM Tioli Directory Serer requires a fix pack, obtain and install the fixes. 
For more information, refer to this support Web site: http://www.ibm.com/software/sysmgmt/products/support/ IBMDirectorySerer.html http://publib.boulder.ibm.com/infocenter/tiihelp/2r1/topic/ com.ibm.ibmds.doc_6.0/welcome.htm http://publib.boulder.ibm.com/infocenter/tiihelp/2r1/topic/ com.ibm.ibmds.doc/welcome.htm Verify that the correct fix pack is installed on the IBM Tioli Directory Serer. To erify that the correct fix pack is installed on the IBM Tioli Directory Serer, issue the following command: AIX: lslpp -l 'idsldap*' Linux: rpm -qa grep idsldap Solaris: 1. Type pkginfo grep IDSl to query the ersion for a particular package. 28 IBM Tioli Identity Manager Serer: Installation and Configuration Guide

2. Type pkgparam package_name VERSION for each installed package. For example, pkgparam IDSl64s61 VERSION for IBM Tioli Directory Serer ersion 6.1, or pkgparam IDSl32s60 VERSION for IBM Tioli Directory Serer ersion 6.0. Windows: 1. From the command line, type regedit. 2. Look in the following registry area: 6.1 - My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\IBM\IDSLDAP\6.1 6.2 - My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\IBM\IDSLDAP\6.2 For more information about these steps, refer to the Tioli Identity Manager Information Center and to the documentation that the IBM Tioli Directory Serer fix pack proides. Configuring IBM Tioli Directory Serer Setting up the IBM Tioli Directory Serer requires creating the LDAP suffix for your organization before you install the Tioli Identity Manager Serer. Setting up the IBM Tioli Directory Serer also requires configuring the Tioli Identity Manager referential integrity file. An LDAP suffix, also known as a naming context, is a distinguished name (DN) that identifies the top entry in a locally held directory hierarchy. The Tioli Identity Manager installation product includes a middleware configuration utility that creates database instances and user IDs and configures parameters for DB2 and IBM Tioli Directory Serer. Default alues are supplied for many of the typical parameters and all the adanced parameters. If an entered parameter, such as the directory serer administrator ID, exists, the middleware configuration utility will skip the task of creation. You can choose to keep those alues, or proide alues of your own. Required fields are marked by an asterisk (*). You can reisit any panel in the deployment wizard by clicking the Back button until you reach the panel. Note: The middleware configuration utility stores by default any input you proide in a response file called db2ldap.rsp located in the system temp directory, for example the /tmp directory. This file is normally cleaned up after the utility completes. 
If you cancel the utility before it completes, this file might not be erased. Running the middleware configuration utility You can run the middleware configuration utility to set IBM Tioli Directory Serer parameters for later Tioli Identity Manager deployment. The middleware configuration utility: Creates user IDs if needed Creates IBM Tioli Directory Serer instances if needed Creates directory serer databases if needed Tunes LDAP (buffer pool, log tuning) Adds the LDAP suffix Configures the non-ssl port IBM Tioli Directory Serer ersion 6.1 copies and configures the referential integrity plug-in. IBM Tioli Directory Serer ersion 6.2 configures the referential integrity plug-in (included in ersion 6.2) for Tioli Identity Manager. Chapter 3. Installing and configuring a directory serer 29

The middleware configuration utility can be run manually or silently. For more information about silent configuration, see Configuring IBM Tioli Directory Serer silently on page 31. Before you begin: On Windows operating systems, you must be an administrator or hae administratie authority. On UNIX and Linux operating systems, you must be a root user. Additionally, the umask setting must be 022. To erify the umask setting issue the command: umask To set the umask alue to 022, issue the command: umask 022 Procedure: To start the middleware configuration utility for IBM Tioli Directory Serer manually, complete the following steps: 1. Log on to an account with system administration priileges on the computer where IBM Tioli Directory Serer is installed. 2. Start the middleware configuration utility from the DVD or a download directory: AIX: Start the middleware configuration utility by running the cfg_itim_mw_aix program. Solaris: Start the middleware configuration utility by running the cfg_itim_mw_solaris program. Linux for xseries: Start the middleware configuration utility by running the cfg_itim_mw_xlinux program. Linux for pseries: Start the middleware configuration utility by running the cfg_itim_mw_plinux program. Linux for zseries: Start the middleware configuration utility by running the cfg_itim_mw_zlinux program. Windows: Start the middleware configuration utility by using the cfg_itim_mw.exe program if the Windows autorun feature is disabled. Each platform requires a file called cfg_itim_mw.jar to go along with the natie program. The JAR file and the natie program must be in the same directory location. 3. Select your language, and click OK. 4. From the Product Configuration panel, check only Configure IBM Tioli Directory Serer, and click Next. 5. You can receie a warning if IBM Tioli Directory Serer is not at the correct leel or not installed. Action might be required to make sure that IBM Tioli Directory Serer is at the correct leel. 
To bypass this warning, click Next. 6. From the IBM Tioli Directory Serer configuration options panel, proide the following information, and then click Next: Directory serer administrator ID and instance name Proide the user ID that is used to connect to IBM Tioli Directory Serer as the directory serer administrator. For example, itimldap. Note: On Windows systems, disable password expiration for this user account after running the utility. Directory serer administrator password Enter the password that you hae set for the IBM Tioli Directory Serer administrator account. 30 IBM Tioli Identity Manager Serer: Installation and Configuration Guide

Password confirmation Type the password again. Group for the DB2 administrator Select from the drop-down list a alid group, of which root is a member, to associate the DB2 administrator ID. For example, bin. This alue is aailable only for UNIX/Linux. Directory serer database home Proide the directory on which the DB2 instance of directory serer resides. For example, C: or /home/directory_serer_instancename. Directory serer database name Proide the name of the database you are creating. For example, ldapdb2. Encryption seed Proide an encryption key, which can be any word or phrase. The key is used to encrypt Tioli Identity Manager passwords and other sensitie text. The encryption seed must be at least 12 characters in length. Note: The dollar sign ($) has special meaning in the installer frameworks used by the middleware configuration utility. Aoid using $ in any field alues. The installer framework or operating system platform might do ariable substitution for the alue. 7. Proide the following LDAP information, and then click Next. Administrator DN The user ID that represents the principal distinguished name. This DN is the root suffix for Tioli Identity Manager. For example, cn=root. Administrator DN password The password of the user ID that represents the principal distinguished name. For example, secret. Password confirmation Type the password again. User-defined suffix Proide the LDAP suffix. This suffix can be any alid suffix and is used as the context root under which Tioli Identity Manager information is located. For example, choose dc=com. Non-SSL port The port on which the directory serer is listening. The default port is 389. Note: This default port might conflict with other serices. For example, a Windows serer could run Windows Actie Directory serices, which uses a default port of 389. 8. Reiew your configuration options before clicking Next to begin the configuration process. 9. The configuration can take up to seeral minutes to complete. 
   Once the configuration completes successfully, click Finish to exit the deployment wizard.
This task concludes the middleware configuration process for IBM Tivoli Directory Server. To verify that the middleware configuration utility completed for IBM Tivoli Directory Server without error, check the cfg_itim_mw.log file in the system temp directory.

Configuring IBM Tivoli Directory Server silently
To start the middleware configuration utility silently, complete these steps:
Chapter 3. Installing and configuring a directory server 31

1. Copy the sample response file cfg_itim_mw.rsp (or cfg_itim_mw_windows.rsp for Windows systems) to a directory on the target computer.
2. Update the response file with the correct values. Make sure that the configureldap value is set to "yes". If you are not configuring the database server at the same time, make sure that the configuredb2 value is set to "no".
3. From a command window, run this command:
   cfg_itim_mw -W ITIM.responseFile=cfg_itim_mw.rsp -silent
   Where cfg_itim_mw is:
   AIX: cfg_itim_mw_aix
   Solaris: cfg_itim_mw_solaris
   Linux for xSeries: cfg_itim_mw_xlinux
   Linux for pSeries: cfg_itim_mw_plinux
   Linux for zSeries: cfg_itim_mw_zlinux
   Windows: cfg_itim_mw_windows
   Note: If you run the middleware configuration utility silently, the response file is updated during the configuration process.
Related topics
Running the middleware configuration utility on page 29

Verifying successful suffix object configuration
To verify the suffix object configuration in this example, enter this command:
Windows systems:
   ITDS_HOME\bin\ldapsearch.cmd -h localhost -b dc=com "(objectclass=domain)"
UNIX or Linux systems:
   ITDS_HOME/bin/ldapsearch.sh -h localhost -b dc=com "(objectclass=domain)"
The options are:
   -h Specifies an alternate host on which the LDAP server is running.
   -b Specifies the search base of the initial search, instead of the default.
The output confirms that you have configured permissions for dc=com and initialized the suffix with data:
   dc=com
   objectclass=domain
   objectclass=top
   dc=com

Manually configuring the referential integrity plug-in on the IBM Tivoli Directory Server
The referential integrity plug-in for Tivoli Identity Manager on the IBM Tivoli Directory Server helps maintain consistency in references to objects that are deleted from the directory. The referential integrity plug-in is configured when you run the middleware configuration utility.
The following steps explain how to manually configure the referential integrity plug-in on the IBM Tivoli Directory Server:
IBM Tivoli Directory Server version 6.1:
1. Stop the IBM Tivoli Directory Server.

2. Copy the referential integrity plug-in file libdelref.* from the Middleware Configuration DVD to the default installation directory for IBM Tivoli Directory Server. The referential integrity plug-in file is located on the Middleware Configuration DVD under delref\itds_version\platform\lib, where:
   ITDS_VERSION is ITDS6.1 for IBM Tivoli Directory Server version 6.1
   PLATFORM is aix, linux, win, plinux, sun, or zlinux
   LIB is lib (for 32-bit binary files) or lib64 (for 64-bit binary files)
   Plug-in files are also located on the respective Supplemental DVD2 (IBM Tivoli Directory Server DVD) under the delref\lib\ directory.
   The default installation directory for IBM Tivoli Directory Server is in the following location:
   Windows:
      32-bit: ITDS_HOME\lib. For example, copy the file to the C:\Program Files\IBM\LDAP\lib directory.
      64-bit: ITDS_HOME\lib64. For example, copy the file to the C:\Program Files\IBM\LDAP\lib64 directory.
   UNIX:
      32-bit: ITDS_HOME/lib. For example, copy the file to the usr/ibm/ldap/lib directory.
      64-bit: ITDS_HOME/lib64. For example, copy the file to the usr/ibm/ldap/lib64 directory.
   On UNIX systems, ensure that the file permission on the referential integrity plug-in file is set to -r-xr-xr-x, via the chmod 755 command.
3. Copy the timdelref.conf file from the Middleware Configuration DVD under the delref\etc directory to the ITDS_INSTANCE_HOME\etc directory. For example, copy the file to the C:\idsslapd-ldapdb2\etc directory.
4. Edit the ibmslapd.conf configuration file for IBM Tivoli Directory Server in the following directory:
   UNIX: ITDS_INSTANCE_HOME/etc. For example, locate the file in the /home/instance_owner_name/etc directory.
   Windows: ITDS_INSTANCE_HOME\etc. For example, locate the file in the C:\idsslapd-idsinst\etc directory.
5. In the configuration file, specify the referential integrity file for Tivoli Identity Manager:
   a. Locate the following line:
      ibm-slapdplugin: database path_to_rdbmfilename rdbm_backend_init
      The path_to_rdbmfilename variable is one of the following files:
      AIX: /lib/libback-rdbm.a
      UNIX other than AIX: /lib/libback-rdbm.so
      Windows: \lib\libback-rdbm.dll
      The Windows path is specified with a forward slash.
   b. Add the following line, all on one line, directly after the previous line (for 64-bit environments, replace lib with lib64):
      Solaris:
         ibm-slapdplugin: preoperation ITDS_HOME/lib/lib_filename DeleteReferenceInit file="itds_instance_home/etc/timdelref.conf" dn="itim_suffix"
      UNIX other than Solaris:
         ibm-slapdplugin: preoperation ITDS_HOME/lib/lib_filename DeleteReferenceInit file=itds_instance_home/etc/timdelref.conf dn=itim_suffix
      Windows:
         ibm-slapdplugin: preoperation "ITDS_HOME/lib/lib_filename" DeleteReferenceInit file="itds_instance_home/etc/timdelref.conf" dn=itim_suffix
      Notes:
      1) The ITDS_HOME variable is the default installation directory for the IBM Tivoli Directory Server. The lib_filename variable is the name of the referential integrity plug-in file, as identified in step 2 on page 33.
      2) The itim_suffix variable is a value such as dc=com.
      3) On the Windows operating system, to specify the path to the libdelref.dll and timdelref.conf files, ensure that you enclose the value of lib_filename in quotation marks. Additionally, specify the path to the libdelref.dll file with a forward slash (/).
6. Save the changes that you made to the configuration file.
7. Start the IBM Tivoli Directory Server.
8. Determine whether the referential integrity plug-in is reconfigured and loaded appropriately. Locate the IBM Tivoli Directory Server log file for the configuration:
   Windows: ITDS_INSTANCE_HOME\logs\ibmslapd.log. For example, the file is in the C:\idsslapd-ldapdb2\logs directory.
   UNIX/Linux: ITDS_INSTANCE_HOME/etc/ibmslapd.log. On Linux, for example, the file is in the /home/ldapdb2/idsslapd-ldapdb2/etc/logs directory.
   You see a message like this one:
      Plugin of type PREOPERATION is successfully loaded from /usr/ldap/lib/libdelref.a
   If you stop and start the IBM Tivoli Directory Server multiple times, more than one message occurs in the log file. Examine the timestamp on the most recent message in the file. If the operation does not succeed, ensure that the referential integrity plug-in and configuration files are in their target directories.
IBM Tivoli Directory Server version 6.2:
1. Stop the IBM Tivoli Directory Server.
2. Copy the timdelref.conf file from the Middleware Configuration DVD under the delref\etc directory to the ITDS_INSTANCE_HOME\etc directory.
   For example, copy the file to the C:\idsslapd-idsinst\etc directory.
3. Edit the ibmslapd.conf configuration file for IBM Tivoli Directory Server in the following directory:
   UNIX: ITDS_INSTANCE_HOME/etc. For example, locate the file in the /home/instance_owner_name/etc directory.
   Windows: ITDS_INSTANCE_HOME\etc. For example, locate the file in the C:\idsslapd-idsinst\etc directory.
4. In the configuration file, specify the referential integrity file for Tivoli Identity Manager (for 64-bit environments, replace lib with lib64):

   a. Locate the line that starts with ibm-slapdplugin: preoperation \lib\libdelref.dll DeleteReferenceInit and edit the file and dn values. If the line does not exist, add this sample line and edit the file and dn values:
      ibm-slapdplugin: preoperation \lib\libdelref.dll DeleteReferenceInit file=c:\idsslapd-ldaptest\etc\tdsdelref.conf dn=o=sample
      where C:\idsslapd-ldaptest\etc\tdsdelref.conf is the path where you copied the timdelref.conf file and o=sample is the suffix you used for the Tivoli Identity Manager LDAP database.
   b. Ensure that the ibm-slapdreferentialintegrityplugin attribute is set to true; otherwise the plug-in does not get loaded. The default setting is false.
      ibm-slapdreferentialintegrityplugin: TRUE
   c. Save the changes that you made to the configuration file.
   d. Start the IBM Tivoli Directory Server.
   e. Determine whether the referential integrity plug-in is reconfigured and loaded appropriately. Locate the IBM Tivoli Directory Server log file for the configuration:
      Windows: ITDS_INSTANCE_HOME\logs\ibmslapd.log. For example, the file is in the C:\idsslapd-ldapdb2\logs directory.
      UNIX/Linux: ITDS_INSTANCE_HOME/etc/ibmslapd.log. On Linux, for example, the file is in the /home/ldapdb2/idsslapd-ldapdb2/etc/logs directory.
      You see a message like this one:
         Plugin of type PREOPERATION is successfully loaded from /usr/ldap/lib/libdelref.a
      If you stop and start the IBM Tivoli Directory Server multiple times, more than one message occurs in the log file. Examine the timestamp on the most recent message in the file. If the operation does not succeed, ensure that the referential integrity plug-in and configuration files are in their target directories.

Manually tuning the IBM Tivoli Directory Server database
You can manually tune the performance of the DB2 instance that IBM Tivoli Directory Server uses. Complete these steps:
1. Open a DB2 command window.
   UNIX: Log on as the DB2 instance owner and enter db2 to open a DB2 command window.
   Windows: Click Start > Run, and enter db2cmd.
   When the DB2 command window opens, enter db2.
2. In the DB2 command window, enter these commands to tune the IBM Tivoli Directory Server database instance:
   db2 connect to itds_dbname user itds_dbadmin_name using itds_dbadmin_password
   db2 alter bufferpool IBMDEFAULTBP size automatic
   db2 alter bufferpool ldapbp size automatic
   db2 update db cfg for itds_dbname using logsecond 12
   db2 update db cfg for itds_dbname using logfilsiz 10000
   db2 update db cfg for itds_dbname using database_memory itds_dbmemory
   db2 disconnect current
   The value of itds_dbname is a name such as ldapdb2. The value of itds_dbmemory is 40000 for a single-server installation, COMPUTED for all platforms except AIX and Windows. For AIX and Windows, the value is AUTOMATIC. For more information about performance parameter tuning for DB2, refer to the IBM Tivoli Identity Manager Performance Tuning Guide.
3. Stop and start the DB2 server to reset the configuration. After you have reset the configuration, stop and start the DB2 server to allow the changes to take effect. Enter the following commands:
   db2stop
   db2start
   If entering db2stop fails and the database remains active, enter db2 force application all to deactivate the database. Enter db2stop again.

Sun Enterprise Directory Server
This section describes installing and configuring Sun Enterprise Directory Server.

Installing Sun Enterprise Directory Server
For instructions and more information about installing the Sun Enterprise Directory Server, refer to the documentation available at these Web sites:
   http://www.sun.com/software/products/directory_srvr_ee/index.html
   http://docs.sun.com/app/docs/coll/1224.4
   http://docs.sun.com/app/docs/doc/820-2762/dsoutline?a=view
   http://www.sun.com/software/products/directory_srvr_ee/get.jsp

Configuring Sun Enterprise Directory Server
To configure the Sun Enterprise Directory Server, complete these steps:
1. Create a Tivoli Identity Manager LDAP server instance. Issue the command:
   dsadm create -p portnumber -P SSL-port instance-path
   where portnumber is the port number for the Sun Enterprise Directory Server and SSL-port is the SSL port number for the Sun Enterprise Directory Server. For example:
   For UNIX systems: dsadm.sh create -p 1389 -P 1363 /local/itimldap
   For Windows systems: dsadm.exe create -p 1389 -P 1363 C:\itimldap
2. Start the Tivoli Identity Manager LDAP server. Issue the command:
   dsadm.sh start instance-path
   For example, dsadm.sh start /local/itimldap
3. Create a root suffix. Issue the command:
   dsconf.sh create-suffix -h host -p portnumber rootsuffix
   For example, dsconf.sh create-suffix -h localhost -p 1389 dc=com
   This command creates the root suffix dc=com on the Tivoli Identity Manager LDAP server.
   If you receive an "Unable to bind securely on host:portnumber" message, use the --unsecured parameter:
   dsconf create-suffix --unsecured -h localhost -p 1389 dc=com

4. Create and save a file called dcequalscom.ldif with the following content:
   dn: dc=com
   dc: com
   objectclass: top
   objectclass: domain
5. Import the dcequalscom.ldif file to the dc=com root suffix. Issue the command:
   dsconf.sh import -h hostname -p portnumber path/dcequalscom.ldif rootsuffix
   For example, dsconf.sh import -h localhost -p 1389 /temp/dcequalscom.ldif dc=com
   If you receive an "Unable to bind securely on host:portnumber" message, use the --unsecured parameter:
   dsconf.sh import --unsecured -h localhost -p 1389 /temp/dcequalscom.ldif dc=com
6. Restart the directory server.
Note: Sun Enterprise Directory Server access control instructions might have enabled anonymous read access. To provide more secure data, modify the default access control instructions to disable anonymous read access. For more information, refer to the Sun Enterprise Directory Server documentation.
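The manual referential integrity plug-in procedure earlier in this chapter edits ibmslapd.conf by hand and then checks ibmslapd.log. The following Python helpers are an added example, not IBM code from this guide: they build the 6.1 preoperation line for each platform (quoted forward-slash paths on Windows, lib64 for 64-bit), insert it directly after the rdbm_backend_init line, edit the file= and dn= values and the ibm-slapdreferentialintegrityplugin attribute for the 6.2 procedure, and report the most recent PREOPERATION load message. Assumptions: the .so extension on Linux/Solaris, placing added lines next to the other ibm-slapdplugin lines, and the constructed sample configuration and log text.

```python
"""Added example, not IBM's code: helpers for the manual referential integrity
plug-in procedure in this chapter, applied to ibmslapd.conf and ibmslapd.log
text. The sample configuration and log text at the bottom are constructed."""
import re

# Step 5a: "ibm-slapdplugin: database <path>libback-rdbm.<ext> rdbm_backend_init"
RDBM_RE = re.compile(
    r"^ibm-slapdplugin:\s+database\s+\S*libback-rdbm\.\S+\s+rdbm_backend_init\s*$")
# Any existing referential integrity (DeleteReferenceInit) plug-in line
PREOP_RE = re.compile(r"^ibm-slapdplugin:\s+preoperation\s+.*\bDeleteReferenceInit\b")
# Step 8 / step e: the message written to ibmslapd.log when the plug-in loads
LOADED_RE = re.compile(r"Plugin of type PREOPERATION is successfully loaded from (\S+)")

def plugin_line(platform, itds_home, instance_home, suffix, bits=32):
    """ITDS 6.1, step 5b: the preoperation line for 'aix', 'linux', 'sun' or 'win'.
    Assumption (not in the guide): libdelref.a on AIX, libdelref.so on Linux/Solaris."""
    lib = "lib64" if bits == 64 else "lib"  # 64-bit: replace lib with lib64
    conf = f"{instance_home}/etc/timdelref.conf"
    if platform == "win":
        # Note 3: quote the library path and write both paths with forward slashes
        home = itds_home.replace("\\", "/")
        conf = conf.replace("\\", "/")
        return (f'ibm-slapdplugin: preoperation "{home}/{lib}/libdelref.dll" '
                f'DeleteReferenceInit file="{conf}" dn={suffix}')
    if platform == "sun":  # the Solaris form quotes the file= and dn= values
        return (f'ibm-slapdplugin: preoperation {itds_home}/{lib}/libdelref.so '
                f'DeleteReferenceInit file="{conf}" dn="{suffix}"')
    ext = "a" if platform == "aix" else "so"
    return (f"ibm-slapdplugin: preoperation {itds_home}/{lib}/libdelref.{ext} "
            f"DeleteReferenceInit file={conf} dn={suffix}")

def configure_61(conf_text, line):
    """ITDS 6.1, step 5: put `line` directly after the rdbm_backend_init line.
    Idempotent: a file that already has a DeleteReferenceInit line is returned as is."""
    lines = conf_text.splitlines()
    if any(PREOP_RE.match(l) for l in lines):
        return "\n".join(lines) + "\n"
    out, inserted = [], False
    for l in lines:
        out.append(l)
        if not inserted and RDBM_RE.match(l):
            out.append(line)
            inserted = True
    if not inserted:
        raise ValueError("no 'ibm-slapdplugin: database ... rdbm_backend_init' line")
    return "\n".join(out) + "\n"

def configure_62(conf_text, conf_path, suffix, lib="lib"):
    """ITDS 6.2, step 4: set file= and dn= on the existing preoperation line (or add
    the sample line next to the other ibm-slapdplugin lines, an assumption) and set
    ibm-slapdreferentialintegrityplugin to TRUE; with the FALSE default it is not loaded."""
    lines = conf_text.splitlines()
    found = flag = False
    last_plugin = -1
    for i, l in enumerate(lines):
        if PREOP_RE.match(l):
            head = l.split(" DeleteReferenceInit")[0]
            lines[i] = f"{head} DeleteReferenceInit file={conf_path} dn={suffix}"
            found = True
        if l.startswith("ibm-slapdplugin:"):
            last_plugin = i
        if l.lower().startswith("ibm-slapdreferentialintegrityplugin:"):
            lines[i] = "ibm-slapdreferentialintegrityplugin: TRUE"
            flag = True
    if not found:
        lines.insert(last_plugin + 1, f"ibm-slapdplugin: preoperation \\{lib}\\libdelref.dll "
                                      f"DeleteReferenceInit file={conf_path} dn={suffix}")
        last_plugin += 1
    if not flag:
        lines.insert(last_plugin + 1, "ibm-slapdreferentialintegrityplugin: TRUE")
    return "\n".join(lines) + "\n"

def latest_plugin_load(log_text):
    """Step 8 / step e: path in the most recent PREOPERATION load message. One message
    is written per start, so only the last one reflects the current configuration."""
    path = None
    for l in log_text.splitlines():
        m = LOADED_RE.search(l)
        if m:
            path = m.group(1)
    return path  # None: the plug-in never reported loading

# Constructed samples, not real server files (timestamps are placeholders).
SAMPLE_CONF_61 = """\
dn: cn=Directory, cn=RDBM Backends, cn=IBM Directory, cn=Schemas, cn=Configuration
ibm-slapdplugin: database /lib/libback-rdbm.so rdbm_backend_init
ibm-slapdSuffix: dc=com
"""
SAMPLE_CONF_62 = """\
dn: cn=Directory, cn=RDBM Backends, cn=IBM Directory, cn=Schemas, cn=Configuration
ibm-slapdplugin: database \\lib\\libback-rdbm.dll rdbm_backend_init
ibm-slapdplugin: preoperation \\lib\\libdelref.dll DeleteReferenceInit file=c:\\old\\tdsdelref.conf dn=o=old
ibm-slapdreferentialintegrityplugin: FALSE
"""
SAMPLE_LOG = """\
05/12/09 10:01:34 Plugin of type PREOPERATION is successfully loaded from /usr/ibm/ldap/lib/libdelref.so
05/12/09 10:01:35 IBM Tivoli Directory Server is ready to serve requests.
05/12/09 11:20:03 Plugin of type PREOPERATION is successfully loaded from /usr/ibm/ldap/lib64/libdelref.so
"""
```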

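The note at the end of the Sun Enterprise Directory Server configuration steps says to disable anonymous read access. The following Python is an added check, not from this guide or from Sun: it scans an LDIF export of the Tivoli Identity Manager suffix for access control instructions that allow read, search or compare rights to ldap:///anyone. It assumes the Sun Directory Server ACI syntax shown in the constructed sample entry.

```python
"""Added example (not from the guide): find Sun Directory Server ACIs that grant
anonymous read access in an LDIF export of the Tivoli Identity Manager suffix.
The ACI syntax and the sample entry below are assumptions."""
import re

# subject clause of an ACI rule that names every (including unauthenticated) user
ANYONE_RE = re.compile(r'userdn\s*=\s*"ldap:///anyone"', re.IGNORECASE)
# allow (rights) subject; -- only allow rules matter, deny rules do not grant access
ALLOW_RE = re.compile(r'\ballow\s*\(([^)]*)\)\s*([^;]*);', re.IGNORECASE)
ACL_NAME_RE = re.compile(r'\bacl\s+"([^"]*)"', re.IGNORECASE)
READ_RIGHTS = {"read", "search", "compare", "all"}

def unfold_ldif(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    out = []
    for raw in text.splitlines():
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]
        else:
            out.append(raw)
    return out

def anonymous_read_acis(ldif_text):
    """Return (entry DN, acl name) for every ACI whose allow rule grants a
    read-type right to userdn="ldap:///anyone"."""
    hits, dn = [], None
    for line in unfold_ldif(ldif_text):
        if line.lower().startswith("dn:"):
            dn = line[3:].strip()
        elif line.lower().startswith("aci:"):
            aci = line[4:].strip()
            for rights, subject in ALLOW_RE.findall(aci):
                granted = {r.strip().lower() for r in rights.split(",")}
                if granted & READ_RIGHTS and ANYONE_RE.search(subject):
                    name = ACL_NAME_RE.search(aci)
                    hits.append((dn, name.group(1) if name else ""))
                    break
    return hits

# Constructed sample export: one anonymous-read ACI, one self-write ACI, one deny.
SAMPLE_LDIF = """\
dn: dc=com
objectclass: top
objectclass: domain
dc: com
aci: (targetattr != "userPassword")(version 3.0; acl "Anonymous access";
  allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr = "*")(version 3.0; acl "Self write"; allow (write)
  userdn = "ldap:///self";)
aci: (targetattr = "*")(version 3.0; acl "Deny anon"; deny (all)
  userdn = "ldap:///anyone";)
"""
```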

Chapter 4. Optionally installing IBM Tivoli Directory Integrator
IBM Tivoli Directory Integrator synchronizes and manages information exchanges between applications or directory sources. This chapter focuses on installing the IBM Tivoli Directory Integrator for use by Tivoli Identity Manager. The supported versions and required fix packs for IBM Tivoli Directory Integrator are described in the Tivoli Identity Manager Information Center. The information in this chapter is not a substitute for the more extensive, prerequisite documentation that is provided by the directory integrator product itself.

Before you install the directory integrator product
Before you install IBM Tivoli Directory Integrator, complete these steps:
- Read the installation guide that the directory integrator product provides.
- Ensure that your installation meets the directory integrator hardware and software requirements.
IBM Tivoli Directory Integrator
- Hardware and software requirements, and documentation
  http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.ibmdi.doc_6.1.1/welcome.htm
- Fixes
  http://www.ibm.com/software/sysmgmt/products/support/IBMDirectoryIntegrator.html

Installing IBM Tivoli Directory Integrator
You can install the IBM Tivoli Directory Integrator on the same computer with Tivoli Identity Manager or on a separate computer.

Installing IBM Tivoli Directory Integrator
For information about installing IBM Tivoli Directory Integrator, refer to the documentation that the product provides. For example, access this Web site:
http://www.ibm.com/software/sysmgmt/products/support/j958636n88774a05-doc.html

Installing the required fix packs
If your version of the IBM Tivoli Directory Integrator requires a fix pack, obtain and install the fixes.
For more information, refer to this support Web site:
Support
   http://www.ibm.com/software/sysmgmt/products/support/IBMDirectoryIntegrator.html
Information center
   http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?toc=/com.ibm.ibmdi.doc/toc.xml
Copyright IBM Corp. 2009 39

Installing agentless adapters
Adapters allow Tivoli Identity Manager to manage resources. Agent-based adapters require the installation of the adapter on the managed resource, and the installation of an adapter profile on the Tivoli Identity Manager server. Agentless adapters require adapter installation on the computer that hosts IBM Tivoli Directory Integrator, and the installation of an adapter profile on the Tivoli Identity Manager server. You can install IBM Tivoli Directory Integrator on the same computer as Tivoli Identity Manager or remotely. If you install IBM Tivoli Directory Integrator locally, the Tivoli Identity Manager installation program automatically installs agentless adapters, and you can also choose to automatically install agentless adapter profiles. If you install IBM Tivoli Directory Integrator remotely, you must manually install the agentless adapters on the computer that hosts IBM Tivoli Directory Integrator, and manually install agentless adapter profiles on the computer that hosts Tivoli Identity Manager. For more information about manually installing agentless adapters, see Manually installing agentless adapters and adapter profiles on page 83.

Chapter 5. Installing and configuring WebSphere Application Server
WebSphere Application Server delivers a secure, scalable application infrastructure for Tivoli Identity Manager Server. WebSphere Application Server can run in a single-server or a cluster server environment. This chapter describes generic steps to create a WebSphere Application Server environment before you install the Tivoli Identity Manager Server in either the single-server or cluster configuration. The supported releases and required fix packs for WebSphere Application Server are described in the Tivoli Identity Manager Information Center.

Before you install WebSphere Application Server
Before you install WebSphere Application Server, complete the following tasks:
- Read the WebSphere Application Server installation guide.
- Determine whether you are installing WebSphere Application Server in a single-server or cluster environment.
- Ensure that your system meets the product hardware and software requirements.
- Ensure that all required operating system fix packs are in place. For more information about tuning operating systems for the WebSphere Application Server, refer to this Web site:
  http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/topic/com.ibm.websphere.nd.doc/info/ae/ae/tprf_tuneopsys.html
For more information about installing the WebSphere Application Server, refer to the following Web sites:
Hardware and software requirements
   http://www.ibm.com/software/webservers/appserv/was/
Support
   http://www.ibm.com/software/webservers/appserv/was/support/
Information center
   http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp

Installing the WebSphere Application Server product
WebSphere Application Server Version 6 introduces the concept of a profile, in which installing the product becomes a two-step process:
1. Install a shared set of core product files using the WebSphere Application Server installation program.
2. Use profiles to define multiple application server runtime environments, each with its own administrative interfaces, that share the core files.
Profiles are necessary for the environment to function. There are three types of profiles which can be created:
Application server
   Can run as a stand-alone node or run as part of a deployment manager cell.
Deployment manager
   Provides centralized management of application servers.

Custom
   Must be federated and then customized through the deployment manager. A custom profile does not have its own administrative console. It is managed under the deployment manager node.
For example, once the core files have been installed, create one or more deployment manager profiles, application server profiles, or custom profiles. A profile can be created at any time after installation by using the Profile Creation wizard GUI or the manageprofiles command.
Additional configuration steps are required if you want to install the IBM HTTP Server and the WebSphere Web Server plug-in. For more information about installing the IBM HTTP Server, refer to the following Web site:
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.ihs.doc/info/welcome_ihs.html
For more information about planning to install the WebSphere Web Server plug-in, refer to the following Web site:
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/tins_scenario5.html

Installing WebSphere Application Server in a single-server environment
To install WebSphere Application Server in a single-server environment, complete these steps:
1. Install the WebSphere Application Server product as the root user on UNIX systems, or as a user with administrator authority on the Windows operating system.
2. Start the WebSphere Application Server installation program.
3. Select the Application Server profile.
4. By default, administrative security is enabled. Enabling administrative security protects your server from unauthorized users.
5. Enter any additional values that the WebSphere installation program requires.
6. When installation is complete, download and install the Update Installer for WebSphere Application Server from the product support Web site.
7. Use the Update Installer to install a service pack containing a supported version of WebSphere Application Server.
   See "Software prerequisites" in the Tivoli Identity Manager Information Center. Make sure that you use the same operating system administrator account that you used for the installation.
8. Ensure that you are using the IBM Java 2 Platform Standard Edition Development Kit 1.5 Service Release 6 or later. Service Release 6 is needed if you intend to enable Java 2 security. You can download the service release and follow the instructions to apply the fix at the following WebSphere Application Server fix pack Web site:
   http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg24017492
9. After you apply the WebSphere Application Server fix pack, start the WebSphere Application Server using the following command:
   Windows: WAS_PROFILE_HOME\bin\startServer.bat server_name
   UNIX/Linux: WAS_PROFILE_HOME/bin/startServer.sh server_name

   The value of server_name is the name of the WebSphere Application Server. For example, server1.
10. Open the First Steps panel for WebSphere Application Server and click Installation Verification to verify that there are no installation problems. To run the first steps, use the following command:
   Windows: WAS_PROFILE_HOME\firststeps\firststeps.bat
   UNIX/Linux: WAS_PROFILE_HOME/firststeps/firststeps.sh
11. Verify that the WebSphere Application Server fix pack is at the correct level. Enter one of these commands:
   Windows: WAS_PROFILE_HOME\bin\versionInfo.bat
   UNIX: WAS_PROFILE_HOME/bin/versionInfo.sh
   For example, the version is like the following output:
   WebSphere Application Server base
   Installed Product
   -----------------------------------------------
   Name     IBM WebSphere Application Server
   Version  6.1.0.23
   ID       BASE
12. Use the following Web address to access the WebSphere administrative console:
   http://hostname:port/ibm/console
   The value of hostname is either the fully qualified host name or the IP address of the computer on which you installed the WebSphere Application Server base product. The value of port is the port number for the WebSphere administrative HTTP transport. The default value is 9060. The port number might not be 9060 if there is another instance of the WebSphere Application Server on the computer.
13. Examine the SystemOut.log and SystemErr.log files in the WAS_PROFILE_HOME\logs\server_name directory to ensure that there are no other problems. For more information, see Log files on page 104.
Once you have completed the installation, the next step is installing IBM Tivoli Directory Server. For more information, see Installing and configuring IBM Tivoli Directory Server on page 27.

Installing WebSphere Application Server in a cluster environment
To install WebSphere Application Server in a cluster environment, complete these steps:
1. Install the WebSphere Application Server package, and create a deployment manager profile.
2. Install the WebSphere Application Server package, create a custom profile, and federate the node to the cell managed by the deployment manager on each computer in the cluster.
3. Optionally install and configure IBM HTTP Server and the WebSphere Web Server plug-in.
Chapter 5. Installing and configuring WebSphere Application Server 43

Install the WebSphere Application Server deployment manager
To install the WebSphere Application Server deployment manager, complete these steps:
1. Install the WebSphere Application Server product as the root user on UNIX systems, or as a user with administrator authority on the Windows operating system.
2. Start the WebSphere Application Server installation program.
3. Select the Deployment Manager profile.
4. By default, administrative security is enabled. Enabling administrative security protects your server from unauthorized users.
5. Enter any additional values that the WebSphere installation program requires.
6. When installation is complete, download and install the Update Installer for WebSphere Application Server from the product support Web site.
7. Use the Update Installer to install a service pack containing a supported version of WebSphere Application Server. See "Software prerequisites" in the Tivoli Identity Manager Information Center. Make sure that you use the same administrator account that you used for the installation.
8. Ensure that you are using the IBM Java 2 Platform Standard Edition Development Kit 1.5 Service Release 6 or later. Service Release 6 is needed if the user intends to enable Java 2 security. You can download the service release and follow the instructions to apply the fix at the following WebSphere Application Server fix pack Web site:
   http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg24017492
9. Start the deployment manager using the following command:
   Windows: WAS_NDM_PROFILE_HOME\bin\startManager.bat
   UNIX/Linux: WAS_NDM_PROFILE_HOME/bin/startManager.sh
10. Open the First Steps panel for WebSphere Application Server and click Installation Verification to verify that there are no installation problems. To run the First Steps panel, use the following command:
   Windows: WAS_NDM_PROFILE_HOME\firststeps\firststeps.bat
   UNIX/Linux: WAS_NDM_PROFILE_HOME/firststeps/firststeps.sh
11. Verify that the WebSphere Application Server fix pack is at the correct level. Enter one of these commands:
   Windows:
      Cluster member: WAS_PROFILE_HOME\bin\versionInfo.bat
      Deployment manager: WAS_NDM_PROFILE_HOME\bin\versionInfo.bat
   UNIX:
      Cluster member: WAS_PROFILE_HOME/bin/versionInfo.sh
      Deployment manager: WAS_NDM_PROFILE_HOME/bin/versionInfo.sh
   For example, the version is like the following output:

   WebSphere Application Server base
   Installed Product
   -----------------------------------------------
   Name     IBM WebSphere Application Server
   Version  6.1.0.23
   ID       BASE

   Deployment manager
   Installed Product
   -----------------------------------------------
   Name     IBM WebSphere Application Server Deployment Manager
   Version  6.1.0.23
   ID       ND
12. Use the following Web address to access the WebSphere administrative console:
   http://hostname:port/ibm/console
   The value of hostname is either the fully qualified host name or the IP address of the computer on which you installed the WebSphere Application Server base product. The value of port is the port number for the WebSphere administrative HTTP transport. The default value is 9060. The port number might not be 9060 if there is another instance of the WebSphere Application Server on the computer.
13. Examine the SystemOut.log and SystemErr.log files in the WAS_NDM_PROFILE_HOME\logs\dm_server_name directory to ensure that there are no other problems.

Install the WebSphere Application Server product on each node member
Install WebSphere Application Server on each computer on which Tivoli Identity Manager Server runs as a Tivoli Identity Manager cluster member, and federate each node member to the cell. To install WebSphere Application Server on each cluster member host, complete these generic steps:
1. Install the WebSphere Application Server product as the root user on UNIX systems, or as a user with administrator authority on the Windows operating system.
2. Start the WebSphere Application Server installation program.
3. Select the Custom profile.
4. In the Federation panel, complete these fields:
   a. Type the host name or IP address of the deployment manager.
   b. Type the SOAP port of the deployment manager or accept the default port.
   c. If administrative security is enabled, type the deployment manager administrative user name and password.
5. When installation is complete, download and install the Update Installer for WebSphere Application Server from the product support Web site.
6. Use the Update Installer to install a service pack containing a supported version of WebSphere Application Server. See "Software prerequisites" in the Tivoli Identity Manager Information Center. Make sure that you use the same administrator account that you used for the installation.
7. Ensure that you are using the IBM Java 2 Platform Standard Edition Development Kit 1.5 Service Release 6 or later. Service Release 6 is needed if the user intends to enable Java 2 security. You can download the service release and follow the instructions to apply the fix at the following WebSphere Application Server fix pack Web site:
   http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg24017492
8. After you apply the WebSphere Application Server fix pack, verify the status of the WebSphere Application Server node agent using the following command:
   Windows systems: WAS_PROFILE_HOME\bin\startNode.bat
   UNIX or Linux systems: WAS_PROFILE_HOME/bin/startNode.sh
9. Open the First Steps panel for WebSphere Application Server and click Installation Verification to verify that there are no installation problems. To run the first steps, use the following command:
   Windows: WAS_PROFILE_HOME\firststeps\firststeps.bat
   UNIX/Linux: WAS_PROFILE_HOME/firststeps/firststeps.sh

Manually federate a WebSphere Application Server node member
This step is optional if you either used a custom profile but did not federate the node to the cell during installation, or you created a base WebSphere Application Server profile, which does not federate the node member during installation. To manually federate a WebSphere Application Server node member, run the addNode command:
   Windows: WAS_HOME\bin\addNode.bat dmgr_host portnumber -profilename profile_name
   UNIX/Linux: WAS_HOME/bin/addNode.sh dmgr_host portnumber -profilename profile_name
The value of WAS_HOME is the location of the WebSphere Application Server home directory where the WebSphere Application Server core files are installed. The dmgr_host parameter is the host name of the computer on which the deployment manager is installed. The portnumber parameter specifies the SOAP port number that is assigned to the deployment manager. The default port number is 8887. A node agent is created and started after a node is successfully added to a cell.

Verify the federation of nodes within the cell
To verify that all nodes have been federated and are running, complete these steps:
1. Use the following Web address to access the WebSphere administrative console:
   http://hostname:port/ibm/console
   The value of hostname is either the fully qualified host name or the IP address of the WebSphere Application Server deployment manager. The value of port is the port number for the WebSphere administrative HTTP transport. The default value is 9060. The port number might not be 9060 if there is another instance of the WebSphere Application Server on the computer.
2. Click System administration from the Integrated Solutions Console root structure. Click Nodes. Verify that the manager node and federated nodes are listed and are available. You can also click Nodeagent to see the status of all node agents.

Create the WebSphere clusters for the Tivoli Identity Manager application

Tivoli Identity Manager requires two server clusters in your WebSphere Application Server environment. One cluster hosts the Tivoli Identity Manager application. The other cluster provides the messaging service. Before you create the clusters, make sure that all node agents are up.

To create the WebSphere Application Server clusters, complete these steps:
1. Use the following Web address to access the WebSphere administrative console:
   http://hostname:port/ibm/console
   The value of hostname is the fully qualified host name or the IP address of the WebSphere Application Server deployment manager. The value of port is the port number for the WebSphere administrative HTTP transport. The default value is 9060, but the port might differ if another instance of WebSphere Application Server is installed on the computer.
2. Click Servers in the Integrated Solutions Console navigation tree.
3. On a WebSphere Application Server 6.1 deployment manager console, click Clusters, and then click New. On a WebSphere Application Server 7.0 deployment manager console, click Clusters > WebSphere Application Server clusters, and then click New.
4. Specify the name of the application cluster, for example ITIM_Application_Cluster. The cluster name must be unique within the cell. Keep the default check box settings and click Next.
5. Specify a member name for the first cluster member.
6. Select the node that you want to host the first cluster member.
7. Select Create the member using an application server template, and select default.
8. Keep all other default settings and click Next.
9. Create a cluster member for each additional node by specifying a member name, selecting a node, and clicking Add Member. Tivoli Identity Manager does not support multiple cluster members on a single node. Click Next when you have finished adding cluster members.
10. Verify the summary and click Finish.
11. Repeat this process for the messaging cluster, specifying unique names for the messaging cluster and its cluster members, for example ITIM_Messaging_Cluster.
12. When you have finished creating the second cluster, click Servers in the Integrated Solutions Console navigation tree, click Clusters, and verify that both clusters appear.
13. Click the name of each cluster, and then click Cluster members to view detailed information about each cluster member.

Optionally installing and configuring IBM HTTP Server and the WebSphere Web server plug-in

Although you can install IBM HTTP Server and the WebSphere Web server plug-in on the same computer as the deployment manager, you might want to install them on a separate computer for additional security and load balancing: a dedicated Web tier keeps the deployment manager and the application servers off the network edge, so that only the HTTP server must be reachable by users. For more information about installing IBM HTTP Server, refer to the following Web site:
   http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.ihs.doc/info/welcome_ihs.html
Chapter 5. Installing and configuring WebSphere Application Server 47

For more information about planning the installation of the WebSphere Web server plug-in, refer to the following Web site:
   http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/tins_scenario5.html

Change TCP KeepAlive settings on WebSphere Application Server

The failover design of the messaging engine relies on the database connections being broken when a messaging engine instance fails. For failover to occur in high availability environments, the system must detect the broken connection in a timely manner and release the database locks. You ensure this by configuring the TCP KeepAlive settings. For example, on Linux, log in as root and complete these steps on all WebSphere Application Server nodes:
1. Run the following command:
   echo 30 > /proc/sys/net/ipv4/tcp_keepalive_intvl
   Note: These settings are also used by IPv6 implementations. A value written to /proc does not survive a reboot; add it to the system sysctl configuration as well so that it is reapplied at startup.
2. Ensure that the heartbeat interval is set to 30 seconds:
   a. From the WebSphere Application Server administrative console, click Servers > Core groups > Core group settings > Default core group.
   b. Under Additional properties, click Custom properties. Locate the IBM_CS_FD_PERIOD_SECS custom property, which specifies the interval, in seconds, between consecutive heartbeats. Its default value is 30 seconds. If the property is blank or has a different value, set it to 30.

Tuning WebSphere Application Server for performance

Performance issues can occur after you initially configure WebSphere Application Server. These tasks describe actions you can take to ensure that WebSphere Application Server performs correctly.

Disable Performance Monitoring Infrastructure (PMI) tracking

By default, WebSphere Application Server has the Performance Monitoring Infrastructure (PMI) enabled and set at the Basic level. At this level, URIRequestCount and URIServiceTime monitoring is enabled. These counters cause performance problems when you use the console GUI, because of the unique URLs that are generated for that interface. To prevent performance degradation, either disable PMI entirely or disable these specific PMI counters. Complete these steps:
1. Log in to the WebSphere administrative console.
2. In the left navigation pane, click Monitoring and Tuning > Performance Monitoring Infrastructure (PMI).
3. Click the name of the server that you want to manage.
4. Select Custom and click the Custom link.
5. Select Web Applications in the tree.
6. Select URIConcurrentRequests.
7. Select URIRequestCount.
8. Select URIServiceTime.
9. Click Disable at the top of the pane.
10. Click Save to save the configuration.
11. Repeat this procedure for each application server that runs Tivoli Identity Manager.
12. Restart all application servers for the changes to take effect.

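The TCP KeepAlive step in this chapter lowers tcp_keepalive_intvl and leaves the rest to the reader. The following script is an added example, not part of this guide or of any IBM product. It reports the three Linux keepalive parameters, computes the worst-case time the kernel needs to notice a dead database peer (tcp_keepalive_time plus tcp_keepalive_intvl times tcp_keepalive_probes, which is how Linux keepalive behaves: probing starts only after the idle timer expires), and can apply and persist a setting. The /etc/sysctl.d file name and the 30/30/5 values that apply uses by default are this example's choices, not values the guide prescribes.

```shell
#!/bin/sh
# Added example, not code from the IBM guide: inspect, size and apply the
# Linux TCP keepalive settings that WebSphere messaging-engine failover
# depends on. Assumption stated in the lead-in: the kernel declares a silent
# peer dead after tcp_keepalive_time idle seconds plus tcp_keepalive_probes
# probes sent tcp_keepalive_intvl seconds apart, so the guide's change to
# tcp_keepalive_intvl alone still waits out the (default 7200 s) idle timer.

SYSCTL_DIR=/proc/sys/net/ipv4

# keepalive_detect_seconds TIME INTVL PROBES
# Worst-case seconds from a silent failure of the database peer until the
# socket is dropped and the locks held on that connection can be released.
keepalive_detect_seconds() {
    echo $(( $1 + $2 * $3 ))
}

# keepalive_meets_target TIME INTVL PROBES TARGET
# Exit 0 when detection completes within TARGET seconds, 1 otherwise.
keepalive_meets_target() {
    [ "$(keepalive_detect_seconds "$1" "$2" "$3")" -le "$4" ]
}

# read_sysctl NAME DEFAULT
# Print the running kernel value, or DEFAULT (the usual Linux default) when
# /proc is not readable, for example on a non-Linux administration host.
read_sysctl() {
    if [ -r "$SYSCTL_DIR/$1" ]; then
        cat "$SYSCTL_DIR/$1"
    else
        echo "$2"
    fi
}

show_keepalive() {
    t=$(read_sysctl tcp_keepalive_time 7200)
    i=$(read_sysctl tcp_keepalive_intvl 75)
    p=$(read_sysctl tcp_keepalive_probes 9)
    echo "tcp_keepalive_time=$t tcp_keepalive_intvl=$i tcp_keepalive_probes=$p"
    echo "worst-case dead-peer detection: $(keepalive_detect_seconds "$t" "$i" "$p") s"
}

# apply_keepalive TIME INTVL PROBES
# Set the running values (requires root) and persist them in a sysctl.d
# fragment so they survive a reboot. The file name is this example's choice.
apply_keepalive() {
    sysctl -w net.ipv4.tcp_keepalive_time="$1" \
              net.ipv4.tcp_keepalive_intvl="$2" \
              net.ipv4.tcp_keepalive_probes="$3" || return 1
    cat > /etc/sysctl.d/60-websphere-keepalive.conf <<EOF
# WebSphere messaging-engine failover: detect broken DB connections quickly
net.ipv4.tcp_keepalive_time = $1
net.ipv4.tcp_keepalive_intvl = $2
net.ipv4.tcp_keepalive_probes = $3
EOF
}

# Usage: keepalive.sh show
#        keepalive.sh apply [TIME INTVL PROBES]
# The apply defaults 30 30 5 are an example choice giving a 180 s worst case;
# tune them to your high availability targets.
case "${1-}" in
    show)  show_keepalive ;;
    apply) apply_keepalive "${2:-30}" "${3:-30}" "${4:-5}" && show_keepalive ;;
esac
```

Run it with show on each node before and after the change. With the guide's single edit (interval 30, everything else at the Linux defaults) the worst case is 7200 + 30 × 9 = 7470 seconds, which is why the idle timer and probe count must be lowered together with the interval when failover within minutes is the goal.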

Chapter 6. Installing Tivoli Identity Manager

This chapter describes tasks that install and configure the Tivoli Identity Manager Server in a single-server or a cluster configuration. The installation program installs only the Tivoli Identity Manager Server. You can also install and configure Tivoli Identity Manager silently. For more information, see Chapter 8, Performing a silent installation and configuration of Tivoli Identity Manager, on page 87.

Installing Tivoli Identity Manager in a single-server configuration

This section describes tasks that install and configure the Tivoli Identity Manager Server in a single-server configuration. The installation program installs only the Tivoli Identity Manager Server.

Before you begin

Before you begin to install Tivoli Identity Manager Server in a single-server environment, complete these tasks:
1. Determine which product DVDs you need to install Tivoli Identity Manager. For an itemization of the DVD contents, refer to a text file such as itim-5.1-dvd-images-operatingsystem.txt that is provided with the DVD image. For a complete list of these image files, see Appendix C, Installation images and fix packs, on page 143.
2. Ensure that the free disk space and memory requirements are met. Additionally, ensure that there is adequate free disk space in the system temp directory and in the WAS_PROFILE_HOME directory. The target computer must meet the computer requirements described in the Tivoli Identity Manager Information Center.
3. Ensure that you have the needed administrative authority. On Windows systems, the logon user ID must be in the Administrators group. On UNIX systems, the logon user ID must be root.
4. Be aware that installing the Tivoli Identity Manager Server writes data to the Tivoli Identity Manager database.
5. If you are using IBM Tivoli Directory Server, ensure that you have run the middleware configuration utility or that the directory server has loaded the appropriate referential integrity plug-in. For more information, see Manually configuring the referential integrity plug-in on the IBM Tivoli Directory Server on page 32.
6. Ensure that the prerequisite applications described in Table 3 are installed and running:

   Table 3. Prerequisite applications
   Prerequisite                       For more information, see
   Database                           Chapter 2, Installing and configuring a database, on page 9
   Directory server                   Chapter 3, Installing and configuring a directory server, on page 27
   Directory integrator (optional)    Chapter 4, Optionally installing IBM Tivoli Directory Integrator, on page 39
   WebSphere Application Server       Chapter 5, Installing and configuring WebSphere Application Server, on page 41

   Only Tivoli Identity Manager and WebSphere Application Server must be installed on the same computer. All other applications can run locally or remotely to the computer on which Tivoli Identity Manager is installed. IBM Tivoli Directory Integrator is an optional component.
Copyright IBM Corp. 2009 51
7. Ensure that WebSphere Application Server can be stopped and started before you install the Tivoli Identity Manager Server. To be sure, stop and start WebSphere Application Server. See Chapter 5, Installing and configuring WebSphere Application Server, on page 41 for more information about these steps.
8. Capture the details of your configuration. For a detailed list of configuration parameters, see Appendix D, Worksheets, on page 145.
9. If you are upgrading a version of Tivoli Identity Manager that is already on the computer, see Chapter 10, Upgrading to Tivoli Identity Manager Version 5.1, on page 105 for more information about protecting Tivoli Identity Manager customizations and data.

Starting the installation wizard

To install the Tivoli Identity Manager Server in a single-server configuration, complete the following steps:
1. Log on to an account with system administration privileges on the computer where the Tivoli Identity Manager Server is to be installed.
2. Locate the installation program, or insert the Tivoli Identity Manager product DVD into the DVD drive. To locate the correct DVD for your environment, refer to Appendix C, Installation images and fix packs, on page 143.
3. Run the installation program:
   Windows:
   a. Click Start > Run.
   b. Enter the drive and path where the installation program is located, followed by the following command:
      instwin.exe
      The Welcome window opens.
   UNIX/Linux:
   a. Open a command shell window, and navigate to the directory where the installation program is located.
   b. Enter the command for your platform:
      AIX: instaix.bin
      Linux: instlinux.bin
      plinux: instplinux.bin
      zlinux: instzlinux.bin
      Solaris: instsol.bin
      The installation program starts and displays the Welcome window.
   If you are running the installation program on a UNIX/Linux system that does not have at least 150 MB of free space in the /tmp directory, set the IATEMPDIR environment variable to a directory on a disk partition with enough free disk space. To set the variable, enter one of the following commands at the command line prompt before running the installation program again:
      Bourne shell (sh), ksh, bash, and zsh:
      $ IATEMPDIR=temp_dir
      $ export IATEMPDIR
      C shell (csh) and tcsh:
      $ setenv IATEMPDIR temp_dir
   where temp_dir is the path to a directory, for example /your/free/directory, where free disk space is available.

Completing the installation wizard pages

Use the first set of installation wizard pages to set up the installation.

The dollar sign ($) has special meaning in the InstallAnywhere installer framework. Avoid using $ in any field values, because the installer framework or the operating system might perform variable substitution on the value.

To complete the installation wizard pages, complete these steps:
1. To change the language used for the installation wizard pages, select another language from the drop-down list. This choice affects only the installation wizard, not the language version of Tivoli Identity Manager that is installed. Then click OK.
   Note: The license is always shown in the system locale of the machine, not in the installation language that you select.
2. Click Next to advance past the copyright and legal text.
3. In the License Agreement window, read the license agreement and decide whether to accept its terms. Optionally click Read non-IBM terms to read the terms of any non-IBM products, or Print to print the license agreement. To accept the terms and continue with the installation, select Accept, and then click Next.
4. Accept the default ITIM_HOME installation directory, or click Choose to select another directory. Then click Next.
5. In the Installation Type window, select Single WebSphere Application Server. Then click Next.
6. The WebSphere Application Server Installation Directory window displays a value for the WebSphere Application Server installation directory (WAS_HOME). There can be multiple installations of WebSphere Application Server on a computer. If the directory displayed is not the one into which you intend to install the Tivoli Identity Manager Server, click Choose, enter the correct directory, and click Next.
7. In the WebSphere profile selection panel, select from the list the WebSphere Application Server profile in which Tivoli Identity Manager is to be installed, and click Next.
Chapter 6. Installing Tivoli Identity Manager 53

8. In the next window, verify the following WebSphere Application Server data:
   - The WebSphere Application Server name, which defaults to server1, on which you intend to deploy the Tivoli Identity Manager Server.
   - The host name of the computer. Accept the displayed value unless the computer has multiple host names and WebSphere Application Server is installed under a host name other than the displayed value.
   Verify the data and click Next.
9. If WebSphere Application Server administrative security is on, you are prompted for the administrator user ID and password. Enter them, and then click Next.
10. In the Database Type window, select one of the following database types, and then click Next:
    DB2 Database
    Oracle Database
    Microsoft SQL Server (listed only on Windows operating systems)
    Caution windows then open and ask you to confirm that the following conditions are true:
    - If you selected DB2, click Continue.
    - If you selected Oracle Database or Microsoft SQL Server, a window prompts you for the location and name of the JDBC driver. Provide the location and name, and click Next. For more information, see Installing the Oracle JDBC driver on page 21 and Installing the SQL Server JDBC driver on page 25.
    - The directory server version is at the correct level. Confirm that the version is correct and click Continue.
11. The Keystore Password window requires you to specify the keystore password. This password unlocks the Tivoli Identity Manager keystore file, which stores the encryption key used to encrypt sensitive Tivoli Identity Manager data, so choose a strong password and keep it in a secure location. Then click Next.
12. A window asks whether to install the agentless adapters on IBM Tivoli Directory Integrator. The Tivoli Identity Manager installation program installs these POSIX adapters for the following managed resources:
    AIX
    HP-UX
    LDAP
    Linux
    Solaris
    The installation programs for the agentless adapters that the Tivoli Identity Manager installation program installs are placed in the ITIM_HOME\config\adapters directory, so that you can reinstall the adapters later if needed. Even though the Tivoli Identity Manager installation program installs POSIX adapters, it is recommended that you install the latest adapter profiles. For more information about manual adapter installation, see Manually installing agentless adapters and adapter profiles on page 83. Select an option, and click Next.
    Note: If IBM Tivoli Directory Integrator is installed remotely, select Do Not Install Agentless Adapters.

13. In the Directory Integrator Home Directory window, enter or confirm the correct directory value, optionally clicking Choose to enter an alternate location, and click Next.
14. In the Tivoli Common Directory window, accept the default directory that the Tivoli Identity Manager installation program defines, or choose a new one. Then click Next. Ensure that the directory has at least 25 MB of free space. The Tivoli Common Directory is the central location for all serviceability-related files, such as logs and first-failure capture data.
15. In the Single Server Pre-Installation Summary window, review the components to be installed, the Tivoli Identity Manager installation directory, your choice whether to install agentless adapters, the WebSphere Application Server installation directory, and the required and available free disk space. If everything is acceptable, click Install.
    Note: If you click Cancel after you click Install, a message indicates that Tivoli Identity Manager is not installed. However, files are not automatically cleaned up, and the result might be a partial installation. Clean up any partial installation manually before running Install again.
16. Complete the remaining automated installation program steps, described in Responding to major installation actions.

Responding to major installation actions

The Tivoli Identity Manager installation program opens a series of progress windows for additional, major installation actions. Some windows require your input. The installation program installs and configures Tivoli Identity Manager on WebSphere Application Server, sets up the Tivoli Identity Manager database on the database server, and sets up the LDAP schema and a configuration of data on the directory server. The major installation actions include these steps:
1. Copying Tivoli Identity Manager files to the target computer. The installation program copies Tivoli Identity Manager files to the ITIM_HOME directory.
2. Ensuring that WebSphere Application Server is running. WebSphere Application Server must be running for the Tivoli Identity Manager deployment and configuration to occur. The Tivoli Identity Manager installation program verifies the status of WebSphere Application Server and, if it is not running, attempts to start it. An error message appears if the installation program fails to start WebSphere Application Server. If an error occurs, do one of the following:
   - Quit the installation program and complete these steps:
     a. Resolve the problem that prevents WebSphere Application Server from starting.
     b. Manually delete all files in the ITIM_HOME directory.
     c. Run the Tivoli Identity Manager installation program again.
   - Continue the installation program after you ensure that you can manually stop and start WebSphere Application Server without error. Complete these steps:
     a. Stop WebSphere Application Server:
        Windows operating systems: "WAS_PROFILE_HOME\bin\stopServer.bat servername"
        UNIX or Linux operating systems: WAS_PROFILE_HOME/bin/stopServer.sh servername
     b. Start WebSphere Application Server:
        Windows operating systems: "WAS_PROFILE_HOME\bin\startServer.bat servername"
        UNIX or Linux operating systems: WAS_PROFILE_HOME/bin/startServer.sh servername
     c. Proceed to the next step in the Tivoli Identity Manager installation program.
3. Gathering database data and configuring the database. In this step, the Tivoli Identity Manager installation program sets up the Tivoli Identity Manager database. For more information, see Configuring the Tivoli Identity Manager database on page 75. If an error occurs, examine the error and provide a corrective action. There is more information in the ITIM_HOME\install_logs\dbConfig.stdout log file. You might need to refer to the documentation that the database product provides. Continue the Tivoli Identity Manager installation program. When the installation completes, complete these steps:
   a. Save the current log data by renaming the ITIM_HOME\install_logs\dbConfig.stdout log file.
   b. Make sure that the Tivoli Identity Manager messaging engine is not running. Log in to the WebSphere administrative console, and complete these steps:
      1) Click Service Integration > Buses.
      2) Click itim_bus, if it exists.
      3) In the Topology section, click Messaging engines. For a single-server installation, you see an engine named nodename.servername-itim_bus. For a cluster installation, you see n+1 messaging engines, where n is the number of Tivoli Identity Manager cluster members; the additional messaging engine belongs to the Tivoli Identity Manager messaging cluster.
      4) Select the messaging engines and click Stop.
   c. When the correction is complete, use this command to configure the Tivoli Identity Manager database:
      Windows: ITIM_HOME\bin\DBConfig.exe
      UNIX/Linux: ITIM_HOME/bin/DBConfig
      New log data is recorded in the ITIM_HOME\install_logs\dbConfig.stdout log file.
   Note: The DBConfig command creates the table definitions that Tivoli Identity Manager requires. Run it only if the command failed to configure the database during installation. If the Tivoli Identity Manager database tables already exist, DBConfig first drops all of the existing Tivoli Identity Manager tables, and the data in them is lost.
4. Gathering directory server data and configuring the directory server.

In this step, the Tivoli Identity Manager installation program sets up the LDAP schema and the default data entries for Tivoli Identity Manager. For more information, see Configuring the directory server on page 76. If an error occurs, record the error message that is displayed. The message might describe a problem in setting up the LDAP schema or in creating a configuration of data on the directory server. Continue the Tivoli Identity Manager installation program. When the installation completes, complete these steps:
   a. Examine the errors and provide a corrective action. There is more information in the ITIM_HOME\install_logs\ldapConfig.stdout log file. You might also need to refer to the documentation that the directory server product provides.
   b. Save the current log data by renaming the ITIM_HOME\install_logs\ldapConfig.stdout log file.
   c. When the correction is complete, use this command to configure the directory server:
      Windows operating systems: ITIM_HOME\bin\ldapConfig.exe
      UNIX or Linux operating systems: ITIM_HOME/bin/ldapConfig
      New log data is recorded in the ITIM_HOME\install_logs\ldapConfig.stdout log file.
   Note: Running the ldapConfig command restores the default values that Tivoli Identity Manager uses. If you have changed the value of any of these Tivoli Identity Manager attributes, such as the password of the itim manager user ID, the value is overwritten; the itim manager password then reverts to the documented installation default and must be changed again. Do not run the ldapConfig command a second time unless the LDAP configuration fails during the Tivoli Identity Manager Server installation process.
5. Gathering Tivoli Identity Manager data and configuring the Tivoli Identity Manager Server. The Tivoli Identity Manager installation program copies a set of Tivoli Identity Manager property files to the ITIM_HOME\data directory. During this step, you can use the GUI to change some of the Tivoli Identity Manager properties. For more information, see Configuring commonly used system properties on page 77. The installation program also configures the WebSphere environment settings that the Tivoli Identity Manager Server requires. This step takes several minutes to complete. If an error occurs, record the error message that is displayed. The message might describe a problem in configuring the WebSphere environment settings that the Tivoli Identity Manager Server requires. Continue the Tivoli Identity Manager installation program. When the installation completes, complete these steps:
   a. Examine the errors and provide a corrective action. There is more information in the ITIM_HOME\install_logs\runConfigFirstTime.stdout log file. You might also need to refer to the documentation that the WebSphere product provides.
   b. When the correction is complete, run one of the following commands. To update commonly used Tivoli Identity Manager properties:
      Windows: ITIM_HOME\bin\runConfig.exe
      UNIX/Linux: ITIM_HOME/bin/runConfig
      The runConfig utility also accepts an install parameter. Use runConfig with the install parameter when a problem was reported for runConfig during the Tivoli Identity Manager installation. System configuration requires several minutes to complete when the install option is used.
      Windows: ITIM_HOME\bin\runConfig.exe install
      UNIX/Linux: ITIM_HOME/bin/runConfig install
      New log data is recorded in the ITIM_HOME\install_logs\runConfig.stdout log file.
6. Deploying the Tivoli Identity Manager Server onto WebSphere Application Server. The Tivoli Identity Manager application runs within WebSphere Application Server as an enterprise application. The Tivoli Identity Manager installation program uses the WebSphere command-line interface (wsadmin) to deploy the application onto WebSphere Application Server. Deploying the application also performs certain configuration steps on WebSphere Application Server. These steps require several minutes to complete. When the deployment completes, the Tivoli Identity Manager files are in these directories:
      WAS_PROFILE_HOME\installedApps\cellname\ITIM.ear
      WAS_PROFILE_HOME\config\cells\cellname\applications\ITIM.ear
   Note: On the deployment manager node, these files are only in the WAS_NDM_PROFILE_HOME\config\cells\cellname\applications\ITIM.ear directory.
   If the log data indicates a failure to establish a SOAP connection to the WebSphere Application Server configuration manager, or some type of WebSphere Application Server scripting error, complete these steps:
   a. Exit the Tivoli Identity Manager installation program.
   b. Resolve the problem that prevents the connection to WebSphere Application Server, or the problem described as a scripting error. For more information, refer to the WebSphere documentation.
   c. Manually delete all files in the ITIM_HOME directory.
   d. Run the Tivoli Identity Manager installation program again.
   If the log data indicates that the failure is due to a timeout, continue the Tivoli Identity Manager installation program. After the installation program has completed, delete the following directories if they exist:
      WAS_PROFILE_HOME\installedApps\cellname\ITIM.ear
      WAS_PROFILE_HOME\config\cells\cellname\applications\ITIM.ear
   Then run one of the following commands to deploy the Tivoli Identity Manager Server onto WebSphere Application Server. If WebSphere administrative security and application security are on, run this command:
      ITIM_HOME\bin\setupEnrole install server:server_name user:user_id password:pwd ejbuser:ejb_user_id

   The value of server_name is the name of the WebSphere Application Server on which the Tivoli Identity Manager application is deployed. The value of user_id is the WebSphere administrator user ID, such as wasadmin. The value of pwd is the password for that user ID. The value of ejb_user_id is the Tivoli Identity Manager EJB user ID, which by default is the WebSphere Application Server administrator user ID. Because the password is passed on the command line, it is visible in the process list while the command runs and is recorded in the shell history; remove the history entry afterwards, or run the command from a session with history disabled.
   If WebSphere administrative security and application security are off, enter this command:
      ITIM_HOME\bin\setupEnrole install server:server_name
   The default server_name is server1.
7. Restarting WebSphere Application Server to make the new configuration available after the Tivoli Identity Manager Server installation completes. If an error message indicates a failure to restart WebSphere Application Server, complete the installation and then restart WebSphere Application Server manually:
   a. Stop WebSphere Application Server:
      Windows: WAS_PROFILE_HOME\bin\stopServer.bat server_name
      UNIX/Linux: WAS_PROFILE_HOME/bin/stopServer.sh server_name
   b. Start WebSphere Application Server:
      Windows: WAS_PROFILE_HOME\bin\startServer.bat server_name
      UNIX/Linux: WAS_PROFILE_HOME/bin/startServer.sh server_name
   The value of server_name is the name of the WebSphere Application Server, for example server1. For more information, see Verifying that the Tivoli Identity Manager Server is operational.

Verifying that the Tivoli Identity Manager Server is operational

To verify that the Tivoli Identity Manager Server and related processes are running, complete these steps:
1. Ensure that WebSphere Application Server is running, and start the WebSphere administrative console. In a browser, enter this Web address:
   http://hostname:port/ibm/console
   The value of hostname is the fully qualified host name or the IP address of the computer on which WebSphere Application Server is running. The value of port is the port number for the WebSphere administrative HTTP transport. The default value is 9060. If you have multiple instances of WebSphere Application Server on the same computer, the port number might be a different value, such as 9061.

2. In the WebSphere administrative console, click Applications > Enterprise Applications and verify that the Tivoli Identity Manager Server is running. For additional steps to verify that the Tivoli Identity Manager Server and other processes are running, see Chapter 9, Verifying and troubleshooting the installation, on page 95.
3. Log on to the Tivoli Identity Manager Server through the WebSphere embedded HTTP transport. For example, in a browser window, enter this Web address:
   http://hostname:port/itim/console/
   The value of hostname is the host name of the WebSphere Application Server. The value of port is the port number of the WebSphere virtual host; the default is 9080. If you have multiple installations of WebSphere Application Server on the same system, this port number might have a different value, such as 9081. The browser displays the Tivoli Identity Manager logon window. Enter the Tivoli Identity Manager Server administrator user ID (itim manager) and password (immediately after installation, the value is secret).
4. After successfully logging on through the WebSphere embedded HTTP transport, attempt to log on to the Tivoli Identity Manager Server through IBM HTTP Server, if IBM HTTP Server and the WebSphere Web server plug-in are installed and configured. Log on at this address:
   http://hostname:port/itim/console
   The value of hostname is the host name of the IBM HTTP Server. The value of port is the port number on which IBM HTTP Server accepts requests for the WebSphere virtual host; the port number can be omitted if the HTTP server listens on the default HTTP port.
5. After the first successful logon, the logon window immediately prompts you to change the administrator password. Ensure that the password change succeeds: the installation default (secret) is publicly documented and must not remain in use on a server that other users can reach. After you change the password, you are ready to create your organization object and a user that is termed an ITIM User.
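As an added example (not code from this guide or from IBM), the following shell script automates the reachability part of steps 1, 3 and 4 above: it sends an HTTP request to the WebSphere administrative console and to the Tivoli Identity Manager console and reports whether each answers. The host name is a parameter; the ports default to the guide's 9060 and 9080. It checks reachability only and never logs on, so it handles no password.

```shell
#!/bin/sh
# Added example, not code from the IBM guide: HTTP smoke test for a freshly
# installed Tivoli Identity Manager server. It requests the WebSphere
# administrative console and the Tivoli Identity Manager console and reports
# whether each answers. Ports default to the guide's 9060 and 9080; the host
# name is whatever you pass. Nothing here logs on, so no password is used.

# http_status_of RESPONSE_HEADERS
# Print the numeric status code from the first status line of a captured
# HTTP response, or 000 when no status line is present (connection refused,
# curl missing, and so on).
http_status_of() {
    printf '%s\n' "$1" | awk '
        { sub(/\r$/, "") }
        $1 ~ /^HTTP\// { print $2; found = 1; exit }
        END { if (!found) print "000" }'
}

# endpoint_ok STATUS
# Exit 0 when STATUS shows the application answered. 2xx and 3xx both count:
# each console redirects to its logon page on first contact.
endpoint_ok() {
    case "$1" in
        2??|3??) return 0 ;;
        *)       return 1 ;;
    esac
}

# probe URL
# Print the status code for URL; needs curl and network access.
probe() {
    http_status_of "$(curl -s -I -m 10 --connect-timeout 5 "$1" 2>/dev/null)"
}

# itim_smoke_test HOST [ADMIN_PORT] [APP_PORT]
# Exit 0 when both consoles answer, 1 when at least one does not.
itim_smoke_test() {
    host=$1; admin_port=${2:-9060}; app_port=${3:-9080}; rc=0
    for url in "http://$host:$admin_port/ibm/console" \
               "http://$host:$app_port/itim/console/"; do
        code=$(probe "$url")
        if endpoint_ok "$code"; then
            echo "OK   $code $url"
        else
            echo "FAIL $code $url"
            rc=1
        fi
    done
    return $rc
}

# Usage: itim_smoke.sh HOST [ADMIN_PORT] [APP_PORT]
if [ $# -gt 0 ]; then
    itim_smoke_test "$@"
fi
```

Run it as sh itim_smoke.sh itim.example.test (a hypothetical host name). A 302 is the normal answer: both consoles redirect to their logon pages, and with administrative security enabled the administrative console typically redirects to its HTTPS port as well. If a server rejects HEAD requests, replace -I with -o /dev/null -D - so that curl performs a GET and still prints the headers.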
If you cannot start and log on to Tivoli Identity Manager, see Chapter 9, Verifying and troubleshooting the installation, on page 95. To perform optional post-installation tasks, see Optional post-installation tasks on page 71.

Installing Tivoli Identity Manager in a cluster configuration

This section describes installing and configuring Tivoli Identity Manager in a cluster configuration. Before continuing, read Configuration options on page 4. For required application versions and fix packs, refer to the Tivoli Identity Manager Information Center.

Before you begin

Before you begin to install Tivoli Identity Manager Server in a cluster configuration, complete these tasks:
1. Determine which product DVDs you need to install Tivoli Identity Manager. For an itemization of the DVD contents, refer to a text file such as itim-5.1-dvd-images-operatingsystem.txt that is provided with the DVD image. For a complete list of these image files, see Appendix C, Installation images and fix packs, on page 143.

2. Ensure that free disk space and memory requirements are met on eery computer in the cluster. Additionally, ensure that there is adequate free disk space in the system temp directory and in the WAS_PROFILE_HOME and WAS_NDM_PROFILE_HOME directories. The target computers must meet the computer requirements described in the Tioli Identity Manager Information Center. 3. Ensure that you hae the needed administratie authority. On Windows systems, the logon user ID must be in the Administrators Group. On UNIX systems, the logon user ID must be root. 4. Installing the Tioli Identity Manager Serer writes data to the Tioli Identity Manager database. 5. In a cluster, the name of the Tioli Identity Manager installation directory must be the same for all cluster members. Specify an identical directory to aoid later runtime difficulties in identity feed actiities on different cluster member computers. 6. If you are using IBM Tioli Directory Serer, ensure that you hae run the middleware configuration utility or that the directory serer has loaded the appropriate referential integrity plug-in. For more information, see Manually configuring the referential integrity plug-in on the IBM Tioli Directory Serer on page 32. 7. Ensure that the prerequisite applications are running that are described in Table 4: Table 4. Prerequisites that must be running Prerequisite Database Directory serer Directory integrator (optional) WebSphere Application Serer For more information Chapter 2, Installing and configuring a database, on page 9 Chapter 3, Installing and configuring a directory serer, on page 27 Chapter 4, Optionally installing IBM Tioli Directory Integrator, on page 39 Chapter 5, Installing and configuring WebSphere Application Serer, on page 41 Only Tioli Identity Manager and WebSphere Application Serer require installation on the same computer. All other applications can be run locally or remotely to the computer on which Tioli Identity Manager is installed. 
IBM Tioli Directory Integrator is an optional component. 8. Determine that the WebSphere Application Serer cell and cluster are ready for Tioli Identity Manager installation. Complete the steps to construct a WebSphere Application Serer cell and a cluster, described in Installing WebSphere Application Serer in a cluster enironment on page 43. These processes must be running before and after you install the Tioli Identity Manager Serer: Deployment manager WebSphere Application Serer node agents 9. Capture the details of your configuration. For a detailed list of configuration parameters, see Appendix D, Worksheets, on page 145. 10. If you are upgrading a ersion of Tioli Identity Manager that is already on the computer, see Chapter 10, Upgrading to Tioli Identity Manager Version 5.1, on page 105 for more information about protecting Tioli Identity Manager customizations and data. Chapter 6. Installing Tioli Identity Manager 61
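Items 2 and 3 above (administrative authority and free disk space) can be checked from a shell on each cluster computer before the wizard is started. The POSIX sh script below is an added example written for this section; it is not part of the IBM guide or of the installer. WAS_PROFILE_HOME and WAS_NDM_PROFILE_HOME are the guide's directory variables and are assumed to be exported in the environment; the 100 MB minimum in the usage lines is a placeholder to replace with the figure from the Information Center; the 150 MB figure for /tmp is the installer's own requirement, stated in the IATEMPDIR note later in this chapter.

```shell
#!/bin/sh
# Added example (not from the IBM guide): pre-install checks for one computer
# in the cluster. Verifies root authority on UNIX and free space in the
# directories the guide lists, and picks the installer temp directory.

TMP_MIN_MB=150   # the installer's /tmp requirement stated in the guide

# Free megabytes on the filesystem that holds $1 (POSIX df -P, 1K blocks).
free_mb() {
    df -Pk "$1" | awk 'NR == 2 { printf "%d\n", $4 / 1024 }'
}

# 0 when the effective user is root, 1 otherwise (the guide's UNIX requirement).
is_root() {
    [ "$(id -u)" -eq 0 ]
}

# Given a free-space figure in MB, say whether it meets the minimum.
meets_minimum() {   # $1 free MB, $2 minimum MB
    [ "$1" -ge "$2" ]
}

# Check every directory named after the minimum; print each failure and
# return the number of directories that are missing or too small.
check_dirs() {      # $1 minimum MB, then one or more directories
    min="$1"; shift
    failed=0
    for d in "$@"; do
        if [ ! -d "$d" ]; then
            echo "MISSING   $d"
            failed=$((failed + 1))
        elif ! meets_minimum "$(free_mb "$d")" "$min"; then
            echo "TOO SMALL $d: $(free_mb "$d") MB free, need $min MB"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Pick the temp directory for the installer: /tmp when it has TMP_MIN_MB free,
# otherwise the alternative, which the caller then exports as IATEMPDIR.
select_temp_dir() { # $1 free MB in /tmp, $2 alternative directory
    if meets_minimum "$1" "$TMP_MIN_MB"; then
        echo /tmp
    else
        echo "$2"
    fi
}

# Usage (placeholders for the guide's variables; 100 MB is a placeholder minimum):
#   is_root || echo "run the installer as root"
#   check_dirs 100 "$WAS_PROFILE_HOME" "$WAS_NDM_PROFILE_HOME"
#   IATEMPDIR=$(select_temp_dir "$(free_mb /tmp)" /your/free/directory); export IATEMPDIR
```

Run it as the user that will start the installer. A nonzero return from check_dirs is the number of directories that failed the check, and select_temp_dir yields the value to export as IATEMPDIR when /tmp is too small, which is the same assignment the guide shows for the Bourne-style shells.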

Overview of the installation program in a cluster configuration

Installation in a cluster configuration requires that you install the Tivoli Identity Manager Server on the following computers:

The deployment manager
   Install the Tivoli Identity Manager Server on the computer that has the deployment manager before you install the Tivoli Identity Manager Server on cluster nodes. The deployment of the Tivoli Identity Manager application and the configuration of the database and the directory server for Tivoli Identity Manager occur during this installation. The deployment manager distributes and expands the Tivoli Identity Manager application to all cluster member computers.

Cluster members
   Repeat the steps in this chapter to install the Tivoli Identity Manager Server on each computer that is a cluster member. The installation program does these tasks:
   Copies Tivoli Identity Manager files to the target computer
   Configures the WebSphere Application Server that hosts the cluster member

Installing the Tivoli Identity Manager Server on clusters must be done sequentially, one computer at a time. Running the Tivoli Identity Manager installation program simultaneously on more than one computer might result in synchronization problems with the WebSphere master configuration file.

Note: If the same computer has both the deployment manager and a Tivoli Identity Manager cluster member, you must select both the deployment manager and the cluster member node types when you run the Tivoli Identity Manager installation program.

Starting the installation wizard

To install Tivoli Identity Manager Server in a cluster configuration, complete the following steps:

1. Log on to an account with system administration privileges on the computer where the Tivoli Identity Manager Server is to be installed.

2. Install the installation program, or insert the Tivoli Identity Manager product DVD into the DVD drive. To locate the correct DVD for your environment, refer to Appendix C, Installation images and fix packs, on page 143.

3. To run the installation program, complete these steps:

   Windows:
   a. Click Start > Run.
   b. Enter the drive and path where the installation program is located and then enter the following command:
      instwin.exe
      The Welcome window opens.

   UNIX/Linux:
   a. Open a command shell prompt window, and navigate to the directory where the installation program is located.
   b. Enter the following command for the Tivoli Identity Manager installation program:
      AIX:     instaix.bin
      Linux:   instlinux.bin
      plinux:  instplinux.bin
      zlinux:  instzlinux.bin
      Solaris: instsol.bin
      The installation program starts and displays the Welcome window.

   If you are running the installation program on a UNIX/Linux system that does not have at least 150 MB of free space in the /tmp directory, set the IATEMPDIR environment variable to a directory on a disk partition with enough free disk space. To set the variable, enter one of the following commands at the command line prompt before running the installation program again:

   Bourne shell (sh), ksh, bash, and zsh:
      $ IATEMPDIR=temp_dir
      $ export IATEMPDIR

   C shell (csh) and tcsh:
      $ setenv IATEMPDIR temp_dir

   where temp_dir is the path to the directory, for example /your/free/directory, where free disk space is available.

Completing the installation wizard pages

Use the first set of installation wizard pages to set up the installation.

The dollar sign ($) has special meaning in the installer frameworks used by InstallAnywhere. Avoid using $ in any field values. The installer framework or operating system platform might do variable substitution for the value.

To complete the installation wizard pages, complete these steps:

1. To change the language that is used for the installation wizard pages, select another language from the drop-down list. This choice only affects the installation wizard and not the language version of Tivoli Identity Manager to be installed. Then, click OK.

   Note: The license is always shown in the system locale of the machine and not the installation language selected.

2. Click Next to advance past the copyright and legal text.

3. In the License Agreement window, read the license agreement and decide whether to accept its terms. Optionally click Read non-IBM terms to read the terms of any non-IBM products, or Print to print out the license agreement. To accept the terms and continue with the installation, select Accept, and then click Next.

4. Accept the default ITIM_HOME installation directory, or select Choose to select another directory. Then, click Next.

5. In the Installation Type window, select Regular WebSphere cluster. Then, click Next.

6. In the Installing Tivoli Identity Manager on a Cluster Environment window, read the conditions that apply to a cluster environment. Before continuing, apply any other changes that are necessary to configure the environment for these conditions. For example, verify that the deployment manager and all
WebSphere node agents are running. For more information, see Verify the federation of nodes within the cell on page 46. Click Next. The Database Type window opens.

7. In the Choose Cluster Node Type window, select one or both of these node types:

   Deployment manager
      You must install Tivoli Identity Manager first on the computer that has the deployment manager.

   Cluster member
      Install Tivoli Identity Manager on every cluster member that does not reside on the same computer as the deployment manager, after you install Tivoli Identity Manager on the computer that has the deployment manager.

   If you have the deployment manager and a Tivoli Identity Manager cluster member on the same computer, you must select both node types.

8. The WebSphere Application Server Installation Directory window appears and displays a value for a WAS_HOME directory. There can be multiple installations of the WebSphere Application Server on a computer. If the WAS_HOME directory is not the directory in which you intend to install the Tivoli Identity Manager Server, enter the correct directory value. Click Next.

9. If you selected a cluster member for the Tivoli Identity Manager installation, select the WebSphere Application Server profile that hosts the cluster member.

10. If you selected the deployment manager for the Tivoli Identity Manager installation, select from the list the WebSphere Application Server profile name of the network deployment manager in which Tivoli Identity Manager is to be installed, and click Next.

11. If you selected the deployment manager for the Tivoli Identity Manager installation, caution windows open to prompt you to confirm that the directory server version is at the correct level. Confirm that the version is correct and click Next.

12. In the data window that requests the cluster name, enter the names of both the Tivoli Identity Manager application cluster and the messaging cluster you created. Then, click Next.

13. A window opens to prompt you to verify the host name of the computer. Accept the displayed value unless the computer has multiple host names, and either the deployment manager or the WebSphere Application Server is installed under a host name other than the displayed value. Verify the WebSphere Application Server data and click Next.

14. If WebSphere Application Server administrative security is on, specify the administrator user ID and password, and click Next.

15. In the Database Type window, select one of the following database types, and then click Next:

   DB2 Database

   Oracle Database
      If the Oracle database is selected, another window prompts you for the location and name of the Oracle JDBC driver. Provide the location and name, and click Next. For more information, see Installing the Oracle JDBC driver on page 21.

   Microsoft SQL Server (only listed for Windows operating systems)
      If the Microsoft SQL Server is selected, another window prompts you for the location and name of the JDBC driver. Provide the location and name, and click Next. For more information, see Installing the SQL Server JDBC driver on page 25.

16. If you are installing Tivoli Identity Manager on a cluster member, the Directory Server Information window opens. On cluster members, complete the window containing LDAP fields. This window does not appear during Tivoli Identity Manager installation on the computer that has the deployment manager. Enter organization data in the fields in the window. For every cluster member, the information must be identical and must match the LDAP specification that was entered during Tivoli Identity Manager installation on the deployment manager. Click Next.

17. A Keystore Password window requires you to specify the keystore password. The keystore password entered here is used to unlock the Tivoli Identity Manager keystore file, which stores the encryption key used to encrypt Tivoli Identity Manager sensitive data. When you have entered the password, click Next.

   Tivoli Identity Manager creates the keystore file itim_keystore.jceks at the deployment manager node under the WAS_NDM_PROFILE\config\cells\cell_name\itim directory. This file then propagates to all cluster member nodes in the WAS_PROFILE_HOME\config\cells\cell_name\itim directory. The installer verifies the keystore password by attempting to open the keystore when installing Tivoli Identity Manager at the cluster member node (except in the case when the deployment manager node and cluster member node are on the same computer). If the password is not correct, or the keystore file is not present, an error message occurs. If the keystore file is not present, copy the file from the deployment manager node to the cluster member node, and click Next again.

18. A window appears to choose whether to install agentless adapters on IBM Tivoli Directory Integrator. The Tivoli Identity Manager installation program installs these POSIX adapters for the following managed resources:
   AIX
   HP-UX
   LDAP
   Linux
   Solaris

   Installation programs for the agentless adapters that are installed by the Tivoli Identity Manager installation program are located in the ITIM_HOME\config\adapters directory. You can reinstall adapters later if needed. For more information about manual adapter installation, see Manually installing agentless adapters and adapter profiles on page 83. Select an option, and click Next.

   Note: If IBM Tivoli Directory Integrator is installed remotely, select Do Not Install Agentless Adapters.

19. In the Location of IBM Tivoli Directory Integrator window, enter or confirm the correct directory value, click Choose, and click Next.

20. In the Tivoli Common Directory window, accept the default directory for the Tivoli Common Directory that the Tivoli Identity Manager installation program defines, or choose a new one. For more information about directory
paths, see Definitions for HOME and other directory variables on page xii. Then, click Next. Ensure that the directory has at least 25 MB of free space. The Tivoli Common Directory is the central location for all serviceability-related files, such as logs and first-failure capture data.

21. In the Pre-install Summary window, review the components to be installed, the required free disk space, and the Tivoli Identity Manager installation directory. If everything is acceptable, click Install.

   Note: Once you click Install, if you click Cancel to cancel the installation, you get a message indicating that Tivoli Identity Manager is not installed. However, files are not automatically cleaned up through this action. This condition might result in a partial installation. Clean up any partial installation manually before running Install again.

22. Complete the remaining automated installation program. Responding to major installation actions describes these major steps.

Responding to major installation actions

The Tivoli Identity Manager installation program opens a series of progress windows for additional, major installation actions. Some windows require your input. The installation program installs and configures the Tivoli Identity Manager application on the WebSphere Application Server, sets up the Tivoli Identity Manager database on the database server, and sets up the LDAP schema and a configuration of data on the directory server.

The major installation actions include these steps:

1. Copying Tivoli Identity Manager files to the target computer. The installation program copies Tivoli Identity Manager files to the ITIM_HOME directory.

2. If installation is on the deployment manager, the next step is gathering database data and configuring the database. In this step, the Tivoli Identity Manager installation program sets up the Tivoli Identity Manager database and configures the JDBC driver provider in the WebSphere Application Server. For more information, see Configuring the Tivoli Identity Manager database on page 75.

   If an error occurs, examine the error and provide a corrective action. There is more information in the ITIM_HOME\install_logs\dbConfig.stdout log file. You might need to refer to documentation that the database product or the WebSphere product provides. Continue the Tivoli Identity Manager installation program. When the installation completes, complete these steps:

   a. Save the current log data by renaming the ITIM_HOME\install_logs\dbConfig.stdout log file.

   b. Make sure that the Tivoli Identity Manager messaging engine is not running. Log in to the WebSphere administrative console, and complete these steps:
      1) Click Service Integration > Buses.
      2) Click itim_bus, if it exists.
      3) In the Topology section, click Messaging engines. For a single-server installation, you see an engine named nodename.servername-itim_bus. For a cluster installation, you see n+1 messaging engines, where n is the number of Tivoli Identity Manager cluster members. An additional messaging engine is used for the Tivoli Identity Manager messaging cluster.
      4) Select one or more messaging engines and click Stop.

   c. When the correction is complete, type this command to configure the Tivoli Identity Manager database:
      Windows:    ITIM_HOME\bin\DBConfig.exe
      UNIX/Linux: ITIM_HOME/bin/DBConfig

      New log data is recorded in the ITIM_HOME\install_logs\dbConfig.stdout log file.

   Note: The DBConfig command creates the database table definitions that Tivoli Identity Manager requires. Run this command only if the command failed to configure the database during installation. If the Tivoli Identity Manager database tables have previously been set up, running the DBConfig command first drops all the existing Tivoli Identity Manager tables.

3. If installation is on the deployment manager, the next step is gathering directory server data and configuring the directory server. In this step, the Tivoli Identity Manager installation program sets up the LDAP schema and defines default settings for Tivoli Identity Manager. For more information, see Configuring the directory server on page 76.

   If an error occurs, record the error message. The message might describe a problem in setting up the LDAP schema or creating a configuration of data on the directory server. Continue the Tivoli Identity Manager installation program. When the installation completes, complete these steps:

   a. Examine the errors and provide a corrective action. There is more information in the ITIM_HOME\install_logs\ldapConfig.stdout log file. You might also need to refer to documentation that the directory server product provides.

   b. Save the current log data by renaming the ITIM_HOME\install_logs\ldapConfig.stdout log file.

   c. When the correction is complete, use these commands to configure the directory server:
      Windows operating systems:       ITIM_HOME\bin\ldapConfig.exe
      UNIX or Linux operating systems: ITIM_HOME/bin/ldapConfig

      New log data is recorded in the ITIM_HOME\install_logs\ldapConfig.stdout log file.

   Note: Running the ldapConfig command restores the default values that Tivoli Identity Manager uses. If you have changed the value of any of these Tivoli Identity Manager attributes, such as the password of the itim manager user ID, the value is overwritten. Do not run the ldapConfig command a second time, unless the LDAP configuration fails during the Tivoli Identity Manager Server installation process.

4. If installation is on the deployment manager or on a cluster member, the Tivoli Identity Manager installation program copies a set of Tivoli Identity Manager
property files to the ITIM_HOME directory. During this step, you can use the GUI to change some of the Tivoli Identity Manager properties. If the installation is on a cluster member, ensure that the directory and database connection information that you enter on the Directory tab and the Database tab match the information that you entered on these tabs when you configured the deployment manager. The default database user ID is itimuser. The user ID password is the password that is used for the user ID itimuser during the deployment manager setup. The user ID and password used for the cluster member must be the same as the user ID and password used on the deployment manager. Tivoli Identity Manager does not function properly if any user information is incorrect. For more information, see Configuring commonly used system properties on page 77.

   The Tivoli Identity Manager installation program also configures the WebSphere environment settings that the Tivoli Identity Manager Server requires. This step takes several minutes to complete.

   If an error occurs, record the error message. The message might describe a problem in configuring the WebSphere environment settings that the Tivoli Identity Manager Server requires. Continue the Tivoli Identity Manager installation program. When the installation completes, complete these steps:

   a. Examine the errors and provide a corrective action. There is more information in the ITIM_HOME\install_logs\runConfigFirstTime.stdout log file. You might also need to refer to documentation that the WebSphere product provides.

   b. When the correction is complete, enter one of the following commands:

      To update commonly used Tivoli Identity Manager properties, run the following command:
      Windows:    ITIM_HOME\bin\runConfig.exe
      UNIX/Linux: ITIM_HOME/bin/runConfig

      The runConfig utility also accepts an install parameter. Use runConfig with the install parameter when there is a problem reported for runConfig during the Tivoli Identity Manager installation. Note that system configuration requires several minutes to complete if the install option is used.
      Windows:    ITIM_HOME\bin\runConfig.exe install
      UNIX/Linux: ITIM_HOME/bin/runConfig install

      New log data is recorded in the ITIM_HOME\install_logs\runConfig.stdout log file.

5. Deploying Tivoli Identity Manager onto the deployment manager. The Tivoli Identity Manager application runs within the WebSphere Application Server as an enterprise application. The Tivoli Identity Manager installation program uses the WebSphere command-line interface (wsadmin) to deploy the Tivoli Identity Manager application onto the deployment manager. The Tivoli Identity Manager installation program also configures the WebSphere environment settings that the Tivoli Identity Manager Server requires. The deployment takes several minutes to complete. When the deployment completes, the Tivoli Identity Manager files are in the WAS_NDM_PROFILE_HOME\config\cells\cellname\applications\ITIM.ear directory.

   If the deployment fails, an error message provides the location of the setupenrole.stdout log file. Examine the errors in the setupenrole.stdout log file. Then, complete these tasks:

   If the log data indicates failure to create a SOAP connection to the deployment manager, or some type of deployment manager scripting error, complete these steps:
   a. Exit the Tivoli Identity Manager installation program.
   b. Resolve the problem that prevents connection to the WebSphere Application Server, or the problem described as a scripting error. For more information, refer to the WebSphere documentation.
   c. Manually delete all files in the ITIM_HOME directory.
   d. Run the Tivoli Identity Manager installation program again.

   If the log data indicates that the failure is due to a timeout, continue the Tivoli Identity Manager installation program. When installation finishes, complete these steps:
   a. If the WAS_NDM_PROFILE_HOME\config\cells\cellname\applications\ITIM.ear directory was created, delete the directory on the computer that has the deployment manager.
   b. Run one of the following commands to deploy the Tivoli Identity Manager Server onto the deployment manager:

      If WebSphere administrative security and application security are on, run this command:
      ITIM_HOME\bin\setupEnrole install user:user_id password:pwd ejbuser:ejb_user_id

      The value of server_name is the name of the WebSphere Application Server on which the Tivoli Identity Manager application is deployed. The value of user_id is the WebSphere administrator user ID, such as wasadmin. The value of pwd is the password for the WebSphere administrator user ID, such as wasadmin. The value of ejb_user_id is the Tivoli Identity Manager EJB user ID, which uses the WebSphere Application Server administrator user ID by default.

      If WebSphere administrative security and application security are off, enter this command:
      ITIM_HOME\bin\setupEnrole install

6. Restart the cluster. For more information, see Starting clusters.

7. Verify that the Tivoli Identity Manager Server is working correctly. For more information, see Verifying that the Tivoli Identity Manager Server is operational on page 70.

Starting clusters

When installation completes and configuration and security modification is done, restart all node agents where cluster members are running, then start your clusters. On the WebSphere administrative console, complete these steps:

1. Start both the Tivoli Identity Manager application cluster and the Tivoli Identity Manager messaging cluster.
   a. Click Servers > Clusters.
   b. Select the Tivoli Identity Manager clusters.
   c. Click Start.

   The Tivoli Identity Manager application starts when the clusters start.
Use the WebSphere administrative console to verify that all required cluster members are started. Complete these steps:

1. Click Applications > Enterprise Applications. Examine the status of the Tivoli Identity Manager application.
2. Click Servers > Application Servers. Examine the status of the cluster members.
3. Additionally, examine the log files for other problems. For more information, see Log files on page 104.

If the status of the Tivoli Identity Manager application indicates a partial start, complete these steps:

1. Locate the computer that has the cluster member that fails to start.
2. Examine the following log files on the computer where the cluster member resides to determine whether the Tivoli Identity Manager server has started successfully:
   WAS_PROFILE_HOME\logs\server_name\SystemOut.log
   TIVOLI_COMMON_DIRECTORY\CTGIM\logs\trace.log
3. Correct the problem. Then, use the WebSphere administrative console to start the cluster member.

Verifying that the Tivoli Identity Manager Server is operational

To verify that the Tivoli Identity Manager Server and related processes are running, complete these steps:

1. Start both clusters. For more information, see Starting clusters on page 69.

2. Log on to Tivoli Identity Manager Server using the WebSphere embedded HTTP transport. For example, at a browser window, enter this address:

   http://hostname:port/itim/console/

   The value of hostname is the fully qualified name or IP address of the computer that hosts the WebSphere Application Server cluster member and the Tivoli Identity Manager Server application. The value of port is the port number of the WebSphere virtual host. The default port number is 9080. If you have multiple instances of the WebSphere Application Server on the same computer, the port number might be a different value, such as 9081. The port number can be removed if an HTTP server is used as the front-end proxy. For more information, see Determining the port number of the default host on page 104.

   The browser displays the Tivoli Identity Manager logon window. Enter the Tivoli Identity Manager administrator user ID (itim manager) and password (immediately after installation, the value is secret).

3. After a first, successful logon, the logon window immediately prompts you to change the administrator password. Ensure that your password change is successful. After you change the password, you are ready to create your organization object and a user that is called an ITIM User.

If you cannot start and log on to Tivoli Identity Manager, see Chapter 9, Verifying and troubleshooting the installation, on page 95.
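Two of the checks in this chapter come down to inspecting files on a cluster member: the keystore propagation described in wizard step 17 (the itim_keystore.jceks copy under WAS_PROFILE_HOME must be present and must be the file the deployment manager created) and the partial-start check above (SystemOut.log of the member that failed to start). The POSIX sh script below is an added example, not code from the IBM guide or from the product. The keystore paths follow the directories the guide names; the byte comparison against the deployment manager's copy and the keytool check are this example's own checks (JCEKS is assumed from the file extension); the SystemOut.log samples are constructed here, and the WSVR0001I "open for e-business" message id and the level column used to count errors are assumptions about WebSphere's log format, not values taken from the guide.

```shell
#!/bin/sh
# Added example (not from the IBM guide): post-install checks for one Tivoli
# Identity Manager cluster member. Paths use the guide's WAS_PROFILE_HOME /
# WAS_NDM_PROFILE_HOME conventions; the keytool and SystemOut.log checks are
# this example's own assumptions about the keystore type and log format.

# Keystore location under a profile's config tree, as stated in the guide.
keystore_path() {   # $1 profile home, $2 cell name
    printf '%s/config/cells/%s/itim/itim_keystore.jceks\n' "$1" "$2"
}

# 0: member copy present and byte-identical to the deployment manager copy
# 1: member copy missing (the guide's remedy is to copy it from the manager)
# 2: both present but different, so propagation did not complete
keystore_status() {   # $1 deployment manager copy, $2 cluster member copy
    [ -f "$2" ] || return 1
    cmp -s "$1" "$2" && return 0
    return 2
}

# The installer opens the keystore with the password from the wizard; this
# reproduces that check with keytool from WAS_HOME/java/bin (assumed on PATH).
# JCEKS is assumed from the .jceks file name.
keystore_opens() {   # $1 keystore file, $2 keystore password
    keytool -list -storetype JCEKS -keystore "$1" -storepass "$2" >/dev/null 2>&1
}

# 0 when SystemOut.log records the server reaching "open for e-business"
# (WebSphere message WSVR0001I, an assumption about the log format).
server_open() {   # $1 SystemOut.log
    grep -q 'WSVR0001I' "$1"
}

# Number of lines whose WebSphere level column (6th field) is E, i.e. errors.
error_count() {   # $1 SystemOut.log
    awk '$6 == "E" { n++ } END { print n + 0 }' "$1"
}

# Combined verdict for a member: keystore in sync and server open.
member_ready() {   # $1 manager keystore, $2 member keystore, $3 SystemOut.log
    keystore_status "$1" "$2" && server_open "$3"
}

# Constructed SystemOut.log excerpts (sample data, not real product output).
write_sample_log_started() {   # $1 destination file
    cat > "$1" <<'EOF'
[3/5/09 10:12:30:455 EST] 0000000a ApplicationMg A   WSVR0200I: Starting application: ITIM
[3/5/09 10:12:41:009 EST] 0000000a ApplicationMg A   WSVR0221I: Application started: ITIM
[3/5/09 10:12:42:777 EST] 0000000a WsServerImpl  A   WSVR0001I: Server server1 open for e-business
EOF
}

write_sample_log_failed() {   # $1 destination file
    cat > "$1" <<'EOF'
[3/5/09 10:12:30:455 EST] 0000000a ApplicationMg A   WSVR0200I: Starting application: ITIM
[3/5/09 10:12:39:120 EST] 0000000a ApplicationMg E   SAMPLE0001E: constructed error: application ITIM failed to start
EOF
}

# Usage on a cluster member (placeholders for the guide's variables):
#   DM=$(keystore_path "$WAS_NDM_PROFILE_HOME" "$CELL_NAME")   # manager's copy
#   MB=$(keystore_path "$WAS_PROFILE_HOME" "$CELL_NAME")       # member's copy
#   member_ready "$DM" "$MB" "$WAS_PROFILE_HOME/logs/$SERVER_NAME/SystemOut.log" && echo READY
```

When the deployment manager is on a different computer, the manager's keystore copy is not local to the member; transfer it the same way the guide has you copy the file when it is missing, then point the first argument at that copy. A status of 2 means the member is running with a keystore that does not match the one the deployment manager created, which is the state the installer's password check is designed to catch.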

Optional post-installation tasks

Optionally installing a language pack

After installing Tivoli Identity Manager, you can install a language pack that provides support for languages other than English. To install the language pack, complete these steps:

1. Before you run the Tivoli Identity Manager language pack setup program, ensure that the version of the Java Runtime Environment that Tivoli Identity Manager requires is accessible from the command line. For more information, refer to the Tivoli Identity Manager Information Center. For example, you can use the version of Java that comes with WebSphere Application Server. Enter this command:

   WAS_HOME\java\bin\java -fullversion

   You should receive a response similar to the following:

   java full version "1.5.0 IBM Windows 32 build pwi32devifx-20061107 (ifix 111765 SR3 + 111700)"

2. Download the language pack installer jar file.

3. Use command line mode to install the language pack using the itimlp_setup.jar file. For example, enter this language pack command at a command prompt:

   WAS_HOME\java\bin\java -jar itimlp_setup.jar

   For Linux, ensure you use the version of Java installed with WebSphere Application Server, located in WAS_HOME/java/bin, to install the language pack. The Tivoli Identity Manager language pack setup program starts. To complete the language pack installation, follow the instructions that appear in the setup program windows.

4. Restart the WebSphere Application Server to make these changes effective, by completing these steps:

   a. Stop the WebSphere Application Server:
      Windows, run the following command:    WAS_HOME\bin\stopServer.bat server_name
      UNIX/Linux, run the following command: WAS_HOME/bin/stopServer.sh server_name
      The value of server_name is the name of the WebSphere Application Server. For example, server1.

   b. Start the WebSphere Application Server:
      Windows, run the following command:    WAS_PROFILE_HOME\bin\startServer.bat server_name
      UNIX/Linux, run the following command: WAS_PROFILE_HOME/bin/startServer.sh server_name
      The value of server_name is the name of the WebSphere Application Server. For example, server1.

After the language pack has been successfully installed, you can change the language displayed in the Tivoli Identity Manager interface by changing the language preference for your browser. Make language preference changes prior to logging into Tivoli Identity Manager.

For Internet Explorer, complete the following steps:
1. Select Tools > Internet Options.
2. On the General tab, click Languages.
3. Click Add, select languages to add, and click OK.
4. Select a language and set the language priority using the buttons to move the priority up or down.
5. Click OK.
6. Click OK again to save your changes.

For Mozilla Firefox 2.0, complete the following steps:
1. Select Tools > Options.
2. On the Advanced tab, under the Languages section, click Choose.
3. Select a language and click Add.
4. Select a language and set the language priority using the buttons to move the priority up or down.
5. Click OK to save your changes.

To uninstall the language pack from the system, change to the ITIM_HOME\timlp directory, and then enter this language pack command at a command prompt:
   java -jar timlp_uninstall.jar

Optionally installing adapter profiles

You can choose to install and import any adapter profiles that you did not install during the Tivoli Identity Manager installation process.

Note: If you have upgraded from Tivoli Identity Manager version 5.0 to version 5.1 and are using a service instance that was created using a Tivoli Identity Manager 5.0 profile, you must upgrade to the 5.1 adapter before you create groups on the service. The adapters for Tivoli Identity Manager 5.0 do not support group management.

For more information about the role of adapters, see Tivoli Identity Manager adapters on page 3.

To install and import adapter profiles, complete these steps:
1. Open and extract the compressed adapter file.
2. Place the JAR file that contains the adapter profile in a temporary directory on the computer that is running Tivoli Identity Manager.
3. As administrator, open the Tivoli Identity Manager user interface.
4. Click Configure System > Manage Service Types.
5. On the Manage Service Types window, click Import.
6. On the Service Definition File field, click Browse. Then, locate the JAR file that contains the adapter profile.
7. When the Service Definition File field contains the adapter profile file name, click OK.
8. On the Success page, click Close.
9. After installing Tivoli Identity Manager and installing the Tivoli Identity Manager language pack, if the default language is not English and the adapter labels are displayed in English, complete these steps:
   a. Click Configure System > Manage Service Types.
   b. Click Import on the Service Type table.
   c. Click Browse next to the Service Definition File field.
72 IBM Tivoli Identity Manager Server: Installation and Configuration Guide

   d. Locate the timx_agents.jar file under the ITIM_HOME\timlp directory and click OK.
   e. Click Close on the Success page.

Changing cluster configurations after Tivoli Identity Manager is installed

This section describes expanding or reducing the members in a cluster for performance reasons after Tivoli Identity Manager is installed.

Expanding a cluster using a new computer

To add a new cluster member to an existing Tivoli Identity Manager cluster, complete these steps to add a computer with a WebSphere Application Server that was not previously in the WebSphere cell.
1. Create a profile on a new computer and federate the new node into the cell. There are two ways to complete this step:
   Create a custom profile
      Create a custom profile on the new computer and federate the profile into the deployment manager cell.
   Create a base profile
      Create a base profile on the new computer and then run the addnode command to federate the new node into the cell. For more information, see Manually federate a WebSphere Application Server node member on page 46.
2. Create a Tivoli Identity Manager cluster member on the new node. Repeat this procedure to create cluster members on both the application cluster and the messaging engine cluster. On the WebSphere administrative console, complete these steps:
   a. Click Servers > Cluster.
   b. On the next window, click the Tivoli Identity Manager cluster name.
   c. Click Cluster Members, then click New.
   d. Select the node name that is the node that you added to the cell. Enter the node name. Then, click Next.
   e. Verify the summary window, then click Finish.
   f. Save the changes.
3. Run the Tivoli Identity Manager installation program on the new computer, choosing cluster member installation.
4. Run the following command on the deployment manager node to set the policy for the association of the messaging engine and the cluster member:
   Windows operating systems: ITIM_HOME\bin\runConfig.exe install
   UNIX or Linux operating systems: ITIM_HOME/bin/runConfig install
5. Start the new cluster member. Click Servers > Clusters and select the cluster. In the cluster, click Cluster Members. Select the new member and click Start.

Removing cluster members

To remove cluster members, complete these steps:
1. Run the Tivoli Identity Manager uninstallation program on the computer that has the cluster member that you intend to remove. For more information, see Chapter 11, Uninstalling Tivoli Identity Manager, on page 125.
Chapter 6. Installing Tivoli Identity Manager 73

2. On the WebSphere administrative console, delete the cluster members from both Tivoli Identity Manager clusters.

Chapter 7. Configuring the Tivoli Identity Manager Server

Configuring the Tivoli Identity Manager Server has these steps:
   Configuring the Tivoli Identity Manager database
   Configuring the directory server on page 76
   Configuring commonly used system properties on page 77
   Modifying system properties during normal operation on page 84

Optionally, you can configure security after installing Tivoli Identity Manager. For more information about configuring security post-install for Tivoli Identity Manager, see Appendix B, Configuring security for Tivoli Identity Manager, on page 133.

Configuring the Tivoli Identity Manager database

The Tivoli Identity Manager installation program automatically uses the DBConfig database configuration tool during a single-server installation, or during a cluster installation on the deployment manager, to set up the database to work with Tivoli Identity Manager. For more information about initial installation and configuration for a database, see Chapter 2, Installing and configuring a database, on page 9.

Completing the database configuration windows

A database configuration window opens to allow you to configure the database property file and to set up tables in the Tivoli Identity Manager database. The fields that appear in the window might vary, depending on which database you use. For more information about database fields, see Recording user data on page 10.

In the database configuration window, follow these steps:
1. Complete the Identity Manager Database Information fields. The data is required to configure and connect to the Tivoli Identity Manager database. You can configure these fields:
   Host Name
      Specify the name of the database host.
   Port Number
      Specify the port number of the database instance.
   Database Name
      For DB2 or Microsoft SQL databases: Specify the database name.
      For Oracle database:
      a. Click the radio button adjacent to SID or Service Name.
      b. Specify the Oracle system identifier (SID) or service name depending on the radio button you selected.
   Admin ID
      Specify the administrator ID for the database host. Ensure that the administrator ID has the rights to create tablespace and stop and start the database.
Copyright IBM Corp. 2009 75

   Admin Password
      Specify the password for the administrator ID.
2. Click Test to ensure that the connection to the database is active. When the database test is successful, the Tivoli Identity Manager User Password field becomes active and the Test button changes to Continue. The User ID field displays the default value itimuser, although you can change this user ID. Before you continue, ensure that the user ID itimuser exists.
3. Enter the correct password for the existing database user ID that is named itimuser, and then click Continue. The database configuration requires several minutes to complete.

Manually starting the DBConfig database configuration tool

The DBConfig command creates the database table definitions that Tivoli Identity Manager requires. Run this command only if the command failed to configure the database during installation. If the Tivoli Identity Manager database tables have been previously set, running the DBConfig command first drops all of the previously existing Tivoli Identity Manager tables. If you run this command after installation, ensure that the messaging engines under the service integration bus (itim_bus) have been stopped from the WebSphere Application Server administrative console before running DBConfig.

Running the database configuration tool writes data to the ITIM_HOME\install_logs\dbconfig.stdout log file. If you want to save the original file, back up the file before running the command. The database configuration requires several minutes to complete.

To manually start the database configuration tool (DBConfig), complete these tasks:
1. Back up the ITIM_HOME\install_logs\dbConfig.stdout file.
2. Run the following command:
   Windows: ITIM_HOME\bin\DBConfig.exe
   UNIX/Linux: ITIM_HOME/bin/DBConfig

Note: You must run the runconfig command after running DBConfig to ensure that database changes are updated. If DBConfig has never run after an install completes, you must run the following commands to update changes:
   Windows operating systems: ITIM_HOME\bin\runConfig.exe install
   UNIX or Linux operating systems: ITIM_HOME/bin/runConfig install

Configuring the directory server

The Tivoli Identity Manager installation program automatically uses the ldapconfig configuration tool during a single-server installation, or during a cluster installation on the deployment manager, to set up the directory server to work with Tivoli Identity Manager. For more information about initial installation and configuration for a directory server, see Chapter 3, Installing and configuring a directory server, on page 27.

Running the ldapconfig command restores the default values that Tivoli Identity Manager uses. If you have changed the value of any of these Tivoli Identity Manager attributes, such as the password of the itim manager user ID, the value is overwritten. Do not run the ldapconfig command a second time, unless the LDAP configuration fails during the Tivoli Identity Manager Server installation process.

Completing the directory server configuration windows

To configure the LDAP data repository with Tivoli Identity Manager values, complete these steps:
1. Enter the values for the LDAP Server Information fields (Principal DN, Password, Host Name, Port) to set up the connection to the directory server. For example, the value of the Host Name field is the fully qualified host name of the computer on which the directory server is running.
2. Click Test to ensure that the connection to the directory server can be established. When the test for a connection to the directory server is successful, the fields in the Identity Manager Directory Information section become active.
3. Enter the values for the Identity Manager Directory Information fields. You can configure these fields:
   Number of hash buckets
      Specify the number of hash buckets.
   Name of Your Organization
      Specify the name of your organization. For example, My Organization.
   Default Org Short Name
      Specify the short name of your organization. For example, myorg.
   Identity Manager DN Location
      Specify the Tivoli Identity Manager suffix. For example, dc=com.
   When you are finished, click Continue.

Manually running the ldapconfig configuration tool

To avoid the loss of existing directory server data, you must not manually run this tool unless a directory server configuration problem occurs during installation. Running the configuration tool writes data to the ITIM_HOME\install_logs\ldapconfig.stdout log file. If you want to save the original file, back up the file before running the command. The directory server configuration requires several minutes to complete.

To manually start the ldapconfig configuration tool, complete these steps:
1. Back up the ITIM_HOME\install_logs\ldapConfig.stdout file.
2. Run the following command:
   ITIM_HOME\bin\ldapConfig

Configuring commonly used system properties

The Tivoli Identity Manager installation program automatically runs the runconfig system configuration tool to edit commonly used system properties for the Tivoli Identity Manager Server and also to configure WebSphere Application Server settings for the Tivoli Identity Manager application. The Tivoli Identity Manager installation program runs the system configuration tool for both a single-server and cluster configuration, which includes the deployment manager and the cluster members. The system configuration tool provides these windows:
Chapter 7. Configuring the Tivoli Identity Manager Server 77

   General tab
   Directory tab on page 79
   Database tab on page 79
   Logging tab on page 80
   Mail tab on page 80
   UI tab on page 81
   Security tab on page 82

You can run the system configuration tool manually. For more information, see Manually starting the system configuration tool on page 82. For alternative ways to configure system properties, see Modifying system properties during normal operation on page 84.

Related topics:
   Single-server installation: Responding to major installation actions on page 55
   Cluster installation: Responding to major installation actions on page 66

General tab

Click the General tab. The General tab of the system configuration tool configures the general information about the Tivoli Identity Manager Server. The following field values on the General tab are prefilled by the installation program:

Scheduling information
Heart Beat (seconds)
   The Scheduling Information field displays information about how frequently a scheduling thread queries the scheduled message stores for events to process (Heart Beat). You might want to consider performance issues before you enable a more frequent beat. Only system administrators can modify the Heart Beat, which is measured in seconds.

Recycle Bin Age Limit (days)
   When you delete Tivoli Identity Manager objects (such as organization units, persons, or accounts), the objects are not immediately removed from the system. Instead, they are moved to a recycle bin container. Emptying the recycle bin is a separate deletion process that involves running cleanup scripts. The recycle bin is disabled by default but can be enabled by editing the enrole.properties file in the ITIM_HOME\data directory.
   For example, to avoid assigning an old user ID to a new user, the assignment process might check the recycle bin to determine if an old user ID exists. You might set the value of the recycle bin interval to an interval that determines the length of time to retain old user IDs.
   The Recycle Bin Age Limit field specifies the number of days that an object remains in the recycle bin of the system before it becomes available for deletion by cleanup scripts. The cleanup scripts can only remove those objects that are older than the age limit setting. For example, if the age limit setting is 62 days (the default value), only objects that have been in the recycle bin for more than 62 days can be deleted by cleanup scripts.
   You can use the following scripts to either manually remove or to schedule the periodic cleanup of recycle bin entries with expired age limits:

   - Windows: ITIM_HOME\bin\win\ldapClean.cmd
     To schedule periodic cleanup, register the preceding command script with the Windows scheduler.
   - UNIX: ITIM_HOME/bin/unix/ldapClean.sh
     To schedule periodic cleanup, create a UNIX cron job such as the following example: ITIM_HOME/bin/unix/schedule_garbage.cron

Related topics: See Configuring commonly used system properties on page 77.

Directory tab

Click the Directory tab. The Directory tab of the system configuration tool displays directory connection information and LDAP connection pool information. The tab also has a Test button to test the connection to the directory server. If you update any field on this tab, click Test to ensure that the connection works. The information is pre-filled for the deployment manager, but not for a WebSphere Application Server.

If necessary, modify the following information for the directory server:
   Principal DN and password that the Tivoli Identity Manager Server uses to log on to the directory server
   Host name or IP address for the directory server. For IPv6, literal addresses need to be enclosed in brackets. For example, [abcd:abcd:abcd:abcd:abcd:abcd:abcd:abcd] where abcd is a hexadecimal number from 0000-FFFF.
   Port number for the directory server

The LDAP connection pool information defines a pool of LDAP connections accessible by the Tivoli Identity Manager Server. After a connection is established and data is stored in the LDAP directory server, changing the host name or the port number might have detrimental effects.
   In the Maximum Pool Size field, specify the maximum number of connections that the LDAP Connection Pool can have at any time.
   In the Initial Pool Size field, specify the initial number of connections to be created for the LDAP Connection Pool.
   In the Increment Count field, specify the number of connections to be added to the LDAP Connection Pool every time a connection is requested after all connections are in use.

Related topics: See Configuring commonly used system properties on page 77.

Database tab

Click the Database tab. The Database tab displays general database information and database pool information. The tab also has a Test button to test the connection to the database. If you update any field on this tab, click Test to ensure that the connection works. Changing the configuration after the system is set up can have detrimental effects.

Depending on the type of connection that is used, one of several windows is displayed when configuring database properties. The window in this example displays the Database tab when Tivoli Identity Manager does not use an Oracle Client to connect to the Oracle database. If this installation is on a cluster member, the information must match the database specification previously made for the deployment manager.
   In the JDBC URL field, specify the URL value with type 4 JDBC Driver URL format. For IPv6, literal addresses need to be enclosed in brackets. For example, jdbc:db2://[abcd:abcd:abcd:abcd:abcd:abcd:abcd:abcd]:50002/itimdb where abcd is a hexadecimal number from 0000-FFFF.
   In the Database User and the User Password fields, specify the database account and password that Tivoli Identity Manager uses to log on to the database. The default user ID is itimuser, which is created by the Tivoli Identity Manager database configuration program (DBConfig). The account must have a valid user password.

The database pool information determines the number of JDBC connections. For more information about supported JDBC drivers, see Database server products on page 1.
   In the Initial Capacity field, specify the initial number of JDBC connections.
   In the Maximum Capacity field, specify the maximum number of JDBC connections that the Tivoli Identity Manager Server can open to the database at any one time.

Related topics: See Configuring commonly used system properties on page 77.

Logging tab

Click the Logging tab. The Logging tab of the system configuration tool enables you to set the level of tracing. Choose one of these values:
   MIN  Writes less information to the log file. Use this setting for best performance.
   MID  Writes an increased amount of information to the log file.
   MAX  Writes the maximum amount of information to the log file. The increased amount of logging activity might affect performance. This setting is approximately the equivalent of VERBOSE.

Related topics: See Configuring commonly used system properties on page 77.

Mail tab

Click the Mail tab.
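The Directory and Database tabs above, like the Mail tab later in this chapter, require an IPv6 literal to be enclosed in brackets so that the port can still be separated from the address. The following added example (not IBM code and not part of the product) builds and parses those host:port, DB2 JDBC URL and base URL strings and rejects the ambiguous unbracketed form; the function names and host names in it are the example's own.

```python
"""Added example, not IBM code: build and check the host:port forms the Directory,
Database and Mail tabs expect, bracketing IPv6 literals as the guide requires."""
import ipaddress
import re


def format_host_port(host, port):
    """Return 'host:port'; an IPv6 literal is wrapped in [] so the port stays unambiguous."""
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    host = host.strip()
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]  # accept an already bracketed literal
    try:
        if isinstance(ipaddress.ip_address(host), ipaddress.IPv6Address):
            return f"[{host}]:{port}"
    except ValueError:
        pass  # a host name, not an IP literal: used as-is
    return f"{host}:{port}"


_BRACKETED = re.compile(r"\[([^\]]+)\]:(\d{1,5})")


def split_host_port(value):
    """Inverse of format_host_port. An unbracketed IPv6 literal followed by a port is
    rejected because a value such as 'abcd::1:50002' cannot be split unambiguously."""
    value = value.strip()
    m = _BRACKETED.fullmatch(value)
    if m:
        host, port = m.group(1), int(m.group(2))
        ipaddress.IPv6Address(host)  # ValueError if the bracketed text is not IPv6
    else:
        if value.count(":") != 1:
            raise ValueError(f"ambiguous or malformed host:port {value!r}; bracket IPv6 literals")
        host, port_text = value.rsplit(":", 1)
        port = int(port_text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return host, port


def is_valid_host_port(value):
    """True when split_host_port accepts the value."""
    try:
        split_host_port(value)
        return True
    except ValueError:
        return False


def db2_jdbc_url(host, port, database):
    """Type 4 DB2 URL in the form the Database tab shows: jdbc:db2://host:port/db."""
    return f"jdbc:db2://{format_host_port(host, port)}/{database}"


_JDBC = re.compile(r"jdbc:db2://(.+)/([^/]+)")


def parse_db2_jdbc_url(url):
    """Split a DB2 type 4 URL into (host, port, database), validating the host:port part."""
    m = _JDBC.fullmatch(url.strip())
    if not m:
        raise ValueError(f"not a DB2 type 4 URL: {url!r}")
    host, port = split_host_port(m.group(1))
    return host, port, m.group(2)


def base_url(host, port, scheme="http"):
    """Base URL for the Mail tab: scheme://host:port, with IPv6 bracketed the same way."""
    return f"{scheme}://{format_host_port(host, port)}"


if __name__ == "__main__":
    v6 = "abcd:abcd:abcd:abcd:abcd:abcd:abcd:abcd"  # the guide's placeholder literal
    print(format_host_port(v6, 389))
    print(db2_jdbc_url(v6, 50002, "itimdb"))
    print(base_url(v6, 80))
    print(is_valid_host_port("abcd::1:50002"))  # False: unbracketed literal is ambiguous
```

The check in split_host_port is the part worth keeping: a field that silently accepts an unbracketed literal produces a URL that a driver may parse as a different host and port than the administrator intended.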

The Mail tab of the system configuration tool displays mail notification and gateway parameters:
   In the Tivoli Identity Manager Base URL field, specify the login Universal Resource Locator (URL) for the Tivoli Identity Manager Server. This address is the first part of a URL that is sent to the recipient of mail messages at runtime. The URL also points to the login page of the Tivoli Identity Manager administrative console. The value is the URL of the proxy server (for example, the IBM HTTP Server). Specify the host name (or IP address) and port in the base URL. Ensure that the value matches the published login URL to your Tivoli Identity Manager system.
      Single-server configuration base URL is the address of the Web server (for example, the IBM HTTP Server) which by default uses port 80.
      Cluster configuration base URL is the address of the Web server which load-balances to all application server instances in the cluster (not the base URL of a specific application server instance).
      For IPv6, literal addresses need to be enclosed in brackets. For example, http://[abcd:abcd:abcd:abcd:abcd:abcd:abcd:abcd]:80 where abcd is a hexadecimal number from 0000-FFFF.
   In the Mail From field, specify the e-mail address of the Tivoli Identity Manager system administrator for your site. All e-mail is delivered from the Mail From parameter. You must change this address; otherwise, you send spam to the e-mail address listed.
   In the Mail Server Name field, specify the SMTP mail host that sends mail notification. SMTP mail servers are supported. The SMTP host is the mail gateway. For example, enter a host name such as swiftcreek.mycity.ibm.com.

Related topics: See Configuring commonly used system properties on page 77.

UI tab

Click the UI tab. The UI tab of the system configuration tool displays information to customize the Tivoli Identity Manager Server GUI.
   In the Customer Logo field, specify the path and file name of the logo graphic.
   In the Customer Logo Link field, specify an optional URL link activated by clicking the logo image.
   System administrators can specify these two variables to replace the IBM logo with their company logo throughout the Tivoli Identity Manager system. The default IBM logo file is the ibm_banner.gif file, which is located in the WAS_PROFILE_HOME\installedApps\cellname\ITIM.ear\itim_console.war\html\images directory. In a cluster configuration, this default logo can be found on the node member workstation and not on the Deployment Manager workstation.
   In the List Page Size field, specify how many items that require a search in the directory are displayed on lists throughout the user interface. If the total number of items exceeds the set List Page Size, the list is spread over multiple pages. For example, the value controls the size of the names list that appears when you browse the My Organization > Manage People tab in the Tivoli Identity Manager GUI.

Related topics: See Configuring commonly used system properties on page 77.

Security tab

Click the Security tab. The Security tab of the system configuration tool displays information to manage database, LDAP, and application server user IDs and passwords that are stored in Tivoli Identity Manager properties files. The tab displays the encryption settings and application server user management preferences in Tivoli Identity Manager.

By default, passwords in the Tivoli Identity Manager property files are encrypted. In the Encryption box, check the box to encrypt the passwords used for database and directory server connections and the password of the EJB user that is used for EJB authentication. The encryption flags are set to true. Clear the box to decrypt the passwords and set the flags to false. The flags are represented by the following properties in the enrole.properties file:
   enrole.password.database.encrypted
   enrole.password.ldap.encrypted
   enrole.password.appserver.encrypted

In the System User and System User Password fields, specify the system user and the system user password. The fields are pre-filled if WebSphere administrative security and application security are on, and an administrator user ID and password have been entered. The fields are blank if WebSphere administrative security and application security are not on.

In the EJB User and EJB User Password fields, specify the EJB user and the EJB user password. The fields initially take the values of the System User and Password fields. If you define your own EJB user during installation to be different from the System User, you might need to modify the EJB User and EJB User Password fields. If you change the value of the EJB user ID or the EJB password on this system configuration Security window and run runconfig as a stand-alone command, additional manual steps are required after Tivoli Identity Manager installation to map the security role to the Tivoli Identity Manager user in order to start Tivoli Identity Manager. For more information, see Mapping an administrative user to a role on page 137.

Note: The EJB user password is restricted to 12 characters.

Related topics: See Configuring commonly used system properties on page 77.

Manually starting the system configuration tool

To update commonly used Tivoli Identity Manager properties, run the following command:
   Windows: ITIM_HOME\bin\runConfig.exe
   UNIX/Linux: ITIM_HOME/bin/runConfig

The runconfig utility also accepts an install parameter. Use runconfig with the install parameter when there is a problem reported for runconfig during the Tivoli Identity Manager installation. Note that system configuration requires several minutes to complete if the install option is used.
   Windows: ITIM_HOME\bin\runConfig.exe install
   UNIX/Linux: ITIM_HOME/bin/runConfig install

Running the system configuration tool writes log data to the ITIM_HOME\install_logs\runconfig.stdout log file.

Manually installing agentless adapters and adapter profiles

Agentless adapter profiles are installed automatically by the Tivoli Identity Manager installation program during a new installation. The adapter is installed depending on whether the IBM Tivoli Directory Integrator is installed on the same server as Tivoli Identity Manager. You can verify that they installed correctly by looking for the POSIX adapters listed under Configure System > Service Types in the administrative console user interface. However, if either the adapters or profiles failed to install, you can install them manually.

The following tasks are for agentless adapter installation only. For information about installing agent-based adapters and adapter profiles, see the Installing section of the Tivoli Identity Manager Information Center.

Installing agentless adapters

Tivoli Identity Manager Version 5.1 supports both Tivoli Directory Integrator Version 6.1.1 and 7.1. You can install agentless adapters for Tivoli Directory Integrator interactively or silently.

To install agentless adapters interactively on Windows, for example, run the following command:
   WAS_HOME\java\bin\java.exe -cp PosixAdapterInstall_.jar run
where the suffix of the JAR file name is the Tivoli Directory Integrator version. For example, use 70 for version 7.0 or 611 for version 6.1.1.

To install agentless adapters silently, complete these steps:
1. Update the ITIM_HOME\config\adapters\response.txt file, replacing every occurrence of %1 with the value of ITDI_HOME.
2. Run the following command to install the adapters:
   cd ITIM_HOME\config\adapters
   "WAS_HOME\java\bin\java.exe" -cp PosixAdapterInstall_.jar run -silent -options response.txt

Installing agentless adapter profiles

It is recommended that you download the latest POSIX adapters from the adapter download site. To install agentless adapter profiles, run the following commands:

For Windows operating systems:
   cd ITIM_HOME\config\adapters
   "ITIM_HOME/bin/unix/config_remote_services.sh" -profile LdapProfile -jar LdapProfile.jar
   "ITIM_HOME/bin/unix/config_remote_services.sh" -profile PosixSolarisProfile -jar PosixSolarisProfile.jar
   "ITIM_HOME/bin/unix/config_remote_services.sh" -profile PosixLinuxProfile -jar PosixLinuxProfile.jar
   "ITIM_HOME/bin/unix/config_remote_services.sh" -profile PosixHpuxProfile -jar PosixHpuxProfile.jar
   "ITIM_HOME/bin/unix/config_remote_services.sh" -profile PosixAixProfile -jar PosixAixProfile.jar

For UNIX operating systems:
   -bash-3.00# ./config_remote_services.sh -profile LdapProfile -jar /opt/ibm/itim/config/adapters/ldapprofile.jar
   -bash-3.00# ./config_remote_services.sh -profile PosixSolarisProfile -jar /opt/ibm/itim/config/adapters/posixsolarisprofile.jar
   -bash-3.00# ./config_remote_services.sh -profile PosixLinuxProfile -jar /opt/ibm/itim/config/adapters/posixlinuxprofile.jar
   -bash-3.00# ./config_remote_services.sh -profile PosixHpuxProfile -jar /opt/ibm/itim/config/adapters/posixhpuxprofile.jar
   -bash-3.00# ./config_remote_services.sh -profile PosixAixProfile -jar /opt/ibm/itim/config/adapters/posixaixprofile.jar

Note: You can also install them by selecting Configure System > Manage Service Types > Import from the administrative console user interface.

Related topics: Installing agentless adapters on page 40

Modifying system properties during normal operation

You configure the Tivoli Identity Manager Server by managing system properties. For example, a system property determines how the server responds to the correct completion of a challenge question.

System properties can be modified at any time. You might need to restart the Tivoli Identity Manager Server when changes are made to certain system properties, such as the server startup modules, which are not recognized unless you restart the server. Restart the Tivoli Identity Manager Server after modifying any property using the system configuration tool. Changes to other system properties can be recognized within 30 seconds. Logging properties can be changed without restarting the server, and changes take effect within 5 minutes.

To modify system properties, use these choices:
   Use the system configuration tool, runconfig. For more information, see Modifying system properties with the system configuration tool on page 85.
   Change manually. For more information, see Modifying system properties manually on page 85.
   Use the Tivoli Identity Manager Server GUI. For more information, see Modifying system properties with the Tivoli Identity Manager GUI on page 85.

Modifying system properties with the system configuration tool

After installation, use the system configuration tool (runconfig) for the following tasks:
   Changing the password of the database user.
   Specifying password encryption and updating Tivoli Identity Manager EJB user IDs and passwords.

Modifying system properties manually

Alternatively, you can manually modify system properties by editing the appropriate property file. System and supplemental property files are located on the Tivoli Identity Manager Server in the ITIM_HOME\data directory. These files contain all the system and supplemental properties used by the server. For more information about system properties located in the enrole.properties file, refer to the IBM Tivoli Identity Manager Information Center.

Modifying system properties with the Tivoli Identity Manager GUI

You can also modify certain system properties from within the Configuration section of the main menu navigation bar in the Tivoli Identity Manager Server GUI.

From the Set Systems Security tab, you can modify the following properties:
   Enable/disable password editing
   Password expiration period (number of days)
      This property is only for the Tivoli Identity Manager Server account. The user has to change the password before this period is reached. Whenever a new password is set for the Tivoli Identity Manager Server account, the password expiration period is affected from that time. You can disable password expiration by setting this value to zero.
   Password retrieval expiration period (number of hours)
      After the new account is created, the user receives an e-mail with the URL link that provides the password. The user has to get the password before this password retrieval period expires.
   Maximum number of invalid logon attempts
      Sets the maximum number of invalid logon attempts. If exceeded, the account is suspended. The default setting is 0 (unlimited logon attempts).

From the Configure Forgotten Password Settings tab, you can modify the following properties:
   Lost password question behavior
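The three Set Systems Security settings above each have a zero value with a special meaning (0 days disables expiration; 0 attempts means unlimited), and a password change restarts the expiration clock. The following added example (not IBM code, not the product's implementation) applies those rules to an account so the edge cases can be checked; the class and function names, the reference time and the 24-hour retrieval default are the example's own assumptions.

```python
"""Added example, not IBM code: the Set Systems Security rules described in the guide,
applied to an account with the zero-value cases handled as the text defines them."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class SecuritySettings:
    password_expiration_days: int = 0      # 0 disables password expiration (page)
    password_retrieval_hours: int = 24     # assumed default; the page gives none
    max_invalid_logon_attempts: int = 0    # 0 = unlimited attempts (page default)


@dataclass
class Account:
    password_set_at: datetime
    invalid_attempts: int = 0
    suspended: bool = False


def password_expired(settings, account, now):
    """Expired once the configured number of days has passed since the password was set."""
    if settings.password_expiration_days <= 0:
        return False  # expiration disabled
    return now >= account.password_set_at + timedelta(days=settings.password_expiration_days)


def record_password_change(account, now):
    """A new password restarts the expiration period from that time."""
    account.password_set_at = now


def retrieval_link_usable(settings, issued_at, now):
    """The e-mailed password retrieval link is valid only inside the retrieval period."""
    return now < issued_at + timedelta(hours=settings.password_retrieval_hours)


def record_invalid_logon(settings, account):
    """Count a failed logon; suspend once the maximum is exceeded, never when it is 0."""
    account.invalid_attempts += 1
    limit = settings.max_invalid_logon_attempts
    if limit > 0 and account.invalid_attempts > limit:
        account.suspended = True
    return account.suspended


def demo():
    """Walk through the rules with constructed values; returns the decisions in order."""
    now = datetime(2009, 6, 1, 12, 0)  # constructed reference time
    strict = SecuritySettings(password_expiration_days=90, password_retrieval_hours=48,
                              max_invalid_logon_attempts=3)
    acct = Account(password_set_at=now - timedelta(days=91))
    results = [
        password_expired(strict, acct, now),               # True: 91 days > 90
        password_expired(SecuritySettings(), acct, now),   # False: 0 disables expiration
    ]
    record_password_change(acct, now)
    results.append(password_expired(strict, acct, now))    # False: clock restarted
    results.append(retrieval_link_usable(strict, now - timedelta(hours=47), now))  # True
    results.append(retrieval_link_usable(strict, now - timedelta(hours=49), now))  # False
    results.append([record_invalid_logon(strict, acct) for _ in range(4)])  # 4th exceeds 3
    unlimited = Account(password_set_at=now)
    results.append(any(record_invalid_logon(SecuritySettings(), unlimited) for _ in range(50)))
    return results


if __name__ == "__main__":
    print(demo())
```

Note that with the page's default of 0 invalid logon attempts an account is never suspended, so a deployment that wants lockout must set the value explicitly.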

Chapter 8. Performing a silent installation and configuration of Tivoli Identity Manager

Tivoli Identity Manager can be run in a silent mode, which reads response files that contain input values to configure the directory server, database server, WebSphere Application Server, and Tivoli Identity Manager. Silent installation is supported in both single-server and cluster environments, and for clean installation and upgrade.

Example response files are provided on the base DVD in the response_files directory. The installation program reads input from two response files, installvariables.properties and configresponse.properties. The installvariables.properties file has the installer-related input values such as the installation directory, database type, directory server type, and so on. The configresponse.properties file has the properties required for the database configuration, LDAP configuration, and system configuration programs, with a different prefix for each configuration program:

- Database configuration: dbconfigresponse.propertyname=value
- LDAP configuration: ldapconfigresponse.propertyname=value
- System configuration: sysconfigresponse.propertyfilename.propertyname=value

The file names differ for an upgrade scenario. The following sets of response files are needed for clean installation and for upgrade, depending on the application server type:

Clean installation:
- For a single server or the deployment manager: installvariables.properties, configresponse.properties
- For cluster members: installvariables.properties, configresponsecm.properties

Upgrade:
- For a single server or the deployment manager: installvariablesupgrade.properties, configresponseupgrade.properties
- For cluster members: installvariablesupgrade.properties, configresponsecmupgrade.properties

Notes:
1. You can use a different file name for the installation response file (for example, installvariablesupgrade.properties) because it can be passed to the installer with the "-f" flag, but the name of the configuration response file must always be configresponse.properties.
2. For the system configuration program, the configresponse.properties or configresponseupgrade.properties template contains only the minimum set of required system properties (with the prefix sysconfigresponse). You can add further system properties to the file if necessary. Use the convention sysconfigresponse.propertyfilename.propertyname=value. For example, for an IBM Tivoli Directory Server configuration whose authorization ID is cn=root:
   sysconfigresponse.enroleldapconnection.java.naming.provider.url=ldap://hostname:389
   sysconfigresponse.enroleldapconnection.java.naming.security.principal=cn=root
   sysconfigresponse.enroleldapconnection.java.naming.security.credentials=xxxxxx
   The system configuration program running in silent mode sets the values of the listed properties in the enroleldapconnection.properties file.
3. The silent installer reads the values from the configresponse.properties file and configures the Tivoli Identity Manager components. If a specific component configuration fails, the utilities and the associated .lax files can be found in ITIM_HOME\bin. Each component of the installation can be run silently by setting the IS_SILENT=<true/false> property in the .lax file of the component.

Copyright IBM Corp. 2009 87

Before you begin

Before you run the silent installation, install and configure any necessary middleware, such as the directory server, database server, directory integrator, and application server. Ensure that all of these components are working correctly and that you have entered the correct data; any error in setting up the system can cause the silent installation to fail.

Performing a silent installation in a single-server environment

To perform a silent installation in a single-server environment, complete these tasks.

Clean installation:
1. Copy the response files installvariables.properties and configresponse.properties to a directory on the target computer.
2. Update the response files with the correct values.
3. Run instplatform -i silent -f installvariables.properties if the installer and the response files are in the same directory. The names of the system platform installer programs are:
   - Windows: instwin.exe
   - AIX: instaix.bin
   - Linux: instlinux.bin
   - Linux for System p: instplinux.bin
   - Linux for System z: instzlinux.bin
   - Solaris: instsol.bin
   Note: If the installer and the response files are in different directories or on different drives, use the relative or absolute path for the installvariables.properties file and the absolute path for the configresponse.properties file. For example, if the response files are in the C:\temp directory on a Windows machine, use this command:
   instwin.exe -i silent -f C:\temp\installvariables.properties -DITIM_CFG_RESP_FILE_DIR=C:\temp
   UNIX machines use a different installer command, such as instaix.bin for AIX, and a different path.

Upgrade:
1. Copy the response files installvariablesupgrade.properties and configresponseupgrade.properties to a directory on the target computer.
2. Rename the configresponseupgrade.properties file to configresponse.properties.
3. Update the response files with the correct values.
4. Run instplatform -i silent -f installvariablesupgrade.properties if the installer and the response files are in the same directory. The names of the system platform installer programs are:
   - Windows: instwin.exe
   - AIX: instaix.bin
   - Linux: instlinux.bin
   - Linux for System p: instplinux.bin
   - Linux for System z: instzlinux.bin
   - Solaris: instsol.bin
   Note: If the installer and the response files are in different directories or on different drives, use the relative or absolute path for the installvariablesupgrade.properties file and the absolute path for the configresponse.properties file. For example, if the response files are in the C:\temp directory on a Windows machine, use this command:
   instwin.exe -i silent -f C:\temp\installvariablesUpgrade.properties -DITIM_CFG_RESP_FILE_DIR=C:\temp
   UNIX machines use a different installer command, such as instaix.bin for AIX, and a different path.

Silent installation might take some time to complete. To check on the installation progress, examine the itim_install_activity.log file in the ITIM_HOME\install_logs directory. Verify the installation and troubleshoot to resolve any problems that occurred during installation and startup. For more information, see Chapter 9, Verifying and troubleshooting the installation, on page 95.

Performing a silent installation in a cluster environment

To perform a silent installation in a cluster environment, complete these tasks.

Clean installation:

On the deployment manager:
1. Copy the response files installvariables.properties and configresponse.properties to a directory on the target computer.
2. Update the response files with the correct values.
3. Run instplatform -i silent -f installvariables.properties if the installer and the response files are in the same directory. The names of the system platform installer programs are:
   - Windows: instwin.exe
   - AIX: instaix.bin
   - Linux: instlinux.bin
   - Linux for System p: instplinux.bin
   - Linux for System z: instzlinux.bin
   - Solaris: instsol.bin
   Note: If the installer and the response files are in different directories or on different drives, use the relative or absolute path for the installvariables.properties file and the absolute path for the configresponse.properties file. For example, if the response files are in the C:\temp directory on a Windows machine, use this command:
   instwin.exe -i silent -f C:\temp\installvariables.properties -DITIM_CFG_RESP_FILE_DIR=C:\temp
   UNIX machines use a different installer command, such as instaix.bin for AIX, and a different path.

On the cluster members:
1. Copy the response files installvariables.properties and configresponsecm.properties to a directory on the target computer.
2. Rename the configresponsecm.properties file to configresponse.properties.
3. Update the response files with the correct values.
4. Run instplatform -i silent -f installvariables.properties if the installer and the response files are in the same directory. The names of the system platform installer programs are:
   - Windows: instwin.exe
   - AIX: instaix.bin
   - Linux: instlinux.bin
   - Linux for System p: instplinux.bin
   - Linux for System z: instzlinux.bin
   - Solaris: instsol.bin
   Note: If the installer and the response files are in different directories or on different drives, use the relative or absolute path for the installvariables.properties file and the absolute path for the configresponse.properties file. For example, if the response files are in the C:\temp directory on a Windows machine, use this command:
   instwin.exe -i silent -f C:\temp\installvariables.properties -DITIM_CFG_RESP_FILE_DIR=C:\temp
   UNIX machines use a different installer command, such as instaix.bin for AIX, and a different path.

Upgrade:

On the deployment manager:
1. Copy the response files installvariablesupgrade.properties and configresponseupgrade.properties to a directory on the target computer.
2. Rename the configresponseupgrade.properties file to configresponse.properties.
3. Update the response files with the correct values.
4. Run instplatform -i silent -f installvariablesupgrade.properties if the installer and the response files are in the same directory. The names of the system platform installer programs are:
   - Windows: instwin.exe
   - AIX: instaix.bin
   - Linux: instlinux.bin
   - Linux for System p: instplinux.bin
   - Linux for System z: instzlinux.bin
   - Solaris: instsol.bin
   Note: If the installer and the response files are in different directories or on different drives, use the relative or absolute path for the installvariablesupgrade.properties file and the absolute path for the configresponse.properties file. For example, if the response files are in the C:\temp directory on a Windows machine, use this command:
   instwin.exe -i silent -f C:\temp\installvariablesUpgrade.properties -DITIM_CFG_RESP_FILE_DIR=C:\temp
   UNIX machines use a different installer command, such as instaix.bin for AIX, and a different path.

On the cluster members:
1. Copy the response files installvariablesupgrade.properties and configresponsecmupgrade.properties to a directory on the target computer.
2. Rename the configresponsecmupgrade.properties file to configresponse.properties.
3. Update the response files with the correct values.
4. Run instplatform -i silent -f installvariablesupgrade.properties if the installer and the response files are in the same directory. The names of the system platform installer programs are:
   - Windows: instwin.exe
   - AIX: instaix.bin
   - Linux: instlinux.bin
   - Linux for System p: instplinux.bin
   - Linux for System z: instzlinux.bin
   - Solaris: instsol.bin
   Note: If the installer and the response files are in different directories or on different drives, use the relative or absolute path for the installvariablesupgrade.properties file and the absolute path for the configresponse.properties file. For example, if the response files are in the C:\temp directory on a Windows machine, use this command:
   instwin.exe -i silent -f C:\temp\installvariablesUpgrade.properties -DITIM_CFG_RESP_FILE_DIR=C:\temp
   UNIX machines use a different installer command, such as instaix.bin for AIX, and a different path.

Silent installation might take some time to complete. To check on the installation progress, examine the itim_install_activity.log file in the ITIM_HOME\install_logs directory. Verify the installation and troubleshoot to resolve any problems that occurred during installation and startup. For more information, see Chapter 9, Verifying and troubleshooting the installation, on page 95.
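Because the silent installer takes every value, including the directory server credentials, from configresponse.properties, a pre-flight check of that file catches the mistakes this chapter warns about before the run fails. The following script is an added example, not IBM's code: it relies only on the prefix convention described at the start of this chapter (dbconfigresponse., ldapconfigresponse., sysconfigresponse.<propertyfile>.<property>) and on the rule that the file must be named configresponse.properties; the sample content and the list of credential-like property names are constructed assumptions.

```python
"""Pre-flight checks for a Tivoli Identity Manager configresponse.properties file.

Added example, not IBM's code.  It relies only on the naming convention this
chapter describes (dbconfigresponse.<prop>, ldapconfigresponse.<prop>,
sysconfigresponse.<propertyfile>.<prop>) and on the rule that the configuration
response file must be named configresponse.properties.  The sample content at the
bottom is constructed for illustration.
"""
import os

CONFIG_RESPONSE_NAME = "configresponse.properties"   # the name the installer expects
PREFIXES = ("dbconfigresponse", "ldapconfigresponse", "sysconfigresponse")
SECRET_MARKERS = ("credentials", "password", "passwd")  # assumption: names that hold secrets
PLACEHOLDERS = ("xxxxxx", "changeme", "")               # template values never filled in


def parse_properties(text):
    """Parse Java .properties text: key=value or key:value, '#'/'!' comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        if sep:
            props[key.strip()] = value.strip()
    return props


def group_by_program(props):
    """Split properties by configuration program.  sysconfigresponse entries are
    nested by the properties file they target, e.g. enroleldapconnection.properties.
    Returns (groups, unknown); unknown holds keys that match no prefix."""
    groups = {p: {} for p in PREFIXES}
    unknown = {}
    for key, value in props.items():
        prefix, _, rest = key.partition(".")
        if prefix == "sysconfigresponse":
            target, _, prop = rest.partition(".")
            if target and prop:
                groups[prefix].setdefault(target + ".properties", {})[prop] = value
            else:
                unknown[key] = value
        elif prefix in groups and rest:
            groups[prefix][rest] = value
        else:
            unknown[key] = value
    return groups, unknown


def secret_keys(props):
    """Keys whose name suggests a credential: these are the values to protect while
    the file exists and to scrub once the silent run has finished."""
    return sorted(k for k in props if any(m in k.lower() for m in SECRET_MARKERS))


def check_config_response(text, filename):
    """Return a list of problems found; an empty list means the file looks ready."""
    problems = []
    if os.path.basename(filename) != CONFIG_RESPONSE_NAME:
        problems.append("file must be named %s, not %s"
                        % (CONFIG_RESPONSE_NAME, os.path.basename(filename)))
    props = parse_properties(text)
    groups, unknown = group_by_program(props)
    for key in sorted(unknown):
        problems.append("key %s matches no configuration-program prefix" % key)
    for prefix in PREFIXES:
        if not groups[prefix]:
            problems.append("no %s.* properties found" % prefix)
    for key in secret_keys(props):
        if props[key].lower() in PLACEHOLDERS:
            problems.append("credential %s still holds a placeholder value" % key)
    return problems


# Constructed sample: the chapter's placeholder property names plus the cn=root
# example, with the credential left at the template placeholder and one mistyped prefix.
SAMPLE = """\
dbconfigresponse.propertyname=value
ldapconfigresponse.propertyname=value
sysconfigresponse.enroleldapconnection.java.naming.provider.url=ldap://hostname:389
sysconfigresponse.enroleldapconnection.java.naming.security.principal=cn=root
sysconfigresponse.enroleldapconnection.java.naming.security.credentials=xxxxxx
sysconfigrespons.enroleldapconnection.java.naming.referral=follow
"""

if __name__ == "__main__":
    for problem in check_config_response(SAMPLE, "C:/temp/configresponse.properties"):
        print("WARNING:", problem)
```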

Configuring the database silently

If the database configuration failed during the silent installation, correct the database information in the response file, then follow these steps to configure the database silently.

To configure the database using a response file:
1. Copy the configresponse.properties file to a directory on the target computer.
2. Update the configresponse.properties file with the correct database information.
3. Edit the ITIM_HOME/bin/DBConfig.lax file to set the values of the following two properties:
   IS_SILENT=true
   RESPONSE_FILE=full path to the configresponse.properties file
4. Invoke the database configuration program: ITIM_HOME/bin/DBConfig

The database configuration might take a few minutes to complete. To monitor the configuration progress, view the dbconfig.stdout file in the ITIM_HOME/install_logs directory.

Configuring the directory server silently

If the directory server configuration failed during the silent installation, correct the incorrect data parameters in the response file, then follow these steps to configure the directory server silently.

To configure the directory server using a response file:
1. Copy the configresponse.properties file to a directory on the target computer.
2. Update the configresponse.properties file with the correct directory server information.
3. Edit the ITIM_HOME/bin/ldapConfig.lax file to set the values of the following two properties:
   IS_SILENT=true
   RESPONSE_FILE=full path to the configresponse.properties file
4. Invoke the LDAP configuration program: ITIM_HOME/bin/ldapConfig

The directory server configuration might take a few minutes to complete. To monitor the configuration progress, view the ldapconfig.stdout file in the ITIM_HOME/install_logs directory.

Configuring the system silently in a single-server environment

If the system configuration failed during the silent installation, correct the incorrect data parameters in the response file, then follow these steps to configure the system silently.

To configure the system using a response file:
1. Copy the configresponse.properties file to a directory on the target computer.
2. Update the configresponse.properties file with the correct information.
3. Edit the ITIM_HOME/bin/runConfig.lax file to set the values of the following two properties:
   IS_SILENT=true
   RESPONSE_FILE=full path to the configresponse.properties file
4. Start the WebSphere Application Server.
5. Invoke the system configuration program: ITIM_HOME/bin/runConfig -install

The system configuration might take a few minutes to complete. To monitor the configuration progress, view the runconfig.stdout file in the ITIM_HOME/install_logs directory.

Configuring the system silently in a cluster environment

If the system configuration failed during the silent installation, correct the incorrect data parameters in the response file, then follow these steps to configure the system silently.

To configure the system using a response file:
1. On the deployment manager, copy the configresponse.properties file to a directory on the target computer.
2. On the cluster member system, copy the configresponsecm.properties file to a directory on the target computer and rename it to configresponse.properties.
3. Update the configresponse.properties file with the correct information.
4. Edit the ITIM_HOME/bin/runConfig.lax file to set the values of the following two properties:
   IS_SILENT=true
   RESPONSE_FILE=full path to the configresponse.properties file
5. Start the WebSphere deployment manager and all the node agents.
6. Invoke the system configuration program: ITIM_HOME/bin/runConfig -install

The system configuration might take a few minutes to complete. To monitor the configuration progress, view the runconfig.stdout file in the ITIM_HOME/install_logs directory.
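The three silent re-run procedures above differ only in which .lax file is edited, so the edit itself is worth automating and verifying rather than doing by hand. The following helper is an added example, not IBM's code: it assumes the .lax file is a line-oriented key=value file in which IS_SILENT and RESPONSE_FILE are plain keys (every other line is preserved), that RESPONSE_FILE must be the full path of a file named configresponse.properties, and that the .lax files sit in ITIM_HOME/bin under the names used in this chapter; the sample .lax content is constructed.

```python
"""Set IS_SILENT and RESPONSE_FILE in a configuration utility's .lax file so that
DBConfig, ldapConfig or runConfig can be re-run silently, as in the steps above.

Added example, not IBM's code.  Assumptions: the .lax file is a line-oriented
key=value file (lines that are not one of the two keys are kept as they are),
RESPONSE_FILE must be the full path of configresponse.properties, and the .lax
files live in ITIM_HOME/bin under the names this chapter uses.
"""
import os

LAX_FILES = {                       # configuration program -> .lax file in ITIM_HOME/bin
    "DBConfig": "DBConfig.lax",
    "ldapConfig": "ldapConfig.lax",
    "runConfig": "runConfig.lax",
}
SILENT_KEYS = ("IS_SILENT", "RESPONSE_FILE")


def response_file_problems(response_file):
    """Checks on the path that will be written as RESPONSE_FILE."""
    problems = []
    if not os.path.isabs(response_file):
        problems.append("RESPONSE_FILE must be a full path: %s" % response_file)
    if os.path.basename(response_file) != "configresponse.properties":
        problems.append("response file must be named configresponse.properties")
    return problems


def set_silent_properties(lax_text, response_file):
    """Return lax_text with IS_SILENT=true and RESPONSE_FILE=<response_file>.

    Existing lines for those keys are rewritten in place (a commented-out line is
    left alone because its key starts with '#'); missing keys are appended.
    Applying the function twice gives the same text, so it is safe before every run."""
    problems = response_file_problems(response_file)
    if problems:
        raise ValueError("; ".join(problems))
    wanted = {"IS_SILENT": "true", "RESPONSE_FILE": response_file}
    out, seen = [], set()
    for line in lax_text.splitlines():
        key = line.split("=", 1)[0].strip()
        if key in wanted:
            out.append("%s=%s" % (key, wanted[key]))
            seen.add(key)
        else:
            out.append(line)
    for key in SILENT_KEYS:
        if key not in seen:
            out.append("%s=%s" % (key, wanted[key]))
    return "\n".join(out) + "\n"


def silent_settings(lax_text):
    """Read back the two keys (last occurrence wins) to confirm a file before running."""
    settings = {}
    for line in lax_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in SILENT_KEYS:
            settings[key.strip()] = value.strip()
    return settings


def prepare_program(itim_home, program, response_file):
    """Rewrite ITIM_HOME/bin/<program>.lax on disk and return its path."""
    path = os.path.join(itim_home, "bin", LAX_FILES[program])
    with open(path, "r") as handle:
        text = handle.read()
    with open(path, "w") as handle:
        handle.write(set_silent_properties(text, response_file))
    return path


# Constructed sample .lax content (a real file carries many more properties).
SAMPLE_LAX = """\
# constructed sample
some.other.property=kept
IS_SILENT=false
"""

if __name__ == "__main__":
    print(set_silent_properties(SAMPLE_LAX, "/opt/itim/response/configresponse.properties"))
```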


Chapter 9. Verifying and troubleshooting the installation

This section describes how to correct problems with the Tivoli Identity Manager installation. It also explains how to verify that the Tivoli Identity Manager Server and its prerequisite processes are running correctly. You can test whether the database, the directory server, and other programs that the Tivoli Identity Manager Server uses are correctly configured and are in full communication with each other.

Correcting problems with starting the installation

If you cannot start the Tivoli Identity Manager installation program, check these requirements:
- Is there enough real memory available to run the installation program? For more information, refer to the IBM Tivoli Identity Manager Information Center.
- Are the correct operating system levels, patches, and space requirements provided for the hardware and software prerequisites? For more information, refer to the IBM Tivoli Identity Manager Information Center.
- Does the installation program have the correct file permissions to run? Administrative privileges are required.
- Is your firewall preventing processes that are active during installation from accessing external resources? For example, if you have a firewall that prevents ldapsearch from connecting to the directory server, the Tivoli Identity Manager installation fails.
- If the installation is on a UNIX or Linux system, do you have the correct permissions and display variables set? A common mistake is to log in to the desktop, omit disabling access control, and then telnet or SSH to a remote host on which you intend to install the Tivoli Identity Manager Server. To correct this problem, complete these tasks:
  1. Run this command at the command shell of your desktop to disable access control for the X Server:
     xhost +
  2. After you telnet or SSH to the remote host, run this command to set the DISPLAY environment variable:
     export DISPLAY=hostname:0.0
     The value of hostname is the host name or IP address of your local desktop computer.

Tivoli Identity Manager configuration errors

Check the Tivoli Identity Manager activity summary log file (itim_install_activity.log). If a non-fatal error is reported and it involves DBConfig, ldapConfig, or system configuration, you can use the stand-alone Tivoli Identity Manager configuration utilities to recover. For more information about these utilities, see Chapter 7, Configuring the Tivoli Identity Manager Server, on page 75.

Verifying the installation

This section describes how to verify whether the database, the directory server, and other programs that the Tivoli Identity Manager Server uses are correctly configured and are in full communication with the Tivoli Identity Manager Server.

Ensuring that the WebSphere Application Server is running

The WebSphere Application Server on which the Tivoli Identity Manager application is deployed must be running. To determine whether it is running, enter this command:
- Windows operating systems: WAS_PROFILE_HOME\bin\serverStatus.bat -all
- UNIX or Linux operating systems: WAS_PROFILE_HOME/bin/serverStatus.sh -all

If you do not find the process running, run this command to start the server:
- Windows operating systems: WAS_PROFILE_HOME\bin\startServer.bat server_name
- UNIX or Linux operating systems: WAS_PROFILE_HOME/bin/startServer.sh server_name

The value of server_name is the name of the WebSphere Application Server, for example server1. Additionally, examine the log files in the logs directory for entries that indicate the status of server1; for example, examine the log files in the WAS_PROFILE_HOME\logs\server1 directory.

Verifying that the Tivoli Identity Manager Server is running

To verify that the Tivoli Identity Manager Server and related processes are running, complete these steps:
1. Ensure that the WebSphere Application Server is running. Start the WebSphere administrative console: in a browser, enter this Web address:
   http://hostname:port/ibm/console
   The value of hostname is the fully qualified host name or the IP address of the computer on which the WebSphere Application Server is running. The value of port is the port number for the WebSphere administrative HTTP transport. The default value is 9060.
2. On the WebSphere administrative console, click Applications > Enterprise Applications and verify that the Tivoli Identity Manager Server is running. If it is not running, select the application, and then click Start.
   If the Tivoli Identity Manager Server does not start, examine the following log files:
   - WAS_PROFILE_HOME\logs\server_name\SystemOut.log
     The value of profile_name is the name of the WebSphere Application Server profile running Tivoli Identity Manager. The value of server_name is typically server1 for single-server environments.
   - TIVOLI_COMMON_DIRECTORY\CTGIM\logs\trace.log
     In this directory, also examine the msg.log file. Installing Tivoli Identity Manager Server defines the value of TIVOLI_COMMON_DIRECTORY.
3. Log on to the Tivoli Identity Manager Server using the WebSphere embedded HTTP transport. For example, in a browser window, enter this address:
   http://hostname:port/itim/console
   The value of hostname is the fully qualified host name or the IP address of the computer on which the WebSphere Application Server is running. The value of port is the port number of the WebSphere virtual host. The default port number is 9080. The port number can be omitted if an HTTP server is used as the front-end proxy. The browser displays the Tivoli Identity Manager login window. To log in to Tivoli Identity Manager, enter the Tivoli Identity Manager Server administrator user ID (itim manager) and password (immediately after installation, the value is secret).
4. After the first successful login, the login window immediately prompts you to change the administrator password. Ensure that your password change succeeds.
   Note: It is recommended that you create a backup administrator user ID with the same access rights as the "itim manager" user ID.
5. If attempts to log on to Tivoli Identity Manager continue to fail, determine whether the SystemOut.log file contains errors about referencing Tivoli Identity Manager properties files. Ensure that the ITIM_HOME\data directory contains the properties files, and that the WebSphere Application Server also references the ITIM_HOME\data directory. Complete these steps:
   a. On the WebSphere administrative console, click Servers > Application Servers.
   b. Select a server such as server1 and, under Server Infrastructure > Java and Process Management, click Process Definition.
   c. In the Process Definition, click Java Virtual Machine.
   d. Ensure that the Classpath field specifies the {ITIM_HOME}\data directory.
6. If attempts continue to fail, examine the status of the Tivoli Identity Manager middleware. See:
   - Testing the database connection on page 98
   - Ensuring that the directory server is operational on page 101

Checking the Tivoli Identity Manager bus and messaging engine

Before starting the Tivoli Identity Manager Server, use the WebSphere administrative console to check the status of the bus and messaging engine. To check the bus and messaging engine, complete these steps:
1. Start the WebSphere administrative console:
   http://hostname:port/ibm/console
   The value of hostname is the fully qualified host name or the IP address of the computer on which the WebSphere Application Server is running. The value of port is the port number for the WebSphere administrative HTTP transport. The default value is 9060.
2. Click Service Integration > Buses.
3. If the bus has been set up, you see the itim_bus. Click itim_bus.
4. In the Topology section, click Messaging engines.

For a single-server installation, you see an engine named nodename.servernameitim_bus, and the status of the engine is started. For a cluster installation, you see n+1 messaging engines, where n is the number of Tivoli Identity Manager cluster members; the additional messaging engine is used for the Tivoli Identity Manager messaging cluster. All of these engines must be started.

If a messaging engine is not started, click the messaging engine name, and under the Additional Properties section, click Message store to see the data source JNDI name. From this JNDI name, you can locate the Tivoli Identity Manager data source defined under the Resources section and test the data source connection. If the data source connection test fails, see Testing the database connection for more information about how to resolve the issue. If the connection test succeeds, examine the WAS_PROFILE_HOME\logs\server_name\SystemOut.log file to determine the reason that the messaging engine cannot be started.

Verifying that the database is running correctly

Testing the database connection

Before starting the Tivoli Identity Manager Server, use the WebSphere administrative console to test the database connection. Complete these steps:
1. Start the WebSphere administrative console:
   http://hostname:port/ibm/console
   The value of hostname is the fully qualified host name or the IP address of the computer on which the WebSphere Application Server is running. The value of port is the port number for the WebSphere administrative HTTP transport. The default value is 9060.
2. Click Resources > JDBC > Data Sources.
3. Select ITIM Data Source.
4. Click Test Connection. A message appears that indicates the test result.

Repeat these steps for the ITIM Bus DataSource and, for clusters, additionally test the ITIM BUS Shared DataSource. If any connections do not work, complete these steps:
1. The CLASSPATH definition of the JDBC provider is set up during the Tivoli Identity Manager installation. Verify that the CLASSPATH value is correct. Complete these steps:
   a. Start the WebSphere administrative console:
      http://hostname:port/ibm/console
      The value of hostname is the fully qualified host name or the IP address of the computer on which the WebSphere Application Server is running. The value of port is the port number for the WebSphere administrative HTTP transport. The default value is 9060.
   b. Click Resources > JDBC > JDBC Providers > ITIM XA DB2 JDBC Provider.
   c. Examine the properties to verify that the CLASSPATH value is correct. For example, for DB2 its value is like these values:
      $ITIM_DB_JDBC_DRIVER_PATH\db2jcc.jar
      $ITIM_DB_JDBC_DRIVER_PATH\db2jcc_license_cisuz.jar
      $ITIM_DB_JDBC_DRIVER_PATH\db2jcc_license_cu.jar
      To determine the value of $ITIM_DB_JDBC_DRIVER_PATH, click Environment > WebSphere Variables. Scroll through the list to locate the variable and confirm that it is correct.
2. Verify that the DB2 user ID and password are correct. Complete these steps:
   a. Start the WebSphere administrative console:
      http://hostname:port/ibm/console
      The value of hostname is the fully qualified host name or the IP address of the computer on which the WebSphere Application Server is running. The value of port is the port number for the WebSphere administrative HTTP transport. The default value is 9060.
   b. Click Resources > JDBC > Data Sources > ITIM Data Source.
   c. Examine these fields to verify the correct values:
      - Component-managed Authentication Alias: the value is itim-init.
      - Container-managed Authentication Alias: the value is itim-init.
   d. Under the Related Items category, click JAAS - J2C authentication data. Examine the Alias list to ensure that an itim-init entry exists.
      1) Click itim-init.
      2) Verify that the value of the user ID field is identical to the Tivoli Identity Manager Database User specified in the ITIM_HOME\data\enrole.properties file, for example, itimuser. Do not change this value.
      3) Note the password field. If you use this field to reset the password, ensure that the password value that you enter is identical to the value defined in the ITIM_HOME\data\enRoleDatabase.properties file.
3. Ensure that other database settings are correct by checking the status of the DB2 service listening port (typically 50000, 50002, or 60000) by using a utility such as netstat. The system etc directory contains a file called services which contains the actual port number being used. For more information, see Determining the correct service listening port and service name on page 17.
4. If DB2 is not listening on the port and you are using IPv6 and UNIX/Linux to connect to DB2, you might need to modify your /etc/hosts file. Complete these steps:
   a. On the machine running IPv6, append these two lines to your /etc/hosts file:
      IP4_address hostname
      IP6_address hostname
      For example, if the hostname is myhost, the IP6_address is 0000:ffff:ffff:0000:20e:cff:fe50:39c8 and the IP4_address is 192.168.4.4, then append these two lines to the /etc/hosts file:
      192.168.4.4 myhost
      0000:ffff:ffff:0000:20e:cff:fe50:39c8 myhost
   b. Log in as the DB2 instance owner and restart the DB2 server by issuing the following commands:
      db2stop
      db2start
   c. Ensure that DB2 is running on the IPv6 address by issuing the following command:
      netstat -an | grep db2port
      For example, if DB2 is running on port 50000, you see the following line in the output:
      tcp 0 0 :::50000 :::* LISTEN

Troubleshooting SQL Server 2005 issues

When the itim manager account logs in for the first time, the user is typically prompted to change the password. This prompt might not work with SQL Server 2005. To resolve this issue, complete these steps:
1. After installing Tivoli Identity Manager, log in to the SQL Server 2005 host computer.
2. Launch the Microsoft SQL Server Management Studio.
3. Expand the SQL server in the object explorer.
4. Expand Databases and move to the master database.
5. Expand Security > Schemas.
6. Right-click DBO and click Properties.
7. Click Permissions, click Add, and browse to add the required users.
8. Grant all permissions to these required users and click OK.
9. Restart the server, disconnect, and reconnect with user sa in mixed authentication mode.

Database configuration is too restrictive for MS SQL Server

If Tivoli Identity Manager is configured with MS SQL Server 2005 as the Tivoli Identity Manager database, you might receive the following message in the trace.log file. The error might occur the first time you access the Tivoli Identity Manager server after you perform the DBConfig operation:
javax.transaction.xa.xaexception: java.sql.sqlexception: Failed to create the XA control connection. Error: EXECUTE permission denied on object 'xp_sqljdbc_xa_init', database 'master', schema 'dbo'.

To resolve this issue, complete the following steps.
Note: In this task, itimuser is the database user configured for the ITIM database, and itimdb is the name of the database configured for Tivoli Identity Manager.
1. Stop the application server.
2. Launch the Microsoft SQL Server Management Studio.
3. Expand the SQL server in the object explorer.
4. Expand Databases and delete itimdb.
5. Delete the itimuser schema from the master database:
   a. Expand Databases > System Databases > master > Security > Schemas.
   b. Delete itimuser.
6. Delete the itimuser, ITIML000, ITIML001, and so forth logins from Security > Logins.
7. Create the database. See Chapter 2, Installing and configuring a database, on page 9.
8. Perform dbconfig.
9. Start the application server.

Note: If the name of the database or database user is changed, perform runconfig and restart the application server.

Verifying that the directory server is properly running

Ensuring that the directory server is operational

This section describes the steps to ensure that the installed directory server for Tivoli Identity Manager is running. To determine whether the IBM Tivoli Directory Server is running, complete these steps:

On Windows systems, click Start > Programs > Administrative Tools > Services. Locate the directory server entry, such as IBM Tivoli Directory Server Instance V6.2 - ldapdb2, and ensure that the directory server service is started. If the service has not started, select it, and then select Action > Start from the main menu of the Services window.

On UNIX/Linux systems, ensure that the ibmslapd process is running. Enter this command:
ps -ef | grep ibmslapd
The ps (process) command searches for processes. The grep command selects the processes that contain a string. The parameters in this example include:
-e Select all processes.
-f Display a full listing.
If the IBM Tivoli Directory Server is running, a process ID (PID) number is returned. If a PID number is not returned, the server must be restarted. First, stop the server:
ibmslapd -I <instancename> -k
Restart the server:
ibmslapd -I <instancename>

If the IBM Tivoli Directory Server is running, you must ensure that the IBM Tivoli Directory Server is not in configuration mode only. Enter this command:
ldapsearch -s base -b " " objectclass=* ibm-slapdisconfigurationmode
If the IBM Tivoli Directory Server is not in configuration mode, the value of the ibm-slapdisconfigurationmode parameter is FALSE. The ldapsearch command opens a connection to an LDAP server, binds, and performs a search. The -s parameter specifies the scope of the search to be base, one, or sub, which searches the base object, one level, or subtree. The -b parameter uses searchbase as the starting point for the search, instead of the default.
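The ldapsearch check above and the netstat check in the DB2 section are the two command-line signals this chapter gives for middleware health, and both are easy to misread by eye (the IPv6 wildcard, for example, appears as ":::50000"). The following script is an added example, not IBM's code: it evaluates captured output of those two commands and reports the findings this chapter describes; the ldapsearch and netstat samples embedded below are constructed in the formats shown here, and the function and variable names are the example's own.

```python
"""Evaluate the output of the two middleware checks this chapter describes: the
ldapsearch query for ibm-slapdisconfigurationmode and the netstat listing of the
DB2 service port.  Added example, not IBM's code; the captured outputs below are
constructed samples in the formats this chapter shows, not real command output."""
import re


def directory_in_configuration_mode(ldapsearch_output):
    """True if the root DSE reports configuration-only mode, False if it reports
    normal operation, None if the attribute is absent (for example because the
    search never reached the server)."""
    for line in ldapsearch_output.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "ibm-slapdisconfigurationmode":
            return value.strip().upper() == "TRUE"
    return None


# One `netstat -an` line in LISTEN state: proto recv-q send-q local:port foreign state
LISTEN_RE = re.compile(r"^\s*tcp\d?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s*$")


def listening_addresses(netstat_output, port):
    """Local addresses on which `port` is in LISTEN state.  The IPv6 wildcard is
    printed as ':::50000', so its address part comes back as '::'."""
    found = set()
    for line in netstat_output.splitlines():
        match = LISTEN_RE.match(line)
        if match and int(match.group(2)) == port:
            found.add(match.group(1))
    return found


def db2_listens_on_ipv6(netstat_output, port):
    """True when DB2 accepts connections on an IPv6 address (wildcard or explicit)."""
    return any(":" in addr for addr in listening_addresses(netstat_output, port))


def hosts_entries(hostname, ip4_address, ip6_address):
    """The two /etc/hosts lines this chapter says to append when DB2 is not
    reachable over IPv6; returned rather than written so they can be reviewed."""
    return ["%s %s" % (ip4_address, hostname), "%s %s" % (ip6_address, hostname)]


def middleware_findings(ldapsearch_output, netstat_output, db2_port):
    """Combine both checks into a list of findings; an empty list means both look healthy."""
    findings = []
    mode = directory_in_configuration_mode(ldapsearch_output)
    if mode is None:
        findings.append("ibm-slapdisconfigurationmode not returned; directory server may be down")
    elif mode:
        findings.append("directory server is in configuration mode only")
    addrs = listening_addresses(netstat_output, db2_port)
    if not addrs:
        findings.append("nothing is listening on DB2 port %d" % db2_port)
    elif not db2_listens_on_ipv6(netstat_output, db2_port):
        findings.append("DB2 port %d listens on IPv4 only: %s"
                        % (db2_port, ", ".join(sorted(addrs))))
    return findings


# Constructed samples in the shapes this chapter shows.
LDAPSEARCH_OK = "dn:\nibm-slapdisconfigurationmode: FALSE\n"
LDAPSEARCH_CONFIG_MODE = "dn:\nibm-slapdisconfigurationmode: TRUE\n"
NETSTAT_IPV6 = "tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN\ntcp 0 0 :::50000 :::* LISTEN\n"
NETSTAT_IPV4_ONLY = "tcp 0 0 0.0.0.0:50000 0.0.0.0:* LISTEN\n"

if __name__ == "__main__":
    print(middleware_findings(LDAPSEARCH_OK, NETSTAT_IPV6, 50000))
    print(middleware_findings(LDAPSEARCH_CONFIG_MODE, NETSTAT_IPV4_ONLY, 50000))
    print(hosts_entries("myhost", "192.168.4.4", "0000:ffff:ffff:0000:20e:cff:fe50:39c8"))
```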
If problems continue, examine the ibmslapd.log file for messages that indicate whether the directory serer is completely or partially started. The location of the log file depends on the IBM Tioli Directory Serer ersion: Windows: ITDS_INSTANCE_HOME\logs\ibmslapd.log. For example, the file is in the C:\idsslapd-ldapdb2\logs directory. UNIX/Linux: ITDS_INSTANCE_HOME/etc/ibmslapd.log. On Linux, for example, the file is in the /home/ldapdb2/idsslapd-ldapdb2/etc/logs directory. Checking the Web browser operation This section describes potential problems associated with the Web browser. Chapter 9. Verifying and troubleshooting the installation 101

Ensuring that the browser registers the Java plug-in

Tivoli Identity Manager uses applets that require the Java plug-in, which is provided by the Java 2 Runtime Environment, Standard Edition (JRE). The Java plug-in provides a connection between browsers and the Java platform, and enables applets to run within a browser. For more information about the version of the Java plug-in that Tivoli Identity Manager supports, refer to the Tivoli Identity Manager Information Center. If the Java plug-in is not installed on your system, or is not at a supported level, the browser prompts you to install the plug-in. For more information about these steps, refer to the Tivoli Identity Manager Information Center.

Microsoft Internet Explorer: Enabling active scripting

For Microsoft Internet Explorer, ensure that the Active Scripting item is enabled in the Scripting section of the Internet Options. Complete these steps:
1. Click Tools > Internet Options on the main menu.
2. On the Security tab, click the Internet icon, and then click the Custom Level button.
3. In the Scripting, Active Scripting area, select Enable.
4. Click OK.
5. In the Internet Options window, click OK.

Using a supported browser

You might not be able to log on to Tivoli Identity Manager for various reasons. For example, you could be using an unsupported Web browser. For a list of supported browsers, refer to the Tivoli Identity Manager Information Center.

Avoiding two Web browser sessions on the same computer

Do not start two separate browser sessions from the same client computer. The two sessions are regarded as one session ID, which causes problems with data.

Troubleshooting Tivoli Identity Manager within WebSphere Application Server

The Tivoli Identity Manager application runs within the WebSphere Application Server as an enterprise application. The Tivoli Identity Manager installation program uses the WebSphere command-line interface (wsadmin) to deploy the Tivoli Identity Manager application onto the WebSphere Application Server. Deploying the Tivoli Identity Manager application also performs certain configuration steps on the WebSphere Application Server. When the deployment completes, the Tivoli Identity Manager files are in these directories:

    WAS_PROFILE_HOME\installedApps\cellname\ITIM.ear
    WAS_PROFILE_HOME\config\cells\cellname\applications\ITIM.ear

If the deployment fails, check the installation log files under ITIM_HOME\install_logs\ starting with the itim_install_activity.log, and examine the setupenrole.stdout log file.

102 IBM Tivoli Identity Manager Server: Installation and Configuration Guide

Correcting connection scripting errors

If the log data indicates a failure to establish a SOAP connection to the WebSphere Application Server configuration manager, or some type of WebSphere Application Server scripting error, complete these steps:
1. Resolve the problem that prevents the connection to the WebSphere Application Server or the problem described as a scripting error. For more information, refer to the WebSphere documentation.
2. Run one of the following commands to deploy the Tivoli Identity Manager Server onto the WebSphere Application Server:
   If WebSphere administrative security and application security is on, run this command (this command is one line):

       ITIM_HOME\bin\setupEnrole.exe install server:name user:user_id password:pwd ejbuser:ejb_user_id

   The value of server_name is the name of the WebSphere Application Server on which the Tivoli Identity Manager application is deployed. The value of user_id is the WebSphere administrator user ID, such as wasadmin. The value of pwd is the password for the WebSphere administrator user ID, such as wasadmin. The value of ejb_user_id is the Tivoli Identity Manager EJB user ID, which uses the WebSphere Application Server administrator user ID by default.
   If WebSphere administrative security and application security is off, enter this command:

       ITIM_HOME\bin\setupEnrole.exe install server:name

Correcting timeout errors

If the log data indicates that the failure is due to a timeout error, continue the Tivoli Identity Manager installation process. If the Tivoli Identity Manager installation program has completed, delete the following directories if they exist:

    WAS_PROFILE_HOME\installedApps\cellname\ITIM.ear
    WAS_PROFILE_HOME\config\cells\cellname\applications\ITIM.ear

Run one of the following commands to deploy the Tivoli Identity Manager Server onto the WebSphere Application Server:
If WebSphere administrative security and application security is on, run this command:
    Windows operating systems:
        ITIM_HOME\bin\setupEnrole.exe install server:name user:user_id password:pwd ejbuser:ejb_user_id
    UNIX or Linux operating systems:
        ITIM_HOME/bin/setupEnrole.sh install server:name user:user_id password:pwd ejbuser:ejb_user_id
The value of server_name is the name of the WebSphere Application Server on which the Tivoli Identity Manager application is deployed. The value of user_id is the WebSphere administrator user ID, such as wasadmin. The value of pwd is the password for the WebSphere administrator user ID, such as wasadmin. The value of ejb_user_id is the Tivoli Identity Manager EJB user ID, which uses the WebSphere Application Server administrator user ID by default.
If WebSphere administrative security and application security is off, enter this command:
    Windows operating systems:
        ITIM_HOME\bin\setupEnrole.exe install server:name
    UNIX or Linux operating systems:
        ITIM_HOME/bin/setupEnrole.sh install server:name

Determining the port number of the default host

If you have multiple instances of WebSphere Application Server running on the same computer, the port number might be a different value. To determine the port number of the default host, complete these steps:
1. Log in to the WebSphere Application Server administrative interface.
2. Click Server > Application servers.
3. Click the server which hosts the Tivoli Identity Manager application cluster member.
4. Under the Communications section, click the Ports link.
5. Find the port number listed next to the WC_defaulthost port name. This port number is the one used to connect to Tivoli Identity Manager.

Log files

When the system configuration is complete, you can find the log files in Table 5 in the directories specified.

Table 5. Installation log file names and directories

File names
    Description and location

log.txt
    Installation log file for WebSphere Application Server. Located in the system temp directory.
itim_install.stdout, itim_install.stderr
    Standard out and error log files for Tivoli Identity Manager. Located in the system root directory.
dbconfig.stdout, ldapconfig.stdout, itim_installer_debug.txt, runconfigfirsttime.stdout, runconfig.stdout, setupenrole.stdout, StartStopWas.stdout, itim_install_activity.log
    Located in the ITIM_HOME\install_logs directory.
trace.log, msg.log
    Located in the TIVOLI_COMMON_DIRECTORY\CTGIM\logs\ directory. The Tivoli Common Directory is the central location for all serviceability-related files, such as log files and first-failure capture data.
cfg_itim_mw.log
    The middleware configuration utility log file. Located in the system %TEMP% directory.
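The two redeploy procedures above (after a connection or scripting error, and after a timeout) differ only in whether the stale ITIM.ear directories are removed first and in whether administrative security is on. The following added example, which is not from the IBM guide, scripts both paths for UNIX or Linux with setupEnrole.sh. It assumes that ITIM_HOME and WAS_PROFILE_HOME are exported, that the cell name is passed in, and that the WebSphere administrator password is read from an environment variable named ITIM_WAS_PASSWORD, a name chosen for this example; the function names are likewise this example's own.

```shell
#!/bin/sh
# Added example, not from the IBM guide: redeploys the Tivoli Identity Manager
# application onto WebSphere Application Server with setupEnrole.sh, following the
# two recovery paths described above (connection/scripting error, timeout error).
# Assumptions (mine): UNIX/Linux; ITIM_HOME and WAS_PROFILE_HOME are exported;
# the cell name is passed in; the WebSphere administrator password is read from
# the environment variable ITIM_WAS_PASSWORD, a name chosen for this example.

# Build the setupEnrole argument list exactly as the guide spells it.
# $1 server name, $2 "on"/"off" for administrative + application security,
# $3 WebSphere administrator user ID, $4 its password, $5 EJB user ID
# (defaults to the administrator ID, which is also the guide's default).
build_setupenrole_args() {
  server=$1; security=$2; user=$3; pass=$4; ejbuser=${5:-$3}
  if [ "$security" = "on" ]; then
    printf 'install server:%s user:%s password:%s ejbuser:%s' "$server" "$user" "$pass" "$ejbuser"
  else
    printf 'install server:%s' "$server"
  fi
}

# Timeout recovery: remove the two ITIM.ear directories named in the guide when
# they exist, so the redeploy starts from a clean state. Prints how many were removed.
# $1 WAS_PROFILE_HOME, $2 cell name.
remove_stale_ear_dirs() {
  profile=$1; cell=$2; removed=0
  for d in "$profile/installedApps/$cell/ITIM.ear" \
           "$profile/config/cells/$cell/applications/ITIM.ear"; do
    if [ -d "$d" ]; then
      rm -rf "$d"
      removed=$((removed + 1))
    fi
  done
  echo "$removed"
}

# Redeploy. $1 recovery type ("connection" or "timeout"), $2 server name,
# $3 security on/off, $4 admin user, $5 cell name, $6 EJB user (optional).
# For the connection case the guide expects the SOAP/scripting problem to be
# fixed first; this function only performs the redeploy step.
redeploy_itim() {
  kind=$1; server=$2; security=$3; user=$4; cell=$5; ejbuser=$6
  if [ "$kind" = "timeout" ]; then
    n=$(remove_stale_ear_dirs "$WAS_PROFILE_HOME" "$cell")
    echo "removed $n stale ITIM.ear directories"
  fi
  args=$(build_setupenrole_args "$server" "$security" "$user" "${ITIM_WAS_PASSWORD:-}" "$ejbuser")
  # Word splitting of $args is intended: each token is one setupEnrole argument.
  "$ITIM_HOME/bin/setupEnrole.sh" $args
  rc=$?
  if [ "$rc" -ne 0 ]; then
    echo "setupEnrole.sh failed (rc=$rc); see $ITIM_HOME/install_logs/setupenrole.stdout" >&2
  fi
  return "$rc"
}

if [ $# -gt 0 ]; then
  redeploy_itim "$@"
fi
```

Usage: `./redeploy_itim.sh timeout server1 on wasadmin cell01`. Taking the password from the environment keeps it out of shell history, but setupEnrole still receives it as a command-line argument, exactly as in the guide's own command, so it is visible in the process list for the duration of the run; set ITIM_WAS_PASSWORD in the session rather than in a stored script. On failure the function points at setupenrole.stdout, the log Table 5 lists for this step.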

Chapter 10. Upgrading to Tivoli Identity Manager Version 5.1

The Tivoli Identity Manager installation program upgrades a computer that has the following versions of Tivoli Identity Manager:
- Tivoli Identity Manager Version 4.6
- Tivoli Identity Manager Version 5.0
- Tivoli Identity Manager Version 5.1 with WebSphere Application Server 6.1

Some manual steps are required to preserve or recustomize settings. This section describes upgrading both single-server and cluster configurations. For more information about prerequisite software that this release supports, refer to the Tivoli Identity Manager Information Center.

Description of the upgrade process

The upgrade process has these major tasks:
1. Migrate your operating system to a level that this release of Tivoli Identity Manager supports, and ensure that the system has the required fix pack or patches. For more information about operating system requirements, see the IBM Tivoli Identity Manager Information Center Release Information.
   Note: If you are upgrading from Linux SUSE 9 to SUSE 10, make sure to back up your existing /etc/services file before the upgrade and copy the file back to the /etc directory after upgrade.
2. Migrate your database to the supported version, and ensure that you can perform database commands.
3. Migrate your directory server to the supported version, and ensure that you can perform directory server commands.
4. If you are using IBM Tivoli Directory Integrator, migrate it to the supported version.
5. If you are upgrading from Tivoli Identity Manager Version 4.6, install WebSphere Application Server in a separate directory. Running WebSphere Application Server upgrade utilities (WASPreUpgrade and WASPostUpgrade) is not recommended. To perform the installation, perform the following tasks:
   Single-server: Install WebSphere Application Server and any necessary fix packs for a stand-alone node.
   Cluster: Install WebSphere Application Server and any necessary fix packs on the deployment manager node and each cluster member node, then federate the nodes to the cell and create a cluster.
   If you do not want to disable the old version of WebSphere Application Server upon installing WebSphere Application Server, make sure to choose the option to allow coexistence with WebSphere Application Server Version 5.1. The WebSphere Application Server detects any port conflicts with the older version. For more information about installation, refer to Chapter 5, Installing and configuring WebSphere Application Server, on page 41 or the WebSphere documentation at this Web site: http://publib.boulder.ibm.com/infocenter/wasinfo/6r1/index.jsp
   If you are upgrading from Tivoli Identity Manager Version 5.0, apply any necessary fix packs to WebSphere Application Server.

Copyright IBM Corp. 2009 105

6. If you are upgrading from Tivoli Identity Manager Version 4.6, stop the old version of WebSphere Application Server where Tivoli Identity Manager is running:
   Single-server: Stop WebSphere Application Server Version 5.1.
   Cluster: Stop WebSphere Application Server Version 5.1 on all nodes in the cell where Tivoli Identity Manager is running and stop the WebSphere Application Server deployment manager.
7. Upgrade the Tivoli Identity Manager Server using the Tivoli Identity Manager Version 5.1 installation program. The Tivoli Identity Manager installation program upgrades the database schema and data, the directory server schema and data, the WebSphere Application Server configuration for Tivoli Identity Manager, the Tivoli Identity Manager property files, and other Tivoli Identity Manager files. During the upgrade process, the ITIM_HOME\data directory is backed up to the ITIM_HOME\data\backup directory for later recovery if necessary. If you are using IBM Tivoli Directory Integrator, you need to upgrade the adapters separately. See the IBM Tivoli Identity Manager Information Center Adapter document for detailed instructions.
   Note: To perform the upgrade, you must select the current ITIM_HOME directory as the Tivoli Identity Manager Version 5.1 installation location.

After making an upgrade, you can validate the current Tivoli Identity Manager version by examining the copyright notice in the header of the Messages.properties file in the ITIM_HOME\data directory.

Processes and settings that the upgrade process preserves

The upgrade process preserves running workflow processes pending for approval or other related actions such as password changes. If you are upgrading from Tivoli Identity Manager 4.6, for these workflow processes to continue to run after upgrade, you need to ensure that no messages are in the Java Message Service (JMS) queues. For more information, see Determining that the WebSphere MQ message queue is empty on page 116.

The upgrade process preserves the following settings:
- Certificate-authority (CA) certificates. Tivoli Identity Manager demonstration certificates are updated.
- Tivoli Identity Manager properties defined in the following files:
      enrole.properties
      enroleauthentication.properties
      enroledatabase.properties
      enroleldapconnection.properties
      enrolemail.properties
      enrolelogging.properties
      enroleauditing.properties
      enroleworkflow.properties
      ui.properties
      CustomLabels.properties
      CustomLabels_en.properties
      adhocreporting.properties
      crystal.properties

      SelfServiceScreenText.properties
      SelfServiceScreenText_en.properties
      SelfServiceHelp.properties
      SelfServiceUI.properties
      SelfServiceHomePage.properties
      scriptframework.properties
- The following workflow system files in the data\workflow_systemprocess directory:
      notifytemplate.html
      Note: The notification template has been modified since Tivoli Identity Manager Version 5.0. To use the new template, rename notifytemplate.html.5.0 back to notifytemplate.html. For more information about migration of notification templates, see Migrating notification templates on page 118.
      addserviceselectionpolicy.xml
- Any default notification templates stored in LDAP if they were modified in Tivoli Identity Manager Version 4.6 or 5.0. If you are upgrading from Tivoli Identity Manager 4.6 and none of the default notification templates were modified in Version 4.6, the upgrade process replaces all of them with the new templates. For more information about manual migration of notification templates, see Migrating notification templates on page 118.

Processes and settings that are not preserved, or require manual upgrade

The upgrade process does not preserve the following workflow processes, which you must stop or allow to complete before you upgrade Tivoli Identity Manager:
- Policy Add/Modify/Remove
- Dynamic Role Add/Modify/Remove
- Reconciliations
- Identity feeds

All other customized data and settings are lost after the upgrade process. For more information, see Preserving customized data manually on page 117. These user customizations are not preserved:
- Java security (for Tivoli Identity Manager 4.6 on WebSphere Application Server 5.1)
  If you are upgrading from Tivoli Identity Manager 4.6, you need to manually apply the changes that you made for the previous IBM Development Kit for Java to the new IBM Development Kit for Java bundled with the WebSphere Application Server.
- Custom logos used in a Welcome page and XLS style sheets.
  If you modified the welcome page, you must reimplement the Styles.css file.
- EJB user ID and password (for Tivoli Identity Manager 4.6 on WebSphere Application Server 5.1)
  During upgrade the user enters the WebSphere Application Server administrator user ID and password. If you are running Tivoli Identity Manager 4.6 on WebSphere Application Server 5.1, the user ID and password might be the same or different from this new entry. The default Tivoli Identity Manager EJB user ID and password on the Security tab of the system configuration GUI is set as the same as the WebSphere Application Server 6.1 administrative user ID and

  password. Change the EJB user ID and password if the user ID and password are different from the WebSphere Application Server administrative user ID and password.
- Any customized WebSphere Application Server configurations. Examples include the ITIM_CLIENT role mapping, which must be remapped, and the shared library used by Tivoli Identity Manager through a WebSphere Application Server shared library definition.
- Crystal configuration
  Back up all existing Crystal configuration scripts before performing the upgrade so the same scripts can be referenced later. For more information about Crystal configuration, see Configuring Crystal on page 123.

Additionally, manually upgrade the following components:
- Tivoli Identity Manager jar files that the Tivoli Identity Manager client applications use. Tivoli Identity Manager client applications must replace their current itim_api.jar, api_ejb.jar, itim_server_api.jar and jlog.jar files with those files from Tivoli Identity Manager Version 5.1. For any Tivoli Identity Manager client application that has a duplicate copy of Tivoli Identity Manager properties files on the client side, take these steps:
  1. Rename the duplicate property files on the client application to preserve any manual changes that you might have made.
  2. Copy the property files from the Tivoli Identity Manager Server to the duplicate copy on the client application.
  3. If you manually changed the duplicate property files earlier, manually apply the changes again.
- The HR Feed services forms in Tivoli Identity Manager 5.1 add a new check box for evaluating Separation Of Duty policies. To enable this feature, use Configure System -> Design Form to include the new attribute erevaluatesod in the HR feed service definition form. The erevaluatesod attribute is of the type boolean and needs to be included as a check box on the form.
- Tivoli Identity Manager Version 5.1 has introduced new default access control items; however, the upgrade process does not change the access control items for the existing organizations. You need to manually upgrade them. For more details, see Manually upgrading the access control items on page 123.

Before you begin

Before upgrading Tivoli Identity Manager, complete these steps:
1. Reduce system activity before starting the upgrade process. It is recommended that you avoid starting policy enforcements or reconciliation requests before upgrading Tivoli Identity Manager. Do not delete entries directly from the SCHEDULED_MESSAGES table in the Tivoli Identity Manager database.
2. Complete or stop the following workflow processes, which are not preserved during upgrade:
   - Policy Add/Modify/Remove
   - Dynamic Role Add/Modify/Remove
   - Reconciliations
   - Identity feeds
3. Make sure that no new workflow requests are submitted before the upgrade process by shutting down API clients and turning off web access to the Tivoli Identity Manager application. If you are upgrading from Tivoli Identity Manager 4.6, for running workflow processes to continue to run after upgrade, make sure that the JMS messages in the JMS queues are clear. See Determining that the WebSphere MQ message queue is empty on page 116 for details on how to check the JMS queues.
4. Migrate the database server to the supported version. Then, back up the Tivoli Identity Manager database, and ensure that the database server is running.
   DB2 Database: For information about upgrading DB2 Database, refer to this Web site: http://publib.boulder.ibm.com/infocenter/db2luw/9/index.jsp
   Note: Upon upgrade of DB2 Database, the port number might change. Verify the port number that you are using. For more information, see Determining the correct service listening port and service name on page 17.
   Oracle: For information about upgrading Oracle, refer to this Web site: http://www.oracle-base.com/articles/11g/upgradingto11g.php
   SQL Server 2005: For information about upgrading SQL Server 2005, refer to this Web site: http://www.microsoft.com/sql/solutions/upgrade/default.mspx
   For information about configuring SQL Server 2005, see Configuring SQL Server 2005 on page 25.
5. Migrate the directory server to the supported version. Then, back up the Tivoli Identity Manager schema and data, and ensure that the directory server is running. For Tivoli Identity Manager Version 4.6 or 5.0 recovery purposes, export the Tivoli Identity Manager LDAP directory to an LDIF file. If you are running the IBM Tivoli Directory Server, configure the IBM Tivoli Directory Server referential integrity plug-in. For more information, see Manually configuring the referential integrity plug-in on the IBM Tivoli Directory Server on page 32.
   Note: Migration is not necessary if you are using IBM Tivoli Directory Server Version 6.1 or 6.2 or Sun Enterprise Directory Server 6.3, which are supported directory servers.
6. Complete these steps for the WebSphere Application Server installation and configuration:
   Single-server: Install any necessary fix packs. If you are upgrading from Tivoli Identity Manager 4.6, install the WebSphere Application Server and any necessary fix packs for a stand-alone node.
   Cluster: Install any necessary fix packs. If you are upgrading from Tivoli Identity Manager 4.6, install the WebSphere Application Server and any necessary fix packs on the deployment manager node and each cluster member node, then federate the nodes to the cell and create clusters for the Tivoli Identity Manager application and the messaging engine.
7. On a single-server configuration, and on each cluster member in a cluster configuration, complete these steps:
   a. Back up the itim directory.
   b. If you are upgrading from Tivoli Identity Manager 4.6, access the OLD_WAS_HOME\installedApps\cellname\enRole.ear directory and store any customized files in a temporary holding area.

   c. If you are upgrading from Tivoli Identity Manager 5.0, access the WAS_HOME\installedApps\cellname\ITIM.ear directory and store any customized files in a temporary holding area.
8. Ensure that the appropriate servers are running in the WebSphere environment. Complete this step:
   Single-server configuration: Start WebSphere Application Server with the latest fix packs that you installed (refer to the Tivoli Identity Manager Information Center for the most current fix pack and possible APARs).
   Cluster configuration: Using the WebSphere administrative console, ensure that the deployment manager and all the nodes are federated, that the node agents are running, and that the latest fix packs have been installed (refer to the Tivoli Identity Manager Information Center for the most current fix pack and possible APARs).
9. If you are upgrading from Tivoli Identity Manager 4.6, stop and remove the Tivoli Identity Manager application enrole using the WebSphere administrative console for 5.1.

Upgrading from Tivoli Identity Manager Version 4.6 or 5.0 to Version 5.1, or Version 5.1 on WebSphere Application Server 6.1 to WebSphere Application Server 7.0

These tasks can be used to upgrade a single-server configuration or a cluster configuration.

Note: In Tivoli Identity Manager version 4.6 and earlier, the eralias attribute was the default basis for the global adoption policy. After version 5.0 the global adoption policy is based on the UID attribute. If you are upgrading to Tivoli Identity Manager version 5.1 from version 4.6 or earlier, you need to preserve the existing adoption policy.

Upgrading a single-server configuration

The upgrade process performs these tasks in a single-server configuration:
1. Backs up files in the ITIM_HOME\data directory.
2. Replaces the files in the ITIM_HOME directory.
3. Checks the WebSphere Application Server Version status and tries to start the WebSphere Application Server if it is not running. Refer to the Tivoli Identity Manager Information Center for the most current fix pack and possible APARs.
4. Starts the system configuration tool (runconfig) to prompt the user to examine current system configuration values.
5. Updates several Tivoli Identity Manager properties files. For more information, see Processes and settings that the upgrade process preserves on page 106.
6. Configures WebSphere Application Server for Tivoli Identity Manager Version 5.1.
7. Upgrades the Tivoli Identity Manager database schema and data.
8. Upgrades the Tivoli Identity Manager directory server schema and data.
9. Deploys the Tivoli Identity Manager application (ITIM.ear) to WebSphere Application Server.

10. Stops and starts WebSphere Application Server as well as the Tivoli Identity Manager application.

To upgrade a single-server configuration, complete these steps:
1. To run the installation program, complete these steps:
   Windows:
   a. Click Start > Run.
   b. Enter the drive and path where the installation program is located and then enter the following command:
          instwin.exe
      The Welcome window opens.
   UNIX/Linux:
   a. Open a command shell prompt window, and navigate to the directory where the installation program is located.
   b. Enter the following command for the Tivoli Identity Manager installation program:
          AIX: instaix.bin
          Linux: instlinux.bin
          plinux: instplinux.bin
          zlinux: instzlinux.bin
          Solaris: instsol.bin
      The installation program starts and displays the Welcome window.
   If you are running the installation program on a UNIX/Linux system that does not have at least 150MB of free space in the /tmp directory, you should set the IATEMPDIR environment variable to a directory on a disk partition with enough free disk space. To set the variable, enter one of the following commands at the command line prompt before running the installation program again:
   Bourne shell (sh), ksh, bash, and zsh:
          $ IATEMPDIR=temp_dir
          $ export IATEMPDIR
   C shell (csh) and tcsh:
          $ setenv IATEMPDIR temp_dir
   where temp_dir is the path to the directory, for example /your/free/directory, where free disk space is available.
2. Select the appropriate language and click OK.
3. Click Next to advance past the copyright and legal text.
4. In the License Agreement window, read the license agreement and decide whether to accept its terms. If you do, select Accept and click Next.
5. In the Choose Install Directory window, you must select the existing Tivoli Identity Manager home directory that you want to upgrade. Accept the existing directory, or click Choose and select the correct directory. Then, click Next.

6. In the Upgrade IBM Tivoli Identity Manager window, click Continue to Next to start the upgrade.
7. Read the caution windows to ensure that the prerequisite applications meet the requirements that Tivoli Identity Manager supports. Then, click Next.
8. In the WebSphere Application Server installation directory window, specify the location of WebSphere Application Server. There can be multiple instances of the WebSphere Application Server on the computer. Click Next.
9. In the next window, choose the WebSphere Application Server base profile where the Tivoli Identity Manager application is to be deployed. Click Next.
10. If WebSphere Application Server administrative security is on, a WebSphere Application Server user ID and password window is presented. Enter the user ID and password and click Next.
11. In the Java home window, note the directory to which Tivoli Identity Manager Version 5.1 now points. You might need to manually migrate any files that reference the previous directory to reference the current directory. Click OK.
12. If you use Oracle database or Microsoft SQL Server, a Where is the JDBC Driver? window is presented. Specify the JDBC driver location and name. Click Next. For more information, see Installing the Oracle JDBC driver on page 21 and Installing the SQL Server JDBC driver on page 25.
    Note: If you are upgrading from Tivoli Identity Manager 5.1 on WebSphere Application Server 6.1.1 to Tivoli Identity Manager 5.1 on WebSphere Application Server 7.0, the JDBC driver setup panel is not displayed. Additional manual steps are needed for the Oracle database.
    a. After deploying Tivoli Identity Manager 5.1 on WebSphere Application Server 7.0 Fix Pack 5, remove the ojdbc.jar file from ITIM_HOME/lib and replace it with ojdbc6.jar. Then, rename ojdbc6.jar to ojdbc.jar. This is necessary because WebSphere Application Server 7.0 uses JDK1.6.
    b. Clear the service integration bus. See Clearing the service integration bus on page 116.
13. In the Tivoli Common Directory window, accept the default directory for the Tivoli Common Directory or specify a different directory. The Tivoli Identity Manager installation program creates the CTGIM subdirectory to store serviceability-related files for Tivoli Identity Manager. Ensure that the directory has at least 25 MB of free space. Click Next.
14. In the Pre-install Summary window, click Install.
15. The installation program launches the system configuration tool runconfig to enable you to change configuration settings, if necessary. In the System Configuration Tool window, examine the values of all parameters, which are preserved from the previous version of Tivoli Identity Manager. On the Database tab, verify that the JDBC URL has the correct format of a type 4 JDBC driver URL, and click Test to test the database connection. Change the EJB user ID and password on the Security tab if the user ID and password are different from the WebSphere Application Server administrative user ID and password. Verify the values and click OK. The system configuration requires several minutes to complete. For more information about runconfig, see Configuring commonly used system properties on page 77.
16. The installer invokes the database upgrade program to upgrade the database schema and data. You are prompted to provide the database administrative user ID and password to create or upgrade the database schema required for the messaging engine. If the administrative user ID does not have the proper privileges to create the database schema, an error message is displayed during the upgrade. Run the ITIM_HOME\bin\DBUpgrade program after the upgrade completes and enter the correct database administrative ID. This program ensures that the database schema and tables for the messaging engine are created.
17. The installer invokes the LDAP upgrade program to upgrade the LDAP schema and data silently.
    Note: For Sun Enterprise Directory Server 6.3, if the upgrade adds new indexes, you must index your data again after the upgrade to Tivoli Identity Manager Version 5.1 has completed.
18. After the installation has completed, you might have to manually update any customizations which were not preserved during the upgrade process. For more information, see Preserving customized data manually on page 117.

Upgrading a cluster configuration

The upgrade process performs these tasks in a cluster configuration:
1. Backs up files in the ITIM_HOME\data directory.
2. Replaces the files in the ITIM_HOME directory.
3. On the computer that has the deployment manager, does these tasks:
   a. Deploys the Tivoli Identity Manager application to WebSphere Application Server.
   b. Starts the system configuration tool (runconfig), which prompts the user to examine current system configuration values, updates several Tivoli Identity Manager properties files, and configures WebSphere Application Server for Tivoli Identity Manager. For more information, see Processes and settings that the upgrade process preserves on page 106.
   c. Upgrades the Tivoli Identity Manager database schema and data.
   d. Upgrades the Tivoli Identity Manager directory server schema and data.
4. On each computer that has a Tivoli Identity Manager cluster member, starts the system configuration tool (runconfig), which prompts the user to examine current system configuration values, updates several Tivoli Identity Manager properties files, and configures WebSphere Application Server for Tivoli Identity Manager. For more information, see Processes and settings that the upgrade process preserves on page 106.

To upgrade a cluster configuration on the deployment manager, and on each cluster member computer, complete these steps:
1. To run the installation program, complete these steps:
   Windows:
   a. Click Start > Run.
   b. Enter the drive and path where the installation program is located and then enter the following command:
          instwin.exe
      The Welcome window opens.
   UNIX/Linux:
   a. Open a command shell prompt window, and navigate to the directory where the installation program is located.

   b. Enter the following command for the Tivoli Identity Manager installation program:
          AIX: instaix.bin
          Linux: instlinux.bin
          plinux: instplinux.bin
          zlinux: instzlinux.bin
          Solaris: instsol.bin
      The installation program starts and displays the Welcome window.
   If you are running the installation program on a UNIX/Linux system that does not have at least 150MB of free space in the /tmp directory, you should set the IATEMPDIR environment variable to a directory on a disk partition with enough free disk space. To set the variable, enter one of the following commands at the command line prompt before running the installation program again:
   Bourne shell (sh), ksh, bash, and zsh:
          $ IATEMPDIR=temp_dir
          $ export IATEMPDIR
   C shell (csh) and tcsh:
          $ setenv IATEMPDIR temp_dir
   where temp_dir is the path to the directory, for example /your/free/directory, where free disk space is available.
2. Select the appropriate language and click OK.
3. Click Next to advance past the copyright and legal text.
4. In the License Agreement window, read the license agreement and decide whether to accept its terms. If you do, select Accept and click Next.
5. In the Choose Install Directory window, you must select the existing Tivoli Identity Manager home directory that you want to upgrade. Accept the existing directory, or click Choose and select the correct directory. Then, click Next.
6. In the Upgrade IBM Tivoli Identity Manager? window, click Continue to Next to start the upgrade.
7. Read the caution windows to ensure that the prerequisite applications meet Tivoli Identity Manager requirements. Then, click Next.
8. If the Tivoli Identity Manager cluster member is installed on the computer, specify the WebSphere Application Server installation directory and click Next. Then select the WebSphere Application Server profile name and click Next.
9. If the deployment manager is installed on the computer, specify the deployment manager installation directory and click Next. Then select the WebSphere Deployment Manager profile name and click Next.
10. If WebSphere Application Server administrative security is on, a WebSphere Application Server user ID and password window is presented. Enter the user ID and password and click Next.

11. In the Jaa home window, notice the directory to which Tioli Identity Manager Version 5.1 now points. You might need to manually migrate any files that reference the preious directory to reference the current directory. Click OK. 12. If you use Oracle database or Microsoft SQL Serer, a Where is the JDBC Drier? Window is presented. Specify the JDBC drier location and name. Click Next. For more information, see Installing the Oracle JDBC drier on page 21 and Installing the SQL Serer JDBC drier on page 25. Note: If you are upgrading from Tioli Identity Manager 5.1 on WebSphere Application Serer 6.1.1 to Tioli Identity Manager 5.1 on WebSphere Application Serer 7.0, the JDBC drier setup panel is not displayed. Additional manual steps are needed for the Oracle database. a. After deploying Tioli Identity Manager 5.1 on WebSphere Application Serer 7.0 Fix Pack 5, remoe the ojdbc.jar file from ITIM_HOME/lib and replace it with ojdbc6.jar. Then, rename ojdbc6.jar to ojdbc.jar. This is necessary because WebSphere Application Serer 7.0 uses JDK1.6. b. Clear the serice integration bus. See Clearing the serice integration bus on page 116. 13. In the Tioli Common Directory window, accept the default directory for the Tioli Common Directory or specify a different directory. The Tioli Identity Manager installation program creates the CTGIM subdirectory to store sericeability-related files for Tioli Identity Manager. Ensure that the directory has at least 25 MB of free space. 14. In the Pre-install Summary window, read the summary. Then, click Install. 15. The installation program launches the system configuration tool runconfig to enable you to change configuration settings, if necessary. In the System Configuration Tool window, examine the alues of all parameters, which are presered from the preious ersion of Tioli Identity Manager. On the Database tab, erify that the JDBC URL has the correct format of type 4 JDBC drier URL, and click Test to test the database connection. 
Change the EJB user ID and password on the Security tab if the user ID and password are different from the WebSphere Application Serer administratie user ID and password. Verify the alues and click OK. The system configuration requires seeral minutes to complete. For more information about runconfig, see Configuring commonly used system properties on page 77. 16. On the deployment manager, the installer inokes the database upgrade program to upgrade the database schema and data. You are prompted to proide the database administratie user ID and password to create or ugrade the database schema required for the messaging engine. If the administratie user ID does not hae the proper priileges to create the database schema, an error message is displayed during the upgrade. Run the ITIM_HOME\bin\ DBUpgrade program after the upgrade completes and enter the correct database administratie ID. This program ensures that the database schema and tables for the messaging engine are created. 17. On the deployment manager, the installer inokes the LDAP upgrade program to upgrade the LDAP schema and data silently. Chapter 10. Upgrading to Tioli Identity Manager Version 5.1 115

    Note: For Sun Enterprise Directory Server 6.3, if the upgrade adds new indexes, you must index your data again after the upgrade to Tivoli Identity Manager Version 5.1 has completed.
18. After the installation has completed, you might have to manually update any customizations which were not preserved during the upgrade process. For more information, see "Preserving customized data manually" on page 117.

Clearing the service integration bus

This task is necessary if you are upgrading Tivoli Identity Manager Version 5.1 from WebSphere Application Server 6.1 to WebSphere Application Server 7.0 and are using an Oracle database.

Note: Java Message Service (JMS) queues must be empty before performing this task; otherwise critical data might be lost. For more information, see "Determining that the WebSphere MQ message queue is empty".

On the target Tivoli Identity Manager Version 5.1 Oracle server:
1. Start the Oracle database.
2. Issue the following commands for each of the service integration bus (SIB) schemas in your environment:
      delete from schema_name.sib000
      delete from schema_name.sib001
      delete from schema_name.sib002
      delete from schema_name.sibclasmap
      delete from schema_name.sibkeys
      delete from schema_name.siblisting
      delete from schema_name.sibxacts
      delete from schema_name.sibowner
      delete from schema_name.sibownero
   where the SIB schema, schema_name, is one of the following:

   Table 6. Service integration bus schema names
   Tivoli Identity Manager environment    Schema name
   Single-server                          ITIML000
   Clustered                              ITIML000, ITIML001, ITIML002, ITIML003, and ITIMS000

   Note: The SIBOWNERO table might not exist in all Tivoli Identity Manager environments. If it does not exist and the delete statement fails, you can ignore the failure message.
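Two of the checks in the upgrade procedure above are easy to get wrong and worth scripting: the 150 MB of free space the installer needs in /tmp (step 1) and the type 4 format of the JDBC URL that runconfig shows on its Database tab (step 15). The following Python script is an added example, not IBM's code; it assumes the generic type 4 URL shapes of the DB2, Oracle thin and Microsoft SQL Server drivers, and the host names in its demo list are constructed.

```python
"""Pre-upgrade checks for two items in the cluster upgrade procedure:
free space for the installer's temporary directory (step 1) and the
JDBC URL that runconfig shows on the Database tab (step 15).
Added example, not IBM's code. The URL shapes are the generic type 4
forms of the DB2, Oracle thin and Microsoft SQL Server drivers; the
host names in the demo list are constructed."""
import re
import shutil

MIN_TMP_BYTES = 150 * 1024 * 1024  # the installer wants 150 MB in /tmp

# Type 4 drivers are pure Java and carry host:port in the URL itself.
TYPE4_PATTERNS = {
    "db2": re.compile(r"^jdbc:db2://(?P<host>[^:/]+):(?P<port>\d+)/(?P<db>[^;]+)"),
    "oracle": re.compile(
        r"^jdbc:oracle:thin:@(?://)?(?P<host>[^:/]+):(?P<port>\d+)[:/](?P<db>[^;?]+)"),
    "sqlserver": re.compile(
        r"^jdbc:sqlserver://(?P<host>[^:;]+):(?P<port>\d+);.*databaseName=(?P<db>[^;]+)",
        re.IGNORECASE),
}
# A DB2 type 2 URL (jdbc:db2:alias) names a catalogued alias instead of
# host:port; the Test button fails with it because no type 4 driver can use it.
DB2_TYPE2 = re.compile(r"^jdbc:db2:[^/]")


def tmp_has_room(path="/tmp", needed=MIN_TMP_BYTES):
    """Return (ok, free_bytes). When not ok, export IATEMPDIR to a larger
    partition before starting the installation program again."""
    free = shutil.disk_usage(path).free
    return free >= needed, free


def check_jdbc_url(url):
    """Return (ok, detail): detail is a dict with driver/host/port/db for a
    well-formed type 4 URL, otherwise a string saying what is wrong."""
    url = url.strip()
    if DB2_TYPE2.match(url):
        return False, "DB2 type 2 URL (no host:port); use jdbc:db2://host:port/db"
    for name, pattern in TYPE4_PATTERNS.items():
        m = pattern.match(url)
        if m:
            port = int(m.group("port"))
            if not 1 <= port <= 65535:
                return False, f"{name}: port {port} is out of range"
            return True, {"driver": name, **m.groupdict()}
    return False, "not a recognised type 4 JDBC URL"


if __name__ == "__main__":
    ok, free = tmp_has_room()
    print(f"/tmp free: {free // (1024 * 1024)} MB, enough: {ok}")
    for candidate in (  # constructed sample values
        "jdbc:db2://itimdb.example.com:50000/itimdb",
        "jdbc:db2:itimdb",
        "jdbc:oracle:thin:@itimdb.example.com:1521:itimdb",
        "jdbc:sqlserver://itimdb.example.com:1433;databaseName=itimdb",
    ):
        print(candidate, "->", check_jdbc_url(candidate))
```

Run it on each cluster member before starting the installer; a DB2 alias-style URL is the usual reason the Test button on the Database tab fails after an upgrade, and the script names that case explicitly rather than reporting a generic mismatch.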
Determining that the WebSphere MQ message queue is empty

To determine if the number of messages in the workflow queues is zero and therefore empty, run the WAS_MQ_HOME\bin\runmqsc.exe utility and use the display command to show the status of the following queues:
   WQ_itim_ms, the mail services queue
   WQ_itim_rs, the remote services queue
   WQ_itim_wf, the workflow queue
   WQ_itim_adhocSync, the custom report services queue
   WQ_itim_rs_pending, the remote services pending queue
   WQ_itim_ps, the remote services queue
   WQ_itim_policy, the policy queue
   WQ_itim_policy_simulation, the policy simulation queue
   WQ_itim_import_export, the import/export queue
For example, in a single-server environment, assume that WebSphere MQ is deployed on the node named A and the server is named server1. Enter this command:
   runmqsc WAS_A_server1
In a clustered environment, enter this command:
   runmqsc WAS_A_jmsserver
The following command displays the status of one of the Tivoli Identity Manager queues (here, the mail services queue):
   display qlocal('wq_itim_ms') curdepth maxdepth
Ensure that all message queues are empty. In the resulting display, the CURDEPTH attribute shows the number of messages in the queue. For example:
   AMQ8409: Display Queue details.
   QUEUE(WQ_itim_ms) MAXDEPTH(640000) CURDEPTH(0)
If all queue depths (CURDEPTH) are zero, no messages need processing; continue with the Tivoli Identity Manager upgrade. Do not restart WebSphere Application Server 5.1. If you have current queue depths greater than zero, messages are still being processed. Wait and check the queue depths again. To return to the pre-upgrade steps, see "Before you begin" on page 108.

Preserving customized data manually

To preserve customized data that is not preserved by the upgrade process, complete these manual steps if applicable. For more information about processes that are not preserved, see "Processes and settings that are not preserved, or require manual upgrade" on page 107.

Manually applying Java security
Manually apply the changes that you made for the previous IBM Development Kit for Java to the new IBM Development Kit for Java. For more information about enabling Java security, see "Enabling Java 2 security by creating and modifying policy files" on page 138.

Customizing logos and style sheets
If you need to insert customized logos and style sheets in the WAS_HOME\cellname\itim.ear directory, restore these files from a backup location.
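The SIB-clearing task and the queue-depth check in "Determining that the WebSphere MQ message queue is empty" above belong together: the delete statements lose any message still sitting in a queue, so the safe order is to capture the runmqsc display output for every queue in the list and refuse to proceed until every CURDEPTH is zero. The following Python script is an added example, not IBM's code; it parses runmqsc output in the AMQ8409 format the guide shows and gates the SIB step on it. The sample output embedded in it is constructed.

```python
"""Gate the SIB-clearing step on empty queues by parsing runmqsc output.
Added example, not IBM's code. SAMPLE_OUTPUT is constructed in the format
the guide shows (AMQ8409, then QUEUE/CURDEPTH/MAXDEPTH attributes)."""
import re

# the queues the guide tells you to inspect before touching the SIB tables
ITIM_QUEUES = (
    "WQ_itim_ms", "WQ_itim_rs", "WQ_itim_wf", "WQ_itim_adhocSync",
    "WQ_itim_rs_pending", "WQ_itim_ps", "WQ_itim_policy",
    "WQ_itim_policy_simulation", "WQ_itim_import_export",
)

_QUEUE_LINE = re.compile(r"QUEUE\((?P<name>[^)]+)\)")
_ATTR = re.compile(r"(?P<attr>CURDEPTH|MAXDEPTH)\((?P<val>\d+)\)")


def parse_queue_depths(runmqsc_output):
    """Map queue name -> {'CURDEPTH': n, 'MAXDEPTH': n} from runmqsc text.
    runmqsc may print the attributes on the line after QUEUE(...), so the
    parser carries the last queue name forward until the next QUEUE(...)."""
    depths, current = {}, None
    for line in runmqsc_output.splitlines():
        m = _QUEUE_LINE.search(line)
        if m:
            current = m.group("name")
            depths.setdefault(current, {})
        if current is None:
            continue  # banner text before the first queue
        for a in _ATTR.finditer(line):
            depths[current][a.group("attr")] = int(a.group("val"))
    return depths


def ready_to_clear_sib(runmqsc_output, required=ITIM_QUEUES):
    """Return (ok, problems). ok is True only when every required queue was
    reported with CURDEPTH 0. Names compare case-insensitively because the
    display command accepts lower case while MQ reports the defined name."""
    depths = {k.lower(): v for k, v in parse_queue_depths(runmqsc_output).items()}
    problems = []
    for q in required:
        info = depths.get(q.lower())
        if info is None or "CURDEPTH" not in info:
            problems.append(f"{q}: not reported; run display qlocal('{q}') curdepth")
        elif info["CURDEPTH"] > 0:
            problems.append(f"{q}: {info['CURDEPTH']} message(s) still queued")
    return (not problems), problems


# Constructed sample: only two queues were displayed and one still has work.
SAMPLE_OUTPUT = """\
AMQ8409: Display Queue details.
   QUEUE(WQ_itim_ms)                       TYPE(QLOCAL)
   CURDEPTH(0)                             MAXDEPTH(640000)
AMQ8409: Display Queue details.
   QUEUE(WQ_itim_wf)                       TYPE(QLOCAL)
   CURDEPTH(3)                             MAXDEPTH(640000)
"""

if __name__ == "__main__":
    ok, problems = ready_to_clear_sib(SAMPLE_OUTPUT)
    print("safe to clear SIB:", ok)
    for p in problems:
        print(" -", p)
```

Feed it the saved output of a runmqsc session that displayed every queue in the list; a queue that was never displayed is reported as a problem rather than silently treated as empty, which is the failure mode that loses data.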
Preserving WebSphere Application Server customizations
You can preserve WebSphere customizations, such as specific JAR files, using settings for a WebSphere Application Server shared library. For a shared library, you need to define the name of the shared library to the newly deployed Tivoli Identity Manager Version 5.1. For example, Tivoli Identity Manager Version 4.6 or 5.0 might load a shared library with a name such as user_shared_library. Complete these tasks on the WebSphere administrative console to associate the previously defined shared library with Tivoli Identity Manager Version 5.1:
1. Click Applications > Enterprise Applications > ITIM.
2. Click Shared library references.
3. Select the shared library, and click OK and Apply to apply the changes.
4. Save the configuration.
5. Restart the WebSphere Application Server to allow the changes to take effect.
You might need to preserve other WebSphere customizations.

Migrating notification templates
If you have updated the default templates in the Tivoli Identity Manager 4.6 or 5.0 environment, the Tivoli Identity Manager upgrade program does not overwrite (upgrade) any notification templates. To migrate old notification templates to match those in Tivoli Identity Manager Version 5.1, you must manually update both the XML Text Template Language (XTTL) content and style. The following table lists templates and their locations in the Tivoli Identity Manager configuration file tenant.tmpl. Use this list as a reference for the updated default notification template content.

Table 7. Templates contained in tenant.tmpl
Template name                                    Template DN
Todo Item Reminder Notification                  cn=reminder,erglobalid=<%config.workflow%>,ou=config,ou=itim,<%tenant.dn%>
Default Compliance Alert Notification            cn=compliance,erglobalid=<%config.workflow%>,ou=config,ou=itim,<%tenant.dn%>
Default New Account Notification                 cn=newaccount,erglobalid=<%config.workflow%>,ou=config,ou=itim,<%tenant.dn%>
Default New Password Account Notification        cn=newpassword,erglobalid=<%config.workflow%>,ou=config,ou=itim,<%tenant.dn%>
Default Change Account Notification              cn=changeaccount,erglobalid=<%config.workflow%>,ou=config,ou=itim,<%tenant.dn%>
Default Restore Account Notification             cn=restoreaccount,erglobalid=<%config.workflow%>,ou=config,ou=itim,<%tenant.dn%>
Default Suspended Account Notification           cn=suspendedaccount,erglobalid=<%config.workflow%>,ou=config,ou=itim,<%tenant.dn%>
Default Deprovision Account Notification         cn=deprovision,erglobalid=<%config.workflow%>,ou=config,ou=itim,<%tenant.dn%>
Default Activity Timeout Notification            cn=activitytimeout,erglobalid=<%config.workflow%>,ou=config,ou=itim,<%tenant.dn%>
Default Process Timeout Notification             cn=processtimeout,erglobalid=<%config.workflow%>,ou=config,ou=itim,<%tenant.dn%>
Default Process Completion Notification          cn=processcompletion,erglobalid=<%config.workflow%>,ou=config,ou=itim,<%tenant.dn%>
Default ManualActivity Notification              cn=manualactivityapproval,erglobalid=<%config.workflow%>,ou=config,ou=itim,<%tenant.dn%>
Default ManualActivityRFI Notification           cn=manualactivityrfi,erglobalid=<%config.workflow%>,ou=config,ou=itim,<%tenant.dn%>
Default ManualActivityWorkOrder Notification     cn=manualactivityworkorder,erglobalid=<%config.workflow%>,ou=config,ou=itim,<%tenant.dn%>

Updating XML Text Template Language (XTTL) contents
The new XTTL contents needed for the default workflow notification templates in Tivoli Identity Manager Version 5.1 are listed below.

The following XTTL contents are needed for the default workflow notification templates if upgrading from Tivoli Identity Manager Version 4.6 or 5.0:

Todo Item Reminder Notification
   Remove:
      <RE key="escalation_note"/> <escalationTime/>
   Add:
      <RE><KEY><JS>
      var currentDate = new Date();
      var currentTime = currentDate.getTime();
      if (currentTime < reminderCtx.getEscalationDate().getTime()) {
        return "workitem_due_note";
      } else {
        return "workitem_overdue_note";
      }
      </JS></KEY>
      <PARM><escalationTime/></PARM>
      </RE>

The following XTTL contents are needed for default workflow notification templates if upgrading from Tivoli Identity Manager Version 4.6. They are not required if upgrading from Tivoli Identity Manager Version 5.0:

Default Compliance Alert Notification
   Add:
      <ITIMURL/>
Default New Account Notification
   Add:
      <ITIMURL/>
      <JS>if (EmailContext.hasNewAccess()) { '<RE key="accountnewaccess"/>: <JS>EmailContext.getAccountNewAccessAsString();</JS>\n'; }</JS>
Default New Password Account Notification
   Add:
      <ITIMURL/>
Default Change Account Notification
   Add:
      <ITIMURL/>
      <JS>if (EmailContext.hasNewAccess()) { '<RE key="accountnewaccess"/>: <JS>EmailContext.getAccountNewAccessAsString();</JS>\n'; }</JS>
Default Restore Account Notification
   Add:
      <ITIMURL/>
Default Suspended Account Notification
   Add:
      <ITIMURL/>
Default Deprovision Account Notification
   Add:
      <ITIMURL/>
      <JS>if (EmailContext.hasRemovedAccess()) { '<RE key="accountremovedaccess"/>: <JS>EmailContext.getAccountRemovedAccessAsString();</JS>\n'; }</JS>
Default Activity Timeout Notification
   Add:
      <ITIMURL/>
      <JS>if (EmailContext.hasRemovedAccess()) { '<RE key="accountremovedaccess"/>: <JS>EmailContext.getAccountRemovedAccessAsString();</JS>\n'; }</JS>
   Remove the following:
      <RE key="description"/>: <RE><KEY><JS>activity.description;</JS></KEY></RE>
   Modify the following:
      <RE key="state"/>: <RE><KEY><JS>process.STATE_PREFIX+activity.state;</JS></KEY></RE>
      <RE key="detail"/>: <JS>Enrole.localize(process.resultDetail, "$LOCALE");</JS>
Default Process Timeout Notification
   Add:
      <ITIMURL/>
   Modify the following:
      <RE key="detail"/>: <JS>Enrole.localize(process.resultDetail, "$LOCALE");</JS>
Default Process Completion Notification
   Add:
      <ITIMURL/>
   Modify the following:
      <RE key="detail"/>: <JS>Enrole.localize(process.resultDetail, "$LOCALE");</JS>
Default ManualActivityApproval Notification
   Add:
      <ITIMURL/>
      <JS>if (process.subjectAccess!=null) if (process.subjectAccess.length>0) { '<RE key="accessname"/>: <JS>process.subjectAccess;</JS>\n'; }</JS>
   Modify the following:
      <JS>if (process.parentId == '0') { 'left align="middle"><td class="text-description" bgcolor="ebedf3"><RE key="requestedby"/>:</td><td width="773" class="text-description" bgcolor="white"><JS>process.requestorName;</JS></td></tr>'; }</JS>
Default ManualActivityRFI Notification
   Add:
      <ITIMURL/>
      <JS>if (process.subjectAccess!=null) if (process.subjectAccess.length>0) { '<RE key="accessname"/>: <JS>process.subjectAccess;</JS>\n'; }</JS>
Default ManualActivityWorkOrder Notification
   No changes required.

For upgrades from Tivoli Identity Manager Version 4.6, the following six new templates are added. For upgrades from Tivoli Identity Manager Version 5.0, these templates are modified by the installation utility:
   Decline Mark notification
   Decline Marked notification
   Decline Deletes Access notification
   Decline Deleted Access notification
   Decline Marks Access notification
   Decline Marked Access notification

To modify the contents of default workflow notification templates, log in to the Tivoli Identity Manager Version 5.1 GUI administrative console with administrative permission and complete these steps:
1. Go to Configure System > Workflow Notification Properties.
2. Select the template to modify.

3. On the Notification Template page, modify the appropriate section of the notification template.

Updating notification template style
For upgrades from Tivoli Identity Manager Version 4.6, the style of e-mail notifications (XHTML templates) has changed. To design an XHTML template, use the following cascading style sheet (CSS) file and images:
   Imperative style sheet: BASE_URL/console/css/imperative.css
   Images:
      Tivoli logo: BASE_URL/console/html/images/left-ti-1.gif
      IBM banner: BASE_URL/console/html/images/ibm_banner.gif
      Background image: BASE_URL/console/html/images/mid-part-1.gif
      Template body: BASE_URL/console/html/images/portfolio_background.gif
   Note: The value of BASE_URL is http://servername:port/itim
The following colors are used to format the background:
   Title bar: #a8a8a8
   Tables containing values: gray and EBEDF3
   Copyright table: #a8a8a8
To apply a style sheet, link the style sheet in the following way:
   <link type="text/css" title="styles" rel="stylesheet" href="BASE_URL/console/css/imperative.css" />
Note: The value of BASE_URL is http://servername:port/itim
The text-description class of the above CSS is used to format the text in the e-mail notification. For example, to format the title, use the following code:
   <!-- Title Bar -->
   <table width="100%" border="0" cellpadding="0" cellspacing="0">
     <tbody>
       <tr bgcolor="#a8a8a8">
         <td height="20" width="8"></td>
         <!-- ITIM Notification Label -->
         <td height="20" class="text-description" width="979" align="middle">$title</td>
         <td height="20" width="5"></td>
       </tr>
     </tbody>
   </table>
To modify the contents of default workflow notification templates, log in to the Tivoli Identity Manager Version 5.1 GUI administrative console with administrative permission and complete these steps:
1. Go to Configure System > Workflow Notification Properties.
2. Select the template to modify.
3. On the Notification Template page, modify the appropriate section of the notification template.

Manually upgrading the access control items
The upgrade process does not affect the access control items for the existing organizations. The process does not add the new default access control items, nor does it modify or delete the existing access control items. However, it does add the new default user groups, if they do not exist. New organizations created after the upgrade have all the default access control items and user groups.
Tivoli Identity Manager introduced the customizable persona-based console for managing the organizations in Version 5.0. For an upgraded Tivoli Identity Manager Version 5.1 to use the new features, you must manually create the access control items for the targeted persona. For example, for an auditor to run all the ready-to-use reports and view all the reporting data, you need to have all the access control items for the Auditor principal listed in the Tivoli Identity Manager Version 5.1 Information Center topic "Default access control items" (Administering > Security administration). For more details on how to create an access control item, refer to the Tivoli Identity Manager Version 5.1 Information Center topic "Access control item management" (Administering > Security administration).

Configuring Crystal
Perform these steps to configure Crystal following an upgrade to Tivoli Identity Manager Version 5.1:

WebSphere Application Server single-server:
1. Ensure that correct values are present in the ITIM_HOME\data\crystal.properties file.
2. Edit and run the following script:
   - Windows: importcrystaljars_was.bat
   - UNIX/Linux: importcrystaljars_was.sh
3. Edit and run the following script:
   - Windows: CrystalTestWAS.bat
   - UNIX/Linux: CrystalTestWAS.sh
4. Edit and run the following script:
   - Windows: buildcrystalwebarchive_was.bat
   - UNIX/Linux: buildcrystalwebarchive_was.sh
5. Edit and run the following script:
   - Windows: CrystalUpgradeWAS.bat
   - UNIX/Linux: CrystalUpgradeWAS.sh

WebSphere Application Server cluster configuration:
On the federated nodes, perform these steps:
1. Ensure that correct values are present in the ITIM_HOME\data\crystal.properties file.
2. Edit and run the following script:
   - Windows: importcrystaljars_was.bat
   - UNIX/Linux: importcrystaljars_was.sh
On the network deployment manager, perform these steps:
1. Ensure that correct values are present in the ITIM_HOME\data\crystal.properties file.
2. Edit and run the following script:
   - Windows: importcrystaljars_was.bat
   - UNIX/Linux: importcrystaljars_was.sh
3. Edit and run the following script:
   - Windows: CrystalTestWAS.bat
   - UNIX/Linux: CrystalTestWAS.sh
4. Edit and run the following script:
   - Windows: buildcrystalwebarchive_was.bat
   - UNIX/Linux: buildcrystalwebarchive_was.sh
5. Edit and run the following script:
   - Windows: CrystalUpgradeWAS.bat
   - UNIX/Linux: CrystalUpgradeWAS.sh
For more information about Crystal configuration, refer to the Tivoli Identity Manager Information Center.
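Because the upgrade program leaves customized notification templates untouched, the migration list in "Updating XML Text Template Language (XTTL) contents" earlier in this chapter has to be applied by hand, and it is easy to miss a template or to apply a 4.6-only change to a 5.0 system. The following Python script is an added example, not IBM's code: it encodes a subset of that list as required and obsolete XTTL fragments and audits template text against it. The sample template texts embedded in it are constructed stand-ins; in practice you would paste in the XTTL shown for each template under Configure System > Workflow Notification Properties.

```python
"""Audit notification template XTTL against the Version 5.1 migration list.
Added example, not IBM's code. SAMPLE_TEMPLATES are constructed stand-ins
for XTTL copied from Configure System > Workflow Notification Properties."""
import re

ITIMURL = r"<ITIMURL\s*/>"

# Required/obsolete content per template, from "Updating XML Text Template
# Language (XTTL) contents". Keys ending in _from_46 apply only when the
# source release is 4.6; the reminder change applies to 4.6 and 5.0 alike.
RULES = {
    "Todo Item Reminder Notification": {
        "absent": [r'<RE\s+key="escalation_note"\s*/>'],
        "present": [r"workitem_due_note", r"workitem_overdue_note",
                    r"reminderCtx\.getEscalationDate\(\)"],
    },
    "Default Compliance Alert Notification": {"present_from_46": [ITIMURL]},
    "Default New Account Notification": {
        "present_from_46": [ITIMURL, r"EmailContext\.hasNewAccess\(\)"],
    },
    "Default Deprovision Account Notification": {
        "present_from_46": [ITIMURL, r"EmailContext\.hasRemovedAccess\(\)"],
    },
    "Default Activity Timeout Notification": {
        "present_from_46": [ITIMURL, r"Enrole\.localize\(process\.resultDetail"],
        "absent_from_46": [r'<RE\s+key="description"\s*/>'],
    },
    "Default ManualActivityWorkOrder Notification": {},  # no changes required
}


def audit_template(name, xttl, upgrading_from="4.6"):
    """Findings for one template's XTTL text; an empty list means migrated."""
    rule = RULES.get(name)
    if rule is None:
        return [f"{name}: no rule on file; review against Table 7 manually"]
    checks = [("present", rule.get("present", [])),
              ("absent", rule.get("absent", []))]
    if upgrading_from == "4.6":
        checks += [("present", rule.get("present_from_46", [])),
                   ("absent", rule.get("absent_from_46", []))]
    findings = []
    for kind, patterns in checks:
        for pat in patterns:
            found = re.search(pat, xttl) is not None
            if kind == "present" and not found:
                findings.append(f"{name}: required content missing: {pat}")
            if kind == "absent" and found:
                findings.append(f"{name}: obsolete content still present: {pat}")
    return findings


def audit_all(templates, upgrading_from="4.6"):
    """templates: {template name: XTTL text}. Returns {name: findings}."""
    return {n: audit_template(n, t, upgrading_from) for n, t in templates.items()}


# Constructed sample export: the reminder template was never migrated,
# the new-account template was.
SAMPLE_TEMPLATES = {
    "Todo Item Reminder Notification":
        '<RE key="escalation_note"/> <escalationTime/>',
    "Default New Account Notification":
        '<ITIMURL/>\n<JS>if (EmailContext.hasNewAccess()) { '
        '\'<RE key="accountnewaccess"/>: <JS>EmailContext.getAccountNewAccessAsString();</JS>\\n\'; }</JS>',
}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_TEMPLATES).items():
        print(name, "->", "OK" if not findings else findings)
```

Extending RULES to the remaining templates in the list is mechanical; the split between always-required and 4.6-only fragments is what keeps the audit from flagging a correctly migrated 5.0 system.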

Chapter 11. Uninstalling Tivoli Identity Manager

Uninstalling Tivoli Identity Manager consists of using the Tivoli Identity Manager uninstallation program, which performs the following tasks:
   Removes all files in the ITIM_HOME directory that the Tivoli Identity Manager installation program created, including certificates in the ITIM_HOME\cert directory and the itimkeystore.jceks keystore file in the ITIM_HOME\config\keystore directory.
   Clears all configuration settings that were created for the Tivoli Identity Manager Server on the WebSphere Application Server.
   Removes the Tivoli Identity Manager Server that was deployed on these computers:
      Single-server configuration: Computer that has the WebSphere Application Server.
      Cluster configuration: Computer that has the deployment manager.
In a cluster configuration, uninstalling the Tivoli Identity Manager Server from the deployment manager removes the availability of the Tivoli Identity Manager Server to the cluster. The deployed Tivoli Identity Manager application files are automatically removed from Tivoli Identity Manager cluster members.
Reboot the Windows operating system after uninstallation to clean up any residual Tivoli Identity Manager files that could not be removed during the uninstallation process.

What is not removed
Uninstalling the Tivoli Identity Manager Server does not modify existing database tables or the directory server schema and data. The Tivoli Identity Manager log files are not removed. For more information about manually removing the database tables, directory server schema, and log files, see "Manually removing components" on page 126.

Before you begin
Before you uninstall the Tivoli Identity Manager Server, complete these tasks:
Single-server configuration
   Back up any certificates in the ITIM_HOME\cert directory and the itimkeystore.jceks keystore file in the ITIM_HOME\config\keystore directory. Ensure that the WebSphere Application Server is running.
Cluster configuration
   Back up any certificates in the ITIM_HOME\cert directory and the itimkeystore.jceks keystore file in the ITIM_HOME\config\keystore directory. If you are uninstalling the Tivoli Identity Manager Server from a cluster configuration, ensure that the node agents are running and that the deployment manager is also running.
Copyright IBM Corp. 2009 125

Steps to uninstall Tivoli Identity Manager
You can uninstall Tivoli Identity Manager from UNIX, Linux, or Windows operating systems by using the Tivoli Identity Manager uninstallation program directly, or from Windows operating systems by using Add/Remove Programs from the Windows Control Panel. If you are planning to reinstall Tivoli Identity Manager, use the Tivoli Identity Manager uninstallation program directly.
To uninstall Tivoli Identity Manager, complete these steps:
1. Uninstall the Tivoli Identity Manager Server using this command:
      ITIM_HOME\itimUninstallerData\Uninstall_ITIM
   Single-server configuration: Run the command on the computer on which the Tivoli Identity Manager Server is installed.
   Cluster configuration: Run the command on each cluster member first, and then run the command on the computer on which the deployment manager is installed.
2. Complete the uninstallation wizard panels and confirm that you want to uninstall the Tivoli Identity Manager Server.
3. Reboot the Windows system after uninstallation to clean up any residual Tivoli Identity Manager files that could not be removed during uninstallation.

Verifying that the Tivoli Identity Manager Server is uninstalled
To verify that the Tivoli Identity Manager Server has been uninstalled and removed as an application from the WebSphere Application Server, complete these steps:
1. Examine the ITIM_HOME directory and remove any residual Tivoli Identity Manager directories, configuration files, and log files.
2. Launch the WebSphere administrative console and log in.
3. From the navigation tree, navigate to the target node, and click the Applications > Enterprise Applications link. A list is displayed of the enterprise applications that are installed on the application server. If you see an application named ITIM listed, the uninstallation process was unable to automatically remove the Tivoli Identity Manager Server from the WebSphere Application Server. You can remove the application manually. For more information, see "Manually removing the Tivoli Identity Manager Server from the WebSphere Application Server".

Manually removing components
This section describes manually removing or stopping components that are not removed by the uninstallation process.

Manually removing the Tivoli Identity Manager Server from the WebSphere Application Server
To uninstall the Tivoli Identity Manager Server in a single-server or a cluster configuration, complete these tasks:
1. On the WebSphere administrative console, take these steps:
   a. Select Applications > Enterprise Applications.
   b. Select the ITIM application.
   c. Click Stop.
   d. When the ITIM application stops, select the ITIM application again.
   e. Click Uninstall.
2. Manually ensure that the ITIM.ear directory is removed. Take these steps:
   a. Open the applications directory:
      Single-server and each cluster member: WAS_PROFILE_HOME\config\cells\cellname\applications
      Notes:
      1) Cluster members do not have the application directory if the .ear file is already removed.
      2) The .ear file also needs to be removed from the WAS_PROFILE_HOME\config\cells\cellname\installedapps\itim.ear directory.
      Deployment manager: WAS_NDM_PROFILE_HOME\config\cells\cellname\applications
   b. If the ITIM.ear directory exists, remove the directory.

Stopping and removing the Tivoli Identity Manager messaging engine
To stop and remove the Tivoli Identity Manager Server messaging engine in a single-server or a cluster configuration, complete these tasks on the WebSphere administrative console:
1. Select Service Integration > Buses.
2. Click itim_bus.
3. In the Topology section, click Messaging engines. For a single-server installation, you see an engine named nodename.servername-itim_bus. For a cluster installation, you see n+1 messaging engines, where n is the number of Tivoli Identity Manager cluster members. An additional messaging engine is used for the Tivoli Identity Manager messaging cluster.
4. Select one or more messaging engines and click Stop.
5. Remove the itim_bus configuration from the WebSphere administrative console.
6. In the Tivoli Identity Manager database, drop the tables and schema used by the messaging engines. Refer to the documentation for your database system for the appropriate commands. The file ITIM_HOME/config/rdbms/dbtype/drop_itim_sib.ddl provides an example.
Removing other Tivoli Identity Manager configuration settings from the WebSphere Application Server
To manually remove other Tivoli Identity Manager configuration settings from the WebSphere Application Server, complete the following tasks on the WebSphere administrative console:
   Remove the JDBC providers and data sources.
   Remove the JMS queue connection factories, queues, and activation specifications.
   Remove the object cache instances.
   Remove the security settings.
   Remove the core group policies (cluster configurations only).
   Remove the shared libraries.
   Remove the JVM classpath.
   Remove the WebSphere variables.
Chapter 11. Uninstalling Tivoli Identity Manager 127

Removing the JDBC providers and data sources
To manually remove the JDBC provider and data source configuration settings from the WebSphere Application Server, complete the following steps on the WebSphere administrative console:
1. Click Resources > JDBC > JDBC Providers.
2. Choose All scopes as the scope level.
3. Select the JDBC provider names starting with "ITIM XA" or "ITIM non-xa".
4. Click Delete. The JDBC providers and the associated data sources are both removed.
5. Click Save to save the configuration.

Removing the JMS queue connection factories, queues, and activation specifications
To manually remove the JMS queue connection factory, queue, and activation specification configuration settings from the WebSphere Application Server, complete the following steps on the WebSphere administrative console:
1. Click Resources > JMS > Queue connection factories.
2. Choose All scopes as the scope level.
3. Select ITIM Queue Connection Factory and ITIM Shared Queue Connection Factory.
4. Click Delete.
5. Click Save to save the configuration.
6. Click Resources > JMS > Queues.
7. Choose All scopes as the scope level.
8. Select all the queue names starting with "itim".
9. Click Delete.
10. Click Save to save the configuration.
11. Click Resources > JMS > Activation specifications.
12. Choose All scopes as the scope level.
13. Select all the specification names starting with "itim".
14. Click Delete.
15. Click Save to save the configuration.

Removing object cache instances
To manually remove the object cache instance configuration settings from the WebSphere Application Server, complete the following steps on the WebSphere administrative console:
1. Click Resources > Cache instances.
2. Choose All scopes as the scope level.
3. Select LdapCache and SecondaryLdapCache.
4. Click Delete.
5. Click Save to save the configuration.

Removing security settings
To manually remove the security configuration settings from the WebSphere Application Server, complete the following steps on the WebSphere administrative console:
1. Click Security > Secure administration... > Java Authentication and Authorization > J2C authentication data.
2. Select itim_init and itim_jms.
3. Click Delete.
4. Click Save to save the configuration.
5. Click Security > Secure administration... > Java Authentication and Authorization > Application logins.
6. Select ITIM and servicelogincontext.
7. Click Delete.
8. Click Save to save the configuration.

Removing core group policies (cluster environments only)
To manually remove the core group policy configuration settings from the WebSphere Application Server, complete the following steps on the WebSphere administrative console:
1. Click Servers > Core group settings.
2. Click DefaultCoreGroup.
3. Click Policies.
4. Select all the policy names starting with itim_bus.
5. Click Delete.
6. Click Save to save the configuration.

Removing shared libraries
To manually remove the shared library configuration settings from the WebSphere Application Server, complete the following steps on the WebSphere administrative console:
1. Click Environment > Shared Libraries.
2. Choose All scopes as the scope level.
3. Select ITIM_LIB.
4. Click Delete.
5. Click Save to save the configuration.

Removing the JVM classpath
To manually remove the JVM classpath configuration settings from the WebSphere Application Server, complete the following steps on the WebSphere administrative console:
1. Click Servers > Application servers > servername > Java and Process Management > Process definition > Java Virtual Machine.
2. Remove {ITIM_HOME}/data from the Classpath field.
3. Click Save to save the configuration.
Note: In a cluster configuration, repeat the steps for each member server of the application cluster.

Removing WebSphere variables
To manually remove the WebSphere variable configuration settings from the WebSphere Application Server, complete the following steps on the WebSphere administrative console:
1. Click Environment > WebSphere Variables.
2. Choose All scopes as the scope level.
3. Select all variables with the name ITIM_HOME or ITIM_DB_JDBC_DRIVER_PATH.
4. Click Delete.
5. Click Save to save the configuration.

Manually removing other files or directories
To clean up any residual Tivoli Identity Manager files that were not removed during uninstallation, complete these steps:
1. Restart the operating system after uninstallation.
2. Examine the ITIM_HOME directory and remove any residual Tivoli Identity Manager directories, configuration files, log, .dll, .so, .a, and .jar files.
3. Restart the operating system.

Reinstalling Tivoli Identity Manager
Clean up the database and the LDAP server before running the Tivoli Identity Manager installation program again, for a cleaner installation. Ensure that the Tivoli Identity Manager messaging engine is not running, and reboot the Windows computer after uninstallation and before attempting to reinstall.

Ensuring that Tivoli Identity Manager objects are removed from the Sun Enterprise Directory Server
Before you reinstall Tivoli Identity Manager, ensure that any previous Tivoli Identity Manager schema objects, object classes, and other attributes are removed from the Sun Enterprise Directory Server. Complete these steps:
1. Start the Sun Enterprise Directory Server administration console.
2. On the Configuration tab, remove the Tivoli Identity Manager suffix.
3. On the Directory tab, complete these steps:
   a. Remove the Tivoli Identity Manager domain.
   b. Click Config > Plugins. Then, open the properties for the referential integrity postoperation entry and delete all attributes that begin with the characters "er".
4. Stop the directory server.
5. Open the ldapserverinstance\config\schema\99user.ldif file. Then, remove all Tivoli Identity Manager object classes and attribute types that begin with the characters "er".
6. Start the directory server.

Appendix A. Mapping Tivoli Identity Manager application modules to IBM HTTP Server

Use the WebSphere administrative console to map Tivoli Identity Manager applications to the IBM HTTP Web server.
1. Log in to the WebSphere administrative console on the WebSphere Application Server Network Deployment Manager for the Tivoli Identity Manager cluster, using the WebSphere Application Server administrator credentials.
2. Click Applications > Application Types > WebSphere enterprise applications in the task menu.
3. Click ITIM in the Enterprise Applications list.
4. Click Manage Modules.
5. Select the ITIM Application Cluster name (not the JMS cluster name) and select the check boxes for these modules:
   - PasswordSynch
   - ITIM_Console
   - EnRole
   - ITIM_Self_Service
   - ITIM_Self_Service_Help
   - ITIM_Console_Help
   - ITIM_Message_Help
   - EHS3.01
   - PasswordReset
6. Click Apply (next to the Clusters and servers field).
7. Click OK.
8. Click Save configuration in the message box.

Copyright IBM Corp. 2009 131


Appendix B. Configuring security for Tivoli Identity Manager

This section describes how to configure security for Tivoli Identity Manager and middleware components. For more security information, see the Additional Security section of the IBM Tivoli Identity Manager Information Center.

Configuring security for the directory server

To have secure socket layer (SSL) communication between an LDAP server and Tivoli Identity Manager, the LDAP server must be configured to use SSL for secure communications. If you are using IBM Tivoli Directory Server or Sun Enterprise Directory Server to store Tivoli Identity Manager information, you must set the server to use SSL, and then configure the SSL certificates that you want to use. This task is performed after installing Tivoli Identity Manager, and cannot be performed before a new installation. If you want to configure LDAP only through an SSL connection, skip the LDAP configuration during the installation, and run ldapConfig after the installation has completed.

Configuring SSL for IBM Tivoli Directory Server

To have SSL communication between the IBM Tivoli Directory Server and Tivoli Identity Manager, IBM Tivoli Directory Server must be configured to listen on a port with a certificate defined. The certificate authority must be in the signer certificate database on the SSL client. Use GSKit to create the key database file and certificates. Make sure to extract the server certificate (the one created for the LDAP server) for client use. The certificate must be copied to the machine where Tivoli Identity Manager is running. The location of the server certificate is required to set up a trusted certificate for Tivoli Identity Manager in a later task.

For more information about enabling SSL on LDAP for IBM Tivoli Directory Server, see the documentation available at the following Web site:
http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.ibmds.doc/admin_gd16.htm

Configuring SSL for Sun Enterprise Directory Server

For detailed information about setting up SSL on Sun Enterprise Directory Server, see the documentation available at the following Web site:
http://docs.sun.com/app/docs/prod/s1dirsrv

Configuring the SSL client to trust the LDAP server certificate

The Tivoli Identity Manager Server operates as a Java application (not as an embedded part of WebSphere Application Server) and uses Java secure socket extension (JSSE) to implement SSL support. Consequently, SSL certificates and CA certificates are retrieved from a standard-format Java truststore or keystore. The truststore and keystore use the same file formats that the Java virtual machine and WebSphere Application Server use for other certificate configuration. You can use standard Java tools to maintain the truststore and keystore, including the IBM Key Management tool and the Java keytool command-line utility.

To successfully configure the SSL connection between the Tivoli Identity Manager Server and the LDAP server, you must import the self-signed certificate (or CA certificate) created for the LDAP server into the truststore that is used by JSSE (the IBM JSSE, which is part of WebSphere Application Server). Additionally, you must first configure Tivoli Identity Manager to use SSL (configuring it to use the ldaps protocol instead of the ldap protocol) when communicating with the LDAP server.

Installing the self-signed certificate in the JSSE truststore

For this task, the default truststore that is present in the JRE of the WebSphere Application Server is used. Also, the ikeyman utility is used to configure the certificates. To install the self-signed certificate for the LDAP server in the JSSE truststore, complete these steps:
1. Start the ikeyman utility (ikeyman.bat or ikeyman.sh) located in the WAS_HOME\bin directory.
2. From the Key Database File menu, select New.
3. In the File Name field, type cacerts. Cacerts is the default name for the JRE certificates file.
4. In the Location field, type WAS_HOME\java\jre\lib\security\.
5. In the Password Prompt window, type the password for the keystore in the Password and Confirm Password fields. The default password is changeit. Click OK.

The next task is to add the certificate you created for the LDAP server into this certificate store. Complete these steps:
1. In the main window, in the Key database content area, select Signer Certificates from the drop-down list, and click Add.
2. From the Data Type drop-down list, select Binary DER data.
3. In the Certificate file name field, browse to and locate the server certificate file that was created for the LDAP server. Verify that the appropriate directory is displayed in the Location field. Click OK.
4. In the prompt that is displayed, type a label for this certificate. For example, type LDAPCA. Click OK.

The certificate is added for the LDAP server. You can now close the ikeyman utility.

Configuring Tivoli Identity Manager to use SSL when communicating with the LDAP server

To configure Tivoli Identity Manager to use SSL when communicating with the LDAP server, complete these steps:
1. Edit the enRoleLDAPConnection.properties file in the ITIM_HOME\data directory, and make the following changes:
   a. Set the port value on the java.naming.provider.url property to the SSL port number configured on the directory server (LDAP). For example:
      java.naming.provider.url=ldaps://localhost:636
   b. Set the value of the java.naming.security.protocol property to ssl. This setting indicates to the Tivoli Identity Manager Server to use SSL to communicate with LDAP. Alternately, you can change the protocol in java.naming.provider.url from ldap to ldaps. For example:
      java.naming.security.protocol=ssl
2. Save the changes.

Defining the truststore and password as a custom property on the JVM

Tivoli Identity Manager Server does not use the WebSphere Application Server SSL Configuration Repositories settings in the WebSphere administrative console Security SSL tab. Instead, you must configure the SSL settings using the following menus to specify the javax properties. Complete these steps:
1. Select Servers > Application Servers > server_name > Process Definition > Java Virtual Machine > Custom Properties > New.
2. Define the name of the javax properties that you have changed using the ikeyman key management tool. In Installing the self-signed certificate in the JSSE truststore on page 134, you installed certificates into the truststore of the JVM used by WebSphere Application Server. Alternately, you can create your own certificate store location, for which you have to define some additional properties. The following table provides information about the javax properties you need to define.

Table 8. JSSE SSL truststore properties

javax.net.ssl.trustStore
    Description: File path of the truststore file. You can use the truststore to install CA certificates and client certificates. If you do not use javax.net.ssl.keyStore to specify a client certificate, you must use this truststore.
    Default value: jre_install_dir\lib\security\cacerts. Example: C:\Program Files\WebSphere\AppServer\java\jre\lib\security\cacerts

javax.net.ssl.trustStorePassword
    Description: Password that protects the truststore.
    Default value: changeit

javax.net.ssl.trustStoreType
    Description: Key database type. This property is required for the truststore. The value is specified when creating a self-signed certificate.
    Default value: None.

javax.net.ssl.keyStore
    Description: File path of the keystore file. The keystore contains the certificate that is used by the Tivoli Identity Manager Server. The certificate must be present either in the keystore or the truststore if the application operating as an SSL server (for example, an agent-based adapter) is set to require client authentication. If this property is not defined, the truststore must contain the certificate when client authentication is required.
    Default value: None. The truststore file path is searched by default.

javax.net.ssl.keyStorePassword
    Description: Password that protects the keystore.
    Default value: changeit

Running ldapConfig and runConfig with SSL

Note: If LDAP is configured to use SSL only, the ldapConfig utility does not work during a new Tivoli Identity Manager installation. You will have to skip ldapConfig during installation and run it after performing the following steps, after the Tivoli Identity Manager installation has completed:
1. Verify that enRoleLDAPConnection.properties has java.naming.security.protocol set to ssl.
2. Edit ITIM_HOME\bin\ldapConfig.lax and ITIM_HOME\bin\runConfig.lax and add the following property. Note that the property is a single line:
   lax.nl.java.option.additional=-Djavax.net.ssl.trustStoreType=type_of_truststore -Djavax.net.ssl.trustStore=truststore_location -Djavax.net.ssl.trustStorePassword=truststore_password -Djava.ext.dirs=WAS_HOME\java\jre\lib\ext:WAS_HOME\plugins:WAS_HOME\lib:WAS_HOME\lib\ext
   Note: Skip this step if the CA certificate (which is required to verify the authenticity of the authority that has issued the LDAP server certificate) is installed in the truststore of the JVM that is used by ldapConfig/runConfig.

Running fix pack installation or upgrading from previous versions with SSL configured between Tivoli Identity Manager and LDAP

If LDAP is configured to use SSL only with Tivoli Identity Manager, the following steps need to be performed to run the ldapUpgrade utility successfully during a fix pack installation.
1. Verify that enRoleLDAPConnection.properties has java.naming.security.protocol set to ssl.
2. Edit ITIM_HOME\bin\ldapUpgrade.lax and ITIM_HOME\bin\runConfig.lax and add the following property. Note that the property is a single line:
   lax.nl.java.option.additional=-Djavax.net.ssl.trustStoreType=type_of_truststore -Djavax.net.ssl.trustStore=truststore_location -Djavax.net.ssl.trustStorePassword=truststore_password -Djava.ext.dirs=WAS_HOME\java\jre\lib\ext:WAS_HOME\plugins:WAS_HOME\lib:WAS_HOME\lib\ext
   For example, on a Windows system:
   lax.nl.java.option.additional=-Djavax.net.ssl.trustStoreType=jks -Djavax.net.ssl.trustStore=C:\Progra~1\IBM\WebSphere\AppServer\java\jre\lib\security\cacerts -Djavax.net.ssl.trustStorePassword=changeit -Djava.ext.dirs=C:\Progra~1\IBM\WebSphere\AppServer\java\jre\lib\ext;C:\Progra~1\IBM\WebSphere\AppServer\plugins;C:\Progra~1\IBM\WebSphere\AppServer\lib;C:\Progra~1\IBM\WebSphere\AppServer\lib\ext
   You can test whether this property is set correctly by copying the property into ITIM_HOME\bin\ldapConfig.lax. Click Test on the ldapConfig screen. If the test returns a success message, the property is set correctly.
   Note: Do not click Continue on the ldapConfig screen. Click Cancel to exit.

Running the utilities that access the LDAP server with SSL

To successfully run the following utilities present in the ITIM_HOME\bin\platform directory:
   - addindex
   - addintegrity
   - config_remote_services
   - createlinks
   - ldapclean
   - remove_service_profiles
   - loaddsmlschema
   - serviceability
you must perform these steps when SSL is configured:
1. Verify that enRoleLDAPConnection.properties has java.naming.security.protocol set to ssl.
2. Open the utility file (for example, addindex.sh or addindex.cmd) with a text editor.
3. Add the following properties as Java runtime properties (the following property is one line):
   -Djavax.net.ssl.trustStoreType=type_of_truststore -Djavax.net.ssl.trustStore=truststore_location -Djavax.net.ssl.trustStorePassword=truststore_password -Djava.ext.dirs=WAS_HOME\java\jre\lib\ext:WAS_HOME\plugins:WAS_HOME\lib:WAS_HOME\lib\ext
   For example, ldapclean.sh modified for SSL would look like this:
   $JAVA -Djavax.net.ssl.trustStoreType=jks -Djavax.net.ssl.trustStore=/opt/IBM/cacerts -Djavax.net.ssl.trustStorePassword=changeit -Djava.ext.dirs=/opt/IBM/WebSphere61/AppServer/java/jre/lib/ext:/opt/IBM/WebSphere61/AppServer/plugins:/opt/IBM/WebSphere61/AppServer/lib:/opt/IBM/WebSphere61/AppServer/lib/ext -cp $CLASSPATH com.ibm.itim.systemconfig.LdapSweeper
4. Save the changes to the utility file.

Configuring security for WebSphere Application Server

If you chose to enable administrative security and application security on the WebSphere Application Server, additional security configuration might be required. Each of the following security tasks applies to both single-node and multi-node deployments. You can perform these additional security tasks:
- Map the itimadmin administrative user to the ITIM_SYSTEM role to further limit access.
- If the System User or EJB User is modified outside of Tivoli Identity Manager, run the runConfig command to update the Tivoli Identity Manager configuration.
- If you also enabled Java 2 security, modify the library.policy file and verify that the was.policy file exists.
- Modify the token expiration to prevent accidental timeouts in a cluster configuration.
- Enable FIPS compliance for WebSphere Application Server.
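The following Python script is an added example, not part of the guide or the product: it takes a fragment of enRoleLDAPConnection.properties and the lax.nl.java.option.additional line (or the -D options pasted into a utility script) from the preceding SSL sections and reports the inconsistencies those manual edits invite. The file contents, paths and password it uses are constructed samples; the property names are the JSSE names from Table 8.

```python
"""Consistency check for the LDAP-over-SSL settings described in this appendix.

Added example, not from the guide or the product. Findings it reports:
the ldap:// URL left in place without java.naming.security.protocol=ssl,
SSL requested while the URL still names port 389, a truststore option whose
name differs in case from the JSSE name (Java system property names are
case-sensitive, so JSSE silently ignores it), a missing truststore option,
an unknown store type, or the JRE default truststore password.
"""
import re
from urllib.parse import urlsplit

# The exact names JSSE reads, as listed in Table 8 of the guide.
JSSE_TRUSTSTORE_PROPS = (
    "javax.net.ssl.trustStore",
    "javax.net.ssl.trustStorePassword",
    "javax.net.ssl.trustStoreType",
)
KNOWN_STORE_TYPES = {"jks", "jceks", "pkcs12"}
NON_SSL_LDAP_PORT = 389


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, '#' or '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def parse_jvm_options(option_line):
    """Extract -Dname=value pairs from a .lax property value or a java command line."""
    prefix = "lax.nl.java.option.additional="
    if option_line.startswith(prefix):
        option_line = option_line[len(prefix):]
    return dict(re.findall(r"-D([^=\s]+)=(\S*)", option_line))


def url_port(url):
    """Port named in the provider URL, or None if absent or unparsable."""
    try:
        return urlsplit(url).port
    except ValueError:
        return None


def audit_ldap_ssl(properties_text, jvm_option_line):
    """Return a list of findings; an empty list means the settings are consistent."""
    findings = []
    props = parse_properties(properties_text)
    url = props.get("java.naming.provider.url", "")
    protocol = props.get("java.naming.security.protocol", "").lower()
    ssl_requested = url.lower().startswith("ldaps://") or protocol == "ssl"

    # Steps 1a/1b of the guide: either the ldaps scheme or security.protocol=ssl.
    if not ssl_requested:
        findings.append("LDAP connection is not configured for SSL: URL is not ldaps:// "
                        "and java.naming.security.protocol is not ssl")
    elif url_port(url) == NON_SSL_LDAP_PORT:
        findings.append("SSL is requested but java.naming.provider.url still names "
                        f"the non-SSL port {NON_SSL_LDAP_PORT}")

    # The -D options: exact names, all three present, a known store type.
    opts = parse_jvm_options(jvm_option_line)
    for name in JSSE_TRUSTSTORE_PROPS:
        if name in opts:
            continue
        wrong_case = [k for k in opts if k.lower() == name.lower()]
        if wrong_case:
            findings.append(f"{wrong_case[0]} is ignored by JSSE; the property is spelled {name}")
        else:
            findings.append(f"missing -D{name}")
    store_type = opts.get("javax.net.ssl.trustStoreType", "").lower()
    if store_type and store_type not in KNOWN_STORE_TYPES:
        findings.append(f"unrecognised truststore type {store_type!r}")
    if opts.get("javax.net.ssl.trustStorePassword") == "changeit":
        findings.append("truststore is still protected by the JRE default password changeit")
    return findings


# Constructed sample inputs; the paths and the password are placeholders.
GOOD_PROPERTIES = """\
# constructed fragment of ITIM_HOME/data/enRoleLDAPConnection.properties
java.naming.provider.url=ldaps://localhost:636
java.naming.security.protocol=ssl
"""
BAD_PROPERTIES = "java.naming.provider.url=ldap://localhost:389\n"
GOOD_LAX = ("lax.nl.java.option.additional=-Djavax.net.ssl.trustStoreType=jks "
            "-Djavax.net.ssl.trustStore=/opt/IBM/cacerts "
            "-Djavax.net.ssl.trustStorePassword=placeholder-password")
BAD_LAX = ("lax.nl.java.option.additional=-Djavax.net.ssl.truststoretype=jks "
           "-Djavax.net.ssl.trustStore=/opt/IBM/cacerts "
           "-Djavax.net.ssl.trustStorePassword=changeit")

if __name__ == "__main__":
    for label, props, lax in (("good", GOOD_PROPERTIES, GOOD_LAX), ("bad", BAD_PROPERTIES, BAD_LAX)):
        print(label, audit_ldap_ssl(props, lax) or ["ok"])
```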
Mapping an administrative user to a role

You can map an administrative user to a Tivoli Identity Manager role. The installer typically performs this mapping during the installation process. However, this task is required if you change the Tivoli Identity Manager EJB user ID after you install Tivoli Identity Manager. Complete these steps:
1. On the WebSphere administrative console, click Applications > Enterprise Applications.
2. Click ITIM.
3. In Detail Properties, scroll down and click Security role to user/group mapping.
4. Select the check box for ITIM_SYSTEM.
5. Click Look up users.
6. Click Search.
7. Select the EJB User (for example, wasadmin) from the list.
8. Click OK.
9. To prevent unauthorized access, clear the Everyone? and All Authenticated? check boxes.
10. Save the configuration changes.

Updating the system user and the EJB user

If you changed the System User or the EJB User fields, you must update the Tivoli Identity Manager configuration with these new values. Complete these steps:
1. Start the system configuration tool. To do so, enter the following command:
   Windows: ITIM_HOME\bin\runConfig
   UNIX: ITIM_HOME/bin/runConfig.sh
2. Select the Security tab.
3. Update the System User field and its password with the wasadmin user ID that you created in the local OS registry.
4. Update the EJB User field and its password with the itimadmin user ID that you created in the local operating system registry.
5. Click OK.

Enabling Java 2 security by creating and modifying policy files

If you want to turn on Java 2 security, create the library.policy file and modify the was.policy file to add permissions to access any necessary resources. Enabling Java 2 security for the Tivoli Identity Manager application also causes Java 2 security to be enforced on all applications that are running on the WebSphere Application Server. If you enable Java 2 security for the Tivoli Identity Manager application, you should also appropriately configure all other applications running on the WebSphere Application Server to support Java 2 security.

Note: Ensure that you are using the IBM Java 2 Platform Standard Edition Development Kit 1.5 Service Release 6 or later. Service Release 6 is needed if you intend to enable Java 2 security. You can download the service release and follow the instructions to apply the fix at the following WebSphere Application Server fix pack Web site:
http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg24017492

Creating the library.policy file to enable Java 2 security

Create the library.policy file to add permissions to access any necessary resources. To grant all permissions, complete these steps:
1. Create and edit the library.policy file in the following directory location:
   WAS_PROFILE_HOME/config/cells/cellname/nodes/nodename
2. Enter the following statement in the library.policy file:
   grant {
     permission java.security.AllPermission;
   };

Note: This sample policy file provides blanket access to the Tivoli Identity Manager shared library but does not provide any extra security. Set the policy file according to your security requirements by configuring this file correctly.

Ensuring that the was.policy file exists

The Tivoli Identity Manager installation program automatically creates a sample was.policy policy file with all the permissions that the Tivoli Identity Manager application needs to run with Java 2 security enabled. Ensure that the was.policy file exists. If the file does not exist, create the file in the following directory on the node:
   WAS_PROFILE_HOME/config/cells/cellname/applications/ITIM.ear/deployments/application_name/META-INF
The file contents are like these lines:
   grant codeBase "file:${application}" {
     permission java.security.AllPermission;
   };

Note: This sample policy file provides blanket access to Tivoli Identity Manager but does not provide any extra security. Set the policy file according to your security requirements by configuring this file correctly.

Running Java 2 security on single-node deployments

To run the Java 2 security component after installing and setting up Tivoli Identity Manager in a single-node deployment, use the WebSphere administrative console to restart Tivoli Identity Manager and log in when prompted. Complete these steps:
1. Click Applications > Enterprise Applications.
2. Select the check box for ITIM and click Stop. Wait for the Tivoli Identity Manager application to stop, then click Start.

Running Java 2 security on multi-node deployments

To run the Java 2 security component after installing and setting up Tivoli Identity Manager on multi-node deployments, synchronize the nodes in the cell and restart the Tivoli Identity Manager cluster.

Synchronizing the nodes in the cell

Synchronize the deployment manager configuration with the nodes in the cell. Then restart the Tivoli Identity Manager cluster with these steps:
1. Click Servers > Clusters.
2. Select the check box next to the cluster name.
3. Click Stop. Wait for the cluster to stop, and then click Start.

Increasing the timeout interval

Ensure that the token expiration value is large enough to prevent accidental timeouts in a cluster configuration. Security uses a Lightweight Third Party Authentication (LTPA) token that expires after an interval of system inactivity. The default is 120 minutes, which might not be large enough to use with Tivoli Identity Manager. On some systems, the actual timeout interval might be shorter than the value that is specified. A timeout might prevent you from logging on. When a timeout occurs, you must recycle the deployment manager, the cluster, and all node agents. Complete these steps:
1. Start the WebSphere administrative console.
2. Click Security > Secure administration, applications, and infrastructure > Authentication mechanisms and expiration > Authentication expiration.
3. Set the token expiration interval to a value that exceeds the longest anticipated interval of system inactivity at your site.

Enabling FIPS compliance for WebSphere Application Server

Federal Information Processing Standards (FIPS) are guidelines that set best practices for software and hardware computer security products. Products that support FIPS standards can be set into a mode where the product only uses FIPS-approved algorithms and methods. Security toolkits typically support both FIPS-approved and non-FIPS-approved functions. In FIPS mode, the product is incapable of using any non-FIPS-approved methods. To enable FIPS compliance for WebSphere Application Server, complete these steps:
1. Add these IBM cryptographic providers as entries in the java.security cryptographic provider list, as shown in this example:
   security.provider.1=com.ibm.crypto.fips.provider.IBMJSSE2
   security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS
   The java.security file is located at WAS_HOME\java\jre\lib\security. This step ensures that Java uses these cryptographic providers for all cryptographic functions.
   Note: The order in which you specify the security providers is important. The security providers are processed in numeric order. The first security provider that supports the encryption method being requested is used. On Solaris systems, the first provider must always be sun.security.provider.Sun.
2. Enable FIPS in WebSphere Application Server:
   a. On the WebSphere administrative console, click Security > SSL certificate and key management.
   b. Select the check box next to Use the United States Federal Information Processing Standard (FIPS) algorithms.
   c. Click Apply.
   d. Save the configuration changes.
3. To set the environment variable that restricts the IBMJSSE2 provider to FIPS-compliant algorithms, complete these steps:
   a. On the WebSphere administrative console, click Servers > Application servers and click a server, such as server1.
   b. In the Server Infrastructure field, click the link for Java and Process Management > Process Definition.
   c. In the Additional Properties field, click the link for Java Virtual Machine.
   d. In the Generic JVM Arguments field, set the environment variable by adding the following statement:
      -Dcom.ibm.jsse2.JSSEFIPS=true

For more information about enabling FIPS in WebSphere Application Server 6.1, see the documentation available at the following Web site:
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/topic/com.ibm.websphere.base.doc/info/aes/ae/tsec_fips.html

Running the cipher migration tool

A cipher migration utility, changeCipher, is provided to change cipher keys and transition from non-FIPS-compliant algorithms to FIPS-compliant algorithms and keys. Using the new cipher key, the migration utility re-encrypts all data in the property files and in LDAP. The utility is found in the following location:
   Windows: ITIM_HOME\bin\win\changeCipher.cmd
   UNIX/Linux: ITIM_HOME/bin/unix/changeCipher.sh
Run the utility once on a single server or at the deployment manager to migrate the data in the LDAP repository and in the property files. Also run the utility on each managed node (in a clustered environment) to migrate the property files on that node.

The following example shows the supported usage and command-line parameters for the changeCipher command:
   changeCipher changekey | resume {keystore_name} {keystore_password} [-algorithm AES] [-keysize 128 | 192 | 256] [-skiperrors]
For example, to migrate cipher settings from PBEWithMD5AndDES to AES, run the following command:
   changeCipher changekey itimkeystore2.jceks sunshine
This command performs the following tasks:
- Generates a 128-bit AES key and writes it to the specified keystore.
- Migrates encrypted data in the LDAP repository to the new cipher.
  Note: The new encrypted data is longer. If the attribute length in LDAP is too small, you get an Object Class violation and the script ends.
- Migrates the encrypted data in the property files to the new cipher.
- Sets the new cipher settings in enRole.properties.

While running, the tool creates and maintains a file that contains its current state information. This file is written to ITIM_HOME\temp\CipherMigrator.properties. If an error occurs during migration (for instance, if the LDAP server goes down), correct the problem and invoke the tool with the resume parameter. This parameter tells the utility to pick up from where it left off before the error occurred. The optional skiperrors parameter tells the tool to continue running even if it encounters data that cannot be decrypted with the old cipher. If specified, undecipherable LDAP data does not cause the tool to fail.

Back up all LDAP data before running the tool. There are a number of things that can go wrong when migrating LDAP data. For example, if the keystore file is accidentally deleted before the LDAP migration is completed, some of the encrypted LDAP data becomes inaccessible. Backing up LDAP data along with the current keystore ensures you can return to a safe state.

Before running the tool, stop the Tivoli Identity Manager Server and ensure that there are no pending transactions in the database, because encrypted data in the database is not migrated.

For each LDAP object it finds, the cipher migration utility decrypts the attribute using the old cipher and re-encrypts the attribute using the new cipher. No changes are made to attributes that are hashed.

By default, the Java Cryptography Extension (JCE) is shipped with restricted or limited-strength ciphers. To use 192-bit and 256-bit Advanced Encryption Standard (AES) encryption algorithms, you must apply the unlimited jurisdiction policy files. For more information, see the following Web site:
http://www.ibm.com/developerworks/java/jdk/security/index.html
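As a check for the provider-ordering note in Enabling FIPS compliance for WebSphere Application Server, the following Python script (an added example, not from the guide or the product) parses the security.provider.N entries of a java.security fragment and reports numbering gaps, FIPS providers that are not first, the Solaris rule, and class-name case slips. The fragments are constructed samples; the provider names are the ones the guide lists plus the IBM JDK's standard com.ibm.jsse2.IBMJSSEProvider2 and com.ibm.crypto.provider.IBMJCE.

```python
"""Check the security.provider.N list in a java.security file against the rules in
'Enabling FIPS compliance for WebSphere Application Server'.

Added example, not from the guide or the product. Rules checked: numbering must be
contiguous from 1 (the JDK stops reading providers at the first gap), the IBM FIPS
providers must be the first entries so they win the numeric-order search, on Solaris
sun.security.provider.Sun stays first, and class names must match exactly because
the JVM loads each provider by that name.
"""
import re

FIPS_PROVIDERS = (
    "com.ibm.crypto.fips.provider.IBMJSSE2",
    "com.ibm.crypto.fips.provider.IBMJCEFIPS",
)
SOLARIS_FIRST_PROVIDER = "sun.security.provider.Sun"
PROVIDER_RE = re.compile(r"^\s*security\.provider\.(\d+)\s*=\s*(\S+)\s*$")


def parse_provider_list(java_security_text):
    """Return [(index, class_name), ...] sorted by index; comments and other keys are ignored."""
    entries = []
    for line in java_security_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = PROVIDER_RE.match(line)
        if match:
            entries.append((int(match.group(1)), match.group(2)))
    return sorted(entries)


def check_fips_provider_order(java_security_text, solaris=False):
    """Return a list of findings; an empty list means the list follows the guide's rules."""
    findings = []
    entries = parse_provider_list(java_security_text)
    indexes = [i for i, _ in entries]
    classes = [c for _, c in entries]

    if indexes != list(range(1, len(indexes) + 1)):
        findings.append(f"provider numbering is not contiguous from 1: {indexes}")

    # A case slip (for example ...ibmjcefips) is a different, non-existent class to the JVM.
    for cls in classes:
        for fips in FIPS_PROVIDERS:
            if cls != fips and cls.lower() == fips.lower():
                findings.append(f"{cls} does not match the class name {fips} exactly")

    missing = [f for f in FIPS_PROVIDERS if f not in classes]
    findings.extend(f"missing FIPS provider {f}" for f in missing)

    expected_head = list(FIPS_PROVIDERS)
    if solaris:
        expected_head.insert(0, SOLARIS_FIRST_PROVIDER)
    if not missing and classes[:len(expected_head)] != expected_head:
        findings.append("FIPS providers are not first in the list; expected "
                        f"{expected_head}, found {classes[:len(expected_head)]}")
    return findings


# Constructed fragments of WAS_HOME/java/jre/lib/security/java.security.
GOOD_JAVA_SECURITY = """\
# constructed sample: FIPS providers first, then the regular IBM providers
security.provider.1=com.ibm.crypto.fips.provider.IBMJSSE2
security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.3=com.ibm.jsse2.IBMJSSEProvider2
security.provider.4=com.ibm.crypto.provider.IBMJCE
"""
BAD_JAVA_SECURITY = """\
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.4=com.ibm.crypto.fips.provider.IBMJSSE2
security.provider.5=com.ibm.crypto.fips.provider.IBMJCEFIPS
"""
SOLARIS_JAVA_SECURITY = """\
security.provider.1=sun.security.provider.Sun
security.provider.2=com.ibm.crypto.fips.provider.IBMJSSE2
security.provider.3=com.ibm.crypto.fips.provider.IBMJCEFIPS
"""

if __name__ == "__main__":
    print("good:", check_fips_provider_order(GOOD_JAVA_SECURITY) or ["ok"])
    print("bad:", check_fips_provider_order(BAD_JAVA_SECURITY))
    print("solaris:", check_fips_provider_order(SOLARIS_JAVA_SECURITY, solaris=True) or ["ok"])
```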

Appendix C. Installation images and fix packs

Installation images

This section itemizes the installation images and provides information on product fix packs. Refer to the Tivoli Identity Manager Quick Start Guide for the download location of the installation images that Tivoli Identity Manager provides. For more information about all supported platforms and their prerequisite applications, refer to the Tivoli Identity Manager Information Center.

Setting the SOAP timeout interval before installing fix packs

To avoid timeout exception errors during fix pack installation, before every fix pack installation set the SOAP timeout interval to at least 15 minutes (900 seconds). Complete these steps:
1. Edit the soap.client.props file located in the WAS_HOME\profiles\profile_name\properties directory.
2. Set the com.ibm.SOAP.requestTimeout property to 900. For example:
   com.ibm.SOAP.requestTimeout=900
3. Save the changes to the file.

Obtaining fix packs

A fix pack file for Tivoli Identity Manager has a name like the following example:
   5.1.0-TIV-TIM-FP000n.pak
where n is an integer such as 1. Tivoli Identity Manager fixes and information about fix pack installation are available at this Web site:
http://www-306.ibm.com/software/sysmgmt/products/support/IBMTivoliIdentityManager.html


Appendix D. Worksheets Before you begin to install and configure Tioli Identity Manager, you can fill out these worksheets to identify the configuration parameters needed to complete the Tioli Identity Manager installation. The alue of path aries for these operating systems. For Windows, the default path is drie:\program Files. For UNIX/Linux, the default path is /opt Table 9. Tioli Identity Manager typical database configuration parameters Field name Host name Port number Database name Admin ID Admin password Database user ID Database password Description Name of the computer that hosts the database. Database serice listening port. Name of the Tioli Identity Manager database. Database administrator user ID. Password for the database administrator user ID. The account that Tioli Identity Manager uses to log in to the database. The password for the itimuser user ID. Default or example alue Examples: 50000, 50002, or 60000 Example: itimdb Example: db2admin Note: If you do not use the middleware configuration utility, this alue is dasusr1 by default on UNIX systems. Example: itimuser Your alue Table 10. Tioli Identity Manager typical directory serer configuration parameters Field name Principal DN Password Host name Port Description The user ID that represents the principal distinguished name. The password of the user ID that represents the principal distinguished name. The host name of the directory serer Directory serer listening port. Default or example alue Example: cn=root Example: 389 Your alue Copyright IBM Corp. 2009 145

Table 10. Tioli Identity Manager typical directory serer configuration parameters (continued) Field name Description Number of hash buckets Name of your organization Default org short name Identity Manager DN location The number of hash buckets. The name of the organization. The short name of the organization. The Tioli Identity Manager suffix. Default or example alue 1 Example: My Organization Example: myorg Example: dc=com Your alue Table 11. Tioli Identity Manager typical pre-installation configuration parameters Field name ITIM_HOME WAS_HOME Description The installation directory for the Tioli Identity Manager Serer. The installation directory for WebSphere Application Serer. Default or example alue Windows: path\ibm\itim UNIX/Linux: path/ibm/itim Windows: path\ibm\websphere\ AppSerer Your alue WebSphere Application Serer profile name WebSphere Application Serer serer name Computer host name WebSphere Application Serer administrator user ID WebSphere Application Serer administrator password The name of the WebSphere Application Serer profile. The name of the WebSphere Application Serer serer. The host name of the computer. User name that is used to administer WebSphere Application Serer. Used to restart secure WebSphere Application Serers. This field is optional. Password that is used with the WebSphere user name. This field is optional. UNIX/Linux: path/ibm/websphere/ AppSerer Single-serer: AppSr01 Deployment manager: Dmgr01 Cluster member: Custom01 Example: serer1 Example: wsadmin 146 IBM Tioli Identity Manager Serer: Installation and Configuration Guide

Table 11. Tioli Identity Manager typical pre-installation configuration parameters (continued) Field name Keystore password ITDI_HOME TIVOLI_COMMON_ DIRECTORY Description Used to unlock the Tioli Identity Manager keystore file which stores the encryption key used to encrypt Tioli Identity Manager sensitie data. The directory that contains the IBM Tioli Directory Integrator Serer code. Also, where adapters are installed. This field is optional depending on whether you are using IBM Tioli Directory Integrator. The central location for all sericeability-related files, such as logs and first-failure capture data. Default or example alue Windows: path\ibm\tdi\v6.1.1 path\ibm\tdi\v7.0 UNIX/Linux: path/ibm/tdi/v6.1.1 path/ibm/tdi/v7.0 Windows: path\ibm\tioli\ common UNIX/Linux: path/ibm/tioli/ common Your alue Table 12. Tioli Identity Manager typical system configuration parameters Field name Heart beat (seconds) Recycle bin age limit (days) Maximum pool size Initial pool size Increment count Database pool initial capacity Description Defines how frequently a scheduling thread queries the scheduled message stores for eents to process. Specifies the number of days that an object remains in the recycle bin of the system before it becomes aailable for deletion by cleanup scripts. Specifies the maximum number of connections that the LDAP Connection Pool can hae at any time. Specifies the initial number of connections to be created for the LDAP Connection Pool. Specifies the number of connections to be added to the LDAP Connection Pool eery time a connection is requested after all connections are in use. Specifies the initial number of JDBC connections. Default or example alue 30 62 100 50 3 5 Your alue Appendix D. Worksheets 147

Table 12. Tivoli Identity Manager typical system configuration parameters (continued)

Field name | Description | Default or example value | Your value
Database pool maximum capacity | Specifies the maximum number of JDBC connections that the Tivoli Identity Manager Server can open to the database at any one time. | 50 |
Logging trace level | Specifies the amount of information written to the log file. | MIN |
Identity Manager Base Server URL | Specifies the published login Universal Resource Locator (URL) for the Tivoli Identity Manager Server. This is the first part of a URL that is sent to the recipient of mail messages at run time. | Example: http://hostname:9080/itim/console |
Mail from | Specifies the Tivoli Identity Manager system administrator e-mail address for your site. | Example: admin@mysite.com |
Mail server name | Specifies the SMTP mail host that sends mail notification and functions as the mail gateway. | Example: smtp.mysite.com |
Customer logo | Specifies the path and file name of the logo graphic. | ibm_banner.gif |
Customer logo link | Specifies an optional URL link activated by clicking the logo image. | www.ibm.com |
List page size | Specifies how many items that require a search in the directory are displayed on lists throughout the user interface. | 50 |
Encryption | Option to encrypt the passwords used for database and directory server connections and the password of the EJB user that is used for EJB authentication. | True (On) |
System user | Specifies the system user ID. | |
System user password | Specifies the system user password. | |
EJB user | Specifies the EJB user ID. | |

Table 12. Tivoli Identity Manager typical system configuration parameters (continued)

Field name | Description | Default or example value | Your value
EJB user password | Specifies the EJB user password. Note: The EJB user password is restricted to 12 characters. | |
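A filled-in worksheet is easy to get subtly wrong (an initial pool larger than its maximum, an EJB password longer than the 12 characters the installer accepts, a base URL without a scheme). The following script is an added example and is not part of the IBM guide; it checks a worksheet against the constraints stated in Tables 10 to 12 before the installer is run. The worksheet is modelled as a plain dict whose key names are this example's own choice, not installer property names.

```python
"""Sanity-check a Tivoli Identity Manager pre-installation worksheet.

Added example, not IBM code. It encodes the constraints the worksheet
tables state: LDAP and JDBC pool sizes, the 12-character EJB user password
limit, the published base server URL, the DN suffix and the encryption
option. Key names in the worksheet dict are assumptions made for this
example, not installer property names.
"""
from urllib.parse import urlsplit

EJB_PASSWORD_MAX_LEN = 12   # stated in Table 12 for "EJB user password"


def _positive_int(ws, key):
    """Return ws[key] as a positive int, or None if absent or invalid."""
    try:
        value = int(ws[key])
    except (KeyError, ValueError, TypeError):
        return None
    return value if value >= 1 else None


def check_pools(ws):
    """LDAP and JDBC pool values must be positive and initial <= maximum."""
    errors = []
    for initial, maximum, label in (
        ("initial_pool_size", "maximum_pool_size", "LDAP connection pool"),
        ("db_pool_initial", "db_pool_maximum", "JDBC pool"),
    ):
        lo, hi = _positive_int(ws, initial), _positive_int(ws, maximum)
        if lo is None or hi is None:
            errors.append(f"{label}: initial and maximum must be positive integers")
        elif lo > hi:
            errors.append(f"{label}: initial size {lo} exceeds maximum {hi}")
    if _positive_int(ws, "increment_count") is None:
        errors.append("LDAP connection pool: increment count must be a positive integer")
    return errors


def check_base_url(url):
    """The published login URL must be absolute: http(s) scheme plus a host."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return f"base server URL {url!r} needs an http(s) scheme and a host"
    return None


def check_dn_suffix(dn):
    """A DN suffix such as dc=com is a comma-separated list of attr=value pairs."""
    for comp in dn.split(","):
        attr, sep, value = comp.partition("=")
        if not sep or not attr.strip() or not value.strip():
            return f"DN suffix {dn!r} is not a comma-separated list of attr=value pairs"
    return None


def check_worksheet(ws):
    """Return a list of problems; an empty list means the worksheet is consistent."""
    errors = check_pools(ws)
    for key in ("heartbeat_seconds", "recycle_bin_age_days", "list_page_size"):
        if _positive_int(ws, key) is None:
            errors.append(f"{key} must be a positive integer")
    for err in (check_base_url(ws.get("base_server_url", "")),
                check_dn_suffix(ws.get("itim_dn_location", ""))):
        if err:
            errors.append(err)
    pw = ws.get("ejb_user_password", "")
    if not pw:
        errors.append("EJB user password is empty")
    elif len(pw) > EJB_PASSWORD_MAX_LEN:
        errors.append(f"EJB user password is {len(pw)} characters; limit is {EJB_PASSWORD_MAX_LEN}")
    if str(ws.get("encryption", "")).lower() not in ("true", "on"):
        errors.append("Encryption is off: database, directory and EJB passwords would not be encrypted")
    return errors


# Constructed sample worksheet using the guide's defaults and example values.
SAMPLE = {
    "heartbeat_seconds": 30, "recycle_bin_age_days": 62,
    "maximum_pool_size": 100, "initial_pool_size": 50, "increment_count": 3,
    "db_pool_initial": 5, "db_pool_maximum": 50, "list_page_size": 50,
    "base_server_url": "http://hostname:9080/itim/console",
    "itim_dn_location": "dc=com",
    "ejb_user_password": "ejbpassw0rd",   # 11 characters, within the limit
    "encryption": "True",
}

if __name__ == "__main__":
    for line in check_worksheet(SAMPLE) or ["worksheet is consistent"]:
        print(line)
```

Run it against the values you actually intend to type into the installer; a non-empty list is a worksheet to correct before installation, not after.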


Appendix E. Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Copyright IBM Corp. 2009

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged should contact:

IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at http://www.ibm.com/legal/copytrade.shtml.

The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both: IBM, IBM logo, AIX, DB2, Domino, Lotus, SecureWay, Tivoli, Tivoli logo, Universal Database, WebSphere.

Adobe, Acrobat, Portable Document Format (PDF), and PostScript are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.

Cell Broadband Engine and Cell/B.E. are trademarks of Sony Computer Entertainment, Inc., in the United States, other countries, or both and are used under license therefrom.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.

ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.

IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.

Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Other company, product, or service names may be trademarks or service marks of others.


Glossary

A

access. (1) The ability to read, update, delete, or otherwise use a resource. Access to protected resources is usually controlled by system software. (2) The ability to use data that is stored and protected on a computer system.

access control. In computer security, the process of ensuring that users can access only those resources of a computer system for which they are authorized.

access control list. In computer security, a list that is associated with a resource that identifies all the principals that can access the resource and the permissions for those principals. See also permission and principal.

access control item (ACI). Data that (a) identifies the permissions of principals and (b) is assigned to a resource.

account. An entity that contains a set of parameters that define the application-specific attributes of a principal, which include the identity, user profile, and credentials.

ACI target. The resource for which you define the access control items. For example, an ACI target can be a service.

activity. In a workflow, the smallest unit of work. When a request requires approval, information, or additional actions, the workflow for that request generates the appropriate activities, which are presented in the appropriate users' to-do lists. See also workflow.

adapter. (1) A set of software components that communicate with an integration broker and with applications or technologies in order to perform tasks, such as executing application logic or exchanging data. (2) A transparent, intermediary software component that allows different software components with different interfaces to work together.

administrative domain. A logical collection of resources that is used to separate responsibilities and manage permissions. See also permission.

adopt. To assign an orphan account to the appropriate owner. See also orphan account.

adoption rules. The set of rules that determine which orphan accounts belong to which owners. See also orphan account.

agent. A process that manages target resources on behalf of a system such that the system can respond to requests.

aggregate message. A collection of notification messages that are combined into a single e-mail, along with optional user-defined text.

alias. In identity management, an identity for a user, which might match the user ID. The alias can be used during reconciliation to determine who owns the account. A person can have several aliases, for example, GSmith, GWSmith, and SmithG.

application server. A server program in a distributed network that provides the execution environment for an application program.

application user administrator. A type of person who uses Tivoli Identity Manager to set up and administer (a) the services that are managed by Tivoli Identity Manager or (b) the Tivoli Identity Manager users of those services.

approval. A type of workflow activity that allows someone to approve or reject a request. See also workflow.

audit trail. A chronological record of events or transactions. You can use audit trails for examining or reconstructing a sequence of events or transactions, managing security, and for recovering lost transactions.

authentication. The process of verifying that an entity is the entity that it claims to be, often by verifying a user ID and password combination. Authentication does not identify the permissions that a person has in the system. See also authorization.

authorization. The process of granting a user, system, or process either complete or restricted access to an object, resource, or function. See also authentication.

authorization owner. A user who can manage access control items (ACIs) for a resource.

C

certificate. In computer security, a digital document that binds a public key to the identity of the certificate owner, thereby enabling the certificate owner to be authenticated. A certificate is issued by a certificate authority and is digitally signed by that authority. See also certificate authority.

Certificate Authority (CA). An organization that issues certificates. The CA authenticates the certificate owner's identity and the services that the owner is authorized to use, issues new certificates, renews existing certificates, and revokes certificates that belong to users who are no longer authorized to use them.

challenge-response authentication. An authentication method that requires users to respond to a prompt by providing information to verify their identity when they log in to the system. For example, when users forget their password, they are prompted (challenged) with a question to which they must provide an answer (response) in order to either receive a new password or receive a hint for specifying the correct password.

comma separated values (CSV) file. See CSV file.

Common Criteria. A standardized method, which is used by international governments, the United States federal government, and other organizations, for expressing security requirements in order to assess the security and assurance of technology products.

connector. A plug-in that is used to access and update data sources. A connector accesses the data and separates out the details of data manipulations and relationships. See also adapter.

credentials. Authentication information that is associated with a principal. See also authentication and principal.

CSV file. A common type of file that contains data that is separated by commas.

D

DAML. See Directory Access Markup Language.

data model. A description of the organization of data in a manner that reflects the information structure of an enterprise.

data warehouse. (1) A subject-oriented collection of data that is used to support strategic decision making. (2) A central repository for all or significant parts of the data that an organization's business systems collect.

delegate (noun). The user who is designated to approve requests or provide information for requests for another user.

delegate (verb). (1) To assign all or a subset of administrator privileges to a user, such that the user can perform all or a subset of administrator activities for a specific set of users. (2) To designate a user to approve requests or provide information for requests for another user.

delegate administrator. The user who has all or a subset of administrator privileges over a specific set of users.

delegate administration. The ability to apply all or a subset of administrator privileges to another user (the delegate administrator), such that the user can perform all or a subset of administrator activities for a specific set of the users.

deprovision. To remove a service or component. For example, to deprovision an account means to delete an account from a resource. See also provision.

digital certificate. An electronic document that is used to identify an individual, server, company, or some other entity, and to associate a public key with the entity. A digital certificate is issued by a certification authority and is digitally signed by that authority. See also Certificate Authority.

Directory Access Markup Language (DAML). An XML specification that extends the functions of Directory Services Markup Language (DSML) 1.0 in order to represent directory operations. In Tivoli Identity Manager, DAML is mainly used for server-to-agent communications. See also Directory Services Markup Language 2.0.

directory server. A server that can add, delete, change, or search directory information on behalf of a client.

Directory Services Markup Language 1.0 (DSML1). An XML implementation that describes the structure of data in a directory and the state of the directory. DSML can be used to locate data in a directory. DSML1 is an open standard defined by OASIS. See also Directory Services Markup Language 2.0.

Directory Services Markup Language 2.0 (DSML2). An XML implementation that describes the operations that a directory can perform (such as how to create, modify, and delete data) as well as the results of those operations. Whereas DSML1 can be used to describe the structure of data in a directory, DSML2 can be used to communicate with other products about that data. DSML2 is an open standard defined by OASIS. See also Directory Services Markup Language 1.0.

distinguished name (DN and dn). The name that uniquely identifies an entry in a directory. A distinguished name is made up of name-component pairs. For example: cn=John Doe,o=My Organization,c=US

domain administrator. The owner of an administrative domain. See also administrative domain.

dynamic content tags. A set of XML tags (based on the XML Text Template Language (XTTL) schema) that enables the administrator to provide customized information in a message, notification, or report. See also XML Text Template Language.

dynamic organizational role. An organizational role that is assigned to a person by using an LDAP filter. When a user is added to the system and the LDAP filter parameters are met, the user is automatically added to the dynamic organizational role. See also organizational role.

E

entitlement. In security management, a data structure, service, or list of attributes that contains externalized security policy information.

entitlement workflow. A workflow that defines the business logic that is used when provisioning a policy. For example, an entitlement workflow is used to define approvals for managing accounts. See also workflow.

entity. An object about which you want to store information or that you want to manage. For example, a person and an account are both entities.

entity type. Categories of managed objects. See also entity.

escalation. The process that defines what happens and who acts when an activity was not completed in the specified amount of time.

escalation limit. The amount of time, for example, hours or days, that a participant has to respond to a request before an escalation occurs. See also escalation.

event. The encapsulated data that is sent as a result of an occurrence, or situation, in the system.

F

failover. An automatic operation that switches to a redundant or standby system in the event of a software, hardware, or network interruption.

FESI. See Free EcmaScript Interpreter.

FESI extension. A Java extension that can be used to enhance JavaScript code and then be embedded within a FESI script.

Free EcmaScript Interpreter (FESI). An implementation of the EcmaScript scripting language, which is an ISO standard scripting language that is similar to the JavaScript scripting language.

G

group. A collection of Tivoli Identity Manager users.

H

help desk assistant. A person who uses Tivoli Identity Manager to assist users and managers with managing their accounts and passwords.

I

identity. The subset of profile data that uniquely represents a person or entity and that is stored in one or more repositories.

identity feed. The automated process of creating one or more identities from one or more common sources of identity data.

identity policy. The policy that defines the user ID to be used when creating an account for a user.

IIOP (Internet Inter-ORB Protocol). A protocol used for communication between Common Object Request Broker Architecture (CORBA) object request brokers.

ITIM group. A list of Tivoli Identity Manager accounts. Membership within an ITIM group determines the access to data within Tivoli Identity Manager.

ITIM user. A user who has a Tivoli Identity Manager account.

J

Java Database Connectivity. See JDBC.

JDBC (Java Database Connectivity). An industry standard for database-independent connectivity between the Java platform and a wide range of databases. The JDBC interface provides a call-level API for SQL-based and XQuery-based database access.

join directive. The set of rules that define how to handle attributes when two or more provisioning policies are applied. Two or more policies might have overlapping scope, so the join directive specifies what actions to take when this overlap occurs.

L

LDAP (Lightweight Directory Access Protocol). An open protocol that uses TCP/IP to provide access to directories that support an X.500 model and that does not incur the resource requirements of the more complex X.500 Directory Access Protocol (DAP). For example, LDAP can be used to locate people, organizations, and other resources in an Internet or intranet directory.

LDAP Data Interchange Format. See LDIF.

LDAP directory. A type of repository that stores information on people, organizations, and other resources and that is accessed using the LDAP protocol. The entries in the repository are organized into a hierarchical structure, and in some cases the hierarchical structure reflects the structure or geography of an organization.

LDAP filter. A search filter that narrows the results from an LDAP search.

LDIF (LDAP Data Interchange Format). A file format that is used to describe directory information as well as changes that need to be applied to a directory, such that directory information can be exchanged between directory servers that are using LDAP.

life cycle. Passage or transformation through different stages over time. For example, markets, brands, and offerings have life cycles.

life cycle rules. A set of rules in a policy that determine which operations to use when automatically handling commonly occurring events, such as suspending an account that has been inactive for a period of time.

Lightweight Directory Access Protocol. See LDAP.

location. An entity that is a subdivision of an organization, usually based on geographical area.

M

mail. A type of workflow activity that sends a notification to one or more users about a request.

managed resource. An entity that exists in the runtime environment of an IT system and that can be managed.

manager. A type of person who uses Tivoli Identity Manager to manage their own accounts and passwords or the accounts and passwords of those people that they supervise.

manual service. A type of service that requires manual intervention by the service owner to complete the provisioning request.

N

namespace. (1) The set of unique names that a service recognizes. (2) Space reserved by a file system to contain the names of its objects.

nested group. A group that is contained within another group. See also group.

notification. A message that is sent to users or systems that indicates that a change was made that might be of interest to the receiver.

O

object class. (1) The specific type of object, or subcategory of classes, that an access control item can protect. For example, if the protection category is account, then the object class can be the type of account, such as an LDAP user account. See also protection category. (2) An entity that defines the schema for a service or an account.

operation. A specific action (such as add, multiply, or shift) that the computer performs when requested.

operational workflow. A workflow that defines the lifecycle process for accounts, persons, and other entities. See also workflow.

organization. A hierarchical arrangement of organizational units, such that each user is included once and only once. See also organizational unit.

organization tree. A hierarchical structure of an organization that provides a logical place to create, access, and store organizational information.

organizational container. An organization, organizational unit, location, business partner unit, or administration domain.

organizational role. In identity management, a list of account owners that is used to determine which entitlements are provisioned to them. See also dynamic organizational role and static organizational role.

organizational unit. A type of organizational container that represents a department or similar grouping of people.

orphan account. On a managed resource, an account whose owner cannot be automatically determined by the provisioning system.

P

participant. In identity management, an individual, a role, a group, or a JavaScript script that has the authority to respond to a request that is part of a workflow. See also workflow.

password. In computer and network security, a specific string of characters that is used by a program, computer operator, or user to access the system and the information stored within it.

password retrieval. In identity management, the method of retrieving a new or changed password by accessing a designated Web site and specifying a shared secret. See also shared secret.

password strength rules. The set of rules that a password must conform to, such as the length of the password and the type of characters that are allowed (or not allowed) in the password.

password policy. A policy that defines the password strength rules. A password strength policy is applied whenever a password is set or modified. See also password strength rules.

password synchronization. The process of coordinating passwords across services and systems such that only a single password is needed to access those multiple services and systems.

permission. Authorization to perform activities, such as reading and writing local files, creating network connections, and loading native code.

person. An individual in the system that has a person record in one or more corporate directories.

personal profile. The data that describes a user within the system, such as the user name, password, contact information, and so on.

plug-in. A software module that adds function to an existing program or application.

policy. A set of considerations that influence the behavior of a managed resource or a user.

post office. A component that collects notifications from the appropriate workflow activities and distributes those notifications to the appropriate workflow participants.

principal. (1) A person or group that has been granted permissions. (2) An entity that can communicate securely with another entity.

privilege. See permission.

profile. Data that describes the characteristics of a user, group, resource, program, device, or remote location.

protection category. The category of classes that an access control item can protect. For example, accounts or persons. See also object class.

provision. (1) In identity management, to set up and maintain the access of a user to a system. (2) In identity management, to create an account on a managed resource.

provisioning. In identity management, the process of providing, deploying, and tracking a service or component.

provisioning policy. A policy that defines the access to various managed resources, such as applications or operating systems. Access is granted to all users, users with a specific role, or users who are not members of a specific role.

R

recertification. The process of validating and possibly updating your credentials with a system, usually after a specified time interval.

recertification policy. A policy that defines the life cycle rule for automatically validating accounts and users in the provisioning system after a certain period of time. See also life cycle rules.

reconciliation. The process of synchronizing data in a central data repository with data on a managed resource.

registration. The process of accessing a system and requesting an account on that system.

registry. A repository that contains access and configuration information for users, systems, and software.

relationship. A defined association between two or more data entities, which is used when defining a Free EcmaScript Interpreter (FESI) extension or when customizing the graphical user interface.

relevant data. The data that is used to complete a workflow activity in a workflow operation at runtime. See also workflow.

repository. A persistent storage area for data and other application resources. Common types of repositories are databases, directories, and file systems.

request. The item that initiates a workflow and instigates the various activities of a workflow. See also workflow.

request for information (RFI). A workflow activity that requests additional information from the specified participant. See also workflow.

resource. A hardware, software, or data entity. See also managed resource.

restore. To activate an account that was suspended.

rights. See permission.

rule. A set of conditional statements that enable computer systems to identify relationships and execute automated responses accordingly.

S

schema. The fields and rules in a repository that comprise a profile. See also profile.

scope. In identity management, the set of entities that a policy or an access control item (ACI) can affect.

Secure Sockets Layer (SSL). A security protocol that provides communication privacy. With SSL, client/server applications can communicate in a way that is designed to prevent eavesdropping, tampering, and message forgery.

security. The protection of data, system operations, and devices from accidental or intentional ruin, damage, or exposure.

security administrator. A type of person who sets up and administers Tivoli Identity Manager for users, managers, help desk assistants, and application user administrators.

self-registration. See registration.

service. A representation of a managed resource, application, database, or system.

service owner. An individual who uses Tivoli Identity Manager to set up and administer the accounts on the services that are managed by Tivoli Identity Manager. See also service.

service selection policy. A policy that determines which service to use in a provisioning policy. See also provisioning policy.

service type. A category of related services that share the same schemas. See also service.

shared secret. An encrypted value that is used to retrieve the initial password of a user. This value is defined when the personal information for the user is initially loaded into the system.

single sign-on (SSO). The ability of a user to log on once and access multiple applications without having to log on to each application separately.

static organizational role. An organizational role that is manually assigned to a person. See also organizational role.

supervisor. A role that identifies the person who supervises another set of users and who is often responsible for approving or rejecting requests that are made by those users.

suspend. To deactivate an account so that the account owner cannot access the service.

system administrator. An individual who is responsible for the configuration, administration, and maintenance of Tivoli Identity Manager.

T

tenant. In a hosted service environment, a virtual enterprise instance of an application. Each tenant can share directory servers or relational databases while remaining a completely separate service instance.

to-do list. A collection of outstanding activities. See also activity.

topic. The subject of a notification message, which allows messages to be grouped together based on the same task.

transition. A connection between two workflow elements. See also workflow.

U

universally unique identifier (UUID). The 128-bit numerical identifier that is used to ensure that two entities do not have the same identifier. The identifier is unique for all space and time.

user. (1) Any individual, organization, process, device, program, protocol, or system that uses the services of a computing system. (2) The individual who uses Tivoli Identity Manager to manage their accounts and passwords.

V

view. A collection of various graphical user interfaces for a product that represent the set of tasks that a particular type of user is allowed to perform. Administrators can customize views to contain different collections of graphical user interfaces.

W

workflow. The sequence of activities performed in accordance with the business processes of an enterprise. See also activity.

work order. A workflow activity that requires a participant to perform an activity outside of the scope of the system. See also workflow.

X

XML Text Template Language (XTTL). An XML schema that provides a means for representing dynamic content within a message, notification, or report. The XML tags are also called dynamic content tags. See also dynamic content tags.
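The glossary entries for "dynamic organizational role" and "LDAP filter" describe a mechanism rather than a static definition: role membership is recomputed from an LDAP filter whenever a person is added or changed. The script below is an added example, not Tivoli Identity Manager code or its filter engine. It implements the subset of RFC 4515 filter syntax needed to show the idea (&, |, !, equality, presence and substring matches) and evaluates a role filter over a few constructed person records; the attribute names, values and filter are made up for the demonstration.

```python
"""Evaluate a dynamic organizational role's LDAP filter against person entries.

Added example, not IBM code. Implements a subset of RFC 4515 search filters
(&, |, !, attr=value, attr=*, attr=sub*string) and applies one filter to a
set of constructed person records to derive role membership. Matching is
case-insensitive, as it is for the usual LDAP string syntaxes.
"""
import fnmatch


def parse_filter(text):
    """Parse an LDAP search filter string into a nested tuple AST.

    Returns ("&"|"|"|"!", [children]) or ("=", attr, value). Raises
    ValueError on malformed input instead of silently matching nothing.
    """
    pos = 0

    def parse():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(parse())
            if pos >= len(text) or text[pos] != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            pos += 1
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one operand")
            if not children:
                raise ValueError(f"'{op}' needs at least one operand")
            return (op, children)
        end = text.index(")", pos)             # ValueError if unterminated
        attr, sep, value = text[pos:end].partition("=")
        if not attr or not sep:
            raise ValueError(f"bad simple filter at offset {pos}")
        pos = end + 1
        return ("=", attr.lower(), value)

    node = parse()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return node


def matches(node, entry):
    """True when entry (dict of lower-case attr -> list of str) satisfies node."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = [v.lower() for v in entry.get(attr, [])]
    if value == "*":                            # presence filter
        return bool(values)
    if "*" in value:                            # substring filter ('*' wildcards only)
        return any(fnmatch.fnmatchcase(v, value.lower()) for v in values)
    return value.lower() in values              # equality filter


def role_members(filter_text, people):
    """Return the sorted uids of the people who currently satisfy the role filter."""
    node = parse_filter(filter_text)
    return sorted(uid for uid, entry in people.items() if matches(node, entry))


# Constructed person entries; attribute names and values are made up.
PEOPLE = {
    "gsmith": {"department": ["Finance"], "title": ["Analyst"], "employeetype": ["Employee"]},
    "jdoe":   {"department": ["Finance"], "title": ["Senior Analyst"], "employeetype": ["Contractor"]},
    "akhan":  {"department": ["IT"], "title": ["Analyst"], "employeetype": ["Employee"]},
    "nolee":  {"department": ["Finance"], "employeetype": ["Employee"]},
}

# Hypothetical role: Finance people with a title on record, excluding contractors.
FINANCE_EMPLOYEES = "(&(department=Finance)(title=*)(!(employeeType=Contractor)))"

if __name__ == "__main__":
    print(role_members(FINANCE_EMPLOYEES, PEOPLE))
    # A department change is enough to move a person into the role on the next evaluation.
    PEOPLE["akhan"]["department"] = ["Finance"]
    print(role_members(FINANCE_EMPLOYEES, PEOPLE))
```

The point for a reviewer of role filters is the negative branch: a filter that omits the `(!(employeeType=Contractor))` term, or spells the attribute name differently from the schema, silently widens the role, and because membership is recomputed automatically the widening is applied to every new person without any approval activity.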

Index

Special characters
.profile file, Oracle 21
IDI_HOME, IBM Tivoli Directory Integrator Server installation directory xiii

Numerics
50000, default DB2 listening port number 17
50002, default DB2 listening port number 17
60000, default DB2 listening port number 17

A
accessibility: pdf format, for screen-reader software xi; statement for documentation xi; text, alternative for document images xi
account, LDAP storage 2
active scripting, browser 102
adapter: agent-less or agent-based 4; definition 4; location 4
addserviceselectionpolicy.xml, workflow process file 107
adhocreporting.properties 106
administrative: system management interface tool SMIT 16; system management tool admintool 16; user ID, DB2 11; mapping to role 137
administrative security and application security: itimadmin 138; wasadmin 138
admintool, administrative tool (Solaris) 16
alias, database 80
api_ejb.jar 108
app_ctl_heap_sz example, update database 17, 36
applheapsz example, update database 17, 36
application server, WebSphere Application Server 3
audience, who should read this book ii
authentication alias, itim-init 99
authority: installing Tivoli Identity Manager Server 51, 61; logon user ID in Administrator Group 51, 61; root, ensuring 51, 61; was.policy file 138

B
backup, Oracle 21
books, see publications x
browser: active scripting 102; two session problems 102; using supported 102

C
CA certificate, preserved during upgrade 106
certificate: CA, preserved during upgrade 106; demonstration, upgraded 106; identical directory requirement, cluster member 61
CLASSPATH, verifying database 99
Classpath field, specifying data directory 97
cleanup: cron job 79; recycle bin age limit 79
client: database, DB2 10; on remote computer 10; interface 1; upgrading duplicate properties files 108
cluster: configuration, WebSphere Application Server 5; definition 5; expanding, new computer 73; installation: restart after 69, sequence 62, sequential requirement 62, Tivoli Identity Manager Server 60, wizard 62; member: certificate files 61, certificate recognition 61, deployment manager installation deploys Tivoli Identity Manager 62, HR feed 61, identical database specification 80, identical directory requirement 61, identical LDAP specification 65, installation sequence after deployment manager 62, multiples on same computer 64, new, adding to cluster 73, partial start 70, removing 73; prerequisites: database 61, deployment manager 61, directory server 61, JMS servers 61, node agents 61, WebSphere Application Server base 61; remove member 73

Copyright IBM Corp. 2009 161

cluster (continued): Tivoli Identity Manager installation wizard 63
command: db2: create 17, force application all 17, 36, update 17, 36; db2cmd 16, 35; db2fs 12; db2level 12; db2ls 12; db2set 17; db2start 17, 36; db2stop 17, 36; java 71; ldapclean 79; ldapsearch 32; line, Linux systems xi; line, Windows systems xi; logon 70; runconfig 77; serverstatus 96; startserver 56; stopserver 55; versioninfo.bat 43, 44; versioninfo.sh 44
configuration: database 75; DB2: create user itimuser 16, performance 18; overview 1; SQL Server 2005 24, 25; Sun Enterprise Directory Server 36; Tivoli Identity Manager: Database tab 80, Directory tab 79, enrole.properties 78, General tab 78, Logging tab 80, Mail tab 80, Security tab 82, UI tab 81; WebSphere Application Server: cluster 5, preserved during upgrade 106, single-server 4
configuration file, ibmslapd.conf 33, 34
configuring SSL: IBM Tivoli Directory Server 133; Sun Enterprise Directory Server 133
conflict, HTTP server ports 48
connection: Increment Count 79; Initial Pool Size 79; JDBC 80; Maximum Pool Size 79; pool, LDAP 79
conventions: home directory, DB_INSTANCE_HOME xii; HOME directory: IDI_HOME xiii, TIVOLI_COMMON_DIRECTORY xiii, DB_HOME xii, ITDS_HOME xii, ITIM_HOME xiii, WAS_HOME xiii, WAS_NDM_PROFILE_HOME xi, WAS_PROFILE_HOME xiii; typeface xi; used in this document xi; variables, directory notation xi
create, db2 command 17, 36
crystal.properties 106
CTGIM, Tivoli Common Directory 55, 66
customer: logo image file 81; link 81; upgrading manually 117
CustomLabels_en.properties 106
CustomLabels.properties 106

D
data: directory: contains properties file 97, copied during upgrade 106, specified by Classpath field 97; historical, on database 1; initializing LDAP suffix 32; organizational, on directory server 2, 27; transactional, on database 1; user account, on directory server 2, 27
database: itim_dbname: create 17, update 17, 36; authentication alias, itim-init 99; CLASSPATH 99; client, remote computer 10; command to create 17; configuration: fields 76, initial 75, installing 9; connection, testing 98; DB2: initially empty 10, select during installation 54, 64; enroledatabase.properties file 99; fix pack 12, 29; historical data 1; installation 9; installation, configuration 9; installing 9; itimdb 80; database name 16; JDBC connections 80; login delay 80; name alias 80; Oracle: .profile file 21, environment variables 21

database (continued): Oracle (continued): init.ora file 21, install, configure 18, java_pool_size parameter 21, JVM feature required by Tivoli Identity Manager 20, processes parameter 21, select during installation 54, 64, shared_pool_size parameter 21; schema preserved during upgrade 106; select during installation 54, 64; server, definition 1; session persistence, Oracle environment variables 21; SQL Server, select during installation 54, 64; tab 80; TCP/IP 17; transactional data 1; upgrade, schema preserved 106; user itimuser 80
database creation, SQL Server 2005 25
DB_HOME: DB2 installation directory xii; definition xii
DB_INSTANCE_HOME: DB2 installation directory xii; definition xii
db2 force application all, command 17, 36
DB2: Administrative user ID 11; client on remote computer 10; command: create 17, db2 force application all 17, 36, db2cmd 16, 35, db2set 17, db2start 17, 36, db2stop 17, 36, update 17, 36; configuration: create user itimuser 16, performance 18, service listening port number 17, steps 15, TCP/IP communication 17; db2admin 11; db2admin, instance name on UNIX and Linux 10; db2admin, user ID on UNIX and Linux 10; deployment 10; First Steps 11; home directory for Windows 11; home directory on UNIX and Linux 11; initially empty 10; instance name db2 on Windows 11; instance, db2admin on UNIX and Linux 10; out of memory error 18; relation to Tivoli Identity Manager 10; runtime adjustment 15; storage space 18; user ID, db2admin on UNIX and Linux 10; user named itimuser 16; wizard, verifying installation 11
db2 command: create 17; update 17, 36
DB2 runtime client, type of JDBC driver 2
DB2 Server: deployment 10; fix pack 12; install, configure 10
db2admin 11
db2admin, instance user ID for UNIX and Linux 10
db2admin, user ID for UNIX and Linux 10
DB2COMM 17
db2fs, command 12
db2level, command 12
db2ls, command 12
db2set command 16, 17, 35; DB2COMM 17
db2start, command 17, 36
db2stop, command 17, 36
dbconfig.stdout 104
dc=com, permissions 32
default: ibm_banner.gif 81; logo image file 81
demonstration certificate, upgraded 106
deployment: adapter 4; cluster member 73; DB2 10; IBM HTTP Server 42, 44; IBM Tivoli Directory Integrator 39; IBM Tivoli Directory Server 27; planning steps 5; WebSphere Web Server plug-in 42, 44
deployment manager: database configuration 75; LDAP data repository 77; propagating Tivoli Identity Manager Server 62; running before installing Tivoli Identity Manager Server 96
directory: IDI_HOME xiii; DB_HOME xii; DB_INSTANCE_HOME xii; identical requirement, on cluster members 61; installation: DB2 xii, IBM Tivoli Directory Integrator Server xiii, IBM Tivoli Directory Server xii, WebSphere Application Server base product xiii, xi; ITDS_HOME xii; ITIM_HOME xiii; names, operating system notation xi; WAS_HOME xiii; WAS_NDM_PROFILE_HOME xi; WAS_PROFILE_HOME xiii
directory integrator: definition 3; installing 39; LDAP directory 3
directory server: definition 2; determination if running 101; host name 79

directory server (continued): ibmslapd process 101; ibmslapd.log file 101; identity management 2; LDAP directory 2; organizational data 2, 27; port number 79; Principal DN 79; process ID (PID) 101; user account data 2, 27
disabilities, using documentation xi
DN, top entry in a locally held directory hierarchy 29
documents: related x; Tivoli Identity Manager library ii
domain, objectclass 32
driver, JDBC 2
Dynamic Role Add/Modify/Remove, workflow process 107

E
e-mail: address for the Tivoli Identity Manager Server 81; mail gateway 81; system administrator address 81
editing password 85
EJB user: initial values 82; itimadmin 138; length limit 82; manual steps 82; mapping 137; updating 82, 138
embedded HTTP transport, WebSphere logon 70
empty, DB2 10
encryption: enrole.password.appserver.encrypted 82; enrole.password.database.encrypted 82; enrole.password.ldap.encrypted 82; enrole.properties 82; key 54, 65; settings 82
enrole.password.appserver.encrypted 82
enrole.password.database.encrypted 82
enrole.password.ldap.encrypted 82
enrole.properties: /data directory 85; configuring Tivoli Identity Manager Server 78; encryption properties 82; preserved during upgrade 106
enroleauditing.properties 106
enroleauthentication.properties 106
enroledatabase.properties 106
enroledatabase.properties file 99
enroleldapconnection.properties 106
enrolelogging.properties 106
enrolemail.properties 106
enroleworkflow.properties 106
environment variable: DB2COMM 17; operating system notation xi; Oracle 21; processes, Oracle 21; setting with .profile file 21; shared_pool_size, Oracle 21
expired password 85

F
First Steps: DB2 installation 11; verifying WebSphere installation 43, 44, 46
fix pack: database 12, 29; IBM Tivoli Directory Integrator 39; IBM Tivoli Directory Server 28

G
garbage cleanup: recycle bin age limit 79; schedule_garbage.cron 79

H
heap size, DB2 18
heart beat 78
home directories: IDI_HOME xiii; DB_HOME xii; DB_INSTANCE_HOME xii; DB2 for Windows 11; DB2 on UNIX and Linux 11; ITDS_HOME xii; ITIM_HOME xiii; WAS_HOME xiii; WAS_NDM_PROFILE_HOME xi; WAS_PROFILE_HOME xiii
host name, directory server 79
HTTP, embedded HTTP transport, WebSphere 70

I
IBM HTTP Server: deployment 42, 44; installing 48; separate computer recommended 48
IBM logo file, default 81
IBM Tivoli Directory Integrator: deployment 39; fix pack 39; install, configure 39
IBM Tivoli Directory Server: deployment 27; fix pack 28; install, configure 27; LDAP suffix 29; referential integrity file 29; setting up 29; SSL, configuring 133
ibm_banner.gif 81
ibmslapd: log file 34, 35; process running 101
ibmslapd.log file 101
identical directory, cluster members 61

identity feed, lost if running during upgrade 107
image: directory 81; logo 81
Increment Count, LDAP 79
init.ora file, Oracle 21
Initial Pool Size, LDAP 79
instaix.bin, installation program 52, 62, 111, 114
installation: database 9; directory: DB2 xii, IBM Tivoli Directory Integrator Server xiii, IBM Tivoli Directory Server xii, WebSphere Application Server base product xiii, xi; IBM HTTP Server 42, 44, 48; instaix.bin 52, 62, 111, 114; instlinux.bin 52, 63, 111, 114; instplinux.bin 52, 63, 111, 114; instsol.bin 53, 63, 111, 114; instwin.exe 52, 62, 111, 113; instzlinux.bin 53, 63, 111, 114; logs 104; restarting clusters 69; select database 54, 64; sequence: cluster 62, single-server 52; SQL Server 2005 24; Sun Enterprise Directory Server 36; Tivoli Identity Manager Server: authority 51, 61, cluster 60, single-server 51; verifying: Tivoli Identity Manager Server 59, 70, 96, WebSphere installation 43, 44, 46; WebSphere Application Server 41; WebSphere Web Server plug-in 42, 44, 48
instance name: DB2 10; DB2 on Windows 11
instlinux.bin, installation program 52, 63, 111, 114
instplinux.bin, installation program 52, 63, 111, 114
instsol.bin, installation program 53, 63, 111, 114
instwin.exe, installation program 52, 62, 111, 113
instzlinux.bin, installation program 53, 63, 111, 114
Internet Explorer, active scripting 102
ITDI_HOME, definition xiii
ITDS_HOME: definition xii; IBM Tivoli Directory Server installation directory xii
ITIM user 60, 70, 97
itim_adhocsync queue 117
itim_api.jar 108
ITIM_DB_JDBC_DRIVER_PATH 99
ITIM_HOME: definition xiii; directory xiii
itim_installer_debug.txt 104
itim_ms queue 116
itim_rs queue 116, 117
itim_server_api.jar 108
itim_wf queue 116
itim_wf_pending queue 116
itim-init, authentication alias 99
itimadmin, EJB user 138
itimdb database: database name 16; host name 80; setting initial values, SQL Server 2005 25; SQL Server 2005 25
itimuser: default user ID, database 80; password identical in enroledatabase.properties file 99; user: create 16, on DB2 server 16, privileges, no special 16
itimxlp_setup.jar 71

J
jar file: 21; api_ejb.jar 108; itim_api.jar 108; itim_server_api.jar 108; itimxlp_setup.jar 71; jlog.jar 108; manual upgrade 108
Java 2 security: customization, upgrading manually 117; lost during upgrade 107
Java Runtime Environment: language pack 71; required level 71
java_pool_size parameter, Oracle 21
java, command 71
JDBC: connection fields 80; driver 21: DB2 runtime client 2, SQL Server 2005 25, type 2 2
JDBC driver for Oracle 21
jlog.jar 108

K
kernel settings for DB2 9

L
language: on installation panels 53, 63; pack: default not English 71, installing 71, jar file name 71, Java Runtime Environment 71
LDAP: connection increment 79; connection pool 79; directory integrator 3; directory server 2; initial configuration 77

LDAP (continued): initial connections 79; maximum connections 79; suffix: definition 29, IBM Tivoli Directory Server 29, initializing with data 32, verifying configuration 32
ldapclean, command 79
ldapconfig.stdout 104
ldapsearch, command 32
libdelref: success message 34, 35; testing configuration 34, 35
limit, recycle bin age 79
list page size, as search control 82
listener service, Oracle 24
logging: dbconfig.stdout 104; ibmslapd.log file 101; install 104; itim_installer_debug.txt 104; ldapconfig.stdout 104; log.txt 104; MAX 80; MED 80; MIN 80; performance settings 80; runconfigtmp.stdout 104; setupenrole.stdout 104; StartStopWas.stdout 104; system properties 84; tab 80; tracing 80
logo: customized, lost during upgrade 107; customized, upgrading manually 117; default image 81
logon: attempts 85; command 70
logs: installation 104; msg.log 104; trace.log 104
lost password 85

M
mail tab 80
manuals, see publications x
MAX, logging 80
Maximum Pool Size, LDAP 79
MED, logging 80
message, preoperation 34, 35
MIN, logging 80
msg.log: in Tivoli Common Directory 104; verifying Tivoli Identity Manager Server 97
multi-node security: node synchronization 139; timeout interval 139

N
name, database 80
naming context, definition 29
node synchronization, multi-node deployment 139
notifytemplate.html, workflow process file 107

O
objectclass: domain 32; top 32
online publications, accessing x
operating system identity provisioning 3
Oracle: .profile file 21; backup 21; command to start server 24; environment variables 21; init.ora file 21; install, configure 18; java_pool_size parameter 21; JDBC driver 21; JVM feature required by Tivoli Identity Manager 20; listener service 24; processes parameter 21; session persistence 21; shared_pool_size parameter 21; SQL script example 22
organization data, on directory server 27
out of memory error, DB2 18

P
password: editing 85; expiration period 85; itimuser user, password identical in enroledatabase.properties file 99; lost 85; retrieval expiration period 85
path names, notation xi
pdf format, for screen-reader software xi
performance: DB2 18; LDAP connection 79; tracing level 80
permissions: dc=com 32; libdelref file 33; referential integrity file 33; was.policy file 138
planning, major steps in installation 5
plug-in: default installation directory 33; file permissions 33; referential integrity file 32; WebSphere Web Server plug-in 42, 44
Policy Add/Modify/Remove, workflow process 107
pool, JDBC connections, database 80

port: 50000 17; 50002 17; 60000 17; 9080 70; directory server 79; in services file 17; service listening 17
preoperation, message 34, 35
prerequisite: cluster: database 61, deployment manager 61, directory server 61, JMS servers 61, node agents 61, WebSphere Application Server base 61; single-server: database 52, directory server 52, IBM Tivoli Directory Integrator 52, WebSphere Application Server 52
Principal DN, directory server 79
privilege: logon 52, 62; user, itimuser 16
problem determination: browser: avoiding two sessions 102, using supported 102; database authentication alias 99; database connection: CLASSPATH 99, testing 98; DB2 user ID, password 99; directory server: ibmslapd.log 101, process ID (PID) 101; embedded HTTP transport, WebSphere logon 70; installation: database configuration 56, 67, database connection 98, DBConfig 56, 67, directory server configuration 57, 67, file permissions 95, hardware, software prerequisites 95, ldapconfig 57, 67, log files 58, 68, 95, permissions and display variables 95, real memory 95, SOAP connection 58, 69, 103, SQL Server 2005 100, 101, wasadmin user ID 59, 69, 103, WebSphere Application Server 56, wsadmin 58, 68, 102; logs and directories 104; properties files 97; SQL Server 2005: restrictions 101, testing 100; Tivoli Identity Manager: embedded HTTP transport, WebSphere 70, ITIM_HOME\data directory 97, msg.log file 97, properties files 97, SystemOut.log file 96, trace.log file 96; WebSphere Application Server: server1 96, serverstatus command 96
process file, workflow: addserviceselectionpolicy.xml, preserved during upgrade 107; notifytemplate.html, preserved during upgrade 107
process, workflow: Dynamic Role Add/Modify/Remove, lost if running during upgrade 107; Policy Add/Modify/Remove, lost if running during upgrade 107
processes parameter, Oracle 21
properties: configuring with Tivoli Identity Manager GUI 85; enroledatabase.properties file 99; file: configure 78, data directory 97, encryption 82, enrole.properties 78, list 85, security tab 82, SystemOut.log file, indicating error 97; heart beat 78; recycle bin age limit 79; tracing 80
properties file: client, upgrading duplicate files 108; file: adhocreporting.properties 106, crystal.properties 106, CustomLabels_en.properties 106, CustomLabels.properties 106, enrole.properties 106, enroleauditing.properties 106, enroleauthentication.properties 106, enroledatabase.properties 106, enroleldapconnection.properties 106, enrolelogging.properties 106, enrolemail.properties 106, enroleworkflow.properties 106, scriptframework.properties 107, SelfServiceHelp.properties 107, SelfServiceHomePage.properties 107, SelfServiceScreenText_en.properties 107, SelfServiceScreenText.properties 107, SelfServiceUI.properties 107, ui.properties 106; preserved during upgrade 106; upgrade, preserved: adhocreporting.properties 106, crystal.properties 106, CustomLabels_en.properties 106, CustomLabels.properties 106, enrole.properties 106, enroleauditing.properties 106, enroleauthentication.properties 106, enroledatabase.properties 106, enroleldapconnection.properties 106, enrolelogging.properties 106, enrolemail.properties 106

properties file (continued): upgrade, preserved (continued): enroleworkflow.properties 106, scriptframework.properties 107, SelfServiceHelp.properties 107, SelfServiceHomePage.properties 107, SelfServiceScreenText_en.properties 107, SelfServiceScreenText.properties 107, SelfServiceUI.properties 107, ui.properties 106
provisioning: identity 3; relational database 1
publications: accessing online x; related x; Tivoli Identity Manager library ii

Q
queue: itim_adhocsync 117; itim_ms 116; itim_rs 116, 117; itim_wf 116; itim_wf_pending 116; runmqsc.exe utility 116; workflow, determining status 116

R
reconciliation, lost if running during upgrade 107
recycle bin age limit 79
referential integrity file: definition 32; file permissions 33; IBM Tivoli Directory Server 29; loading success message 34, 35; steps to configure 32; testing configuration 34, 35
regular-cluster configuration: installing 62; selecting 64
remote computer, database client 10
removing cluster member 73
requirement: cluster 61; single-server 52
retrieval period, password 85
root: logon user ID, to install Tivoli Identity Manager Server 51, 61; using system management tool 16
runconfig: change password, itimuser user 85; command 77; configuring Tivoli Identity Manager Server 77; EJB user 85; password encryption 85; system properties 85
runconfigtmp.stdout 104
runmqsc.exe utility, for queue status 116
running process: database 99; directory server 101; logs and directories 104; using runconfig (System Configuration) 85; WebSphere Application Server 96
runtime: adjust DB2 15; client DB2 2; environment, WebSphere Application Server 3; Java Runtime Environment 71

S
schedule_garbage.cron, job 79
scheduling: heart beat 78; ldapclean 79; periodic cleanup 79; Recycle Bin Age Limit 78; schedule_garbage 79; thread 78
script, create Oracle database 22
scriptframework.properties 107
search, items displayed 82
security: EJB user 137; map administrative user to role 137; multi-node deployment: node synchronization 139, timeout interval 139; tab 82; was.policy file 138
SelfServiceHelp.properties 107
SelfServiceHomePage.properties 107
SelfServiceScreenText_en.properties 107
SelfServiceScreenText.properties 107
SelfServiceUI.properties 107
sequence: installation, cluster 62; installation, single-server 52; requirement, cluster installation 62
serverstatus, command 96
service pack, SQL Server 2005 24
serviceability-related files, Tivoli Common Directory 55, 66
services file, port number 17
session: browser problem 102; LDAP 79; persistence, Oracle environment variables 21
settings: DB2 kernel, on Solaris 9; preserved, upgrading Tivoli Identity Manager 106; runtime, DB2 15; WebSphere Application Server 41
settings for WebSphere Application Server 41
setupenrole.stdout 104
shared_pool_size parameter, Oracle 21
single-server: configuration: installing 51, WebSphere Application Server 4; definition 4; installation: authority 51, 61

single-server (continued): installation (continued): sequence 52, Tivoli Identity Manager Server 51, wizard 53; prerequisites: database 52, IBM Tivoli Directory Integrator 52, WebSphere Application Server 52
SMTP mail host 81
Solaris, kernel settings for DB2 9
source data 3
SQL Server 2005: configuring 25; creating database 25; installing 24; itimdb database 25; service pack, obtaining 24; XA transactions 25
startserver, command 56
StartStopWas.stdout 104
status: Oracle listener 24; queues 116; runmqsc.exe utility, for queues 116; WebSphere Application Server 96
stopserver, command 55
storage space: cluster configuration 61; DB2 18; single-server configuration 51
Sun Enterprise Directory Server: configuring 36; installing 36; SSL, configuring 133
system administrator e-mail address 81
system configuration tool, Logging tab, tracing 80
System Management Interface Tool (SMIT, AIX) 16
system properties: enrole.properties 85; interval to recognize changes 84; logging 84; logon attempts 85; managing 84; manual modification 85; password: editing 85, expiration period 85, lost 85, retrieval expiration period 85; restart Tivoli Identity Manager Server 84; runconfig 85; Web user interface 85
System user, updating 138
SystemOut.log: errors and properties files 97; verifying Tivoli Identity Manager Server 96

T
tab: Database 80; Directory 79; General 78; Logging 80; Mail 80; Security 82; UI 81
TCP/IP configuration, DB2 17
testing: database 99; directory server 101; WebSphere Application Server 96
text, alternative for document images xi
thread scheduling 78
timeout interval, multi-node security 139
Tivoli Common Directory: CTGIM 55, 66; msg.log 104; serviceability-related files 55, 66; trace.log 104
Tivoli Identity Manager Server: configuration: Database tab 80, General tab 78; definition 3; Directory tab 79; installation, configuration 51; installing: authority 51, 61, cluster 60, single-server 51; Logging tab 80; Mail tab 80; msg.log file 97; Security tab 82; SystemOut.log file 96; test communication 95; trace.log file 96; UI tab 81; uninstalling: additional products 125, database tables 125, directory server schema 125, steps 126
Tivoli software information center x
TIVOLI_COMMON_DIRECTORY, definition xiii
top, objectclass 32
trace.log: in Tivoli Common Directory 104; verifying Tivoli Identity Manager Server 96
tracing: logging 80; MAX 80; MED 80; MIN 80; performance settings 80
type 2 JDBC driver 2
typeface conventions xi

U
ui.properties 106

uninstalling Tivoli Identity Manager: additional products 125; database tables 125; directory server schema 125; steps 126; utility for Tivoli Identity Manager 73
update, db2 command 17, 36
upgrading: before upgrading 108; configuration 110, 113; crystal configuration 108; custom logos lost 107; customization: Java 2 security, manually 117, logos, manually 117; duplicate properties files on client side 108; Dynamic Role Add/Modify/Remove lost if running 107; identity feed lost if running 107; jar files for client, manually 108; Java security lost 107; Policy Add/Modify/Remove lost if running 107; reconciliation lost if running 107; shared libraries 108; steps: cluster configuration 113, single-server configuration 111; tasks: cluster configuration 113, single-server configuration 110; Tivoli Identity Manager version 4.6 to 5.1: CA certificates preserved 106, data directory 106, database schema 106, database server 105, demonstration certificate upgraded 106, directory server 105, operating system requirements 105, property files 106, settings preserved 106, stopping WebSphere Application Server 106, upgrade paths 105, WebSphere Application Server configuration 106, WebSphere Application Server installation 105, workflow files 107, workflow_systemprocess directory 107; Tivoli Identity Manager version 5.0 to 5.1: CA certificates preserved 106, data directory 106, database schema 106, database server 105, demonstration certificate upgraded 106, directory server 105, operating system requirements 105, property files 106, settings preserved 106, upgrade paths 105, WebSphere Application Server configuration 106, WebSphere Application Server installation 105, workflow files 107, workflow_systemprocess directory 107
user: account data, on directory server 27; ID, verifying for database 99; itimuser: on DB2 server 16, privileges, no special 16; password, verifying for database 99
user password, identical in enroledatabase.properties file 99
user, ITIM 60, 70, 97

V
verifying: database: CLASSPATH 99, connection 99, installation 11, user ID 99, user password 99; installation: Tivoli Identity Manager Server 59, 70, 96, WebSphere Application Server 96
versioninfo.bat, command 43, 44
versioninfo.sh, command 44

W
WAS_HOME: definition xiii; WebSphere Application Server base installation directory xiii
WAS_NDM_PROFILE_HOME: definition xi; WebSphere Application Server base installation directory xi
WAS_PROFILE_HOME: definition xiii; WebSphere Application Server base installation directory xiii
was.policy file, permissions 138
wasadmin, System User 138
Web address: Tivoli Identity Manager 70; WebSphere administrative console 43, 45, 46, 47
Web user interface (Tivoli Identity Manager) 85
WebSphere administrative console: starting 59, 96; Web address 43, 45, 46, 47
WebSphere Application Server: administrative security and application security: itimadmin 138, wasadmin 138; configuration: cluster 5, installing 41, preserved during upgrade 106, single-server 4; definition 3; installation 41; installation, configuration 41; installing 41; verifying 96
WebSphere installation: custom installation recommended 42, 44; First Steps 43, 44, 46; IBM HTTP Server installation 42, 44; WebSphere Web Server plug-in installation 42, 44
WebSphere Web Server plug-in: deployment 42, 44

WebSphere Web Server plug-in (continued): installing 48; separate computer recommended 48
wizard: First Steps, WebSphere installation 43, 44, 46; Tivoli Identity Manager installation: cluster 63, single-server 53; verifying DB2 installation 11
workflow process file, preserved during upgrade: addserviceselectionpolicy.xml 107; notifytemplate.html 107
workflow process, lost if running during upgrade: Dynamic Role Add/Modify/Remove 107; Policy Add/Modify/Remove 107
worksheet tables 145


Program Number: 5724-C34 Printed in USA SC27-2410-01