Am51 Install (transcript retrieved 8/23/2019 from http://slidepdf.com/reader/full/am51-install, 347 pages)

IBM Tivoli Access Manager

Base Installation Guide

Version 5.1

SC32-1362-00


Note: Before using this information and the product it supports, read the information in “Notices” on page 303.

First Edition (November 2003)

This edition applies to version 5, release 1, modification 0 of IBM Tivoli Access Manager (product number 5724-C08) and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright International Business Machines Corporation 2001, 2003. All rights reserved. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.


Preface

IBM® Tivoli® Access Manager (Tivoli Access Manager) is the base software that is required to run applications in the Access Manager product suite. It enables the integration of Access Manager applications that provide a wide range of authorization and management solutions. Sold as an integrated solution, these products provide an access control management solution that centralizes network and application security policy for e-business applications.

Note: IBM Tivoli Access Manager is the new name of the previously released software entitled Tivoli SecureWay® Policy Director. Also, for users familiar with the Tivoli SecureWay Policy Director software and documentation, the term management server is now referred to as policy server.

The IBM Tivoli Access Manager Base Installation Guide explains how to install and configure Tivoli Access Manager Base software.

Who should read this book

This guide is for system administrators responsible for the installation and deployment of IBM Tivoli Access Manager.

Readers should be familiar with the following:

- PC and UNIX® operating systems
- Database architecture and concepts
- Security management
- Internet protocols, including HTTP, TCP/IP, File Transfer Protocol (FTP), and Telnet
- Lightweight Directory Access Protocol (LDAP) and directory services
- Authentication and authorization

If you are enabling Secure Sockets Layer (SSL) communication, you also should be familiar with the SSL protocol, key exchange (public and private), digital signatures, cryptographic algorithms, and certificate authorities.

What this book contains

Part 1, “Planning for installation” includes the following chapters:

- Chapter 1, “Installation overview,” on page 3
  Provides an overview of installing Tivoli Access Manager software using installation wizards or native installation utilities.
- Chapter 2, “System requirements,” on page 19
  Lists software and hardware requirements necessary for successful installation of Tivoli Access Manager software.
- Chapter 3, “Internationalization,” on page 33
  Instructs how to install language packages to enable Tivoli Access Manager for non-English environments.

Part 2, “Base system installation” includes the following chapters:

- Chapter 4, “Setting up the registry server,” on page 47


  Describes how to set up and configure supported registries for use with Tivoli Access Manager.

Chapters 5 through 11 provide instructions on how to install and configure Tivoli Access Manager components and prerequisite products to set up Tivoli Access Manager Base systems. Instructions are provided for both installation wizards and native command line utilities.

- Chapter 5, “Setting up the policy server,” on page 89
- Chapter 6, “Setting up an authorization server,” on page 99
- Chapter 7, “Setting up a development (ADK) system,” on page 107
- Chapter 8, “Setting up a Java runtime environment system,” on page 113
- Chapter 9, “Setting up a policy proxy server,” on page 119
- Chapter 10, “Setting up a runtime system,” on page 125
- Chapter 11, “Setting up a Web Portal Manager system,” on page 131

Part 3, “Reference information” includes the following chapters:

- Chapter 12, “Installing prerequisite products,” on page 145
  Describes how to install prerequisite products that are required on specific Tivoli Access Manager systems. Products include the Global Security Kit (GSKit), the IBM Tivoli Directory Client, IBM JRE, IBM WebSphere Application Server, and the IBM Tivoli Directory Server Web Administration Tool.
- Chapter 13, “Uninstalling components,” on page 173
  Provides instructions for unconfiguring and removing prerequisite products and Tivoli Access Manager packages.
- Chapter 14, “Installation wizard scenarios,” on page 179
  Provides scenarios and descriptions of the configuration options that you are prompted for when using installation wizards.
- Chapter 15, “Installation wizard options,” on page 197
  Provides descriptions of configuration options that you are prompted for during Tivoli Access Manager configuration using installation wizards.
- Chapter 16, “pdconfig options,” on page 217
  Provides descriptions of configuration options that you are prompted for during Tivoli Access Manager configuration using the pdconfig utility.
- Chapter 17, “Enabling Secure Sockets Layer,” on page 227
  Explains how to enable SSL data encryption for secure communications between the registry server and IBM Tivoli Directory Clients.
- Chapter 18, “AIX: Setting up a standby policy server,” on page 249
  Describes how to set up a standby policy server in the event of a system failure (on AIX® only). This capability requires additional software and hardware, including High Availability Cluster Multiprocessing (HACMP) software.
- Chapter 19, “Tivoli Access Manager utilities,” on page 273
  Provides reference information about configuration utilities used when setting up Tivoli Access Manager systems.
- Chapter 20, “Using response files,” on page 293
  Provides instructions for how to use response files to install multiple products on multiple machines at the same time.


Publications

Review the descriptions of the Tivoli Access Manager library, the prerequisite publications, and the related publications to determine which publications you might find helpful. After you determine the publications you need, refer to the instructions for accessing publications online.

Additional information about the IBM Tivoli Access Manager for e-business product itself can be found at:

http://www.ibm.com/software/tivoli/products/access-mgr-e-bus/

The Tivoli Access Manager library is organized into the following categories:

- “Release information”
- “Base information”
- “Web security information”
- “Developer references” on page xii
- “Technical supplements” on page xiii

Release information

- IBM Tivoli Access Manager for e-business Read This First (GI11-4155-00)
  Provides information for installing and getting started using Tivoli Access Manager.
- IBM Tivoli Access Manager for e-business Release Notes (GI11-4156-00)
  Provides late-breaking information, such as software limitations, workarounds, and documentation updates.

Base information

- IBM Tivoli Access Manager Base Installation Guide (SC32-1362-00)
  Explains how to install and configure the Tivoli Access Manager base software, including the Web Portal Manager interface. This book is a subset of IBM Tivoli Access Manager for e-business Web Security Installation Guide and is intended for use with other Tivoli Access Manager products, such as IBM Tivoli Access Manager for Business Integration and IBM Tivoli Access Manager for Operating Systems.
- IBM Tivoli Access Manager Base Administration Guide (SC32-1360-00)
  Describes the concepts and procedures for using Tivoli Access Manager services. Provides instructions for performing tasks from the Web Portal Manager interface and by using the pdadmin command.

Web security information

- IBM Tivoli Access Manager for e-business Web Security Installation Guide (SC32-1361-00)
  Provides installation, configuration, and removal instructions for the Tivoli Access Manager base software as well as the Web Security components. This book is a superset of IBM Tivoli Access Manager Base Installation Guide.
- IBM Tivoli Access Manager for e-business WebSEAL Administration Guide (SC32-1359-00)
  Provides background material, administrative procedures, and technical reference information for using WebSEAL to manage the resources of your secure Web domain.


- IBM Tivoli Access Manager for e-business IBM WebSphere Application Server Integration Guide (SC32-1368-00)
  Provides installation, removal, and administration instructions for integrating Tivoli Access Manager with IBM WebSphere® Application Server.
- IBM Tivoli Access Manager for e-business IBM WebSphere Edge Server Integration Guide (SC32-1367-00)
  Provides installation, removal, and administration instructions for integrating Tivoli Access Manager with the IBM WebSphere Edge Server application.
- IBM Tivoli Access Manager for e-business Plug-in for Web Servers Integration Guide (SC32-1365-00)
  Provides installation instructions, administration procedures, and technical reference information for securing your Web domain using the plug-in for Web servers.
- IBM Tivoli Access Manager for e-business BEA WebLogic Server Integration Guide (SC32-1366-00)
  Provides installation, removal, and administration instructions for integrating Tivoli Access Manager with BEA WebLogic Server.
- IBM Tivoli Access Manager for e-business IBM Tivoli Identity Manager Provisioning Fast Start Guide (SC32-1364-00)
  Provides an overview of the tasks related to integrating Tivoli Access Manager and Tivoli Identity Manager and explains how to use and install the Provisioning Fast Start collection.

Developer references

- IBM Tivoli Access Manager for e-business Authorization C API Developer Reference (SC32-1355-00)
  Provides reference material that describes how to use the Tivoli Access Manager authorization C API and the Tivoli Access Manager service plug-in interface to add Tivoli Access Manager security to applications.
- IBM Tivoli Access Manager for e-business Authorization Java Classes Developer Reference (SC32-1350-00)
  Provides reference information for using the Java™ language implementation of the authorization API to enable an application to use Tivoli Access Manager security.
- IBM Tivoli Access Manager for e-business Administration C API Developer Reference (SC32-1357-00)
  Provides reference information about using the administration API to enable an application to perform Tivoli Access Manager administration tasks. This document describes the C implementation of the administration API.
- IBM Tivoli Access Manager for e-business Administration Java Classes Developer Reference (SC32-1356-00)
  Provides reference information for using the Java language implementation of the administration API to enable an application to perform Tivoli Access Manager administration tasks.
- IBM Tivoli Access Manager for e-business Web Security Developer Reference (SC32-1358-00)
  Provides administration and programming information for the cross-domain authentication service (CDAS), the cross-domain mapping framework (CDMF), and the password strength module.


Technical supplements

- IBM Tivoli Access Manager Upgrade Guide (SC32-1369-00)
  Explains how to upgrade Tivoli Access Manager for e-business systems to a Version 5.1 level.
- IBM Tivoli Access Manager for e-business Command Reference (SC32-1354-00)
  Provides information about the command line utilities and scripts provided with Tivoli Access Manager.
- IBM Tivoli Access Manager Error Message Reference (SC32-1353-00)
  Provides explanations and recommended actions for the messages produced by Tivoli Access Manager.
- IBM Tivoli Access Manager for e-business Problem Determination Guide (SC32-1352-00)
  Provides problem determination information for Tivoli Access Manager.
- IBM Tivoli Access Manager for e-business Performance Tuning Guide (SC32-1351-00)
  Provides performance tuning information for an environment consisting of Tivoli Access Manager with the IBM Tivoli Directory server as the user registry.

Related publications

This section lists publications related to the Tivoli Access Manager library.

The Tivoli Software Library provides a variety of Tivoli publications such as white papers, datasheets, demonstrations, redbooks, and announcement letters. The Tivoli Software Library is available on the Web at: http://www.ibm.com/software/tivoli/library/

The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available, in English only, from the Glossary link on the left side of the Tivoli Software Library Web page: http://www.ibm.com/software/tivoli/library/

IBM Global Security Kit

Tivoli Access Manager provides data encryption through the use of the IBM Global Security Kit (GSKit), Version 7. GSKit is included on the IBM Tivoli Access Manager Base CD, the IBM Tivoli Access Manager Web Administration Interfaces CDs, and the IBM Tivoli Access Manager Directory Server CDs for supported platforms.

The GSKit package provides the iKeyman key management utility, gsk7ikm, which is used to create key databases, public-private key pairs, and certificate requests. The following document is available on the Tivoli Information Center Web site in the same section as the IBM Tivoli Access Manager product documentation:

- IBM Global Security Kit Secure Sockets Layer and iKeyman User’s Guide (SC32-1363-00)
  Provides information for network or system security administrators who plan to enable SSL communication in their Tivoli Access Manager environment.

IBM Tivoli Directory Server

IBM Tivoli Directory Server, Version 5.2, is included on the IBM Tivoli Access Manager Directory Server CD for the desired operating system.

Note: IBM Tivoli Directory Server is the new name for the previously released software known as:

- IBM Directory Server (Version 4.1 and Version 5.1)


- IBM SecureWay Directory Server (Version 3.2.2)

IBM Directory Server Version 4.1, IBM Directory Server Version 5.1, and IBM Tivoli Directory Server Version 5.2 are all supported by IBM Tivoli Access Manager Version 5.1.

Additional information about IBM Tivoli Directory Server can be found at:

http://www.ibm.com/software/network/directory/library/

IBM DB2 Universal Database

IBM DB2® Universal Database™ Enterprise Server Edition, Version 8.1 is provided on the IBM Tivoli Access Manager Directory Server CD and is installed with the IBM Tivoli Directory Server software. DB2 is required when using IBM Tivoli Directory Server, z/OS™, or OS/390® LDAP servers as the user registry for Tivoli Access Manager.

Additional information about DB2 can be found at:

http://www.ibm.com/software/data/db2/

IBM WebSphere Application Server

IBM WebSphere Application Server, Version 5.0.2, is included on the IBM Tivoli Access Manager Web Administration Interfaces CD for the desired operating system. WebSphere Application Server enables the support of the Web Portal Manager interface and the IBM Tivoli Directory Server Web Administration Tool.

Additional information about IBM WebSphere Application Server can be found at:

http://www.ibm.com/software/webservers/appserv/infocenter.html

IBM Tivoli Access Manager for Business Integration

IBM Tivoli Access Manager for Business Integration, available as a separately orderable product, provides a security solution for IBM MQSeries®, Version 5.2, and IBM WebSphere MQ, Version 5.3, messages. IBM Tivoli Access Manager for Business Integration allows WebSphere MQSeries applications to send data with privacy and integrity by using keys associated with sending and receiving applications. Like WebSEAL and IBM Tivoli Access Manager for Operating Systems, IBM Tivoli Access Manager for Business Integration is one of the resource managers that use the services of IBM Tivoli Access Manager.

Additional information about IBM Tivoli Access Manager for Business Integration can be found at:

http://www.ibm.com/software/tivoli/products/access-mgr-bus-integration/

The following documents associated with IBM Tivoli Access Manager for Business Integration Version 5.1 are available on the Tivoli Information Center Web site:

- IBM Tivoli Access Manager for Business Integration Administration Guide (SC23-4831-01)
- IBM Tivoli Access Manager for Business Integration Problem Determination Guide (GC23-1328-00)
- IBM Tivoli Access Manager for Business Integration Release Notes (GI11-0957-01)
- IBM Tivoli Access Manager for Business Integration Read This First (GI11-4202-00)


IBM Tivoli Access Manager for WebSphere Business Integration Brokers

IBM Tivoli Access Manager for WebSphere Business Integration Brokers, available as part of IBM Tivoli Access Manager for Business Integration, provides a security solution for WebSphere Business Integration Message Broker, Version 5.0 and WebSphere Business Integration Event Broker, Version 5.0. IBM Tivoli Access Manager for WebSphere Business Integration Brokers operates in conjunction with Tivoli Access Manager to secure JMS publish/subscribe applications by providing password and credentials-based authentication, centrally-defined authorization, and auditing services.

Additional information about IBM Tivoli Access Manager for WebSphere Integration Brokers can be found at:

http://www.ibm.com/software/tivoli/products/access-mgr-bus-integration/

The following documents associated with IBM Tivoli Access Manager for WebSphere Integration Brokers, Version 5.1 are available on the Tivoli Information Center Web site:

- IBM Tivoli Access Manager for WebSphere Business Integration Brokers Administration Guide (SC32-1347-00)
- IBM Tivoli Access Manager for WebSphere Business Integration Brokers Release Notes (GI11-4154-00)
- IBM Tivoli Access Manager for Business Integration Read This First (GI11-4202-00)

IBM Tivoli Access Manager for Operating Systems

IBM Tivoli Access Manager for Operating Systems, available as a separately orderable product, provides a layer of authorization policy enforcement on UNIX systems in addition to that provided by the native operating system. IBM Tivoli Access Manager for Operating Systems, like WebSEAL and IBM Tivoli Access Manager for Business Integration, is one of the resource managers that use the services of IBM Tivoli Access Manager.

Additional information about IBM Tivoli Access Manager for Operating Systems can be found at:

http://www.ibm.com/software/tivoli/products/access-mgr-operating-sys/

The following documents associated with IBM Tivoli Access Manager for Operating Systems Version 5.1 are available on the Tivoli Information Center Web site:

- IBM Tivoli Access Manager for Operating Systems Installation Guide (SC23-4829-00)
- IBM Tivoli Access Manager for Operating Systems Administration Guide (SC23-4827-00)
- IBM Tivoli Access Manager for Operating Systems Problem Determination Guide (SC23-4828-00)
- IBM Tivoli Access Manager for Operating Systems Release Notes (GI11-0951-00)
- IBM Tivoli Access Manager for Operating Systems Read Me First (GI11-0949-00)

IBM Tivoli Identity Manager

IBM Tivoli Identity Manager Version 4.5, available as a separately orderable product, enables you to centrally manage users (such as user IDs and passwords) and provisioning (that is, providing or revoking access to applications, resources, or operating systems). Tivoli Identity Manager can be integrated with Tivoli Access Manager through the use of the Tivoli Access Manager Agent. Contact your IBM account representative for more information about purchasing the Agent.

Additional information about IBM Tivoli Identity Manager can be found at:

http://www.ibm.com/software/tivoli/products/identity-mgr/

Accessing publications online

The publications for this product are available online in Portable Document Format (PDF) or Hypertext Markup Language (HTML) format, or both, in the Tivoli software library: http://www.ibm.com/software/tivoli/library

To locate product publications in the library, click the Product manuals link on the left side of the library page. Then, locate and click the name of the product on the Tivoli software information center page.

Product publications include release notes, installation guides, user’s guides, administrator’s guides, and developer’s references.

Note: To ensure proper printing of PDF publications, select the Fit to page check box in the Adobe Acrobat Print window (which is available when you click File → Print).

Accessibility

Accessibility features help a user who has a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You also can use the keyboard instead of the mouse to operate all features of the graphical user interface.

Contacting software support

Before contacting IBM Tivoli Software Support with a problem, refer to the IBM Tivoli Software Support site by clicking the Tivoli support link at the following Web site: http://www.ibm.com/software/support/

If you need additional help, contact software support by using the methods described in the IBM Software Support Guide at the following Web site: http://techsupport.services.ibm.com/guides/handbook.html

The guide provides the following information:

- Registration and eligibility requirements for receiving support
- Telephone numbers, depending on the country in which you are located
- A list of information you should gather before contacting customer support

Conventions used in this book

This reference uses several conventions for special terms and actions and for operating system-dependent commands and paths.

Typeface conventions

The following typeface conventions are used in this reference:


Bold
  Lowercase commands or mixed case commands that are difficult to distinguish from surrounding text, keywords, parameters, options, names of Java classes, and objects are in bold.

Italic
  Variables, titles of publications, and special words or phrases that are emphasized are in italic.

Monospace
  Code examples, command lines, screen output, file and directory names that are difficult to distinguish from surrounding text, system messages, text that the user must type, and values for arguments or command options are in monospace.

Operating system differences

This book uses the UNIX convention for specifying environment variables and for directory notation. When using the Windows command line, replace $variable with %variable% for environment variables and replace each forward slash (/) with a backslash (\) in directory paths. If you are using the bash shell on a Windows system, you can use the UNIX conventions.


Part 1. Planning for installation

Chapter 1. Installation overview . . . . . . . 3
  Planning for deployment . . . . . . . . . . 4
  Secure domain overview . . . . . . . . . . 5
  Tivoli Access Manager installation components . . . 6
    Tivoli Access Manager Base components . . . . 6
      Access Manager Application Development Kit . . 6
      Access Manager Authorization Server . . . . 6
      Access Manager Java Runtime Environment . . 6
      Access Manager Policy Proxy Server . . . . 7
      Access Manager Policy Server . . . . . . 7
      Access Manager Runtime . . . . . . . . 7
      Access Manager Web Portal Manager . . . . 8
      Provisioning Fast Start . . . . . . . . . 8
    Prerequisite products . . . . . . . . . . 9
      IBM Global Security Kit . . . . . . . . 9
      IBM Java Runtime Environment (JRE) . . . . 9
      IBM Tivoli Directory Client . . . . . . . 9
      IBM Tivoli Directory Server . . . . . . . 9
      IBM Tivoli Directory Server Web Administration Tool . . 10
      IBM WebSphere Application Server . . . . 10
  Types of Tivoli Access Manager systems . . . . . 11
  Installation methods . . . . . . . . . . . 15
    Installation wizards . . . . . . . . . . 15
    Native installation utilities . . . . . . . . 15
  Installation process . . . . . . . . . . . . 17

Chapter 2. System requirements . . . . . . 19
  Supported registries . . . . . . . . . . . 19
    IBM Tivoli Directory Server . . . . . . . . 19
      IBM Tivoli Directory Server Web Administration Tool . . 20
    IBM Security Server for OS/390 . . . . . . 21
    IBM z/OS Security Server LDAP Server . . . . 21
    Lotus Domino . . . . . . . . . . . . 22
    Microsoft Active Directory . . . . . . . . 22
    Netscape iPlanet and Sun ONE Directory Server . . 22
    Novell eDirectory . . . . . . . . . . . 22
  Disk space and memory requirements . . . . . 24
  Supported platforms, including required patches . . 26
  Backward compatibility . . . . . . . . . . 30
  Hardware acceleration card support . . . . . . 31

Chapter 3. Internationalization . . . . . . . 33
  Language support overview . . . . . . . . . 34
  Installing language support packages . . . . . . 35
  Installing language packages for IBM Tivoli Directory Server . . 37
  Uninstalling language support packages . . . . . 39
  Locale environment variables . . . . . . . . 39
    LANG variable on UNIX systems . . . . . . 40
    LANG variable on Windows systems . . . . . 41
    Using locale variants . . . . . . . . . . 41
  Message catalogs . . . . . . . . . . . . 42
  Text encoding (code set) support . . . . . . . 43
    Location of code set files . . . . . . . . . 43


Chapter 1. Installation overview

After you create a deployment plan, you are ready to install Tivoli Access Manager software on the systems in your distributed environment. If you already have Tivoli Access Manager software installed, update your previous deployment plan and follow the instructions provided in the IBM Tivoli Access Manager Upgrade Guide.

Note: For the latest release information, including known defects and limitations, consult the IBM Tivoli Access Manager for e-business Release Notes.

This chapter includes the following sections:

- “Planning for deployment” on page 4
- “Secure domain overview” on page 5
- “Tivoli Access Manager installation components” on page 6
- “Types of Tivoli Access Manager systems” on page 11
- “Installation methods” on page 15
- “Installation process” on page 17


Planning for deployment

Before you implement a particular Tivoli Access Manager solution, you must determine the specific security and management capabilities that are required of your network.

The first step in planning the deployment of a Tivoli Access Manager security environment is to define the security requirements for your computing environment. Defining security requirements means determining the business policies that must apply to users, programs, and data. This includes defining the following:

- Objects to be secured
- Actions permitted on each object
- Users that are permitted to perform the actions

Enforcing a security policy requires an understanding of the flow of access requests through your network topology. This includes identifying proper roles and locations for firewalls, routers, and subnets. Deploying a Tivoli Access Manager security environment also requires identifying the optimal points within the network for installing software that evaluates user access requests, and grants or denies the requested access.

Implementation of a security policy requires understanding the quantity of users, data, and throughput that your network must accommodate. You must evaluate performance characteristics, scalability, and the need for failover capabilities. Integration of legacy software, databases, and applications with Tivoli Access Manager software must also be considered.

After you have an understanding of the features that you want to deploy, you can decide which Tivoli Access Manager systems and blades can be combined to best implement your security policy.

For useful planning documentation, including actual business scenarios, see supplemental product information at the following Web sites:

http://www.ibm.com/redbooks/

http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html


Secure domain overview

The computing environment in which Tivoli Access Manager enforces securitypolicies for authentication, authorization, and access control is called a securedomain. The initial secure domain, called the management domain, is created whenyou install and configure the following systems:

Policy serverMaintains the master authorization database for the management domain.In addition, it updates authorization database replicas and maintainslocation information about other Tivoli Access Manager servers.

RegistryProvides a database of  the user identities known to Tivoli Access Manager.It also provides a representation of  groups in Tivoli Access Manager rolesthat are associated with users.

These core systems must exist for Tivoli Access Manager to perform fundamentaloperations, such as permitting or denying user access to protected objects(resources). All other Tivoli Access Manager services and components are  built onthis  base.

You can deploy Tivoli Access Manager on multiple systems or install all the software necessary to configure and use the management domain on one standalone system. A single system setup is useful only when prototyping a deployment or developing and testing an application.

After you configure the policy server and registry server, you can set up additional systems in the management domain, such as an authorization server or application development system. You can also create additional secure domains (if using an LDAP registry), thus securely partitioning data into separate, logical groupings. For information about creating multiple domains, see the IBM Tivoli Access Manager Base Administration Guide.


Tivoli Access Manager installation components

This section introduces Tivoli Access Manager Base and prerequisite components, which are generally common to all Tivoli Access Manager installations. Use these installation components to set up the Tivoli Access Manager systems listed in “Types of Tivoli Access Manager systems” on page 11.

Sections include the following:

• “Tivoli Access Manager Base components”
• “Prerequisite products” on page 9

Tivoli Access Manager Base components

Tivoli Access Manager Base includes the following installation components. These components are shipped on the IBM Tivoli Access Manager Base CD for supported platforms, with the exception of the Web Portal Manager component, which is shipped on the IBM Tivoli Access Manager Web Administration Interfaces CD. Use these installation components to set up the Base systems listed in “Types of Tivoli Access Manager systems” on page 11.

Access Manager Application Development Kit

The Access Manager Application Development Kit provides a development environment that enables you to code third-party applications to query the authorization server for authorization decisions. This kit contains support for using both C APIs and Java™ classes for authorization and administration functions. To run the Java program or to compile and run your own Java programs, you must install and configure a Java runtime environment system.

Access Manager Authorization Server

The Access Manager Authorization Server provides access to the authorization service for third-party applications that use the Tivoli Access Manager authorization API in remote cache mode. The authorization server also acts as a logging and auditing collection server to store records of server activity.

Access Manager Java Runtime Environment

The Access Manager Java Runtime Environment offers a reliable environment for developing and deploying Java applications in a Tivoli Access Manager secure domain. Use it to add Tivoli Access Manager authorization and security services to new or existing Java applications.

You can use the pdjrtecfg command to configure this component to use the proper JRE on your system. You can also configure this component for several different JREs on the same system, if so desired.

Note that if you plan to install the Web Portal Manager interface, this component is required. It is also required with the Access Manager Application Development Kit component if you are a developer using Tivoli Access Manager Java runtime environment classes. For more information, see the IBM Tivoli Access Manager for e-business Administration Java Classes Developer Reference and the IBM Tivoli Access Manager for e-business Authorization Java Classes Developer Reference.


Access Manager Policy Proxy Server

The Access Manager Policy Proxy Server is used to set up a proxy server, which acts as an intermediary between a less trusted network and a more trusted network. This server ensures security and provides administrative control and caching services. It is associated with or part of a gateway server that separates the enterprise network from the outside network, and a firewall server that protects the enterprise network from outside intrusion. In a Tivoli Access Manager environment, the proxy server runs on behalf of the policy server for a given number of authorization applications and administrative functions, such as pdadmin commands.

Access Manager Policy Server

The Access Manager Policy Server maintains the master authorization database for the management domain as well as the policy databases associated with other secure domains that you might decide to create. This server is key to the processing of access control, authentication, and authorization requests. It also updates authorization database replicas and maintains location information about other Tivoli Access Manager servers.

Optionally, you can configure a standby server to take over policy server functions in the event of a system failure or unplanned outage. When the policy server goes down, the standby policy server acts as the primary policy server until the primary policy server assumes its original role. In turn, the standby policy server reverts back to a standby role. At any given time, there is only one active policy server and only one shared copy of the policy databases.

Tivoli Access Manager supports the use of one standby policy server on supported AIX platforms. In addition, deploying a standby policy server requires the installation and configuration of High Availability Cluster Multiprocessing (HACMP) software—a clustering solution designed to provide high-availability access to business-critical data and applications through component redundancy and application failover.

Access Manager Runtime

The Access Manager Runtime contains runtime libraries and supporting files that applications can use to access Tivoli Access Manager servers.

You must install and configure the Access Manager Runtime component on each system that runs Tivoli Access Manager except for Web Portal Manager and Java runtime environment systems.


Access Manager Web Portal Manager

The Access Manager Web Portal Manager is a Web-based graphical user interface (GUI) used for Tivoli Access Manager administration. Similar to the pdadmin command line interface, this GUI provides management of users, groups, roles, permissions, policies, and other Tivoli Access Manager tasks. A key advantage is that you can perform these tasks remotely, without requiring any special network configuration.

The Web Portal Manager interface also includes a set of delegated management services that enables a business to delegate user administration, group and role administration, security administration, and application access provisioning to participants (sub-domains) in the business system. These sub-domains can further delegate management and administration to trusted sub-domains under their control.

This component is shipped separately on the IBM Tivoli Access Manager Web Administration Interfaces CD. Supported browsers for the Web Portal Manager interface are as follows:

• Netscape Navigator 4.7x and 7.0
• Microsoft Internet Explorer 5.5 and 6.0

Provisioning Fast Start

A Provisioning Fast Start Installer is provided on the Tivoli Access Manager Base CDs for AIX and Windows platforms. Use this installer to install a Provisioning Fast Start collection of utilities that can help you integrate Tivoli Access Manager with Tivoli Identity Manager (which is a separately orderable IBM product). The tasks supported by these utilities include:

• Creating a Tivoli Access Manager service and provisioning policy on the Tivoli Identity Manager server
• Configuring Tivoli Identity Manager for use with WebSEAL single sign-on
• Importing and synchronizing user data in Tivoli Identity Manager
• Creating a Web interface for user management with Tivoli Identity Manager

For more information, see the IBM Tivoli Access Manager for e-business IBM Tivoli Identity Manager Provisioning Fast Start Guide.


Prerequisite products

Tivoli Access Manager includes the following prerequisite products. These products are shipped with Tivoli Access Manager and are required when setting up specific Tivoli Access Manager systems. For a list of the required installation components necessary to set up a Tivoli Access Manager system, see Table 1 on page 11.

IBM Global Security Kit

IBM Global Security Kit (GSKit) provides Secure Sockets Layer (SSL) data encryption between Tivoli Access Manager systems and supported registry servers. The GSKit package also installs the iKeyman key management utility (gsk7ikm), which enables you to create key databases, public-private key pairs, and certificate requests.

You must install GSKit before installing most other Tivoli Access Manager components. GSKit is a prerequisite to the Access Manager Runtime component, which is required on all Tivoli Access Manager systems with the exception of Java runtime environment and Web Portal Manager systems. For information about using this utility to enable SSL with a supported registry server, see Chapter 17, “Enabling Secure Sockets Layer,” on page 227 or refer to the IBM Global Security Kit Secure Sockets Layer and iKeyman User’s Guide.

Note: OpenSSL is included in GSKit and may be used for cryptographic operations (as per the OpenSSL license agreement).

IBM Java Runtime Environment (JRE)

IBM JRE is required when installing the Access Manager Java Runtime Environment component or language support packages, or when using the Tivoli Access Manager installation wizards.

IBM Tivoli Directory Client

The IBM Tivoli Directory Client is shipped with IBM Tivoli Directory Server on the IBM Tivoli Access Manager Directory Server CD for supported AIX, HP-UX, Linux, Solaris, and Windows platforms.

You must install the IBM Tivoli Directory Client on each system that runs Tivoli Access Manager, with the following exceptions:

• The Tivoli Access Manager system is a supported Windows system that is joined to an Active Directory domain.
• You are setting up a Java runtime environment or Web Portal Manager system.
• You are using Lotus Domino as your registry server.

IBM Tivoli Directory Server

IBM Tivoli Directory Server, Version 5.2, is shipped on the IBM Tivoli Access Manager Directory Server CD for supported AIX, HP-UX, Linux, Sun Solaris Operating Environment, and Windows platforms. You can use this server as your Tivoli Access Manager registry server or use one of the registry servers listed in “Supported registries” on page 19. This Lightweight Directory Access Protocol (LDAP) directory runs as a stand-alone daemon. It is based on a client/server model that provides client access to an LDAP server. The IBM Tivoli Directory Server provides an easy way to maintain directory information in a central location for storage, updating, retrieval, and exchange.


IBM Tivoli Directory Server Web Administration Tool

IBM Tivoli Directory Server, Version 5.2, provides the Web Administration Tool—a separately installable GUI that runs on an application server, such as the IBM WebSphere Application Server. Use the Web Administration Tool to administer IBM Tivoli Directory servers either locally or remotely. You can install a single Web Administration console to manage multiple IBM Tivoli Directory servers, including Version 4.1, 5.1, and 5.2 servers.

The Web Administration Tool is shipped separately on the IBM Tivoli Access Manager Web Administration Interfaces CD. For system requirements, including supported browsers, see “IBM Tivoli Directory Server Web Administration Tool” on page 20.

IBM WebSphere Application Server

IBM WebSphere Application Server 5.0.2 is used for installation of the Web Portal Manager interface and the Web Administration Tool. IBM WebSphere Application Server is shipped on the IBM Access Manager Web Administration Interfaces CD for supported platforms.

Note that IBM Tivoli Directory Server, Version 5.2, usually ships WebSphere Application Server — Express version for use with its Web Administration Tool. In Tivoli Access Manager, Version 5.1, this simplified Web server application was replaced with IBM WebSphere Application Server, V5.0.2—the premier Java 2 Enterprise Edition (J2EE) and Web services technology-based application platform, offering one of the first production-ready application servers for the deployment of enterprise Web services solutions for dynamic e-business on demand.


Types of Tivoli Access Manager systems

This section lists the types of Tivoli Access Manager Base systems that you can set up in a secure domain. Required installation components and supported platforms for each system type are provided.

It is recommended that you set up the policy server and registry server on separate systems. However, other system types do not have to be standalone systems. For example, you can install the Web Portal Manager interface on the same system as the policy server.

Notes:

1. You must install the IBM Tivoli Directory Client, Version 5.2, on each system that runs Tivoli Access Manager, with the following exceptions:
   • The Tivoli Access Manager system is a supported Windows system that is joined to an Active Directory domain.
   • You are setting up a Java runtime environment or Web Portal Manager system.
   • Domino is the registry server.

2. If using an installation wizard to install and configure a Tivoli Access Manager system, IBM JRE 1.3.1 is also required.

3. SuSE Linux is one of four partner companies whose products are based on UnitedLinux 1.0; the other companies are the SCO Group, Turbolinux, and Conectiva. When SuSE Linux Enterprise Server (SLES) is listed as supported, support for the other partner companies’ products based on UnitedLinux 1.0 is implied as well. For more information, consult the UnitedLinux Web site at:

http://www.unitedlinux.com

Table 1 lists the types of Tivoli Access Manager Base systems.

Table 1. Tivoli Access Manager Base systems—Required components and supported platforms

Authorization server

  Installation components:
  • Global Security Kit, Version 7
  • IBM Tivoli Directory Client, Version 5.2 (see Note 1)
  • Access Manager Runtime, Version 5.1
  • Access Manager Authorization Server, Version 5.1

  Supported platforms:
  • AIX 5.1.0 and 5.2.0
  • HP-UX 11.0 and 11i
  • Red Hat Enterprise Linux 3.0
  • SuSE SLES8 for IA32
  • SuSE SLES8 for S/390 and zSeries (31-bit systems) with Service Pack 2
  • SuSE SLES8 for zSeries (64-bit systems, 31-bit compatibility mode) with Service Pack 2
  • SuSE SLES8 for pSeries and iSeries
  • Solaris 8 and 9
  • Windows 2000 Server and Advanced Servers with Service Pack 3
  • Windows 2003 Standard Server and Enterprise Server


Development (ADK)

  Installation components:
  • Global Security Kit, Version 7
  • IBM Tivoli Directory Client, Version 5.2 (see Note 1)
  • Access Manager Runtime, Version 5.1
  • Access Manager Application Development Kit, Version 5.1

  Supported platforms:
  • AIX 4.3.3 and 5.1.0 and 5.2.0
  • HP-UX 11.0 and 11i
  • Red Hat Enterprise Linux 3.0
  • SuSE SLES8 for IA32
  • SuSE SLES8 for S/390 and zSeries (31-bit systems) with Service Pack 2
  • SuSE SLES8 for zSeries (64-bit systems, 31-bit compatibility mode) with Service Pack 2
  • Solaris 7 and 8 and 9
  • Windows NT 4.0 with Service Pack 6a
  • Windows 2000 Server and Advanced Servers with Service Pack 3
  • Windows 2003 Standard Server and Enterprise Server
  • Windows XP Pro

IBM Tivoli Directory Server

  Installation components (if you plan to install the IBM Tivoli Directory Server as your Tivoli Access Manager registry, the following components are required):
  • Global Security Kit, Version 7
  • IBM Tivoli Directory Client, Version 5.2 (see Note 1)
  • IBM DB2, Version 8.1
  • IBM Tivoli Directory Server, Version 5.2

  Supported platforms:
  • AIX 5.1.0 and 5.2.0
  • Red Hat Enterprise Linux 3.0
  • SuSE SLES8 for IA32
  • SuSE SLES8 for S/390 and zSeries (31-bit systems) with Service Pack 2
  • SuSE SLES8 for zSeries (64-bit systems, 31-bit compatibility mode) with Service Pack 2
  • SuSE SLES8 for pSeries and iSeries
  • Solaris 8 and 9
  • Windows NT 4.0 with Service Pack 6a
  • Windows 2000 Server and Advanced Servers with Service Pack 3
  • Windows 2003 Standard Server and Enterprise Server

Java runtime environment

  Installation components:
  • Access Manager Java Runtime Environment, Version 5.1
  • IBM JRE, Version 1.3.1 or later

  Supported platforms:
  • AIX 4.3.3 and 5.1.0 and 5.2.0
  • HP-UX 11.0 and 11i
  • Red Hat Enterprise Linux 3.0
  • SuSE SLES8 for IA32
  • SuSE SLES8 for S/390 and zSeries (31-bit systems) with Service Pack 2
  • SuSE SLES8 for zSeries (64-bit systems, 31-bit compatibility mode) with Service Pack 2
  • SuSE SLES8 for pSeries and iSeries
  • Solaris 7 and 8 and 9
  • Windows NT with Service Pack 6a
  • Windows 2000 Server and Advanced Servers with Service Pack 3
  • Windows 2003 Standard Server and Enterprise Server


Policy proxy server

  Installation components:
  • Global Security Kit, Version 7
  • IBM Tivoli Directory Client, Version 5.2 (see Note 1)
  • Access Manager Runtime, Version 5.1
  • Access Manager Policy Proxy Server, Version 5.1

  Supported platforms:
  • AIX 5.1.0 and 5.2.0
  • HP-UX 11.0 and 11i
  • Red Hat Enterprise Linux 3.0
  • SuSE SLES8 for IA32
  • SuSE SLES8 for S/390 and zSeries (31-bit systems) with Service Pack 2
  • SuSE SLES8 for zSeries (64-bit systems, 31-bit compatibility mode) with Service Pack 2
  • SuSE SLES8 for pSeries and iSeries
  • Solaris 8 and 9
  • Windows 2000 Server and Advanced Server with Service Pack 3
  • Windows 2003 Standard Server and Enterprise Server

Policy server

  Installation components:
  • Global Security Kit, Version 7
  • IBM Tivoli Directory Client, Version 5.2 (see Note 1)
  • Access Manager Runtime, Version 5.1
  • Access Manager Policy Server, Version 5.1

  Supported platforms:
  • AIX 5.1.0 and 5.2.0
  • HP-UX 11.0 and 11i
  • Red Hat Enterprise Linux 3.0
  • SuSE SLES8 for IA32
  • SuSE SLES8 for S/390 and zSeries (31-bit systems) with Service Pack 2
  • SuSE SLES8 for zSeries (64-bit systems, 31-bit compatibility mode) with Service Pack 2
  • Solaris 8 and 9
  • Windows 2000 Server and Advanced Servers with Service Pack 3
  • Windows 2003 Standard Server and Enterprise Server

Runtime

  Installation components:
  • Global Security Kit, Version 7
  • IBM Tivoli Directory Client, Version 5.2 (see Note 1)
  • Access Manager Runtime, Version 5.1

  Supported platforms:
  • AIX 4.3.3 and 5.1.0 and 5.2.0
  • HP-UX 11.0 and 11i
  • Red Hat Enterprise Linux 3.0
  • SuSE SLES8 for IA32
  • SuSE SLES8 for S/390 and zSeries (31-bit systems) with Service Pack 2
  • SuSE SLES8 for zSeries (64-bit systems, 31-bit compatibility mode) with Service Pack 2
  • Solaris 7 and 8 and 9
  • Windows NT 4.0 with Service Pack 6a
  • Windows 2000 Server and Advanced Servers with Service Pack 3
  • Windows 2003 Standard Server and Enterprise Server


Web Portal Manager

  Installation components:
  • IBM WebSphere Application Server, Version 5.0.2
  • Access Manager Web Portal Manager, Version 5.1
  • Access Manager Java Runtime Environment, Version 5.1

  Supported platforms:
  • AIX 5.1.0 and 5.2.0
  • HP-UX 11.0 and 11i
  • SuSE SLES8 for IA32
  • SuSE SLES8 for S/390 and zSeries (31-bit systems) with Service Pack 2
  • SuSE SLES8 for zSeries (64-bit systems, 31-bit compatibility mode) with Service Pack 2
  • SuSE SLES8 for pSeries and iSeries
  • Solaris 8 and 9
  • Windows 2000 Server and Advanced Server with Service Pack 3
  • Windows 2003 Standard Server and Enterprise Server


Installation methods

You can install and configure Tivoli Access Manager software in the following ways:

• “Installation wizards”
• “Native installation utilities”

Installation wizards

Use installation wizards to simplify installation and configuration of Tivoli Access Manager systems. You can run a single program to set up one of a variety of Tivoli Access Manager systems. Software prerequisites and product patches are automatically installed in the appropriate order.

Table 2 lists the Base installation wizards that are available for the indicated system types.

Installation wizards for Tivoli Access Manager Base systems are located in the root directory on the IBM Tivoli Access Manager Base CDs, with the following exceptions:

• install_ldap_server is located on the IBM Tivoli Access Manager Directory Server CDs.
• install_amwpm is located on the IBM Tivoli Access Manager Web Administration Interfaces CDs.

Note: For a list of installed components and supported platforms for each of these system types, see “Types of Tivoli Access Manager systems” on page 11.

Table 2. Installation wizards for Base systems

Installation wizard      Type of Base system
install_ldap_server      IBM Tivoli Directory Server
install_ammgr            Policy server
install_amacld           Authorization server
install_amadk            Development (ADK) system
install_amjrte           Java runtime environment system
install_amproxy          Policy proxy server
install_amrte            Runtime system
install_amwpm            Web Portal Manager system
install_ampfs (1)        Provisioning Fast Start

(1) The install_ampfs wizard is used to install the Provisioning Fast Start collection of utilities that can help you integrate Tivoli Access Manager with Tivoli Identity Manager. For more information, see the IBM Tivoli Access Manager for e-business IBM Tivoli Identity Manager Provisioning Fast Start Guide.

Native installation utilities

You can use platform-specific utilities, such as pkgadd on the Solaris Operating Environment, to install Tivoli Access Manager components. Unlike the automated wizards, you must manually install each component and any prerequisite software in the appropriate order.

If the Access Manager Runtime component is installed on your system, you can use the pdconfig utility to configure Tivoli Access Manager components. If the Access Manager Runtime component is not installed, you must use component-specific utilities, such as pdjrtecfg to configure the Access Manager Java Runtime Environment component and pdwpmcfg to configure the Access Manager Web Portal Manager component.

Note: For more information about these utilities, see Chapter 19, “Tivoli Access Manager utilities,” on page 273.


Installation process

To create a Tivoli Access Manager management domain, follow these basic steps:

1. Plan your Tivoli Access Manager deployment. Ensure that you understand the business security requirements for which Tivoli Access Manager is being deployed.

2. Decide which combination of Tivoli Access Manager systems you want to install. A supported registry and the policy server system are required to set up the initial management domain.

3. Ensure that your Tivoli Access Manager systems meet all software and hardware requirements listed in Chapter 2, “System requirements,” on page 19.

4. Set up a registry for use with Tivoli Access Manager. For instructions, see Chapter 4, “Setting up the registry server,” on page 47.

5. Install and configure the Tivoli Access Manager policy server system. For instructions, see Chapter 5, “Setting up the policy server,” on page 89. If you plan to set up a standby policy server using HACMP software, see the instructions in Chapter 18, “AIX: Setting up a standby policy server,” on page 249.

6. Install other types of Tivoli Access Manager Base systems (as needed). For example, you can install one or more of the following systems:
   Authorization server (page 99)
   Development (ADK) system (page 107)
   Java runtime environment system (page 113)
   Policy proxy server (page 119)
   Runtime system (page 125)
   Web Portal Manager system (page 131)

7. It is recommended that you use a certificate from a Certificate Authority (CA) to enable SSL communication between your supported registry server and IBM Tivoli Directory Clients. To do so, you must either generate a certificate request through the GSKit iKeyman utility or import a private certificate. For more information about using the iKeyman utility, see the IBM Global Security Kit Secure Sockets Layer and iKeyman User’s Guide. To set up the iKeyman utility, see the instructions in “Setting up the GSKit iKeyman utility” on page 147.
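The manual ordering that “Native installation utilities” leaves to the administrator, and the choice of system combination in steps 2 and 6 above, can be worked out mechanically. The following planner is an added example and not IBM's code: it encodes the prerequisite relationships this guide states (GSKit and the Directory Client before the Runtime, the Runtime before the server components, IBM JRE before the Access Manager Java Runtime Environment, WebSphere and the Java Runtime Environment before Web Portal Manager, plus the Directory Client exceptions for Domino and Active Directory) and derives an install order for a Base system type by topological sort. The short component labels and the DB2-before-Directory-Server ordering taken from Table 1's listing order are assumptions made here.

```python
"""Install-order planner for Tivoli Access Manager 5.1 Base systems.

Added example, not IBM's code. PREREQS encodes the ordering this guide
states; component labels such as "GSKit 7" are short names chosen here,
not package or wizard names.
"""
from collections import deque

# component -> components that must already be installed on the same system
PREREQS = {
    "GSKit 7": set(),
    "Directory Client 5.2": set(),
    "IBM JRE 1.3.1": set(),
    "DB2 8.1": set(),
    "WebSphere 5.0.2": set(),
    # Table 1 lists DB2 before the Directory Server; assumed to be install order
    "Directory Server 5.2": {"GSKit 7", "Directory Client 5.2", "DB2 8.1"},
    # GSKit and the Directory Client are prerequisites of the Runtime
    "AM Runtime 5.1": {"GSKit 7", "Directory Client 5.2"},
    "AM Policy Server 5.1": {"AM Runtime 5.1"},
    "AM Authorization Server 5.1": {"AM Runtime 5.1"},
    "AM Policy Proxy Server 5.1": {"AM Runtime 5.1"},
    "AM ADK 5.1": {"AM Runtime 5.1"},
    # IBM JRE is required when installing the AM Java Runtime Environment
    "AM JRE 5.1": {"IBM JRE 1.3.1"},
    # Web Portal Manager needs WebSphere and the AM Java Runtime Environment
    "AM Web Portal Manager 5.1": {"WebSphere 5.0.2", "AM JRE 5.1"},
}

# Table 1 system types, each named by the component that defines it.
SYSTEM_TYPES = {
    "Authorization server": "AM Authorization Server 5.1",
    "Development (ADK)": "AM ADK 5.1",
    "IBM Tivoli Directory Server": "Directory Server 5.2",
    "Java runtime environment": "AM JRE 5.1",
    "Policy proxy server": "AM Policy Proxy Server 5.1",
    "Policy server": "AM Policy Server 5.1",
    "Runtime": "AM Runtime 5.1",
    "Web Portal Manager": "AM Web Portal Manager 5.1",
}


def directory_client_needed(registry, windows_in_ad_domain=False):
    """Exceptions from Note 1 of 'Types of Tivoli Access Manager systems':
    no Directory Client with a Domino registry, or on a supported Windows
    system joined to an Active Directory domain."""
    if registry == "Domino":
        return False
    if registry == "Active Directory" and windows_in_ad_domain:
        return False
    return True


def required_components(system_type, registry="LDAP", windows_in_ad_domain=False):
    """Transitive closure of PREREQS from the system's defining component,
    minus the Directory Client where the guide says it is not required."""
    needed, stack = set(), [SYSTEM_TYPES[system_type]]
    while stack:
        comp = stack.pop()
        if comp not in needed:
            needed.add(comp)
            stack.extend(PREREQS[comp])
    if not directory_client_needed(registry, windows_in_ad_domain):
        needed.discard("Directory Client 5.2")
    return needed


def install_order(system_type, registry="LDAP", windows_in_ad_domain=False):
    """Kahn's algorithm over the needed components. Ties are broken by the
    order of PREREQS, so output is deterministic; a cycle raises ValueError."""
    needed = required_components(system_type, registry, windows_in_ad_domain)
    indeg = {c: len(PREREQS[c] & needed) for c in PREREQS if c in needed}
    ready = deque(c for c in PREREQS if c in needed and indeg[c] == 0)
    order = []
    while ready:
        comp = ready.popleft()
        order.append(comp)
        for other in PREREQS:  # release components that were waiting on comp
            if other in needed and comp in PREREQS[other]:
                indeg[other] -= 1
                if indeg[other] == 0:
                    ready.append(other)
    if len(order) != len(needed):
        raise ValueError("prerequisite cycle among %s" % sorted(needed - set(order)))
    return order


if __name__ == "__main__":
    for name in SYSTEM_TYPES:
        print("%-28s %s" % (name, " -> ".join(install_order(name))))
    # Policy server with a Domino registry: the Directory Client drops out.
    print("Policy server (Domino)       %s"
          % " -> ".join(install_order("Policy server", "Domino")))
```

Note that the Web Portal Manager order includes IBM JRE even though Table 1 does not list it for that system type, because the guide states it is required whenever the Access Manager Java Runtime Environment is installed.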


Chapter 2. System requirements

This section describes the minimum product levels you should have installed. For known problems, limitations, and last-minute information, see the IBM Tivoli Access Manager for e-business Release Notes.

The following sections are included:

• “Supported registries”
• “Disk space and memory requirements” on page 24
• “Supported platforms, including required patches” on page 26
• “Backward compatibility” on page 30
• “Hardware acceleration card support” on page 31

Supported registries

Tivoli Access Manager supports the following user registries, their supported operating systems, and any necessary prerequisite software.

IBM Tivoli Directory Server

Tivoli Access Manager supports the use of IBM Tivoli Directory Server, Versions 4.1, 5.1, and 5.2.

Note: IBM Tivoli Directory Server, Version 5.2, is shipped with Tivoli Access Manager, Version 5.1. Only a single version of IBM Directory Server can exist on a system at a time, and because IBM Tivoli Access Manager, Version 5.1, uses the Version 5.2 IBM Directory client for the LDAP registry, you should install the IBM Tivoli Directory Server on a separate system if using either Version 4.1 or 5.1.

Supported platforms are as follows:

• AIX platforms:
  – AIX 5.1
  – AIX 5.2

  Note: On AIX 5.1, you must install AIX Maintenance Level 4 or higher. On AIX 5.2, you must install AIX Maintenance Level 1 or higher.

• HP-UX platforms:
  – HP-UX 11
  – HP-UX 11i with the following patches:
    - December 2001 GOLDBASE11i bundle
    - December 2001 GOLDAPPS11i bundle
    - patch PHSS_26560
• Linux on xSeries platforms:
  – UnitedLinux 1.0 with Service Pack 2
  – SuSE Linux Enterprise Server 8
  – Red Hat Enterprise Linux 3.0
• Linux on zSeries platforms:
  – SuSE Linux Enterprise Server 8
  – Red Hat Enterprise Server 3.0
• Linux on pSeries and iSeries platforms:
  – Red Hat Enterprise Server 3.0
  – SuSE Linux Enterprise Server 8
• Solaris platforms:
  – Solaris Operating Environment Software, Versions 8 and 9
  – Trusted Solaris, Version 8
• Windows platforms:
  – Windows 2000
  – Windows Server 2003, Standard or Enterprise
  – Windows NT 4.0 with Service Pack 6 or later; a Windows NT file system (NTFS) is required for security support.

Attention:

• If you have an existing IBM Directory Server that you want to use for Tivoli Access Manager, ensure that you upgrade the server to a supported level. For upgrade instructions, see the IBM Tivoli Access Manager Upgrade Guide.
• If you have a pre-existing version of LDAP from a vendor other than IBM, you should remove it before installing the IBM Tivoli Directory Server. If you attempt to install the IBM Tivoli Directory Server without removing the other vendor’s version, the resulting file name conflicts might prevent either version from working.

IBM Tivoli Directory Server Web Administration Tool

IBM Tivoli Directory Server supports the use of the IBM Tivoli Directory Server Web Administration Tool, Version 5.2. You can install the Web Administration Tool on a computer with or without the IBM Tivoli Directory Server client or server. The Web Administration Tool can be used to administer LDAP servers of the following types:

• IBM Tivoli Directory Server, Version 5.2
• IBM Directory Server, Version 5.1
• IBM Directory Server, Version 4.1
• OS/400 V5R3
• z/OS™ R4

  Note: For z/OS R4, only the following setups are supported by the Web Administration Tool:
  – A single TDBM backend
  – A single SDBM backend
  – One TDBM and SDBM backend

The Web Administration Tool is supported on the following platforms:

• AIX platforms:
  – AIX 4.3.3
  – AIX 5.1
  – AIX 5.2
• HP-UX platforms:
  – HP-UX 11
  – HP-UX 11i
• Linux on xSeries platforms:
  – UnitedLinux 1.0
  – SuSE Linux Enterprise Server 7 and 8
  – Red Hat Advanced Server 2.1
• Linux on zSeries platforms:
  – SuSE Linux Enterprise Server 8.0
• Linux on pSeries and iSeries platforms:
  – UnitedLinux 1.0
  – SuSE Linux Enterprise Server 8.0
• Solaris platforms:
  – Solaris Operating Environment Software, Versions 7, 8, and 9
  – Trusted Solaris, Version 8
• Windows platforms:
  – Windows 2000
  – Windows XP
  – Windows Server 2003, Standard or Enterprise
  – Windows NT 4.0 with Service Pack 6 or later

To use the Web Administration Tool, you also need the following:

• One of the following application servers:
  – The embedded version of WebSphere Application Server — Express V5.0 or later.
  – IBM WebSphere Application Server, Version 5.0 or later. IBM WebSphere Application Server, Version 5.0.2, is provided with Tivoli Access Manager, Version 5.1.
• One of the following Web browsers on the computer from which you will use the Web Administration Tool (this might or might not be the computer where the Web Administration Tool is installed):
  – AIX platforms: Mozilla 1.3 or 1.4
  – HP-UX platforms: Mozilla 1.3 or 1.4
  – Linux on xSeries platforms: Mozilla 1.3 or 1.4
  – Linux on iSeries, pSeries, and zSeries platforms: No browser support is available. You must use another system to access the Web Administration Tool on these Linux platforms.
  – Solaris platforms: Mozilla 1.3 or 1.4
  – Windows platforms: Internet Explorer, Version 6.0

IBM Security Server for OS/390

Tivoli Access Manager supports the use of IBM Security Server for OS/390®, Version 2, Release 10. For product information, see the OS/390 Internet Library Web site at:

http://www.s390.ibm.com/os390/bkserv/

IBM z/OS Security Server LDAP Server

Tivoli Access Manager supports the use of IBM z/OS Security Server LDAP Server, Version 1, Release 2 or higher. For product information, see the z/OS Internet Library Web site at:

http://www.ibm.com/servers/eserver/zseries/zos/bkserv/

Customers can also obtain softcopy publications on CD-ROM, z/OS: Collection,SK3T-4269.

Lotus Domino

Tivoli Access Manager on Windows platforms supports the use of Lotus® Domino, Version 5.0.10 and 6.0, as a user registry. The Domino server can run on any platform supported by Tivoli Access Manager, Version 5.1.

Attention: When Lotus Domino is used as the registry:

v The IBM Tivoli Directory Client is not required.

v You must install a Lotus Notes® client prior to installing the Access Manager Runtime component. Tivoli Access Manager supports Lotus Notes client, Version 5.0.10, and Version 6.0 or higher.

Microsoft Active Directory

Tivoli Access Manager supports the use of Active Directory for Windows 2000 and Windows 2003 as a user registry.

In previous releases of Tivoli Access Manager, Active Directory support was available on the Windows 2000 Advanced Server platform only. New to Version 5.1, Active Directory users can run Tivoli Access Manager on all Windows and UNIX platforms currently supported in the Tivoli Access Manager product (with the exception of Windows NT).

UNIX platforms make use of the IBM Tivoli Directory Client to communicate with Active Directory. This LDAP client is also used in cases where the policy server domain differs from the domain of the local host name.

Note that the Tivoli Access Manager policy server is supported on Windows 2000 and 2003 systems only.

Netscape iPlanet and Sun ONE Directory Server

Tivoli Access Manager supports the use of Netscape iPlanet Directory Server, Version 5.1, and Sun ONE Directory Server, Version 5.2, as a user registry.

For installation information, consult the product documentation that came with your iPlanet or Sun ONE Directory Server.

Attention:

v If you have an existing iPlanet or Sun ONE Directory Server that you want to use for Tivoli Access Manager, ensure that you upgrade the server to a supported level. For upgrade instructions, see Sun documentation at the following Web address:

http://docs.sun.com/db/prod/s1dirsrv

v The iPlanet and Sun ONE Directory Server has built-in SSL capability. You must install GSKit onto the directory server system only if the Access Manager Runtime component is installed on the same system.

Novell eDirectory

Tivoli Access Manager supports the use of Novell eDirectory 8.6.2 and 8.7 as a user registry.

For installation information, consult the product documentation that came with your Novell eDirectory server. Novell eDirectory product documentation is available at:

http://www.novell.com/documentation/a-z.html

The latest patches to these products are available at:

http://support.novell.com/filefinder/5069/index.html

Attention:

v If you have an existing Novell eDirectory server that you want to use for Tivoli Access Manager, ensure that you upgrade the server to a supported level.

v The Novell eDirectory server has built-in SSL capability. You must install GSKit onto the directory server system only if the Access Manager Runtime component is installed on the same system.


Disk space and memory requirements

Tivoli Access Manager binaries and libraries can require a large amount of disk space. You should ensure that there is enough disk space in the file systems where you are going to install these files. As each Tivoli Access Manager component or system is added to a secure domain, additional disk space is required. Ensure that there is enough available disk space to allow for future installation of Tivoli Access Manager software.

Note: These tables list disk space and memory requirements for Tivoli Access Manager components only. Keep in mind that you must also factor in additional requirements, such as operating system requirements.

Table 3. Base components — Disk space and memory requirements

Columns, left to right: Minimum disk space (MB) | Recommended disk space (MB) | Disk space for ACL database (MB) | Additional disk space for log files (MB) | Minimum memory (MB) | Recommended memory (MB) | Memory per additional domain. A dash (—) means the column does not apply to that component; bracketed numbers refer to the notes below the table.

Component | Min. disk (MB) | Rec. disk (MB) | ACL database (MB) | Log files (MB) | Min. memory (MB) | Rec. memory (MB) | Memory per additional domain
Access Manager Application Development Kit | 3 | 5 | — | — | — | — | —
Access Manager Authorization Server | 2 | 4 | 15 [2] | 5 | 30 | 40 | —
Access Manager Java Runtime Environment | 8 | 10 | — | — | — | — | —
Access Manager Policy Proxy Server | 1 | 2 | — | | | 40 | —
Access Manager Policy Server | 2 | 4 | 5 [1, 2] | 10 [1] | 30 | 40 | 5 [2]
Access Manager Runtime | 36 | 40 | — | — | — | — | —
Access Manager Web Portal Manager | 1 | 2 | — | — | 35 [3] | 70 [4] | —
Global Security Kit | 18 | 20 | — | — | — | — | —
IBM Tivoli Directory Client | 46 | 50 | — | — | [6] | [6] | 
IBM Tivoli Directory Server (including prerequisite software) | 145 [7] | 245 [7] | — | 10 | 256 [5] | 512 MB–1 GB [5] | —
IBM WebSphere Application Server, Version 5.0.2 | 552 | 552 | — | — | 256 | 512 | —

Notes:

1. The size is for the default domain only. For each additional domain, increase the recommended disk space by this amount.

2. This is based on the approximate requirement for an ACL database with 10,000 objects, equally spread across 10 object spaces and about 30 ACLs attached to 10% of the objects. Except for the policy server, the size is tripled to account for a backup copy and an additional copy created during replication.

3. The minimum for WPM represents the memory requirement for each connected browser.

4. This recommendation for WPM represents two connected browsers.

5. 256 MB (minimum) and 512 MB–1 GB (recommended) memory are for less than one million Tivoli Access Manager users. For more than one million users, increase this amount to 512 MB (minimum) and 1 GB–2 GB (recommended) memory.

6. Memory requirements for the IBM Tivoli Directory Client are part of the memory requirements of the servers that use it.

7. IBM Tivoli Directory Server estimates include an empty database. Add an additional 10 KB per Tivoli Access Manager user.


Supported platforms, including required patches

Table 4 lists required patches or service levels for supported operating systems.

Note: SuSE Linux is one of four partner companies whose products are based on UnitedLinux 1.0; the other companies are the SCO Group, Turbolinux, and Conectiva. When SuSE Linux Enterprise Server (SLES) is listed as supported, support for the other partner companies' products based on UnitedLinux 1.0 is implied as well. For more information, consult the UnitedLinux Web site at:

http://www.unitedlinux.com

Table 4. Patches required by supported operating system platform

For each operating system platform, the table lists the Tivoli Access Manager 5.1 systems supported on it and the required patches or service level.

AIX 4.3.3
Supported systems:
v Development (ADK)
v Java runtime environment
v Runtime
Required patches or service level: latest patches and the following:
v bos.rte.libpthreads at level 4.3.3.51 or higher
v xlC.rte (6.0.0.0 C Set ++ Runtime)
v xlC.aix43.rte (6.0.0.3 C Set ++ Runtime)

AIX 5.1
Supported systems:
v Authorization server
v Development (ADK)
v Java runtime environment
v Policy server
v Policy proxy server
v Runtime
v Web Portal Manager
Required patches or service level: Maintenance Level 4 or higher and the following:
v xlC.rte (6.0.0.0 C Set ++ Runtime)
v xlC.aix50.rte (6.0.0.3 or higher C Set ++ Runtime)

AIX 5.2
Supported systems:
v Authorization server
v Development (ADK)
v Java runtime environment
v Policy server
v Policy proxy server
v Runtime
v Web Portal Manager
Required patches or service level: Maintenance Level 1 or higher, the AIX 5200-01 maintenance package, and the following:
v xlC.rte (6.0.0.0 C Set ++ Runtime)
v xlC.aix50.rte (6.0.0.3 C Set ++ Runtime)
v bos.rte.libc at 5.2.0.12

HP-UX 11.0
Supported systems:
v Authorization server
v Development (ADK)
v Java runtime environment
v Policy server
v Policy proxy server
v Runtime
v Web Portal Manager
Required patches or service level:
v XSWGR-1100
v PHKL_25475
v PHSS_26945 or later
v PHSS_25091
v For specific languages only:
– Japanese: PHSS_26972
– Korean: PHSS_26974
– Simplified Chinese: PHSS_26976
– Traditional Chinese: PHSS_24937

HP-UX 11i
Supported systems:
v Authorization server
v Development (ADK)
v Java runtime environment
v Policy server
v Policy proxy server
v Runtime
v Web Portal Manager
Required patches or service level:
v PHCO_24400
v PHCO_24402
v PHSS_25092
v PHSS_26946
v For specific languages only:
– Japanese: PHSS_26971
– Korean: PHSS_26973
– Simplified Chinese: PHSS_24975
– Traditional Chinese: PHSS_26977

Red Hat Enterprise Linux 3.0
Supported systems:
v Authorization server
v Development (ADK)
v Java runtime environment
v Policy server
v Policy proxy server
v Runtime
Required patches or service level: No specific patches are required.

SuSE SLES8 for IA32
Supported systems:
v Authorization server
v Development (ADK)
v Java runtime environment
v Policy server
v Policy proxy server
v Runtime
v Web Portal Manager
Required patches or service level: libstdc++-3.2.2-5

SuSE SLES8 for S/390 and zSeries (31-bit systems); SuSE SLES8 for zSeries (64-bit systems)
Supported systems:
v Authorization server
v Development (ADK)
v Java runtime environment
v Policy server
v Policy proxy server
v Runtime
v Web Portal Manager
Required patches or service level:
Kernel levels supported:
v 31-bit kernel: k_deflt-2.4.19-32
v 64-bit kernel: k_deflt-2.4.19-34
Service Pack 2 update:
v 31-bit kernel: k_deflt-2.4.19-79
v 64-bit kernel: k_deflt-2.4.19-80

SuSE SLES8 for pSeries and iSeries
Supported systems:
v Development (ADK)
v Java runtime environment
v Runtime
v Web Portal Manager
Required patches or service level:
Kernel levels supported:
v kernel-iseries64-2.4.19-104
v kernel-ppc64-2.4.19-108
Service Pack 1 update:
v kernel-iseries64-2.4.19-194
v kernel-ppc64-2.4.19-186

Solaris Operating Environment 7
Supported systems:
v Development (ADK)
v Java runtime environment
v Runtime
Required patches or service level:
32-bit packages:
v 106327-18
v 106541-24
v 106950-22
v 106980-22
v 107544-03
64-bit packages:
v 106300-19
v 106327-18
v 106541-24
v 107544-03
v 106950-22
v 106980-22

Solaris Operating Environment 8
Supported systems:
v Authorization server
v Development
v Java runtime environment
v Policy server
v Policy proxy server
v Runtime
v Web Portal Manager
Required patches or service level:
32-bit packages:
v 109147-15
v 108434-05
v 108528-24
v 108827-40
v 111327-02
v SUNWuiu8
v SUNWjiu8
64-bit packages:
v 109147-15
v 108434-05
v 108435-06
v 108528-24
v 108827-40
v 111327-02
v SUNWuiu8
v SUNWjiu8

Solaris Operating Environment 9
Supported systems:
v Authorization server
v Development (ADK)
v Java runtime environment
v Policy server
v Policy proxy server
v Runtime
v Web Portal Manager
Required patches or service level: 11711-06

Windows NT 4.0
Supported systems:
v Development (ADK)
v Java runtime environment
v Runtime
Required patches or service level: Service Pack 6a

Windows XP and 2000 Pro
Supported systems:
v Development (ADK)
v Java runtime environment
v Runtime
Required patches or service level: No specific patches at this time.

Windows 2000 Server and Advanced Server
Supported systems:
v Authorization server
v Development (ADK)
v Java runtime environment
v Policy server
v Policy proxy server
v Runtime
v Web Portal Manager
Required patches or service level: Service Pack 3

Windows 2003 Standard Server and Enterprise Server
Supported systems:
v Authorization server
v Development (ADK)
v Java runtime environment
v Policy server
v Policy proxy server
v Runtime
v Web Portal Manager
Required patches or service level: No specific patches at this time.


Backward compatibility

The following Tivoli Access Manager components can communicate with a Version 5.1 policy server or authorization server:

v Access Manager Runtime, Versions 3.8, 3.9, 4.1, and 5.1

v Access Manager Java Runtime Environment, Versions 3.9, 4.1, and 5.1

Notes:

1. Because the servers use the runtime for communication, the servers are backward compatible.

2. All components on a single system must be at the same version.

3. When using Active Directory or Lotus Domino as the user registry, all Tivoli Access Manager components must be at the Version 5.1 level.

The binary backward compatibility supported by Tivoli Access Manager, Version 5.1, for Tivoli Access Manager, Version 3.9 and 4.1, applications is as follows:

v Access Manager Runtime, Version 5.1, supports applications compiled against Tivoli Access Manager, Version 4.1 and 3.9 ADKs for all platforms (except Solaris).

v Access Manager Runtime, Version 5.1, for Solaris supports applications compiled against the Tivoli Access Manager, Version 4.1 ADK only.


Hardware acceleration card support

Table 5 lists platform-specific hardware accelerator cards that have been verified to perform successfully with Tivoli Access Manager, Version 5.1.

Table 5. Hardware acceleration card support

Each entry gives the operating system followed by its supported hardware acceleration cards.

AIX 5.1
v nCipher nForce 300 RSA BSAFE, Version 5.32
v nCipher nForce 300 PKCS#11, Version 5.32
v IBM 4758-023 PKCS#11, Version 2.41
v Eracom Orange PKCS#11, Version 2.11
v IBM 4960 PKCS#11, Version 5.1.0.25

AIX 5.2
v IBM 4758-023 PKCS#11, Version 2.41
v Eracom Orange PKCS#11, Version 2.11
v IBM 4960 PKCS#11, Version 5.1.0.25

HP-UX 11
v Rainbow Crypto Swift RSA BSAFE, Version 3.2.0

HP-UX 11i
Not supported

Red Hat Enterprise Linux 3.0
v Eracom Orange PKCS#11, Version 2.11

SuSE SLES8 for IA32
v Eracom Orange PKCS#11, Version 2.11

SuSE SLES8 for zSeries (31-bit native and 31-bit compatibility mode in 64-bit native) and S/390 (31-bit native)
v PCICA - zSeries Feature code 0862
v PCICC - zSeries Feature code 0861, S/390 Feature code 0860

Solaris 8
v Rainbow Crypto Swift RSA BSAFE, Version 3.2.0
v nCipher nForce 300 RSA BSAFE, Version 8.0
v nCipher nForce 300 PKCS#11, Version 8.0
v Eracom Orange PKCS#11, Version 2.11

Solaris 9
v nCipher nForce 300 RSA BSAFE
v nCipher nForce 300 PKCS#11, Version 2.10

Windows 2000 Server and Advanced Server
v Rainbow Crypto Swift RSA BSAFE, Version 3.2.0
v nCipher nForce 300 RSA BSAFE, Version 8.0
v nCipher nForce 300 PKCS#11, Version 8.0
v IBM 4758-023 PKCS#11, Version 2.41
v Eracom Orange PKCS#11, Version 2.11

Windows 2003 Standard Server and Enterprise Server
Not supported

Install the appropriate vendor's device drivers on the machine where your Tivoli Access Manager application is running, using the instructions accompanying the card. In the case of the BSAFE cards, no additional configuration is required. GSKit automatically detects the cards. Therefore, any Tivoli Access Manager component that uses GSKit automatically uses the acceleration.


Chapter 3. Internationalization

This chapter describes the internationalization features for a Tivoli Access Manager secure domain. This section contains the following topics:

v “Language support overview” on page 34

v “Installing language support packages” on page 35

v “Installing language packages for IBM Tivoli Directory Server” on page 37

v “Uninstalling language support packages” on page 39

v “Locale environment variables” on page 39

v “Message catalogs” on page 42

v “Text encoding (code set) support” on page 43

Attention: Ensure that you review the internationalization section in the IBM Tivoli Access Manager for e-business Release Notes for any language-specific limitations or restrictions.


Language support overview

Tivoli Access Manager software is translated into the following languages:

v Brazilian Portuguese

v Czech

v Chinese (Simplified)

v Chinese (Traditional)

v French

v German

v Hungarian

v Italian

v Japanese

v Korean

v Polish

v Spanish

v Russian

The translations for these languages are provided as language support packages on the IBM Tivoli Access Manager Language Support CD for each product. To obtain language support for Tivoli Access Manager, you must install the language support package for that product.

Keep in mind that if you use installation wizards to install Tivoli Access Manager, you must install the language package before installing Tivoli Access Manager so that you can view configuration messages in your native language. For native installation utilities, install the language package after installing Tivoli Access Manager components but before configuring them. If you do not install the language support package, the associated product displays all text in English.

Note: Each language is a separately installable product installation image.

If language support for a product is installed and you upgrade the product, you must also install the corresponding language support product, if one exists. Refer to the upgrade documentation for the specific product to determine if language support is required. If you do not install the language support after upgrading, the associated product might display some fields and messages in English.


Installing language support packages

To install language support packages for Tivoli Access Manager, follow these steps:

1. Log on as root or as an Administrative user.

2. Install the IBM JRE 1.3.1 for your particular operating system. For instructions, see one of the following:

v On AIX systems, see page 153.

v On HP-UX systems, see page 153.

v On Linux systems, see page 154.

v On Solaris systems, see page 155.

v On Windows systems, see page 155.

3. Insert or mount the IBM Tivoli Access Manager Language Support CD and change to the root directory where the CD is located.

Note: On HP-UX, mount the CD using the pfs_mountd command.

4. Depending on the Tivoli Access Manager product that you want to install, run one or more of the following setup scripts.

Attention:

v Scripts are used for UNIX systems; batch files (.bat extension) are used for Windows systems.

v If you issue a script without specifying the jre_path, you must ensure that the Java executable is part of the PATH statement. Otherwise, issue the script specifying the jre_path as follows:

package jre_path

For example, to install the language package for Tivoli Access Manager Base, enter the following:

install_pdrte_lp /usr/bin

where /usr/bin is the path to the JRE.

Language packages are as follows:

install_pdrte_lp
Specifies to install language packages for Tivoli Access Manager Base.

install_pdjrte_lp
Specifies to install language packages for Tivoli Access Manager Java runtime environment.

install_pdwpm_lp
Specifies to install language packages for Tivoli Access Manager Web Portal Manager.

5. Click Next to begin installation. The Software License Agreement dialog is displayed.

6. To accept the license agreement, select I accept the terms in the license agreement and then click Next. A dialog showing a list of language packages is displayed.

7. Select the language packages that you want to install and click Next. A dialog showing the location and features of the language packages you selected is displayed.


8. To accept the language packages you selected, click Next. The language packages you selected are installed.

9. After installation for the Tivoli Access Manager language pack has completed successfully, click Finish to close the wizard and restart your system.


Installing language packages for IBM Tivoli Directory Server

In addition to installing language packages for Tivoli Access Manager software, you must install language packages for IBM Tivoli Directory. These language packages are provided on the IBM Tivoli Access Manager Language Support CDs for supported platforms.

1. To install the prerequisite language packages, do one of the following:

v On AIX systems, do the following:

a. Insert the IBM Tivoli Access Manager Language Support for AIX CD and mount it.

b. Install the following packages:

installp -c -a -g -X -d cd_mount_point/usr/sys/inst.images packages

where cd_mount_point/usr/sys/inst.images is the directory where the CD is mounted and packages are as follows:

ldap.html.lang
Specifies IBM Tivoli Directory documentation.

ldap.msg.lang
Specifies IBM Tivoli Directory messages.

and lang is the language file abbreviation.

For example, to install IBM Tivoli Directory documentation in the Italian language, enter the following:

installp -cagXd cd_mount_point/usr/sys/inst.images ldap.html.it_IT

where cd_mount_point/usr/sys/inst.images is the directory where the CD is mounted.

v On Linux on xSeries and Linux on zSeries systems, do the following:

a. Insert the IBM Tivoli Access Manager Language Support for Linux on xSeries or Linux on zSeries CD and mount it.

Note: Linux on zSeries users: You must first obtain access to the Linux rpm files from CD.

b. Change to the /mnt/cdrom/series directory, where /mnt/cdrom is the mount point for your CD and series specifies xSeries or zSeries.

c. Install the following packages:

rpm -ihv packages

where packages are as follows:

Linux on xSeries: ldap-html-lang-5.2-1.i386.rpm

Linux on zSeries: ldap-html-lang-5.2-1.s390.rpm

and lang is the language file abbreviation.

v On Solaris systems, do the following:

a. Insert the IBM Tivoli Access Manager Language Support for Solaris CD.

b. Install the following packages (one at a time):

pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault packages

where packages, located in the /solaris directory, specifies the following:

IBMldilang
Specifies IBM Tivoli Directory documentation.

IBMldmlang
Specifies IBM Tivoli Directory messages.

and lang is the language file abbreviation.

For example, to install IBM Tivoli Directory messages in the Japanese language, enter the following:

pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault IBMldmJa

where -d /cdrom/cdrom0/solaris specifies the location of the package and -a /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script.


Uninstalling language support packages

To uninstall language support packages, follow these steps:

1. Change to one of the following directories:

v On UNIX systems:

/opt/location

v On Windows systems:

C:\Program Files\location

where location is as follows:

PDBLP/Lp_uninst
Specifies the location of the language packages for Tivoli Access Manager Base.

PDJrtLP/lp_uninst
Specifies the location of the language packages for Tivoli Access Manager Java runtime environment.

PDWpmLP/lp_uninst
Specifies the location of the language packages for Tivoli Access Manager Web Portal Manager.

2. To uninstall the language support packages, enter one of the following:

v On UNIX systems:

jre_path/java -jar package

v On Windows systems:

jre_path\java -jar package

where jre_path is the path where the Java executable is located and package is one of the following:

Note: If the Java executable is in the path, you do not have to specify jre_path.

pdrte_lp_uninstall.jar
Specifies the language package for Tivoli Access Manager Base.

pdjrte_lp_uninstall.jar
Specifies the language package for Tivoli Access Manager Java runtime environment.

pdwpm_lp_uninstall.jar
Specifies the language package for Tivoli Access Manager Web Portal Manager.

Locale environment variables

As with most current operating systems, localized behavior is obtained by specifying the desired locale. For Tivoli Access Manager software, you set the LANG environment variable to the desired locale name as specified by POSIX, X/Open, or other open systems standards.

Note: If you are in a Windows environment, you can alternatively modify the language setting in the Regional Settings of the Control Panel.

If you specify the LANG environment variable and modify the regional settings, the LANG environment variable overrides this regional setting.

As specified by open systems standards, other environment variables override LANG for some or all locale categories. These variables include the following:

v LC_CTYPE


v LC_TIME

v LC_NUMERIC

v LC_MONETARY

v LC_COLLATE

v LC_MESSAGES

v LC_ALL

If any of the previous variables are set, you must remove their setting for the LANG variable to have full effect.

LANG variable on UNIX systems

Most UNIX systems use the LANG variable to specify the desired locale. Different UNIX operating systems, however, require different locale names to specify the same language. Be sure to use a value for LANG that is supported by the UNIX operating system that you are using.

To obtain the locale names for your UNIX system, enter the following:

locale -a


LANG variable on Windows systems

Most operating systems do not use the LANG environment variable. Tivoli Access Manager software, however, can use LANG to determine the desired language. To do so, set the LANG to the canonical locale name based on the ISO language or territory codes without a code set suffix. For example:

v fr is the locale for standard French

v ja is the locale for Japanese

v pt_BR is the locale for Brazilian Portuguese

v C is the locale for English in C locale

On Windows systems, if LANG is not set, the installation of the Access Manager Runtime sets LANG according to the installer's language selection, as follows:

case ISLANG_CZECH : lang = "CSCZ1250";
case ISLANG_FRENCH_STANDARD : lang = "FrFr1252";
case ISLANG_GERMAN : lang = "DeDe1252";
case ISLANG_SPANISH : lang = "ESES1252";
case ISLANG_ITALIAN : lang = "ITIT1252";
case ISLANG_PORTUGUESE_BRAZILIAN : lang = "PTBR1252";
case ISLANG_POLISH : lang = "PLPL1250";
case ISLANG_CHINESE_TAIWAN : lang = "ZHTW950";
case ISLANG_CHINESE_PRC : lang = "ZHCN936";
case ISLANG_JAPANESE : lang = "JaJp932";
case ISLANG_KOREAN : lang = "KoKr949";
case ISLANG_RUSSIAN : lang = "RuRu1251";
case ISLANG_HUNGARIAN : lang = "HuHu1250";
default : lang = "enus1252";

Using locale variants

Although Tivoli Access Manager software currently provides only one translated version for each language, you can use a preferred locale variant, and Tivoli Access Manager finds the corresponding language translation. For example, Tivoli Access Manager provides one translation for French, but each of the following locale settings finds the appropriate translation:

v fr is the locale name for standard French

v fr_FR is the locale name for French in France

v fr_CA is the locale name for French in Canada

v fr_CH is the locale name for French in Switzerland


Message catalogs

Message catalogs are typically installed in a msg subdirectory, and each of these message catalogs is installed under a language-specific subdirectory as follows:

v On UNIX systems:

/opt/PolicyDirector/nls/msg/locale

v On Windows systems:

install_dir/nls/msg/locale

Tivoli Access Manager recognizes variations in UNIX locale names and is usually able to map the specified value to the appropriate message catalog.

The NLSPATH variable is used to find the appropriate message catalog directory, as specified by open systems standards. For example, if the message catalogs are in /opt/PolicyDirector/nls/msg, the NLSPATH variable is set to the following:

/opt/PolicyDirector/nls/msg/%L/%N.cat:/opt/PolicyDirector/nls/msg/%L/%N

Note: For Windows, use a semicolon (;) instead of a colon (:) as the separator.

The %L directive is expanded to the message catalog directory that most closely matches the current user language selection, and %N.cat expands to the desired message catalog.

If a message catalog is not found for the desired language, the English C message catalogs are used.

For example, suppose you specify the AIX locale for German in Switzerland as follows:

LANG=De_CH.IBM-850

The %L directive is expanded in the following order to locate the specified locale:

1. de_CH

2. de

3. C

Because Tivoli Access Manager does not provide a German in Switzerland language package, de_CH is not found. If the Tivoli Access Manager German language package is installed, de is used. Otherwise, the default locale C is used, causing text to be displayed in English.
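The following is an added example, not code from the IBM guide or the product, that walks through the lookup just described: it applies the LC_ALL / LC_MESSAGES / LANG precedence from "Locale environment variables", expands a locale such as De_CH.IBM-850 into the de_CH, de, C search order, and tries each %L candidate against each NLSPATH template, so it also shows why the fr_FR, fr_CA and fr_CH variants from "Using locale variants" all resolve to the single French catalog. The set of installed catalogs is a constructed sample, and lower-casing the AIX language part ("De" to "de") is an assumption about how the product normalises locale names.

```python
from typing import Dict, List, Optional, Set

# NLSPATH value from the guide: "%L" is the locale, "%N" the catalog name.
NLSPATH_UNIX = ("/opt/PolicyDirector/nls/msg/%L/%N.cat:"
                "/opt/PolicyDirector/nls/msg/%L/%N")

# Constructed sample of catalogs present on a host: one German, one French
# and the English "C" catalog. Not a real installation inventory.
INSTALLED_CATALOGS: Set[str] = {
    "/opt/PolicyDirector/nls/msg/de/pdbase.cat",
    "/opt/PolicyDirector/nls/msg/fr/pdbase.cat",
    "/opt/PolicyDirector/nls/msg/C/pdbase.cat",
}


def effective_locale(env: Dict[str, str]) -> str:
    """POSIX precedence for message catalogs: LC_ALL overrides everything,
    LC_MESSAGES overrides LANG, and an unset or empty LANG means C."""
    for var in ("LC_ALL", "LC_MESSAGES", "LANG"):
        value = env.get(var, "")
        if value:
            return value
    return "C"


def locale_candidates(locale_name: str) -> List[str]:
    """Expand a locale name into the %L search order the guide describes:
    language_TERRITORY, then language, then C. The code set suffix
    (".IBM-850") and any "@modifier" are dropped first."""
    base = locale_name.split(".", 1)[0].split("@", 1)[0]
    if base in ("", "C", "POSIX"):
        return ["C"]
    language, _, territory = base.partition("_")
    language = language.lower()  # assumption: AIX "De_CH" maps to "de_CH"
    candidates: List[str] = []
    if territory:
        candidates.append(f"{language}_{territory.upper()}")
    candidates.append(language)
    candidates.append("C")
    return candidates


def find_catalog(name: str, env: Dict[str, str], installed: Set[str],
                 nlspath: str = NLSPATH_UNIX,
                 separator: str = ":") -> Optional[str]:
    """Return the first catalog path that exists, trying every %L candidate
    in order against every NLSPATH template. Windows would pass ';' as the
    separator, as the guide notes."""
    for loc in locale_candidates(effective_locale(env)):
        for template in nlspath.split(separator):
            path = template.replace("%L", loc).replace("%N", name)
            if path in installed:
                return path
    return None  # no catalog at all, not even the C fallback


if __name__ == "__main__":
    env = {"LANG": "De_CH.IBM-850"}
    print(locale_candidates(env["LANG"]))            # ['de_CH', 'de', 'C']
    print(find_catalog("pdbase", env, INSTALLED_CATALOGS))
```

A practical check this exposes: an LC_ALL left over in a service account's profile silently wins over the LANG you set for the daemon, and the result is the C catalog rather than an error, which is exactly the symptom the guide describes when it says to remove those settings for LANG to take full effect.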


Text encoding (code set) support

Different operating systems often encode text in different ways. For example,Windows systems use SJIS (code page 932) for  Japanese text,  but UNIX systemsoften use eucJP.

In addition, multiple locales can  be provided for the same language so that

different code sets can  be used for the same language on the same machine. Thiscan cause problems when text is moved from system to system or  betweendifferent locale environments.

Tivoli Access Manager addresses these problems  by using Unicode and UTF-8 (themulti-byte form of  Unicode) as the internal canonical representation for text.

Message catalogs are encoded using UTF-8, and the text is converted to the locale encoding before being presented to the user. In this way, the same French message catalog files can be used to support a variety of Latin 1 code sets, such as ISO8859-1, Microsoft 1252, IBM PC 850, and IBM MVS 1047.

UTF-8 is also used to achieve text interoperability. For example, Common Object Request Broker Architecture (CORBA) strings are transmitted as UTF-8. This enables remote management within a heterogeneous network in which local text encoding can vary. For example, Japanese file names can be manipulated on Japanese PC endpoints from a desktop executing in the UNIX Japanese EUC locale.

Text interoperability across the secure domain is also achieved by storing strings as UTF-8 within the Tivoli object database. Strings are converted to the local encoding for viewing and manipulation by applications that are executing on different operating system code sets.
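The %L fallback order (de_CH, de, C) and the UTF-8-to-code-set conversion described above, as an added shell example that is not code from the IBM guide; the catalog name "example", the template directory used in the demonstration, and the use of iconv for the conversion are assumptions:

```shell
#!/bin/sh
# Added example, not part of the IBM guide. Models two behaviours the text
# describes: (1) expansion of an NLSPATH-style template such as
#   /opt/PolicyDirector/nls/msg/%L/%N.cat:/opt/PolicyDirector/nls/msg/%L/%N
# with the de_CH -> de -> C fallback for LANG=De_CH.IBM-850, and (2) conversion
# of UTF-8 catalog text to the locale's code set before display. The iconv
# call and the code-set name normalisation are assumptions made here; the
# product uses its own conversion code. Template entries must not contain spaces.

# Print the %L candidates for a LANG value, most specific first, ending in C.
# The language part is lowercased and the territory kept: De_CH -> de_CH, de, C
locale_candidates() {
    _lang=${1%%.*}                     # drop the code set:  De_CH
    _lang=${_lang%%@*}                 # drop any @modifier
    case $_lang in
        ''|C|POSIX) echo C; return 0 ;;
    esac
    _ll=$(printf '%s' "${_lang%%_*}" | tr '[:upper:]' '[:lower:]')   # de
    _terr=${_lang#*_}                  # CH, or unchanged when no territory
    if [ "$_terr" != "$_lang" ]; then
        echo "${_ll}_${_terr}"         # de_CH
    fi
    echo "$_ll"                        # de
    echo C                             # English fallback
}

# Expand every colon-separated entry of a template for one locale directory,
# substituting %L (locale) and %N (catalog name), one path per line.
expand_template() {   # $1=template  $2=locale dir  $3=catalog name
    printf '%s\n' "$1" | tr ':' '\n' | sed -e "s|%L|$2|g" -e "s|%N|$3|g"
}

# Walk the candidates in fallback order and print the first readable catalog.
# Returns 1 when not even the C catalog exists.
find_catalog() {   # $1=template  $2=catalog name  $3=LANG value
    for _loc in $(locale_candidates "$3"); do
        for _path in $(expand_template "$1" "$_loc" "$2"); do
            if [ -r "$_path" ]; then
                printf '%s\n' "$_path"
                return 0
            fi
        done
    done
    return 1
}

# Code set named in LANG (the part after the dot), UTF-8 when none is given.
# GNU iconv spells the AIX name IBM-850 as IBM850, hence the sed (assumption).
locale_codeset() {   # $1=LANG value
    case $1 in
        *.*) _cs=${1#*.}; printf '%s\n' "${_cs%%@*}" | sed 's/^IBM-/IBM/' ;;
        *)   echo UTF-8 ;;
    esac
}

# Read UTF-8 catalog text on stdin and write it in the locale's code set,
# which is what happens to a message before it is presented to the user.
convert_for_locale() {   # $1=LANG value
    iconv -f UTF-8 -t "$(locale_codeset "$1")"
}

# Demonstration with the guide's own example: prints de_CH, de and C.
locale_candidates De_CH.IBM-850
# The same French text as one byte per character in ISO8859-1 (351 = e-acute).
if command -v iconv >/dev/null 2>&1; then
    printf 'caf\303\251\n' | convert_for_locale fr_FR.ISO8859-1 | od -c
fi
```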

Location of code set files

Interoperability across your secure domain depends on code set files, which are used to perform UTF-8 conversion and other types of encoding-specific text processing. These files are installed in the following directories:

• On UNIX systems:

/opt/PolicyDirector/nls/msg/locale

• On Windows systems:

install_dir/nls/msg/locale


Part 2. Base system installation

Chapter 4. Setting up the registry server . . . 47
  Setting up IBM Tivoli Directory Server . . . 48
    Pre-installation requirements . . . 48
    Installing using the installation wizard . . . 50
    Installing using native utilities . . . 51
      AIX: Installing IBM Tivoli Directory Server . . . 51
      HP-UX: Installing IBM Tivoli Directory Server . . . 53
      Linux: Installing IBM Tivoli Directory Server . . . 54
      Solaris: Installing IBM Tivoli Directory Server . . . 56
      Windows: Installing IBM Tivoli Directory Server . . . 58
    Configuring IBM Tivoli Directory Server . . . 61
    Configuring IBM Tivoli Directory Server for Tivoli Access Manager . . . 63
  Setting up IBM z/OS and OS/390 Security Servers . . . 70
    Updating schema files . . . 70
    Adding suffixes . . . 70
    Configuring Tivoli Access Manager for LDAP . . . 72
    Native authentication user administration . . . 72
  Setting up Lotus Domino . . . 74
    Creating a Tivoli Access Manager administrative user for Domino . . . 74
    Installing a Lotus Notes client on the Domino server . . . 75
  Setting up Microsoft Active Directory . . . 77
    Active Directory considerations . . . 77
    Creating an Active Directory domain . . . 77
    Joining an Active Directory domain . . . 78
    Creating an Active Directory administrative user . . . 80
    Active Directory replication . . . 80
  Setting up Novell eDirectory . . . 82
    When using Novell eDirectory . . . 82
  Setting up Sun ONE Directory Server . . . 84

Chapter 5. Setting up the policy server . . . 89
  Installing using the installation wizard . . . 89
  Installing using native utilities . . . 90
    AIX: Installing the policy server . . . 90
    HP-UX: Installing the policy server . . . 91
    Linux: Installing the policy server . . . 93
    Solaris: Installing the policy server . . . 94
    Windows: Installing the policy server . . . 95

Chapter 6. Setting up an authorization server . . . 99
  Installing using the installation wizard . . . 99
  Installing using native utilities . . . 100
    AIX: Installing an authorization server . . . 100
    HP-UX: Installing an authorization server . . . 101
    Linux: Installing an authorization server . . . 102
    Solaris: Installing an authorization server . . . 103
    Windows: Installing an authorization server . . . 104

Chapter 7. Setting up a development (ADK) system . . . 107
  Installing using the installation wizard . . . 107
  Installing using native utilities . . . 108
    AIX: Installing a development (ADK) system . . . 108
    HP-UX: Installing a development (ADK) system . . . 109
    Linux: Installing a development (ADK) system . . . 110
    Solaris: Installing a development (ADK) system . . . 111
    Windows: Installing a development (ADK) system . . . 112

Chapter 8. Setting up a Java runtime environment system . . . 113
  Installing using the installation wizard . . . 113
  Installing using native utilities . . . 113
    AIX: Installing a Java runtime environment system . . . 114
    HP-UX: Installing a Java runtime environment system . . . 114
    Linux: Installing a Java runtime environment system . . . 115
    Solaris: Installing a Java runtime environment system . . . 116
    Windows: Installing a Java runtime environment system . . . 117

Chapter 9. Setting up a policy proxy server . . . 119
  Installing using the installation wizard . . . 119
  Installing using native utilities . . . 120
    AIX: Installing a policy proxy server . . . 120
    HP-UX: Installing a policy proxy server . . . 121
    Linux: Installing a policy proxy server . . . 122
    Solaris: Installing a policy proxy server . . . 123
    Windows: Installing a policy proxy server . . . 124

Chapter 10. Setting up a runtime system . . . 125
  Installing using the installation wizard . . . 125
  Installing using native utilities . . . 126
    AIX: Installing a runtime system . . . 126
    HP-UX: Installing a runtime system . . . 127
    Linux: Installing a runtime system . . . 128
    Solaris: Installing a runtime system . . . 128
    Windows: Installing a runtime system . . . 129

Chapter 11. Setting up a Web Portal Manager system . . . 131
  Installing using the installation wizard . . . 131
  Installing using native utilities . . . 133
    AIX: Installing a Web Portal Manager system . . . 133
    HP-UX: Installing a Web Portal Manager system . . . 135
    Linux: Installing a Web Portal Manager system . . . 137
    Solaris: Installing a Web Portal Manager system . . . 139
    Windows: Installing a Web Portal Manager system . . . 141


Chapter 4. Setting up the registry server

The first step in establishing a management domain is to set up a registry server for use with Tivoli Access Manager. To install and configure a supported registry, do one of the following:

• To install and configure IBM Tivoli Directory Server (shipped with Tivoli Access Manager), follow instructions in “Setting up IBM Tivoli Directory Server” on page 48. It is recommended that you use the install_ldap_server installation wizard to streamline the installation and configuration process.

Note: This installation wizard is not available on HP-UX.

• To install a supported registry other than IBM Tivoli Directory Server, consult the product’s documentation. For a list of supported registries, see “Supported registries” on page 19.

• If you have an existing registry that you want to use for Tivoli Access Manager, ensure that you upgrade the server to the version supported by this release. For upgrade instructions for IBM Tivoli Directory Server, see the IBM Tivoli Access Manager Upgrade Guide; for other supported registries, consult the product’s documentation. Then follow instructions in this chapter to configure your registry for use with Tivoli Access Manager.

This chapter includes the following main sections:

• “Setting up IBM Tivoli Directory Server” on page 48

• “Setting up IBM z/OS and OS/390 Security Servers” on page 70

• “Setting up Lotus Domino” on page 74

• “Setting up Microsoft Active Directory” on page 77

• “Setting up Novell eDirectory” on page 82

• “Setting up Sun ONE Directory Server” on page 84


Setting up IBM Tivoli Directory Server

This section provides information about installing and configuring IBM Tivoli Directory Server as your Tivoli Access Manager registry. You can set up this system using one of the following installation methods:

• “Installing using the installation wizard” on page 50

• “Installing using native utilities” on page 51

Note: If you have a pre-existing version of LDAP from a vendor other than IBM, you should remove it before installing the IBM Tivoli Directory Server. If you attempt to install the IBM Tivoli Directory Server without removing the other vendor’s version, the resulting file name conflicts might prevent either version from working.

For complete IBM Tivoli Directory Server product documentation, click the Product Manuals and Technical Documentation link at:

http://www.ibm.com/software/network/help-directory/

Notes:

• IBM Tivoli Directory Server and IBM DB2 are shipped on the IBM Tivoli Access Manager Directory Server CD for supported AIX, HP-UX, Linux, Solaris, and Windows platforms.

• The Web Administration Tool and IBM WebSphere Application Server are shipped on the IBM Tivoli Access Manager Web Administration Interfaces CD for supported AIX, HP-UX, Linux, Solaris, Windows 2000, and Windows 2003 platforms.

Pre-installation requirements

Before you install and configure IBM Tivoli Directory Server, you must perform the following pre-installation tasks (as required). These requirements are applicable regardless of which installation method you plan to use.

• Create a DB2 database owner ID, for example, ldapdb2. The user ID you specify will own the database instance where the DB2 database will exist. You will be prompted for this ID and password during configuration.

Note: Windows users only: If you run the install_ldap_server installation wizard, the identity you create will be used for both the DB2 Administrator ID and the DB2 database owner ID. It is recommended that you create and use separate IDs when using a native installation utility. For example, name the DB2 database owner ID ldapdb2 and the DB2 Administrator ID db2admin.

– The user ID can  be no longer than 8 characters.

– On Windows platforms, the user must be a member of the Administrators group and must be in the same domain as the Administrator ID.

– On UNIX platforms, the user must have a home directory and must be the owner of the home directory.

– Choose a directory where the DB2 database will be located. The installation wizard will prompt for this directory under Directory server database home.

- The group ownership of the DB2 database directory should be the DB2 group created when DB2 was installed. On AIX and Solaris, this group is usually named dbsysadm. For Linux on zSeries, this group is usually named db2iadm1. For example, in the case of a user named ldapdb2, the database directory should be owned by ldapdb2:dbsysadm on AIX and Solaris or by ldapdb2:db2iadm1 for Linux on zSeries.


There might be some groups that do not work correctly as the user’s primary group when configuring the database. For example, if the user’s primary group on Linux is users, problems might occur. You must use other on Linux if you want to be sure that the primary group will work.

– The user root must be a member of the group chosen to own the DB2 database directory. If root is not a member of this group, add root as a member of the group.

– For best results, the user’s login shell should be the Korn shell (/usr/bin/ksh).

– The user’s password must be set correctly and ready to use. For example, the password cannot be expired or waiting for a first-time validation of any kind. (The best way to verify that the password is correctly set is to telnet to the same computer and successfully log in with that user ID and password.)

– When configuring the database, it is not necessary, but customary, to specify the home directory of the user ID as the database location. However, if you specify some other location, the user’s home directory still must have 3 to 4 MB of space available. This is because DB2 creates links and adds files into the home directory of the instance owner (that is, the user) even though the database itself is elsewhere. If you do not have enough space in the home directory, you can either create enough space or specify another directory as the home directory.

• On AIX systems only, IBM Tivoli Directory Server, Version 5.2, requires 64-bit hardware and a 64-bit kernel. To ensure that your system is set up correctly, review the following:

– To verify that your AIX hardware is 64-bit, enter the following:

bootinfo -y

If results display 64, your hardware is 64-bit. In addition, if you type the command lsattr -El proc0, the output of the command returns the type of processor for your server. If you have any of the following, you have 64-bit hardware: RS64 I, II, III, IV, POWER3, POWER3 II or POWER4.

– 64-bit hardware can have either a 32-bit or a 64-bit kernel. To verify that you have a 64-bit kernel (/usr/lib/boot/unix_64) installed and running, enter the following:

bootinfo -K

If results display 64, the kernel is 64-bit. However, if results display 32, you must switch from the 32-bit kernel to the 64-bit kernel. To do so, follow these steps:

1. Ensure that you have the following 64-bit packages:

bos.64bit
bos.mp64

2. To switch to the 64-bit kernel, enter the following commands:

ln -sf /usr/lib/boot/unix_64 /unix
ln -sf /usr/lib/boot/unix_64 /usr/lib/boot/unix
lslv -m hd5
bosboot -ad /dev/ipldevice
shutdown -Fr

– Ensure that asynchronous I/O is enabled. To do so, enter the following commands:

/usr/sbin/mkdev -l aio0
/usr/sbin/chdev -l aio0 -P
/usr/sbin/chdev -l aio0 -P -a autoconfig=available
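The owner-ID and platform prerequisites above, turned into a pre-flight check as an added shell example (not the guide's or the product's own code); the function names, the 4096 KB threshold, the character-set restriction on the owner ID and the AIX-only bootinfo checks are assumptions:

```shell
#!/bin/sh
# Added example, not part of the IBM guide: a pre-flight script for the DB2
# database-owner requirements listed above, run before the registry server is
# configured. ldapdb2, dbsysadm and db2iadm1 are the guide's own sample names.
# The function names, the 4096 KB threshold (the guide says 3 to 4 MB), the
# restriction of the owner ID to lower-case letters, digits and underscore,
# and the AIX-only bootinfo checks are assumptions made here. The password
# check (not expired, no first-time validation pending) remains manual.

# The DB2 owner ID can be no longer than 8 characters.
check_owner_name() {   # $1=user name -> 0 ok, 1 too long or unusable
    case $1 in
        ''|*[!a-z0-9_]*) return 1 ;;
    esac
    [ ${#1} -le 8 ]
}

# Home directory and login shell from the passwd database (getent where it
# exists, /etc/passwd otherwise, for example on AIX).
passwd_field() {   # $1=user  $2=field number (6=home, 7=shell)
    if command -v getent >/dev/null 2>&1; then
        getent passwd "$1" 2>/dev/null | cut -d: -f"$2"
    else
        awk -F: -v u="$1" -v f="$2" '$1 == u { print $f }' /etc/passwd
    fi
}

# On UNIX the user must have a home directory and own it.
check_home_owned() {   # $1=user  $2=home directory
    [ -n "$2" ] && [ -d "$2" ] || return 1
    [ "$(ls -ld "$2" | awk '{ print $3 }')" = "$1" ]
}

# root must be a member of the group that will own the database directory.
check_root_in_group() {   # $1=group name
    id -Gn root 2>/dev/null | tr ' ' '\n' | grep -qx "$1"
}

# For best results the login shell is the Korn shell.
check_login_shell() {   # $1=user
    [ "$(passwd_field "$1" 7)" = "/usr/bin/ksh" ]
}

# The home directory needs 3 to 4 MB free even if the database lives
# elsewhere, because DB2 adds links and files for the instance owner there.
check_home_space() {   # $1=directory  $2=minimum free space in KB
    _avail=$(df -Pk "$1" 2>/dev/null | awk 'NR == 2 { print $4 }')
    [ "${_avail:-0}" -ge "$2" ]
}

# AIX only: IBM Tivoli Directory Server 5.2 needs 64-bit hardware and a
# 64-bit kernel, i.e. bootinfo -y and bootinfo -K must both report 64.
check_aix_64bit() {
    [ "$(uname -s)" = AIX ] || return 0       # not applicable elsewhere
    [ "$(bootinfo -y)" = 64 ] && [ "$(bootinfo -K)" = 64 ]
}

# Run every check, print PASS/FAIL per check, return the number of failures.
preflight() {   # $1=owner user  $2=group that will own the database directory
    _fail=0
    _home=$(passwd_field "$1" 6)
    for _check in \
        "check_owner_name $1" \
        "check_home_owned $1 $_home" \
        "check_root_in_group $2" \
        "check_login_shell $1" \
        "check_home_space ${_home:-/} 4096" \
        "check_aix_64bit"
    do
        if $_check; then
            echo "PASS: $_check"
        else
            echo "FAIL: $_check"
            _fail=$((_fail + 1))
        fi
    done
    return $_fail
}

# Demonstration with the guide's sample names; prints one line per check.
preflight ldapdb2 dbsysadm || echo "fix the FAIL lines before configuring DB2"
```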


Installing using the installation wizard

The install_ldap_server installation wizard simplifies the setup of an IBM Tivoli Directory Server system by installing and configuring the following components in the appropriate order:

• IBM DB2 Universal Database, Enterprise Server Edition, Version 8.1

• Global Security Kit (GSKit), Version 7

• IBM Tivoli Directory Client, Version 5.2

• IBM Tivoli Directory Server, Version 5.2

• LDAP patch (am_update_ldap.sh)

For descriptions of configuration options and step-by-step instructions with illustrations, see “Using the install_ldap_server wizard” on page 180.

To install and configure an IBM Tivoli Directory Server system using the install_ldap_server wizard, follow these steps.

Note: The IBM Tivoli Directory Server installation wizard is not available on HP-UX. If you are installing IBM Tivoli Directory Server on HP-UX, see instructions in “HP-UX: Installing IBM Tivoli Directory Server” on page 53.

1. Perform pre-installation tasks as listed in “Pre-installation requirements” on page 48.

2. Ensure that all necessary operating system patches are installed. For information, see “Supported platforms, including required patches” on page 26.

3. To view status and messages in a language other than English (default), you must install your language support package before running an installation wizard. For instructions, see “Installing language packages for IBM Tivoli Directory Server” on page 37.

4. On Windows systems only, exit from all running programs.

5. A sample SSL LDAP key file (am_key.kdb) is copied to your system during installation. You can use the am_key.kdb file to enable SSL support between your policy server and LDAP server. If you plan to enable SSL using a different SSL key file, ensure that you manually copy the SSL key file to a directory on this system.

Note: The am_key.kdb file is intended for evaluation purposes only; it is not intended for use in a production environment. The default password for the am_key.kdb file is key4ssl (lowercase).

6. Ensure that IBM JRE 1.3.1 (1.3.1.5 on AIX) is installed before running the installation wizard. For instructions, see page 153.

7. Do one of  the following:

• If installing on Solaris only, run the install_db2 program, located in the root directory on the IBM Tivoli Access Manager Directory Server 1 of 2 for Solaris CD. Next, run the install_ldap_server program, located in the root directory on the IBM Tivoli Access Manager Directory Server 2 of 2 for Solaris CD.

• For supported AIX, Linux, and Windows platforms, run the install_ldap_server program, located in the root directory on the IBM Tivoli Access Manager Directory Server CD for your supported platform.

The installation wizard begins by prompting you for configuration information as described in “Using the install_ldap_server wizard” on page 180. After you supply this information (or accept default values), the components are installed and configured without further intervention.


8. If you enabled SSL using the default am_key.kdb key file, you will eventually need to create and use your own key file to enable SSL or change this key file’s default password. To do so, you can use the iKeyman key management utility, which is installed with GSKit. For instructions, see “Setting up the GSKit iKeyman utility” on page 147. For information about using the iKeyman utility, see the IBM Global Security Kit Secure Sockets Layer and iKeyman User’s Guide.

After you set up IBM Tivoli Directory Server for use with Tivoli Access Manager using the install_ldap_server installation wizard, the next step is to set up the policy server. For instructions, see Chapter 5, “Setting up the policy server,” on page 89.

Installing using native utilities

The following sections enable you to install the IBM Tivoli Directory Server using a familiar platform-specific utility. Unlike automated installation wizards, you must manually install each component and any prerequisite software in the appropriate order.

Complete the instructions that apply to your operating system:

• AIX on page 51

• HP-UX on page 53

• Linux on page 54

• Solaris on page 56

• Windows on page 58

AIX: Installing IBM Tivoli Directory Server

To set up an IBM Tivoli Directory Server system on AIX using the installp utility, follow these steps.

Note: It is recommended that you install your registry server on a system separate from the policy server.

1. Log on as root.

2. Ensure that all necessary operating system patches are installed. For information, see “Supported platforms, including required patches” on page 26.

3. Perform pre-installation tasks as listed in “Pre-installation requirements” on page 48.

4. Insert the IBM Tivoli Access Manager Directory Server for AIX CD and mount it.

5. Install IBM DB2. To do so, install the following packages in the order listed:

installp -cagNYXd cdrom/usr/sys/inst.images packages

where packages are as follows:


db2_08_01.msg.en_US.iso88591
db2_08_01.client
db2_08_01.cnvucs
db2_08_01.repl
db2_08_01.db2.rte
db2_08_01.cs.rte
db2_08_01.icut
db2_08_01.sqlproc
db2_08_01.icuc
db2_08_01.db2.engn
db2_08_01.jhlp.en_US.iso88591
db2_08_01.cj
db2_08_01.jdbc
db2_08_01.das
db2_08_01.db2.samples
db2_08_01.ca
db2_08_01.ch.en_US.iso88591
db2_08_01.cc
db2_08_01.conn
db2_08_01.conv
db2_08_01.ldap
db2_08_01.pext
db2_08_01.essg

6. Install GSKit. For instructions, see page 145.

7. Install the IBM Tivoli Directory Client:

installp -acgXd cd_mount_point/usr/sys/inst.images ldap.client ldap.max_crypto_client

where cd_mount_point/usr/sys/inst.images is the directory where the CD is mounted.

8. Install the IBM Tivoli Directory Server:

installp -acgXd cd_mount_point/usr/sys/inst.images ldap.server ldap.max_crypto_server

9. From the root directory, enter the following to install the LDAP patch:

am_update_ldap.sh

10. English messages are automatically installed with the IBM Tivoli Directory Server package. If you require a different language version of the message files and documentation, install them from the IBM Tivoli Access Manager Language Support for AIX CD. For instructions, see “Installing language packages for IBM Tivoli Directory Server” on page 37.

To see the language versions that are available, enter the following:

installp -ld cd_mount_point/usr/sys/inst.images | grep ldap

A list of installable IBM Tivoli Directory Server packages is displayed.

11. When installation is completed, the system generates an installation summary. Verify that the last column in the summary displays SUCCESS for all loaded files. You can also verify that IBM Tivoli Directory Server was installed successfully by entering the following command:

lslpp -L | grep ldap

The output displayed lists all the filesets starting with ldap. This includes the server, client, Web Administration Tool, HTML, and message filesets. For example:

ldap.client.adt 5.2.0.0 C F Directory SDK
ldap.client.rte 5.2.0.0 C F Directory Client Runtime
ldap.client.cfg 5.2.0.0 C F Directory Server Config GUI
ldap.server.com 5.2.0.0 C F Directory Server Framework
ldap.server.java 5.2.0.0 C F Directory Server Java
ldap.server.rte 5.2.0.0 C F Directory Server Runtime

12. Define the LDAP administrator DN and password and then configure the database that will store the directory data. For instructions, see “UNIX: Configuring IBM Tivoli Directory Server” on page 61.

13. After completion of IBM Tivoli Directory Server installation, you must configure IBM Tivoli Directory Server for use with Tivoli Access Manager. For instructions, see page 63.


14. It is recommended that you use the GSKit iKeyman utility to enable SSL communication between your supported registry server and IBM Tivoli Directory Clients. To do so, follow these steps:

a. Set up the iKeyman utility. For instructions, see “Setting up the GSKit iKeyman utility” on page 147.

b. Enable SSL with a supported registry server. For instructions, see Chapter 17, “Enabling Secure Sockets Layer,” on page 227.

Note: For more information about using the iKeyman utility, see the IBM Global Security Kit Secure Sockets Layer and iKeyman User’s Guide.

After you set up IBM Tivoli Directory Server for use with Tivoli Access Manager, the next step is to set up the policy server. For instructions, see Chapter 5, “Setting up the policy server,” on page 89.

HP-UX: Installing IBM Tivoli Directory Server

To set up an IBM Tivoli Directory Server system on HP-UX, follow these steps.

Note: It is recommended that you install your registry server on a system separate from the policy server.

1. Log on as root.

2. Ensure that all necessary operating system patches are installed. For information, see “Supported platforms, including required patches” on page 26.

3. Perform pre-installation tasks as listed in “Pre-installation requirements” on page 48.

4. Insert the IBM Tivoli Access Manager Directory Server for HP-UX CD.

5. Start pfs_mountd and then pfsd in the background, if they are not running. Mount the CD with the pfs_mount command. For example, enter the following:

/usr/sbin/pfs_mount /dev/dsk/c0t0d0 /cd-rom

where /dev/dsk/c0t0d0 is the CD device and /cd-rom is the mount point.

6. Install IBM DB2:

swinstall -s /cd-rom/hp packages

where /cd-rom/hp is the directory and packages are as follows:

db2v81ent

db2v81cc

db2v81conn

db2v81gse

db2v81jhp

db2v81sdk

db2v81wgrp

db2v81cae

7. Install GSKit. For instructions, see page 147.

8. Install the IBM Tivoli Directory Client:

swinstall -s /cd-rom/hp LDAPClient

9. Install the IBM Tivoli Directory Server:

swinstall -s /cd-rom/hp LDAPServer

10. From the root directory, enter the following to install the LDAP patch:


am_update_ldap.sh

11. English messages are automatically installed with the IBM Tivoli Directory Server package. If you require a different language version of the message files and documentation, install them from the IBM Tivoli Access Manager Language Support for HP-UX CD. For instructions, see “Installing language packages for IBM Tivoli Directory Server” on page 37.

12. Define the LDAP administrator DN and password and then configure the database that will store the directory data. For instructions, see “UNIX: Configuring IBM Tivoli Directory Server” on page 61.

13. After completion of IBM Tivoli Directory Server installation, you must configure IBM Tivoli Directory Server for use with Tivoli Access Manager. For instructions, see page 63.

14. It is recommended that you use the GSKit iKeyman utility to enable SSL communication between your supported registry server and IBM Tivoli Directory Clients. To do so, follow these steps:

a. Set up the iKeyman utility. For instructions, see “Setting up the GSKit iKeyman utility” on page 147.

b. Enable SSL with a supported registry server. For instructions, see Chapter 17, “Enabling Secure Sockets Layer,” on page 227.

Note: For more information about using the iKeyman utility, see the IBM Global Security Kit Secure Sockets Layer and iKeyman User’s Guide.

After you set up IBM Tivoli Directory Server for use with Tivoli Access Manager, the next step is to set up the policy server. For instructions, see Chapter 5, “Setting up the policy server,” on page 89.

Linux: Installing IBM Tivoli Directory Server

To install the IBM Tivoli Directory Server on a supported Linux system, follow these steps.

Notes:

1. It is recommended that you install your registry server on a system separate from the policy server.

2. Linux on zSeries users: You must first obtain access to the Linux rpm files from the IBM Tivoli Access Manager for Linux on zSeries CD.

1. Log on as root.

2. Ensure that all necessary operating system patches are installed. For information, see “Supported platforms, including required patches” on page 26.

3. Perform pre-installation tasks as listed in “Pre-installation requirements” on page 48.

4. Remove the openldap2-client-2.1.4-30 package or other conflicting LDAP packages that are installed.

Note: If you need to have the openldap2-client installed on the same system as the IBM Tivoli Directory Client, make sure the following conflicting programs in /usr/bin are symlinked to the IBM LDAP client versions as follows:

/usr/bin/ldapadd → /usr/ldap/bin/ldapmodify
/usr/bin/ldapdelete → /usr/ldap/bin/ldapdelete
/usr/bin/ldapmodify → /usr/ldap/bin/ldapmodify
/usr/bin/ldapmodrdn → /usr/ldap/bin/ldapmodrdn
/usr/bin/ldapsearch → /usr/ldap/bin/ldapsearch


5. Insert the IBM Tivoli Access Manager Directory Server CD for xSeries, zSeries, or pSeries and iSeries and mount it.

6. Change to the /mnt/cdrom/series directory, where /mnt/cdrom is the mount point for your CD and series specifies xSeries, zSeries, or pSeries.

7. Install DB2. To do so, install the packages for your particular hardware as follows:

rpm -ihv IBM_db2*.rpm

where the packages for supported hardware are as follows:

Linux on xSeries:

IBM_db2msen81-8.1.0-16.i386.rpm
IBM_db2cliv81-8.1.0-16.i386.rpm
IBM_db2conv81-8.1.0-16.i386.rpm
IBM_db2repl81-8.1.0-16.i386.rpm
IBM_db2rte81-8.1.0-16.i386.rpm
IBM_db2crte81-8.1.0-16.i386.rpm
IBM_db2icut81-8.1.0-16.i386.rpm
IBM_db2icuc81-8.1.0-16.i386.rpm
IBM_db2engn81-8.1.0-16.i386.rpm
IBM_db2jhen81-8.1.0-16.i386.rpm
IBM_db2cj81-8.1.0-16.i386.rpm
IBM_db2jdbc81-8.1.0-16.i386.rpm
IBM_db2das81-8.1.0-16.i386.rpm
IBM_db2smpl81-8.1.0-16.i386.rpm
IBM_db2ca81-8.1.0-16.i386.rpm
IBM_db2chen81-8.1.0-16.i386.rpm
IBM_db2cc81-8.1.0-16.i386.rpm
IBM_db2cucs81-8.1.0-16.i386.rpm
IBM_db2sp81-8.1.0-16.i386.rpm
IBM_db2ldap81-8.1.0-16.i386.rpm
IBM_db2pext81-8.1.0-16.i386.rpm
IBM_db2conn81-8.1.0-16.i386.rpm
IBM_db2wmsa81-8.1.0-16.i386.rpm
IBM_db2essg81-8.1.0-16.i386.rpm

Linux on zSeries:

IBM_db2msen81-8.1.0-16.s390.rpm
IBM_db2cliv81-8.1.0-16.s390.rpm
IBM_db2conv81-8.1.0-16.s390.rpm
IBM_db2repl81-8.1.0-16.s390.rpm
IBM_db2rte81-8.1.0-16.s390.rpm
IBM_db2crte81-8.1.0-16.s390.rpm
IBM_db2icuc81-8.1.0-16.s390.rpm
IBM_db2engn81-8.1.0-16.s390.rpm
IBM_db2jhen81-8.1.0-16.s390.rpm
IBM_db2cj81-8.1.0-16.s390.rpm
IBM_db2jdbc81-8.1.0-16.s390.rpm
IBM_db2das81-8.1.0-16.s390.rpm
IBM_db2smpl81-8.1.0-16.s390.rpm
IBM_db2ca81-8.1.0-16.s390.rpm
IBM_db2chen81-8.1.0-16.s390.rpm
IBM_db2cc81-8.1.0-16.s390.rpm
IBM_db2cucs81-8.1.0-16.s390.rpm
IBM_db2sp81-8.1.0-16.s390.rpm
IBM_db2ldap81-8.1.0-16.s390.rpm
IBM_db2pext81-8.1.0-16.s390.rpm
IBM_db2conn81-8.1.0-16.s390.rpm
IBM_db2wbdb81-8.1.0-16.s390.rpm
IBM_db2essg81-8.1.0-16.s390.rpm

Linux on pSeries and iSeries:

IBM_db2acsg81-8.1.0-16.ppc64.rpm
IBM_db2adsg81-8.1.0-16.ppc64.rpm
IBM_db2adt81-8.1.0-16.ppc64.rpm
IBM_db2cj81-8.1.0-16.ppc64.rpm
IBM_db2cliv81-8.1.0-16.ppc64.rpm
IBM_db2conn81-8.1.0-16.ppc64.rpm
IBM_db2conv81-8.1.0-16.ppc64.rpm
IBM_db2crte81-8.1.0-16.ppc64.rpm
IBM_db2cucs81-8.1.0-16.ppc64.rpm
IBM_db2das81-8.1.0-16.ppc64.rpm
IBM_db2dj81-8.1.0-16.ppc64.rpm
IBM_db2engn81-8.1.0-16.ppc64.rpm
IBM_db2icuc81-8.1.0-16.ppc64.rpm
IBM_db2inst81-8.1.0-16.ppc64.rpm
IBM_db2jdbc81-8.1.0-16.ppc64.rpm
IBM_db2jhen81-8.1.0-16.ppc64.rpm
IBM_db2msen81-8.1.0-16.ppc64.rpm
IBM_db2pext81-8.1.0-16.ppc64.rpm
IBM_db2repl81-8.1.0-16.ppc64.rpm
IBM_db2rte81-8.1.0-16.ppc64.rpm
IBM_db2smpl81-8.1.0-16.ppc64.rpm
IBM_db2sp81-8.1.0-16.ppc64.rpm
IBM_db2essg81-8.1.0-16.ppc64.rpm

8. Install GSKit. For instructions, see page 146.

9. Install the IBM Tivoli Directory Client package:

rpm -ihv package

where package is one of the following:

• Linux on xSeries: ldap-clientd-5.2-1.i386.rpm

• Linux on zSeries: ldap-clientd-5.2-1.s390.rpm

• Linux on pSeries and iSeries: ldap-client-5.2-1.ppc.rpm

10. Install the IBM Tivoli Directory Server package:

rpm -ihv package

where package is one of the following:

• Linux on xSeries: ldap-serverd-5.2-1.i386.rpm

• Linux on zSeries: ldap-serverd-5.2-1.s390.rpm

• Linux on pSeries and iSeries: ldap-server-5.2-1.ppc.rpm

11. From the root directory on the CD, enter the following to install the LDAP patch:

am_update_ldap.sh

12. Verify that the packages have  been installed correctly:

rpm -qa | grep ldap


If the product has been successfully installed, results similar to the following are displayed:

ldap-clientd-5.2-1
ldap-serverd-5.2-1

13. English messages are automatically installed with the IBM Tivoli Directory Server package. If you require a different language version of the message files and documentation, install them from the IBM Tivoli Access Manager Language Support for Linux CD. For instructions, see “Installing language packages for IBM Tivoli Directory Server” on page 37.

14. Define the LDAP administrator DN and password and then configure the database that will store the directory data. For instructions, see “UNIX: Configuring IBM Tivoli Directory Server” on page 61.

15. After completion of IBM Tivoli Directory Server installation, you must configure IBM Tivoli Directory Server for use with Tivoli Access Manager. For instructions, see page 63.

16. It is recommended that you use the GSKit iKeyman utility to enable SSLcommunication between your supported registry server and IBM TivoliDirectory Clients. To do so, follow these steps:

a.Set up the iKeyman utility. For instructions, see “Setting up the GSKitiKeyman utility” on page 147.

b. Enable SSL with a supported registry server. For instructions, seeChapter 17, “Enabling Secure Sockets Layer,” on page 227.

Note: For more information about using the iKeyman utility, see the IBMGlobal Security Kit Secure Sockets Layer and iKeyman User’s Guide.

After you set up IBM Tivoli Directory Server for use with Tivoli Access Manager,the next step is to set up the policy server. For instructions, see Chapter 5, “Settingup the policy server,” on page 89.

Solaris: Installing IBM Tivoli Directory Server

To set up an IBM Tivoli Directory Server system on Solaris using the pkgadd utility, follow these steps.

Note: It is recommended that you install your registry server on a separate system from the policy server.

1. Log on as root.

2. Ensure that all necessary operating system patches are installed. For information, see “Supported platforms, including required patches” on page 26.

3. Perform pre-installation tasks as listed in “Pre-installation requirements” on page 48.

4. Insert the IBM Tivoli Access Manager Directory Server 1 of 2 for Solaris CD.

5. Ensure that you are in the /cdrom/cdrom0/solaris directory.

6. Install IBM DB2. To do so, install the following packages (one at a time):

pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault packages

where:

-d /cdrom/cdrom0/solaris specifies the location of the package.

-a /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script.

and packages are as follows:

db2msen81
db2cliv81
db2cucs81
db2repl81
db2rte81
db2crte81
db2icut81
db2sp81
db2icuc81
db2engn81
db2jhen81
db2cj81
db2jdbc81
db2das81
db2smpl81
db2ca81
db2chen81
db2cc81
db2conv81
db2conn81
db2pext81
db2ldap81
db2essg81

7. Insert the IBM Tivoli Access Manager Directory Server 2 of 2 for Solaris CD.

8. Apply the IBM DB2 license:

/opt/IBM/db2/V8.1/adm/db2licm -a /CD2_mount_point/solaris/db2ese.lic

9. Install GSKit. For instructions, see page 147.

Note: Because of package dependencies, the order of installation is significant.

10. Install the IBM Tivoli Directory Client:

pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault IBMldapc

where -d /cdrom/cdrom0/solaris specifies the location of the package and -a /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script.

11. Install the IBM Tivoli Directory Server:

pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault IBMldaps

12. From the root directory on the CD, enter the following to install the LDAP patch:

am_update_ldap.sh

13. English messages are automatically installed with the IBM Tivoli Directory Server package. If you require a different language version of the message files and documentation, install them from the IBM Tivoli Access Manager Language Support for Solaris CD. For instructions, see “Installing language packages for IBM Tivoli Directory Server” on page 37.

14. During installation, you are asked if you want to use /opt as the base directory. If space permits, accept /opt as the base directory and press Enter.

Note: With the installation of client and server packages, the following query is displayed:

This package contains scripts which will be executed with super-user permission during the process of installing the package.

Continue with installation?

These scripts create the IBM Tivoli Directory Server user ID. Type y to continue.

The programs need to be able to start daemons, run DB2 commands, and create the IBM Tivoli Directory Server DB2 instance user ID and group, so they occasionally need to run as root. Type y to continue.

15. When the installation is completed, you are automatically returned to the command prompt.


16. Define the LDAP administrator DN and password and then configure the database that will store the directory data. For instructions, see “UNIX: Configuring IBM Tivoli Directory Server” on page 61.

17. After completion of IBM Tivoli Directory Server installation, you must configure IBM Tivoli Directory Server for use with Tivoli Access Manager. For instructions, see page 63.

18. It is recommended that you use the GSKit iKeyman utility to enable SSL communication between your supported registry server and IBM Tivoli Directory Clients. To do so, follow these steps:

a. Set up the iKeyman utility. For instructions, see “Setting up the GSKit iKeyman utility” on page 147.

b. Enable SSL with a supported registry server. For instructions, see Chapter 17, “Enabling Secure Sockets Layer,” on page 227.

Note: For more information about using the iKeyman utility, see the IBM Global Security Kit Secure Sockets Layer and iKeyman User’s Guide.

After you set up IBM Tivoli Directory Server for use with Tivoli Access Manager, the next step is to set up the policy server. For instructions, see Chapter 5, “Setting up the policy server,” on page 89.

Windows: Installing IBM Tivoli Directory Server

To install the IBM Tivoli Directory Server on Windows, follow these steps.

Note: It is recommended that you install your registry server on a separate system from the policy server.

1. Log on as a user with administrator privileges.

2. Ensure that all necessary operating system patches are installed. For information, see “Supported platforms, including required patches” on page 26.

3. Perform pre-installation tasks as listed in “Pre-installation requirements” on page 48.

4. Stop any programs that are running and close all windows. If you have open windows, the initial installation window might be hidden behind other windows.

5. Insert the IBM Tivoli Access Manager Directory Server for Windows 2000 and Windows 2003 CD.

6. Install GSKit. For instructions, see “Windows: Installing the Global Security Kit” on page 147.

7. Run the setup.exe file, located in the following directory:

/windows/Directory

The Choose Setup Language dialog is displayed.

8. Select the language that you want to use for the installation program and click OK.

9. The Welcome dialog is displayed. Click Next to continue.

10. Read the license agreement. Select to accept the terms and then click Next.

11. Any preinstalled components and corresponding version levels are displayed. Click Next to continue.

12. To install the IBM Tivoli Directory Server to the default directory, click Next. To specify a different directory, type a directory path or click Browse to select one.


Note: Do not use special characters, such as a hyphen (-) and period (.), in the name of the installation directory.

13. Select the language you want to use in IBM Tivoli Directory Server 5.2 and click Next.

14. Select the following components and click Next.

v Client SDK 5.2

v Server 5.2

v DB2 V8.1

Attention

The following components are also available:

v Web Administration 5.2

v IBM WebSphere Application Server — Express 5.0.2

You can select to install these products. However, Access Manager recommends the use of WebSphere Application Server, Version 5.0.2, when using the Web Administration Tool. For installation instructions, see “Installing WebSphere Application Server” on page 157 and “Installing the Web Administration Tool” on page 167.

15. If you selected DB2 V8.1 in Step 14, a window is displayed prompting you to enter a Windows user ID and password for the DB2 system ID. This user ID is the DB2 Administrator ID (for example, db2admin) that you created prior to installation. Follow these steps:

a. Type the user ID or accept the default.

b. Type the password, and then type the password again for verification.

c. Click Next.

16. Review the configuration options that you selected. Click Back to change any of your selections. Click Next to begin the installation.

The installation process begins. Please wait. This process could take several minutes.

17. After the files are installed, README files are displayed. Review the README files and click Next to continue.

18. Select to restart your system now or later. Click Finish.

Note: You must restart your system to complete IBM Tivoli Directory Server configuration. You are unable to use IBM Tivoli Directory Server until this is completed.

19. After your computer is restarted, log in using the same user ID that you used to install the IBM Tivoli Directory Server. The Configuration Tool automatically runs so that you can complete server configuration. Before you can use the server, you must set the administrator DN and password and configure the database that will store the directory data. For instructions, see “Windows: Configuring IBM Tivoli Directory Server” on page 61.

20. From the root directory on the CD, enter the following to install the LDAP patch:

am_update_ldap.bat

21. After completion of IBM Tivoli Directory Server configuration, you must configure IBM Tivoli Directory Server for use with Tivoli Access Manager. For instructions, see page 63.


22. It is recommended that you use the GSKit iKeyman utility to enable SSL communication between your supported registry server and IBM Tivoli Directory Clients. To do so, follow these steps:

a. Set up the iKeyman utility. For instructions, see “Setting up the GSKit iKeyman utility” on page 147.

b. Enable SSL with a supported registry server. For instructions, see Chapter 17, “Enabling Secure Sockets Layer,” on page 227.

Note: For more information about using the iKeyman utility, see the IBM Global Security Kit Secure Sockets Layer and iKeyman User’s Guide.

After you set up IBM Tivoli Directory Server for use with Tivoli Access Manager, the next step is to set up the policy server. For instructions, see Chapter 5, “Setting up the policy server,” on page 89.


Configuring IBM Tivoli Directory Server

After you install the IBM Tivoli Directory Server components, you must perform the following tasks:

1. Define the administrator DN and password

2. Configure the database

To do so, follow basic procedures in the following sections. For complete IBM Tivoli Directory Server product documentation, click the Product Manuals and Technical Documentation link at:

http://www.ibm.com/software/network/help-directory/

Attention

If you used the install_ldap_server wizard to install and configure the IBM Tivoli Directory Server, skip the instructions in this section. The installation wizard configures the IBM Tivoli Directory Server automatically.

UNIX: Configuring IBM Tivoli Directory Server: The following sections provide information on how to configure IBM Tivoli Directory Server using the ldapcfg command. To complete server installation, you must perform these steps.

Defining the Administrator DN and password: To set the administrator DN and password, follow these steps:

1. Enter the following:

ldapcfg -u "adminDN" -p pwd

where adminDN is the administrator DN (default is cn=root) and pwd is the password for the administrator DN.

To accept the default administrator DN (cn=root) and define a password, enter the following:

ldapcfg -p pwd

where pwd is a password for the administrator DN.

Note: This command, like the other commands in this chapter that take a password with -p or -w, exposes the password in the process list while it runs and leaves it in the shell history afterwards. Run such commands from a session whose history you clear when you are done, and do not keep them in scripts that other users can read.

Configuring the database: Ensure that the server is stopped and configure the database as follows:

ldapcfg -a database_owner -w pwd -d database_name -c -l location

where database_owner is the identity you created previously to be the database owner (for example, ldapdb2), database_name can be anything you choose, and location is where the DB2 database resides. For UNIX systems, this is a directory name such as /home/ldapdb2.

Note: For more information, see information about configuring the database in the IBM Tivoli Directory Server Installation and Configuration Guide, Version 5.2.

Windows: Configuring IBM Tivoli Directory Server:

Setting the Administrator DN and password: To set the administrator DN and password for IBM Tivoli Directory Server, follow these steps:

1. In the IBM Tivoli Directory Server Configuration Tool window, click Administrator DN/password in the left navigation pane.


2. In the Administrator DN/password pane on the right, type a valid DN (or accept the default DN, cn=root) in the Administrator DN field.

The IBM Directory Server administrator DN is the DN used by the administrator of the directory. This administrator is the one user who has full access to all data in the directory.

DNs are not case sensitive. If you are unfamiliar with X.500 format, or if for any other reason you do not want to define a new DN, accept the default DN.

3. In the Administrator Password and Confirm password fields, type the password for the Administrator DN.

Passwords are case-sensitive. Record the password for future reference.

4. Click OK to complete this task.

Note: Double-byte character set (DBCS) characters in the password are not supported.

Configuring the database: When you configure the database, the Configuration Tool adds information about the database that will be used to store directory data to the configuration file (ibmslapd.conf). If the database does not already exist, the Configuration Tool creates the database.

Notes:

v Before configuring the database, be sure that the environment variable DB2COMM is not set.

v The directory server must be stopped before you configure the database.

To configure the directory database, follow these steps:

1. Ensure that you created a DB2 database owner ID (as instructed in “Pre-installation requirements” on page 48).

2. In the Configuration Tool, click Configure database in the task list on the left.

3. The Configuration Tool attempts to determine whether you already have a database. If you have a database already configured (that is, the information for the database is in the configuration file), the Configuration Tool prompts you for information about what you want to do. For example, if the database is configured but cannot be found on the system, you might choose to create a database using the name specified in the configuration file. Use the information shown in the windows that are displayed to configure the database.

Depending on whether or not you already have a database, some or all of the following windows are displayed.

v If a user ID and password are requested, type a user ID and associated password, and then click Next. This user ID must already exist before you can configure the database. This is the DB2 database owner ID (for example, ldapdb2) that you created prior to installation. (In previous releases, the user ID was created if it did not exist, but this is no longer true.)

Note: Passwords are case-sensitive.

v If the database name is requested, type the name you want to give the DB2 database and click Next. The name can be from 1 to 8 characters long. The database will be created in an instance with the same name as the user ID.

Note: If you want a different database instance name, you must use the LDAP ldapcfg command with the -t option to configure the database.

v If the database location is requested, type a drive letter for the database in the Database location field and click Next. Be sure that you have at least 80MB of free hard disk space in the location you specify and that additional disk space is available to accommodate growth as new entries are added to the directory.

v If a character set selection is requested, select the type of database you want to create and click Next. You can create a UCS Transformation Format (UTF-8) database, in which LDAP clients can store UTF-8 character data, or a local code page database, which is a database in the local code page.

Note: If you want to use language tags, the database must be a UTF-8 database.

4. In the verification window, information is displayed about the configuration options you specified. To return to an earlier window and change information, click Back. To begin configuration, click Finish.

5. The completion window is displayed. Click Close.

Configuring IBM Tivoli Directory Server for Tivoli Access Manager

The following section describes how to configure IBM Tivoli Directory Server as the Tivoli Access Manager registry. You can configure IBM Tivoli Directory Server for Tivoli Access Manager using either the Web Administration Tool (the preferred method) or the command line.

v “Using the Web Administration Tool” on page 64

v “Using the command line” on page 68

Note: For complete IBM Tivoli Directory Server product documentation, click the Product Manuals and Technical Documentation link at:

http://www.ibm.com/software/network/help-directory/


Attention

v If you used the install_ldap_server wizard to install and configure the IBM Tivoli Directory Server, skip the instructions in this section. The installation wizard configures the IBM Tivoli Directory Server automatically.

v You can use the Web Administration Tool or the command line to perform configuration. The Web Administration Tool enables you to administer IBM Tivoli Directory servers either locally or remotely. To install this GUI, see page 167.

Note: If you are running IBM Tivoli Directory Server, Version 4.1 or 5.1, ensure that you run the am_update_ldap.sh LDAP patch before installing the Web Administration Tool.

v The Web Administration Tool, Version 5.2, is backward-compatible and works with IBM Tivoli Directory Server, Version 4.1, 5.1, and 5.2. If you want to use the Web Administration Tool but have not installed it yet, follow these steps.

1. Install IBM WebSphere Application Server. For instructions, see page 157.

2. Install the IBM Tivoli Directory Server Web Administration Tool and configure this application into your WebSphere configuration. For instructions, see page 167.

v As administrator of the LDAP server, it is recommended that you configure the server to encode userPassword attribute values using a one-way encoding format, such as crypt or SHA-1. The default encryption value, imask, specifies a two-way encoding format: anyone who can read the stored attribute value (from a backup, a replica, or through an overly permissive ACL) can recover the cleartext password, which a one-way format prevents. For instructions and more information about password encryption, see the IBM Tivoli Directory Server Administration Guide, Version 5.2 at:

http://www.ibm.com/software/network/help-directory/
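The difference between the one-way and two-way formats in the last bullet, as an added example in Python that is not part of this manual or of IBM Tivoli Directory Server: it encodes a password under the RFC 2307 {SHA} and {SSHA} userPassword schemes, stands in for a two-way format with a plain base64 value (the imask algorithm itself is not modelled, and which schemes a given directory server release accepts is an assumption to confirm in its administration guide), and shows that a reader of the entry recovers the cleartext only from the two-way value. All inputs are constructed.

```python
"""One-way versus two-way userPassword storage (added example; not from the manual).

Models the RFC 2307 userPassword scheme prefixes {SHA} (unsalted SHA-1) and {SSHA}
(salted SHA-1) that LDAP servers use for one-way hashed values, alongside a stand-in
"two-way" value that is merely base64-encoded and therefore recoverable by anyone
who can read the entry. The imask format is not modelled, and which schemes a given
IBM Tivoli Directory Server release accepts is an assumption. All inputs are constructed.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

SHA1_LEN = 20  # SHA-1 digest length in bytes; the salt follows it in {SSHA}


def encode_sha(password: str) -> str:
    """{SHA}: base64(SHA-1(password)). One-way, but equal passwords hash alike."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def encode_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA}: base64(SHA-1(password || salt) || salt). The salt defeats precomputed tables."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def encode_reversible(password: str) -> str:
    """Stand-in for a two-way encoding (hypothetical {B64} scheme): decodable without any secret."""
    return "{B64}" + base64.b64encode(password.encode("utf-8")).decode("ascii")


def recover(stored: str) -> Optional[str]:
    """What someone with read access to the entry learns: the cleartext for a two-way
    value, nothing (None) for a one-way hash."""
    if stored.startswith("{B64}"):
        return base64.b64decode(stored[5:]).decode("utf-8")
    return None


def verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored value, comparing in constant time."""
    candidate = password.encode("utf-8")
    if stored.startswith("{SHA}"):
        expected = base64.b64decode(stored[5:])
        return hmac.compare_digest(hashlib.sha1(candidate).digest(), expected)
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[6:])
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
        return hmac.compare_digest(hashlib.sha1(candidate + salt).digest(), digest)
    if stored.startswith("{B64}"):
        return hmac.compare_digest(candidate, base64.b64decode(stored[5:]))
    raise ValueError("unknown userPassword scheme in %r" % stored[:8])


if __name__ == "__main__":
    # Constructed password; each stored form verifies, only the two-way one is recoverable.
    for stored in (encode_reversible("s3cret"), encode_sha("s3cret"), encode_ssha("s3cret")):
        print(stored, "verifies:", verify("s3cret", stored), "recoverable:", recover(stored))
```

Note that {SHA} alone leaves identical passwords with identical stored values, so two users sharing a password are visible to anyone who can read both entries; the salted form avoids that, and a modern deployment would prefer a slower, salted scheme over SHA-1 altogether.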

Using the Web Administration Tool: To use the Web Administration Tool to configure IBM Tivoli Directory Server for Tivoli Access Manager, follow these steps:

Note: For V5.1 IBM Tivoli Directory Server users, the Web Administration Tool is not available on the HP-UX platform. Follow instructions in “Using the command line” on page 68.

1. Ensure that the IBM Tivoli Directory Server is installed and that the following conditions are met:

v You have set the administrator DN (cn=root) and password to be able to start a given server. You were prompted for this information during configuration of the IBM Tivoli Directory Server.

v You must have configured a database to be able to start a given server in a state other than configuration only mode.

v You must have the administration daemon running to be able to start, stop, or restart a given server remotely. To do so:

– On UNIX systems, issue the following command:

ibmdiradm

– On Windows systems, click Start → Control Panel → Administrative Tools → Services. Right-click IBM Directory Admin Daemon and then select Start.


v Tivoli Access Manager schema definitions are added automatically during installation of IBM Tivoli Directory Server, Version 5.2. If you are using IBM Tivoli Directory Server, Versions 4.1 or 5.1 only, you must do the following:

a. Copy the secschema.def file from the common directory, located on the Tivoli Access Manager Base CD for your particular platform, to a temporary directory on your local system (for example, /tmp).

b. Run the ldapmodify command as follows:

ldapmodify -v -h ldap_host -p port -D ldap_admin -w pwd -f /tmp/secschema.def

Note: If the Access Manager Runtime package is already installed and configured on your LDAP machine, you can update the schema using the ivrgy_tool as follows:

ivrgy_tool -d -h ldap_host -p port -D ldap_admin -w pwd schema

For more information about ivrgy_tool, see “ivrgy_tool” on page 277.

2. Start the Web Administration Tool. To do so, go to the directory where you installed WebSphere Application Server and issue one of the following commands:

v On UNIX systems:

/usr/WebSphere/AppServer/bin/startServer.sh server1

or

/opt/WebSphere/AppServer/bin/startServer.sh server1

v On Windows systems:

C:\Program Files\WebSphere\AppServer\bin\startServer.bat server1

3. To log into the console, open a Web browser and type the following address:

http://localhost:9080/IDSWebApp/IDSjsp/Login.jsp

where localhost is the host name or IP address of a machine where the Web Administration Tool is installed.

The IBM Tivoli Directory Server Web Administration login page is displayed.

4. Do one of  the following:

v If you have already set up the Web Administration Tool, skip to step 7 on page 66.

v If you have not set up the Web Administration Tool previously, follow these steps:

a. From the IBM Tivoli Directory Server Web Administration login page, log in as the console administrator by specifying the default user name and password as follows:

LDAP Hostname: Console Admin

Username: superadmin
Password: secret

These defaults are the same on every installation; change the console administrator password as soon as the tool is set up.


Click Login to continue. The IBM Tivoli Directory Server Web Administration Tool console is displayed.

Note: After initial setup of the Web Administration Tool, you will be able to log into the console using the LDAP host name or IP address of your IBM Tivoli Directory Server machine.

b. Console administration tasks are displayed on the left. To add your server, select Manage console servers and then click the Add button in the right pane.

c. From the Add server window, complete the following fields and then click OK.

– Hostname: Type the host name or IP address of the machine where IBM Tivoli Directory Server is installed.

– Port: The port is already provided (389). If you changed this port number during the configuration of the LDAP server, modify this value accordingly.

– Administration port: The port is already provided (3538).

– SSL enabled: Select to enable SSL.

Note: Select SSL enabled only after SSL has been enabled on the directory server (see Chapter 17, “Enabling Secure Sockets Layer,” on page 227). If the server is not yet configured for SSL, you will not be able to log on and perform server administration tasks.

The Manage console servers pane is displayed with the server information.

5. Select Log out to log off the server.

6. From the Logout successful window, click the ″re-login by clicking here″ link to return to the IBM Tivoli Directory Server Web Administration login page.

7. You are now ready to administer the server using this console. To do so, follow these steps:

a. Log in by selecting the LDAP host name or IP address for your machine from the drop-down menu.

b. Type the administration DN (cn=root).


c. Type the associated DN password that you created during configuration of the IBM Tivoli Directory Server and then click Login.

The IBM Tivoli Directory Server Web Administration Tool console is displayed.

Note: Server management tasks vary depending upon the capabilities of the server.

8. To verify that the IBM Tivoli Directory Server is running, click Server administration → View server status in the left navigation pane. If your server is stopped, click Start/stop/restart server in the left navigation pane and then click the Start button to start the server. A message is displayed when the server successfully starts or stops.

9. To create a suffix, select Settings → Suffixes from the left navigation pane. The Suffixes window is displayed.

10. To create the suffix where Tivoli Access Manager maintains its metadata, select Server administration → Manage server properties from the left navigation pane. From the Manage server properties pane, select the Suffixes tab. Type the following required suffix DN and then click Add:

secAuthority=Default

Note: The suffix distinguished name is not case-sensitive.

The suffix is displayed in the Current suffix DNs table in the pane. Click OK to save changes.

11. At this point, you can create additional suffixes to maintain user and group definitions.

Note: For more information about how to add suffixes, click the Help icon in the upper-right pane of the window. The maximum is 1000 characters for a suffix.


12. When you have finished adding suffixes, select Server administration → Start/stop/restart server from the left navigation pane and then click the Restart button to restart the server. A status message is displayed when the server is restarted successfully.

13. Do one of the following:

v If you did not add any suffixes other than secAuthority=Default, click Logout to close the IBM Directory Server Web Administration Tool window. A directory entry for secAuthority=Default is automatically added when the policy server is configured.

v If you added suffixes other than secAuthority=Default, you must add an entry to the directory for each suffix. To do so, select Directory management → Add an entry in the left navigation pane. When you have completed adding directory entries for the suffixes you created, click Finish and then click Logout to close the IBM Directory Server Web Administration Tool window.

Note: If you enable SSL communication, the directory administration daemon must be stopped and restarted for SSL to take effect.

Using the command line: To configure IBM Tivoli Directory Server as your Tivoli Access Manager registry, follow these basic steps.

Note: For detailed information about adding suffixes and directory entries, consult the IBM Tivoli Directory Server, Version 5.2, documentation.

1. Tivoli Access Manager schema definitions are added automatically during installation of IBM Tivoli Directory Server, Version 5.2. If you are using IBM Tivoli Directory Server, Versions 4.1 or 5.1 only, you must do the following:

a. Copy the secschema.def file from the common directory located on the Tivoli Access Manager Base CD for your particular platform to a temporary directory on your local system (for example, /tmp).

b. Run the ldapmodify command as follows:

ldapmodify -v -h ldap_host -p port -D ldap_admin -w pwd -f /tmp/secschema.def

Note: If the Access Manager Runtime package is already installed and configured on your LDAP machine, you can update the schema using the ivrgy_tool as follows:

ivrgy_tool -d -h ldap_host -p port -D ldap_admin -w pwd schema

For more information about ivrgy_tool, see “ivrgy_tool” on page 277.

2. Create the suffix where Tivoli Access Manager maintains its metadata as follows:

ldapcfg -s "secAuthority=Default"

This suffix is added to the ibmslapd.conf file. At this point, you can create additional suffixes to maintain user and group definitions. For example:

ldapcfg -s "c=US"

3. Start the administration daemon and the LDAP server as follows:

ibmdiradm &
ibmslapd &

4. Add entries for the suffixes you just created. If you added only the required secAuthority=Default suffix, skip this step: the entry for secAuthority=Default is added automatically when the policy server is configured. Otherwise, create a file, add suffix entry information, and then run the ldapadd command. For example, create a file named addcus with the following contents:


dn: c=us
objectclass: top
objectclass: country
c: us

Then run the following command:

ldapadd -h host -D cn=root -w pwd -v -f addcus


Setting up IBM z/OS and OS/390 Security Servers

This section describes the configuration steps necessary to prepare the LDAP server on z/OS or OS/390 for Tivoli Access Manager. Particular emphasis is given to configuring Tivoli Access Manager against a native security authorization facility (SAF) registry.

These guidelines assume a new LDAP server instance dedicated to the Tivoli Access Manager registry. For more information, consult the LDAP Server Administration and Use manual for your particular release of OS/390 or z/OS. This document is available through the z/OS library at:

http://www.ibm.com/servers/eserver/zseries/zos/bkserv/

This chapter includes the following sections:

v “Updating schema files”

v “Adding suffixes”

v “Configuring Tivoli Access Manager for LDAP” on page 72

v “Native authentication user administration” on page 72

Updating schema filesAn older version of  the Access Manager schema was provided with the z/OSproduct. You must update the schema to support Tivoli Access Manager, Version5.1. To do so, use the ivrgy_tool utility to apply the schema to the z/OS LDAPserver before you create the secAuthority=Default suffix. For instructions, see“ivrgy_tool” on page 277.

Adding suffixesTivoli Access Manager requires that you create a suffix namedsecAuthority=Default, which maintains Tivoli Access Manager metadata. You must

add this suffix only once—when you first configure the LDAP server. This suffixenables Tivoli Access Manager to easily locate and manage the data. It also securesaccess to the data, thus avoiding integrity or corruption problems.

Additionally, you can either create a suffix or specify the distinguished name of  anexisting LDAP DIT location to maintain user and group data. Similar to thesecAuthority=Default suffix, you should add any new suffixes to the LDAPregistry before configuring the policy server. If  you add suffixes after the initialconfiguration of  Tivoli Access Manager, you must add the appropriate ACLsmanually.

To add suffixes, including the secAuthority=Default suffix to the LDAP server’sslapd.conf file, consult the LDAP Server Administration and Use manual at:

http://www.ibm.com/servers/eserver/zseries/zos/bkserv/

Note: Restart the LDAP server for changes to take effect.

If you decide to add suffixes after the Tivoli Access Manager policy server has been configured, you must apply the appropriate ACLs to the newly created suffix as follows:

1. Add the new suffix to the security server slapd.conf file. See the z/OS LDAP Server Administration and Use Guide for details on how to update the IBM z/OS or OS/390 Security Server configuration file.

Setting up IBM z/OS and OS/390 Security Servers

70 IBM Tivoli Access Manager: Installation Guide


2. Restart the IBM z/OS or OS/390 Security Server.

3. To add an entry to the newly created suffix, do the following:

a. Create an LDIF file. This example assumes the newly created suffix is o=neworg,c=us:

dn: o=neworg,c=us
objectClass: organization
objectClass: top
o: neworg

b. Use the appropriate LDIF file as input to the ldapadd command:

ldapadd -D ldap_admin -w ldap_pwd -v -f ldif_filename

4. To apply the appropriate Tivoli Access Manager access controls to the newly created suffix, do the following:

v If you created one secure domain (called the management domain), create an ldif file similar to the following to add ACLs for new suffixes:

suffix
aclpropagate=TRUE
aclentry=group:cn=ivacld-servers,cn=securitygroups,secauthority=default:normal:csr
aclentry=group:cn=remote-acl-users,cn=securitygroups,secauthority=default:normal:csr
aclentry=group:cn=securitygroup,secauthority=default:object:ad:normal:cwsr:sensitive:cwsr:critical:cwsr:restricted:cwsr
aclentry=access-id:LDAP_Admin_DN:object:ad:normal:rwsc:sensitive:rwsc:critical:cwsr:restricted:cwsr
suffix
ownerpropagate=TRUE
entryOwner=group:cn=SecurityGroup,secAuthority=Default
entryOwner=access-id:LDAP_Admin_DN

v If you created additional secure domains (other than the initial management domain), create an ldif file similar to the following to add ACLs for new suffixes:

suffix
aclentry=group:cn=ivacld-servers,cn=securitygroups,secauthority=default:normal:csr
aclentry=group:cn=remote-acl-users,cn=securitygroups,secauthority=default:normal:csr
aclentry=group:cn=securitygroup,secauthority=default:object:ad:normal:cwsr:sensitive:cwsr:critical:cwsr:restricted:cwsr
aclentry=group:cn=ivacld-servers,cn=securitygroups,secauthority=<added domain>,cn=subdomains,secauthority=default:normal:csr
aclentry=group:cn=remote-acl-users,cn=securitygroups,secauthority=<added domain>,cn=subdomains,secauthority=default:normal:csr
aclentry=group:cn=securitygroup,secauthority=<added domain>,cn=subdomains,secauthority=default:object:ad:normal:rwsc:sensitive:rwsc:critical:rwsc:restricted:rwsc
aclentry=access-id:LDAP_Admin_DN:object:ad:normal:rwsc:sensitive
suffix
ownerpropagate=TRUE
entryOwner=group:cn=SecurityGroup,secAuthority=Default
entryOwner=access-id:LDAP_Admin_DN

5. To apply the ldif file, use the ldapmodify command as follows:

ldapmodify -h hostname -D admin_DN -w admin_pwd -v -f ldif_filename

Note that if aclpropagate=TRUE is set by default for the added suffix, the ldapmodify command returns an error message similar to the following:

ldap_modify: additional info: R004086 Entry o=neworg,c=us already contains attribute aclpropagrate, value=TRUE

In this case, remove aclpropagate=TRUE from the ldif file and rerun the ldapmodify command.
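The following Python script is an added example, not code from the IBM guide. It generates the two ACL templates above (management domain only, or with additional secure domains) for a given suffix in the attribute=value layout the guide prints, and it handles the R004086 case the text describes: if the suffix already has aclpropagate=TRUE, the ldif is rebuilt without that line and submitted again. The `run_ldapmodify` callable is a hypothetical stand-in for the real ldapmodify command so the flow can be exercised offline; the suffix, domain and administrator DN values are constructed sample data, and the administrator aclentry uses the single-domain rights for both templates.

```python
"""Build the z/OS LDAP ACL ldif for a newly added Tivoli Access Manager suffix.

Added example, not from the IBM guide. The `run_ldapmodify` callable is a
hypothetical stand-in for the real ldapmodify command; suffix, domain and
admin DN values are constructed.
"""
import re
from typing import Callable, List, Sequence, Tuple

MGMT = "secauthority=default"
SERVER_GROUPS = ("ivacld-servers", "remote-acl-users")

# Error the guide shows when aclpropagate=TRUE is already present on the suffix.
R004086 = re.compile(
    r"R004086 Entry (?P<dn>\S+) already contains\s+attribute aclpropag\w+, value=TRUE"
)


def build_acl_ldif(suffix: str, admin_dn: str,
                   added_domains: Sequence[str] = (),
                   aclpropagate: bool = True) -> str:
    """Return ldif text granting the Tivoli Access Manager server groups, the
    security group of each secure domain and the LDAP administrator access to
    `suffix`, followed by the entryOwner block (same layout as the guide)."""
    lines: List[str] = [suffix]
    if aclpropagate:
        lines.append("aclpropagate=TRUE")
    for grp in SERVER_GROUPS:
        lines.append(f"aclentry=group:cn={grp},cn=securitygroups,{MGMT}:normal:csr")
    lines.append(f"aclentry=group:cn=securitygroup,{MGMT}:object:ad:"
                 "normal:cwsr:sensitive:cwsr:critical:cwsr:restricted:cwsr")
    for dom in added_domains:
        sub = f"secauthority={dom},cn=subdomains,{MGMT}"
        for grp in SERVER_GROUPS:
            lines.append(f"aclentry=group:cn={grp},cn=securitygroups,{sub}:normal:csr")
        lines.append(f"aclentry=group:cn=securitygroup,{sub}:object:ad:"
                     "normal:rwsc:sensitive:rwsc:critical:rwsc:restricted:rwsc")
    # Administrator rights taken from the single-domain template (assumption).
    lines.append(f"aclentry=access-id:{admin_dn}:object:ad:"
                 "normal:rwsc:sensitive:rwsc:critical:cwsr:restricted:cwsr")
    lines += [suffix, "ownerpropagate=TRUE",
              "entryOwner=group:cn=SecurityGroup,secAuthority=Default",
              f"entryOwner=access-id:{admin_dn}"]
    return "\n".join(lines) + "\n"


LdapModify = Callable[[str], Tuple[int, str]]


def apply_suffix_acls(suffix: str, admin_dn: str, added_domains: Sequence[str],
                      run_ldapmodify: LdapModify) -> Tuple[int, int]:
    """Submit the ldif; on R004086 retry once without aclpropagate=TRUE.
    Returns (final return code, number of ldapmodify attempts)."""
    ldif = build_acl_ldif(suffix, admin_dn, added_domains)
    rc, stderr = run_ldapmodify(ldif)
    if rc != 0 and R004086.search(stderr):
        ldif = build_acl_ldif(suffix, admin_dn, added_domains, aclpropagate=False)
        rc, stderr = run_ldapmodify(ldif)
        return rc, 2
    return rc, 1


def fake_ldapmodify(suffix_already_propagates: bool) -> LdapModify:
    """Constructed stand-in for ldapmodify so the flow runs offline. It fails
    with the guide's R004086 message only while the ldif still sets aclpropagate."""
    def run(ldif: str) -> Tuple[int, str]:
        lines = ldif.splitlines()
        if suffix_already_propagates and "aclpropagate=TRUE" in lines:
            return 1, (f"ldap_modify: additional info: R004086 Entry {lines[0]} "
                       "already contains attribute aclpropagrate, value=TRUE")
        return 0, ""
    return run


if __name__ == "__main__":
    print(build_acl_ldif("o=neworg,c=us", "cn=ldapadmin", ["finance"]))
    print(apply_suffix_acls("o=neworg,c=us", "cn=ldapadmin", [],
                            fake_ldapmodify(True)))
```

To use it against a live server, replace `fake_ldapmodify` with a function that writes the ldif to a temporary file and runs the ldapmodify command line shown in step 5, returning its exit code and stderr.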


Configuring Tivoli Access Manager for LDAP

When configuring Access Manager for LDAP on z/OS, be aware that Access Manager searches all suffixes defined on the LDAP server by default. If there are suffixes defined that will not be used by Access Manager, or that Access Manager does not have the authority to search, you should add these suffixes to the /access_mgr_install_dir/etc/ldap.conf file using the ignore-suffix keyword.

For example:

ignore-suffix = sysplex=UTCPLXJ8
ignore-suffix = "o=Your Company"
ignore-suffix = o=MQuser

In this example, the sysplex=UTCPLXJ8 suffix is used to access the z/OS SDBM (RACF) database. The LDAP administrator ID used by Access Manager during configuration is not a RACF userid on the z/OS system, and, therefore, does not have the authority to do SDBM searches. If this suffix was not added to the ignore-suffix list, Access Manager would receive a return code x’32’ - LDAP_INSUFFICIENT_ACCESS, during configuration.

The other suffixes in the list are used by other applications on z/OS, and can be ignored by Access Manager.

Note that Tivoli Access Manager supports LDAP failover and load-balancing for read operations. If you configured a replica server, you can provide the replica host name to Tivoli Access Manager in the ldap.conf file, which is installed with Tivoli Access Manager in the etc subdirectory.
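As an added example (not part of the IBM guide), the following Python code reads the ignore-suffix lines of an ldap.conf file and works out which of the suffixes defined on the server Access Manager would still search, so an administrator can confirm that the SDBM suffix and the application suffixes are excluded before configuration. The sample ldap.conf text and the server suffix list are constructed; the `[ldap]` stanza name is assumed, and the parsing handles the bare and double-quoted value forms shown above (the quoted form is what a suffix containing spaces needs).

```python
"""Which LDAP suffixes will Tivoli Access Manager search on z/OS?

Added example, not from the IBM guide. The configuration text and suffix
list below are constructed; the [ldap] stanza name is an assumption.
"""
from typing import Iterable, List

# Constructed sample of the relevant part of /access_mgr_install_dir/etc/ldap.conf
SAMPLE_LDAP_CONF = """\
[ldap]
host = zosldap.example.com
port = 389
ignore-suffix = sysplex=UTCPLXJ8
ignore-suffix = "o=Your Company"
ignore-suffix = o=MQuser
"""

# Constructed list of suffixes as the LDAP server would report them
SAMPLE_SERVER_SUFFIXES = [
    "sysplex=UTCPLXJ8",
    "o=Your Company",
    "o=MQuser",
    "secAuthority=Default",
    "o=tivoli, c=us",
]


def normalize_dn(dn: str) -> str:
    """Comparison form: trim whitespace around RDN separators, fold case."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ignore_suffixes(conf_text: str) -> List[str]:
    """Collect every ignore-suffix value, stripping one pair of double quotes.
    The value itself contains '=', so only the first '=' separates the keyword."""
    ignored: List[str] = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue
        key, sep, value = line.partition("=")
        if not sep or key.strip() != "ignore-suffix":
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        ignored.append(value)
    return ignored


def searched_suffixes(server_suffixes: Iterable[str], conf_text: str) -> List[str]:
    """Suffixes Access Manager would search: everything the server defines
    minus the ignore-suffix entries, compared in normalized form."""
    ignored = {normalize_dn(s) for s in parse_ignore_suffixes(conf_text)}
    return [s for s in server_suffixes if normalize_dn(s) not in ignored]


if __name__ == "__main__":
    print("ignored:", parse_ignore_suffixes(SAMPLE_LDAP_CONF))
    print("searched:", searched_suffixes(SAMPLE_SERVER_SUFFIXES, SAMPLE_LDAP_CONF))
```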

Native authentication user administration

The majority of administrative tasks remain unchanged with the addition of native authentication. Operations such as user create, user show, adding a user to an ACL entry or group, and all user modify commands (except password) work the same as Tivoli Access Manager configured against any other LDAP registry. Users can change their own SAF passwords with the Web-based pkmspasswd utility.

Native authentication provides the added feature of many-to-one mapping of Tivoli Access Manager users to SAF user IDs. Multiple users can have the same ibm-nativeId, and all bind with the same password. For this reason, it is recommended that you prevent many-to-one mapped users from changing the SAF password (otherwise there is an increased risk that users might inadvertently lock their peers out of their accounts).

pdadmin sec_master> group modify SAFusers add user1
pdadmin sec_master> acl create deny_pkms
pdadmin sec_master> acl modify deny_pkms set group SAFusers T
pdadmin sec_master> acl attach /Webseal/server_name/pkmspasswd deny_pkms

OS/390 LDAP native authentication bind does not provide the authority to perform a password reset. For example, with native authentication enabled, the following Tivoli Access Manager administration command does not work:

pdadmin sec_master> user modify user1 password ChangeMe1

Furthermore, there is no out-of-the-box administration command to set the ibm-nativeId entry for a user. To that end, the following instructions assist the management of Tivoli Access Manager users with an associated nativeId.


The user create command does not change:

pdadmin sec_master> user create user1 cn=user1,o=tivoli,c=us user1 user1 ChangeMe1
pdadmin sec_master> user modify user1 account-valid yes

The password (ChangeMe1, in this example) is set to the user’s userpassword entry in LDAP, which has no effect with native authentication enabled. In production, consider making this password something long and difficult to guess, in case native authentication is ever inadvertently disabled.

To set the ibm-nativeId entry for a user, create an ldif file, called a schema file, similar to the following:

cn=user1,o=tivoli,c=us
objectclass=inetOrgPerson
objectclass=ibm-nativeAuthentication
ibm-nativeId=SAF_username

You can load the ldif file using the ldapmodify command as follows:

ldapmodify -h hostname -p port -D bind_DN -w bind_pwd -f schema_file

The SAF command to reset a user’s password is as follows:

subsystem_prefix ALTUSER userid PASSWORD pwd

Note that to use native authentication, you must turn off auth-using-compare. To do so, edit the [ldap] stanza of the ivmgrd.conf and webseald.conf files and change the line as follows:

auth-using-compare = no

By default, authentications to LDAP are made with a compare operation, rather than a bind.
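The following Python code is an added example, not from the IBM guide, covering the administration tasks this section describes: it writes the ibm-nativeId schema-file entries shown above for a set of users, finds the users that share one SAF ID (the many-to-one mappings the guide recommends keeping away from pkmspasswd) and emits the corresponding pdadmin commands in the order the guide gives them, and it checks that auth-using-compare is set to no in the [ldap] stanza. The user-to-SAF mapping and the configuration text are constructed sample data; the suffix o=tivoli,c=us is the one used in the guide's examples, and the SAFusers group is assumed to exist already.

```python
"""Native-authentication user administration helpers (z/OS SAF registry).

Added example, not from the IBM guide. Mapping data and configuration
text are constructed; the SAFusers group is assumed to exist.
"""
import configparser
from collections import defaultdict
from typing import Dict, List

# Constructed: Tivoli Access Manager user -> SAF user ID. user1 and user2
# are mapped many-to-one onto the same SAF ID.
SAMPLE_MAPPING = {"user1": "SAFAPP1", "user2": "safapp1", "user3": "ALICE"}

# Constructed fragment of ivmgrd.conf / webseald.conf
SAMPLE_CONF = """\
[ldap]
host = zosldap.example.com
auth-using-compare = no
"""


def native_id_ldif(mapping: Dict[str, str], suffix: str = "o=tivoli,c=us") -> str:
    """One schema-file entry per user, in the layout printed in the guide."""
    entries = []
    for user, saf_id in sorted(mapping.items()):
        entries.append("\n".join([
            f"cn={user},{suffix}",
            "objectclass=inetOrgPerson",
            "objectclass=ibm-nativeAuthentication",
            f"ibm-nativeId={saf_id}",
        ]))
    return "\n\n".join(entries) + "\n"


def many_to_one_users(mapping: Dict[str, str]) -> List[str]:
    """Users whose SAF ID is shared with at least one other user. SAF user IDs
    are case-insensitive, so the comparison folds case."""
    by_saf = defaultdict(list)
    for user, saf_id in mapping.items():
        by_saf[saf_id.upper()].append(user)
    return sorted(u for users in by_saf.values() if len(users) > 1 for u in users)


def pkms_deny_commands(mapping: Dict[str, str], server_name: str = "webseal1") -> List[str]:
    """pdadmin commands (prompt omitted) mirroring the guide's sequence: put the
    many-to-one users into SAFusers, then deny that group on pkmspasswd."""
    cmds = [f"group modify SAFusers add {u}" for u in many_to_one_users(mapping)]
    cmds += ["acl create deny_pkms",
             "acl modify deny_pkms set group SAFusers T",
             f"acl attach /Webseal/{server_name}/pkmspasswd deny_pkms"]
    return cmds


def auth_using_compare_disabled(conf_text: str) -> bool:
    """True only if the [ldap] stanza explicitly sets auth-using-compare = no;
    the default (compare, not bind) counts as not disabled."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    value = cp.get("ldap", "auth-using-compare", fallback="yes")
    return value.strip().lower() == "no"


if __name__ == "__main__":
    print(native_id_ldif(SAMPLE_MAPPING))
    print("\n".join(pkms_deny_commands(SAMPLE_MAPPING)))
    print("auth-using-compare disabled:", auth_using_compare_disabled(SAMPLE_CONF))
```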

For more information on setting up native authentication, see the IBM z/OS Security Server LDAP Server Administration and Use documentation at:

http://www.ibm.com/servers/eserver/zseries/zos/bkserv/


Setting up Lotus Domino

To configure a Domino™ server as a registry for Tivoli Access Manager, follow these steps:

1. Ensure that you have reviewed and complied with system requirements listed in “Supported registries” on page 19.

2. Create a Tivoli Access Manager administrative user for Domino. For instructions, see “Creating a Tivoli Access Manager administrative user for Domino.”

3. Locate your Domino installation media and install a Lotus Notes® client on the Domino server. For instructions, see “Installing a Lotus Notes client on the Domino server” on page 75.

4. Ensure that the following environment variable is set on the Windows system:

NOTESNTSERVICE=1

This environment variable ensures that the Lotus Domino server, when running as a Windows service, remains running after the user who started the service logs off the system.

Note: Tivoli Access Manager using a Domino registry is supported on Windows platforms only. This is because the Lotus Notes client is available only on supported Windows platforms.

After you configure Domino for use with Tivoli Access Manager, the next step is to set up the policy server. For instructions, see Chapter 5, “Setting up the policy server,” on page 89.

Creating a Tivoli Access Manager administrative user for Domino

For Tivoli Access Manager systems to communicate with the Domino server, you must create and register a Tivoli Access Manager administrative user for Domino. To do so, follow these steps:

1. Make sure you have the following before you begin registration:

v Access to the certifier ID and its password

v Access to the Domino Directory from the machine you work on

v Editor access or the UserCreator role in the Domino Directory on the registration server

2. From the Domino Administrator GUI, click the People & Groups tab.

3. From the Servers pane, choose the server to work from.

4. Select Domino Directories, and then select People.


5. From the Tools pane, click People → Register as shown:

6. Select the Domino server’s certifier ID (default location is c:\Program Files\Lotus\Domino\Data).

Note: Notes uses the certifier ID specified in Administration Preferences; or if there is none, it uses the ID specified in the CertifierIDFile setting of NOTES.INI.

7. If prompted, type the certifier ID password that was set up during server configuration and click OK. To change the certifier ID, click Cancel.

8. Select the Advanced check box and complete fields in the Basics pane. For example, enter information similar to the following for the Tivoli Access Manager administrative user:

v First name: AM

v Last name: Daemons

v Password: pwd

9. Click Add person. The administrative user name appears in the Registration status view (the user registration queue).

10. Click ID Info to make sure the Notes ID file is stored in the Domino directory.

11. Highlight the user name in the registration queue and click Register to add the user to the Domino server.

A message is displayed indicating that the person was registered successfully. Click OK to remove the message dialog and then click Done.

12. From the Domino Administrator, select Refresh from the View menu to verify that the Tivoli Access Manager user was created in the Domino server.

Installing a Lotus Notes client on the Domino server

To install and configure a Lotus Notes client on the Domino server, follow these general steps:

Note: Tivoli Access Manager supports Lotus Notes client, Version 5.0.10, and Version 6.0 or higher.

1. If you already have a Lotus Notes ID file that is in use on another client system, copy this binary file to the drive:\notes\data directory on your local system.


Note: If you are uncertain about the name of the ID file you are currently using, click File → Tools → User ID from the Lotus Notes client interface to locate the ID file name.

2. Run the Notes client setup file from the Lotus Notes or Domino CD for Windows and follow online instructions.

Note: Depending on the installation medium you are using, you might be prompted to install other program features. For Tivoli Access Manager installation, the Notes client is the only required feature.

3. From the Lotus Notes Installation window, select Typical and follow instructions. When the installation is complete, click Finish.

4. Launch the Lotus Notes program to perform configuration. For example, click Start → Programs → Lotus Applications → Lotus Notes.

5. From the Lotus Notes Client Configuration window, click Next and complete the following information:

v Select I want to connect to a Domino server and click Next.

v Select Set up a connection to a local area network (LAN) and click Next.

v Type the fully qualified name of your Domino server and click Next. This can be a mail or passthru server, or some other server that knows who you are. For example, enter the following in the Domino server name field:

domino1/Tivoli

v Do one of the following:

– If you provided the Lotus Notes ID file, select My Notes UserID has been supplied to me in a file and either click Browse to locate the ID file or type the fully qualified name of the ID file in the File name field. For example, type c:\notes\data\username.id.

– Select Use my name as identification and type the Tivoli Access Manager administrative user ID (for example, AMDaemons) in the User name field.

Click Next to continue.

6. If prompted for additional configuration information, you can accept the default values. Click Finish to continue the Notes client configuration steps.

7. If appropriate, select the Do not connect to an internet proxy server radio button.

A password prompt window appears when the Notes client can access the remote Domino server.

8. Enter the password for the Tivoli Access Manager administrative user. If the password is correct, the Notes client continues to finish the remaining configuration.

When configuration is complete, the Notes ID file for the administrative user is installed in the \notes\data directory on the local system.


Setting up Microsoft Active Directory

To set up Active Directory for Tivoli Access Manager, you must perform the following tasks in this order:

1. Create an Active Directory domain.

2. Join an Active Directory domain.

3. Create an Active Directory administrative user.

After you set up an Active Directory domain for use with Tivoli Access Manager, the next step is to set up the policy server on a Windows 2000 or Windows 2003 system. For instructions, see Chapter 5, “Setting up the policy server,” on page 89.

Active Directory considerations

It is important to review the following information before configuring Active Directory for Tivoli Access Manager:

v Tivoli Access Manager can be configured in an Active Directory single domain or multi-domain environment. For information about single domain or multi-domain environments, see the Active Directory product documentation at the following Web addresses:

– For Windows 2000 server:

http://www.microsoft.com/windows2000/en/server/help/

– For Windows 2003 server:

http://www.microsoft.com/windowsserver2003/proddoc/

v In a single-domain environment, the non-domain controller system needs to join the same domain where Tivoli Access Manager is configured. In a multi-domain environment, the non-domain controller system needs to join the Active Directory domain.

v Only security global groups are supported.

v To import an Active Directory user as a Tivoli Access Manager user, use the Active Directory user’s login name as the user ID for the Tivoli Access Manager user.

v If you installed and configured Tivoli Access Manager on a client of Active Directory (for example, Tivoli Access Manager and Active Directory are on different systems), the client system must join the domain and you must sign on to the domain as the Administrator to perform Tivoli Access Manager configuration on the client system.

v The DNS in the network TCP/IP setting on the client system must be the same as the domain controller’s network TCP/IP setting. You can use the root domain controller as the DNS server or you can use a separate DNS.

v If you configured Tivoli Access Manager in the single domain, and the domain is the non-root domain, you must run adschema_update.exe manually on the root domain controller.

Creating an Active Directory domain

Use the Active Directory configuration wizard to promote your Windows server system to a domain controller. The act of creating a domain controller also creates an Active Directory domain.

Before you begin, you must decide if you want to create a domain controller for a new domain or create an additional domain controller for an existing domain. If you plan to create a domain controller for a new domain, you must also answer whether or not this new domain will be one of the following:

v The first domain in a new forest

v The first domain in a new domain tree in an existing forest

v A child domain in an existing domain tree

Note: If the new domain name does not exist in Forward Lookup Zones in DNS, it must be created as a new zone before configuring a new domain controller. For more information about domain controllers, domain trees, and forests, consult your Windows server documentation.

To create a domain or add an additional domain controller to an existing domain, follow these steps:

v “Joining an Active Directory domain”

v “Creating an Active Directory administrative user” on page 80

Joining an Active Directory domain

After you create an Active Directory domain, follow these steps to join a Windows Advanced Server to an Active Directory domain.

Note: Ensure that you are logged on as an administrator to the local system and have a valid user name and password. Also ensure that the client and server systems are in the same DNS before adding a system to the domain.

1. Right-click My Computer and then click Properties from the pop-up dialog. The System Properties notebook is displayed.

2. Click the Network Identification tab.


3. Click Properties. Under Member of, select Domain and type the name of the domain that you want to join. Click OK to continue.

4. From the Domain Username And Password window, type a valid user name and password and then click OK to join the system to the domain.

5. If the join operation is successful, a welcome window is displayed as shown. Click OK to continue.

6. A dialog is displayed indicating that the system needs to be rebooted. Click OK to continue.


7. The System Properties notebook is displayed, indicating that the join operation has completed. Click OK to restart your system.

Note: After your system is restarted, ensure that you are signing into the AD domain that you’ve just joined. Usually, the local domain is the default domain in a Windows Login window.

Creating an Active Directory administrative user

To create an Active Directory administrative user for Tivoli Access Manager initialization, follow these steps:

1. On the Active Directory server system, select Start → Programs → Administrative Tools → Active Directory Users and Computers.

2. Create a new user and add this new user to the groups Administrators, Domain Admins, Enterprise Admins and Schema Admins. This user is an Active Directory user only, not a Tivoli Access Manager user. You can select any name as the user login name, except sec_master, which is reserved for the Tivoli Access Manager administrator.

Active Directory replication

When a domain controller writes a change to its local copy of the Active Directory, a timer is started that determines when the domain controller’s replication partners should be notified of the change. By default, this interval is 300 seconds (5 minutes). When this interval elapses, the domain controller initiates a notification to each intra-site replication partner that it has changes that need to be propagated. Another configurable parameter determines the number of seconds to pause between notifications. This parameter prevents simultaneous replies by the replication partners. By default, this interval is 30 seconds. Both of these intervals can be modified by editing the registry.


To modify the delay between the change to the Active Directory and first replication partner notification, use the Registry Editor to modify value data for the Replicator notify pause after modify (secs) DWORD value in the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

Attention: Use caution when modifying data using the Registry Editor. Incorrect use can cause serious problems that might require you to reinstall your operating system.

The default value data for the Replicator notify pause after modify (secs) DWORD value is 0x12c in hexadecimal, which is 300 decimal (5 minutes).

To modify the notification delay between domain controllers, use the Registry Editor to modify value data for the Replicator notify pause between DSAs (secs) DWORD value in the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

The default value data for the Replicator notify pause between DSAs (secs) DWORD value is 0x1e in hexadecimal, which is 30 decimal (30 seconds).

Note: You must stop the policy server before editing the registry and then restart the system afterwards.

During Active Directory multi-domain configuration, a data propagation delay occurs with a default value of 5 minutes. A user or group, which was just created in non-root domains, might not be visible when user list or group list commands are issued. Similarly, a user or group, newly created in the primary root domain controller, might not be immediately visible in the secondary root domain. By adjusting the values of Replicator notify pause after modify and Replicator notify pause between DSAs in the Windows system registry, you can change the behavior to best fit your environment needs.


Setting up Novell eDirectory

Before you begin, ensure that you have completed the basic server installation and configuration for Novell eDirectory and the ConsoleOne tool as described in the Novell product documentation at the following Web addresses:

For Novell eDirectory, Version 8.6.2, see:

http://www.novell.com/documentation/lg/ndsedir86/index.html

For Novell eDirectory, Version 8.7, see:

http://www.novell.com/documentation/lg/edir87/index.html

In addition, ensure that you have reviewed and complied with system requirements listed in “Supported registries” on page 19.

To configure Novell eDirectory for Tivoli Access Manager, follow these steps:

1. Log in to the Novell Client workstation and start ConsoleOne.

2. Expand the NDS tree and then expand the tree that you created during installation. Under the tree are two child entries: an organization object and a Security container object.

3. Select the organization icon. The right pane of the window displays the objects for your organization.

4. To update the schema so that Tivoli Access Manager can install it, right-click the LDAP Group object and select Properties. The Properties notebook is displayed.

5. From the Properties of the LDAP Group window, select the Class Mappings tab.

6. From the Table of LDAP Group Class Mappings window, delete the following entries and then select Apply:

inetOrgPerson
groupOfNames

7. From the Properties of the LDAP Group screen, select the Attribute Mappings tab. The Table of LDAP Group Attribute Mappings window is displayed.

8. Scroll through the table and select the NDS Attributes Member attribute. Verify that the corresponding LDAP attribute value is also Member. If the LDAP attribute value is not Member, click Modify.

9. From the Attribute Mapping window, enter the following and then select OK.

v NDS Attribute = Member

v Primary LDAP Attribute = Member

v Secondary LDAP attribute = uniqueMember

10. From the Properties of  the LDAP Group window, click Apply and Close.

After you set up Novell eDirectory for use with Tivoli Access Manager, the next step is to set up the policy server. For instructions, see Chapter 5, “Setting up the policy server,” on page 89.

When using Novell eDirectory

Novell eDirectory defines the object classes User and Group as part of its base schema. Instances of these object classes are created by an eDirectory administrator when defining a user or a group respectively. Both of these object classes are defined by eDirectory as leaf nodes. eDirectory adds an attribute X-NDS_NOT_CONTAINER ’1’ to each of these object class definitions that specifies that they are not container objects. Not being a container object means that objects cannot be defined beneath instances of these object classes.

Tivoli Access Manager requires the ability to append its own objects beneath pre-existing eDirectory users and groups in order to import them and make them usable by Tivoli Access Manager. When Tivoli Access Manager adds its own object class definitions to the eDirectory schema, it also redefines the eDirectory User and Group object classes to allow instances of these classes to be container objects. Novell eDirectory allows this change to its schema definition.

The following Novell eDirectory administrator actions will cause the Tivoli Access Manager modification to the User object class to be undone. The Group object class is not affected.

v Running the eDirectory database repair tool, ndsrepair, using the rebuild schema option.

v Running Basic Repair from the iManager console and running local database repair using the rebuild operational schema option.

v Applying a patch update to Novell eDirectory.

v Upgrading Novell eDirectory to a more recent version.

Should it be necessary to perform any of these operations after Tivoli Access Manager has been configured into the eDirectory server, run the following Tivoli Access Manager utility immediately to ensure that the definition of the User object class is restored.

ivrgy_tool -h edir_server_name -p port -D edir_admin_dn -w edir_admin_pwd schema

The ivrgy_tool.exe is located in the sbin subdirectory. For example:

v On Windows systems: d:\Program Files\Tivoli\Policy Director\sbin

v On UNIX systems: /opt/PolicyDirector/sbin

You must run this utility from the sbin directory since Tivoli Access Manager does not add the sbin directory to the system PATH. For more information about this utility, see “ivrgy_tool” on page 277.
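As an added example (not code from the IBM guide or from Novell), the following Python check reads eDirectory objectClasses definitions, as an LDAP client would fetch them from the schema subentry, and reports whether the User and Group classes still carry the X-NDS_NOT_CONTAINER '1' marker described above. A class that carries it again after an ndsrepair, patch or upgrade is one for which the ivrgy_tool schema step needs to be re-run. The schema definitions below are constructed samples: the OIDs are placeholders, not eDirectory's real ones, and the attribute lists are abbreviated.

```python
"""Detect whether eDirectory User/Group lost the container change made by
Tivoli Access Manager.

Added example, not from the IBM guide or Novell. Schema definitions below
are constructed; OIDs are placeholders.
"""
import re
from typing import Dict, Iterable, List, Sequence

# Constructed objectClasses values as they might look after an ndsrepair
# rebuild: User has regained X-NDS_NOT_CONTAINER '1', Group has not.
SAMPLE_SCHEMA_AFTER_REPAIR = [
    "( 1.3.6.1.4.1.99999.1.1 NAME 'User' SUP ( organizationalPerson $ ndsLoginProperties ) "
    "STRUCTURAL MAY ( loginDisabled $ passwordExpirationTime ) "
    "X-NDS_NOT_CONTAINER '1' X-NDS_NAMING 'cn' )",
    "( 1.3.6.1.4.1.99999.1.2 NAME ( 'Group' 'groupOfNames' ) SUP top STRUCTURAL "
    "MUST cn MAY ( member $ description ) X-NDS_NAMING 'cn' )",
]

# Constructed values as they should look while the TAM schema is intact.
SAMPLE_SCHEMA_INTACT = [
    "( 1.3.6.1.4.1.99999.1.1 NAME 'User' SUP ( organizationalPerson $ ndsLoginProperties ) "
    "STRUCTURAL MAY ( loginDisabled $ passwordExpirationTime ) X-NDS_NAMING 'cn' )",
    SAMPLE_SCHEMA_AFTER_REPAIR[1],
]

# NAME 'single' or NAME ( 'first' 'alias' ... ), per RFC 4512 objectclass syntax
NAME_RE = re.compile(r"NAME\s+(?:'([^']+)'|\(\s*((?:'[^']+'\s*)+)\))")
NOT_CONTAINER_RE = re.compile(r"X-NDS_NOT_CONTAINER\s+'1'")


def class_names(definition: str) -> List[str]:
    """All names (primary and aliases) declared by one objectClasses value."""
    m = NAME_RE.search(definition)
    if not m:
        return []
    if m.group(1):
        return [m.group(1)]
    return re.findall(r"'([^']+)'", m.group(2))


def container_status(object_classes: Iterable[str]) -> Dict[str, bool]:
    """Map class name -> True if instances may hold child objects (container)."""
    status: Dict[str, bool] = {}
    for definition in object_classes:
        is_container = NOT_CONTAINER_RE.search(definition) is None
        for name in class_names(definition):
            status[name] = is_container
    return status


def classes_needing_schema_reapply(object_classes: Iterable[str],
                                   required: Sequence[str] = ("User", "Group")) -> List[str]:
    """Classes that are not containers (or are missing from the schema), i.e.
    the ones for which 'ivrgy_tool ... schema' has to be run again."""
    status = container_status(object_classes)
    return [c for c in required if not status.get(c, False)]


if __name__ == "__main__":
    print("after repair:", classes_needing_schema_reapply(SAMPLE_SCHEMA_AFTER_REPAIR))
    print("intact:", classes_needing_schema_reapply(SAMPLE_SCHEMA_INTACT))
```

With a real server, the objectClasses values would come from a subschema search (base `cn=schema` on eDirectory) using whatever LDAP client library is in use; the parsing and the decision are unchanged.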


Setting up Sun ONE Directory Server

Before you begin, ensure that you have completed the basic server installation and configuration as described in the Sun ONE Directory Server product documentation. For more information, see Sun documentation at the following Web address:

http://docs.sun.com/db/prod/s1dirsrv

To configure Sun ONE Directory Server for Tivoli Access Manager, follow these steps.

Note: For non-ASCII characters to be stored in attributes, you must disable the 7-bit check plug-in during configuration of the directory server. The default value of this plug-in is set to on.

1. Check that the directory server daemon, slapd-serverID, is running (using the ps command, or an equivalent command for your operating system).

2. Ensure that the directory server daemon (slapd-serverID) and the administration server daemon (admin-serv) are running. If they are not, enter the following commands to start them:

v On UNIX systems:

% ServerRoot/slapd-serverID/start-slapd

% ServerRoot/start-admin

v On Windows systems, use Services to start the Sun ONE Administration Server 5.2 and Sun ONE Directory Server 5.2 services.

3. To start the console, enter one of the following:

v On UNIX systems:

% ServerRoot/startconsole

v On Windows systems, select Start → Programs → Sun ONE Server Products → Sun ONE Server Console 5.2.

The Sun ONE Server Console Login dialog is displayed unless your configuration directory (o=NetscapeRoot directory) is stored in a separate instance of Sun ONE Directory Server. In this case, a window is displayed requesting your administrator user DN, password, and the Web address of the administration server for that directory server.

4. Log in using the user ID and password for the LDAP administrator. For example, type cn=Directory Manager and the appropriate password and then click OK.


The Sun ONE Server Console is displayed.

5. Navigate through the tree in the left-hand pane to find the system hosting your Directory Server and click on it to display its general properties.

6. Double-click the name of your Directory Server in the tree or click the Open button. The Directory Server Console for managing this Directory Server instance is displayed.

7. From the Configuration tab, right-click Data in the left-hand pane and then select New Suffix. You can also create a new suffix by selecting Data and then selecting Object → New Suffix from the menu bar.

8. To create the suffix that maintains Tivoli Access Manager data, type secAuthority=Default and then click OK.

The progress of the suffix creation is displayed in a status window.

9. Expand the Data node to ensure that the suffix was created. If you chose to create a suffix to maintain user and group data, follow this procedure again to create another suffix. For example, you could create a suffix named o=tivoli,c=us.

10. Do one of  the following:

v If you did not add any suffixes other than secAuthority=Default, configuration is complete. A directory entry for secAuthority=Default is automatically added when the policy server is configured.

v If you added suffixes other than secAuthority=Default, continue to step 11 to create directory entries for each new suffix.

11. Select the Directory tab and highlight the name of  the server in the top of  theleft pane.


12. Select Objects → New Root Object. A list of new suffixes for which no entry yet exists is displayed as shown:

13. For each new suffix (other than secAuthority=Default), select the new suffix. The New Object pane is displayed. Scroll down to find the entry type that corresponds to the suffix you are creating. For example, you might select organization for a suffix named o=tivoli,c=us. Highlight the entry type and click OK as shown:

14. From the Generic Editor window, enter a value for the entry. For the o=tivoli,c=us example, enter tivoli as the value for organization and then click OK.

15. After you have created entries for each suffix that you added, select Console → Exit to close the console.


After you set up Sun ONE Directory Server for use with Tivoli Access Manager, the next step is to set up the policy server. For instructions, see Chapter 5, “Setting up the policy server,” on page 89.


Chapter 5. Setting up the policy server

This chapter provides information about installing and configuring the Tivoli Access Manager policy server system. You must install and configure only one policy server for each secure domain. It is recommended that you set up the policy server on a separate system from your registry server.

Optional: You can set up a standby policy server in the event of a system failure (on AIX only). This capability requires additional software and hardware, including High Availability Cluster Multiprocessing (HACMP) software. For information and basic instructions, see Chapter 18, “AIX: Setting up a standby policy server,” on page 249.

You can set up this system using one of the following installation methods:

v “Installing using the installation wizard”

v “Installing using native utilities” on page 90

Installing using the installation wizard

The install_ammgr installation wizard simplifies the setup of the Tivoli Access Manager policy server system by installing and configuring the following components in the appropriate order:

v Global Security Kit (GSKit), Version 7

v IBM Tivoli Directory Client, Version 5.2 (as needed)

v Access Manager Runtime, Version 5.1

v Access Manager Policy Server, Version 5.1

Note: The wizard detects if a component is installed and does not attempt to re-install it.

To install and configure a policy server system using the install_ammgr wizard, follow these steps:

1. Ensure that all necessary operating system patches are installed. For information, see “Supported platforms, including required patches” on page 26.

2. Ensure that your registry server is up and running (in normal mode) before installing the policy server.

3. Ensure that IBM JRE 1.3.1 (1.3.1.5 on AIX) is installed before running the installation wizard. For instructions, see page 153.

4. To view status and messages in a language other than English (default), install a language support package before running an installation wizard. For instructions, see “Installing language support packages” on page 35.

5. On Windows systems only, exit from all running programs.

6. Run the install_ammgr program, located in the root directory on the Tivoli Access Manager Base CD for supported AIX, HP-UX, Linux, Solaris, and Windows platforms.

The installation wizard begins by prompting you for configuration information as described in “Using the install_ammgr wizard” on page 189. After you supply this information (or accept default values), the components are installed and configured without further intervention.


This completes the setup of the policy server system. To set up another Tivoli Access Manager system, follow the steps in “Installation process” on page 17.

Installing using native utilities

The following sections enable you to install Tivoli Access Manager software using a familiar platform-specific utility. Unlike the automated installation wizards, you must manually install packages for each component and any prerequisite software in the appropriate order. To configure software packages after installation, use the pdconfig utility.

Complete the instructions that apply to your operating system:

v AIX on page 90

v HP-UX on page 91

v Linux on page 93

v Solaris on page 94

v Windows on page 95

AIX: Installing the policy server

The following procedure uses installp to install software packages and the pdconfig utility to configure them.

To install the Tivoli Access Manager policy server system on AIX, follow these steps:

1. Log on as root.

2. Ensure that your registry server is up and running (in normal mode) before installing the policy server.

3. Insert the IBM Tivoli Access Manager Base for AIX CD and mount it.

4. Install GSKit. For instructions, see page 145.

5. Install the IBM Tivoli Directory Client. For instructions, see page 150.

6. Install the following packages:

installp -acgXd cd_mount_point/usr/sys/inst.images packages

where cd_mount_point/usr/sys/inst.images is the directory where the CD is mounted and packages are as follows:

PD.RTE Specifies the Access Manager Runtime package.

PD.Mgr Specifies the Access Manager Policy Server package.

Note: When installing the policy server, you must install the Access Manager Runtime first. However, you must not configure this component until the policy server is installed.

7. To view status and messages in a language other than English (default), you must install your language support package before configuring packages. For instructions, see “Installing language support packages” on page 35.

8. Configure the Access Manager Runtime followed by the Access Manager Policy Server package as follows:

a. Start the configuration utility:

pdconfig

The Tivoli Access Manager Setup Menu is displayed.


b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.

c. Select the menu number of the package that you want to configure, one at a time.

Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 16, “pdconfig options,” on page 217.

When a message appears indicating that the package has been successfully configured, press Enter to configure another package or select the x option twice to close the configuration utility.

This completes the setup of the policy server system. To set up another Tivoli Access Manager system, follow the steps in “Installation process” on page 17.

Note that configuration of the Tivoli Access Manager policy server creates a default SSL certificate authority file named pdcacert.b64. After successful configuration of the Access Manager Policy Server component, a message similar to the following is displayed:

Access Manager Policy Server configuration completed successfully.
The Manager’s CA certificate is base64-encoded and saved in text file
/var/PolicyDirector/keytab/pdcacert.b64
You must distribute this file to each machine in your secure domain.
It is needed for successful configuration.

For a Tivoli Access Manager runtime system to authenticate to Tivoli Access Manager servers, each runtime system requires a copy of this file. To obtain this file, do one of the following:

v During configuration of the Access Manager Runtime package (using the pdconfig utility), select to download the pdcacert.b64 file automatically.

v Manually copy the pdcacert.b64 file to the Tivoli Access Manager system before configuring the Access Manager Runtime component.

HP-UX: Installing the policy server

The following procedure uses swinstall to install software packages and the pdconfig utility to configure them.

To install the Tivoli Access Manager policy server system on HP-UX, follow these steps:

1. Log on as root.

2. Ensure that your registry server is up and running (in normal mode) before installing the policy server.

3. Insert the IBM Tivoli Access Manager Base for HP-UX CD.

4. Start pfs_mountd and then pfsd in the background, if they are not running. Mount the CD with the pfs_mount command. For example, enter the following:

/usr/sbin/pfs_mount /dev/dsk/c0t0d0 /cd-rom

where /dev/dsk/c0t0d0 is the CD device and /cd-rom is the mount point.

5. Install GSKit. For instructions, see page 145.

6. Install the IBM Tivoli Directory Client. For instructions, see page 150.

7. From the root directory on the CD, enter the following to install the LDAP patch:

am_update_ldap.sh


8. Install the following packages:

swinstall -s /cd-rom/hp packages

where /cd-rom/hp is the directory and packages are as follows:

PDRTE Specifies the Access Manager Runtime package.

PDMgr Specifies the Access Manager Policy Server package.

Note: When installing the policy server, you must install the Access Manager Runtime first. However, you must not configure this component until the policy server is installed.

9. To view status and messages in a language other than English (default), you must install your language support package before configuring packages. For instructions, see “Installing language support packages” on page 35.

10. Configure the Access Manager Runtime followed by the Access Manager Policy Server package as follows:

a. Start the configuration utility:

pdconfig

The Tivoli Access Manager Setup Menu is displayed.

b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.

c. Select the menu number of the package that you want to configure, one at a time.

Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 16, “pdconfig options,” on page 217.

When a message appears indicating that the package has been successfully configured, press Enter to configure another package or select the x option twice to close the configuration utility.

11. Unmount the CD as follows:

pfs_umount -c /cd-rom

where /cd-rom is the mount point.

This completes the setup of the policy server system. To set up another Tivoli Access Manager system, follow the steps in “Installation process” on page 17.

Note that configuration of the Tivoli Access Manager policy server creates a default SSL certificate authority file named pdcacert.b64. After successful configuration of the Access Manager Policy Server component, a message similar to the following is displayed:

Access Manager Policy Server configuration completed successfully.
The Manager’s CA certificate is base64-encoded and saved in text file
/var/PolicyDirector/keytab/pdcacert.b64
You must distribute this file to each machine in your secure domain.
It is needed for successful configuration.

For a Tivoli Access Manager runtime system to authenticate to Tivoli Access Manager servers, each runtime system requires a copy of this file. To obtain this file, do one of the following:

v During configuration of the Access Manager Runtime package (using the pdconfig utility), select to download the pdcacert.b64 file automatically.


v Manually copy the pdcacert.b64 file to the Tivoli Access Manager system before configuring the Access Manager Runtime component.

Linux: Installing the policy server

The following procedure uses rpm to install software packages and the pdconfig utility to configure them.

To install the Tivoli Access Manager policy server system on Linux, follow these steps.

Note: Linux on zSeries users: You must first obtain access to the Linux rpm files from the IBM Tivoli Access Manager for Linux on zSeries CD.

1. Log on as root.

2. Ensure that your registry server is up and running (in normal mode) before installing the policy server.

3. Insert the IBM Tivoli Access Manager Base CD for xSeries or zSeries and mount it.

4. Change to the /mnt/cdrom/series directory, where /mnt/cdrom is the mount point for your CD and series specifies xSeries or zSeries.

5. Install GSKit. For instructions, see page 146.

6. Install the IBM Tivoli Directory Client. For instructions, see page 151.

7. Install the following packages:

rpm -ihv packages

where packages are as follows:

Platform            Access Manager Runtime        Access Manager Policy Server
Linux on xSeries    PDRTE-PD-5.1.0-0.i386.rpm     PDMgr-PD-5.1.0-0.i386.rpm
Linux on zSeries    PDRTE-PD-5.1.0-0.s390.rpm     PDMgr-PD-5.1.0-0.s390.rpm

Note: When installing the policy server, you must install the Access Manager Runtime first. However, you must not configure this component until the policy server is installed.

8. To view status and messages in a language other than English (default), you must install your language support package before configuring packages. For instructions, see “Installing language support packages” on page 35.

9. Configure the Access Manager Runtime followed by the Access Manager Policy Server package as follows:

a. Start the configuration utility:

pdconfig

The Tivoli Access Manager Setup Menu is displayed.

b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.

c. Select the menu number of the package that you want to configure, one at a time.

Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 16, “pdconfig options,” on page 217.


When a message appears indicating that the package has been successfully configured, press Enter to configure another package or select the x option twice to close the configuration utility.

This completes the setup of the policy server system. To set up another Tivoli Access Manager system, follow the steps in “Installation process” on page 17.

Note that configuration of the Tivoli Access Manager policy server creates a default SSL certificate authority file named pdcacert.b64. After successful configuration of the Access Manager Policy Server component, a message similar to the following is displayed:

Access Manager Policy Server configuration completed successfully.
The Manager’s CA certificate is base64-encoded and saved in text file
/var/PolicyDirector/keytab/pdcacert.b64
You must distribute this file to each machine in your secure domain.
It is needed for successful configuration.

For a Tivoli Access Manager runtime system to authenticate to Tivoli Access Manager servers, each runtime system requires a copy of this file. To obtain this file, do one of the following:

v During configuration of the Access Manager Runtime package (using the pdconfig utility), select to download the pdcacert.b64 file automatically.

v Manually copy the pdcacert.b64 file to the Tivoli Access Manager system before configuring the Access Manager Runtime component.

Solaris: Installing the policy server

The following procedure uses pkgadd to install software packages and the pdconfig utility to configure them.

To install the Tivoli Access Manager policy server system on Solaris, follow these steps:

1. Log on as root.

2. Ensure that your registry server is up and running (in normal mode) before installing the policy server.

3. Insert the IBM Tivoli Access Manager Base for Solaris CD.

4. Install GSKit. For instructions, see page 147.

5. Install the IBM Tivoli Directory Client. For instructions, see page 151.

6. Install the following packages (one at a time):

pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault packages

where:

-d /cdrom/cdrom0/solaris
Specifies the location of the package.

-a /cdrom/cdrom0/solaris/pddefault
Specifies the location of the installation administration script.

and packages are as follows:

PDRTE Specifies the Access Manager Runtime package.

PDMgr Specifies the Access Manager Policy Server package.


Note: When installing the policy server, you must install the Access Manager Runtime first. However, you must not configure this component until the policy server is installed.

When the installation process is complete for each package, the following message is displayed:

Installation of package successful.

7. To view status and messages in a language other than English (default), you must install your language support package before configuring packages. For instructions, see “Installing language support packages” on page 35.

8. Configure the Access Manager Runtime followed by the Access Manager Policy Server package as follows:

a. Start the configuration utility:

pdconfig

The Tivoli Access Manager Setup Menu is displayed.

b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.

c. Select the menu number of the package that you want to configure, one at a time.

Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 16, “pdconfig options,” on page 217.

When a message appears indicating that the package has been successfully configured, press Enter to configure another package or select the x option twice to close the configuration utility.

This completes the setup of the policy server system. To set up another Tivoli Access Manager system, follow the steps in “Installation process” on page 17.

Note that configuration of the Tivoli Access Manager policy server creates a default SSL certificate authority file named pdcacert.b64. After successful configuration of the Access Manager Policy Server component, a message similar to the following is displayed:

Access Manager Policy Server configuration completed successfully.
The Manager’s CA certificate is base64-encoded and saved in text file
/var/PolicyDirector/keytab/pdcacert.b64
You must distribute this file to each machine in your secure domain.
It is needed for successful configuration.

For a Tivoli Access Manager runtime system to authenticate to Tivoli Access Manager servers, each runtime system requires a copy of this file. To obtain this file, do one of the following:

v During configuration of the Access Manager Runtime package (using the pdconfig utility), select to download the pdcacert.b64 file automatically.

v Manually copy the pdcacert.b64 file to the Tivoli Access Manager system before configuring the Access Manager Runtime component.

Windows: Installing the policy server

The following procedure uses the setup.exe program to install software packages and the pdconfig utility to configure them.


To install the Tivoli Access Manager policy server system on Windows, follow these steps:

1. Log on as a user with administrator privileges.

2. Ensure that your registry server is up and running (in normal mode) before installing the policy server.

3. Insert the IBM Tivoli Access Manager Base for Windows NT, Windows XP, Windows 2000 and Windows 2003 CD.

4. Install GSKit. For instructions, see page 147.

5. Install the IBM Tivoli Directory Client. For instructions, see page 152.

6. Install the Access Manager Runtime and the Access Manager Policy Server packages. To do so, run the setup.exe program located in the following directory:

windows\PolicyDirector\Disk Images\Disk1

Follow the online instructions to complete the installation.

Note: When installing the policy server, you must install the Access Manager Runtime first. However, you must not configure this component until the policy server is installed.

7. To view status and messages in a language other than English (default), you must install your language support package before configuring packages. For instructions, see “Installing language support packages” on page 35.

8. Configure the Access Manager Runtime followed by the Access Manager Policy Server package as follows:

a. Start the configuration utility:

pdconfig

The Access Manager Configuration window is displayed.

b. Select the Access Manager Runtime package and click Configure.

c. Select the Access Manager Policy Server package and click Configure.

Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 16, “pdconfig options,” on page 217.

This completes the setup of the policy server system. To set up another Tivoli Access Manager system, follow the steps in “Installation process” on page 17.

Note that configuration of the Tivoli Access Manager policy server creates a default SSL certificate authority file named pdcacert.b64. After successful configuration of the Access Manager Policy Server component, a message similar to the following is displayed:

Access Manager Policy Server configuration completed successfully.
The Manager’s CA certificate is base64-encoded and saved in text file
C:\PROGRA~1\Tivoli\POLICY~1\keytab\pdcacert.b64
You must distribute this file to each machine in your secure domain.
It is needed for successful configuration.

For a Tivoli Access Manager runtime system to authenticate to Tivoli Access Manager servers, each runtime system requires a copy of this file. To obtain this file, do one of the following:

v During configuration of the Access Manager Runtime package (using the pdconfig utility), select to download the pdcacert.b64 file automatically.


v Manually copy the pdcacert.b64 file to the Tivoli Access Manager system before configuring the Access Manager Runtime component.
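Each platform procedure above ends with the same step: the pdcacert.b64 CA certificate file created by policy server configuration must reach every runtime system before its Access Manager Runtime component is configured, because that file is what the runtime uses to authenticate the Tivoli Access Manager servers. Whichever of the two delivery methods is used, a practitioner confirms that the copy a runtime system received is intact and identical to the file the policy server wrote. The following script is an added example, not code from the IBM guide or the product: it checks that a pdcacert.b64 copy holds exactly one base64-encoded certificate whose outer DER structure is complete and compares the SHA-256 fingerprint of the decoded certificate with the value recorded on the policy server. The script name check_pdcacert.py, the fingerprint argument, the acceptance of either PEM armour or bare base64 text, and the sample certificate body are assumptions, not values from the guide.

```python
"""Check a copy of pdcacert.b64 before configuring Access Manager Runtime.

Added example, not part of the IBM Tivoli Access Manager guide or product.
Usage: PATH prints the file's SHA-256 fingerprint; PATH FINGERPRINT compares it
with the recorded value; no arguments runs on the constructed sample below.
"""
import base64
import binascii
import hashlib
import re
import sys

# The guide says only that the file is base64-encoded; PEM armour or bare base64 is accepted (assumption).
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

# Constructed sample, NOT a real Access Manager CA certificate: the body is the
# minimal DER SEQUENCE { INTEGER 5 } so that parsing and length checks run offline.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_PDCACERT = (
    "-----BEGIN CERTIFICATE-----\n"
    "MAMCAQU=\n"
    "-----END CERTIFICATE-----\n"
)


def check_der_sequence(der: bytes) -> int:
    """Return the content length of the outer DER SEQUENCE; raise ValueError unless
    the data is exactly one complete SEQUENCE (catches truncation, appended bytes,
    or a file that is not a certificate at all)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("decoded data does not start with a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short-form length
        length, offset = first, 2
    else:                                 # long-form length: 0x8N then N bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("malformed DER length field")
        length = int.from_bytes(der[2:2 + n], "big")
        offset = 2 + n
    if offset + length != len(der):
        raise ValueError(f"DER length {length} does not match file size (truncated or padded)")
    return length


def pem_to_der(text: str) -> bytes:
    """Extract the single certificate body from a pdcacert.b64 copy and decode it."""
    blocks = PEM_RE.findall(text)
    if len(blocks) > 1:
        raise ValueError(f"expected one certificate, found {len(blocks)}")
    body = "".join((blocks[0] if blocks else text).split())
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate body is not valid base64: {exc}") from exc
    check_der_sequence(der)
    return der


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the DER bytes, colon-separated as openssl prints it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def verify_ca_file(text: str, expected_fingerprint: str) -> bool:
    """True only if the copy parses cleanly and matches the recorded fingerprint."""
    der = pem_to_der(text)                # raises ValueError on a damaged copy
    return fingerprint(der) == expected_fingerprint.strip().upper()


def main(argv: list) -> int:
    if len(argv) < 2:                     # no arguments: use the constructed sample
        text, expected = SAMPLE_PDCACERT, fingerprint(SAMPLE_DER)
    else:
        with open(argv[1], encoding="ascii") as fh:
            text = fh.read()
        expected = argv[2] if len(argv) > 2 else None
    try:
        der = pem_to_der(text)
    except ValueError as exc:
        print(f"REJECT: {exc}")
        return 2
    actual = fingerprint(der)
    if expected is None:                  # on the policy server: record this value
        print(f"SHA256 fingerprint: {actual}")
        return 0
    if actual != expected.strip().upper():
        print(f"MISMATCH: got {actual}; do not configure the runtime with this file")
        return 1
    print("OK: pdcacert.b64 matches the policy server fingerprint")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once on the policy server against the file path shown in the configuration message to record the fingerprint, then on each runtime system with that fingerprint before the pdconfig step; an exit code of 1 (mismatch) or 2 (unparseable copy) means the copy must be replaced rather than used.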


Chapter 6. Setting up an authorization server

This chapter provides information about installing and configuring a Tivoli Access Manager authorization server system.

You can set up this system using one of the following installation methods:

v “Installing using the installation wizard”

v “Installing using native utilities” on page 100

Installing using the installation wizard

The install_amacld installation wizard simplifies the setup of a Tivoli Access Manager authorization server system by installing and configuring the following components in the appropriate order:

v Global Security Kit (GSKit), Version 7

v IBM Tivoli Directory Client, Version 5.2 (as needed)

v Access Manager Runtime, Version 5.1

v Access Manager Authorization Server, Version 5.1

Note: The wizard detects if a component is installed and does not attempt to re-install it.

To install and configure an authorization server system using the install_amacld wizard, follow these steps:

1. Ensure that all necessary operating system patches are installed. For information, see “Supported platforms, including required patches” on page 26.

2. Ensure that the registry server and policy server are up and running (in normal mode).

3. Ensure that IBM JRE 1.3.1 (1.3.1.5 on AIX) is installed before running the installation wizard. For instructions, see page 153.

4. To view status and messages in a language other than English (default), install a language support package before running an installation wizard. For instructions, see “Installing language support packages” on page 35.

5. On Windows systems only:

v Exit from all running programs.

v If you are using Active Directory, you must install the IBM Tivoli Directory Client before running this installation wizard. To do so, run the setup.exe program, located in cd_drive:\windows\directory\. Select to install the Client SDK 5.2 feature and complete the online instructions.

6. Run the install_amacld program, located in the root directory on the Tivoli Access Manager Base CD for supported AIX, HP-UX, Linux, Solaris, and Windows platforms.

The installation wizard begins by prompting you for configuration information as described in “install_amacld” on page 205. After you supply this information (or accept default values), the components are installed and configured without further intervention.


This completes the setup of an authorization server system. To set up another Tivoli Access Manager system, follow the steps in “Installation process” on page 17.

Installing using native utilities

The following sections enable you to install Tivoli Access Manager software using a familiar platform-specific utility. Unlike the automated installation wizards, you must manually install each component and any prerequisite software in the appropriate order. To configure software packages after installation, use the pdconfig utility.

Complete the instructions that apply to your operating system:

v AIX on page 100

v HP-UX on page 101

v Linux on page 102

v Solaris on page 103

v Windows on page 104

AIX: Installing an authorization server

The following procedure uses installp to install software packages and the pdconfig utility to configure them.

To install a Tivoli Access Manager authorization server system, follow these steps:

1. Log on as root.

2. Ensure that the registry server and policy server are up and running (in normal mode).

3. Insert the IBM Tivoli Access Manager Base for AIX CD and mount it.

4. Install GSKit. For instructions, see page 145.

5. Install the IBM Tivoli Directory Client. For instructions, see page 150.

6. Install the following packages:

installp -acgXd cd_mount_point/usr/sys/inst.images packages

where cd_mount_point/usr/sys/inst.images is the directory where the CD is mounted and packages are as follows:

PD.RTE Specifies the Access Manager Runtime package.

PD.Acld Specifies the Access Manager Authorization Server package.

7. To view status and messages in a language other than English (default), you must install your language support package before configuring packages. For instructions, see “Installing language support packages” on page 35.

8. Configure the Access Manager Runtime followed by the Access Manager Authorization Server package as follows:

a. Start the configuration utility:

pdconfig

The Tivoli Access Manager Setup Menu is displayed.

b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.

c. Select the menu number of the package that you want to configure, one at a time.


Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 16, “pdconfig options,” on page 217.

When a message appears indicating that the package has been successfully configured, press Enter to configure another package or select the x option twice to close the configuration utility.

This completes the setup of an authorization server system. To set up another Tivoli Access Manager system, follow the steps in “Installation process” on page 17.

HP-UX: Installing an authorization server

The following procedure uses swinstall to install software packages and the pdconfig utility to configure them.

To install a Tivoli Access Manager authorization server system, follow these steps:

1. Log on as root.

2. Ensure that the registry server and policy server are up and running (in normal mode).

3. Insert the IBM Tivoli Access Manager Base for HP-UX CD.

4. Start pfs_mountd and then pfsd in the background, if they are not running. Mount the CD with the pfs_mount command. For example, enter the following:

/usr/sbin/pfs_mount /dev/dsk/c0t0d0 /cd-rom

where /dev/dsk/c0t0d0 is the CD device and /cd-rom is the mount point.

5. Install GSKit. For instructions, see page 145.

6. Install the IBM Tivoli Directory Client. For instructions, see page 150.

7. From the root directory on the CD, enter the following to install the LDAP patch:

am_update_ldap.sh

8. Install the following packages:

swinstall -s /cd-rom/hp packages

where /cd-rom/hp is the directory and packages are as follows:

PDRTE Specifies the Access Manager Runtime package.

PDAcld Specifies the Access Manager Authorization Server package.

9. To view status and messages in a language other than English (default), you must install your language support package before configuring packages. For instructions, see “Installing language support packages” on page 35.

10. Configure the Access Manager Runtime followed by the Access Manager Authorization Server package as follows:

a. Start the configuration utility:

pdconfig

The Tivoli Access Manager Setup Menu is displayed.

b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.

c. Select the menu number of the package that you want to configure, one at a time.


Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 16, “pdconfig options,” on page 217.

When a message appears indicating that the package has been successfully configured, press Enter to configure another package or select the x option twice to close the configuration utility.

11. Unmount the CD as follows:

pfs_umount -c /cd-rom

where /cd-rom is the mount point.

This completes the setup of an authorization server system. To set up another Tivoli Access Manager system, follow the steps in “Installation process” on page 17.

Linux: Installing an authorization server

The following procedure uses rpm to install software packages and the pdconfig utility to configure them.

To install a Tivoli Access Manager authorization server system, follow these steps.

Note: Linux on zSeries users: You must first obtain access to the Linux rpm files from the IBM Tivoli Access Manager for Linux on zSeries CD.

1. Log on as root.

2. Ensure that the registry server and policy server are up and running (in normal mode).

3. Insert the IBM Tivoli Access Manager Base CD for xSeries or zSeries and mount it.

4. Change to the /mnt/cdrom/series directory, where /mnt/cdrom is the mount point for your CD and series specifies xSeries or zSeries.

5. Install GSKit. For instructions, see page 146.

6. Install the IBM Tivoli Directory Client. For instructions, see page 151.

7. Install the following packages:

rpm -ihv packages

where packages are as follows:

Platform            Access Manager Runtime        Access Manager Authorization Server
Linux on xSeries    PDRTE-PD-5.1.0-0.i386.rpm     PDAcld-PD-5.1.0-0.i386.rpm
Linux on zSeries    PDRTE-PD-5.1.0-0.s390.rpm     PDAcld-PD-5.1.0-0.s390.rpm

8. To view status and messages in a language other than English (default), you must install your language support package before configuring packages. For instructions, see “Installing language support packages” on page 35.

9. Configure the Access Manager Runtime followed by the Access Manager Authorization Server package as follows:

a. Start the configuration utility:

pdconfig

The Tivoli Access Manager Setup Menu is displayed.


b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.

c. Select the menu number of the package that you want to configure, one at a time.

Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 16, “pdconfig options,” on page 217.

When a message appears indicating that the package has been successfully configured, press Enter to configure another package or select the x option twice to close the configuration utility.

This completes the setup of an authorization server system. To set up another Tivoli Access Manager system, follow steps in the “Installation process” on page 17.

Solaris: Installing an authorization server

The following procedure uses pkgadd to install software packages and the pdconfig utility to configure them.

To install a Tivoli Access Manager authorization server system, follow these steps:

1. Log on as root.

2. Ensure that the registry server and policy server are up and running (in normal mode).

3. Insert the IBM Tivoli Access Manager Base for Solaris CD.

4. Install GSKit. For instructions, see page 147.

5. Install the IBM Tivoli Directory Client. For instructions, see page 151.

6. Install the following packages (one at a time):

pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault packages

where:

-d /cdrom/cdrom0/solaris
Specifies the location of the package.

-a /cdrom/cdrom0/solaris/pddefault
Specifies the location of the installation administration script.

and packages are as follows:

PDRTE Specifies the Access Manager Runtime package.

PDAcld Specifies the Access Manager Authorization Server package.

When the installation process is complete for each package, the following message is displayed:

Installation of package successful.

7. To view status and messages in a language other than English (default), you must install your language support package before configuring packages. For instructions, see “Installing language support packages” on page 35.

8. Configure the Access Manager Runtime followed by the Access Manager Authorization Server package as follows:

a. Start the configuration utility:

pdconfig


The Tivoli Access Manager Setup Menu is displayed.

b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.

c. Select the menu number of the package that you want to configure, one at a time.

Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 16, “pdconfig options,” on page 217.

When a message appears indicating that the package has been successfully configured, press Enter to configure another package or select the x option twice to close the configuration utility.

This completes the setup of the policy server system. To set up another Tivoli Access Manager system, follow steps in the “Installation process” on page 17.

Windows: Installing an authorization server

The following procedure uses the setup.exe program to install software packages and the pdconfig utility to configure them.

To install a Tivoli Access Manager authorization server system, follow these steps:

1. Log on as a user with administrator privileges.

2. Ensure that the registry server and policy server are up and running (in normal mode).

3. Insert the IBM Tivoli Access Manager Base for Windows NT, Windows XP, Windows 2000 and Windows 2003 CD.

4. Install GSKit. For instructions, see page 147.

5. Install the IBM Tivoli Directory Client. For instructions, see page 152.

6. Install the Access Manager Runtime and the Access Manager Authorization Server packages. To do so, run the setup.exe program located in the following directory:

windows\PolicyDirector\Disk Images\Disk1

Follow the online instructions to complete the installation.

7. To view status and messages in a language other than English (default), you must install your language support package before configuring packages. For instructions, see “Installing language support packages” on page 35.

8. Configure the Access Manager Runtime followed by the Access Manager Authorization Server package as follows:

a. Start the configuration utility:

pdconfig

The Access Manager Configuration window is displayed.

b. Select the Access Manager Runtime package and click Configure.

c. Select the Access Manager Authorization Server package and click Configure.

Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 16, “pdconfig options,” on page 217.


This completes the setup of an authorization server system. To set up another Tivoli Access Manager system, follow steps in the “Installation process” on page 17.


Chapter 7. Setting up a development (ADK) system

This chapter provides information about installing and configuring a Tivoli Access Manager development (ADK) system.

You can set up this system using one of the following installation methods:

• “Installing using the installation wizard”

• “Installing using native utilities” on page 108

Installing using the installation wizard

The install_amadk installation wizard simplifies the setup of a Tivoli Access Manager development (ADK) system by installing and configuring the following components in the appropriate order:

• Global Security Kit (GSKit), Version 7

• IBM Tivoli Directory Client, Version 5.2 (as needed)

• Access Manager Runtime, Version 5.1

• Access Manager Application Development Kit, Version 5.1

Note: The wizard detects if a component is installed and does not attempt to re-install it.

To install and configure a development (ADK) system using the install_amadk wizard, follow these steps:

1. Ensure that all necessary operating system patches are installed. For information, see “Supported platforms, including required patches” on page 26.

2. Ensure that the registry server and policy server are up and running (in normal mode).

3. Ensure that IBM JRE 1.3.1 (1.3.1.5 on AIX) is installed before running the installation wizard. For instructions, see page 153.

4. To view status and messages in a language other than English (default), install a language support package before running an installation wizard. For instructions, see “Installing language support packages” on page 35.

5. On Windows systems only, exit from all running programs.

6. Run the install_amadk program, located in the root directory on the Tivoli Access Manager Base CD for supported AIX, HP-UX, Linux, Solaris, and Windows platforms.

The installation wizard begins by prompting you for configuration information as described in “install_amadk” on page 207. After you supply this information (or accept default values), the components are installed and configured without further intervention.

This completes the setup of a development (ADK) system. To set up another Tivoli Access Manager system, follow steps in the “Installation process” on page 17.


Installing using native utilities

The following sections enable you to install Tivoli Access Manager software using a familiar platform-specific utility. Unlike automated installation wizards, you must manually install each component and any prerequisite software in the appropriate order. To configure the Access Manager Runtime component after installation, use the pdconfig utility.

Complete the instructions that apply to your operating system:

• AIX on page 108

• HP-UX on page 109

• Linux on page 110

• Solaris on page 111

• Windows on page 112

AIX: Installing a development (ADK) system

The following procedure uses installp to install software packages and the pdconfig utility to configure them.

To install a Tivoli Access Manager development (ADK) system, follow these steps:

1. Log on as root.

2. Ensure that the registry server and policy server are up and running (in normal mode).

3. Insert the IBM Tivoli Access Manager Base for AIX CD and mount it.

4. Install GSKit. For instructions, see page 145.

5. Install the IBM Tivoli Directory Client. For instructions, see page 150.

6. Install the following packages:

installp -acgXd cd_mount_point/usr/sys/inst.images packages

where cd_mount_point/usr/sys/inst.images is the directory where the CD is mounted and packages are as follows:

PD.RTE Specifies the Access Manager Runtime package.

PD.AuthADK Specifies the Access Manager Application Development Kit package.

7. To view status and messages in a language other than English (default), you must install your language support package before configuring packages. For instructions, see “Installing language support packages” on page 35.

8. Configure the Access Manager Runtime package as follows:

a. Start the configuration utility:

pdconfig

The Tivoli Access Manager Setup Menu is displayed.

b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.

c. Select the menu number of the package that you want to configure. For assistance with configuration options, see Chapter 16, “pdconfig options,” on page 217.

When a message appears indicating that the package has been successfully configured, select the x option twice to close the configuration utility.


This completes the setup of a Tivoli Access Manager development (ADK) system. To set up another Tivoli Access Manager system, follow steps in the “Installation process” on page 17.

HP-UX: Installing a development (ADK) system

The following procedure uses swinstall to install software packages and the pdconfig utility to configure them.

To install a Tivoli Access Manager development (ADK) system, follow these steps:

1. Log on as root.

2. Ensure that the registry server and policy server are up and running (in normal mode).

3. Insert the IBM Tivoli Access Manager Base for HP-UX CD.

4. Start pfs_mountd and then pfsd in the background, if they are not running. Mount the CD with the pfs_mount command. For example, enter the following:

/usr/sbin/pfs_mount /dev/dsk/c0t0d0 /cd-rom

where /dev/dsk/c0t0d0 is the CD device and /cd-rom is the mount point.

5. Install GSKit. For instructions, see page 145.

6. Install the IBM Tivoli Directory Client. For instructions, see page 150.

7. From the root directory on the CD, enter the following to install the LDAP patch:

am_update_ldap.sh

8. Install the following packages:

swinstall -s /cd-rom/hp packages

where /cd-rom/hp is the directory and packages are as follows:

PDRTE Specifies the Access Manager Runtime package.

PDAuthADK Specifies the Access Manager Application Development Kit package.

9. To view status and messages in a language other than English (default), you must install your language support package before configuring packages. For instructions, see “Installing language support packages” on page 35.

10. Configure the Access Manager Runtime component as follows:

a. Start the configuration utility:

pdconfig

The Tivoli Access Manager Setup Menu is displayed.

b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.

c. Select the menu number of the package that you want to configure. For assistance with configuration options, see Chapter 16, “pdconfig options,” on page 217.

When a message appears indicating that the package has been successfully configured, select the x option twice to close the configuration utility.

11. Unmount the CD as follows:

pfs_umount -c /cd-rom

where /cd-rom is the mount point.


This completes the setup of a Tivoli Access Manager development (ADK) system. To set up another Tivoli Access Manager system, follow steps in the “Installation process” on page 17.

Linux: Installing a development (ADK) system

The following procedure uses rpm to install software packages and the pdconfig utility to configure them.

To install a Tivoli Access Manager development (ADK) system, follow these steps.

Note: Linux on zSeries users: You must first obtain access to the Linux rpm files from the IBM Tivoli Access Manager for Linux on zSeries CD.

1. Log on as root.

2. Ensure that the registry server and policy server are up and running (in normal mode).

3. Insert the IBM Tivoli Access Manager Base CD for xSeries, zSeries, or pSeries and iSeries and mount it.

4. Change to the /mnt/cdrom/series directory where /mnt/cdrom is the mount point for your CD and series specifies xSeries, zSeries or pSeries.

5. Install GSKit. For instructions, see page 146.

6. Install the IBM Tivoli Directory Client. For instructions, see page 151.

7. Install the following packages:

rpm -ihv packages

where packages are as follows:

                              Access Manager Runtime       Access Manager Application Development Kit
Linux on xSeries              PDRTE-PD-5.1.0-0.i386.rpm    PDAuthADK-PD-5.1.0-0.i386.rpm
Linux on zSeries              PDRTE-PD-5.1.0-0.s390.rpm    PDAuthADK-PD-5.1.0-0.s390.rpm
Linux on pSeries and iSeries  PDRTE-PD-5.1.0-0.ppc.rpm     PDAuthADK-PD-5.1.0-0.ppc.rpm

8. To view status and messages in a language other than English (default), you must install your language support package before configuring packages. For instructions, see “Installing language support packages” on page 35.

9. Configure the Access Manager Runtime component as follows:

a. Start the configuration utility:

pdconfig

The Tivoli Access Manager Setup Menu is displayed.

b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.

c. Select the menu number of the package that you want to configure. For assistance with configuration options, see Chapter 16, “pdconfig options,” on page 217.

When a message appears indicating that the package has been successfully configured, select the x option twice to close the configuration utility.


This completes the setup of a Tivoli Access Manager development (ADK) system. To set up another Tivoli Access Manager system, follow steps in the “Installation process” on page 17.
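The following shell script is an added example; it is not part of the IBM guide and is not a Tivoli Access Manager utility. It automates the rpm steps of the Linux procedures in this chapter and in Chapter 6 (authorization server), and it also accepts the Chapter 8 Linux Java Runtime Environment package: it refuses to run as a non-root user, derives the CD series directory from uname -m so the wrong architecture cannot be picked by hand, checks that every package file exists before installing anything, installs the Access Manager Runtime before the dependent component, skips packages that rpm already reports as installed, and verifies each package with rpm -q afterwards. The package file names and the /mnt/cdrom/series layout are the guide's; the function names, the uname -m mapping (including treating x86_64 hosts as xSeries) and the rpm -q verification are this example's own assumptions. Configuration with pdconfig is still done by hand as in the steps that follow the install.

```sh
#!/bin/sh
# Added example, not from the IBM guide: install the Tivoli Access Manager 5.1
# Linux packages listed in the guide, Runtime first, with checks and
# verification around each rpm -ihv. Function names are this example's own.

# Map the CD "series" directory name to the architecture suffix used in the
# package file names (both taken from the guide's package tables).
am_rpm_arch() {
    case "$1" in
        xSeries) echo i386 ;;
        zSeries) echo s390 ;;
        pSeries|iSeries) echo ppc ;;
        *) echo "unknown series: $1" >&2; return 1 ;;
    esac
}

# Derive the series from the kernel machine type so the installer cannot be
# pointed at the wrong CD directory. Assumption of this example: x86_64 hosts
# use the xSeries (i386) packages.
am_series_for_machine() {
    case "$1" in
        i?86|x86_64) echo xSeries ;;
        s390|s390x)  echo zSeries ;;
        ppc|ppc64)   echo pSeries ;;
        *) echo "unsupported machine type: $1" >&2; return 1 ;;
    esac
}

# Package name as registered with rpm: PDRTE-PD-5.1.0-0.i386.rpm -> PDRTE
am_rpm_name() {
    echo "${1%%-PD-*}"
}

# Package files for a component, in install order (Runtime first, as the
# guide requires): acld = Authorization Server, adk = Application Development
# Kit, jrte = Java Runtime Environment (Chapter 8, no Runtime prerequisite).
am_rpm_packages() {
    arch=$(am_rpm_arch "$1") || return 1
    case "$2" in
        acld) echo "PDRTE-PD-5.1.0-0.$arch.rpm PDAcld-PD-5.1.0-0.$arch.rpm" ;;
        adk)  echo "PDRTE-PD-5.1.0-0.$arch.rpm PDAuthADK-PD-5.1.0-0.$arch.rpm" ;;
        jrte) echo "PDJrte-PD-5.1.0-0.$arch.rpm" ;;
        *) echo "unknown component: $2" >&2; return 1 ;;
    esac
}

# am_install_linux COMPONENT [MOUNT_POINT]
# Installs from the mounted Base CD (default mount point from the guide).
am_install_linux() {
    component=$1
    mount=${2:-/mnt/cdrom}
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    series=$(am_series_for_machine "$(uname -m)") || return 1
    pkgs=$(am_rpm_packages "$series" "$component") || return 1
    dir=$mount/$series
    # Check all files before installing any, so a half-installed pair is
    # never left behind.
    for p in $pkgs; do
        [ -f "$dir/$p" ] || { echo "missing package file: $dir/$p" >&2; return 1; }
    done
    for p in $pkgs; do
        name=$(am_rpm_name "$p")
        if rpm -q "$name" >/dev/null 2>&1; then
            echo "$name is already installed; skipping"
            continue
        fi
        rpm -ihv "$dir/$p" || return 1
        rpm -q "$name" >/dev/null 2>&1 || { echo "$name did not register with rpm" >&2; return 1; }
    done
    echo "installed: $pkgs (series $series); now run pdconfig"
}

# Usage: set AM_INSTALL_COMPONENT to acld, adk or jrte to run the install;
# otherwise only the functions are defined (e.g. when this file is sourced).
if [ -n "${AM_INSTALL_COMPONENT:-}" ]; then
    am_install_linux "$AM_INSTALL_COMPONENT" "${AM_CD_MOUNT:-/mnt/cdrom}"
fi
```

Run it after mounting the CD (for example AM_INSTALL_COMPONENT=adk sh am-install.sh); the language support package and pdconfig steps of the procedure are unchanged.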

Solaris: Installing a development (ADK) system

The following procedure uses pkgadd to install software packages and the pdconfig utility to configure them.

To install a Tivoli Access Manager development (ADK) system, follow these steps:

1. Log on as root.

2. Ensure that the registry server and policy server are up and running (in normal mode).

3. Insert the IBM Tivoli Access Manager Base for Solaris CD.

4. Install GSKit. For instructions, see page 147.

5. Install the IBM Tivoli Directory Client. For instructions, see page 151.

6. Install the following packages (one at a time):

pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault packages

where:

-d /cdrom/cdrom0/solaris
Specifies the location of the package.

-a /cdrom/cdrom0/solaris/pddefault
Specifies the location of the installation administration script.

and packages are as follows:

PDRTE Specifies the Access Manager Runtime package.

PDAuthADK Specifies the Access Manager Application Development Kit package.

When the installation process is complete for each package, the following message is displayed:

Installation of package successful.

7. To view status and messages in a language other than English (default), you must install your language support package before configuring packages. For instructions, see “Installing language support packages” on page 35.

8. Configure the Access Manager Runtime component as follows:

a. Start the configuration utility:

pdconfig

The Tivoli Access Manager Setup Menu is displayed.

b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.

c. Select the menu number of the package that you want to configure. For assistance with configuration options, see Chapter 16, “pdconfig options,” on page 217.

When a message appears indicating that the package has been successfully configured, press Enter to configure another package or select the x option twice to close the configuration utility.


This completes the setup of a Tivoli Access Manager development (ADK) system. To set up another Tivoli Access Manager system, follow steps in the “Installation process” on page 17.

Windows: Installing a development (ADK) system

The following procedure uses the setup.exe program to install software packages and the pdconfig utility to configure them.

To install a Tivoli Access Manager development (ADK) system, follow these steps:

1. Log on as a user with administrator privileges.

2. Ensure that the registry server and policy server are up and running (in normal mode).

3. Insert the IBM Tivoli Access Manager Base for Windows NT, Windows XP, Windows 2000 and Windows 2003 CD.

4. Install GSKit. For instructions, see page 147.

5. Install the IBM Tivoli Directory Client. For instructions, see page 152.

6. Install the Access Manager Runtime and the Access Manager Application Development Kit packages. To do so, run the setup.exe program located in the following directory:

windows\PolicyDirector\Disk Images\Disk1

Follow the online instructions to complete the installation.

7. To view status and messages in a language other than English (default), you must install your language support package before configuring packages. For instructions, see “Installing language support packages” on page 35.

8. Configure the Access Manager Runtime component as follows:

a. Start the configuration utility:

pdconfig

The Access Manager Configuration window is displayed.

b. Select the Access Manager Runtime package and click Configure.

For assistance with configuration options, see Chapter 16, “pdconfig options,” on page 217.

When a message appears indicating that the package has been successfully configured, click Close to exit the configuration utility.

This completes the setup of a Tivoli Access Manager development (ADK) system. To set up another Tivoli Access Manager system, follow steps in the “Installation process” on page 17.


Chapter 8. Setting up a Java runtime environment system

This chapter provides information about installing and configuring a Tivoli Access Manager Java runtime environment system.

You can set up this system using one of the following installation methods:

• “Installing using the installation wizard”

• “Installing using native utilities”

Installing using the installation wizard

The install_amjrte installation wizard simplifies the setup of a Tivoli Access Manager Java runtime environment system by installing and configuring the Access Manager Java Runtime Environment, Version 5.1, component.

Note: The wizard detects if a component is installed and does not attempt to re-install it.

To install and configure a Java runtime environment system using the install_amjrte wizard, follow these steps:

1. Ensure that all necessary operating system patches are installed. For information, see “Supported platforms, including required patches” on page 26.

2. Ensure that IBM JRE 1.3.1 (1.3.1.5 on AIX) is installed before running the installation wizard. For instructions, see page 153.

3. Ensure that the policy server is up and running.

4. To view status and messages in a language other than English (default), install a language support package before running an installation wizard. For instructions, see “Installing language support packages” on page 35.

5. On Windows systems only, exit from all running programs.

6. Run the install_amjrte program, located in the root directory on the Tivoli Access Manager Base CD for supported AIX, HP-UX, Linux, Solaris, and Windows platforms.

The installation wizard begins by prompting you for configuration information as described in “install_amjrte” on page 208. After you supply this information (or accept default values), the component is installed and configured without further intervention.

This completes the setup of a Java runtime environment system. To set up another Tivoli Access Manager system, follow steps in the “Installation process” on page 17.

Installing using native utilities

The following sections enable you to install Tivoli Access Manager software using a familiar platform-specific utility. Unlike automated installation wizards, you must manually install each component and any prerequisite software in the appropriate order. To configure software packages after installation, use the pdjrtecfg utility.

Note: If the Access Manager Runtime component is installed on this system, you can use either the pdconfig or pdjrtecfg utility to configure the Access Manager Java Runtime Environment component.


Complete the instructions that apply to your operating system:

• AIX on page 114

• HP-UX on page 114

• Linux on page 115

• Solaris on page 116

• Windows on page 117

AIX: Installing a Java runtime environment system

The following procedure uses installp to install the Access Manager Java Runtime Environment package and the pdjrtecfg utility to configure it.

To install a Tivoli Access Manager Java runtime environment system on AIX, follow these steps.

1. Log on as root.

2. Install IBM JRE, Version 1.3.1.5. For instructions, see page 153.

3. Insert the IBM Tivoli Access Manager Base for AIX CD and mount it.

4. Install the Access Manager Java Runtime Environment package:

installp -acgXd cd_mount_point/usr/sys/inst.images PDJ.rte

where cd_mount_point/usr/sys/inst.images is the directory where the CD is mounted.

5. To view status and messages in a language other than English (default), you must install your language support package before configuring packages. For instructions, see “Installing language support packages” on page 35.

6. To configure the Access Manager Java Runtime Environment component, change to the /opt/PolicyDirector/sbin directory and do the following:

• If configuring for use within IBM JRE 1.3.1.5, enter the following:

./pdjrtecfg -action config -interactive

• If configuring for use within Sun JRE 1.4, enter the following:

./pdjrtecfg -action config -host policy_server_host -port port -java_home jre_path

Notes:

1. To set up a Java Runtime Environment with configuration type of Full, ensure that both the policy server and registry server are running. If the configuration type is standalone, this is not required.

2. Do not use pdjrtecfg -interactive or the pdconfig utility when using Sun JRE 1.4 or configuration might fail. For more information about these utilities, see “pdjrtecfg” on page 288 and “pdconfig” on page 287.

This completes the setup of a Java runtime environment system. To set up another Tivoli Access Manager system, follow steps in the “Installation process” on page 17.

HP-UX: Installing a Java runtime environment system

The following procedure uses swinstall to install the Access Manager Java Runtime Environment package and the pdjrtecfg utility to configure it.

To install and configure a Tivoli Access Manager Java runtime environment system on HP-UX, follow these steps.

1. Log on as root.

2. Install IBM JRE, Version 1.3.1. For instructions, see page 153.


3. Insert the IBM Tivoli Access Manager Base for HP-UX CD.

4. Start pfs_mountd and then pfsd in the background, if they are not running. Mount the CD with the pfs_mount command. For example, enter the following:

/usr/sbin/pfs_mount /dev/dsk/c0t0d0 /cd-rom

where /dev/dsk/c0t0d0 is the CD device and /cd-rom is the mount point.

5. Install the Access Manager Java Runtime Environment package. Enter the following:

swinstall -s /cd-rom/hp PDJrte

6. To view status and messages in a language other than English (default), you must install your language support package before configuring packages. For instructions, see “Installing language support packages” on page 35.

7. To configure the Access Manager Java Runtime Environment component, change to the /opt/PolicyDirector/sbin directory and do the following:

• If configuring for use within IBM JRE 1.3.1, enter the following:

./pdjrtecfg -action config -interactive

• If configuring for use within Sun JRE 1.4, enter the following:

./pdjrtecfg -action config -host policy_server_host -port port -java_home jre_path

Notes:

1. To set up a Java Runtime Environment with configuration type of Full, ensure that both the policy server and registry server are running. If the configuration type is standalone, this is not required.

2. When using Sun JRE 1.4, do not use pdjrtecfg -interactive or the pdconfig utility or configuration might fail. For more information about these utilities, see “pdjrtecfg” on page 288 and “pdconfig” on page 287.

8. Unmount the CD as follows:

pfs_umount -c /cd-rom

where /cd-rom is the mount point.

This completes the setup of a Java runtime environment system. To set up another Tivoli Access Manager system, follow steps in the “Installation process” on page 17.

Linux: Installing a Java runtime environment system

The following procedure uses rpm to install the Access Manager Java Runtime Environment package and the pdjrtecfg utility to configure it.

To install a Tivoli Access Manager Java runtime environment system on Linux, follow these steps.

Note: Linux on zSeries users: You must first obtain access to the Linux rpm files from the IBM Tivoli Access Manager for Linux on zSeries CD.

1. Log on as root.

2. Install IBM JRE, Version 1.3.1. For instructions, see page 154.

3. Insert the IBM Tivoli Access Manager Base CD for xSeries, zSeries, or pSeries and iSeries and mount it.

4. Change to the /mnt/cdrom/series directory where /mnt/cdrom is the mount point for your CD and series specifies xSeries, zSeries, or pSeries.

5. Install the Access Manager Java Runtime Environment package:


rpm -ihv package

where package is as follows:

• Linux on xSeries: PDJrte-PD-5.1.0-0.i386.rpm

• Linux on zSeries: PDJrte-PD-5.1.0-0.s390.rpm

• Linux on pSeries and iSeries: PDJrte-PD-5.1.0-0.ppc.rpm

6. To view status and messages in a language other than English (default), you must install your language support package before configuring packages. For instructions, see “Installing language support packages” on page 35.

7. To configure the Access Manager Java Runtime Environment component, change to the /opt/PolicyDirector/sbin directory and do the following:

• If configuring for use within IBM JRE 1.3.1, enter the following:

./pdjrtecfg -action config -interactive

• If configuring for use within Sun JRE 1.4, enter the following:

./pdjrtecfg -action config -host policy_server_host -port port -java_home jre_path

Notes:

1. To set up a Java Runtime Environment with configuration type of Full, ensure that both the policy server and registry server are running. If the configuration type is standalone, this is not required.

2. When using Sun JRE 1.4, do not use pdjrtecfg -interactive or the pdconfig utility or configuration might fail. For more information about these utilities, see “pdjrtecfg” on page 288 and “pdconfig” on page 287.

This completes the setup of a Java runtime environment system. To set up another Tivoli Access Manager system, follow steps in the “Installation process” on page 17.

Solaris: Installing a Java runtime environment system

The following procedure uses pkgadd to install the Access Manager Java Runtime Environment package and the pdjrtecfg utility to configure it.

To install and configure a Tivoli Access Manager Java runtime environment system on Solaris, follow these steps.

1. Log on as root.

2. Install IBM JRE, Version 1.3.1. For instructions, see page 155.

3. Insert the IBM Tivoli Access Manager Base for Solaris CD.

4. Install the Access Manager Java Runtime Environment package:

pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault PDJrte

where -d /cdrom/cdrom0/solaris specifies the location of the package and -a /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script.

5. To view status and messages in a language other than English (default), you must install your language support package before configuring packages. For instructions, see “Installing language support packages” on page 35.

6. To configure the Access Manager Java Runtime Environment component, change to the /opt/PolicyDirector/sbin directory and do the following:

• If configuring for use within IBM JRE 1.3.1, enter the following command:

./pdjrtecfg -action config -interactive

• If configuring for use within Sun JRE 1.4, enter the following:


./pdjrtecfg -action config -host policy_server_host -port port -java_home jre_path

Notes:

1. To set up a Java Runtime Environment with configuration type of Full, ensure that both the policy server and registry server are running. If the configuration type is standalone, this is not required.

2. When using Sun JRE 1.4, do not use pdjrtecfg -interactive or the pdconfig utility or configuration might fail. For more information about these utilities, see “pdjrtecfg” on page 288 and “pdconfig” on page 287.

This completes the setup of a Java runtime environment system. To set up another Tivoli Access Manager system, follow steps in the “Installation process” on page 17.
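Before running the non-interactive form of pdjrtecfg shown above, it is worth checking the arguments on the host itself. The following POSIX shell script is an added example and is not part of this guide or of the product: it detects whether the JRE under jre_path is the IBM or the Sun runtime by inspecting the output of java -version (an assumption about that output, not something the guide states), refuses the -interactive mode for a Sun JRE as the note above requires, validates the policy server host and port, and prints the pdjrtecfg command line to run. Only the pdjrtecfg options shown in this chapter are used; the host name and port in the usage comment are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the IBM guide: preflight checks before running
# pdjrtecfg -action config. Only the options the guide shows are used
# (-action, -interactive, -host, -port, -java_home). Detecting the JRE
# vendor from "java -version" output is an assumption of this script.

# Print "ibm" or "sun" for the JRE rooted at $1; return 1 if it has no
# runnable bin/java. java -version writes to stderr, hence 2>&1.
jre_vendor() {
    jre_path=$1
    [ -x "$jre_path/bin/java" ] || return 1
    ver=$("$jre_path/bin/java" -version 2>&1) || return 1
    case $ver in
        *IBM*) echo ibm ;;
        *)     echo sun ;;
    esac
}

# Validate the arguments and print the pdjrtecfg command line to run.
# Usage: pdjrtecfg_command JRE_PATH interactive
#        pdjrtecfg_command JRE_PATH batch HOST PORT
#   e.g. pdjrtecfg_command "$JAVA_HOME" batch pdmgr.example.com 7135
#        (sample host and port, not values from the guide)
# Returns 1 with a reason on stderr if the guide's rules are violated.
pdjrtecfg_command() {
    jre_path=$1; mode=$2; host=$3; port=$4

    vendor=$(jre_vendor "$jre_path") || {
        echo "no executable java under $jre_path/bin" >&2
        return 1
    }

    if [ "$mode" = interactive ]; then
        # The guide's note: with Sun JRE 1.4, -interactive might fail.
        if [ "$vendor" = sun ]; then
            echo "refusing -interactive with a Sun JRE; use batch mode with host and port" >&2
            return 1
        fi
        echo "./pdjrtecfg -action config -interactive"
        return 0
    fi

    # Batch mode (the form required for Sun JRE 1.4): policy server host
    # and port must be present and the port must be a valid TCP port.
    [ -n "$host" ] || { echo "policy server host is required" >&2; return 1; }
    case $port in
        ''|*[!0-9]*) echo "port must be numeric, got '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2
        return 1
    fi
    echo "./pdjrtecfg -action config -host $host -port $port -java_home $jre_path"
}
```

Run it from /opt/PolicyDirector/sbin as root so that the ./pdjrtecfg path it prints is valid; the script only prints the command line and leaves running it to the administrator.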

Windows: Installing a Java runtime environment system

The following procedure uses the setup.exe program to install the Access Manager Java Runtime Environment package and the pdjrtecfg utility to configure it.

To install and configure a Tivoli Access Manager Java runtime environment system on Windows, follow these steps.

1. Log on as a user with Windows administrator privileges.

2. Install IBM JRE, Version 1.3.1. For instructions, see page 155.

3. Insert the IBM Tivoli Access Manager Base for Windows NT, Windows XP, Windows 2000 and Windows 2003 CD.

4. Install the Access Manager Java Runtime Environment package. To do so, run the setup.exe file, located in the following directory:

windows\PolicyDirector\Disk Images\Disk1

Follow online instructions to complete the installation.

5. To view status and messages in a language other than English (default), you must install your language support package before configuring packages. For instructions, see “Installing language support packages” on page 35.

6. To configure the Access Manager Java Runtime Environment component, change to the c:\Program Files\Tivoli\Policy Director\sbin directory and do the following:

v If configuring for use within IBM JRE 1.3.1, enter the following:

pdjrtecfg -action config -interactive

v If configuring for use within Sun JRE 1.4, enter the following:

pdjrtecfg -action config -host policy_server_host -port port -java_home jre_path

Notes:

1. To set up a Java Runtime Environment with configuration type of Full, ensure that both the policy server and registry server are running. If the configuration type is standalone, this is not required.

2. When using Sun JRE 1.4, do not use pdjrtecfg -interactive or the pdconfig utility or configuration might fail. For more information about these utilities, see “pdjrtecfg” on page 288 and “pdconfig” on page 287.

This completes the setup of a Java runtime environment system. To set up another Tivoli Access Manager system, follow steps in the “Installation process” on page 17.


Chapter 9. Setting up a policy proxy server

This chapter provides information about installing and configuring a Tivoli Access Manager policy proxy server system.

You can set up this system using one of the following installation methods:

v “Installing using the installation wizard”

v “Installing using native utilities” on page 120

Installing using the installation wizard

The install_amproxy installation wizard simplifies the setup of a Tivoli Access Manager policy proxy server system by installing and configuring the following components in the appropriate order:

v Global Security Kit (GSKit), Version 7

v IBM Tivoli Directory Client, Version 5.2 (as needed)

v Access Manager Runtime, Version 5.1

v Access Manager Policy Proxy Server, Version 5.1

Note: The wizard detects if a component is installed and does not attempt to re-install it.

To install and configure a policy proxy server system using the install_amproxy wizard, follow these steps:

1. Ensure that all necessary operating system patches are installed. For information, see “Supported platforms, including required patches” on page 26.

2. Ensure that IBM JRE 1.3.1 (1.3.1.5 on AIX) is installed before running the installation wizard. For instructions, see page 153.

3. Ensure that the registry server and policy server are up and running (in normal mode).

4. To view status and messages in a language other than English (default), install a language support package before running an installation wizard. For instructions, see “Installing language support packages” on page 35.

5. On Windows systems only:

v Exit from all running programs.

v If you are using Active Directory, you must install the IBM Tivoli Directory Client before running this installation wizard. To do so, run the setup.exe program, located in the cd_drive:\windows\directory\. Select to install the Client SDK 5.2 feature and complete online instructions.

6. Run the install_amproxy program, located in the root directory on the Tivoli Access Manager Base CD for supported AIX, HP-UX, Linux, Solaris, and Windows platforms.

The installation wizard begins by prompting you for configuration information as described in “install_amproxy” on page 211. After you supply this information (or accept default values), the components are installed and configured without further intervention.

This completes the setup of a policy proxy server system. To set up another Tivoli Access Manager system, follow steps in the “Installation process” on page 17.


Installing using native utilities

The following sections enable you to install Tivoli Access Manager software using a familiar platform-specific utility. Unlike automated installation wizards, you must manually install each component and any prerequisite software in the appropriate order. To configure software packages after installation, use the pdconfig utility.

Complete the instructions that apply to your operating system:

v AIX on page 120

v HP-UX on page 121

v Linux on page 122

v Solaris on page 123

v Windows on page 124

AIX: Installing a policy proxy server

The following procedure uses installp to install software packages and the pdconfig utility to configure them.

To install a Tivoli Access Manager policy proxy server system, follow these steps:

1. Log on as root.

2. Ensure that the registry server and policy server are up and running (in normal mode).

3. Insert the IBM Tivoli Access Manager Base for AIX CD and mount it.

4. Install GSKit. For instructions, see page 145.

5. Install the IBM Tivoli Directory Client. For instructions, see page 150.

6. Install the following packages:

installp -acgXd cd_mount_point/usr/sys/inst.images packages

where cd_mount_point/usr/sys/inst.images is the directory where the CD is mounted and packages are as follows:

PD.RTE Specifies the Access Manager Runtime package.

PD.Proxy Specifies the Access Manager Proxy Policy Server package.

7. To view status and messages in a language other than English (default), you must install your language support package before configuring packages. For instructions, see “Installing language support packages” on page 35.

8. Configure the Access Manager Runtime followed by the Access Manager Policy Proxy Server package as follows:

a. Start the configuration utility:

pdconfig

The Tivoli Access Manager Setup Menu is displayed.

b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.

c. Select the menu number of the package that you want to configure, one at a time.

Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 16, “pdconfig options,” on page 217.


When a message appears indicating that the package has been successfully configured, press Enter to configure another package or select the x option twice to close the configuration utility.

This completes the setup of a policy proxy server system. To set up another Tivoli Access Manager system, follow steps in the “Installation process” on page 17.

HP-UX: Installing a policy proxy server

The following procedure uses swinstall to install software packages and the pdconfig utility to configure them.

To install a Tivoli Access Manager policy proxy server system, follow these steps:

1. Log on as root.

2. Ensure that the registry server and policy server are up and running (in normal mode).

3. Insert the IBM Tivoli Access Manager Base for HP-UX CD.

4. Start pfs_mountd and then pfsd in the background, if they are not running. Mount the CD with the pfs_mount command. For example, enter the following:

/usr/sbin/pfs_mount /dev/dsk/c0t0d0 /cd-rom

where /dev/dsk/c0t0d0 is the CD device and /cd-rom is the mount point.

5. Install GSKit. For instructions, see page 145.

6. Install the IBM Tivoli Directory Client. For instructions, see page 150.

7. From the root directory on the CD, enter the following to install the LDAP patch:

am_update_ldap.sh

8. Install the following packages:

swinstall -s /cd-rom/hp packages

where /cd-rom/hp is the directory and packages are as follows:

PDRTE Specifies the Access Manager Runtime package.

PDProxy Specifies the Access Manager Policy Proxy Server package.

9. To view status and messages in a language other than English (default), you must install your language support package before configuring packages. For instructions, see “Installing language support packages” on page 35.

10. Configure the Access Manager Runtime followed by the Access Manager Policy Proxy Server package as follows:

a. Start the configuration utility:

pdconfig

The Tivoli Access Manager Setup Menu is displayed.

b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.

c. Select the menu number of the package that you want to configure, one at a time.

Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 16, “pdconfig options,” on page 217.


When a message appears indicating that the package has been successfully configured, press Enter to configure another package or select the x option twice to close the configuration utility.

11. Unmount the CD as follows:

pfs_umount -c /cd-rom

where /cd-rom is the mount point.

This completes the setup of a policy proxy server system. To set up another Tivoli Access Manager system, follow steps in the “Installation process” on page 17.

Linux: Installing a policy proxy server

The following procedure uses rpm to install software packages and the pdconfig utility to configure them.

To install a Tivoli Access Manager policy proxy server system, follow these steps.

Note: Linux on zSeries users: You must first obtain access to the Linux rpm files from the IBM Tivoli Access Manager for Linux on zSeries CD.

1. Log on as root.

2. Ensure that the registry server and policy server are up and running (in normal mode).

3. Insert the IBM Tivoli Access Manager Base CD for xSeries or zSeries and mount it.

4. Change to the /mnt/cdrom/series directory where /mnt/cdrom is the mount point for your CD and series specifies xSeries or zSeries.

5. Install GSKit. For instructions, see page 146.

6. Install the IBM Tivoli Directory Client. For instructions, see page 151.

7. Install the following packages:

rpm -ihv packages

where packages are as follows:

                   Access Manager Runtime       Access Manager Policy Proxy Server
Linux on xSeries   PDRTE-PD-5.1.0-0.i386.rpm    PDMgrPrxy-PD-5.1.0-0.i386.rpm
Linux on zSeries   PDRTE-PD-5.1.0-0.s390.rpm    PDMgrPrxy-PD-5.1.0-0.s390.rpm

8. To view status and messages in a language other than English (default), you must install your language support package before configuring packages. For instructions, see “Installing language support packages” on page 35.

9. Configure the Access Manager Runtime followed by the Access Manager Policy Proxy Server package as follows:

a. Start the configuration utility:

pdconfig

The Tivoli Access Manager Setup Menu is displayed.

b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.

c. Select the menu number of the package that you want to configure, one at a time.


Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 16, “pdconfig options,” on page 217.

When a message appears indicating that the package has been successfully configured, press Enter to configure another package or select the x option twice to close the configuration utility.

This completes the setup of a policy proxy server system. To set up another Tivoli Access Manager system, follow steps in the “Installation process” on page 17.

Solaris: Installing a policy proxy server

The following procedure uses pkgadd to install software packages and the pdconfig utility to configure them.

To install a Tivoli Access Manager policy proxy server system, follow these steps:

1. Log on as root.

2. Ensure that the registry server and policy server are up and running (in normal mode).

3. Insert the IBM Tivoli Access Manager Base for Solaris CD.

4. Install GSKit. For instructions, see page 147.

5. Install the IBM Tivoli Directory Client. For instructions, see page 151.

6. Install the following packages (one at a time):

pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault packages

where:

-d /cdrom/cdrom0/solaris

Specifies the location of the package.

-a /cdrom/cdrom0/solaris/pddefault

Specifies the location of the installation administration script.

and packages are as follows:

PDRTE Specifies the Access Manager Runtime package.

PDProxy Specifies the Access Manager Policy Proxy Server package.

When the installation process is complete for each package, the following message is displayed:

Installation of package successful.

7. To view status and messages in a language other than English (default), you must install your language support package before configuring packages. For instructions, see “Installing language support packages” on page 35.

8. Configure the Access Manager Runtime followed by the Access Manager Policy Proxy Server package as follows:

a. Start the configuration utility:

pdconfig

The Tivoli Access Manager Setup Menu is displayed.

b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.


c. Select the menu number of the package that you want to configure, one at a time.

Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 16, “pdconfig options,” on page 217.

When a message appears indicating that the package has been successfully configured, press Enter to configure another package or select the x option twice to close the configuration utility.

This completes the setup of a policy proxy server system. To set up another Tivoli Access Manager system, follow steps in the “Installation process” on page 17.

Windows: Installing a policy proxy server

The following procedure uses the setup.exe program to install software packages and the pdconfig utility to configure them.

To install a Tivoli Access Manager policy proxy server system, follow these steps:

1. Log on as a user with administrator privileges.

2. Ensure that the registry server and policy server are up and running (in normal mode).

3. Insert the IBM Tivoli Access Manager Base for Windows NT, Windows XP, Windows 2000 and Windows 2003 CD.

4. Install GSKit. For instructions, see page 147.

5. Install the IBM Tivoli Directory Client. For instructions, see page 152.

6. Install the Access Manager Runtime and the Access Manager Policy Proxy Server packages. To do so, run the setup.exe program located in the following directory:

windows\PolicyDirector\Disk Images\Disk1

Follow the online instructions to complete the installation.

7. To view status and messages in a language other than English (default), you must install your language support package before configuring packages. For instructions, see “Installing language support packages” on page 35.

8. Configure the Access Manager Runtime followed by the Access Manager Policy Proxy Server package as follows:

a. Start the configuration utility:

pdconfig

The Access Manager Configuration window is displayed.

b. Select the Access Manager Runtime package and click Configure.

c. Select the Access Manager Policy Proxy Server package and click Configure.

Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 16, “pdconfig options,” on page 217.

This completes the setup of a policy proxy server system. To set up another Tivoli Access Manager system, follow steps in the “Installation process” on page 17.


Chapter 10. Setting up a runtime system

This chapter provides information about installing and configuring a Tivoli Access Manager runtime system.

You can set up this system using one of the following installation methods:

v “Installing using the installation wizard”

v “Installing using native utilities” on page 126

Installing using the installation wizard

The install_amrte installation wizard simplifies the setup of a Tivoli Access Manager runtime system by installing and configuring the following components in the appropriate order:

v Global Security Kit (GSKit), Version 7

v IBM Tivoli Directory Client, Version 5.2 (as needed)

v Access Manager Runtime, Version 5.1

Note: The wizard detects if a component is installed and does not attempt to re-install it.

To install and configure a runtime system using the install_amrte wizard, follow these steps:

1. Ensure that all necessary operating system patches are installed. For information, see “Supported platforms, including required patches” on page 26.

2. Ensure that the registry server and policy server are up and running (in normal mode).

3. Ensure that IBM JRE 1.3.1 (1.3.1.5 on AIX) is installed before running the installation wizard. For instructions, see page 153.

4. To view status and messages in a language other than English (default), install a language support package before running an installation wizard. For instructions, see “Installing language support packages” on page 35.

5. On Windows systems only, exit from all running programs.

6. Run the install_amrte program, located in the root directory on the Tivoli Access Manager Base CD for supported AIX, HP-UX, Linux, Solaris, and Windows platforms.

The installation wizard begins by prompting you for configuration information as described on page 198 (LDAP), page 200 (Active Directory), or page 203 (Domino). After you supply this information (or accept default values), the components are installed and configured without further intervention.

This completes the setup of a runtime system. To set up another Tivoli Access Manager system, follow steps in the “Installation process” on page 17.


Installing using native utilities

The following sections enable you to install Tivoli Access Manager software using a familiar platform-specific utility. Unlike automated installation wizards, you must manually install each component and any prerequisite software in the appropriate order. To configure software packages after installation, use the pdconfig utility.

Complete the instructions that apply to your operating system:

v AIX on page 126

v HP-UX on page 127

v Linux on page 128

v Solaris on page 128

v Windows on page 129

AIX: Installing a runtime system

The following procedure uses installp to install software packages and the pdconfig utility to configure them.

To install the Tivoli Access Manager runtime system, follow these steps:

1. Log on as root.

2. Ensure that the registry server and policy server are up and running (in normal mode).

3. Insert the IBM Tivoli Access Manager Base for AIX CD and mount it.

4. Install GSKit. For instructions, see page 145.

5. Install the IBM Tivoli Directory Client. For instructions, see page 150.

6. Install the Access Manager Runtime package:

installp -acgXd cd_mount_point/usr/sys/inst.images PD.RTE

where cd_mount_point/usr/sys/inst.images is the directory where the CD is mounted.

7. To view status and messages in a language other than English (default), you must install your language support package before configuring packages. For instructions, see “Installing language support packages” on page 35.

8. Configure the Access Manager Runtime package as follows:

a. Start the configuration utility:

pdconfig

The Tivoli Access Manager Setup Menu is displayed.

b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.

c. Select the menu number of the package that you want to configure, one at a time. For assistance with configuration options, see Chapter 16, “pdconfig options,” on page 217.

When a message appears indicating that the package has been successfully configured, press Enter to configure another package or select the x option twice to close the configuration utility.

This completes the setup of a runtime system. To set up another Tivoli Access Manager system, follow steps in the “Installation process” on page 17.


HP-UX: Installing a runtime system

The following procedure uses swinstall to install software packages and the pdconfig utility to configure them.

To install Tivoli Access Manager on HP-UX, follow these steps:

1. Log on as root.

2. Ensure that the registry server and policy server are up and running (in normal mode).

3. Insert the IBM Tivoli Access Manager Base for HP-UX CD.

4. Start pfs_mountd and then pfsd in the background, if they are not running. Mount the CD with the pfs_mount command. For example, enter the following:

/usr/sbin/pfs_mount /dev/dsk/c0t0d0 /cd-rom

where /dev/dsk/c0t0d0 is the CD device and /cd-rom is the mount point.

5. Install GSKit. For instructions, see page 145.

6. Install the IBM Tivoli Directory Client. For instructions, see page 150.

7. From the root directory on the CD, enter the following to install the LDAP patch:

am_update_ldap.sh

8. Install the Access Manager Runtime package:

swinstall -s /cd-rom/hp PDRTE

where /cd-rom/hp is the directory and PDRTE is the runtime package.

9. To view status and messages in a language other than English (default), you must install your language support package before configuring packages. For instructions, see “Installing language support packages” on page 35.

10. Configure the Access Manager Runtime package as follows:

a. Start the configuration utility:

pdconfig

The Tivoli Access Manager Setup Menu is displayed.

b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.

Select the menu number of the package that you want to configure. For assistance with configuration options, see Chapter 16, “pdconfig options,” on page 217.

When a message appears indicating that the package has been successfully configured, select the x option twice to close the configuration utility.

11. Unmount the CD as follows:

pfs_umount -c /cd-rom

where /cd-rom is the mount point.

This completes the setup of a Tivoli Access Manager runtime system. To set up another Tivoli Access Manager system, follow steps in the “Installation process” on page 17.


Linux: Installing a runtime system

The following procedure uses rpm to install software packages and the pdconfig utility to configure them.

To install Tivoli Access Manager packages on Linux, follow these steps.

Note: Linux on zSeries users: You must first obtain access to the Linux rpm files from the IBM Tivoli Access Manager for Linux on zSeries CD.

1. Log on as root.

2. Ensure that the registry server and policy server are up and running (in normal mode).

3. Insert the IBM Tivoli Access Manager Base CD for xSeries, zSeries, or pSeries and iSeries and mount it.

4. Change to the /mnt/cdrom/series directory where /mnt/cdrom is the mount point for your CD and series specifies xSeries, zSeries, or pSeries.

5. Install GSKit. For instructions, see page 146.

6. Install the IBM Tivoli Directory Client. For instructions, see page 151.

7. Install the Access Manager Runtime package:

rpm -ihv package

where package is one of the following:

v Linux on xSeries: PDRTE-PD-5.1.0-0.i386.rpm

v Linux on zSeries: PDRTE-PD-5.1.0-0.s390.rpm

v Linux on pSeries and iSeries: PDRTE-PD-5.1.0-0.ppc.rpm

8. To view status and messages in a language other than English (default), you must install your language support package before configuring packages. For instructions, see “Installing language support packages” on page 35.

9. Configure the Access Manager Runtime package as follows:

a. Start the configuration utility:

pdconfig

The Tivoli Access Manager Setup Menu is displayed.

b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.

When a message appears indicating that the package has been successfully configured, select the x option twice to close the configuration utility.

This completes the setup of a Tivoli Access Manager runtime system. To set up another Tivoli Access Manager system, follow steps in the “Installation process” on page 17.
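The rpm steps in this section and in “Linux: Installing a policy proxy server” in Chapter 9 differ only in which packages are installed and in which order. The following POSIX shell script is an added example and is not part of the IBM guide or of the product: it uses the rpm file names the guide lists, installs the Runtime before the Policy Proxy Server (the order the guide requires), checks that every package file is present under the series directory before calling rpm so that a missing file cannot leave a half-installed system, and refuses to install unless run as root. The mapping from uname -m output to the i386, s390 and ppc suffixes is an assumption; because the guide lists the Policy Proxy Server rpm only for xSeries and zSeries, the script rejects a proxy install on pSeries.

```shell
#!/bin/sh
# Added example, not from the IBM guide: wrapper for the Linux rpm steps of
# Chapter 9 (runtime + policy proxy server) and Chapter 10 (runtime only).
# Package file names are those the guide lists; the uname -m mapping below
# is an assumption.

# Map a machine type (as printed by uname -m) to the rpm architecture suffix.
rpm_arch() {
    case $1 in
        i?86)       echo i386 ;;
        s390|s390x) echo s390 ;;
        ppc|ppc64)  echo ppc ;;
        *) echo "unsupported architecture: $1" >&2; return 1 ;;
    esac
}

# Print the rpm file names for the requested components, Runtime first.
# Usage: am_packages ARCH COMPONENT...   (components: runtime, proxy)
am_packages() {
    arch=$1; shift
    [ $# -gt 0 ] || { echo "no components requested" >&2; return 1; }
    want_runtime=0; want_proxy=0
    for c in "$@"; do
        case $c in
            runtime) want_runtime=1 ;;
            proxy)   want_proxy=1 ;;
            *) echo "unknown component: $c" >&2; return 1 ;;
        esac
    done
    if [ "$want_proxy" -eq 1 ]; then
        # The guide lists the proxy rpm only for xSeries (i386) and zSeries (s390).
        case $arch in
            i386|s390) ;;
            *) echo "no policy proxy server package for $arch" >&2; return 1 ;;
        esac
        want_runtime=1   # the proxy package requires the runtime
    fi
    if [ "$want_runtime" -eq 1 ]; then echo "PDRTE-PD-5.1.0-0.$arch.rpm"; fi
    if [ "$want_proxy" -eq 1 ]; then echo "PDMgrPrxy-PD-5.1.0-0.$arch.rpm"; fi
    return 0
}

# Build the rpm command line, verifying that every package file exists under
# PKG_DIR (the /mnt/cdrom/series directory) before anything is installed.
# Usage: am_rpm_command PKG_DIR MACHINE COMPONENT...
am_rpm_command() {
    pkg_dir=$1; machine=$2; shift 2
    arch=$(rpm_arch "$machine") || return 1
    pkgs=$(am_packages "$arch" "$@") || return 1
    cmd="rpm -ihv"
    for p in $pkgs; do
        if [ ! -f "$pkg_dir/$p" ]; then
            echo "missing package file: $pkg_dir/$p" >&2
            return 1
        fi
        cmd="$cmd $pkg_dir/$p"
    done
    echo "$cmd"
}

# Install, or with DRY_RUN=1 only print the command. rpm -i needs root, so
# refuse early instead of failing part-way through.
# Usage: am_install PKG_DIR "$(uname -m)" runtime [proxy]
am_install() {
    cmd=$(am_rpm_command "$@") || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$cmd"
        return 0
    fi
    if [ "$(id -u)" -ne 0 ]; then
        echo "must be root to install packages" >&2
        return 1
    fi
    $cmd
}
```

After the packages are installed, configuration still happens through pdconfig as the procedure describes; the script only covers the rpm step, and DRY_RUN=1 lets you confirm the exact command line before running it as root.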

Solaris: Installing a runtime system

The following procedure uses pkgadd to install software packages and the pdconfig utility to configure them.

To install the Tivoli Access Manager packages, follow these steps:

1. Log on as root.

2. Ensure that the registry server and policy server are up and running (in normal mode).


3. Insert the IBM Tivoli Access Manager Base for Solaris CD.

4. Install GSKit. For instructions, see page 147.

5. Install the IBM Tivoli Directory Client. For instructions, see page 151.

6. Install the Access Manager Runtime package:

pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault PDRTE

where -d /cdrom/cdrom0/solaris specifies the location of the package and -a /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script.

When the installation process is complete for each package, the following message is displayed:

Installation of package successful.

7. To view status and messages in a language other than English (default), you must install your language support package before configuring packages. For instructions, see “Installing language support packages” on page 35.

8. Configure the Access Manager Runtime package as follows:

a. Start the configuration utility:

pdconfig

The Tivoli Access Manager Setup Menu is displayed.

b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.

c. Select the menu number of the package that you want to configure. For assistance with configuration options, see Chapter 16, “pdconfig options,” on page 217.

When a message appears indicating that the package has been successfully configured, press Enter to configure another package or select the x option twice to close the configuration utility.

This completes the setup of a Tivoli Access Manager runtime system. To set up another Tivoli Access Manager system, follow steps in the “Installation process” on page 17.

Windows: Installing a runtime system

The following procedure uses the setup.exe program to install software packages and the pdconfig utility to configure them.

To install a Tivoli Access Manager runtime system, follow these steps:

1. Log on as a user with administrator privileges.

2. Ensure that the registry server and policy server are up and running (in normal mode).

3. Insert the IBM Tivoli Access Manager Base for Windows NT, Windows XP, Windows 2000 and Windows 2003 CD.

4. Install GSKit. For instructions, see page 147.

5. Install the IBM Tivoli Directory Client. For instructions, see page 152.

6. Install the Access Manager Runtime package. To do so, run the setup.exe program located in the following directory:

windows\PolicyDirector\Disk Images\Disk1


Follow the online instructions to complete the installation.

7. To view status and messages in a language other than English (default), install your language support package before configuring packages. For instructions, see “Installing language support packages” on page 35.

8. Configure the Access Manager Runtime package as follows:

a. Start the configuration utility:

pdconfig

The Access Manager Configuration window is displayed.

b. Select the Access Manager Runtime package and click Configure.

You are prompted for configuration options. For assistance with these configuration options, see Chapter 16, “pdconfig options,” on page 217.

This completes the setup of a Tivoli Access Manager runtime system. To set up another Tivoli Access Manager system, follow steps in the “Installation process” on page 17.


Chapter 11. Setting up a Web Portal Manager system

This chapter provides information about installing and configuring a Tivoli Access Manager Web Portal Manager system.

You can set up this system using one of the following installation methods:

v “Installing using the installation wizard”

v “Installing using native utilities” on page 133

Installing using the installation wizard

The install_amwpm installation wizard simplifies the setup of a Tivoli Access Manager Web Portal Manager system by installing and configuring the following components in the appropriate order:

v IBM WebSphere Application Server, Version 5.0.2, including IBM HTTP Server, Version 1.3.26

v Access Manager Java Runtime Environment, Version 5.1

v Access Manager Web Portal Manager, Version 5.1

Note: The wizard detects if a component is installed and does not attempt to re-install it.

To install and configure a Web Portal Manager system using the install_amwpm wizard, follow these steps.

Note: The Web Portal Manager installation wizard is not available on HP-UX. If you are installing Web Portal Manager on HP-UX, see the instructions in “HP-UX: Installing a Web Portal Manager system” on page 135.

1. Ensure that all necessary operating system patches are installed. For information, see “Supported platforms, including required patches” on page 26.

2. Ensure that the registry server and policy server are up and running (in normal mode).

3. Ensure that IBM JRE 1.3.1 (1.3.1.5 on AIX) is installed before running the installation wizard. For instructions, see page 153.

Note: If you configure Web Portal Manager against JREs other than the supported IBM JRE, configuration might fail.

4. To view status and messages in a language other than English (default), install a language support package before running an installation wizard. For instructions, see “Installing language support packages” on page 35.

5. Ensure that you have a supported Web browser installed on a system in your secure domain. Web Portal Manager supports:

v Netscape Navigator 4.7x and 7.0

v Microsoft Internet Explorer 5.5 and 6.0

6. On Windows systems only, exit from all running programs.

7. Run the install_amwpm program, located in the root directory on the Tivoli Access Manager Web Administration Interfaces CD for AIX, Linux, Solaris, Windows 2000, and Windows 2003 platforms.


The installation wizard begins by prompting you for configuration information as described in “install_amwpm” on page 213. After you supply this information (or accept default values), the components are installed and configured without further intervention.

8. If you are installing on AIX, Linux on xSeries, Solaris, or Windows 2000, install fix pack 2 as follows.

Note: Other supported platforms are already installed at a WebSphere Application Server 5.0.2 level.

a. Stop the WebSphere Application Server and the IBM HTTP Server. If you installed an LDAP registry server on the same machine, also ensure that the LDAP server is stopped.

b. Ensure that the JAVA_HOME system variable is set.

c. Insert the IBM Tivoli Access Manager WebSphere Fix Pack CD for your platform.

d. Copy the contents of  the CD to a temporary directory on your hard drive.

e. Run the updateWizard script (UNIX) or batch file (Windows), located in the platform/websphere_fixpack subdirectory (where you copied the CD contents). The Update Installation Wizard is displayed.

f. Follow the online instructions to install fix pack 2. Ensure that you type the temporary directory where you copied the fix pack files. For example, if you copied the websphere_fixpack directory from CD to the C:\temp directory on your system, enter the following in the Fix pack directory field:

C:\temp\websphere_fixpack\fixpacks

When installation has completed, click Finish.

Note: Tivoli Access Manager does not require Embedded Messaging. This installation wizard does not install this feature. If you already have Embedded Messaging set up for your WebSphere Application Server 5.0, you can choose to update this feature.

g. Configure the Access Manager Java Runtime Environment component for use within the JRE installed with WebSphere. To do so, follow these steps:

1) Change to the /opt/PolicyDirector/sbin directory and enter the following command:

./pdjrtecfg -action config -interactive

2) Select the Full configuration type.

3) Specify the JRE that was installed with IBM WebSphere Application Server. For example:

/usr/WebSphere/AppServer/java/jre

4) Specify the policy server host name, port, and domain.

Note: For more information about this utility, see “pdjrtecfg” on page 288.

h. Restart the WebSphere Application Server and the IBM HTTP Server as follows:

1) To restart the WebSphere Application Server, do one of the following:

v On UNIX systems, run the stopServer.sh and startServer.sh scripts, located in the /usr/WebSphere/AppServer/bin directory (/opt/WebSphere/AppServer/bin on Linux and Solaris), as follows:


./stopServer.sh server1

./startServer.sh server1

v For Windows 2000 systems, select Start → Settings → Control Panel → Administrative Tools and then double-click the Services icon to restart this server.

2) To restart the IBM HTTP Server, do one of the following:

v On AIX systems, enter the following:

/usr/HTTPServer/apachectl restart

v On HP-UX, Linux on xSeries, and Solaris systems, enter the following:

/opt/IBMHTTPServer/apachectl restart

v For Windows 2000 systems, select Start → Settings → Control Panel → Administrative Tools and then double-click the Services icon to restart this server.

9. To access the Web Portal Manager interface, enter the following address in your Web browser:

http://hostname/pdadmin

where hostname is the name of the system where IBM WebSphere Application Server is running the IBM HTTP Server.

This completes the setup of a Web Portal Manager system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 17. For information about Web Portal Manager administration tasks, see the IBM Tivoli Access Manager Base Administration Guide.

Note that Tivoli Access Manager does not ship a default certificate that would let Web Portal Manager use a secure (HTTPS) connection between the browser and the IBM HTTP Server used by WebSphere Application Server. Until you configure one, the interface at http://hostname/pdadmin is served over plain HTTP, so the sec_master password entered at logon and the administrative session that follows cross the network unencrypted. Obtain a certificate from a certificate authority and configure it into the Web Portal Manager environment before exposing the interface beyond a trusted administration network.

Installing using native utilities

The following sections enable you to install Tivoli Access Manager software using a familiar platform-specific utility. Unlike automated installation wizards, you must manually install each component and any prerequisite software in the appropriate order. To configure software packages after installation, use the pdjrtecfg and amwpmcfg utilities as described in the following procedures.

Complete the instructions that apply to your operating system:

v AIX on page 133

v HP-UX on page 135

v Linux on page 137

v Solaris on page 139

v Windows on page 141

AIX: Installing a Web Portal Manager system

The following procedure uses installp to install software packages and the pdjrtecfg and amwpmcfg utilities to configure them.

To install a Tivoli Access Manager Web Portal Manager system on AIX, complete the following steps:


1. Log on as root.

2. Ensure that the registry server and policy server are up and running (in normal mode).

3. Ensure that you have a supported Web browser installed on a system in your secure domain. Web Portal Manager supports:

v Netscape Navigator 4.7x and 7.0

v Microsoft Internet Explorer 5.5 and 6.0

4. Ensure that IBM JRE 1.3.1.5 is installed. For instructions, see page 153.

Note: If you configure Web Portal Manager against JREs other than the supported IBM JRE, configuration might fail.

5. Install IBM WebSphere Application Server. For instructions, see page 157.

6. Insert the IBM Tivoli Access Manager Web Administration Interfaces for AIX CD and mount it.

7. Install the following packages:

installp -acgXd cd_mount_point/usr/sys/inst.images packages

where cd_mount_point/usr/sys/inst.images is the directory where the CD is mounted and packages are as follows:

PDJ.rte Specifies the Access Manager Java Runtime Environment package.

PD.WPM Specifies the Access Manager Web Portal Manager package.

Note: These packages must be installed on the same system as IBM WebSphere Application Server.

8. To view status and messages in a language other than English (default), install your language support package before configuring packages. For instructions, see “Installing language support packages” on page 35.

9. Configure the Access Manager Java Runtime Environment component for use within the JRE installed with WebSphere. To do so, follow these steps:

a. Change to the /opt/PolicyDirector/sbin directory and enter the following command:

./pdjrtecfg -action config -interactive

b. Select the Full configuration type.

c. Specify the JRE that was installed with IBM WebSphere Application Server. For example:

/usr/WebSphere/AppServer/java/jre

d. Specify the policy server host name, port, and domain.

Note: For more information about this utility, see “pdjrtecfg” on page 288.

10. Configure the Access Manager Web Portal Manager package:

./amwpmcfg -action config -interactive

Note: For more information about this utility, see “amwpmcfg” on page 274.

11. Before you start the Web Portal Manager interface, restart the WebSphere Application Server and the IBM HTTP Server.

To restart the WebSphere Application Server, run the stopServer.sh and startServer.sh scripts, located in the /usr/WebSphere/AppServer/bin directory, as follows:

./stopServer.sh server1

./startServer.sh server1


To restart the IBM HTTP Server, enter the following:

/usr/HTTPServer/apachectl restart

Note: If you installed a registry server that does not use IBM HTTP Server and you are installing Web Portal Manager on the same system, ensure that the Web server ports are different. To change the IBM HTTP Server default port, edit the /usr/HTTPServer/conf/httpd.conf file, change default port 80 to 8080 as shown, and then restart the IBM HTTP Server.

# Port: The port the standalone listens to.
Port 8080

12. To access the Web Portal Manager interface, enter the following address in your Web browser:

http://hostname/pdadmin

where hostname is the name of the system where IBM WebSphere Application Server is running the IBM HTTP Server.

This completes the setup of a Web Portal Manager system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 17. For information about Web Portal Manager administration tasks, see the IBM Tivoli Access Manager Base Administration Guide.

Note that Tivoli Access Manager does not ship a default certificate to enable Web Portal Manager to have a secure connection between the browser and the HTTP server used by WebSphere Application Server; until you configure one, the sec_master password entered at http://hostname/pdadmin crosses the network in clear text. It is recommended that you obtain a certificate from a certificate authority and configure it into the Web Portal Manager environment.

HP-UX: Installing a Web Portal Manager system

The following procedure uses swinstall to install software packages and the pdjrtecfg and amwpmcfg utilities to configure them.

To install a Tivoli Access Manager Web Portal Manager system on HP-UX, complete the following steps:

1. Log on as root.

2. Ensure that the registry server and policy server are up and running (in normal mode).

3. Ensure that you have a supported Web browser installed on a system in your secure domain. Web Portal Manager supports:

v Netscape Navigator 4.7x and 7.0

v Microsoft Internet Explorer 5.5 and 6.0

4. Ensure that IBM JRE 1.3.1 is installed. For instructions, see page 153.

Note: If you configure Web Portal Manager against JREs other than the supported IBM JRE, configuration might fail.

5. Install IBM WebSphere Application Server. For instructions, see page 159.

6. Insert the IBM Tivoli Access Manager Web Administration Interfaces for HP-UX CD.

7. Start pfs_mountd and then pfsd in the background, if they are not running. Mount the CD with the pfs_mount command. For example, enter the following:


/usr/sbin/pfs_mount /dev/dsk/c0t0d0 /cd-rom

where /dev/dsk/c0t0d0 is the CD device and /cd-rom is the mount point.

8. Install the following packages:

swinstall -s /cd-rom/hp packages

where /cd-rom/hp specifies the directory and packages are as follows:

PDJrte Specifies the Access Manager Java Runtime Environment package.

PDWPM Specifies the Access Manager Web Portal Manager package.

Note: These packages must be installed on the same system as IBM WebSphere Application Server.

9. To view status and messages in a language other than English (default), install your language support package before configuring packages. For instructions, see “Installing language support packages” on page 35.

10. Configure the Access Manager Java Runtime Environment component for use within the JRE installed with WebSphere. To do so, follow these steps:

a. Change to the /opt/PolicyDirector/sbin directory and enter the following command:

./pdjrtecfg -action config -interactive

b. Select the Full configuration type.

c. Specify the JRE that was installed with IBM WebSphere Application Server. For example:

/usr/WebSphere/AppServer/java/jre

d. Specify the policy server host name, port, and domain.

Note: For more information about this utility, see “pdjrtecfg” on page 288.

11. Configure the Access Manager Web Portal Manager package:

./amwpmcfg -action config -interactive

Note: For more information about this utility, see “amwpmcfg” on page 274.

12. Unmount the CD as follows:

pfs_umount -c /cd-rom

where /cd-rom is the mount point.

13. Before you start the Web Portal Manager interface, restart the WebSphere Application Server and the IBM HTTP Server.

To restart the WebSphere Application Server, run the stopServer.sh and startServer.sh scripts, located in the /usr/WebSphere/AppServer/bin directory, as follows:

./stopServer.sh server1

./startServer.sh server1

To restart the IBM HTTP Server, enter the following:

/opt/IBMHTTPServer/apachectl restart

Note: If you installed a registry server that does not use IBM HTTP Server and you are installing Web Portal Manager on the same system, ensure that the Web server ports are different. To change the IBM HTTP Server default port, edit the /opt/IBMHTTPServer/conf/httpd.conf file, change default port 80 to 8080 as shown, and then restart the IBM HTTP Server.

# Port: The port the standalone listens to.
Port 8080

14. To access the Web Portal Manager interface, enter the following address in your Web browser:

http://hostname/pdadmin

where hostname is the name of the system where IBM WebSphere Application Server is running the IBM HTTP Server.

This completes the setup of a Web Portal Manager system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 17. For information about Web Portal Manager administration tasks, see the IBM Tivoli Access Manager Base Administration Guide.

Note that Tivoli Access Manager does not ship a default certificate to enable Web Portal Manager to have a secure connection between the browser and the HTTP server used by WebSphere Application Server; until you configure one, the sec_master password entered at http://hostname/pdadmin crosses the network in clear text. It is recommended that you obtain a certificate from a certificate authority and configure it into the Web Portal Manager environment.

Linux: Installing a Web Portal Manager system

The following procedure uses rpm to install software packages and the pdjrtecfg and amwpmcfg utilities to configure them.

To install a Tivoli Access Manager Web Portal Manager system on Linux, complete the following steps:

1. Log on as root.

2. Ensure that the registry server and policy server are up and running (in normal mode).

3. Ensure that you have a supported Web browser installed on a system in your secure domain. Web Portal Manager supports:

v Netscape Navigator 4.7x and 7.0

v Microsoft Internet Explorer 5.5 and 6.0

4. Ensure that IBM JRE 1.3.1 is installed. For instructions, see page 154.

Note: If you configure Web Portal Manager against JREs other than the supported IBM JRE, configuration might fail.

5. Install IBM WebSphere Application Server. For instructions, see page 161.

6. Insert the IBM Tivoli Access Manager Web Administration Interfaces CD for xSeries, zSeries, or pSeries and iSeries and mount it.

7. Change to the /mnt/cdrom/series directory, where /mnt/cdrom is the mount point for your CD and series specifies xSeries, zSeries, or pSeries.

8. Install the following packages:

rpm -ihv packages


where packages are as follows:

Platform                      Access Manager Java Runtime Environment   Access Manager Web Portal Manager
Linux on xSeries              PDJrte-PD-5.1.0-0.i386.rpm                PDWPM-PD-5.1.0-0.i386.rpm
Linux on zSeries              PDJrte-PD-5.1.0-0.s390.rpm                PDWPM-PD-5.1.0-0.s390.rpm
Linux on pSeries and iSeries  PDJrte-PD-5.1.0-0.ppc.rpm                 PDWPM-PD-5.1.0-0.ppc.rpm

Note: These packages must be installed on the same system as IBM WebSphere Application Server.

9. To view status and messages in a language other than English (default), install your language support package before configuring packages. For instructions, see “Installing language support packages” on page 35.

10. Configure the Access Manager Java Runtime Environment component for use within the JRE installed with WebSphere. To do so, follow these steps:

a. Change to the /opt/PolicyDirector/sbin directory and enter the following command:

./pdjrtecfg -action config -interactive

b. Select the Full configuration type.

c. Specify the JRE that was installed with IBM WebSphere Application Server. For example:

/opt/WebSphere/AppServer/java/jre

d. Specify the policy server host name, port, and domain.

Note: For more information about this utility, see “pdjrtecfg” on page 288.

11. Configure the Access Manager Web Portal Manager package:

./amwpmcfg -action config -interactive

Note: For more information about this utility, see “amwpmcfg” on page 274.

12. Before you start the Web Portal Manager interface, restart the WebSphere Application Server and the IBM HTTP Server.

To restart the WebSphere Application Server, run the stopServer.sh and startServer.sh scripts, located in the /opt/WebSphere/AppServer/bin directory, as follows:

./stopServer.sh server1

./startServer.sh server1

To restart the IBM HTTP Server, enter the following:

/opt/IBMHTTPServer/apachectl restart

Note: If you installed a registry server that does not use IBM HTTP Server and you are installing Web Portal Manager on the same system, ensure that the Web server ports are different. To change the IBM HTTP Server default port, edit the /opt/IBMHTTPServer/conf/httpd.conf file, change default port 80 to 8080 as shown, and then restart the IBM HTTP Server.

# Port: The port the standalone listens to.
Port 8080

13. To access the Web Portal Manager interface, enter the following address in your Web browser:

http://hostname/pdadmin


where hostname is the name of the system where IBM WebSphere Application Server is running the IBM HTTP Server.

This completes the setup of a Web Portal Manager system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 17. For information about Web Portal Manager administration tasks, see the IBM Tivoli Access Manager Base Administration Guide.

Note that Tivoli Access Manager does not ship a default certificate to enable Web Portal Manager to have a secure connection between the browser and the HTTP server used by WebSphere Application Server; until you configure one, the sec_master password entered at http://hostname/pdadmin crosses the network in clear text. It is recommended that you obtain a certificate from a certificate authority and configure it into the Web Portal Manager environment.

Solaris: Installing a Web Portal Manager system

The following procedure uses pkgadd to install software packages and the pdjrtecfg and amwpmcfg utilities to configure them.

To install and configure a Web Portal Manager system on Solaris, follow these steps:

1. Log on as root.

2. Ensure that the registry server and policy server are up and running (in normal mode).

3. Ensure that you have a supported Web browser installed on a system in your secure domain. Web Portal Manager supports:

v Netscape Navigator 4.7x and 7.0

v Microsoft Internet Explorer 5.5 and 6.0

4. Ensure that IBM JRE 1.3.1 is installed. For instructions, see page 155.

Note: If you configure Web Portal Manager against JREs other than the supported IBM JRE, configuration might fail.

5. Install IBM WebSphere Application Server. For instructions, see page 162.

6. Insert the IBM Tivoli Access Manager Web Administration Interfaces for Solaris CD.

7. Install the following packages (one at a time):

pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault packages

where:

-d /cdrom/cdrom0/solaris
Specifies the location of the package.

-a /cdrom/cdrom0/solaris/pddefault
Specifies the location of the installation administration script.

and packages are as follows:

PDJrte Specifies the Access Manager Java Runtime Environment package.

PDWPM Specifies the Access Manager Web Portal Manager package.

Note: These packages must be installed on the same system as IBM WebSphere Application Server.


8. To view status and messages in a language other than English (default), install your language support package before configuring packages. For instructions, see “Installing language support packages” on page 35.

9. Configure the Access Manager Java Runtime Environment component for use within the JRE installed with WebSphere. To do so, follow these steps:

a. Change to the /opt/PolicyDirector/sbin directory and enter the following command:

./pdjrtecfg -action config -interactive

b. Select the Full configuration type.

c. Specify the JRE that was installed with IBM WebSphere Application Server. For example:

/opt/WebSphere/AppServer/java/jre

d. Specify the policy server host name, port, and domain.

Note: For more information about this utility, see “pdjrtecfg” on page 288.

e. Configure the Access Manager Web Portal Manager package:

./amwpmcfg -action config -interactive

Note: For more information about this utility, see “amwpmcfg” on page 274.

10. Before you start the Web Portal Manager interface, restart the WebSphere Application Server and the IBM HTTP Server.

To restart the WebSphere Application Server, run the stopServer.sh and startServer.sh scripts, located in the /opt/WebSphere/AppServer/bin directory, as follows:

./stopServer.sh server1

./startServer.sh server1

To restart the IBM HTTP Server, enter the following:

/opt/IBMHTTPServer/bin/apachectl restart

Note: If you installed a registry server that does not use IBM HTTP Server and you are installing Web Portal Manager on the same system, ensure that the Web server ports are different. To change the IBM HTTP Server default port, edit the /opt/IBMHTTPServer/conf/httpd.conf file, change default port 80 to 8080 as shown, and then restart the IBM HTTP Server.

# Port: The port the standalone listens to.
Port 8080
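The port-change note above, and the identical note in the AIX, HP-UX and Linux procedures, describes editing the Port directive by hand. The following shell script is an added example, not code from IBM or part of the Tivoli Access Manager product: it reads and rewrites the active Port directive in an httpd.conf file, leaves the commented "# Port:" line alone, keeps a backup, verifies the result, and reports whether two configuration files would put their servers on the same port. The httpd.conf fragment and its ServerName are constructed for the demonstration; the file paths are arguments, so the functions work with /usr/HTTPServer/conf/httpd.conf or /opt/IBMHTTPServer/conf/httpd.conf.

```shell
#!/bin/sh
# Added example for the port-change note above; not IBM code and not part of
# the Tivoli Access Manager product. It automates the by-hand edit the note
# describes: find the active "Port" directive in an IBM HTTP Server 1.3.x
# httpd.conf, rewrite it, keep a backup, and verify the result.
# Assumptions: Apache 1.3 style "Port NNN" directive (as the note shows),
# '#' comment lines, and a POSIX sh with awk available.

# ihs_get_port CONF
#   Print the port from the last uncommented "Port" line in CONF (nothing if
#   there is none). The commented "# Port: ..." line is skipped, not matched.
ihs_get_port() {
    awk '
        /^[ \t]*#/   { next }            # comment lines are not directives
        $1 == "Port" { port = $2 }       # remember the last active value
        END          { if (port != "") print port }
    ' "$1"
}

# ihs_set_port CONF NEWPORT
#   Replace every active "Port" directive with NEWPORT, leaving comments and
#   all other directives untouched, then re-read CONF to confirm. Returns 2 on
#   a bad port argument, 1 on an I/O failure, 0 on verified success.
ihs_set_port() {
    conf=$1
    newport=$2
    case $newport in
        ''|*[!0-9]*) echo "ihs_set_port: port must be numeric" >&2; return 2 ;;
    esac
    if [ "$newport" -lt 1 ] || [ "$newport" -gt 65535 ]; then
        echo "ihs_set_port: port $newport is out of range" >&2
        return 2
    fi
    cp "$conf" "$conf.bak" || return 1      # keep the original for rollback
    awk -v p="$newport" '
        /^[ \t]*#/   { print; next }        # comments pass through verbatim
        $1 == "Port" { print "Port " p; next }
        { print }
    ' "$conf.bak" > "$conf" || return 1
    [ "$(ihs_get_port "$conf")" = "$newport" ]
}

# ports_conflict CONF_A CONF_B
#   Succeed (return 0) when both files put their server on the same port,
#   which is the clash the note warns about when two Web servers share a host.
ports_conflict() {
    a=$(ihs_get_port "$1")
    b=$(ihs_get_port "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# write_sample_conf FILE
#   Constructed httpd.conf fragment used only for this demonstration; the
#   ServerName is invented. Note the commented "#Port 8080" line that a naive
#   sed substitution of "Port 80" would have garbled.
write_sample_conf() {
    cat > "$1" <<'EOF'
# Port: The port the standalone listens to.
#Port 8080
ServerName wpm.example.com
Port 80
EOF
}

# Stand-alone demonstration against a temporary copy, never a live server.
tmp=$(mktemp -d)
write_sample_conf "$tmp/httpd.conf"
echo "before: Port $(ihs_get_port "$tmp/httpd.conf")"
if ihs_set_port "$tmp/httpd.conf" 8080; then
    echo "after:  Port $(ihs_get_port "$tmp/httpd.conf")"
fi
rm -rf "$tmp"
```

To apply it to a real server, run ihs_set_port against the httpd.conf path for your platform as root and then restart IBM HTTP Server with apachectl as the procedure describes; ports_conflict compares two Apache-style configuration files, so if the registry server's Web server is something else, compare against that server's own configured port instead.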

11. To access the Web Portal Manager interface, enter the following address in your Web browser:

http://hostname/pdadmin

where hostname is the name of the system where IBM WebSphere Application Server is running the IBM HTTP Server.

This completes the setup of a Web Portal Manager system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 17. For information about Web Portal Manager administration tasks, see the IBM Tivoli Access Manager Base Administration Guide.

Note that Tivoli Access Manager does not ship a default certificate to enable Web Portal Manager to have a secure connection between the browser and the HTTP server used by WebSphere Application Server; until you configure one, the sec_master password entered at http://hostname/pdadmin crosses the network in clear text. It is recommended that you obtain a certificate from a certificate authority and configure it into the Web Portal Manager environment.

Windows: Installing a Web Portal Manager system

The following procedure uses setup.exe to install software packages and the pdjrtecfg and amwpmcfg utilities to configure them.

To install and configure a Web Portal Manager system on Windows, follow these steps:

1. Log on as a user with administrator privileges.

2. Ensure that the registry server and policy server are up and running (in normal mode).

3. Ensure that you have a supported Web browser installed on a system in your secure domain. Web Portal Manager supports:

v Netscape Navigator 4.7x and 7.0

v Microsoft Internet Explorer 5.5 and 6.0

4. Ensure that IBM JRE 1.3.1 is installed. For instructions, see page 155.

Note: If you configure Web Portal Manager against JREs other than the supported IBM JRE, configuration might fail.

5. Install IBM WebSphere Application Server. See “Windows: Installing WebSphere Application Server” on page 164.

6. Insert the IBM Tivoli Access Manager Web Administration Interfaces CD for Windows 2000 or Windows 2003.

7. Install the Access Manager Java Runtime Environment and Access Manager Web Portal Manager packages. To do so, run the setup.exe file located in the following directory:

windows\PolicyDirector\Disk Images\Disk1

Follow the online instructions to complete the installation.

Note: These packages must be installed on the same system as IBM WebSphere Application Server.

8. To view status and messages in a language other than English (default), install your language support package before configuring packages. For instructions, see “Installing language support packages” on page 35.

9. Configure the Access Manager Java Runtime Environment component for use within the JRE installed with WebSphere. To do so, follow these steps:

a. Change to the install_dir\sbin directory (for example, C:\Program Files\Tivoli\Policy Director\sbin), and enter the following command:

pdjrtecfg -action config -interactive

b. Select the Full configuration type and click Next. For descriptions of the configuration options, click Help.

c. Specify the  JRE that was installed with IBM WebSphere Application Server.For example:

C:\Program Files\WebSphere\AppServer\java\jre

Click Next to continue.

d. Specify the policy server host name, port, and domain. Click OK to startconfiguration.


e. When configuration has completed successfully, click OK to exit the configuration utility.

Note: For more information about this utility, see “pdjrtecfg” on page 288.

10. Configure the Access Manager Web Portal Manager package. To do so, follow these steps:

a. Change to the install_dir\sbin directory (for example, C:\Program Files\Tivoli\Policy Director\sbin), and enter the following command:

amwpmcfg -action config -interactive

Note: For more information about this utility, see “amwpmcfg” on page 274.

b. Specify the installation path where IBM WebSphere Application Server is installed. For example, the default path is:

C:\Program Files\WebSphere\AppServer

Click Next to continue.

c. Specify the policy server host name and port. Click OK to continue.

d. Specify the Tivoli Access Manager administrator name (sec_master),administrator password, and domain. Click OK to start configuration.

e. When configuration has completed successfully, click OK to exit theconfiguration utility.

11. Recommended: Restart the IBM WebSphere Application Server and IBM HTTP Server. For example, select Start → Settings → Control Panel → Administrative Tools and then double-click the Services icon to restart these servers.

Note: If you installed a registry server that does not use IBM HTTP Server and you are installing Web Portal Manager on the same system, ensure that the Web server ports are different. To change the IBM HTTP Server default port, edit the C:\Program Files\IBMHTTPServer\conf\httpd.conf file, change default port 80 to 8080 as shown, and then restart the IBM HTTP Server.

# Port: The port the standalone listens to.
Port 8080

12. To start the Web Portal Manager, enter the following address in your Web browser:

http://hostname/pdadmin

where hostname is the name of the system where IBM WebSphere Application Server is running the IBM HTTP Server.

This completes the setup of a Web Portal Manager system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 17. For information about Web Portal Manager administration tasks, see the IBM Tivoli Access Manager Base Administration Guide.

Note that Tivoli Access Manager does not ship a default certificate to enable Web Portal Manager to have a secure connection between the browser and the HTTP server used by WebSphere Application Server; until you configure one, the sec_master password entered at http://hostname/pdadmin crosses the network in clear text. It is recommended that you obtain a certificate from a certificate authority and configure it into the Web Portal Manager environment.


Part 3. Reference information

Chapter 12. Installing prerequisite products . . 145

Installing the Global Security Kit . . . . . . . 145
AIX: Installing the Global Security Kit . . . . 145
HP-UX: Installing the Global Security Kit . . . 145
Linux: Installing the Global Security Kit . . . 146
Solaris: Installing the Global Security Kit . . . 147
Windows: Installing the Global Security Kit . . 147
Setting up the GSKit iKeyman utility . . . . 147

Installing IBM Tivoli Directory Client . . . . . 150
AIX: Installing IBM Tivoli Directory Client . . 150
HP-UX: Installing IBM Tivoli Directory Client . 150
Linux: Installing the IBM Tivoli Directory Client . 151
Solaris: Installing IBM Tivoli Directory Client . 151
Windows: Installing IBM Tivoli Directory Client . 152

Installing IBM JRE . . . . . . . . . . . . 153
AIX: Installing IBM JRE, Version 1.3.1.5 . . . . 153
HP-UX: Installing IBM JRE, Version 1.3.1 . . . 153
Linux: Installing IBM JRE, Version 1.3.1 . . . 154
Solaris: Installing IBM JRE, Version 1.3.1 . . . 155
Windows: Installing IBM JRE, Version 1.3.1 . . 155

Installing WebSphere Application Server . . . . 157
AIX: Installing WebSphere Application Server . . 157
AIX: Installing WebSphere Application Server, fix pack 2 . . . . . . . . . . 158
HP-UX: Installing WebSphere Application Server . . . . . . . . . . . . . . . 159
HP-UX: Installing WebSphere Application Server, fix pack 2 . . . . . . . . . . 160
Linux: Installing WebSphere Application Server . 161
Linux on xSeries: Installing WebSphere Application Server, fix pack 2 . . . . . . 162
Solaris: Installing WebSphere Application Server . 162
Solaris: Installing WebSphere Application Server, fix pack 2 . . . . . . . . . . 163
Windows: Installing WebSphere Application Server . . . . . . . . . . . . . . . 164
Windows 2000: Installing WebSphere Application Server fix pack 2 . . . . . . 165

Installing the Web Administration Tool . . . . . 167
AIX: Installing the Web Administration Tool . . 167
HP-UX: Installing the Web Administration Tool . 168
Linux: Installing the Web Administration Tool . 169
Solaris: Installing the Web Administration Tool . 170
Windows: Installing the Web Administration Tool . . . . . . . . . . . . . . . 170
Installing the Web Administration Tool into WebSphere . . . . . . . . . . . . . 171

Chapter 13. Uninstalling components . . . . 173

Unconfiguring Tivoli Access Manager components 173Unconfiguring IBM Tivoli Directory Server . . . 174AIX: Removing packages . . . . . . . . . 174HP-UX: Removing packages . . . . . . . . 175Linux: Removing packages . . . . . . . . . 176Solaris: Removing packages . . . . . . . . 176Windows: Removing packages . . . . . . . 177

Chapter 14. Installation wizard scenarios . . . 179

Using the install_ldap_server wizard . . . . . 180

Pre-installation requirements . . . . . . . 180install_ldap_server scenario . . . . . . . 181Using the install_ammgr wizard . . . . . . . 189

Chapter 15. Installation wizard options . . . . 197

Access Manager Runtime (LDAP) . . . . . . 198Access Manager Runtime (Active Directory) . . . 200Access Manager Runtime (Domino) . . . . . . 203install_amacld . . . . . . . . . . . . . 205install_amadk . . . . . . . . . . . . . 207install_amjrte . . . . . . . . . . . . . 208install_ammgr . . . . . . . . . . . . . 209install_amproxy . . . . . . . . . . . . 211install_amrte . . . . . . . . . . . . . 212

install_amwpm . . . . . . . . . . . . . 213install_ldap_server . . . . . . . . . . . 214

Chapter 16. pdconfig options . . . . . . . 217

Access Manager Runtime — LDAP . . . . . . 218Access Manager Runtime — Active Directory . . 219Access Manager Runtime — Domino . . . . . 221Access Manager Authorization Server . . . . . 222Access Manager  Java Runtime Environment . . . 223Access Manager Policy Server . . . . . . . . 224Access Manager Policy Proxy Server . . . . . 225Access Manager Web Portal Manager . . . . . 226

Chapter 17. Enabling Secure Sockets Layer . . 227

Configuring IBM Tivoli Directory Server for SSLaccess . . . . . . . . . . . . . . . . 227

Creating the key database file and the certificate 228Obtaining a personal certificate from acertificate authority . . . . . . . . . . 229Creating and extracting a self-signed certificate 229Enabling SSL access . . . . . . . . . . 230

Configuring IBM z/OS and OS/390 securityservers for SSL access . . . . . . . . . . 232

Setting up the security options . . . . . . 232Creating a key database file . . . . . . . 233

Configuring Microsoft Active Directory for SSLaccess . . . . . . . . . . . . . . . . 234

Exporting the certificate on the Active Directory

server . . . . . . . . . . . . . . . 234Importing the certificate on the LDAP clientsystem . . . . . . . . . . . . . . 235Testing SSL access . . . . . . . . . . . 236

Configuring Novell eDirectory server for SSLaccess . . . . . . . . . . . . . . . . 236

Creating an organizational certificate authorityobject . . . . . . . . . . . . . . . 237Creating a self-signed certificate . . . . . . 237Creating a server certificate for the LDAP server 237Enabling SSL . . . . . . . . . . . . 238

© Copyright IBM Corp. 2001, 2003 143


Adding the self-signed CA certificate to the IBM key file . . . 238
Configuring Sun ONE Directory Server for SSL access . . . 239
Obtaining a server certificate . . . 239
Installing the server certificate . . . 240
Enabling SSL access . . . 241
Configuring IBM Tivoli Directory Client for SSL access . . . 241
Creating a key database file . . . 242
Adding a signer certificate . . . 243
Testing SSL access . . . 243
Configuring LDAP server and client authentication . . . 244
Creating a key database file . . . 244
Obtaining a personal certificate from a certificate authority . . . 245
Creating and extracting a self-signed certificate . . . 246
Adding a signer certificate . . . 247
Testing SSL access . . . 247

Chapter 18. AIX: Setting up a standby policy server . . . 249

Pre-installation requirements . . . 250
HACMP environment scenario . . . 251
Example HACMP configuration . . . 253
Part 1: Overall HACMP cluster topology . . . 254
Part 2: Cluster resources within HACMP topology . . . 256
Part 3: Application server definition within HACMP topology . . . 260
Creating a standby policy server environment . . . 261
Script: Setting UIDs for both the primary and standby systems . . . 265
Script: Linking files and directories on the primary system . . . 267
Example: Verifying primary server's directories, soft links and permissions . . . 268
Script: Linking from the AIX system files to the shared directory on the standby system . . . 270
Example: Verifying standby server's directories, soft links and permissions . . . 271

Chapter 19. Tivoli Access Manager utilities . . . 273

amwpmcfg . . . 274
ivrgy_tool . . . 277
pdbackup . . . 279
pdconfig . . . 287
pdjrtecfg . . . 288
pd_start . . . 292

Chapter 20. Using response files . . . 293

Response file template . . . 294


Chapter 12. Installing prerequisite products

Reference the following information when instructed during installation of Tivoli Access Manager Base systems in Part 2 of this guide.

Installing the Global Security Kit

IBM Global Security Kit (GSKit) provides Secure Sockets Layer (SSL) data encryption between Tivoli Access Manager systems and supported registry servers. The GSKit package also installs the iKeyman key management utility (gsk7ikm), which enables you to create key databases, public-private key pairs, and certificate requests.

Complete the instructions that apply to your operating system:

v AIX on page 145

v HP-UX on page 145

v Linux on page 146

v Solaris on page 147

v Windows on page 147

AIX: Installing the Global Security Kit

To install GSKit on AIX, follow these steps:

1. Log on as root.

2. Insert the IBM Tivoli Access Manager CD for AIX and mount it.

3. Enter the following command to install the 32-bit runtime package:

installp -acgXd cd_mount_point/usr/sys/inst.images gskta.rte

where cd_mount_point/usr/sys/inst.images is the directory where the CD is mounted.

Note: If you are installing GSKit on an IBM Tivoli Directory Server system, both the 32-bit and 64-bit runtime packages are required. To install the 64-bit package, enter the following command:

installp -acgXd cd_mount_point/usr/sys/inst.images gsksa.rte

4. To verify that GSKit is installed, enter the following:

lslpp -l | grep gsk

After you install GSKit, no configuration is necessary.

To set up the key management utility installed with GSKit, see instructions in "Setting up the GSKit iKeyman utility" on page 147. For more information, see Chapter 17, "Enabling Secure Sockets Layer," on page 227 or the IBM Global Security Kit Secure Sockets Layer and iKeyman User's Guide.

HP-UX: Installing the Global Security Kit

To install GSKit on HP-UX, follow these steps:

1. Log on as root.

2. Insert the IBM Tivoli Access Manager CD for HP-UX.


3. Start pfs_mountd and then pfsd in the background, if they are not running. Mount the CD with the pfs_mount command. For example, enter the following:

/usr/sbin/pfs_mount /dev/dsk/c0t0d0 /cd-rom

where /dev/dsk/c0t0d0 is the CD device and /cd-rom is the mount point.

4. Enter the following:

swinstall -s /cd-rom/hp/gsk7bas gsk7bas

where /cd-rom/hp is the directory.

5. Unmount the CD as follows:

pfs_umount -c /cd-rom

where /cd-rom is the mount point.

After you install GSKit, no configuration is necessary.

To set up the key management utility installed with GSKit, see instructions in "Setting up the GSKit iKeyman utility" on page 147. For more information, see Chapter 17, "Enabling Secure Sockets Layer," on page 227 or the IBM Global Security Kit Secure Sockets Layer and iKeyman User's Guide.

Linux: Installing the Global Security Kit

To install GSKit on Linux, follow these steps.

Note: Linux on zSeries users: You must first obtain access to the Linux rpm files from the IBM Tivoli Access Manager for Linux on zSeries CD.

1. Log on as root.

2. Insert the IBM Tivoli Access Manager CD for xSeries, zSeries, or pSeries and iSeries and mount it.

3. Change to the /mnt/cdrom/series directory where /mnt/cdrom is the mount point for your CD and series specifies xSeries, zSeries, or pSeries.

4. Do one of  the following:

v To install GSKit in the default location:

rpm -ih package

where package is one of the following:

– Linux on xSeries: gsk7bas-7.0-1.9.i386.rpm

– Linux on zSeries: gsk7bas-7.0-1.9.s390.rpm

– Linux on pSeries and iSeries: gsk7bas-7.0-1.0.ppc32.rpm

v To install in a specified location, be sure that you have write access to the directory and use the --noscripts flag, as follows:

rpm -ih --prefix new_location package --noscripts

where new_location specifies the path where you want to install GSKit. For example:

rpm -ihv --prefix /tmp/usr gsk7bas-7.0-1.9.i386.rpm --noscripts

After you install GSKit, no configuration is necessary.

To set up the key management utility installed with GSKit, see instructions in "Setting up the GSKit iKeyman utility" on page 147. For more information, see Chapter 17, "Enabling Secure Sockets Layer," on page 227 or the IBM Global Security Kit Secure Sockets Layer and iKeyman User's Guide.

Solaris: Installing the Global Security Kit

To install GSKit on Solaris, follow these steps:

1. Log on as root.

2. Insert the IBM Tivoli Access Manager for Solaris CD.

3. Install the Global Security Kit package:

pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault gsk7bas

where -d /cdrom/cdrom0/solaris specifies the location of the package and -a /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script.

After you install GSKit, no configuration is necessary.

To set up the key management utility installed with GSKit, see instructions in "Setting up the GSKit iKeyman utility." For more information, see Chapter 17, "Enabling Secure Sockets Layer," on page 227 or the IBM Global Security Kit Secure Sockets Layer and iKeyman User's Guide.

Windows: Installing the Global Security Kit

To install GSKit on Windows, follow these steps:

1. Log on as a user with administrator privileges.

2. Insert the IBM Tivoli Access Manager CD for Windows.

3. To install the Global Security Kit (GSKit), change to the \windows\GSKit directory on the drive where the CD is located and enter the following:

setup policydirector

4. Click Next. The Choose Destination Location dialog is displayed.

5. Accept the default destination directory or click Browse to select a path to another directory on the local system. If the directory does not exist, you must confirm that you want the directory created or specify a directory that exists.

6. Click Next to install GSKit. The Setup Complete dialog is displayed.

7. Click Finish to exit the installation program.

After you install GSKit, no configuration is necessary.

To set up the key management utility installed with GSKit, see instructions in "Setting up the GSKit iKeyman utility." For more information, see Chapter 17, "Enabling Secure Sockets Layer," on page 227 or the IBM Global Security Kit Secure Sockets Layer and iKeyman User's Guide.

Setting up the GSKit iKeyman utility

Before you run the iKeyman utility, you must set up GSKit to support Certificate Management System (CMS) key database files. To do so, follow these steps:

1. Ensure that the following components are installed on your system:

v GSKit, Version 7 (For instructions, see "Installing the Global Security Kit" on page 145.)

v IBM JRE 1.3.1 (For instructions, see "Installing IBM JRE" on page 153.)

v Access Manager Java Runtime Environment component


Note: This component does not require configuration.

For package names and installation instructions, see Chapter 8, “Setting up a Java runtime environment system,” on page 113.

2. Ensure that you set the JAVA_HOME variable to point to the directory where the JRE is installed. JAVA_HOME is $JAVA_HOME on UNIX systems and %JAVA_HOME% on Windows.

3. To set up GSKit to support Certificate Management System (CMS) key databases, follow these steps:

a. Remove the following files from the JAVA_HOME/jre/lib/ext directory (if they exist):

gskikm.jar
ibmjcaprovider.jar

b. Copy the following files from accessmgr_install_dir/java/export/pdjrte to JAVA_HOME/jre/lib/ext:

v If you have JDK, Version 1.3.1, installed:

– lib/ext/ibmjceprovider.jar

– lib/ext/ibmpkcs.jar

– lib/ext/ibmjcefw.jar

– lib/ext/local_policy.jar

– lib/ext/US_export_policy.jar

– lib/ext/ibmpkcs11.jar

v If you have JDK, Version 1.4.1, installed:

– lib/ext/ibmjceprovider.jar

– lib/ext/ibmpkcs.jar

– lib/ibmjcefw.jar

– lib/security/local_policy.jar

– lib/ext/US_export_policy.jar

– lib/ext/ibmpkcs11.jar

v To register IBM CMS and JCE service providers, do one of the following:

Note: The order in which you specify the security providers is important. Providers are tried in sequence, starting with provider 1. If the first cryptographic provider supplies a matching encryption method, that provider is used to do the encryption.

– For GSKit users to register an IBM CMS service provider, edit the JAVA_HOME/jre/lib/security/java.security file to configure the following providers:

security.provider.1=sun.security.provider.Sun
security.provider.2=com.ibm.spi.IBMCMSProvider

– For GSKit and JSSE users to register both IBM CMS and IBM JCE service providers, edit the JAVA_HOME/jre/lib/security/java.security file to configure the following providers:

security.provider.1=sun.security.provider.Sun
security.provider.2=com.ibm.spi.IBMCMSProvider
security.provider.3=com.ibm.crypto.provider.IBMJCE

4. Hardware acceleration card users only: If you plan to access cryptographic hardware, such as the IBM PCI 4758 Cryptographic Coprocessor Card, you must complete these additional steps. For example, WebSEAL can use PKCS#11 using the GSKit 7 API to access PKCS#11 devices.


a. Copy the platform-specific shared libraries from GSKIT_HOME/classes/native/native-support.zip to a directory on your system. For example, copy the native-support.zip file to /usr/lib on AIX or C:\Program Files\ibm\gsk7\lib on Windows.

b. Extract the contents of the zip file. For example, on AIX, the shared libraries are as follows:

libjpkcs11.so
libpkcslog.so
libpseudotoken.so

c. To register an IBMPKCS11 service provider, update the JAVA_HOME/jre/lib/security/java.security file as follows:

security.provider.1=sun.security.provider.Sun
security.provider.2=com.ibm.spi.IBMCMSProvider
security.provider.3=com.ibm.crypto.provider.IBMJCE
security.provider.4=com.ibm.crypto.pkcs11.provider.IBMPKCS11

d. Optional: Depending on whether you are using the gsk7ikm or gsk7cli utility, do one of the following:

v Using the gsk7ikm utility, configure the default PKCS#11 shared library for use with cryptographic operations. This saves you from typing it in each time you open the cryptographic token. You can set this default in the GSKIT_HOME/classes/ikmuser.properties file. If this file does not exist, copy it from the example, GSKIT_HOME/classes/ikmuser.sample.

Update the DEFAULT_CRYPTOGRAPHIC_MODULE to the full path to the PKCS#11 shared library supplied with the PKCS#11 device. For example, /usr/lib/pkcs11/PKCS11_API.so on AIX 5.2 is used for the IBM Cryptographic Accelerator.

When you select Open in the gsk7ikm GUI, a Cryptographic provider choice is available. The file name prompted for in the initial dialog for Cryptographic is the PKCS#11 shared library for the PKCS#11 device. This defaults to the value set for DEFAULT_CRYPTOGRAPHIC_MODULE.

v Using the gsk7cli utility, specify the cryptographic hardware provided pseudo token library in the gskit_install/classes/ikeycmd.properties file as follows:

– On Windows systems:

DEFAULT_CRYPTOGRAPHIC_MODULE=path\\pseudotoken.dll

– On UNIX systems:

DEFAULT_CRYPTOGRAPHIC_MODULE=path\\libpseudotoken.so

This completes the setup of the iKeyman utility. To use the iKeyman utility to enable SSL with a supported registry server, see Chapter 17, "Enabling Secure Sockets Layer," on page 227 or refer to the IBM Global Security Kit Secure Sockets Layer and iKeyman User's Guide.
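Step 3 of the iKeyman setup (removing the stale jars and editing the security.provider list in the required order) can be scripted. The following is an added example and is not part of the IBM guide; it assumes the JAVA_HOME/jre/lib/security/java.security layout the steps above describe and runs against a constructed sample JAVA_HOME, not a real JRE.

```shell
#!/bin/sh
# Added example, not from the IBM guide: automate step 3 of the iKeyman setup.
# It removes the stale provider jars named in step 3a and rewrites the
# security.provider.N list in JAVA_HOME/jre/lib/security/java.security so the
# providers appear in the order the guide requires (order matters: providers
# are tried in sequence starting with provider 1). All paths and file
# contents used in the demonstration are constructed sample data.

# register_cms_providers JAVA_HOME PROFILE
#   PROFILE selects which of the guide's provider lists to write:
#     cms     -> 1 Sun, 2 IBMCMSProvider                 (GSKit only)
#     jce     -> 1 Sun, 2 IBMCMSProvider, 3 IBMJCE       (GSKit and JSSE)
#     pkcs11  -> the jce list plus 4 IBMPKCS11           (hardware card users)
#   Every other line of java.security is preserved; the untouched original is
#   saved as java.security.orig so the change can be reverted.
register_cms_providers() {
    jhome=$1
    profile=$2
    secfile="$jhome/jre/lib/security/java.security"
    case $profile in
        cms|jce|pkcs11) ;;
        *) echo "register_cms_providers: unknown profile '$profile'" >&2; return 1 ;;
    esac
    if [ ! -f "$secfile" ]; then
        echo "register_cms_providers: $secfile not found" >&2
        return 1
    fi

    # Step 3a: jars left by an earlier GSKit would shadow the new providers.
    rm -f "$jhome/jre/lib/ext/gskikm.jar" "$jhome/jre/lib/ext/ibmjcaprovider.jar"

    # Keep a copy, then drop the old provider list (grep -v exits 1 when the
    # file held nothing but provider lines, which is not an error here).
    cp "$secfile" "$secfile.orig"
    grep -v '^security\.provider\.[0-9][0-9]*=' "$secfile.orig" > "$secfile" || true

    {
        echo "security.provider.1=sun.security.provider.Sun"
        echo "security.provider.2=com.ibm.spi.IBMCMSProvider"
        if [ "$profile" != cms ]; then
            echo "security.provider.3=com.ibm.crypto.provider.IBMJCE"
        fi
        if [ "$profile" = pkcs11 ]; then
            echo "security.provider.4=com.ibm.crypto.pkcs11.provider.IBMPKCS11"
        fi
    } >> "$secfile"
}

# provider_order JAVA_HOME
#   Prints the configured providers one per line in numeric order, so the
#   sequence can be checked after the rewrite (or audited on an existing JRE).
provider_order() {
    sed -n 's/^security\.provider\.\([0-9][0-9]*\)=\(.*\)$/\1 \2/p' \
        "$1/jre/lib/security/java.security" | sort -n | cut -d' ' -f2-
}

# make_sample_jre DIR
#   Builds a constructed JAVA_HOME layout (sample data, not a real JRE) in the
#   state step 3 starts from: an older provider list plus a stale gskikm.jar.
make_sample_jre() {
    mkdir -p "$1/jre/lib/security" "$1/jre/lib/ext"
    : > "$1/jre/lib/ext/gskikm.jar"
    cat > "$1/jre/lib/security/java.security" <<'EOF'
# constructed sample java.security
security.provider.1=sun.security.provider.Sun
security.provider.2=com.sun.rsajca.Provider
securerandom.source=file:/dev/urandom
EOF
}

# Stand-alone demonstration on the constructed sample.
demo_home=$(mktemp -d)
make_sample_jre "$demo_home"
register_cms_providers "$demo_home" pkcs11
echo "providers now configured, in order:"
provider_order "$demo_home"
rm -rf "$demo_home"
```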


Installing IBM Tivoli Directory Client

The IBM Tivoli Directory Client is shipped with IBM Tivoli Directory Server on the IBM Tivoli Access Manager CDs for supported AIX, HP-UX, Linux, Solaris, and Windows platforms.

You must install the IBM Tivoli Directory Client on each system that runs Tivoli Access Manager, with the following exceptions:

v The Tivoli Access Manager system is a supported Windows system that is joined to an Active Directory domain.

v You are setting up a Java runtime environment or Web Portal Manager system.

v You are using Lotus Domino as your registry server.

Complete the instructions that apply to your operating system:

v AIX on page 150

v HP-UX on page 150

v Linux on page 151

v Solaris on page 151

v Windows on page 152

AIX: Installing IBM Tivoli Directory Client

To install the IBM Tivoli Directory Client on AIX, follow these steps:

1. Log on as root.

2. Insert the IBM Tivoli Access Manager CD for AIX and mount it.

3. Enter the following:

installp -acgXd cd_mount_point/usr/sys/inst.images ldap.client ldap.max_crypto_client

where cd_mount_point/usr/sys/inst.images is the directory where the CD is mounted.

After you install the IBM Tivoli Directory Client, no configuration is necessary.

HP-UX: Installing IBM Tivoli Directory Client

To install the IBM Tivoli Directory Client on HP-UX, follow these steps:

1. Ensure that you remove any previous LDAP client packages prior to installing this version.

2. Log on as root.

3. Insert the IBM Tivoli Access Manager CD for HP-UX.

4. Start pfs_mountd and then pfsd in the background, if they are not running. Mount the CD with the pfs_mount command. For example, enter the following:

/usr/sbin/pfs_mount /dev/dsk/c0t0d0 /cd-rom

where /dev/dsk/c0t0d0 is the CD device and /cd-rom is the mount point.

5. Enter the following:

swinstall -s /cd-rom/hp LDAPClient

where /cd-rom/hp is the directory and LDAPClient specifies the IBM Tivoli Directory Client package.

6. From the root directory on the CD, enter the following to install the LDAP patch:

am_update_ldap.sh

7. Unmount the CD as follows:

pfs_umount -c /cd-rom

where /cd-rom is the mount point.

After you install the IBM Tivoli Directory Client, no configuration is necessary.

Linux: Installing the IBM Tivoli Directory Client

To install the IBM Tivoli Directory Client on Linux, follow these steps.

Note: Remove any existing version of the IBM Tivoli Directory Client before installing this version.

1. Log on as root.

2. Remove the openldap2-client-2.1.4-30 package or other conflicting LDAP packages that are installed.

Note: If you need to have the openldap2-client installed on the same system as the IBM Tivoli Directory Client, make sure the following conflicting programs in /usr/bin are symlinked to the IBM LDAP client versions as follows:

/usr/bin/ldapadd → /usr/ldap/bin/ldapmodify
/usr/bin/ldapdelete → /usr/ldap/bin/ldapdelete
/usr/bin/ldapmodify → /usr/ldap/bin/ldapmodify
/usr/bin/ldapmodrdn → /usr/ldap/bin/ldapmodrdn
/usr/bin/ldapsearch → /usr/ldap/bin/ldapsearch

3. Insert the IBM Tivoli Access Manager CD for xSeries, zSeries, or pSeries and iSeries and mount it.

4. Change to the /mnt/cdrom/series directory where /mnt/cdrom is the mount point for your CD and series specifies xSeries, zSeries, or pSeries.

5. Install the IBM Tivoli Directory Client package:

rpm -ihv package

where package is as follows:

v Linux on xSeries: ldap-clientd-5.2-1.i386.rpm

v Linux on zSeries: ldap-clientd-5.2-1.s390.rpm

v Linux on pSeries and iSeries: ldap-client-5.2-1.ppc.rpm

After you install the IBM Tivoli Directory Client, no configuration is necessary.
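The symlink note in step 2 above can be applied and verified with a script. This is an added example, not part of the IBM guide; it takes a prefix so it can be tried in a scratch directory (the stand-in openldap binary in the demonstration is constructed) and writes the same five links the note lists.

```shell
#!/bin/sh
# Added example, not part of the IBM guide: create the five symlinks listed in
# the Linux step above so that an openldap2-client left on the system does not
# shadow the IBM Tivoli Directory Client tools, then verify each link.
# ROOT is a prefix: "" for the real system, a scratch directory for a dry run.
# The scratch layout used in the demonstration is constructed sample data.

# NAME:TARGET pairs exactly as the guide lists them. Note that ldapadd points
# at ldapmodify; every other tool points at the IBM tool of the same name.
IBM_LDAP_LINKS="ldapadd:ldapmodify ldapdelete:ldapdelete ldapmodify:ldapmodify \
ldapmodrdn:ldapmodrdn ldapsearch:ldapsearch"

# link_ibm_ldap_tools ROOT
#   Creates ROOT/usr/bin/NAME -> /usr/ldap/bin/TARGET for each pair.
link_ibm_ldap_tools() {
    root=$1
    mkdir -p "$root/usr/bin"
    for pair in $IBM_LDAP_LINKS; do
        name=${pair%%:*}
        target=${pair#*:}
        # -f replaces an openldap binary or an older link already in place.
        ln -sf "/usr/ldap/bin/$target" "$root/usr/bin/$name" || return 1
    done
}

# ldap_link_target ROOT NAME
#   Prints where ROOT/usr/bin/NAME points, or "not-a-link" when the entry is
#   not a symlink (typically the openldap binary still in place).
ldap_link_target() {
    if [ -L "$1/usr/bin/$2" ]; then
        readlink "$1/usr/bin/$2"
    else
        echo not-a-link
    fi
}

# check_ibm_ldap_links ROOT
#   Returns 0 when all five links resolve to the expected IBM tools, otherwise
#   prints one diagnostic per wrong entry and returns 1. Useful both after
#   link_ibm_ldap_tools and as an audit of an existing system.
check_ibm_ldap_links() {
    rc=0
    for pair in $IBM_LDAP_LINKS; do
        name=${pair%%:*}
        expected="/usr/ldap/bin/${pair#*:}"
        actual=$(ldap_link_target "$1" "$name")
        if [ "$actual" != "$expected" ]; then
            echo "$1/usr/bin/$name -> $actual (expected $expected)" >&2
            rc=1
        fi
    done
    return $rc
}

# Stand-alone demonstration in a scratch prefix holding a stand-in openldap
# ldapsearch binary (an empty file) that the links must replace.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/usr/bin"
: > "$demo_root/usr/bin/ldapsearch"
check_ibm_ldap_links "$demo_root" 2>/dev/null || echo "links missing before setup"
link_ibm_ldap_tools "$demo_root"
check_ibm_ldap_links "$demo_root" && echo "all IBM LDAP client links in place"
rm -rf "$demo_root"
```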

Solaris: Installing IBM Tivoli Directory Client

To install the IBM Tivoli Directory Client on Solaris, follow these steps:

1. Log on as root.

2. Insert the IBM Tivoli Access Manager for Solaris CD.

3. Change to the /cdrom/cdrom0/solaris directory.

4. Install the IBM Tivoli Directory Client package:

pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault IBMldapc

where -d /cdrom/cdrom0/solaris specifies the location of the package and -a /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script.


5. During installation, you are asked if you want to use /opt as the base directory. If space permits, use /opt as the base installation directory. To accept /opt as the base directory, press Enter.

After you install the IBM Tivoli Directory Client, no configuration is necessary.

Windows: Installing IBM Tivoli Directory Client

To install the IBM Tivoli Directory Client on Windows, follow these steps:

1. Log on as a user with administrator privileges.

2. Insert the IBM Tivoli Access Manager CD for Windows.

3. Run the setup.exe file, located in the following directory:

windows\Directory

The Choose Setup Language dialog is displayed.

4. Select the language that you want to use for the installation and click OK.

5. The Welcome dialog is displayed. Click Next to continue.

6. Read the license agreement. Select to accept the terms and then click Next. A dialog might inform you of packages that are already installed and if any action is required. If necessary, satisfy any requirements and click Next.

7. Click Next to install the IBM Tivoli Directory Client in the specified default directory. To specify a different directory, type a directory path or click Browse to select one.

8. Select the language for the IBM Tivoli Directory Client and click Next.

9. Select Typical setup type and click Next to continue.

10. Select to install the Client SDK 5.2 feature and then click Next.

11. Review the configuration options that you selected. If you want to change any of your selections, click Back. Click Next to begin the installation.

The installation process  begins. Please wait.

Note: On Windows systems, you are prompted to intermittently restart your system.

12. After the files are installed, the README file is displayed. Review the README and then click Next to continue.

13. Select whether you want to restart your system now or later and click Next.

After you install the IBM Tivoli Directory Client, no configuration is necessary.


Installing IBM JRE

IBM JRE, Version 1.3.1 (1.3.1.5 on AIX) is required when installing the Access Manager Java Runtime Environment or using installation wizards.

Complete the instructions that apply to your operating system:

v AIX on page 153

v HP-UX on page 153

v Linux on page 154

v Solaris on page 155

v Windows on page 155

AIX: Installing IBM JRE, Version 1.3.1.5

To install JRE, Version 1.3.1.5, on AIX, follow these steps:

1. Log on as root.

2. Insert the IBM Tivoli Access Manager for AIX CD and mount it.

3. Enter the following:

installp -acgXd cd_mount_point/usr/sys/inst.images Java131.rte

where cd_mount_point/usr/sys/inst.images is the directory where the CD is mounted.

4. Do one of  the following:

v Set the PATH environmental variable. For example:

export PATH=/usr/java131/jre/bin:$PATH

Note: To display whether IBM JRE 1.3.1.5 is already in the path, use the java -version command.

v Set the JAVA_HOME environmental variable to the path where you installed JRE 1.3.1. For example, using ksh, enter the following to define JAVA_HOME:

export JAVA_HOME=/usr/java131/jre

5. IBM Tivoli Directory Server users only:

v You can set JAVA_HOME to either the system-installed Java or the Java version included with the IBM Tivoli Directory Server (if installed). If you use the IBM Tivoli Directory Server version, you also need to set the LIBPATH system variable as follows:

export LIBPATH=/usr/ldap/java/bin:/usr/ldap/java/bin/classes:$LIBPATH

v If you plan to use the GSKit iKeyman utility on an IBM Tivoli Directory Server system, you must create a link from /usr/ldap/jre to /usr/ldap/java by entering the following:

ln -s /usr/ldap/java /usr/ldap/jre

After you install IBM JRE 1.3.1.5, no configuration is necessary.

HP-UX: Installing IBM JRE, Version 1.3.1

To install JRE 1.3.1 on HP-UX, follow these steps:

1. Log on as root.

2. Insert the IBM Tivoli Access Manager for HP-UX CD.

3. Start pfs_mountd and then pfsd in the background, if they are not running. Mount the CD with the pfs_mount command. For example, enter the following:

/usr/sbin/pfs_mount /dev/dsk/c0t0d0 /cd-rom

where /dev/dsk/c0t0d0 is the CD device and /cd-rom is the mount point.

4. Enter the following:

swinstall -s /cd_drive/hp rte_13101os11.depot B9789AA

where /cd_drive is the CD mount point and /cd_drive/hp is the directory.

5. Set the PATH environmental variable:

export PATH=java_path:$PATH

6. If you plan to use the GSKit iKeyman utility, verify that the following path has been set in your environment as follows:

SHLIB_PATH=/usr/lib

For example:

export SHLIB_PATH=/usr/lib:$SHLIB_PATH

Note: When this variable is not set, the Tivoli Access Manager authorization service may not be able to access the GSKit libraries.

7. Unmount the CD as follows:

pfs_umount -c /cd-rom

where /cd-rom is the mount point.

After you install IBM JRE 1.3.1, no configuration is necessary.

Linux: Installing IBM JRE, Version 1.3.1

To install JRE 1.3.1 on Linux, follow these steps:

1. Log on as root.

2. Insert the IBM Tivoli Access Manager CD for xSeries, zSeries, or pSeries and iSeries and mount it.

3. Change to the /mnt/cdrom/series directory where /mnt/cdrom is the mount point for your CD and series specifies xSeries, zSeries, or pSeries.

4. Install the IBM JRE 1.3.1 package:

rpm -ihv package

where  package is as follows:

v Linux on xSeries: IBMJava2-JRE-1.3.1-3.0.i386.rpm

v Linux on zSeries: IBMJava2-JRE-1.3.1-3.0.s390.rpm

v Linux on pSeries and iSeries: IBMJava2-JRE-1.3.1-3.0.ppc.rpm

5. Set the PATH environmental variable:

export PATH=jre_path:$PATH

For example, to ensure that the JRE is accessible through the PATH system variable, enter the following:

export PATH=/opt/IBMJava2-s390-131/jre/bin:$PATH

6. For Red Hat Enterprise Linux 2.1 only, enter the following:

export LD_PRELOAD=/usr/lib/libstdc++-libc6.2-2.so.3

Note: Tivoli Access Manager supports Red Hat Enterprise Linux 2.1 for AccessManager Plug-in for Edge Server only.


7. For Red Hat Enterprise Linux 3.0 only, the new threading library (NPTL) implemented by Red Hat Linux 3 is not compatible with the IBM JDK 1.3.1 shipped with Tivoli Access Manager, and causes an installation failure. The solution for this is to set the LD_ASSUME_KERNEL environment variable, prior to running the installation script, to a value compatible with JDK 1.3.1. For example:

export LD_ASSUME_KERNEL=2.4.0

export LD_ASSUME_KERNEL=2.2.5

As an alternate workaround, install the latest JRE service pack, which is available at the following IBM Web site:

http://www.ibm.com/developerworks/java/jdk/index.html

After you install IBM JRE 1.3.1, no configuration is necessary.

Solaris: Installing IBM JRE, Version 1.3.1

To install JRE 1.3.1 on Solaris, follow these steps:

1. Log on as root.

2. Insert the IBM Tivoli Access Manager for Solaris CD.

3. Install the IBM JRE 1.3.1 package:

pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault SUNWj3rt

where -d /cdrom/cdrom0/solaris specifies the location of the package and -a /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script.

4. Set the PATH environmental variable:

PATH=/usr/j2se/jre/bin:$PATH
export PATH

After you install IBM JRE 1.3.1, no configuration is necessary.

Windows: Installing IBM JRE, Version 1.3.1

To install IBM JRE 1.3.1 on Windows, follow these steps:

1. Log on as a user with administrative privileges.

2. Insert the IBM Tivoli Access Manager CD for Windows.

3. Enter the following:

cd_drive\windows\JRE\install.exe

Complete online instructions. When installation has completed, click Finish.

4. Set the PATH environmental variable:

set PATH=install_dir;%PATH%

For example, enter the following if  you installed using the default installationdirectory:

set PATH=c:\Program Files\IBM\Java131\jre\bin;%PATH%

5. If  you plan to use the GSKit iKeyman utility, do the following:

a. Set the JAVA_HOME environmental variable to the full path to your Java installation. For example:

set JAVA_HOME=c:\Program Files\IBM\Java131

b. Add the GSKit bin and lib directories to the PATH variable. For example:

set PATH="C:\Program Files\ibm\gsk7\bin";%PATH%
set PATH="C:\Program Files\ibm\gsk7\lib";%PATH%

After you install IBM JRE 1.3.1, no configuration is necessary.


Installing WebSphere Application Server

IBM WebSphere Application Server 5.0.2 is included on the IBM Tivoli Access Manager Web Administration Interfaces CD for supported platforms.

WebSphere Application Server enables the support of both the Web Portal Manager interface, which is used to administer Tivoli Access Manager, and the Web Administration Tool, which is used to administer IBM Tivoli Directory Server.

Fix pack 2 for IBM WebSphere Application Server is required on AIX, HP-UX, Linux on xSeries, Solaris, and Windows 2000 systems. All other supported operating system versions are at the 5.0.2 level.

For information about IBM WebSphere Application Server, see:

http://www.ibm.com/software/webservers/appserv/infocenter.html

Complete the instructions that apply to your operating system:

v AIX on page 157

v HP-UX on page 159

v Linux on page 161

v Solaris on page 162

v Windows on page 164

AIX: Installing WebSphere Application Server

WebSphere Application Server is required on systems where you plan to set up Web Portal Manager or Web Administration Tool interfaces. To install WebSphere Application Server 5.0.2 on AIX, follow these steps.

Note: WebSphere documentation is located on the IBM Tivoli Access Manager Web Administration Interfaces for AIX CD in the usr/sys/inst.images/websphere/docs directory.

1. Log on as root.

2. Insert the IBM Tivoli Access Manager Web Administration Interfaces for AIX CD and mount it.

3. Change to the /usr/sys/inst.images/websphere/aix directory on the drive where the CD is located.

4. Enter the following:

./install

The Choose Setup Language dialog is displayed.

5. Select the language that you want to use for the installation and click OK.

6. The Welcome screen is displayed. Click Next to continue.

7. Read the license agreement and click Yes if  you accept the terms.

The installation wizard checks for system prerequisites. Please wait.

8. Select the Custom setup type and deselect Embedded Messaging, which includes JMS technology-compatible client for Embedded Messaging and IBM WebSphere MQSeries. Click Next to continue.

9. Accept the default destination directories for the following products and click Next. You can also click Browse to select a path to another directory on the local system.


v IBM WebSphere Application Server, Version 5

v IBM HTTP Server, Version 1.3.26

10. Type a node name and host name or accept the defaults for this installation and click Next.

Note: The node name is used for administration, and must be unique within its group of nodes (cell). The host name is the DNS name or IP address of your local system.

11. Review your selections. Click Back to make changes or click Next to begin the installation process.

Installation begins. Please wait.

12. Click Next to register the product, or deselect the check box and click Next to register at a later time.

13. Click Finish to close the installation wizard. The WebSphere Application Server — First Steps window is displayed. Use this window to verify or troubleshoot the installation.

14. After installation, you must install fix pack 2. For instructions, see “AIX: Installing WebSphere Application Server, fix pack 2.”

AIX: Installing WebSphere Application Server, fix pack 2

To install WebSphere Application Server, fix pack 2, on AIX, follow these steps:

1. Stop the WebSphere Application Server and the IBM HTTP Server. If you installed an LDAP registry server on the same machine, also ensure that the LDAP server is stopped.

2. Ensure that the JAVA_HOME system variable is set. For example:

export JAVA_HOME=/opt/WebSphere/AppServer/java

3. Insert the IBM Tivoli Access Manager WebSphere Fix Pack for AIX CD and mount it.

4. Copy the contents of the CD to a temporary directory on your hard drive.

5. Run the following script, located in the aix/websphere_fixpack subdirectory (where you copied the CD contents):

./updateWizard.sh

The Update Installation Wizard is displayed.

6. Select the language that you want to use for the installation and click OK.

7. The Welcome screen is displayed. Click Next to continue.

8. Select IBM WebSphere Application Server v5.0.0 as the product you want to update and click Next.

9. Select Install fix packs and click Next.

10. Type the temporary directory where you copied the fix pack files. For example, if you copied the websphere_fixpack directory from CD to the C:\temp directory on your system, enter the following in the Fix pack directory field:

C:\temp\websphere_fixpack\fixpacks

Click Next to continue.

11. Select to install the fix pack and click Next.

12. Select to update IBM HTTP Server and click Next.


Note: Tivoli Access Manager does not require Embedded Messaging. If you already have Embedded Messaging set up for your WebSphere Application Server 5.0, you can choose to update this feature.

13. Click Next on the summary dialog to begin installation. The installation process begins. Please wait.

14. When installation has completed, click Finish.

15. Restart the WebSphere Application Server and the IBM HTTP Server.

HP-UX: Installing WebSphere Application Server

WebSphere Application Server is required on systems where you plan to set up Web Portal Manager or Web Administration Tool interfaces. To install WebSphere Application Server 5.0.2 on HP-UX, follow these steps.

Note: WebSphere documentation is located on the IBM Tivoli Access Manager Web Administration Interfaces for HP-UX CD in the hp/websphere/docs directory.

1. Log on as root.

2. Insert the IBM Tivoli  Access  Manager Web Administration Interfaces for  HP-UX CD.

3. Start pfs_mountd and then pfsd in the background, if they are not running. Mount the CD with the pfs_mount command. For example, enter the following:

/usr/sbin/pfs_mount /dev/dsk/c0t0d0 /cd-rom

where /dev/dsk/c0t0d0 is the CD device and /cd-rom is the mount point.

4. Change to the hp/websphere/hp directory on the drive where the CD is located.

5. Enter the following:

./install

The Choose Setup Language dialog is displayed.

6. Select the language that you want to use for the installation and click OK.

7. The Welcome screen is displayed. Click Next to continue.

8. Read the license agreement and click Yes if  you accept the terms.

The installation wizard checks for system prerequisites. Please wait.

9. Select the Custom setup type and deselect Embedded Messaging, which includes JMS technology-compatible client for Embedded Messaging and IBM WebSphere MQSeries. Click Next to continue.

10. Accept the default destination directories for the following products and click Next. You can also click Browse to select a path to another directory on the local system.

v IBM WebSphere Application Server, Version 5

v IBM HTTP Server, Version 1.3.26

11. Type a node name and host name or accept the defaults for this installation and click Next.

Note: The node name is used for administration, and must be unique within its group of nodes (cell). The host name is the DNS name or IP address of your local system.

12. Review your selections. Click Back to make changes or click Next to begin the installation process.


Installation begins. Please wait.

13. Click Next to register the product, or deselect the check box and click Next to register at a later time.

14. Click Finish to close the installation wizard. The WebSphere Application Server — First Steps window is displayed. Use this window to verify or troubleshoot the installation.

15. Unmount the CD as follows:

pfs_umount -c /cd-rom

where /cd-rom is the mount point.

16. After installation, you must install fix pack 2. For instructions, see “HP-UX: Installing WebSphere Application Server, fix pack 2.”

HP-UX: Installing WebSphere Application Server, fix pack 2

To install WebSphere Application Server, fix pack 2, on HP-UX, follow these steps:

1. Stop the WebSphere Application Server and the IBM HTTP Server. If you installed an LDAP registry server on the same machine, also ensure that the LDAP server is stopped.

2. Ensure that the JAVA_HOME system variable is set. For example:

export JAVA_HOME=/opt/WebSphere/AppServer/java

3. Insert the IBM Tivoli Access Manager WebSphere Fix Pack for HP-UX CD.

4. Copy the contents of the CD to a temporary directory on your hard drive.

5. Run the following script, located in the hp/websphere_fixpack subdirectory (where you copied the CD contents):

./updateWizard.sh

The Update Installation Wizard is displayed.

6. Select the language that you want to use for the installation and click OK.

7. The Welcome screen is displayed. Click Next to continue.

8. Select IBM WebSphere Application Server v5.0.0 as the product you want to update and click Next.

9. Select Install fix packs and click Next.

10. Type the temporary directory where you copied the fix pack files. For example, if you copied the websphere_fixpack directory from CD to the C:\temp directory on your system, enter the following in the Fix pack directory field:

C:\temp\websphere_fixpack\fixpacks

Click Next to continue.

11. Select to install the fix pack and click Next.

12. Select to update IBM HTTP Server and click Next.

Note: Tivoli Access Manager does not require Embedded Messaging. If you already have Embedded Messaging set up for your WebSphere Application Server 5.0, you can choose to update this feature.

13. Click Next on the summary dialog to begin installation. The installation process begins. Please wait.

14. When installation has completed, click Finish.

15. Restart the WebSphere Application Server and the IBM HTTP Server.


Linux: Installing WebSphere Application Server

WebSphere Application Server is required on systems where you plan to set up Web Portal Manager or Web Administration Tool interfaces. To install WebSphere Application Server 5.0.2 on Linux, follow these steps.

Note: WebSphere documentation is located on the IBM Tivoli Access Manager Web Administration Interfaces for Linux on xSeries, zSeries, or pSeries/iSeries CD in the series/websphere/docs directory.

1. Log on as root.

2. Insert the IBM Tivoli Access Manager Web Administration Interfaces for Linux on xSeries, zSeries, or pSeries/iSeries CD and mount it.

3. Change to one of the following directories on the drive where the CD is located:

Linux on xSeries: /xSeries/websphere/linuxi386

Linux on zSeries: /zSeries/websphere/linuxs390

Linux on pSeries and iSeries: /pSeries/websphere/linuxppc

4. Enter the following:

./install

The Choose Setup Language dialog is displayed.

5. Select the language that you want to use for the installation and click OK.

6. The Welcome screen is displayed. Click Next to continue.

7. Read the license agreement and click Yes if  you accept the terms.

The installation wizard checks for system prerequisites. Please wait.

8. Select the Custom setup type and deselect Embedded Messaging, which includes JMS technology-compatible client for Embedded Messaging and IBM WebSphere MQSeries. Click Next to continue.

9. Accept the default destination directories for the following products and click Next. You can also click Browse to select a path to another directory on the local system.

v IBM WebSphere Application Server, Version 5

v IBM HTTP Server, Version 1.3.26

10. Type a node name and host name or accept the defaults for this installation and click Next.

Note: The node name is used for administration, and must be unique within its group of nodes (cell). The host name is the DNS name or IP address of your local system.

11. Review your selections. Click Back to make changes or click Next to begin the installation process.

Installation begins. Please wait.

12. Click Next to register the product, or deselect the check box and click Next to register at a later time.

13. Click Finish to close the installation wizard. The WebSphere Application Server — First Steps window is displayed. Use this window to verify or troubleshoot the installation.

14. For Linux on xSeries only, install fix pack 2. For instructions, see “Linux on xSeries: Installing WebSphere Application Server, fix pack 2” on page 162.


Linux on xSeries: Installing WebSphere Application Server, fix pack 2

To install WebSphere Application Server, fix pack 2, on Linux on xSeries, follow these steps:

1. Stop the WebSphere Application Server and the IBM HTTP Server. If you installed an LDAP registry server on the same machine, also ensure that the LDAP server is stopped.

2. Ensure that the JAVA_HOME system variable is set. For example:

export JAVA_HOME=/opt/WebSphere/AppServer/java

3. Insert the IBM Tivoli Access Manager WebSphere Fix Pack for Linux on xSeries CD and mount it.

4. Copy the contents of the CD to a temporary directory on your hard drive.

5. Run the following script, located in the platform/websphere_fixpack subdirectory (where you copied the CD contents):

./updateWizard.sh

The Update Installation Wizard is displayed.

6. Select the language that you want to use for the installation and click OK.

7. The Welcome screen is displayed. Click Next to continue.

8. Select IBM WebSphere Application Server v5.0.0 as the product you want to update and click Next.

9. Select Install fix packs and click Next.

10. Type the temporary directory where you copied the fix pack files. For example, if you copied the websphere_fixpack directory from CD to the C:\temp directory on your system, enter the following in the Fix pack directory field:

C:\temp\websphere_fixpack\fixpacks

Click Next to continue.

11. Select to install the fix pack and click Next.

12. Select to update IBM HTTP Server and click Next.

Note: Tivoli Access Manager does not require Embedded Messaging. If you already have Embedded Messaging set up for your WebSphere Application Server 5.0, you can choose to update this feature.

13. Click Next on the summary dialog to begin installation. The installation process begins. Please wait.

14. When installation has completed, click Finish.

15. Restart the WebSphere Application Server and the IBM HTTP Server.

Solaris: Installing WebSphere Application Server

WebSphere Application Server is required on systems where you plan to set up Web Portal Manager or Web Administration Tool interfaces. To install WebSphere Application Server 5.0.2 on Solaris, follow these steps.

Note: WebSphere documentation is located on the IBM Tivoli Access Manager Web Administration Interfaces for Solaris CD in the solaris/websphere/docs directory.

1. Log on as root.

2. Insert the IBM Tivoli Access Manager Web Administration Interfaces for Solaris CD.


3. Change to the solaris/websphere/sun directory on the drive where the CD is located.

4. Enter the following:

./install

The Choose Setup Language dialog is displayed.

5. Select the language that you want to use for the installation and click OK.

6. The Welcome screen is displayed. Click Next to continue.

7. Read the license agreement and click Yes if  you accept the terms.

The installation wizard checks for system prerequisites. Please wait.

8. Select the Custom setup type and deselect Embedded Messaging, which includes JMS technology-compatible client for Embedded Messaging and IBM WebSphere MQSeries. Click Next to continue.

9. Accept the default destination directories for the following products and click Next. You can also click Browse to select a path to another directory on the local system.

v IBM WebSphere Application Server, Version 5

v IBM HTTP Server, Version 1.3.26

10. Type a node name and host name or accept the defaults for this installation and click Next.

Note: The node name is used for administration, and must be unique within its group of nodes (cell). The host name is the DNS name or IP address of your local system.

11. Review your selections. Click Back to make changes or click Next to begin the installation process.

Installation begins. Please wait.

12. Click Next to register the product, or deselect the check box and click Next to register at a later time.

13. Click Finish to close the installation wizard. The WebSphere Application Server — First Steps window is displayed. Use this window to verify or troubleshoot the installation.

14. Install fix pack 2. For instructions, see “Solaris: Installing WebSphere Application Server, fix pack 2.”

Solaris: Installing WebSphere Application Server, fix pack 2

To install WebSphere Application Server, fix pack 2, on Solaris, follow these steps:

1. Stop the WebSphere Application Server and the IBM HTTP Server. If you installed an LDAP registry server on the same machine, also ensure that the LDAP server is stopped.

2. Ensure that the JAVA_HOME system variable is set. For example:

export JAVA_HOME=/opt/WebSphere/AppServer/java

3. Insert the IBM Tivoli Access Manager WebSphere Fix Pack for Solaris CD.

4. Copy the contents of the CD to a temporary directory on your hard drive.

5. Run the following script, located in the solaris/websphere_fixpack subdirectory (where you copied the CD contents):

./updateWizard.sh

The Update Installation Wizard is displayed.

6. Select the language that you want to use for the installation and click OK.


7. The Welcome screen is displayed. Click Next to continue.

8. Select IBM WebSphere Application Server v5.0.0 as the product you want to update and click Next.

9. Select Install fix packs and click Next.

10. Type the temporary directory where you copied the fix pack files. For example, if you copied the websphere_fixpack directory from CD to the C:\temp directory on your system, enter the following in the Fix pack directory field:

C:\temp\websphere_fixpack\fixpacks

Click Next to continue.

11. Select to install the fix pack and click Next.

12. Select to update IBM HTTP Server and click Next.

Note: Tivoli Access Manager does not require Embedded Messaging. If you already have Embedded Messaging set up for your WebSphere Application Server 5.0, you can choose to update this feature.

13. Click Next on the summary dialog to begin installation. The installation process begins. Please wait.

14. When installation has completed, click Finish.

15. Restart the WebSphere Application Server and the IBM HTTP Server.
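Steps 1 through 5 of the fix pack 2 procedure are the same on AIX, HP-UX, Linux on xSeries and Solaris. The following script is an added example, not part of this guide or of the WebSphere fix pack: run before updateWizard.sh, it confirms that the servers named in step 1 are stopped, that JAVA_HOME from step 2 points at a usable Java, and that the directory copied in step 4 contains the wizard and its fixpacks subdirectory. The process-name patterns, the function names and the default directory /tmp/websphere_fixpack are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the IBM guide or of WebSphere: preflight checks
# for the fix pack 2 procedure on AIX, HP-UX, Linux and Solaris. It verifies
# what steps 1-5 require before updateWizard.sh is launched: the servers are
# stopped, JAVA_HOME is usable, and the copied fix pack tree is complete.
# Process-name patterns and the default directory below are assumptions.

# Return 0 if $1 (the JAVA_HOME value) is a directory with a runnable bin/java.
check_java_home() {
    jh="$1"
    [ -n "$jh" ] || { echo "JAVA_HOME is not set" >&2; return 1; }
    [ -d "$jh" ] || { echo "JAVA_HOME is not a directory: $jh" >&2; return 1; }
    [ -x "$jh/bin/java" ] || { echo "no executable $jh/bin/java" >&2; return 1; }
    return 0
}

# Return 0 if the copied fix pack tree $1 holds updateWizard.sh and the
# fixpacks subdirectory that the wizard's "Fix pack directory" field expects.
check_fixpack_dir() {
    d="$1"
    [ -d "$d" ] || { echo "fix pack directory missing: $d" >&2; return 1; }
    [ -f "$d/updateWizard.sh" ] || { echo "updateWizard.sh missing in $d" >&2; return 1; }
    [ -d "$d/fixpacks" ] || { echo "fixpacks subdirectory missing in $d" >&2; return 1; }
    return 0
}

# Return 0 if no running process matches pattern $1 (grep -v drops our own grep).
check_not_running() {
    pattern="$1"
    if ps -ef 2>/dev/null | grep -v grep | grep "$pattern" >/dev/null 2>&1; then
        echo "still running, stop it before applying the fix pack: $pattern" >&2
        return 1
    fi
    return 0
}

# Run all checks against the fix pack directory $1; return 1 if any failed.
# Patterns (assumed): the WebSphere server JVM under the JAVA_HOME path the
# guide shows, IBM HTTP Server (Apache based, runs as httpd), and the IBM
# Directory Server daemon (ibmslapd).
preflight() {
    fixpack_dir="${1:-/tmp/websphere_fixpack}"
    rc=0
    check_java_home "$JAVA_HOME" || rc=1
    check_fixpack_dir "$fixpack_dir" || rc=1
    for p in "WebSphere/AppServer/java" "httpd" "ibmslapd"; do
        check_not_running "$p" || rc=1
    done
    [ "$rc" -eq 0 ] && echo "preflight OK: now run $fixpack_dir/updateWizard.sh"
    return "$rc"
}

# Invoke as:  sh fixpack_preflight.sh /tmp/websphere_fixpack
if [ $# -eq 1 ]; then
    preflight "$1"
    exit $?
fi
```

A non-zero exit status means at least one condition from steps 1, 2 or 4 is not met; the messages on standard error name which one.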

Windows: Installing WebSphere Application Server

WebSphere Application Server is required on systems where you plan to set up Web Portal Manager or Web Administration Tool interfaces. To install WebSphere Application Server 5.0.2 on Windows, follow these steps.

Note: WebSphere documentation is located on the IBM Tivoli Access Manager Web Administration Interfaces CD for Windows 2000 (in windows\websphere\docs) or Windows 2003 (in windows2003\websphere\docs).

1. Log on as a user with administrator privileges.

2. Ensure that you have closed any running Windows programs.

3. Insert the IBM Tivoli Access Manager Web Administration Interfaces CD for Windows 2000 or Windows 2003.

4. Change to one of the following directories on the drive where the CD is located:

v On Windows 2000 systems:

windows\websphere\nt

v On Windows 2003 systems:

windows2003\websphere\windows2003

5. Run the following program:

install.exe

The Choose Setup Language dialog is displayed.

6. Select the language that you want to use for the installation and click OK.

7. The Welcome screen is displayed. Click Next to continue.

8. Read the license agreement and click Yes if  you accept the terms.

The installation wizard checks for system prerequisites. Please wait.


9. Select the Custom setup type and deselect Embedded Messaging, which includes JMS technology-compatible client for Embedded Messaging and IBM WebSphere MQSeries. Click Next to continue.

10. Accept the default destination directories for the following products and click Next. You can also click Browse to select a path to another directory on the local system.

v IBM WebSphere Application Server, Version 5

v IBM HTTP Server, Version 1.3.26

11. Type a node name and host name or accept the defaults for this installation and click Next.

Note: The node name is used for administration, and must be unique within its group of nodes (cell). The host name is the DNS name or IP address of your local system.

12. You can run WebSphere Application Server and IBM HTTP Server as Windows services. To do so, type a password for the specified user ID and click Next. This is a user name and password for WebSphere, and must be a user ID and password on the local system.

13. Review your selections. Click Back to make changes or click Next to begin the installation process.

Installation begins. Please wait.

14. Click Next to register the product, or deselect the check box and click Next to register at a later time.

15. Click Finish to close the installation wizard. The WebSphere Application Server — First Steps window is displayed. Use this window to verify or troubleshoot the installation.

16. For Windows 2000 systems only, install fix pack 2. For instructions, see “Windows 2000: Installing WebSphere Application Server fix pack 2.”

Windows 2000: Installing WebSphere Application Server fix pack 2

To install WebSphere Application Server, fix pack 2, on Windows, follow these steps:

1. Stop the WebSphere Application Server and the IBM HTTP Server. If you installed an LDAP registry server on the same machine, also ensure that the LDAP server is stopped.

2. Ensure that the JAVA_HOME system variable is set. To do so, run the setupCmdLine.bat file, located in the install_dir\bin directory, where install_dir is the installation directory where you installed the WebSphere Application Server. For example:

C:\Program Files\WebSphere\AppServer\bin\setupCmdLine.bat

3. Insert the IBM Tivoli Access Manager WebSphere Fix Pack for Windows 2000 CD.

4. Copy the contents of the CD to a temporary directory on your hard drive.

5. Run the following batch file, located in the windows/websphere_fixpack subdirectory (where you copied the CD contents):

updateWizard

The Update Installation Wizard is displayed.

6. Select the language that you want to use for the installation and click OK.

7. The Welcome screen is displayed. Click Next to continue.


8. Select IBM WebSphere Application Server v5.0.0 as the product you want to update and click Next.

9. Select Install fix packs and click Next.

10. Type the temporary directory where you copied the fix pack files. For example, if you copied the websphere_fixpack directory from CD to the C:\temp directory on your system, enter the following in the Fix pack directory field:

C:\temp\websphere_fixpack\fixpacks

Click Next to continue.

11. Select to install the fix pack and click Next.

12. Select to update IBM HTTP Server and click Next.

Note: Tivoli Access Manager does not require Embedded Messaging. If you already have Embedded Messaging set up for your WebSphere Application Server 5.0, you can choose to update this feature.

13. Click Next on the summary dialog to begin installation. The installation process begins. Please wait.

14. When installation has completed, click Finish.

15. Restart the WebSphere Application Server and the IBM HTTP Server.


Installing the Web Administration Tool

The Web Administration Tool is used to administer IBM Tivoli Directory Servers either locally or remotely. You can install this interface at any time.

To install the Web Administration Tool application, follow the procedure for your particular platform.

Note: If you are running IBM Tivoli Directory Server, Version 4.1 or 5.1, ensure that you run the am_update_ldap.sh LDAP patch before installing the Web Administration Tool.

v AIX on page 167

v HP-UX on page 168

v Linux on page 169

v Solaris on page 170

v Windows on page 170

Note: An application server is required, such as IBM WebSphere Application Server, Version 5.0.2, which is shipped with Tivoli Access Manager. If your deployment plan includes installing the Web Portal Manager interface, you can use the same WebSphere instance to host the Web Administration Tool.

AIX: Installing the Web Administration Tool

To install the Web Administration Tool on AIX, follow these steps:

1. Log on as root.

2. Ensure that system requirements for the Web Administration Tool are met. For information, see page 20.

3. Ensure that the following servers are set up in your secure domain:

v IBM Tivoli Directory Server, Version 5.2

v IBM WebSphere Application Server, Version 5.0.2

For instructions on installing these servers, see “Setting up IBM Tivoli Directory Server” on page 48 and “Installing WebSphere Application Server” on page 157.

4. Insert the IBM Tivoli Access Manager Web Administration Interfaces for AIX CD and mount it.

5. Install the Web Administration Tool packages:

installp -acgXd cd_mount_point/usr/sys/inst.images ldap.webdadmin ldap.max_crypto_webdadmin

where cd_mount_point/usr/sys/inst.images is the directory where the CD is mounted.

6. Install the Web Administration Tool into your WebSphere Application Server configuration. For instructions, see page 171.

This completes the installation of the Web Administration Tool. To start the Web Administration Tool, go to the directory where you installed WebSphere Application Server and issue one of the following commands:

/usr/WebSphere/AppServer/bin/startServer.sh server1

or

/opt/WebSphere/AppServer/bin/startServer.sh server1

To log into the console, open a Web browser and type the following address:


http://localhost:9080/IDSWebApp/IDSjsp/Login.jsp

where localhost specifies the name or IP address of the host system where the Web Administration Tool and WebSphere Application Server are installed. For more information about using the Web Administration Tool, see the IBM Tivoli Directory Server Administration Guide, Version 5.2 at:

http://www.ibm.com/software/network/directory/library/

HP-UX: Installing the Web Administration Tool

To install the Web Administration Tool on HP-UX, follow these steps:

1. Log on as root.

2. Ensure that system requirements for the Web Administration Tool are met. For information, see page 20.

3. Ensure that the following servers are set up in your secure domain:

v IBM Tivoli Directory Server, Version 5.2

v IBM WebSphere Application Server, Version 5.0.2

For instructions on installing these servers, see “Setting up IBM Tivoli Directory Server” on page 48 and “Installing WebSphere Application Server” on page 157.

4. Insert the IBM Tivoli Access Manager Web Administration Interfaces for HP-UX CD.

5. Start pfs_mountd and then pfsd in the background, if they are not running. Mount the CD with the pfs_mount command. For example, enter the following:

/usr/sbin/pfs_mount /dev/dsk/c0t0d0 /cd-rom

where /dev/dsk/c0t0d0 is the CD device and /cd-rom is the mount point.

6. Install the Web Administration Tool package:

swinstall -s /cd-rom/hp ldapwebadmin

where /cd-rom/hp is the directory.

7. Install the Web Administration Tool into your WebSphere Application Server configuration. For instructions, see page 171.

8. Unmount the CD as follows:

pfs_umount -c /cd-rom

where /cd-rom is the mount point.

This completes the installation of the Web Administration Tool. To start the Web Administration Tool, go to the directory where you installed WebSphere Application Server and issue one of the following commands:

/usr/WebSphere/AppServer/bin/startServer.sh server1

or

/opt/WebSphere/AppServer/bin/startServer.sh server1

To log into the console, open a Web browser and type the following address:

http://localhost:9080/IDSWebApp/IDSjsp/Login.jsp


where localhost specifies the name or IP address of the host system where the Web Administration Tool and WebSphere Application Server are installed. For more information about using the Web Administration Tool, see the IBM Tivoli Directory Server Administration Guide, Version 5.2 at:

http://www.ibm.com/software/network/directory/library/

Linux: Installing the Web Administration Tool

To install the Web Administration Tool on Linux, follow these steps.

Note: Linux on zSeries users: You must first obtain access to the Linux rpm files from the IBM Tivoli Access Manager for Linux on zSeries CD.

1. Log on as root.

2. Ensure that system requirements for the Web Administration Tool are met. For information, see page 20.

3. Ensure that the following servers are set up in your secure domain:

v IBM Tivoli Directory Server, Version 5.2

v IBM WebSphere Application Server, Version 5.0.2

For instructions on installing these servers, see “Setting up IBM Tivoli Directory Server” on page 48 and “Installing WebSphere Application Server” on page 157.

4. Insert the IBM Tivoli Access Manager Web Administration Interfaces CD for xSeries, zSeries, or pSeries and iSeries and mount it.

5. Change to the /mnt/cdrom/series directory, where /mnt/cdrom is the mount point for your CD and series specifies xSeries, zSeries, or pSeries.

6. Install the Web Administration Tool package:

rpm -ihv package

where package is one of the following:

v Linux on xSeries: ldap-webadmind-5.2-1.i386.rpm

v Linux on zSeries: ldap-webadmind-5.2-1.s390.rpm

v Linux on pSeries and iSeries: ldap-webadmind-5.2-1.ppc.rpm

7. Install the Web Administration Tool into your WebSphere Application Server configuration. For instructions, see page 171.

This completes the installation of the Web Administration Tool. To start the Web Administration Tool, go to the directory where you installed WebSphere Application Server and issue one of the following commands:

/usr/WebSphere/AppServer/bin/startServer.sh server1

or

/opt/WebSphere/AppServer/bin/startServer.sh server1

To log into the console, open a Web browser and type the following address:

http://localhost:9080/IDSWebApp/IDSjsp/Login.jsp

where localhost specifies the name or IP address of the host system where the Web Administration Tool and WebSphere Application Server are installed. For more information about using the Web Administration Tool, see the IBM Tivoli Directory Server Administration Guide, Version 5.2 at:

http://www.ibm.com/software/network/directory/library/


Solaris: Installing the Web Administration Tool

To install the Web Administration Tool on Solaris, follow these steps:

1. Log on as root.

2. Ensure that system requirements for the Web Administration Tool are met. For information, see page 20.

3. Ensure that the following servers are set up in your secure domain:

v IBM Tivoli Directory Server, Version 5.2

v IBM WebSphere Application Server, Version 5.0.2

For instructions on installing these servers, see “Setting up IBM Tivoli Directory Server” on page 48 and “Installing WebSphere Application Server” on page 157.

4. Insert the IBM Tivoli Access Manager Web Administration Interfaces for Solaris CD.

5. Install the Web Administration Tool package:

pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault IBMldapw

where -d /cdrom/cdrom0/solaris specifies the location of the package and -a /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script.

6. Install the Web Administration Tool into your WebSphere Application Server configuration. For instructions, see page 171.

This completes the installation of the Web Administration Tool. To start the Web Administration Tool, go to the directory where you installed WebSphere Application Server and issue one of the following commands:

/usr/WebSphere/AppServer/bin/startServer.sh server1

or

/opt/WebSphere/AppServer/bin/startServer.sh server1

To log into the console, open a Web browser and type the following address:

http://localhost:9080/IDSWebApp/IDSjsp/Login.jsp

where localhost specifies the name or IP address of the host system where the Web Administration Tool and WebSphere Application Server are installed. For more information about using the Web Administration Tool, see the IBM Tivoli Directory Server Administration Guide, Version 5.2 at:

http://www.ibm.com/software/network/directory/library/

Windows: Installing the Web Administration Tool

To install the Web Administration Tool on Windows, follow these steps:

1. Log on as a user with administrator privileges.

2. Ensure that system requirements for the Web Administration Tool are met. For information, see page 20.

3. Ensure that the following servers are set up in your secure domain:

v IBM Tivoli Directory Server, Version 5.2

v IBM WebSphere Application Server, Version 5.0.2

For instructions on installing these servers, see “Setting up IBM Tivoli Directory Server” on page 48 and “Installing WebSphere Application Server” on page 157.


4. Insert the IBM Tivoli Access Manager Web Administration Interfaces CD for Windows 2000 or Windows 2003.

5. Install the Web Administration Tool package. To do so, run the setup.exe program located in the following directory:

\windows\Directory

Follow online instructions to complete the installation. Ensure that you select Web Administration Tool 5.2 and deselect all other installation features.

6. Install the Web Administration Tool into your WebSphere Application Server configuration. For instructions, see page 171.

This completes the installation of the Web Administration Tool. To start the Web Administration Tool, go to the directory where you installed WebSphere Application Server and issue the following command:

C:\Program Files\WebSphere\AppServer\bin\startServer.bat server1

To log into the console, open a Web browser and type the following address:

http://localhost:9080/IDSWebApp/IDSjsp/Login.jsp

where localhost specifies the name or IP address of the host system where the Web Administration Tool and WebSphere Application Server are installed. For more information about using the Web Administration Tool, see the IBM Tivoli Directory Server Administration Guide, Version 5.2 at:

http://www.ibm.com/software/network/directory/library/

Installing the Web Administration Tool into WebSphere

After you install the Web Administration Tool package, you must install the Web Administration Tool into WebSphere Application Server. To do so, use the following instructions as a guide.

For complete information on installing an application into a WebSphere configuration, see the IBM WebSphere Application Server 5.0 documentation at:

http://www.ibm.com/software/webservers/appserv/infocenter.html

http://publib7b.boulder.ibm.com/wasinfo1/en/info/ae/ae/trun_app_instwiz.html

To install the Web Administration Tool into your WebSphere Application Server configuration, do the following:

1. Log in to the WebSphere Application Server Administrative Console. For example, enter the following from a supported Web browser:

http://hostname:9090/admin/

where hostname specifies the name or IP address of the system where the IBM WebSphere Application Server is installed.

2. Click Applications → Install New Applications in the console navigation tree. The first of two Preparing for application install pages is shown.

3. On the first Preparing for application install page:

a. Specify the full path of the Web Administration Tool application standalone IDSWebApp.war file as follows:

1) On UNIX systems:

install_dir/idstools/IDSWebApp.war


2) On Windows systems:

install_dir\idstools\IDSWebApp.war

where install_dir is the installation directory that you specified when installing the Web Administration Tool. For example: C:\Program Files\IBM\LDAP\idstools\IDSWebApp.war

Note: The file can be either on the client machine (the machine that runs the Web browser) or on the server machine (the machine to which the client is connected).

b. In the Context Root field, specify the following:

/IDSWebApp

c. Click Next.

4. Select whether to generate default bindings or accept the defaults and click Next. Using the default bindings causes any incomplete bindings in the application to be filled in with default values. Existing bindings are not altered. You can customize default values used in generating default bindings.

The Install New Applications pages are displayed.

5. (Step 1: Provide options to perform the install) Ensure that the Application Name field contains IDSWebApp_war, accept default values, and click Next.

6. (Step 2: Map virtual hosts for web modules) Select IBM Tivoli Directory Server Web Application v2.0 as the Web Module and default_host as the Virtual Host and click Next.

7. (Step 3: Map modules to application servers) Select IBM Tivoli Directory Server Web Application v2.0 and click Next.

8. (Step 4: Summary) Review installation options and click Finish.

9. When the Save to Master Configuration page is displayed, click Save to save the changes to your configuration. The application is registered with the administrative


Chapter 13. Uninstalling components

Uninstalling Tivoli Access Manager is a two-part process. You must unconfigure components and then remove Tivoli Access Manager packages.

This chapter provides the following sections:

v “Unconfiguring Tivoli Access Manager components”

v “Unconfiguring IBM Tivoli Directory Server” on page 174

v Removing packages:

– AIX on page 174

– HP-UX on page 175

– Linux on page 176

– Solaris on page 176

– Windows on page 177

Before you begin

v Unconfigure Tivoli Access Manager applications before unconfiguring the Access Manager Policy Server or Access Manager Runtime components.

v Unconfigure and remove the policy server system last.

Unconfiguring Tivoli Access Manager components

Before you remove Tivoli Access Manager packages, you must ensure that the component is unconfigured (if needed). To do so, follow these steps.

1. On UNIX, log on as root. On Windows, log on as a user with Windows administrator privileges.

2. To start the configuration utility, enter the following:

pdconfig

Note: On Windows systems, you can also select Start → Programs → Access Manager → Configuration.

The Access Manager for e-business Setup Menu is displayed.

3. Unconfigure components in the following order. To unconfigure a component on UNIX, type the number of the menu item for the Tivoli Access Manager component. To unconfigure a component on Windows, select a component and then click Unconfigure. Repeat this procedure for each package that you want to unconfigure.

a. Access Manager Web Portal Manager

b. Access Manager Authorization Server

c. Access Manager Policy Proxy Server

d. Access Manager Policy Server

e. Access Manager Runtime and Access Manager Java Runtime Environment

Notes:

v If a component is not configured, you can simply remove it.


v If you are unconfiguring a policy server or policy proxy server, you are prompted for the distinguished name (cn=root) and password of the LDAP Administrator.

v When unconfiguring the policy server, you are warned that configuration and authorization information for all Tivoli Access Manager servers and applications installed in the management domain will be removed. To proceed, enter y.

After you enter the LDAP administrative user DN and password, you are prompted to remove domain information permanently from the registry. Type y to remove all domain information, including user and group information. Type n to remove domain information but retain user and group information so that the domain can be recreated later if needed.

v If you have the Access Manager Java Runtime Environment installed but not the Access Manager Runtime, use the /opt/PolicyDirector/sbin/pdjrtecfg utility to unconfigure this component as follows:

./pdjrtecfg -action unconfig -interactive

Unconfiguring IBM Tivoli Directory Server

To unconfigure the IBM Tivoli Directory Server, follow these steps. It is recommended that you back up your directory and any existing schema files before starting this procedure.

1. On UNIX, log on as root. On Windows, log on as a user with Windows administrator privileges.

2. Stop the ibmslapd server.

3. Use the ldapucfg utility to remove the DB2 configuration information from the IBM Tivoli Directory Server. To do so, enter the following:

ldapucfg -d -i

You are prompted to enter 1 to confirm the unconfiguration. If the default database was configured, the ldapucfg utility deletes the database from the system by this step. If a custom database was configured, the database remains on the system.

Note: To remove a custom database, log in as the instance owner and enter the following:

db2stop
db2ilist
db2idrop instance_name

AIX: Removing packages

Uninstalling Tivoli Access Manager is a two-part process. You must unconfigure components and then remove them, unless instructed to do otherwise, such as during the upgrade process.

Note: Before removing packages, ensure that you stop all Tivoli Access Manager services and applications.

To remove components from an AIX system, follow these steps:

1. Ensure that the components are unconfigured (if necessary). Follow the instructions in “Unconfiguring Tivoli Access Manager components” on page 173.

2. Enter the following:


installp -u -g packages

where packages specifies one or more of the following.

Note: Use the -g option only if you want dependent software for the specified package removed.

IBM Global Security Kit gsksa.rte and gskta.rte

IBM Tivoli Directory Client ldap.client and ldap.max_crypto_client

IBM Tivoli Directory Server ldap.server and ldap.max_crypto_server

Access Manager Application Development Kit PD.AuthADK

Access Manager Authorization Server PD.Acld

Access Manager Java Runtime Environment PDJ.rte

Access Manager Policy Server PD.Mgr

Access Manager Policy Proxy Server PD.MgrPrxy

Access Manager Runtime PD.RTE

Access Manager Web Portal Manager PD.WPM

HP-UX: Removing packages

Uninstalling Tivoli Access Manager is a two-part process. You must unconfigure components and then remove them, unless you are instructed to do otherwise, such as during the upgrade process.

Note: Before removing packages, ensure that you stop all Tivoli Access Manager services and applications.

To remove components from an HP-UX system, follow these steps:

1. Ensure that the components are unconfigured. Follow the instructions in “Unconfiguring Tivoli Access Manager components” on page 173.

2. Enter the following:

swremove packages

where packages specifies one or more of the following:

IBM Global Security Kit gsk7bas and gsk7ikm

IBM Tivoli Directory Client LDAPClient

IBM Tivoli Directory Server LDAPServer

Access Manager Application Development Kit PDAuthADK

Access Manager Authorization Server PDAcld

Access Manager Java Runtime Environment PDJrte

Access Manager Policy Server PDMgr

Access Manager Policy Proxy Server PDMgrPrxy

Access Manager Runtime PDRTE

Access Manager Web Portal Manager PDWPM


A prompt is displayed indicating the pre-remove script is being run. Each file is listed as it is removed.

Linux: Removing packages

Uninstalling Tivoli Access Manager is a two-part process. You must unconfigure components and then remove Tivoli Access Manager packages.

Note: Before removing packages, ensure that you stop all Tivoli Access Manager services and applications.

To remove components from a Linux system, follow these steps:

1. Ensure that you have unconfigured components. Follow instructions in “Unconfiguring Tivoli Access Manager components” on page 173.

2. To list installed package names, enter the following:

v For LDAP packages:

rpm -qa | grep ldap

v For GSKit packages:

rpm -qa | grep gsk

v For Tivoli Access Manager packages:

rpm -qa | grep PD

3. Enter the following:

rpm -e packages

where packages specifies one or more of the following:

IBM Global Security Kit gsk7bas-7-0-1.9

IBM Tivoli Directory Client ldap-clientd-5.2-1

IBM Tivoli Directory Server ldap-serverd-5.2-1

Access Manager Application Development Kit PDAuthADK-PD-5.1.0-0

Access Manager Authorization Server PDAcld-PD-5.1.0-0

Access Manager Java Runtime Environment PDJrte-PD-5.1.0-0

Access Manager Policy Server PDMgr-PD-5.1.0-0

Access Manager Policy Proxy Server PDMgrPrxy-PD-5.1.0-0

Access Manager Runtime PDRTE-PD-5.1.0-0

Access Manager Web Portal Manager PDWPM-PD-5.1.0-0
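As an added example that is not part of the IBM guide, the following POSIX shell script takes the package names returned by rpm -qa | grep PD and orders them into the removal sequence Chapter 13 prescribes (applications first, the policy server after them, the runtime last), then prints the matching rpm -e commands for review instead of running them. The package list it is run against is constructed, and placing the ADK just before the runtime is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the IBM guide: order Tivoli Access Manager 5.1
# packages for removal on Linux. Reads package names as printed by
# "rpm -qa | grep PD" (one per line) from stdin and emits them in the order
# Chapter 13 unconfigures them: Web Portal Manager, authorization server,
# policy proxy server, policy server, then the Java runtime and the runtime.
# The ADK is never configured, so its position before the runtime (which it
# depends on) is an assumption of this example, not a statement of the guide.
REMOVAL_ORDER="PDWPM PDAcld PDMgrPrxy PDMgr PDAuthADK PDJrte PDRTE"

# strip_version: "PDMgr-PD-5.1.0-0" -> "PDMgr"
strip_version() {
    printf '%s\n' "$1" | sed 's/-PD-.*$//'
}

# order_removal: stdin = installed package names, stdout = the same names in
# safe removal order. Fails (status 1) on a name that is not a TAM 5.1
# package, so a typo or a foreign package never reaches rpm -e.
order_removal() {
    input=$(cat)
    for pkg in $input; do
        base=$(strip_version "$pkg")
        case " $REMOVAL_ORDER " in
            *" $base "*) ;;
            *) printf 'unknown package: %s\n' "$pkg" >&2; return 1 ;;
        esac
    done
    for base in $REMOVAL_ORDER; do
        for pkg in $input; do
            if [ "$(strip_version "$pkg")" = "$base" ]; then
                printf '%s\n' "$pkg"
            fi
        done
    done
}

# removal_commands: stdin = installed package names, stdout = one
# "rpm -e <package>" line per package in removal order. Nothing is executed;
# review the output and run it only after the components are unconfigured.
removal_commands() {
    ordered=$(order_removal) || return 1
    for pkg in $ordered; do
        printf 'rpm -e %s\n' "$pkg"
    done
}

# Constructed sample list, standing in for the output of "rpm -qa | grep PD"
# on a policy server that also hosts Web Portal Manager.
SAMPLE_PACKAGES="PDRTE-PD-5.1.0-0
PDMgr-PD-5.1.0-0
PDWPM-PD-5.1.0-0
PDJrte-PD-5.1.0-0"

printf '%s\n' "$SAMPLE_PACKAGES" | removal_commands
```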

Solaris: Removing packages

Uninstalling Tivoli Access Manager is a two-part process. You must unconfigure components and then remove them, unless you are instructed to do otherwise, such as during the upgrade process.

Note: Before removing packages, ensure that you stop all Tivoli Access Manager services and applications.

To remove components from a Solaris system, follow these steps:

1. Ensure that the components are unconfigured. To unconfigure components, follow the instructions in “Unconfiguring Tivoli Access Manager components” on page 173.


2. To remove a package, enter the following:

pkgrm package

where package specifies one of the following:

IBM Global Security Kit gsk7bas and gsk7ikm

IBM Tivoli Directory Client IBMldapc

IBM Tivoli Directory Server IBMldaps

Access Manager Application Development Kit PDAuthADK

Access Manager Authorization Server PDAcld

Access Manager Java Runtime Environment PDJrte

Access Manager Policy Server PDMgr

Access Manager Policy Proxy Server PDMgrPrxy

Access Manager Runtime PDRTE

Access Manager Web Portal Manager PDWPM

3. When prompted to confirm the removal of these components, enter y.

A prompt is displayed indicating the preremove script is being run. Each file is listed as it is removed.

Windows: Removing packages

Uninstalling Tivoli Access Manager is a two-part process. You must unconfigure components and then remove them, unless you are instructed to do otherwise, such as during the upgrade process.

Note: Before removing packages, ensure that you stop all Tivoli Access Manager services and applications.

To remove components from a Windows system, follow these steps:

1. Log on as a user with Windows administrator privileges.

2. Select Start → Settings → Control Panel and then click Add/Remove Programs.

3. Select one of the installed components and then click Remove.

4. Select another component from the list or click OK to exit the program.

5. To remove GSKit from your system, enter the following command:

isuninst -f"c:\program files\ibm\gsk7\gsk7bui.isu"

where c:\program files\ibm\gsk7 is the fully-qualified path where the gsk7BUI.isu file is located.

Note: Unlike the other Tivoli Access Manager components, GSKit cannot be uninstalled using the Add/Remove Programs icon.


Chapter 14. Installation wizard scenarios

This chapter provides step-by-step instructions with illustrations on how to install and configure the following Tivoli Access Manager systems using installation wizards.

v “Using the install_ldap_server wizard” on page 180

v “Using the install_ammgr wizard” on page 189

For descriptions of configuration options that you are prompted for, see Chapter 15, “Installation wizard options,” on page 197.


Using the install_ldap_server wizard

The following scenario uses the install_ldap_server wizard to install and configure IBM Tivoli Directory Server as the Tivoli Access Manager registry. This program installs and configures all necessary software on your system, including prerequisite products, Tivoli Access Manager components, and associated patches.

Pre-installation requirements

Before you install and configure IBM Tivoli Directory Server, you must perform the following pre-installation tasks (as required). These requirements are applicable, regardless of which installation method you plan to use.

v Create a DB2 database owner ID, for example, ldapdb2 (UNIX) or db2admin (Windows). The user ID you specify will own the database instance where the DB2 database will exist. You will be prompted for this ID and password during configuration.

Note: Windows users only — If you run the install_ldap_server installation wizard, the identity you create will be used for both the DB2 Administrator ID and the DB2 database owner ID. It is recommended that you create and use separate IDs when using a native installation utility. For example, name the DB2 database owner ID, ldapdb2, and the DB2 Administrator ID, db2admin.

– The user ID can be no longer than 8 characters.

– On Windows platforms, the user must be a member of the Administrators group and must be in the same domain as the Administrator ID.

– On UNIX platforms, the user must have a home directory and must be the owner of the home directory.

– Choose a directory where the DB2 database will be located. The installation wizard will prompt for this directory under Directory server database home.

- The group ownership of the DB2 database directory should be the DB2 group created when DB2 was installed. On AIX and Solaris, this group is usually named dbsysadm. For Linux on zSeries, this group is usually named db2iadm1. For example, in the case of a user named ldapdb2, the database directory should be owned by ldapdb2:dbsysadm on AIX and Solaris or by ldapdb2:db2iadm1 for Linux on zSeries.

There might be some groups that do not work correctly as the user’s primary group when configuring the database. For example, if the user’s primary group on Linux is users, problems might occur. You must use other on Linux if you want to be sure that the primary group will work.

– The user root must be a member of the group chosen to own the DB2 database directory. If root is not a member of this group, add root as a member of the group.

– For best results, the user’s login shell should be the Korn shell (/usr/bin/ksh).

– The user’s password must be set correctly and ready to use. For example, the password cannot be expired or waiting for a first-time validation of any kind. (The best way to verify that the password is correctly set is to telnet to the same computer and successfully log in with that user ID and password.)

– When configuring the database, it is not necessary, but customary, to specify the home directory of the user ID as the database location. However, if you specify some other location, the user’s home directory still must have 3 to 4 MB of space available. This is because DB2 creates links and adds files into the home directory of the instance owner (that is, the User) even though the database itself is elsewhere. If you do not have enough space in the home directory, you can either create enough space or specify another directory as the home directory.

v On AIX systems only, IBM Tivoli Directory Server, Version 5.2, requires 64-bit hardware and a 64-bit kernel. To ensure that your system is set up correctly, review the following:

– To verify that your AIX hardware is 64-bit, enter the following:

bootinfo -y

If results display 64, your hardware is 64-bit. In addition, if you type the command lsattr -El proc0, the output of the command returns the type of processor for your server. If you have any of the following, you have 64-bit hardware: RS64 I, II, III, IV, POWER3, POWER3 II or POWER4.

– 64-bit hardware can have either a 32 or 64-bit kernel. To verify that you have a 64-bit kernel (/usr/lib/boot/unix_64) installed and running, enter the following:

bootinfo -K

If results display 64, the kernel is 64-bit. However, if results display 32, you must switch from the 32-bit kernel to the 64-bit kernel. To do so, follow these steps:

1. Ensure that you have the following 64-bit packages:

bos.64bit
bos.mp64

2. To switch to the 64-bit kernel, enter the following commands:

ln -sf /usr/lib/boot/unix_64 /unix
ln -sf /usr/lib/boot/unix_64 /usr/lib/boot/unix
lslv -m hd5
bosboot -ad /dev/ipldevice
shutdown -Fr

– Ensure that asynchronous I/O is enabled. To do so, enter the following commands:

/usr/sbin/mkdev -l aio0
/usr/sbin/chdev -l aio0 -P
/usr/sbin/chdev -l aio0 -P -a autoconfig=available
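The UNIX requirements for the DB2 database owner ID listed above can be checked before the wizard prompts for that ID. The following POSIX shell script is an added example, not part of the IBM guide: it verifies the user ID length, home directory, login shell and group membership rules against passwd and group entries, and warns about the Linux users group the guide calls out. The sample entries at the bottom are constructed; getent, used only by preflight, is assumed to exist (Linux and Solaris), so on AIX the entries would be obtained with lsuser instead.

```shell
#!/bin/sh
# Added example, not from the IBM guide: preflight checks for the DB2
# database owner ID that install_ldap_server prompts for (UNIX). Each check
# mirrors one requirement in the pre-installation list. The entries used at
# the bottom are constructed sample data. getent (used by preflight) is an
# assumption that holds on Linux and Solaris but not on AIX.

# check_owner_entry PASSWD_LINE
# Checks an /etc/passwd line: user ID of at most 8 characters, a home
# directory set, and the Korn shell as login shell. Prints one FAIL line per
# broken rule and returns 1 if any rule is broken.
check_owner_entry() {
    oldifs=$IFS; IFS=:
    set -- $1
    IFS=$oldifs
    name=$1; home=$6; shell=$7
    rc=0
    if [ "${#name}" -gt 8 ]; then
        echo "FAIL: user ID '$name' is longer than 8 characters"; rc=1
    fi
    if [ -z "$home" ]; then
        echo "FAIL: user '$name' has no home directory set"; rc=1
    fi
    if [ "$shell" != /usr/bin/ksh ]; then
        echo "FAIL: login shell for '$name' is '$shell', expected /usr/bin/ksh"; rc=1
    fi
    return $rc
}

# check_group_entry GROUP_LINE USER USER_GID
# Checks the /etc/group line of the group that will own the DB2 database
# directory: root must be a member, and USER must be a member either by
# listing or because USER_GID (from passwd) is this group's gid. Warns about
# the Linux "users" group, which the guide says may not work as primary group.
check_group_entry() {
    user=$2; user_gid=$3
    oldifs=$IFS; IFS=:
    set -- $1
    IFS=$oldifs
    group=$1; gid=$3; members=$4
    rc=0
    case ",$members," in
        *",root,"*) ;;
        *) echo "FAIL: root is not a member of group '$group'"; rc=1 ;;
    esac
    case ",$members," in
        *",$user,"*) ;;
        *) if [ "$gid" != "$user_gid" ]; then
               echo "FAIL: '$user' is not a member of group '$group'"; rc=1
           fi ;;
    esac
    if [ "$group" = users ]; then
        echo "WARN: group 'users' may not work as the primary group on Linux"
    fi
    return $rc
}

# check_home_dir USER HOME
# The home directory must exist and be owned by USER. ls -ld is used so the
# check behaves the same on AIX, Solaris and Linux.
check_home_dir() {
    if [ ! -d "$2" ]; then
        echo "FAIL: home directory '$2' of '$1' does not exist"; return 1
    fi
    owner=$(ls -ld "$2" | awk '{print $3}')
    if [ "$owner" != "$1" ]; then
        echo "FAIL: '$2' is owned by '$owner', not '$1'"; return 1
    fi
}

# preflight USER GROUP: run every check against the live system (getent).
preflight() {
    pw=$(getent passwd "$1") || { echo "FAIL: no passwd entry for '$1'"; return 1; }
    gr=$(getent group "$2") || { echo "FAIL: no group entry for '$2'"; return 1; }
    gid=$(printf '%s\n' "$pw" | cut -d: -f4)
    home=$(printf '%s\n' "$pw" | cut -d: -f6)
    rc=0
    check_owner_entry "$pw" || rc=1
    check_group_entry "$gr" "$1" "$gid" || rc=1
    check_home_dir "$1" "$home" || rc=1
    [ $rc -eq 0 ] && echo "OK: '$1' meets the DB2 database owner requirements"
    return $rc
}

# Constructed sample entries (not from a real system): an owner that passes,
# and one that breaks the 8-character and login-shell rules.
check_owner_entry "ldapdb2:x:1001:300:DB2 owner:/home/ldapdb2:/usr/bin/ksh"
check_group_entry "dbsysadm:x:300:root" ldapdb2 300
check_owner_entry "ldapdbowner:x:1002:300::/home/ldapdbowner:/bin/bash" || true
```

Run preflight ldapdb2 dbsysadm on the target system once the ID exists; the password-expiry requirement is not covered here and still needs the login test the guide describes.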

install_ldap_server scenario

To install and configure IBM Tivoli Directory Server and its prerequisite software, follow these steps:

1. Log on as root or as an Administrative user.

2. Insert the IBM Tivoli Access Manager Directory Server CD for your particular platform.

3. Ensure that you have a supported JVM installed and the path set to the JVM.

Otherwise, you will receive the following message during installation:

A suitable JVM could not be found.
Please run the installer again using the option -is:javahome <JAVA HOME DIR>

To install the supported JRE package shipped with Tivoli Access Manager, see “Installing IBM JRE” on page 153.

4. If you plan to enable SSL, manually copy the SSL key file that you plan to use to any directory on your local system. The installation wizard copies a sample key file (am_key.kdb) from the common directory on your CD to the install_dir\lib directory for you.


5. To start the installation wizard, change to the root directory on the drive where the CD is located and enter the following:

install_ldap_server

6. Select the language that you want to use for the installation and click OK.

7. The Welcome screen is displayed. Click Next to continue.


8. Read the license agreement and select I accept if you agree to the terms. Click Next to continue.

9. Do one of the following:

v Windows systems: The next three panels prompt you to specify installation directories for GSKit, the IBM DB2, and the IBM Tivoli Directory Server. Accept the default directories or click Browse to select another directory. Click Next to continue.

v UNIX systems: Skip to step 10 on page 184. The installation wizard automatically installs GSKit, IBM DB2, and the IBM Tivoli Directory Server in the following directories:

– GSKit installation directory

AIX: /usr/opt/ibm/gsksa and /usr/opt/ibm/gskta

HP-UX and Solaris: /opt/ibm/gsk7

Linux: /usr/local/ibm/gsk7

– IBM DB2 installation directory

AIX and Linux: /usr/ldap/db2

HP-UX and Solaris: /opt/IBM/db2

– IBM Tivoli Directory Server installation directory

AIX and Linux: /usr/ldap

HP-UX and Solaris: /opt/IBMldaps


10. Enter the user ID and password for the DB2 database owner ID you created in “Pre-installation requirements” on page 180. Click Next to continue.

11. Complete the following fields and then click Next to continue.

a. Administrator ID—Type a valid DN or accept the default DN (cn=root). This is the DN used by the administrator who has full access to all data in the directory.

Note: DNs are not case-sensitive. If you are unfamiliar with X.500 format, or if for any other reason you do not want to define a new DN, accept the default DN.

b. Administrator password—Create a password for the Administrator ID. Note that passwords are case-sensitive.

c. Password confirmation—Type the password again for confirmation.

d. User-defined suffix—Type a suffix to maintain user and group data. For example: o=ibm,c=us

e. Local host name—Type the fully qualified name of the host system on which the LDAP server will reside.


12. Complete the following fields and then click Next to continue.

Note: If you do not plan to use am_key.kdb, change values for the SSL key file path, password, and certificate label accordingly.

a. Type the password associated with the SSL key file. The password for the default key file is key4ssl (lowercase).

b. Type the label associated with the SSL key file certificate to be sent to the LDAP server. The default key file certificate is PDLDAP.

Note: This label is not required during configuration of the policy server or the authorization server. This value is required only if the server is configured to perform both server and client authentication during SSL establishment or if you want to use a non-default certificate in your key file. Typically, the LDAP server requires only server-side certificates that were specified during the creation of the client .kdb file.


13. Review the configuration options that you selected. If you want to change any of your selections, click Back. Click Next to begin the installation.

The installation process begins. Please wait. This process could take several minutes.

Note: On Windows systems, you are intermittently prompted to restart your system.


14. Monitor the installation and configuration of the IBM Tivoli Directory Server and its prerequisite products.

When the restart panel is displayed, select to restart your computer now and click Finish. After the restart, the Configuration Tool runs, prompting you for the necessary information to complete server configuration. Continue to monitor the configuration process and click Finish when configuration has completed.

Note: If the installation process encounters any problems, consult the installation log file, msg__ldaps_install.log, located in the following directory:

v On UNIX systems:

/tmp

v On Windows systems:

C:\Documents and Settings\Administrator\Local Settings\Temp

15. Optional: Install the Web Administration Tool, which enables you to administer IBM Tivoli Directory servers either locally or remotely. You can install this interface at any time. Note that an application server is required, such as IBM WebSphere Application Server 5.0.2 (shipped with Tivoli Access Manager). If your deployment plan includes installing the Web Portal Manager interface, you can use the same WebSphere instance to host the Web Administration Tool. To install this GUI, see page 167.

Note: If you are running IBM Tivoli Directory Server, Version 4.1 or 5.1, ensure that you run the am_update_ldap.bat LDAP patch before installing the Web Administration Tool.

16. If you enabled SSL using the default am_key.kdb key file, you will eventually need to create and use your own key file to enable SSL or change this key file’s default password. To do so, you can use the iKeyman key management utility, which is installed with GSKit. For instructions, see information about setting up the GSKit iKeyman utility in “Installing the Global Security Kit” on page 145.


Using the install_ammgr wizard

After you have successfully installed your user registry, the next step is to set up the Tivoli Access Manager policy server. The following scenario uses the install_ammgr wizard to install and configure the policy server using an LDAP registry. This program installs and configures all necessary software on your system, including Tivoli Access Manager components, related products, and associated patches.

Note: It is recommended that you set up your policy server on a separate system from the registry server.

To install and configure the Tivoli Access Manager policy server using the install_ammgr wizard, follow these steps:

1. Log on as root or as an Administrative user.

2. Stop any programs that are running and close all windows. If you have open windows, the initial InstallShield Wizard window might be hidden behind other windows.

3. Ensure that the registry server and policy server are up and running (in normal mode).

4. Insert the IBM Tivoli Access Manager Base CD for your particular platform.

5. If you are installing the policy server on the same system as IBM Tivoli Directory Server, skip to step 6. Otherwise, manually copy the SSL key file that you used to configure the IBM Tivoli Directory Server to a directory on this system. For example, if you used the sample am_key.kdb file, copy this file from the IBM Tivoli Directory Server system to this system.

6. To start the installation wizard, change to the root directory on the drive where the CD is located and enter the following:

install_ammgr

7. Select the language that you want to use for the installation and click OK.


8. The Welcome screen is displayed. Click Next to continue.

9. Read the license agreement and select I accept if you agree to the terms. Click Next to continue.


10. Select the user registry type that you plan to use for Tivoli Access Manager. Click Next to continue.

11. Select whether to enable Tivoli Common Directory for logging. This represents a central location on systems running Tivoli software for storing files, such as trace and message logs.

The first time you configure this feature, you can specify the directory where you want the log files to reside. Afterwards, you can configure Tivoli software to use this directory.

12. Do one of the following:


v Windows systems: The next three panels prompt you to specify installation directories for GSKit, IBM DB2, and the IBM Tivoli Directory Client. Accept the default directories or click Browse to select another directory. Click Next to continue.

v UNIX systems: Skip to step 13. The installation wizard automatically installs GSKit, IBM DB2, and the IBM Tivoli Directory Client in the following directories:

– GSKit installation directory

AIX: /usr/opt/ibm/gsksa and /usr/opt/ibm/gskta

HP-UX and Solaris: /opt/ibm/gsk7

Linux: /usr/local/ibm/gsk7

– IBM DB2 installation directory

AIX and Linux: /usr/ldap/db2

HP-UX and Solaris: /opt/IBM/db2

– IBM Tivoli Directory Client installation directory

AIX and Linux: /usr/ldap

HP-UX and Solaris: /opt/IBMldapc

13. Complete the following fields and click Next.

v LDAP server host name—Type the host name of the LDAP server system.

v LDAP server port—The LDAP server port is already provided (389). If you changed this port number during configuration of the LDAP server, modify this value accordingly.

v Enable Secure Sockets Layer (SSL) with the IBM Tivoli Directory Server (Windows systems only)—For security purposes, it is recommended that you enable SSL with the registry server. To do so, select this check box to be prompted for the SSL options listed in step 15 on page 193. Otherwise, skip to step 16 on page 193.


14. On UNIX systems only, you are prompted to enable Secure Sockets Layer (SSL) with the IBM Tivoli Directory Server. For security purposes, it is recommended that you enable SSL with the LDAP server. To do so, select this check box and click Next to be prompted for the SSL options listed in step 15.

15. If you selected to enable SSL with the IBM Tivoli Directory Server, complete the following fields and select Next.

v SSL key file with full path—Type the fully qualified path where the LDAP SSL client key file is located. For example, if you copied the am_key.kdb file to the c:\keytabs directory, enter c:\keytabs\am_key.kdb.

v Key file password—Type the password associated with the key file. The default password for the am_key.kdb file is key4ssl. In the future, when you change this password using the gsk7ikm utility, you must recall this default password.

v SSL key file DN—The SSL certificate label is not required if using the installation wizard’s default key file, am_key.kdb.

v SSL port—The SSL port number is already provided (636). Modify the port number if needed.

16. Complete the following fields and click Next.

v Administrator password—Create an administrator password for the security master ID (sec_master). You can use the sec_master ID to define your own administrative IDs, groups, and their capabilities.

v Policy server SSL port—The SSL port number is already provided (7135). Modify the port number if needed.

v SSL certificate lifecycle (days)—Type the number of days that the SSL certificate file is valid. The default number of days is 365.

v SSL connection timeout (seconds)—Type the duration (in seconds) that an SSL connection waits for a response before timing out. The default number of seconds is 7200.


v LDAP administrator DN—Type the LDAP administrator DN or accept the default value (cn=root).

v LDAP administrator password—Type the password associated with the LDAP administrator DN.

17. Review the configuration options that you selected. If you want to change any of your selections, click Back. Click Next to begin the installation.

The installation process begins. Please wait. This process could take several minutes.


18. Monitor the installation and configuration of the policy server and its prerequisite products.

Windows systems: When prompted to restart your system, click Next. After your system is restarted, the installation wizard is displayed. Specify your language and click Next. When policy server configuration has completed, click Finish to exit the installation wizard.

After configuring the policy server, you can set up additional Tivoli Access Manager systems in the management domain. For a list of Tivoli Access Manager systems, see “Types of Tivoli Access Manager systems” on page 11.


Chapter 15. Installation wizard options

This chapter describes the configuration options that you are prompted for when using the installation wizards. Configuration options are included for the following:

v “Access Manager Runtime (LDAP)” on page 198

v “Access Manager Runtime (Active Directory)” on page 200

v “Access Manager Runtime (Domino)” on page 203

v “install_amacld” on page 205

v “install_amadk” on page 207

v “install_amjrte” on page 208

v “install_ammgr” on page 209

v “install_amproxy” on page 211

v “install_amrte” on page 212

v “install_amwpm” on page 213

v “install_ldap_server” on page 214


Access Manager Runtime (LDAP)

Table 6 lists configuration options for the Access Manager Runtime package when using an LDAP registry. You are prompted for these options during configuration of a Tivoli Access Manager system requiring this installation component. You are also prompted for these options when using the install_amrte installation wizard as instructed in “Installing using the installation wizard” on page 125.

Note: You are not prompted for policy server options during installation of the policy server using the install_ammgr wizard.

Table 6. Access Manager Runtime options — LDAP. * indicates a required option.

Configuration Options                                    Default Value

Registry *
    Select to specify the type of registry server that has been set up for Tivoli Access Manager. The default value is LDAP.

Directory name for the IBM Global Security Kit (prompted for on Windows only)
    Specifies the GSKit installation directory. Default directories are as follows:
    v AIX: /usr/opt/ibm/gsksa and /usr/opt/ibm/gskta
    v HP-UX and Solaris: /opt/ibm/gsk7
    v Linux: /usr/local/ibm/gsk7
    v Windows: C:\Program Files\ibm\gsk7

Directory name for the IBM Tivoli Directory Client (prompted for on Windows only)
    Specifies the IBM Tivoli Directory Client installation directory. Default directories are as follows:
    v AIX and Linux: /usr/ldap
    v HP-UX and Solaris: /opt/IBMldapc
    v Windows: C:\Program Files\ibm\LDAP

Directory name for the Access Manager Runtime (prompted for on Windows only)
    Specifies the Access Manager Runtime installation directory. Default directories are as follows:
    v UNIX: /opt/PolicyDirector
    v Windows: C:\Program Files\Tivoli\Policy Director

Enable Tivoli Common Directory for Logging
    Select to enable Tivoli Common Directory—a central location on systems running Tivoli software for storing files, such as trace and message logs.

Directory name *
    Specifies the log directory for the first Tivoli software product installed.
    The first time you configure Tivoli Common Directory, you can specify the directory where you want the log files to reside. Afterwards, you can configure Tivoli software to use this directory.

Policy server host name *
    Specifies the fully qualified host name of the policy server. For example: pdmgr.tivoli.com

Policy server SSL port *
    Specifies the port number on which the policy server listens for SSL requests. The default port number is 7135.

Policy server CA certificate file
    File can be automatically downloaded or copied from the policy server.

Domain *
    Specifies the domain name. The default is Default, which indicates the management domain.

LDAP server host name *
    Specifies the port number on which the LDAP server listens. The default port number is 389.

LDAP server port *
    Specifies the port number on which the LDAP server listens for SSL requests. The default port number is 636.

Enable Secure Sockets Layer (SSL) with the registry server (prompted on Windows only)
    Specifies whether SSL should be enabled. This option is recommended.

On Windows only, you can enable SSL with the LDAP server. If selected, you are prompted for the next four values:

SSL key file with full path *
    Specifies the fully qualified path name where the client LDAP key database file is located on the runtime system. This key file must be obtained from the LDAP server.
    Note: The signer of the SSL certificate must be recognized as a trusted certificate authority in the client key database.

SSL key file password *
    Specifies the password of the client LDAP key database file.
    The am_key.kdb file shipped with Tivoli Access Manager has a default password of key4ssl.
    These defaults are usable if you install and configure the IBM Tivoli Directory Server using the install_ldap_server program. If you decide to change this password using the gsk7ikm utility, you must recall this default password.

Certificate label
    Specifies the label in the client LDAP key database file of the client certificate to be sent to the server.
    This label is required only if the server is configured to require client authentication during SSL establishment or if you want to use a non-default certificate in your key file.
    Typically, the LDAP server requires only server-side certificates that were specified during creation of the client .kdb file. If the SSL client key file label is not required, leave this field blank.

SSL port *
    Specifies the port number on which the LDAP server listens for SSL requests. The default port number is 636.


Access Manager Runtime (Active Directory)

Table 7 lists configuration options for the Access Manager Runtime component when using an Active Directory registry. You are prompted for these options during configuration of a Tivoli Access Manager system requiring this installation component. You are also prompted for these options when using the install_amrte installation wizard as instructed in “Installing using the installation wizard” on page 125.

Active Directory users can run Tivoli Access Manager on all Windows and UNIX platforms currently supported in the Tivoli Access Manager product (with the exception of Windows NT).

UNIX platforms make use of the IBM Tivoli Directory Client to communicate with Active Directory. This LDAP client is also used in cases where the policy server domain differs from the domain of the local host name.

Table 7. Access Manager Runtime options — Active Directory. * indicates a required option.

Configuration Options                                    Description

Registry *
    Select to specify the type of registry server that has been set up for Tivoli Access Manager — Active Directory. The default value is LDAP.

Directory name for the IBM Global Security Kit (prompted for on Windows only)
    Specifies the GSKit installation directory. Default directories are as follows:
    v AIX: /usr/opt/ibm/gsksa and /usr/opt/ibm/gskta
    v HP-UX and Solaris: /opt/ibm/gsk7
    v Linux: /usr/local/ibm/gsk7
    v Windows: C:\Program Files\ibm\gsk7

Directory name for the IBM Tivoli Directory Client (prompted for on Windows only)
    Specifies the IBM Tivoli Directory Client installation directory. Default directories are as follows:
    v AIX and Linux: /usr/ldap
    v HP-UX and Solaris: /opt/IBMldapc
    v Windows: C:\Program Files\ibm\LDAP

Directory name for the Access Manager Runtime (prompted for on Windows only)
    Specifies the Access Manager Runtime installation directory. Default directories are as follows:
    v UNIX: /opt/PolicyDirector
    v Windows: C:\Program Files\Tivoli\Policy Director

Enable Tivoli Common Directory for Logging
    Select to enable Tivoli Common Directory—a central location on systems running Tivoli software for storing files, such as trace and message logs.

Directory name *
    Specifies the log directory for the first Tivoli software product installed.
    The first time you configure Tivoli Common Directory, you can specify the directory where you want the log files to reside. Afterwards, you can configure Tivoli software to use this directory.

Policy server host name *
    Specifies the fully qualified host name of the policy server. For example: pdmgr.tivoli.com

Policy server SSL port *
    Specifies the port number on which the policy server listens for SSL requests. The default port number is 7135.

Policy server CA certificate file
    File can be automatically downloaded or copied from the policy server.

Domain *
    Specifies the domain name. The default is Default, which indicates the management domain.

Local host name *
    Specifies the fully qualified name of the host system on which the plug-in will reside.

Active Directory host name *
    Specifies the Active Directory domain controller server name. For example: adserver.tivoli.com

Active Directory domain *
    Specifies the Active Directory domain name. For example: dc=ibm,dc=com

Configure to multiple Active Directory domains (prompted on Windows only)
    Default: Not enabled. Select to configure to multiple domains. Otherwise, Tivoli Access Manager is configured to a single domain (the default value).

Enable encrypted connections (prompted on Windows only)
    Default: Not enabled. Specifies that Kerberos is used in the Active Directory Service Interface (ADSI) to encrypt data in the connection to the Active Directory server. This setting is equivalent to enabling an SSL connection in a non-Windows environment.

Enable Secure Sockets Layer (SSL) with the Active Directory server (prompted only when installing on UNIX systems or on systems that do not belong to the Active Directory domains where the policy server is configured)
    Specifies whether to enable encrypted connections. This option is recommended if you are installing Tivoli Access Manager on a UNIX system.

If you select to enable SSL communication between this UNIX system and the Active Directory server, you are prompted for the next four values:

SSL key file with full path *
    Specifies the fully qualified path name where the client LDAP key database file is located. This key file must be obtained from the LDAP server.
    Note: The signer of the SSL certificate must be recognized as a trusted certificate authority in the client key database.

SSL key file password *
    Specifies the password of the client LDAP key database file.
    The am_key.kdb file shipped with Tivoli Access Manager has a default password of key4ssl.
    These defaults are usable if you install and configure the IBM Tivoli Directory Server using the install_ldap_server program. If you decide to change this password using the gsk7ikm utility, you must recall this default password.

Certificate label
    Specifies the label in the client LDAP key database file of the client certificate to be sent to the server.
    This label is required only if the server is configured to require client authentication during SSL establishment or if you want to use a non-default certificate in your key file.
    Typically, the LDAP server requires only server-side certificates that were specified during creation of the client .kdb file. If the SSL client key file label is not required, leave this field blank.

SSL port
    Specifies the port number on which the LDAP server listens for SSL requests. The default port number is 636.

Access Manager data location distinguished name *
    Specifies the distinguished name where you want to store Tivoli Access Manager data. For example: dc=ibm,dc=com. The default value is the Active Directory domain name.


Access Manager Runtime (Domino)

Table 8 lists configuration options for the Access Manager Runtime component when using a Domino registry (Windows only). You are prompted for these options during configuration of a Tivoli Access Manager system that requires this installation component. You are also prompted for these options when using the install_amrte installation wizard as instructed in “Installing using the installation wizard” on page 125.

Table 8. Access Manager Runtime options — Domino. * indicates a required option.

Configuration Options                                    Default Value

Registry *
    Select to specify the type of registry server that has been set up for Tivoli Access Manager — Domino. The default value is LDAP.

Directory name for the IBM Global Security Kit
    Specifies the GSKit installation directory. The default directory is C:\Program Files\ibm\gsk7.

Directory name for the Access Manager Runtime
    Specifies the Access Manager Runtime installation directory. The default directory is C:\Program Files\Tivoli\Policy Director.

Enable Tivoli Common Directory for Logging
    Select to enable Tivoli Common Directory—a central location on systems running Tivoli software for storing files, such as trace and message logs.

Directory name *
    Specifies the log directory for the first Tivoli software product installed.
    The first time you configure Tivoli Common Directory, you can specify the directory where you want the log files to reside. Afterwards, you can configure Tivoli software to use this directory.

Policy server host name *
    Specifies the fully qualified host name of the policy server. For example: pdmgr.tivoli.com

Policy server SSL port *
    Specifies the port number on which the policy server listens for SSL requests. The default port number is 7135.

Policy server CA certificate file
    File can be automatically downloaded or copied from the policy server.

Domain *
    Specifies the domain name. The default is Default, which indicates the management domain.

Domino server name *
    Specifies the fully qualified name of the Domino server. For example: Domino/tivoli

Notes client password *
    Specifies the password associated with the Administrative user’s Notes ID file located on this machine.

Notes address book database name *
    The default value is names.nsf.

Tivoli Access Manager database name *
    Specifies the database name that is associated with Tivoli Access Manager data. The default value is PDMdata.nsf.


install_amacld

The Tivoli Access Manager authorization server installation wizard (install_amacld) first prompts you for Access Manager Runtime configuration options based on the type of registry server. For descriptions of these configuration options, see one of the following:

v “Access Manager Runtime (LDAP)” on page 198

v “Access Manager Runtime (Active Directory)” on page 200

v “Access Manager Runtime (Domino)” on page 203

Table 9 lists additional options prompted for during installation using the install_amacld wizard as instructed in “Installing using the installation wizard” on page 99.

Table 9. install_amacld configuration options. * indicates a required option.

Configuration Options                                    Description

Policy server host name *
    Specifies the fully qualified host name of the policy server. For example: pdmgr.tivoli.com

Policy server SSL port *
    Specifies the port number on which the policy server listens for SSL requests. The default port number is 7135.

Domain *
    Specifies the domain name. The default is Default, which indicates the management domain.

Administrator ID *
    Specifies the administrator of the management domain. Defaults to sec_master.

Tivoli Access Manager administrator password *
    Specifies the password for the Tivoli Access Manager sec_master administrator account.

Local host name *
    Specifies the fully qualified name of the host system on which the authorization server will reside.

Administration request port *
    Specifies the administration request port. The default port number is 7137.

Authorization request port *
    Specifies the authorization request port number. The default port number is 7136.

On UNIX only, you can enable SSL with the registry server. If selected, you are prompted for the next four values:

SSL key file with full path *
    Specifies the fully qualified path name where the client LDAP key database file is located on the policy proxy server. This key file must be obtained from the LDAP server.
    Note: The signer of the SSL certificate must be recognized as a trusted certificate authority in the client key database.

SSL key file password *
    Specifies the password of the client LDAP key database file.
    The am_key.kdb file shipped with Tivoli Access Manager has a default password of key4ssl.
    These defaults are usable if you install and configure the IBM Tivoli Directory Server using the install_ldap_server program. If you decide to change this password using the gsk7ikm utility, you must recall this default password.

Certificate label
    Specifies the label in the client LDAP key database file of the client certificate to be sent to the server.
    This label is required only if the server is configured to require client authentication during SSL establishment or if you want to use a non-default certificate in your key file.
    Typically, the LDAP server requires only server-side certificates that were specified during creation of the client .kdb file. If the SSL client key file label is not required, leave this field blank.

SSL port *
    Specifies the port number on which the LDAP server listens for SSL requests. The default port number is 636.


install_amadk

The Tivoli Access Manager development (ADK) system wizard (install_amadk) prompts you for Access Manager Runtime configuration options based on the type of registry server. For descriptions of these configuration options, see one of the following:

v “Access Manager Runtime (LDAP)” on page 198

v “Access Manager Runtime (Active Directory)” on page 200

v “Access Manager Runtime (Domino)” on page 203

There are no ADK-specific configuration options.


install_amjrte

Table 10 lists configuration option descriptions for a Tivoli Access Manager Java runtime environment system. You are prompted for these options during configuration using the install_amjrte installation wizard as instructed in Chapter 8, “Setting up a Java runtime environment system,” on page 113.

Table 10. install_amjrte configuration options. * indicates a required option.

Configuration Options                                    Default Value

Enable Tivoli Common Directory for Logging
    Select to enable Tivoli Common Directory—a central location on systems running Tivoli software for storing files, such as trace and message logs.

Directory name *
    Specifies the log directory for the first Tivoli software product installed.
    The first time you configure Tivoli Common Directory, you can specify the directory where you want the log files to reside. Afterwards, you can configure Tivoli software to use this directory.

Policy server host name *
    Specifies the fully qualified host name of the policy server. For example: pdmgr.tivoli.com

Policy server SSL port *
    Specifies the port number on which the policy server listens for SSL requests. The default port number is 7135.

JRE directory *
    Specifies the directory of the Java Runtime Environment that is being configured for Tivoli Access Manager.


install_ammgr

The Tivoli Access Manager policy server installation wizard (install_ammgr) first prompts you for Access Manager Runtime configuration options based on the type of registry server. For descriptions of these configuration options, see one of the following:

v “Access Manager Runtime (LDAP)” on page 198

v “Access Manager Runtime (Active Directory)” on page 200

v “Access Manager Runtime (Domino)” on page 203

Table 11 lists additional options prompted for during installation using the install_ammgr wizard as instructed in “Installing using the installation wizard” on page 89.

Note: Depending on whether you are installing on a UNIX or Windows platform, you might be prompted for these options in a different order than listed.

Table 11. install_ammgr configuration options. * indicates a required option.

Configuration Options                                    Description

Tivoli Access Manager administrator password * (for sec_master)
    Specifies the password for the Tivoli Access Manager sec_master administrator account.

Password confirmation *
    Specify the sec_master password again for confirmation.

Policy server SSL port *
    Specifies the port number on which the policy server listens for SSL requests. The default port number is 7135.

SSL certificate lifecycle (days) *
    Specifies the number of days that the SSL certificate file is valid. The default number of days is 365.

SSL connection timeout (seconds) *
    Specifies the duration (in seconds) that an SSL connection waits for a response before timing out. The default number of seconds is 7200.

You can enable SSL with the registry server. If selected, you are prompted for the next four values:

SSL key file with full path *
    Specifies the fully qualified path name where the client LDAP key database file is located on the policy proxy server. This key file must be obtained from the LDAP server.
    Note: The signer of the SSL certificate must be recognized as a trusted certificate authority in the client key database.

SSL key file password *
    Specifies the password of the client LDAP key database file.
    The am_key.kdb file shipped with Tivoli Access Manager has a default password of key4ssl.
    These defaults are usable if you install and configure the IBM Tivoli Directory Server using the install_ldap_server program. If you decide to change this password using the gsk7ikm utility, you must recall this default password.

Certificate label
    Specifies the label in the client LDAP key database file of the client certificate to be sent to the server.
    This label is required only if the server is configured to require client authentication during SSL establishment or if you want to use a non-default certificate in your key file.
    Typically, the LDAP server requires only server-side certificates that were specified during creation of the client .kdb file. If the SSL client key file label is not required, leave this field blank.

SSL port *
    Specifies the port number on which the LDAP server listens for SSL requests. The default port number is 636.

If you enable SSL with an LDAP server, you are also prompted for the following values:

LDAP administrator DN *
    Specifies the distinguished name of the LDAP administrator. The default name is cn=root.

LDAP administrator password *
    Specifies the password associated with the LDAP administrator DN.
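As an added example (not part of the IBM guide or the wizard itself), the following Python script checks a set of install_ammgr answers against what the "Using the install_ammgr wizard" procedure and Table 11 state before the wizard is run: required options, matching password confirmation, valid port numbers, the recommendation to enable SSL with the registry server and to keep the registry on a separate system, and the shipped am_key.kdb password key4ssl. The dictionary keys and the sample values are assumptions chosen here; they mirror the wizard prompts but are not the wizard's own.

```python
"""Pre-flight lint for install_ammgr wizard answers.

Added example, not part of the IBM guide or of the wizard: it encodes the
constraints the install_ammgr procedure and Table 11 state (required options,
recommended SSL with the registry server, the shipped am_key.kdb password,
policy server on a separate system, default port numbers) as checks that run
over a response dict before the wizard is started. The dict keys are names
chosen here; they mirror the wizard prompts but are not the wizard's own.
"""
import ntpath
import posixpath
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

# Defaults quoted in the guide.
DEFAULT_KEY_FILE = "am_key.kdb"
DEFAULT_KEY_PASSWORD = "key4ssl"
DEFAULT_PORTS = {
    "ldap_server_port": 389,
    "ssl_port": 636,                # LDAP SSL port
    "policy_server_ssl_port": 7135,
}
# Starred options on the wizard panels; the SSL ones apply only when SSL is enabled.
REQUIRED = [
    "ldap_server_host", "ldap_server_port",
    "sec_master_password", "sec_master_password_confirm",
    "policy_server_ssl_port", "ssl_certificate_lifecycle_days",
    "ssl_connection_timeout_seconds", "ldap_admin_dn", "ldap_admin_password",
]
REQUIRED_WHEN_SSL = ["ssl_key_file", "ssl_key_file_password", "ssl_port"]
SEVERITY_RANK = {"error": 0, "warn": 1, "info": 2}


@dataclass(frozen=True)
class Finding:
    severity: str   # error: wizard cannot complete; warn: guide recommendation not met; info: note
    option: str
    message: str


def is_full_path(path: str) -> bool:
    """Accept both UNIX (/opt/keytabs/...) and Windows (c:\\keytabs\\...) absolute paths."""
    return posixpath.isabs(path) or ntpath.isabs(path)


def lint_ammgr_options(opts: Dict[str, Any], local_host: Optional[str] = None) -> List[Finding]:
    """Return all findings for one set of wizard answers, most severe first."""
    findings: List[Finding] = []
    ssl_enabled = bool(opts.get("enable_ssl_with_registry", False))

    # 1. Required options must be present and non-empty.
    for name in REQUIRED + (REQUIRED_WHEN_SSL if ssl_enabled else []):
        if opts.get(name) in (None, ""):
            findings.append(Finding("error", name, "required option is missing"))

    # 2. The confirmation must match the sec_master password exactly.
    if opts.get("sec_master_password") != opts.get("sec_master_password_confirm"):
        findings.append(Finding("error", "sec_master_password_confirm",
                                "does not match the sec_master password"))

    # 3. Ports must be valid TCP ports; departures from the documented defaults are noted.
    for name, default in DEFAULT_PORTS.items():
        value = opts.get(name)
        if value is None:
            continue
        if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 65535:
            findings.append(Finding("error", name, f"{value!r} is not a valid TCP port"))
        elif value != default:
            findings.append(Finding("info", name, f"non-default port {value} (default {default})"))

    # 4. The guide recommends separate systems for the policy server and the registry server.
    if local_host and str(opts.get("ldap_server_host", "")).lower() == local_host.lower():
        findings.append(Finding("warn", "ldap_server_host",
                                "registry server and policy server share a system; separate systems are recommended"))

    # 5. SSL with the registry server is recommended; when enabled, check the key file answers.
    if not ssl_enabled:
        findings.append(Finding("warn", "enable_ssl_with_registry",
                                "SSL with the registry server is disabled; the guide recommends enabling it"))
    else:
        key_file = str(opts.get("ssl_key_file") or "")
        if key_file and not is_full_path(key_file):
            findings.append(Finding("error", "ssl_key_file", "must be given with its full path"))
        if opts.get("ssl_key_file_password") == DEFAULT_KEY_PASSWORD:
            findings.append(Finding("warn", "ssl_key_file_password",
                                    "shipped default password key4ssl is still in use; change it with gsk7ikm"))
        # A label is only needed with a non-default key file or when the server requires client authentication.
        if ntpath.basename(key_file) != DEFAULT_KEY_FILE and not opts.get("certificate_label"):
            findings.append(Finding("info", "certificate_label",
                                    "blank with a non-default key file; required only if the server demands client authentication"))

    return sorted(findings, key=lambda f: SEVERITY_RANK[f.severity])


if __name__ == "__main__":
    # Constructed sample answers: SSL left off, confirmation mistyped, registry on this host.
    sample = {
        "ldap_server_host": "pdmgr.example.test", "ldap_server_port": 389,
        "sec_master_password": "S3cret-Pw!", "sec_master_password_confirm": "S3cret-Pw",
        "policy_server_ssl_port": 7135, "ssl_certificate_lifecycle_days": 365,
        "ssl_connection_timeout_seconds": 7200, "ldap_admin_dn": "cn=root",
        "ldap_admin_password": "ldap-pw", "enable_ssl_with_registry": False,
    }
    for f in lint_ammgr_options(sample, local_host="pdmgr.example.test"):
        print(f"{f.severity:5} {f.option}: {f.message}")
```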


install_amproxy

The Tivoli Access Manager policy proxy server installation wizard (install_amproxy) first prompts you for Access Manager Runtime configuration options based on the type of registry server. For descriptions of these configuration options, see one of the following:

v “Access Manager Runtime (LDAP)” on page 198

v “Access Manager Runtime (Active Directory)” on page 200

v “Access Manager Runtime (Domino)” on page 203

Table 12 lists additional options prompted for during installation using the install_amproxy wizard as instructed in “Installing using the installation wizard” on page 119.

Table 12. install_amproxy configuration options. * indicates a required option.

Configuration Options                                    Default Value

Administrator ID *
    Specifies the administrator of the management domain. Defaults to sec_master.

Tivoli Access Manager administrator password *
    Specifies the password for the Tivoli Access Manager sec_master administrator account.

Local host name *
    Specifies the fully qualified name of the host system on which the policy proxy server will reside.

Administration request port *
    Specifies the administration request port. The default port number is 7137.

Proxy request port *
    Specifies the authorization request port number. The default port number is 7138.


install_amrte

The Tivoli Access Manager runtime system wizard (install_amrte) prompts you for Access Manager Runtime configuration options based on the type of registry server. For descriptions of these configuration options, see one of the following:

v “Access Manager Runtime (LDAP)” on page 198

v

“Access Manager Runtime (Active Directory)” on page 200v “Access Manager Runtime (Domino)” on page 203


install_amwpm

Table 13 lists configuration option descriptions for a Tivoli Access Manager Web Portal Manager system. You are prompted for these options during configuration using the install_amwpm installation wizard as instructed in “Installing using the installation wizard” on page 131.

Table 13. install_amwpm configuration options. * indicates a required option.

Configuration Option / Description

Directory name for IBM HTTP Server (prompted for on Windows only)
Specifies the IBM HTTP Server installation directory. Default directories are as follows:

v AIX: /usr/HTTPServer

v Linux and Solaris: /opt/IBMHTTPServer

v Windows: c:\Program Files\IBMHttpServer

Directory name for IBM WebSphere Application Server (prompted for on Windows only)
Specifies the IBM WebSphere Application Server installation directory. Default directories are as follows:

v AIX: /usr/WebSphere/AppServer

v Linux and Solaris: /opt/WebSphere/AppServer

v Windows: c:\Program Files\WebSphere\AppServer

Node name *
Specifies the WebSphere node name that is used for administration. This name must be unique within its group of nodes (cell). The host name is the DNS name or IP address of your local system.

Local host name *
Specifies the fully qualified name of the host system on which the Web Portal Manager will reside.

Local Administrator ID *
Specifies the administrator ID with which you are logged on. (On UNIX, this is cn=root.)

Local administrator password *
Specifies the password of the local administrator.

Policy server host name *
Specifies the fully qualified host name of the policy server. For example: pdmgr.tivoli.com
Note: You are prompted for this option twice during configuration.

Policy server SSL port *
Specifies the port number on which the policy server listens for SSL requests. The default port number is 7135.
Note: You are prompted for this option twice during configuration.

JRE directory *
Specifies the directory of the Java Runtime Environment that is being configured for Tivoli Access Manager.

Policy server administrator ID *
Specifies the administrator of the management domain. Defaults to sec_master.

Policy server administrator password *
Specifies the password for the Tivoli Access Manager sec_master administrator account.


install_ldap_server

Table 14 lists configuration options for IBM Tivoli Directory Server and its prerequisite software. Depending on whether you are installing on a UNIX or Windows platform, you might be prompted for these options in a different sequence than listed.

Table 14. IBM Tivoli Directory Server installation configuration options

Configuration Option / Description

Global Security Kit Directory Name (prompted on Windows only)
Specifies the GSKit installation directory. Default directories are as follows:

v AIX: /usr/opt/ibm/gsksa and /usr/opt/ibm/gskta

v HP-UX and Solaris: /opt/ibm/gsk7

v Linux: /usr/local/ibm/gsk7

v Windows: C:\Program Files\ibm\gsk7

IBM DB2 Directory Name (prompted on Windows only)
Specifies the IBM DB2 installation directory. Default directories are as follows:

v AIX and Linux: /usr/ldap/db2

v Solaris: /opt/IBM/db2

v Windows: C:\Program Files\IBM\SQLLIB

IBM Tivoli Directory Server Directory Name (prompted on Windows only)
Specifies the IBM Tivoli Directory Server installation directory. Default directories are as follows:

v AIX and Linux: /usr/ldap

v Solaris: /opt/IBMldaps

v Windows: C:\Program Files\IBM\LDAP

DB2 administrator ID *
Prior to installation, you must create a DB2 database owner ID, for example, ldapdb2 (UNIX) or db2admin (Windows). For guidelines, see “Pre-installation requirements” on page 48.

DB2 administrator password *
Specifies the password for the DB2 administrator ID.

Directory server database home *
C: on Windows; the ldapdb2 user’s home directory on UNIX.

DB2 database name *
amdb

Administrator ID *
cn=root


Table 14. IBM Tivoli Directory Server installation configuration options (continued)

Administrator password *
Create a new password for the administrator ID.

Password confirmation * (prompted on Windows only)
Specify the administrator ID password again for confirmation.

User-defined suffix
Specifies a suffix to maintain user and group data. For example: o=ibm,c=us

Local host name * (prompted on Windows only)
The installation wizard detects and fills in the host name of your system. Specifies the fully qualified name of the host system on which the LDAP server will reside.

Non-SSL port number *
Specifies the port number on which the LDAP server listens. The default port number is 389.

SSL port number *
Specifies the port number on which the LDAP server listens for SSL requests. The default port number is 636.

SSL key file with full path *
Automatically copied to your hard drive. The panel displays the key file location based on platform. You can accept this location or browse to locate a different key file. The signer of the SSL certificate must be recognized as a trusted certificate authority in the client key database.

SSL key file password *
Specifies the password associated with the SSL key file. key4ssl is the password associated with the am_key.kdb file.

SSL key file certificate label
Specifies the label associated with the SSL key file certificate to be sent to the LDAP server. The default key file certificate is PDLDAP (associated with the am_key.kdb file).


Chapter 16. pdconfig options

This section lists descriptions of options that you are prompted for during configuration of Tivoli Access Manager components using the pdconfig utility.

Depending on whether you are installing on a UNIX or Windows platform, you might be prompted for these options in a different sequence than listed.

Tivoli Access Manager packages that require configuration are as follows:

v “Access Manager Runtime — LDAP” on page 218

v “Access Manager Runtime — Active Directory” on page 219

v “Access Manager Runtime — Domino” on page 221

v “Access Manager Authorization Server” on page 222

v “Access Manager Java Runtime Environment” on page 223

v “Access Manager Policy Server” on page 224

v “Access Manager Policy Proxy Server” on page 225

v “Access Manager Web Portal Manager” on page 226


Access Manager Runtime — LDAP

Table 15 lists options prompted for during configuration of the Access Manager Runtime package using an LDAP registry.

Table 15. Access Manager Runtime configuration options – LDAP

Configuration option / Description

Will the policy server be installed on this machine
Indicate whether or not the policy server will be installed on the same machine.

Enable Tivoli Common Directory for logging
Select to enable Tivoli Common Directory, a central location on systems running Tivoli software for storing files, such as trace and message logs.

Registry
Select the LDAP choice.

LDAP server host name
Specifies the fully qualified host name of the LDAP server. For example: ldapserver.tivoli.com

LDAP server port
Specifies the port number on which the LDAP server listens. The default port number is 389.

If the Tivoli Access Manager policy server is not installed on the same system as the Access Manager Runtime, you are prompted for the next two values:

Policy server host name
Specifies the fully qualified host name of the policy server. For example: pdmgr.tivoli.com

Policy server SSL port
Specifies the port number on which the policy server listens for SSL requests. The default port number is 7135.

Domain
Specifies the domain name. The default is Default, which indicates the management domain.

Automatically download the pdcacert.b64 file from the policy server?
Configuration of the Tivoli Access Manager policy server creates a default SSL certificate authority file named pdcacert.b64. After successful configuration of the Access Manager Policy Server component, you must distribute this file to each machine in your secure domain.

For a Tivoli Access Manager runtime system to authenticate to Tivoli Access Manager servers, each runtime system will require a copy of this file. To obtain this file, do one of the following:

v During configuration of the Access Manager Runtime package, select to download the pdcacert.b64 file automatically.

v Manually copy the pdcacert.b64 file to the Tivoli Access Manager system before configuring the Access Manager Runtime component.


Access Manager Runtime — Active Directory

Table 16 lists options prompted for during configuration of the Access Manager Runtime package using an Active Directory registry.

Table 16. Access Manager Runtime configuration options – Active Directory

Configuration option / Description

Specify the location of the Access Manager Policy Server. If you select Access Manager Policy Server is installed on another machine, you are prompted for the following two values:

Host name
Specifies the fully qualified host name of the policy server. For example: pdmgr.tivoli.com

Listening port
Specifies the port number on which the policy server listens for SSL requests. The default port number is 7135.

Registry
Specifies the type of Tivoli Access Manager registry: Active Directory

Configure to Multiple Active Directory Domains (default: not enabled)
Select to configure to multiple domains. Otherwise, Tivoli Access Manager is configured to a single domain (the default value).

Active Directory host name *
Specifies the Active Directory domain controller server name. For example: adserver.tivoli.com

Active Directory domain
Specifies the Active Directory domain name. For example: dc=tivoli,dc=com

Enable encrypted connections (default: not enabled)
Specifies that Kerberos is used in the Active Directory Service Interface (ADSI) to encrypt data in the connection to the Active Directory server. This setting is equivalent to enabling an SSL connection in a non-Windows environment.

On non-Windows systems, you can select to enable SSL connections between this Tivoli Access Manager runtime system and the Active Directory server. If selected, you are prompted for the next four values:

Port number
Specifies the port number on which the LDAP server listens for SSL requests. The default port number is 636.

Key file with full path
Specifies the LDAP client key file that you created when enabling encrypted communication.

Certificate label
Specifies the SSL client certificate label. This field requires that you type any character. Because you do not need to set up client-side certificate authentication, the character that you specify is ignored.


Table 16. Access Manager Runtime configuration options – Active Directory (continued)

Configuration option / Description

Key file password
Specifies the password of the client LDAP key database file. The am_key.kdb file shipped with Tivoli Access Manager has a default password of key4ssl. These defaults are usable if you install and configure the IBM Tivoli Directory Server using the install_ldap_server program. If you decide to change this password using the gsk7ikm utility, you must recall this default password.

Active Directory Administrator ID
Specifies the Administrative ID that you created in “Creating an Active Directory administrative user” on page 80.

Active Directory Administrator Password
Specifies the password associated with the Active Directory Administrator ID.

Access Manager data location distinguished name
Specifies the distinguished name where you want to store Tivoli Access Manager data. For example: dc=tivoli,dc=com. The default value is the Active Directory domain name.

Enable Tivoli Common Directory for logging
Select to enable Tivoli Common Directory, a central location on systems running Tivoli software for storing files, such as trace and message logs.

Directory name
Specifies the log directory for the first Tivoli software product installed. The first time you configure Tivoli Common Directory, you can specify the directory where you want the log files to reside. Afterwards, you can configure Tivoli software to use this directory.

If you are using Active Directory as your registry, an activedir.conf file is created in the following directory:

%PD_INSTALL_DIR%\etc

where PD_INSTALL_DIR is the directory where Tivoli Access Manager is installed and C:\Program Files\Tivoli\Policy Director is the default directory.


Access Manager Runtime — Domino

Table 17 lists options prompted for during configuration of the Access Manager Runtime package using a Lotus Domino registry.

Table 17. Access Manager Runtime configuration options – Domino

Configuration option / Description

Specify the location of the Access Manager Policy Server. If you select Access Manager Policy Server is installed on another machine, you are prompted for the following two values:

Host name
Specifies the fully qualified host name of the policy server. For example: pdmgr.tivoli.com

Listening port
Specifies the port number on which the policy server listens for SSL requests. The default port number is 7135.

Registry
Specifies the type of Tivoli Access Manager registry: Domino

Domino server name
Specifies the fully qualified name of the Domino server. For example: Domino/tivoli

Enable SSL with the registry server
Panel choices are inaccessible. Click Next to continue.

Notes client password
Specifies the password associated with the Administrative user’s Notes ID file located on this machine.

Access Manager database name
Specifies the database name that is associated with Tivoli Access Manager data. The default value is PDMdata.nsf.

Enable Tivoli Common Directory for logging
Select to enable Tivoli Common Directory, a central location on systems running Tivoli software for storing files, such as trace and message logs.

Directory name
Specifies the log directory for the first Tivoli software product installed. The first time you configure Tivoli Common Directory, you can specify the directory where you want the log files to reside. Afterwards, you can configure Tivoli software to use this directory.


Access Manager Authorization Server

Table 18 lists options prompted for during configuration of the Access Manager Authorization Server package.

Note: Configure the Access Manager Runtime package before configuring the Access Manager Authorization Server package.

Table 18. Access Manager Authorization Server configuration options

Configuration option / Description

Domain
Specifies the domain name. The default is Default, which indicates the management domain. Do not change this value.

Policy server host name
Specifies the host name used by the policy server to contact this server. The default is the host name of the local system.

Policy server port
Specifies the port number on which the policy server listens for requests. The default port number is 7135.

Tivoli Access Manager administrator (or Administrator ID for domain Default)
Specifies the administrator of the management domain. Defaults to sec_master. Do not change this value.

Password
Specifies the Tivoli Access Manager administrator (sec_master) password.

Local host name
Specifies the fully qualified name of the host system on which the authorization server will reside.

Administration request port
Specifies the administration request port. The default port is 7137.

Authorization request port
Specifies the authorization request port number. The default port number is 7136.


Access Manager Java Runtime Environment

Table 19 lists options prompted for during configuration of the Access Manager Java Runtime Environment package.

Table 19. Access Manager Java Runtime Environment configuration options

Configuration option / Description

Configuration type
To configure the Access Manager Java Runtime Environment for use within the current JRE, select a configuration type:

Full: Select if you are configuring Web Portal Manager or enabling Java applications to manage and use Tivoli Access Manager security.

Stand-alone: Select if you are a developer using Java runtime environment classes. You are not prompted for policy server information.

Full path of the Java Runtime Environment (JRE) to configure for Tivoli Access Manager
Specifies the path to IBM JRE 1.3.1. For example: /usr/java131/jre

If you are installing a Web Portal Manager system, ensure that you specify the JRE installed with WebSphere Application Server. For example: /usr/WebSphere/AppServer/java/jre

Host name of the Access Manager policy server machine
Specifies the fully qualified host name of the policy server. For example: pdmgr.tivoli.com

Port number of the Access Manager policy server machine
Specifies the port number on which the policy server listens for SSL requests. The default port number is 7135.

Access Manager Policy Server domain information
null

Enable Tivoli Common Directory for logging
Select to enable Tivoli Common Directory, a central location on systems running Tivoli software for storing files, such as trace and message logs.

Directory name
Specifies the log directory for the first Tivoli software product installed. The first time you configure Tivoli Common Directory, you can specify the directory where you want the log files to reside. Afterwards, you can configure Tivoli software to use this directory.


Access Manager Policy Server

Notes:

1. You are prompted to configure the Access Manager Runtime package before configuring the Access Manager Policy Server package.

2. The policy server is not supported on UNIX platforms for Active Directory or Domino registry servers.

Table 20. Access Manager Policy Server configuration options

Configuration option / Description

Access Manager administrator ID
Specifies the administrator of the management domain. Defaults to sec_master. For Active Directory Multiple Domain, this is sec_master@domain_name.

Access Manager administrator Password
Specifies the password for the Tivoli Access Manager administrative user ID.

Confirm password
Specify the sec_master password again for confirmation.

Policy server SSL port
Specifies the port number on which the policy server listens for SSL requests. The default port number is 7135.

SSL certificate lifecycle
Specifies the number of days that the SSL certificate file is valid. The default number of days is 365.

SSL connection timeout
Specifies the duration (in seconds) that an SSL connection waits for a response before timing out. The default number of seconds is 7200.


Access Manager Policy Proxy Server

Table 21 lists options prompted for during configuration of the Access Manager Policy Proxy Server package.

Note: Configure the Access Manager Runtime package before configuring the Access Manager Policy Proxy Server package.

Table 21. Access Manager Policy Proxy Server configuration options

Configuration option / Description

Policy server host name *
Specifies the fully qualified host name of the policy server. For example: pdmgr.tivoli.com

Policy server port *
Specifies the port number on which the policy server listens for requests. The default port number is 7135.

Administrator ID *
Specifies the administrator of the management domain. Defaults to sec_master. For Active Directory Multiple Domain, this is sec_master@domain_name.

Password *
Specifies the password for the Tivoli Access Manager administrative user ID.

Local host name *
Specifies the fully qualified name of the host system on which the policy proxy server will reside. For example: pdproxy.tivoli.com

Administration request port *
Specifies the administration request port. The default port is 7139.

Proxy request port *
Specifies the proxy request port. The default port is 7138.
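The pdconfig tables above (Tables 15 through 21) document the defaults that each component expects: fully qualified host names, the listening ports 7135 through 7139, 389 and 636, and the key4ssl password that am_key.kdb ships with (Tables 14 and 16). The following pre-flight check is an added example, not part of this guide or of the Tivoli Access Manager product. It takes the values an administrator intends to type at the pdconfig prompts and flags what is cheapest to catch beforehand: a host name that is not fully qualified, a port outside the valid range or assigned to two components on one host, the key file still protected by the shipped default password, and an LDAP registry reached on the non-SSL port 389 when Chapter 17 recommends SSL. The function names, the option keys and the sample values are this example's own.

```python
"""Pre-flight check of pdconfig option values against the documented defaults.

Added example, not part of the IBM guide or the Tivoli Access Manager product.
Option keys, function names and sample values are this example's own.
"""
from __future__ import annotations

# Default listening ports as documented in the guide's configuration tables.
DOCUMENTED_DEFAULT_PORTS = {
    "policy_server_ssl": 7135,     # Table 20, policy server SSL port
    "authz_request": 7136,         # Table 18, authorization request port
    "authz_admin_request": 7137,   # Table 18, administration request port
    "proxy_request": 7138,         # Table 21, proxy request port
    "proxy_admin_request": 7139,   # Table 21, administration request port
    "ldap": 389,                   # Table 15, LDAP server port
    "ldap_ssl": 636,               # Table 16, LDAP SSL port
}

# Password the guide says am_key.kdb ships with (Table 14 and Table 16).
SHIPPED_KEY_FILE_PASSWORD = "key4ssl"


def is_fqdn(host: str) -> bool:
    """True when the name has at least two non-empty labels of DNS characters."""
    labels = host.strip().split(".")
    return len(labels) >= 2 and all(
        label and label.replace("-", "").isalnum() for label in labels
    )


def check_options(opts: dict) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: list[str] = []

    # Host names must be fully qualified (Tables 15, 18 and 21 all say so).
    for key in ("policy_server_host", "local_host"):
        value = opts.get(key, "")
        if not is_fqdn(value):
            findings.append(f"{key}: '{value}' is not a fully qualified host name")

    # Every listening port must be valid and used by only one component here.
    owner_of_port: dict[int, str] = {}
    for key, port in opts.get("ports", {}).items():
        if not 1 <= port <= 65535:
            findings.append(f"{key}: port {port} is outside 1-65535")
            continue
        if port in owner_of_port:
            findings.append(f"{key}: port {port} collides with {owner_of_port[port]}")
        else:
            owner_of_port[port] = key

    # The key file password the product ships with is printed in the guide,
    # so it protects nothing; pdconfig accepts it, which is why this check exists.
    if opts.get("ssl_key_file_password") == SHIPPED_KEY_FILE_PASSWORD:
        findings.append("ssl_key_file_password: am_key.kdb still uses the shipped default")

    # Registry traffic on the plain LDAP port while SSL is the recommendation.
    ldap_port = opts.get("ports", {}).get("ldap")
    if ldap_port == DOCUMENTED_DEFAULT_PORTS["ldap"] and not opts.get("ldap_ssl_enabled", False):
        findings.append("ldap: registry connection uses port 389 without SSL")

    return findings


# Constructed sample values for a policy proxy host; not taken from the guide.
SAMPLE_OPTIONS = {
    "policy_server_host": "pdmgr.tivoli.com",
    "local_host": "pdproxy",                       # short name, not an FQDN
    "ports": {
        "policy_server_ssl": 7135,
        "proxy_request": 7138,
        "proxy_admin_request": 7138,               # clashes with proxy_request
        "ldap": 389,
    },
    "ssl_key_file_password": "key4ssl",            # shipped default left in place
    "ldap_ssl_enabled": False,
}

if __name__ == "__main__":
    for finding in check_options(SAMPLE_OPTIONS):
        print("WARNING:", finding)
```

Run against the constructed sample, the check reports four findings: the short local host name, the port 7138 assigned twice, the shipped key file password, and the unencrypted LDAP port. Each of those would otherwise surface only after pdconfig has written the configuration.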


Access Manager Web Portal Manager

Table 22 lists options prompted for during configuration of the Access Manager Web Portal Manager package.

Table 22. Access Manager Web Portal Manager configuration options

Configuration option / Description

Tivoli Access Manager administrator
Specifies the administrator of the management domain. Defaults to sec_master.

Tivoli Access Manager administrator password
Specifies the password for the Tivoli Access Manager sec_master administrator account.


Chapter 17. Enabling Secure Sockets Layer

It is recommended that you enable Secure Sockets Layer (SSL) communication between your LDAP server and IBM Tivoli Directory Clients that support IBM Tivoli Access Manager software.

Note: If you used the installation wizard to install the IBM Tivoli Directory Server, you can skip the instructions in this chapter. The install_ldap_server program steps you through the process of enabling SSL while, at the same time, installing and configuring this LDAP server and its prerequisites.

To enable SSL communication, you must first configure SSL on the server, and then configure SSL on the IBM Tivoli Directory Client. During SSL configuration, you are prompted to choose one of the following authentication types:

Server authentication
The server sends its certificate to the client and the client authenticates the server.

Server and client authentication
After the server has sent its certificate to the client and has been authenticated by the client, the server requests the client’s certificate. In this case, a certificate needs to be established for the client system as well as the server.

If you choose to implement server authentication only, you must configure your server and IBM Tivoli Directory Clients for SSL access. However, if you choose to implement server and client authentication, you must configure SSL on the server, configure SSL on the client, and then follow instructions in “Configuring LDAP server and client authentication” on page 244.

This chapter contains the following main sections:

v “Configuring IBM Tivoli Directory Server for SSL access”

v “Configuring IBM z/OS and OS/390 security servers for SSL access” on page 232

v “Configuring Microsoft Active Directory for SSL access” on page 234

v “Configuring Novell eDirectory server for SSL access” on page 236

v “Configuring Sun ONE Directory Server for SSL access” on page 239

v “Configuring IBM Tivoli Directory Client for SSL access” on page 241

v “Configuring LDAP server and client authentication” on page 244

Configuring IBM Tivoli Directory Server for SSL access

You can enable the use of SSL to protect communication between the Tivoli Access Manager servers and the LDAP server. This step needs to be done only the first time SSL communication is set up between the LDAP server and the IBM Tivoli Directory Client.

If you previously enabled SSL access to the LDAP server during the LDAP server configuration, you must copy a client and server key ring pair to each additional Tivoli Access Manager system that uses SSL access.


If SSL access is required by your LDAP server, use GSKit to perform SSL key management. GSKit provides a graphical key management utility named gsk7ikm. For complete instructions on how to use the gsk7ikm utility to enable SSL, see the SSL Introduction and iKeyman User’s Guide.

To enable SSL access on the IBM Tivoli Directory Server, complete the instructions in the following sections:

v “Creating the key database file and the certificate” on page 228

v “Obtaining a personal certificate from a certificate authority” on page 229 or “Creating and extracting a self-signed certificate” on page 229

v “Enabling SSL access” on page 230

Creating the key database file and the certificate

To enable SSL support on the LDAP server, the server must have a certificate that identifies it and that it can use as a personal certificate. This personal certificate is the certificate that the server sends to the client to allow the client to authenticate the server. The certificates and the public and private key pair are stored in a key database file. A user typically acquires a signed certificate from a certificate authority, such as VeriSign.

Alternatively, a user can use a self-signed certificate. If the user is using a self-signed certificate, the system on which the certificate is generated becomes the certificate authority.

Use the gsk7ikm utility to create the key database file and the certificate. To create the key database file and certificate (self-signed or signed), follow these steps:

1. Ensure that the supported version of GSKit and gsk7ikm are installed on both the LDAP server and any IBM Tivoli Directory Clients that will be using SSL.

2. It is recommended that you use a certificate from a Certificate Authority (CA) or the GSKit iKeyman utility to enable SSL communication between your supported registry server and IBM Tivoli Directory Clients. To do so, follow these steps:

a. Set up the iKeyman utility. For instructions, see “Setting up the GSKit iKeyman utility” on page 147.

b. Enable SSL with a supported registry server. For instructions, see Chapter 17, “Enabling Secure Sockets Layer,” on page 227.

Note: For more information about using the iKeyman utility, see the IBM Global Security Kit Secure Sockets Layer and iKeyman User’s Guide.

3. Start the gsk7ikm utility, which is located in one of the following default directories:

System    Path

AIX       /usr/lpp/ibm/gsk7/bin/gsk7ikm

HP-UX     /opt/ibm/gsk7/bin/gsk7ikm

Linux     /usr/local/ibm/gsk7/bin/gsk7ikm

Solaris   /opt/IBM/GSK7/bin/gsk7ikm

Windows   C:\Program Files\IBM\gsk7\bin\gsk7ikm.exe

4. To create a new key database file, select Key Database File → New.

5. Verify that CMS is the selected key database type.


6. Type the information in the File Name and Location fields where you want the key database file to be located and click OK. A key database file’s extension is .kdb.

7. Enter the key database file password, and confirm it. Remember this password because it is required when the key database file is edited.

8. Accept the default expiration time, or change it to your organization’s requirements.

9. If you want the password to be masked and stored into a stash file, select Stash the password to a file.

A stash file can be used by some applications so that the application does not have to know the password to use the key database file. The stash file has the same location and name as the key database file and has an extension of .sth.

10. Click OK. This completes the creation of the key database file. There is a set of default signer certificates. These signer certificates are the default certificate authorities that are recognized.

Obtaining a personal certificate from a certificate authority

If you plan to use a certificate from a certificate authority instead of a self-signed certificate, you must request the certificate from the certificate authority and then receive it after it has been completed.

If you plan to use a self-signed certificate, skip this section and go to “Creating and extracting a self-signed certificate.”

To request and receive a certificate, follow these steps:

1. Use gsk7ikm to request a certificate from a certificate authority and then receive the new certificate into your key database file.

2. Click the Personal Certificate Requests section of the key database file.

3. Click New.

4. To produce a request that can be sent to the certificate authority, complete the information and then click OK.

5. To install the certificate to your key database file after the certificate authority returns it, click the Personal Certificates section and then click Receive.

6. After you have the LDAP server’s certificate in the key database file, configure the LDAP server to enable SSL.

Continue to “Enabling SSL access” on page 230.

Creating and extracting a self-signed certificate

If you obtained a certificate from a known certificate authority, as described in “Obtaining a personal certificate from a certificate authority,” skip this section and go to “Enabling SSL access” on page 230.

To create a new self-signed certificate and store it into the key database file, follow these steps:

1. Select Create → New Self-Signed Certificate.

2. Type a name in the Key Label field that GSKit can use to identify this new certificate in the key database. For example, the label can be the system name of the LDAP server.

3. Accept the defaults for the Version field (X509 V3) and for the Key Size field.


4. Accept the default system name or enter a different distinguished name in theCommon Name field for this certificate.

5. Enter a company name in the Organization field.

6. Complete any optional fields or leave them  blank.

7. Accept the defaults for the Country field and 365 for the Validity Period fieldor change them to suit your organization’s requirements.

8. Click OK. GSKit generates a new public and private key pair and creates thecertificate.

If  you have more than one personal certificate in the key database file, GSKitqueries if  you want this key to  be the default key in the database. You canaccept one of  them as the default. The default certificate is used at runtimewhen a label is not provided to select which certificate to use.

This completes the creation of  the LDAP server’s personal certificate. It isdisplayed in the Personal Certificates section of  the key database file. Use themiddle  bar of  the key management utility to select  between the types of certificates kept in the key database file.

The certificate also is displayed in the Signer Certificates section of the key database file. When you are in the Signer Certificates section of the key database, verify that the new certificate is there. Next, you must extract your LDAP server’s certificate to a Base64-encoded ASCII data file.

9. Use gsk7ikm to extract your LDAP server’s certificate to a Base64-encoded ASCII data file. This file is used in “Adding a signer certificate” on page 243.

10. Highlight the self-signed certificate that you just created.

11. Click Extract Certificate.

12. Click Base64-encoded ASCII data as the data type.

13. Type a certificate file name for the newly extracted certificate. The certificate file’s extension is usually .arm.

14. Type the location where you want to store the extracted certificate.

15. Click OK.

16. Copy this extracted certificate to the IBM Tivoli Directory Client system.

You can now configure the LDAP server to enable SSL. Continue to “Enabling SSL access.”

Enabling SSL access

To configure the IBM Tivoli Directory Server to enable SSL, follow these steps:

1. Ensure that the IBM Tivoli Directory Server and the administration daemon are running. To start the server, do one of the following:

v On UNIX systems, use the ibmdirctl command.

v For Windows systems, use the ibmdirctl command or:

a. Click Start → Settings → Control Panel.

b. Do one of the following:

– On Windows NT systems, click Services. Select IBM Tivoli Directory V5.2 and click Start. Repeat this step for the IBM Tivoli Directory Admin Daemon service.

– On Windows 2000 systems, click Administrative Tools → Services. Right-mouse click IBM Tivoli Directory V5.1 and click Start. Repeat this step for the IBM Tivoli Directory Admin Daemon service.


2. Do one of the following:

v To configure SSL communications, enter the following command:

ldapmodify -D Admin_DN -w admin_password -i filename

where filename contains:

dn:cn=SSL,cn=Configuration
changetype:modify
replace:ibm-slapdSecurity
ibm-slapdSecurity:SSL | none | SSLOnly
-
replace:ibm-slapdSslAuth
ibm-slapdSslAuth:serverauth | serverClientAuth
-
replace:ibm-slapdSslCertificate
ibm-slapdSslCertificate: ldapserv
-
replace:ibm-slapdSslKeyDatabase
ibm-slapdSslKeyDatabase: /usr/ldap/etc/key.kdb

v Edit the ibmslapd.conf file and add the following to the stanza that begins:

dn:cn=SSL,cn=Configuration

ibm-slapdSecurity:SSL | none | SSLOnly

ibm-slapdSslAuth:serverauth | serverClientAuth

ibm-slapdSslCertificate: ldapserv

ibm-slapdSslKeyDatabase: /usr/ldap/etc/key.kdb

3. Stop both the IBM Tivoli Directory Server and the administration daemon as follows:

v For UNIX systems:

ibmdirctl -D ldap_admin -w ldap_pwd stop
ps -ef | grep ibmdiradm
kill -9 pid_obtained_by_previous_command

v For Windows systems, click Start → Settings → Control Panel → Administrative Tools → Services. Right-click IBM Tivoli Directory V5.2 and click Stop. Repeat this step for the IBM Tivoli Directory Admin Daemon service.

4. Start both the IBM Tivoli Directory Server and administration daemon as follows:

v For UNIX systems, use the ibmdirctl command to start the administration daemon and then use the ibmdirctl command to start the directory server as follows:

ibmdiradm
ibmdirctl -D ldap_admin -w ldap_pwd start

v For Windows systems, use the ibmdirctl command or click Start → Settings → Control Panel → Administrative Tools → Services. Right-mouse click IBM Tivoli Directory V5.2 and click Start. Repeat this step for the IBM Tivoli Directory Admin Daemon service.

5. To test that SSL has been enabled, type the following command from the LDAP server command line:

ldapsearch -h ldaphost -Z -K keyfile -P key_pw -b "" -s base objectclass=*

where:

ldaphost Specifies the DNS host name of the LDAP server.

keyfile Specifies the name of the SSL key database file (with default extension of .kdb). If the key database file is not in the current directory, specify the fully-qualified key database filename.

key_pw Specifies the key file password. This password is required to access the encrypted information in the key database file (which may include one or more private keys). If a password stash file is associated with the key database file, the password is obtained from the password stash file, and the -P option is not required. This option is ignored if neither -Z nor -K is specified.

The ldapsearch command returns the LDAP base information, which includes the suffixes on the LDAP server.

The LDAP server SSL setup is now complete.

6. Next, set up the IBM Tivoli Directory Client for SSL access. Continue to “Configuring IBM Tivoli Directory Client for SSL access” on page 241.

Configuring IBM z/OS and OS/390 security servers for SSL access

When Tivoli Access Manager and LDAP services are not on the same protected network, it is recommended that you enable SSL communication between the LDAP server and the clients that support Tivoli Access Manager software. This protocol provides secure, encrypted communications between each server and client. Tivoli Access Manager uses these communications channels as part of the process for making authentication and authorization decisions.

To configure an LDAP server on OS/390 or z/OS for SSL communications, consult the LDAP Server Administration and Use manual for your particular release of OS/390 or z/OS. This document is located at:

http://www.ibm.com/servers/eserver/zseries/zos/bkserv/

The following high-level steps are required to enable SSL support for LDAP on z/OS releases 1.2 through 1.4. These steps assume that you have installed and configured the LDAP directory server, installed z/OS Cryptographic Services System SSL, and set STEPLIB, LPALIB, or LINKLIST.

1. Configure the LDAP server to listen for LDAP requests on the SSL port for server authentication and, optionally, client authentication. See “Setting up the security options.”

2. Generate the LDAP server private key and server certificate and mark it as the default in the key database or use its label on the sslCertificate configuration file option. For an example of using the gskkyman utility to create a key database file, see “Creating a key database file” on page 233.

3. Restart the LDAP server.

Setting up the security options

The following options for SSL can be set in the slapd.conf file:

listen ldap_URL Specifies, in LDAP URL format, the IP address (or host name) and the port number where the LDAP server will listen to incoming client requests. This parameter may be specified more than one time in the configuration file.

sslAuth {serverAuth | serverClientAuth} Specifies the SSL authentication method. The serverAuth method allows the LDAP client to validate the LDAP server on the initial contact between the client and the server. The serverAuth method is the default.

sslCertificate {certificateLabel | none} Specifies the label of the certificate that is used for server authentication. It is stored in the key database file, which is created and managed using the gskkyman tool.

sslCipherSpecs int Specifies the SSL cipher specifications that will be accepted from clients.

Table 23. Supported ciphers

Cipher                        Hexadecimal value   Decimal value
SLAPD_SSL_RC4_MD5_US          0x0800              2048
SLAPD_SSL_RC4_SHA_US          0x0400              1024
SLAPD_SSL_TRIPLE_DES_SHA_US   0x0100              256
SLAPD_SSL_DES_SHA_EXPORT      0x0200              512
SLAPD_SSL_RC2_MD5_EXPORT      0x1000              4096
SLAPD_SSL_RC4_MD5_EXPORT      0x2000              8192

The integer value used with the sslCipherSpecs keyword is the decimal representation of the ORed bitmask defined by the hexadecimal values in Table 23. For example, to use all the available ciphers in the US, the value should be 15104. (Outside the US, the value to indicate all valid cipher specs is 12288.) In this case, clients that support any one of these ciphers would be able to establish an SSL connection with the server.

sslKeyRingFile filename Specifies the path and file name of the SSL key database file for the server. The file name must match the name of the key database file created using the gskkyman tool.

sslKeyRingFilePW string Specifies the password protecting access to the SSL key database file. The password string must match the password to the key database file that was created using the gskkyman tool.

Note: Use of the sslKeyRingFilePW configuration option is strongly discouraged. As an alternative, use either the RACF key ring support or the sslKeyRingPWStashFile configuration option. This eliminates this password from the configuration file.

sslKeyRingPWStashFile filename Specifies a file name where the password for the server’s key database file is stashed. If this option is present, then the password from this stash file overrides the sslKeyRingFilePW configuration option, if present. Use the gskkyman utility with the -s option to create a key database password stash file.
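As an added example (not part of the IBM guide), the following Python audits a slapd.conf SSL stanza against the options above: it decodes an sslCipherSpecs value into the Table 23 cipher names and flags the sslKeyRingFilePW option that the note discourages. It assumes that a listen URL with the ldaps:// scheme is the SSL listener; the sample stanza is constructed.

```python
"""Audit the SSL options of a z/OS LDAP server slapd.conf stanza.

Added example, not from the IBM guide. It parses the option names the guide
lists (listen, sslAuth, sslCertificate, sslCipherSpecs, sslKeyRingFile,
sslKeyRingFilePW, sslKeyRingPWStashFile), decodes an sslCipherSpecs value
using the Table 23 bit values, and reports the finding the guide itself
warns about (a key database password left in the configuration file).
Assumption: an SSL listener is a listen URL with the ldaps:// scheme.
"""

# Table 23 from the guide: cipher name -> hexadecimal bit value.
CIPHER_BITS = {
    "SLAPD_SSL_RC4_MD5_US": 0x0800,
    "SLAPD_SSL_RC4_SHA_US": 0x0400,
    "SLAPD_SSL_TRIPLE_DES_SHA_US": 0x0100,
    "SLAPD_SSL_DES_SHA_EXPORT": 0x0200,
    "SLAPD_SSL_RC2_MD5_EXPORT": 0x1000,
    "SLAPD_SSL_RC4_MD5_EXPORT": 0x2000,
}
ALL_CIPHER_BITS = 0
for _bit in CIPHER_BITS.values():
    ALL_CIPHER_BITS |= _bit


def cipher_mask(names):
    """OR the Table 23 bits of the named ciphers; the result is the decimal
    integer that goes on the sslCipherSpecs line."""
    mask = 0
    for name in names:
        mask |= CIPHER_BITS[name]
    return mask


def decode_cipher_specs(value):
    """Split an sslCipherSpecs integer into (enabled cipher names, leftover bits).
    Leftover bits are set bits that match no Table 23 entry."""
    enabled = [name for name, bit in CIPHER_BITS.items() if value & bit]
    leftover = value & ~ALL_CIPHER_BITS
    return enabled, leftover


def parse_ssl_options(conf_text):
    """Collect 'keyword value' lines from slapd.conf text. The guide says
    'listen' may appear more than once, so its values are kept as a list."""
    options = {"listen": []}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        keyword, value = parts
        if keyword == "listen":
            options["listen"].append(value)
        else:
            options[keyword] = value
    return options


def audit_ssl_options(conf_text):
    """Return a list of finding strings for the SSL stanza (empty list = clean)."""
    opts = parse_ssl_options(conf_text)
    findings = []
    # Guide: sslKeyRingFilePW is strongly discouraged; the stash file or a
    # RACF key ring keeps the password out of the configuration file.
    if "sslKeyRingFilePW" in opts:
        if "sslKeyRingPWStashFile" in opts:
            findings.append("sslKeyRingFilePW is overridden by sslKeyRingPWStashFile; "
                            "remove the clear-text password from slapd.conf")
        else:
            findings.append("sslKeyRingFilePW keeps the key database password in "
                            "slapd.conf; use sslKeyRingPWStashFile or a RACF key ring")
    # Assumption: the SSL port is the listen URL whose scheme is ldaps://.
    if not any(url.lower().startswith("ldaps://") for url in opts["listen"]):
        findings.append("no ldaps:// listen URL; the server does not listen on the SSL port")
    if opts.get("sslCertificate", "none") == "none":
        findings.append("sslCertificate is none; no server certificate label is configured")
    if "sslCipherSpecs" in opts:
        enabled, leftover = decode_cipher_specs(int(opts["sslCipherSpecs"]))
        export = [name for name in enabled if name.endswith("_EXPORT")]
        if export:
            findings.append("export-grade ciphers enabled: " + ", ".join(export))
        if leftover:
            findings.append("sslCipherSpecs sets bits not in Table 23: 0x%04x" % leftover)
    return findings


# Constructed sample stanza (not from any real system) that shows the
# discouraged sslKeyRingFilePW option and the guide's 15104 cipher value.
SAMPLE_CONF = """\
listen ldap://:389
listen ldaps://:636
sslAuth serverAuth
sslCertificate ldapserv
sslCipherSpecs 15104
sslKeyRingFile /etc/ldap/key.kdb
sslKeyRingFilePW example-password
"""

if __name__ == "__main__":
    for finding in audit_ssl_options(SAMPLE_CONF):
        print("finding:", finding)
    print("15104 enables:", decode_cipher_specs(15104)[0])
```

Decoding 15104 lists exactly which Table 23 entries that value sets, which is quicker than re-deriving the bitmask by hand when reviewing an existing server.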

Creating a key database file

The following example shows you how to use the gskkyman utility to create a key database file.

1. Start the gskkyman utility from a shell prompt (OMVS or rlogin session) as follows:

$ gskkyman


The gskkyman utility provides a menu-based interface. To perform a function, choose the option you want to perform by entering its number at the command prompt. You are prompted for configuration options. Press Enter after each prompt to continue.

2. Enter option 1 to create a new key database file.

3. Type a key database name or accept the default (key.kdb) and press Enter.

4. Create a password to protect the key database.

5. Re-enter the database password for verification.

6. Type a password expiration interval in days or accept the default (no expiration date).

7. Type a database record length or accept the default (2500).

The key database is created and a message is displayed indicating the success or failure of this operation.

8. From the Key Management Menu, select option 6 to create a self-signed certificate and follow the prompts.

9. After the certificate is created, you must extract this certificate so it can be sent to the LDAP client system and added as a trusted CA certificate. To do so, follow these steps:

a. Select option 1 to manage keys and certificates.

b. From the Key and Certificate List, enter the label number.

c. From the Key and Certificate Menu, enter option 6 to export the certificate to a file.

d. From the Export File Format dialog, select the export format. For example, select option 1 to export to Binary ASN.1 DER.

The certificate is exported. You can now transfer the exported file to the LDAP client system, and add it as a trusted CA certificate. Since the file format of binary DER was specified on the export, this same file type must be specified to the gsk7ikm utility on the LDAP client system, when doing the Add operation.

Configuring Microsoft Active Directory for SSL access

Ensure that the Active Directory domain is set up and that the Tivoli Access Manager policy server is installed and configured on a Windows 2000 system.

Exporting the certificate on the Active Directory server

To export the CA certificate on the Active Directory server, follow these steps:

1. Log on as either a member of the local Administrator security group for stand-alone computers or a member of the Domain Administrator security group for computers that are connected to the domain.

2. Install the certificate authority (CA) on the Windows Server, which will install the server certificate on the Active Directory server. To do so, follow these steps:

a. Click Start → Administrative Tools → Certificate Authority to open the CA Microsoft Management Console (MMC) GUI.

b. Highlight the CA machine and right-click to select Properties for the CA.

c. From the General menu, click View Certificate.

d. Select the Details view, and click the Copy to File... button on the lower right corner of the window.

e. Use the Certificate Export Wizard to save the CA certificate in a file.


Note: You can save the CA certificate in either DER Encoded Binary X.509 format or Base-64 Encoded X.509 format.

3. To verify that SSL is enabled on the Active Directory server (Windows 2000 or Windows 2003), follow these steps:

a. Ensure that Windows 2000 Support Tools (Windows Support Tools on Windows 2003) is installed on the Active Directory machine. The suptools.msi setup program is located in the \Support\Tools\ directory on your Windows CD.

b. Select one of the following:

v For Windows 2000 systems, select Start → Windows 2000 Support Tools → Tools → Active Directory Administration Tool and start the ldp tool.

v For Windows 2003 systems, select Start → Windows Support Tools → Tools → Command Prompt and start the ldp tool.

c. From the ldp window, select Connection → Connect and supply the host name and port number (636).

Note: Ensure that you type the Active Directory domain server name correctly.

If successful, a window is displayed listing information related to the Active Directory SSL connection. If the connection is unsuccessful, restart your system and repeat this procedure.

Importing the certificate on the LDAP client system

After you have exported the certificate on the Active Directory server, you must import the certificate on each non-Windows Tivoli Access Manager system on which you plan to set up encrypted communications. To do so, follow these steps:

1. Ensure that the following components are installed on the Tivoli Access Manager system.

Attention: Do not configure the Access Manager Runtime component at this time.

v Global Security Kit (GSKit)

v IBM Tivoli Directory Client (LDAP client)

v Access Manager Runtime

2. Ensure that you have set up the iKeyman Key Management Utility, which is installed with GSKit. For instructions, see information about setting up the GSKit iKeyman utility in “Installing the Global Security Kit” on page 145.

3. Install the extracted CA certificate on the Tivoli Access Manager system.

4. Using the GSKit iKeyman utility, create a key database file and import the Active Directory server’s CA certificate into this key file. Ensure that the imported CA certificate points to the CA certificate file extracted from the Active Directory server system. For instructions, see “Configuring IBM Tivoli Directory Client for SSL access” on page 241 or refer to the SSL Introduction and iKeyman User’s Guide.

5. To test the SSL connection to the Active Directory server with the key file that you just created, you can use the ldapsearch command on the Tivoli Access Manager system. For instructions, see “Testing SSL access” on page 236.

6. Use the Tivoli Access Manager pdconfig utility to configure the Access Manager Runtime component. When prompted to enable encrypted connections, select Yes. For descriptions of configuration options, see “Access Manager Runtime — Active Directory” on page 219.


7. If you have additional Tivoli Access Manager components installed on this system, such as the Access Manager Authorization Server or Web Portal Manager, configure these components at this time.

SSL setup is now complete.

Testing SSL access

After the Active Directory server recognizes the certificate authority that created the client’s personal certificate, test SSL access using the following command on the LDAP client:

ldapsearch -h AD_servername -s base -Z -K client_keyfile -P keyfile_pwd objectclass=*

The command variables are as follows:

Variable        Description
AD_servername   Specifies the DNS host name of the Active Directory server.
client_keyfile  Specifies the fully qualified path name of the generated client key file.
keyfile_pwd     Specifies the password of the generated key file.

If successful, a window is displayed listing Active Directory server information. If the connection is unsuccessful, restart your system and repeat this procedure.

Configuring Novell eDirectory server for SSL access

Secure Socket Layer (SSL) allows the data, which is transmitted between the Tivoli Access Manager services and the NDS eDirectory, to be encrypted to provide data privacy and integrity. It is recommended that administrators enable SSL to protect information, such as user passwords and private data. However, SSL is not required for Tivoli Access Manager to operate. If SSL is not required in your Tivoli Access Manager environment, skip this section.

Tivoli Access Manager supports server-side authentication with Novell eDirectory only. To configure the Novell eDirectory server for SSL, ensure that the ConsoleOne tool is installed and complete the following sections:

v “Creating an organizational certificate authority object” on page 237

v “Creating a self-signed certificate” on page 237

v “Creating a server certificate for the LDAP server” on page 237

v “Enabling SSL” on page 238

v “Adding the self-signed CA certificate to the IBM key file” on page 238

Note: For more information, see Novell product documentation at the following Web sites:

For Novell eDirectory, Version 8.6.2, see:

http://www.novell.com/documentation/lg/ndsedir86/index.html

For Novell eDirectory, Version 8.7, see:

http://www.novell.com/documentation/lg/edir87/index.html


Creating an organizational certificate authority object

During installation of eDirectory, an NDSPKI:Certificate Authority object is created by default (if one does not already exist in the network). It is important that the subject name (not the object name) be a valid signatory. The subject name must have an organization field and a country field to be recognized as valid by Tivoli Access Manager. The default subject name is as follows:

O=organizational_entry_name.OU=Organizational CD

This is not a valid signatory. To change it, you must recreate the Certificate Authority object with a valid subject name. To do so, follow these steps:

1. Start ConsoleOne.

2. Select the Security container object. Objects are displayed in the right-hand pane of the window.

3. Select the Organization CA object and delete it.

4. Right-click the Security container object again and click New → Object.

5. From the list box in the New Object dialog, double-click NDSPKI: Certificate Authority. The Create an Organizational Certificate Authority Object dialog is displayed. Follow the online instructions.

6. Select the target server and enter an eDirectory object name. For example:

Host Server Field = C22Knt_NDS.AM

Object Name Field = C22KNT-CA

7. In Creation Method, select Custom and click Next.

Depending on the installed version of Novell eDirectory, two additional screens might be displayed. Click Next twice to continue.

8. Accept the default Subject name or enter a valid distinguished name for the Certificate Authority being defined. All certificates generated by the Certificate Authority are placed in this location.

9. The Organizational Certificate Authority is displayed in ConsoleOne as C22KNT-CA.

Creating a self-signed certificate

To create a self-signed certificate, do the following:

1. Go to the properties of the Organizational Certificate Authority (C22KNT-CA). The Properties window is displayed.

2. Select the Certificate tab and then select Self Signed Certificate from the drop-down menu.

3. Validate the certificate.

4. Export the certificate. The Export a Certificate window is displayed.

5. Accept the default values and write down the location where the self-signed certificate will be saved. For example:

c:\c22knt\CA-SelfSignedCert.der

6. Transfer (FTP) the file to the Tivoli Access Manager host directory. For example:

c:\Program Files\Tivoli\Policy Directory\keytab

Note that this is a binary file.

Creating a server certificate for the LDAP server

To create the server certificate for the Novell eDirectory server, follow these steps:


1. To create a server certificate for the LDAP server, right-click on the Organization entry and click New → Object. A New Object window is displayed.

2. Select NDSPKI: Key Material and then click OK. The Create Server Certificate (Key Material) window is displayed.

3. Enter the certificate name (for example, AM), select Custom for the creation method, and click Next.

4. Use the default values for the Specify the Certificate Authority option, which will sign the certificate, and click Next.

5. Specify the key size, accept default values for all other options, and click Next.

Note: The default key size for Novell eDirectory Version 8.6.2 is 1024 bits; 2048 bits for Version 8.7.

6. In the Specify the Certificate Parameters window, click on the Edit button beside the Subject name field. The Edit Subject window is displayed.

7. Enter the subject name and then click OK. The Create Server Certificate (Key Material) window is displayed with the Subject Name field updated. Click Next to continue.

8. To accept the default values in the following windows, click Next twice and then click Finish to create a key material.

The Creating Certificate window is temporarily displayed. When it clears, the right pane of ConsoleOne is updated with a Key Material entry named AM. This is the server certificate.

Enabling SSL

To enable SSL for the Novell LDAP server, do the following:

1. In the right-hand pane of ConsoleOne, locate an entry named LDAP Server – hostname and right-click on it.

2. From the drop-down menu, select Properties. From the Properties notebook, select the SSL Configuration tab.

3. Click the Tree Search icon beside the SSL Certificate field. The Select SSL Certificate window is displayed. The SSL Certificate List pane displays the certificates known to the organization.

4. Select the AM certificate and click OK. The Properties of LDAP Server – hostname window is redisplayed with an updated SSL Certificate field.

Note: Do not select Enable and Require Mutual Authentication.

Adding the self-signed CA certificate to the IBM key file

To add the self-signed CA certificate to the IBM key file on the Tivoli Access Manager server, follow these steps:

1. Start the gsk7ikm utility. An IBM Key Manager window is displayed.

2. Select Key Database File → New. A New window is displayed.

3. Update the fields to the following values and then click OK:

Key database type: CMS key database file
File name: key.kdb
Location: /var/PolicyDirector/keytabs

A Password Prompt window is displayed.


4. Create a password, entering it twice for confirmation, and then click OK. The IBM Key Manager window is displayed with the Signer Certificates dialog displayed.

5. Click the Add button. The Add CA’s Certificate from a File window is displayed. Update the following fields and then click OK:

Data type: Binary der data
Certificate file name: <hostname>CA-SelfSignedCert.der

Location: /var/PolicyDirector/keytabs

The Signer Certificates dialog is now updated with a certificate named AM.

Configuring Sun ONE Directory Server for SSL access

SSL allows the data that is transmitted between the Tivoli Access Manager services and Sun ONE Directory Server to be encrypted to provide data privacy and integrity. It is recommended that administrators enable SSL to protect information such as user passwords and private data. However, SSL is not required for Tivoli Access Manager to operate.

This procedure needs to be done only the first time SSL communication is set up between the Sun ONE Directory Server and IBM Tivoli Directory Clients. To enable SSL communication, both Sun ONE Directory Server and the IBM Tivoli Directory Clients must be configured.

For complete information about enabling SSL access on Sun ONE Directory Server, see Sun documentation at the following Web address:

http://docs.sun.com/db/prod/s1dirsrv

Complete the instructions in the following sections:

v “Obtaining a server certificate” on page 239

v “Installing the server certificate” on page 240

v “Enabling SSL access” on page 241

Obtaining a server certificate

To enable SSL support, Sun ONE Directory Server requires a certificate that proves its identity to client systems. The server sends the certificate to the client to enable the client to authenticate with the server. This certificate is called a Server-Cert.

Use the Sun ONE Console 5.1 and the Certificate Setup Wizard to establish the Server-Cert:

1. Start Sun ONE Server Console 5.2.

2. From the Sun ONE Server Console Login dialog, enter the administrator user ID, password, and the URL of the Admin Server for that directory server.

3. Select the domain to be used by Tivoli Access Manager.

4. Expand the server name.

5. Expand Server Group.

6. Select the entry labeled Directory Server.

Configuration information about Sun ONE Directory Server is displayed.

7. Click Open. The Sun ONE Directory Server is accessed.

8. Click the Configuration tab.

9. Click the Encryption tab.


10. Verify that the Enable SSL for this server check box is not selected.

11. Click the Tasks tab and then click Manage Certificates.

Note: The private key for the certificate is stored on an internal security device called a token, which is password protected. The first time that you click the Manage Certificates button, you are prompted to create the password for this token.

12. Enter the Security password twice and then click OK. The Manage Certificates window is displayed.

13. In the Security Device pull-down, ensure that internal (software) is selected and that the Server Certs tab is selected.

14. Click the Request button at the bottom of the window. The Certificate Request Wizard panel is displayed.

15. Ensure that the Request certificate manually button is selected and click Next.

16. Enter the requestor information and then click Next. Ensure that you complete all fields. When prompted to continue, click Yes.

17. Ensure that the Active Encryption token field states internal (software).

18. Enter the security device password and then click Next.

19. To save the certificate request to a file, click Save to File. To copy the request to the clipboard, click Copy to Clipboard. Then click Done to complete your request.

20. E-mail your request or attach the saved file and send your request to the certificate authority administrator.

Installing the server certificate

After you have received the certificate from the certificate authority, install it by completing the following steps:

1. Open the Sun ONE Server Console 5.2.

2. Click the Tasks tab and then click Manage Certificates.

3. Ensure that Server Certs is selected and then click Install.

4. Do one of the following:

v To install the certificate from a file, select In this local file.

v To paste the text in the window, select In the following encoded text block, copy the text of the certificate, and then click Paste from Clipboard.

5. Click Next.

6. Verify that the certificate information is correct and click Next.

7. In the This certificate will be named field, type a certificate name or accept the default name, server-cert, and then click Next.

8. Enter the token password and then click Done. If the process is successful, the Manage Certificate panel is displayed and the server certificate name is listed under the Server Certs tab.

9. Continue to “Enabling SSL access” on page 241.


Enabling SSL access

When you have exited the Certificate Setup Wizard, you are returned to the Encryption tab as shown:

1. Select Enable SSL for this server.

2. Select Use the cipher family: RSA.

3. If you do not plan to require certificate-based client authentication, select Do not allow client authentication.

4. Click Save.

5. Restart Sun ONE Directory Server for changes to take effect.

Note: You have to type the trust database password each time the server is started.

SSL is now enabled on Sun ONE Directory Server. Next, you need to enable SSL on the IBM Tivoli Directory Client systems that will function as LDAP clients to Sun ONE Directory Server.

See “Configuring IBM Tivoli Directory Client for SSL access” on page 241.

Configuring IBM Tivoli Directory Client for SSL access

You must first set up the LDAP server for SSL access before you set up the LDAP client for SSL access. If you have not yet configured your server for SSL access, follow instructions in one of the following:

v “Configuring IBM Tivoli Directory Server for SSL access” on page 227

v “Configuring Sun ONE Directory Server for SSL access” on page 239

v “Configuring Novell eDirectory server for SSL access” on page 236

v “Configuring IBM z/OS and OS/390 security servers for SSL access” on page 232


Similar to creating a key database file for the server, you must create a key database file on the client system. Note that for the client to authenticate the LDAP server, the client must recognize the certificate authority (signer) that created the LDAP server’s certificate. If the LDAP server is using a self-signed certificate, the client must be enabled to recognize the system that generated the LDAP server’s certificate as a trusted root (certificate authority).

To configure the LDAP client for SSL access to the LDAP server, complete the instructions in the following sections:

v “Creating a key database file” on page 242

v “Adding a signer certificate” on page 243

v “Testing SSL access” on page 243

Creating a key database file

Use the gsk7ikm utility to create the key database file. To create the key database file, follow these steps:

1. Ensure that GSKit and the gsk7ikm utility are installed on both the LDAP server and any LDAP clients that will be using SSL.

2. Start the gsk7ikm utility, which is located in one of the following default directories:

System    Path
AIX       /usr/lpp/ibm/gsk7/bin/gsk7ikm
HP-UX     /opt/ibm/gsk7/bin/gsk7ikm
Linux     /usr/local/ibm/gsk7/bin/gsk7ikm
Solaris   /opt/IBM/gsk7/bin/gsk7ikm
Windows   C:\Program Files\IBM\gsk7\bin\gsk7ikm.exe

3. To create a new key database file, select Key Database File → New.

4. Verify that the CMS key database file is the selected key database type.

5. Type the information in the File Name and Location fields where you want the key database file to be located. A key database file’s extension is .kdb.

6. Click OK.

7. Enter the key database file password, and confirm it.

Remember this password because it is required when the key database file is edited.

8. Accept the default expiration time, or change it to your organization’s requirements.

9. If you want the password to be masked and stored into a stash file, select Stash the password to a file.

A stash file can be used by some applications so that the application does not have to know the password to use the key database file. The stash file has the same location and name as the key database file and has an extension of .sth.

10. Click OK. This completes the creation of the key database file. There is a set of default signer certificates. These signer certificates are the default certificate authorities that are recognized.

In order for the client to be able to authenticate the LDAP server, the client must recognize the certificate authority (signer) that created the LDAP server’s certificate. If the LDAP server is using a self-signed certificate, the client must be enabled to recognize the system that generated the LDAP server’s certificate as a trusted root (certificate authority).

11. After creating the key database file, change the file ownership of the key database file to ivmgr. Use the appropriate operating system command for changing file ownership. For example, on UNIX systems, enter the following:

# chown ivmgr keyfile

Adding a signer certificate

To add a signer certificate after the key database file has been created, follow these steps:

1. If you are using a self-signed certificate for the LDAP server, ensure that the certificate that was extracted from the key database file in “Creating and extracting a self-signed certificate” on page 229 has been copied to the client system. If it has not been copied, copy it now. Otherwise, ensure that you have the certificate of the certificate authority that created your LDAP server’s certificate.

2. Click the Signer Certificates section of  the client’s CMS key database file.

3. Click Add.

4. Accept Base64-encoded ASCII data as the data type.

5. Indicate the certificate’s file name and its location. The certificate file’s extension is usually .arm.

6. Click OK.

7. Type a label for the signer certificate that you are adding. For example, you can use the system name of the LDAP server for the label. If the LDAP server’s certificate was created by a certificate authority, you can use the certificate authority’s name as the label.

8. Click OK. The certificate is displayed in the client’s key database as a signer certificate.

9. Highlight the newly added signer certificate, and click View/Edit.

10. Ensure that Set the certificate as a trusted root is selected so that the certificate is marked as a trusted root.

If the LDAP server’s certificate was generated by a regular certificate authority, be sure that the certificate authority is listed as a signer certificate and marked as a trusted root. If it is not, add the certificate authority’s certificate as a signer certificate and indicate that it is a trusted root.

The client is now able to establish an SSL session with the LDAP server.

Testing SSL access

To test that SSL access has been enabled, enter the following command on the LDAP client:

ldapsearch -h servername -Z -K client_keyfile -P keyfile_pwd -b "" -s base objectclass=*

The command variables are as follows:

Variable Description

servername Specifies the DNS host name of the LDAP server.

client_keyfile Specifies the fully qualified path name of the generated client key file.


keyfile_pwd Specifies the password of the generated key file.

This command returns the LDAP base information, which includes the suffixes on the LDAP server.

During LDAP server configuration in “Configuring IBM Tivoli Directory Server for SSL access” on page 227, you chose an authentication method of either Server Authentication or Server and Client Authentication.

v If you chose Server Authentication, the SSL setup is now complete.

v If you chose Server and Client Authentication, go to “Configuring LDAP server and client authentication.”

Configuring LDAP server and client authentication

During the configuration of the LDAP server to enable SSL access, as described in “Enabling SSL access” on page 230, you were prompted to choose either Server Authentication or Server and Client Authentication.

If you chose Server Authentication, SSL configuration is complete.

If you chose Server and Client Authentication, you must now establish a certificate for the client system. In this mode of authentication, the server requests the client’s certificate and uses it to authenticate the client’s identity.

To establish a certificate for the client system, complete the instructions in the following sections:

v “Creating a key database file” on page 244

v “Obtaining a personal certificate from a certificate authority” on page 245

v “Creating and extracting a self-signed certificate” on page 246

v “Adding a signer certificate” on page 247

v “Testing SSL access” on page 247

Creating a key database file

If you have not already created a client key database file, use the gsk7ikm utility to create the key database file and the certificate. If you have already created a key database file, go to “Obtaining a personal certificate from a certificate authority” on page 245.

To create the key database file and certificate (self-signed or signed), follow these steps:

1. Ensure that GSKit and gsk7ikm are installed on both the LDAP server and any clients that will be using SSL.

2. Start the gsk7ikm utility, which is located in one of the following default directories:

System Path

AIX /usr/lpp/ibm/gsk7/bin/gsk7ikm

HP-UX /opt/ibm/gsk7/bin/gsk7ikm

Linux /usr/local/ibm/gsk7/bin/gsk7ikm


Solaris /opt/IBM/gsk7/bin/gsk7ikm

Windows C:\Program Files\IBM\gsk7\bin\gsk7ikm.exe

3. Select Key Database File → New.

4. Verify that the CMS key database file is the selected key database type.

5. Type the information in the File Name and Location fields where you want the key database file to be located. A key database file’s extension is .kdb.

6. Click OK.

7. Enter the key database file password, and confirm it. Remember this password because it is required when the key database file is edited.

8. Accept the default expiration time, or change it to your organization’s requirements.

9. If you want the password to be masked and stored into a stash file, select Stash the password to a file.

A stash file can be used by some applications so that the application does not have to know the password to use the key database file. The stash file has the same location and name as the key database file and has an extension of .sth.

10. Click OK.

This completes the creation of the key database file. There is a set of default signer certificates. These signer certificates are the default certificate authorities that are recognized.

11. After creating the key database file, change the file ownership of the key database file to ivmgr. Use the appropriate operating system command for changing file ownership. For example, on UNIX systems, enter the following:

# chown ivmgr keyfile

Obtaining a personal certificate from a certificate authority

If you plan to use a certificate from a certificate authority (such as VeriSign) instead of a self-signed certificate, you must request the certificate from the certificate authority and then receive it after the certificate authority has issued it.

If you plan to use a self-signed certificate, skip this section and go to “Creating and extracting a self-signed certificate” on page 246.

To request and receive a certificate, follow these steps:

1. Use gsk7ikm to request a certificate from a certificate authority and then receive the new certificate into your key database file.

2. Click the Personal Certificate Requests section of  the key database file.

3. Click New.

4. To produce a request that can be sent to the certificate authority, complete the information and then click OK.

5. To install the certificate to your key database file after the certificate authority returns it, click the Personal Certificates section and then click Receive.

6. After you have the LDAP client’s certificate in the key database file, you can add the certificate of the certificate authority that created the client’s certificate to the LDAP server.

7. Continue to “Adding a signer certificate” on page 247.


Creating and extracting a self-signed certificate

If you obtained a certificate from a known certificate authority, as described in “Obtaining a personal certificate from a certificate authority” on page 245, skip this section and go to “Adding a signer certificate” on page 247.

To create a new self-signed certificate and store it into the key database file, follow these steps:

1. Start the gsk7ikm utility, which is located in one of the following default directories:

System Path

AIX /usr/lpp/ibm/gsk7/bin/gsk7ikm

HP-UX /opt/ibm/gsk7/bin/gsk7ikm

Linux /usr/local/ibm/gsk7/bin/gsk7ikm

Solaris /opt/IBM/gsk7/bin/gsk7ikm

Windows C:\Program Files\IBM\gsk7\bin\gsk7ikm.exe

2. Select Create → New Self-Signed Certificate.

3. Type a name in the Key Label field that GSKit can use to identify this new certificate in the key database.

For example, the label can be the system name of the LDAP client.

4. Accept the defaults for the Version field (X509 V3) and for the Key Size field.

5. Accept the default system name or enter a different distinguished name in the Common Name field for this certificate.

6. Enter a company name in the Organization field.

7. Complete any optional fields or leave them blank.

8. Accept the defaults for the Country field and 365 for the Validity Period field, or change them to suit your organization’s requirements.

9. Click OK. GSKit generates a new public and private key pair and creates the certificate.

If you have more than one personal certificate in the key database file, GSKit asks whether you want this key to be the default key in the database. You can accept one of them as the default. The default certificate is used at runtime when a label is not provided to select which certificate to use.

This completes the creation of the LDAP client’s personal certificate. It is displayed in the Personal Certificates section of the key database file. Use the middle bar of the key management utility to select between the types of certificates kept in the key database file.

The certificate also is displayed in the Signer Certificates section of the key database file. When you are in the Signer Certificates section of the key database, verify that the new certificate is there.

Next, you must extract your LDAP server’s certificate to a Base64-encoded ASCII data file.

10. Use gsk7ikm to extract your LDAP server’s certificate to a Base64-encodedASCII data file.

11. Highlight the self-signed certificate that you just created.

12. Click Extract Certificate.

13. Click Base64-encoded ASCII data as the data type.


14. Type a certificate file name for the newly extracted certificate. The certificate file’s extension is usually .arm.

15. Type the location where you want to store the extracted certificate and then click OK.

16. Copy this extracted certificate to the LDAP server system.

On the LDAP server, after the client’s personal certificate has been created and added to the client’s key database file, the certificate authority that created that client certificate must be recognized as a signer certificate (trusted root).

Adding a signer certificate

You must perform this step on the LDAP server.

To add a signer certificate after the key database file has been created, follow these steps:

1. Do one of  the following:

v If you are using a self-signed certificate for the client, ensure that the certificate that was extracted from the key database file in “Creating and extracting a self-signed certificate” on page 246 has been copied to the server system. If it has not been copied, copy it now and skip the following steps.

v If the client certificate was created by a certificate authority, add the certificate authority’s certificate as a trusted signer using the following steps.

2. Click the Signer Certificates section of the client’s CMS key database file.

3. Click Add.

4. Click Base64-encoded ASCII data to set the data type.

5. Indicate the certificate’s file name and its location. The certificate file’s extension is usually .arm.

6. Click OK.

7. Type a label for the signer certificate that you are adding. For example, you can use the system name of the LDAP client for the label or the name of the certificate authority that generated the client’s certificate.

8. Click OK. The self-signed certificate is displayed in the client’s key database as a signer certificate.

9. Highlight the newly added signer certificate, and click View/Edit.

10. Ensure that Set the certificate as a trusted root is selected so that the certificate is marked as a trusted root.

If the LDAP client’s certificate was generated by a regular certificate authority, be sure that the certificate authority is listed as a signer certificate and marked as a trusted root. If it is not, add the certificate authority’s certificate as a signer certificate and indicate that it is a trusted root.

The server is now able to establish an SSL session with the LDAP client.

11. Continue to “Testing SSL access.”
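The trust decision in both “Adding a signer certificate” procedures (the client-side one earlier in this chapter and this server-side one) turns on who signed the certificate you are about to add. As an added example, not part of the guide or of GSKit, this Python script reads an .arm file (the Base64-encoded ASCII data that gsk7ikm extracts) with a minimal standard-library DER walker and reports whether the certificate is self-signed, so it is itself added as a signer and marked as a trusted root, or CA-issued, in which case the CA’s certificate is the one to add as the trusted root. The sample certificates are constructed inline with a dummy signature; toy_cert_pem and classify_arm are names chosen here.

```python
"""Classify a Base64-encoded (.arm) certificate before adding it as a signer.

Added example, not part of the guide or of GSKit.  The client must trust the
*signer* of the LDAP server's certificate: a self-signed certificate is itself
added as a signer and marked as a trusted root, while a CA-issued certificate
means the CA's own certificate must be the trusted root.
"""
import base64
import re

# Raw DER encodings of the few OIDs needed here (well-known values).
OID_CN, OID_O = b"\x55\x04\x03", b"\x55\x04\x0a"
OID_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"  # rsaEncryption
OID_NAMES = {OID_CN: "CN", OID_O: "O"}


def pem_to_der(text: str) -> bytes:
    """Strip the PEM armour of an .arm file and decode the Base64 body."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found in .arm file")
    return base64.b64decode("".join(m.group(1).split()))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(value: bytes):
    """Yield (tag, value) for each element nested in a SEQUENCE or SET."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val


def name_to_str(name_value: bytes) -> str:
    """Render an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue)."""
    parts = []
    for _, rdn in children(name_value):
        for _, atv in children(rdn):
            (_, oid), (_, val) = list(children(atv))
            parts.append(f"{OID_NAMES.get(oid, oid.hex())}={val.decode('utf-8', 'replace')}")
    return ", ".join(parts)


def issuer_and_subject(der_bytes: bytes):
    _, cert, _ = read_tlv(der_bytes, 0)  # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)        # tbsCertificate ::= SEQUENCE
    fields = list(children(tbs))
    if fields[0][0] == 0xA0:             # skip the optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return name_to_str(fields[2][1]), name_to_str(fields[4][1])


def classify_arm(text: str) -> dict:
    """Report issuer, subject and which signer must become the trusted root."""
    issuer, subject = issuer_and_subject(pem_to_der(text))
    self_signed = issuer == subject
    advice = ("add this certificate as a signer and mark it as a trusted root" if self_signed
              else f"add the certificate of the issuing CA ({issuer}) as the trusted root")
    return {"issuer": issuer, "subject": subject, "self_signed": self_signed, "advice": advice}


# --- constructed sample input: structurally valid X.509 v3 DER with a dummy signature ---
def der(tag: int, payload: bytes) -> bytes:
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def name(cn: str, org: str) -> bytes:
    atv = lambda oid, s: der(0x31, der(0x30, der(0x06, oid) + der(0x0C, s.encode())))
    return der(0x30, atv(OID_CN, cn) + atv(OID_O, org))


def toy_cert_pem(issuer_cn: str, subject_cn: str) -> str:
    alg = der(0x30, der(0x06, OID_RSA) + der(0x05, b""))
    validity = der(0x30, der(0x17, b"031101000000Z") + der(0x17, b"041101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
              + name(issuer_cn, "Example Org") + validity + name(subject_cn, "Example Org")
              + der(0x30, alg + der(0x03, b"\x00" * 17)))  # placeholder public key bits
    b64 = base64.b64encode(der(0x30, tbs + alg + der(0x03, b"\x00" * 17))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for pem in (toy_cert_pem("ldapsrv", "ldapsrv"), toy_cert_pem("Example CA", "ldapsrv")):
        print(classify_arm(pem))
```

To check a real extracted file, pass its contents to classify_arm; the parser does not verify the signature, it only reads the issuer and subject names.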

Testing SSL access

After the LDAP server recognizes the certificate authority that created the client’s personal certificate, test SSL access using the following command on the LDAP client:

ldapsearch -h servername -Z -K client_keyfile -P key_pw -N client_label \
  -b "" -s base objectclass=*


The command variables are as follows:

Variable Description

servername The DNS host name of the LDAP server.

client_keyfile The fully qualified path name of the generated client key ring.

key_pw The password of the generated key ring.

client_label The label associated with the key, if any. This field is optional and is only needed if the LDAP server is configured to perform both server and client authentication.

The ldapsearch command returns the LDAP base information, which includes the suffixes on the LDAP server. Notice that the -N parameter indicates the label that was specified when the client’s personal certificate was added to the client’s key database file.

Note: Do not specify the LDAP server’s signer certificate label. The -N option indicates to GSKit which client certificate is sent to the server when requested. If no label is specified, then the default personal certificate is sent when the server requests the client’s certificate.

SSL setup is now complete.


Chapter 18. AIX: Setting up a standby policy server

You can configure a standby server to take over policy server functions in the event of a system failure or unplanned outage. When the policy server goes down, the standby policy server acts as the primary policy server until the primary policy server assumes its original role. In turn, the standby policy server reverts back to a standby role. At any given time, there is only one active policy server and only one shared copy of the policy databases.

Tivoli Access Manager supports the use of one standby policy server on supported AIX platforms. In addition, deploying a standby policy server requires the installation and configuration of High Availability Cluster Multiprocessing (HACMP) software—a clustering solution designed to provide high-availability access to business-critical data and applications through component redundancy and application failover.

This chapter includes the following sections:

v “Pre-installation requirements” on page 250

v “HACMP environment scenario” on page 251

v “Creating a standby policy server environment” on page 261

The HACMP scenario is provided as a general guide to show you how to install and configure an HACMP environment for standby policy server capability. After you set up your HACMP environment, follow product-specific instructions about creating a standby policy server within a Tivoli Access Manager secure domain. Scripts and examples are provided for your convenience.

For detailed information on clustering and HACMP, see the following Web sites:

http://www.ibm.com/servers/eserver/clusters/software/

http://www.ibm.com/servers/aix/products/ibmsw/high_avail_network/hacmp.html

Rules

v You can create one primary policy server and one standby policy server.

v Both the primary and standby policy servers must reside on AIX systems that are part of a High Availability Cluster Multiprocessing (HACMP) environment.

v Each AIX system must have access to a shared disk array that is configured for data redundancy.

v The policy database and the configuration files used by the policy server must reside on a shared disk array.

v The registry server, such as IBM Tivoli Directory Server 5.2, must be available and installed on a separate system.


Pre-installation requirements

Before you set up a primary/standby policy server environment, ensure that the following conditions are met:

v Ensure that the two machines (primary and standby) are at the same maintenance levels and have similar hardware/performance capabilities. Supported maintenance levels are as follows:

– For AIX 5.1, Maintenance Level 3 or higher

– For AIX 5.2, Maintenance Level 1 or higher

v Ensure that HACMP 4.5 or higher is installed, configured, and running on both the primary and standby policy server systems.

v Ensure that a shared file system is mounted. For example, you can connect an external SSA-based storage tower to both systems, such as the SSA-based 7133 Model T40 storage enclosure.

For general instructions about setting up a basic HACMP environment, see the scenario on page 251.


HACMP environment scenario

This scenario is just one example of how you might install and configure an HACMP environment for standby policy server capability. In this example, similar to other HACMP environments that provide for standby policy server capability, you must configure the HACMP environment for IP address takeover of the primary system’s service IP address as well as for shared access to an external file system.

For more complete details about how to configure and set up these environments, refer to the HACMP documents included when you purchased this product. If you have any service problems involving HACMP, contact IBM Support for these products.

This scenario provides instructions for setting up a policy server on each of two AIX systems. The host systems that are used throughout this scenario are as follows:

v tucana has a service IP address of 192.168.2.13, a boot IP address of 192.168.2.79, and a standby IP address of 192.168.3.2, which must be on a different subnet from the service and boot IP addresses. These IP addresses require that two network adapters, such as Ethernet adapters, be available on tucana. Only two network adapters are needed because in an HACMP environment, the service IP address is activated and the boot IP address is deactivated after the HACMP cluster is started on an HACMP node.

v perseus has a service IP address of 192.168.2.14, a boot IP address of 192.168.2.80, and a standby IP address of 192.168.3.3, which must be on a different subnet from the service and boot IP addresses. These IP addresses require that two network adapters, such as Ethernet adapters, be available on perseus.

Note: The service and boot IP addresses on each AIX system will use the same network adapter. The standby IP address on each AIX system will use the second network adapter.

The primary policy server will be installed and configured on the primary AIX system. The primary host system in this scenario is tucana.

The standby policy server will be installed and configured on the remaining AIX system, which in this scenario is perseus.


Hardware requirements

In this scenario, the following hardware is used. Your hardware requirements will be different, depending on your configuration.

v Two AIX systems with the following hardware:

– Two Ethernet or Token Ring cards connected and configured to the network

– A serial cable that is connected from the serial port on one AIX system to the serial port on the other AIX system

Note: Each AIX system must be able to ping the IP address of the other AIX system.

– An SSA adapter card

v An SSA-based disk array, such as an IBM 7133 Model T40 storage tower or an IBM 7133 D40 rack-mounted enclosure

v Three SSA connection cables. Two (one per AIX system) are cabled to the disk array and one is cabled between the two AIX systems

v IBM AIX 5.1 Service Pack 3 (the recommended version and service pack) installation CDs on both AIX systems. If you use other versions, the version and service pack level must match on both machines.

Use the following scenario to set up a basic HACMP environment on AIX:

1. Install the AIX 5.1 operating system using the AIX installation CDs, including all base rsct packages and Service Pack 3. To check the operating system level, type:

oslevel -r

If Service Pack 3 is installed, 5100-03 is displayed.

2. Install the separately purchased HACMP Version 4.5 ES/CRM software and any AIX base operating system prerequisites that are needed.

3. Update file information by doing the following:

a. In the /etc/hosts file on both AIX systems, type the host name and IP address for all your network card connections. For example, if you have four network card connections between your two systems, your /etc/hosts file must contain lines similar to the following example:

# @(#)47 1.1 src/bos/usr/sbin/netstart/hosts, cmdnet, bos510 7/24/91 10:46
#
# COMPONENT_NAME: TCPIP hosts
#
# FUNCTIONS: loopback
#
# ORIGINS: 26 27
#
# (C) COPYRIGHT International Business Machines Corp. 1985, 1989
# All Rights Reserved
# Licensed Materials - Property of IBM
#
# US Government Users Restricted Rights - Use, duplication or
# disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
#
# /etc/hosts
#
# This file contains the hostnames and their address for hosts in the
# network. This file is used to resolve a hostname into an Internet
# address.
#
# At minimum, this file must contain the name and address for each
# device defined for TCP in your /etc/net file. It may also contain
# entries for well-known (reserved) names such as timeserver
# and printserver as well as any other host name and address.
#
# The format of this file is:
# Internet Address   Hostname   # Comments
# Items are separated by any number of blanks and/or tabs. A ’#’
# indicates the beginning of a comment; characters up to the end of the
# line are not interpreted by routines which search this file. Blank
# lines are allowed.
# Internet Address   Hostname       # Comments
# 192.9.200.1        net0sample     # ethernet name/address
# 128.100.0.1        token0sample   # token ring name/address
# 10.2.0.2           x25sample      # x.25 name/address
127.0.0.1            loopback localhost   # loopback (lo0) name/address
192.168.2.13         tucana
192.168.2.79         tucana-boot
192.168.3.2          tucana-stby
192.168.2.14         perseus
192.168.2.80         perseus-boot
192.168.3.3          perseus-stby

b. Edit the /.rhosts file to ensure that it contains the correct host names. For example:

perseus
perseus-boot
perseus-stby
tucana
tucana-boot
tucana-stby

c. To set the correct permission, run the following:

chmod 600 /.rhosts

d. Edit the /etc/rc.net file, and add these lines:

no -o thewall=10240
no -o routerevalidate=1
no -o ipqmaxlen=512

4. Configure the HACMP cluster. To do so, consult your HACMP software documentation. Use the “Example HACMP configuration” as a guide.

Example HACMP configuration

This section provides an example of a typical HACMP configuration for Tivoli Access Manager. This example illustrates SMITTY menu panels that were captured while performing actual test cases. Parts to this example are as follows:

v “Part 1: Overall HACMP cluster topology” on page 254

Describes the overall cluster topology of the HACMP environment, including the names of the nodes, network definitions, and other pertinent information.

v “Part 2: Cluster resources within HACMP topology” on page 256

Describes the cluster resources within the HACMP cluster topology, including the resource groups and the shared file system.

v “Part 3: Application server definition within HACMP topology” on page 260

Describes the application server definition (which is the policy server in this example) within the HACMP cluster topology.


Figure 1 illustrates a two-system (or two-node) configuration sharing an external storage enclosure.

The primary (tucana) and standby (perseus) policy servers are sharing an SSA-based external storage enclosure. When the primary policy server goes down because of a failover event, such as a network or hardware failure, the HACMP software on the standby system recognizes this event and takes over the service IP address of the primary policy server. The HACMP software also mounts the shared file system on the standby system and starts the standby policy server. The standby policy server remains operational until the HACMP software on the standby system recognizes that the primary system has been restored. At that time, the HACMP software on the primary system does the following:

1. Resumes control of  the service IP address associated with the primary system

2. Mounts the shared file system

3. Starts the primary policy server

Note: While the HACMP software on the primary system is performing these actions, the HACMP software on the standby system stops the standby policy server, unmounts the shared file system, and relinquishes control of the service IP address of the primary policy server.

The following example illustrates an HACMP environment containing a primary and a standby policy server. Before each SMITTY screen capture is the hierarchy of menus that you must progress through to display the screen.

Part 1: Overall HACMP cluster topology

SMITTY MENU Hierarchy:

HACMP for AIX
- Cluster Configuration
- Cluster Topology
- Show Cluster Topology
- Show Cluster Topology

COMMAND STATUS

Figure 1. Standby policy server configuration


Command: OK stdout: yes stderr: no

Before command completion, additional instructions may appear below.

[TOP]
Cluster Description of Cluster am51bos
Cluster ID: 1
There were 2 networks defined: tucanaip, tucanatty1
There are 2 nodes in this cluster

NODE perseus:
    This node has 2 service interface(s):

    Service Interface perseus:
        IP address:        192.168.2.14
        Hardware Address:
        Network:           tucanaip
        Attribute:         public

    Service Interface perseus has a possible boot configuration:
        Boot (Alternate Service) Interface: perseus-boot
        IP Address:        192.168.2.80
        Network:           tucanaip
        Attribute:         public

    Service Interface perseus has 1 standby interfaces
        Standby Interface 1: perseus-stby
        IP Address:        192.168.3.3
        Network:           tucanaip
        Attribute:         public

    Service Interface perseus-tty1:
        IP address:        /dev/tty1
        Hardware Address:
        Network:           tucanatty1
        Attribute:         serial

    Service Interface perseus-tty1 has no standby interfaces

NODE tucana:
    This node has 2 service interface(s):

    Service Interface tucana:
        IP address:        192.168.2.13
        Hardware Address:
        Network:           tucanaip
        Attribute:         public

    Service Interface tucana has a possible boot configuration:
        Boot (Alternate Service) Interface: tucana-boot
        IP Address:        192.168.2.79
        Network:           tucanaip
        Attribute:         public

    Service Interface tucana has 1 standby interfaces
        Standby Interface 1: tucana-stby
        IP Address:        192.168.3.2
        Network:           tucanaip
        Attribute:         public

    Service Interface tucana-tty1:
        IP address:        /dev/tty1
        Hardware Address:


        Network:           tucanatty1
        Attribute:         serial

    Service Interface tucana-tty1 has no standby interfaces

Breakdown of network connections:

Connections to network tucanaip
    Node perseus is connected to network tucanaip by these interfaces:
        perseus-boot
        perseus
        perseus-stby

    Node tucana is connected to network tucanaip by these interfaces:
        tucana-boot
        tucana
        tucana-stby

Connections to network tucanatty1
    Node perseus is connected to network tucanatty1 by these interfaces:
        perseus-tty1

    Node tucana is connected to network tucanatty1 by these interfaces:
        tucana-tty1

[BOTTOM]
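As an added example, not part of the guide or of HACMP, the following Python script cross-checks the /etc/hosts entries from step 3a against the “Show Cluster Topology” output above: every interface label must resolve to the same address in both places, and each node’s standby address must be on a different subnet from its service and boot addresses, as the scenario requires. The /24 netmask is an assumption (the guide does not state the mask); the sample inputs are constructed from the tucana/perseus scenario, and check_cluster, parse_hosts and parse_topology are names chosen here.

```python
"""Pre-flight check of a two-node HACMP topology against this chapter's rules.

Added example, not part of the guide or of HACMP.  It parses /etc/hosts entries
and "Show Cluster Topology" output as shown in this chapter and checks that every
interface label resolves to the same address in both places and that each node's
standby address is on a different subnet from its service and boot addresses.
"""
import ipaddress
import re

NETMASK_BITS = 24  # assumption: the guide does not state the mask of the 192.168.x.y networks


def parse_hosts(text: str) -> dict:
    """Map every hostname or alias in /etc/hosts text to its IP address."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, then split columns
        for label in fields[1:]:
            table[label] = fields[0]
    return table


def parse_topology(text: str) -> dict:
    """Return {node: {kind: (label, ip)}} from HACMP 'Show Cluster Topology' output.
    Serial (tty) interfaces carry no IP address and are skipped."""
    nodes, node, kind, label = {}, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"NODE (\S+):", line):
            node, kind = m.group(1), None
            nodes[node] = {}
        elif m := re.match(r"Service Interface (\S+):$", line):
            kind, label = "service", m.group(1)
        elif m := re.match(r"Boot \(Alternate Service\) Interface: (\S+)", line):
            kind, label = "boot", m.group(1)
        elif m := re.match(r"Standby Interface \d+: (\S+)", line):
            kind, label = "standby", m.group(1)
        elif (m := re.match(r"IP [Aa]ddress: (\d+\.\d+\.\d+\.\d+)", line)) and kind:
            nodes[node][kind] = (label, m.group(1))
            kind = None  # one address per interface block
    return nodes


def check_cluster(hosts_text: str, topology_text: str) -> list:
    """Return problem descriptions; an empty list means the checks pass."""
    hosts, problems = parse_hosts(hosts_text), []
    net = lambda ip: ipaddress.ip_network(f"{ip}/{NETMASK_BITS}", strict=False)
    for node, ifs in parse_topology(topology_text).items():
        for kind in ("service", "boot", "standby"):
            if kind not in ifs:
                problems.append(f"{node}: no {kind} interface defined")
            elif ifs[kind][0] not in hosts:
                problems.append(f"{node}: {ifs[kind][0]} missing from /etc/hosts")
            elif hosts[ifs[kind][0]] != ifs[kind][1]:
                problems.append(f"{node}: {ifs[kind][0]} is {hosts[ifs[kind][0]]} in "
                                f"/etc/hosts but {ifs[kind][1]} in HACMP")
        if "standby" in ifs:
            for kind in ("service", "boot"):
                if kind in ifs and net(ifs[kind][1]) == net(ifs["standby"][1]):
                    problems.append(f"{node}: standby {ifs['standby'][1]} shares a subnet "
                                    f"with the {kind} address {ifs[kind][1]}")
    return problems


# Constructed sample input, taken from the tucana/perseus scenario in this chapter.
HOSTS_SAMPLE = """\
127.0.0.1 loopback localhost # loopback (lo0) name/address
192.168.2.13 tucana
192.168.2.79 tucana-boot
192.168.3.2 tucana-stby
192.168.2.14 perseus
192.168.2.80 perseus-boot
192.168.3.3 perseus-stby
"""

TOPOLOGY_SAMPLE = """\
NODE perseus:
  Service Interface perseus:
    IP address: 192.168.2.14
  Service Interface perseus has a possible boot configuration:
    Boot (Alternate Service) Interface: perseus-boot
    IP Address: 192.168.2.80
  Service Interface perseus has 1 standby interfaces
    Standby Interface 1: perseus-stby
    IP Address: 192.168.3.3
  Service Interface perseus-tty1:
    IP address: /dev/tty1
NODE tucana:
  Service Interface tucana:
    IP address: 192.168.2.13
  Service Interface tucana has a possible boot configuration:
    Boot (Alternate Service) Interface: tucana-boot
    IP Address: 192.168.2.79
  Service Interface tucana has 1 standby interfaces
    Standby Interface 1: tucana-stby
    IP Address: 192.168.3.2
"""

if __name__ == "__main__":
    for line in check_cluster(HOSTS_SAMPLE, TOPOLOGY_SAMPLE) or ["topology passes all checks"]:
        print(line)
```

On a real cluster, feed the script the contents of /etc/hosts and the captured SMITTY output; a non-empty list is a configuration defect to fix before starting cluster services.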

Part 2: Cluster resources within HACMP topology

SMITTY MENU Hierarchy:

HACMP for AIX
- Cluster Configuration
- Cluster Resources
- Show Cluster Resources
- Show Resource Information by Node
- Select Node Name
- perseus

COMMAND STATUS

Command: OK stdout: yes stderr: no

Before command completion, additional instructions may appear below.

[TOP]

Resource Group Name                          tucanasip
Node Relationship                            cascading
Participating Node Name(s)                   tucana perseus
Service IP Label                             tucana
Filesystems                                  /am510fs1
Filesystems Consistency Check                fsck
Filesystems Recovery Method                  sequential
Filesystems/Directories to be exported       /am510fs1
Filesystems to be NFS mounted
Network For NFS Mount
Volume Groups                                am510vg
Concurrent Volume Groups
Disks


Shared Tape Resources
AIX Connections Services
AIX Fast Connect Services
Application Servers                          PDMGR
Highly Available Communication Links
Miscellaneous Data
Automatically Import Volume Groups           false
Inactive Takeover                            false
Cascading Without Fallback                   false
9333 Disk Fencing                            false
SSA Disk Fencing                             false
Filesystems mounted before IP configured     false

Resource Group Name                          perseusip
Node Relationship                            cascading
Participating Node Name(s)                   perseus tucana
Service IP Label                             perseus
Filesystems
Filesystems Consistency Check                fsck
Filesystems Recovery Method                  sequential
Filesystems/Directories to be exported
Filesystems to be NFS mounted
Network For NFS Mount
Volume Groups
Concurrent Volume Groups
Disks
Shared Tape Resources
AIX Connections Services
AIX Fast Connect Services
Application Servers
Highly Available Communication Links
Miscellaneous Data
Automatically Import Volume Groups           false
Inactive Takeover                            false
Cascading Without Fallback                   false
9333 Disk Fencing                            false
SSA Disk Fencing                             false
Filesystems mounted before IP configured     false

Run Time Parameters:

Node Name perseus
Debug Level high
Host uses NIS or Name Server false

[BOTTOM]

SMITTY MENU Hierarchy:

HACMP for AIX
- Cluster Configuration
  - Cluster Resources
    - Show Cluster Resources
      - Show Resource Information by Node
        - Select Node Name
          - tucana

COMMAND STATUS

Command: OK stdout: yes stderr: no


Before command completion, additional instructions may appear below.

[TOP]

Resource Group Name tucanasip
Node Relationship cascading
Participating Node Name(s) tucana perseus
Service IP Label tucana
Filesystems /am510fs1
Filesystems Consistency Check fsck
Filesystems Recovery Method sequential
Filesystems/Directories to be exported /am510fs1
Filesystems to be NFS mounted
Network For NFS Mount
Volume Groups am510vg
Concurrent Volume Groups
Disks
Shared Tape Resources
AIX Connections Services
AIX Fast Connect Services
Application Servers PDMGR
Highly Available Communication Links
Miscellaneous Data
Automatically Import Volume Groups false
Inactive Takeover false
Cascading Without Fallback false
9333 Disk Fencing false
SSA Disk Fencing false
Filesystems mounted before IP configured false

Resource Group Name perseusip
Node Relationship cascading
Participating Node Name(s) perseus tucana
Service IP Label perseus
Filesystems
Filesystems Consistency Check fsck
Filesystems Recovery Method sequential
Filesystems/Directories to be exported
Filesystems to be NFS mounted
Network For NFS Mount
Volume Groups
Concurrent Volume Groups
Disks
Shared Tape Resources
AIX Connections Services
AIX Fast Connect Services
Application Servers
Highly Available Communication Links
Miscellaneous Data
Automatically Import Volume Groups false
Inactive Takeover false
Cascading Without Fallback false
9333 Disk Fencing false
SSA Disk Fencing false
Filesystems mounted before IP configured false

Run Time Parameters:

Node Name tucana
Debug Level high
Host uses NIS or Name Server false

[BOTTOM]


SMITTY MENU Hierarchy:

HACMP for AIX
- Cluster Configuration
  - Cluster Resources
    - Show Cluster Resources
      - Show Resource Information by Resource Group
        - Select Resource Group Name
          - perseusip

COMMAND STATUS

Command: OK stdout: yes stderr: no

Before command completion, additional instructions may appear below.

Resource Group Name perseusip
Node Relationship cascading
Participating Node Name(s) perseus tucana
Service IP Label perseus
Filesystems
Filesystems Consistency Check fsck
Filesystems Recovery Method sequential
Filesystems/Directories to be exported
Filesystems to be NFS mounted
Network For NFS Mount
Volume Groups
Concurrent Volume Groups
Disks
Shared Tape Resources
AIX Connections Services
AIX Fast Connect Services
Application Servers
Highly Available Communication Links
Miscellaneous Data
Automatically Import Volume Groups false
Inactive Takeover false
Cascading Without Fallback false
9333 Disk Fencing false
SSA Disk Fencing false
Filesystems mounted before IP configured false

Run Time Parameters:

Node Name perseus
Debug Level high
Host uses NIS or Name Server false

Node Name tucana
Debug Level high
Host uses NIS or Name Server false

SMITTY MENU Hierarchy:

HACMP for AIX
- Cluster Configuration
  - Cluster Resources
    - Show Cluster Resources
      - Show Resource Information by Resource Group
        - Select Resource Group Name
          - tucanasip

COMMAND STATUS

Command: OK stdout: yes stderr: no

Before command completion, additional instructions may appear below.

Resource Group Name tucanasip
Node Relationship cascading
Participating Node Name(s) tucana perseus
Service IP Label tucana
Filesystems /am510fs1
Filesystems Consistency Check fsck
Filesystems Recovery Method sequential
Filesystems/Directories to be exported /am510fs1
Filesystems to be NFS mounted
Network For NFS Mount
Volume Groups am510vg
Concurrent Volume Groups
Disks
Shared Tape Resources
AIX Connections Services
AIX Fast Connect Services
Application Servers PDMGR
Highly Available Communication Links
Miscellaneous Data
Automatically Import Volume Groups false
Inactive Takeover false
Cascading Without Fallback false
9333 Disk Fencing false
SSA Disk Fencing false
Filesystems mounted before IP configured false

Run Time Parameters:

Node Name tucana
Debug Level high
Host uses NIS or Name Server false

Node Name perseus
Debug Level high
Host uses NIS or Name Server false

Part 3: Application server definition within HACMP topology

SMITTY MENU Hierarchy:

HACMP for AIX
- Cluster Configuration
  - Cluster Resources
    - Define Application Servers
      - Change / Show an Application Server


Change Application Server

Type or select values in entry fields.
Press Enter AFTER making all desired changes.

[Entry Fields]
Server Name PDMGR
New Server Name [PDMGR]
Start Script [/usr/bin/pd_start start]
Stop Script [/usr/bin/pd_start stop]

Creating a standby policy server environment

To create a standby policy server environment, follow these steps:

1. On both the primary policy server and the standby policy server systems, create an ivmgr user ID, an ivmgr group ID, a tivoli user ID and a tivoli group ID.

Before creating these IDs, ensure the /etc/security/limits file on each system has the same default settings (where the creation of user and group IDs is concerned). This is necessary to ensure that the user and group IDs are created with exactly the same characteristics on both systems. To create these IDs, do one of the following:

v Use the SMITTY utility to ensure that both AIX systems use the same number for each ID. For example, both systems must have the same ID number for the ivmgr user ID. In addition, the ID numbers must be different for each of the four IDs.

v Create a script similar to the sample shown in “Script: Setting UIDs for both the primary and standby systems” on page 265. Run this script to set UIDs for ivmgr and tivoli users and groups. For example, if this script was named setivug, the following command would create an ivmgr group with an ID of 250, an ivmgr user with an ID of 251, a tivoli group with an ID of 260, and a tivoli user with an ID of 261.

./setivug 250 251 260 261

Note: Ensure that the four UID values are not being used on either system before attempting to create them.

2. After configuring and starting the HACMP cluster on your two systems, create a directory, such as /share, in the shared file system that is mountable on these systems. For example, create a /share directory on the shared external SSA-based storage tower. To do so, follow these steps:

a. Using the system that will serve as the primary policy server, create a /share directory in the shared file system. This shared directory, located in the external SSA-based storage tower, will contain critical information that must be shared between the primary and standby policy servers.

b. Create a /share subdirectory named PolicyDirector (/share/PolicyDirector). Also ensure that ivmgr is the owner and ivmgr is the group associated with both directories.

c. Use SMITTY HACMP menus to simulate an IP takeover scenario. To do so, stop cluster services on the primary policy server machine using the graceful with takeover shutdown mode.

When the cluster shutdown completes on the primary policy server, the standby policy server takes over the service IP address of the primary policy server and is able to access the /share and /share/PolicyDirector directories within the shared file system.


d. From the standby policy server system, issue the ls -l command to validate that both of these directories are associated with the ivmgr user and the ivmgr group.

e. Restart the cluster on the primary policy server. After the restart has completed, the service IP address will be restored to the primary policy server system and the shared file system will be mounted on the primary policy server system.

3. On the primary policy server, do the following:

a. Install and configure required Tivoli Access Manager components using either the install_ammgr wizard or the native installation method. For instructions, see Chapter 5, “Setting up the policy server,” on page 89.

Figure 2 illustrates the location of key files after the primary policy server is installed and configured.

b. Stop the primary policy server.

c. Edit the /opt/PolicyDirector/ivmgrd.conf file and do the following:

1) Within the [ssl] stanza, change the value of the ssl-io-inactivity-timeout entry to 300.

2) Within the [configuration-database] stanza, update the file= entry to indicate the fully qualified location of the ivmgrd.conf.obf file within the SHARED external file system. For example:

file=/share/PolicyDirector/ivmgrd.conf.obf

d. Edit the /opt/PolicyDirector/pd.conf file and change the host name of the primary policy server to match the host name of the service IP interface, which was configured in your HACMP configuration for this system. In the example depicted in “HACMP environment scenario” on page 251, this host name value was tucana.

e. After changes are saved to the configuration files, create a script similar to the sample shown in “Script: Linking files and directories on the primary system” on page 267. Run this script on the primary policy server to link required files and directories to the shared file system (/share).

Figure 2. Primary policy server after initial configuration


Figure 3 illustrates the location of key files after they have been moved to the shared file system. Note that the standby policy server has not been configured at this point.

f. Restart the primary policy server.

g. Verify the directory structure, file location, soft links and file permissions as shown on page 268.

4. On the standby policy server, do the following:

a. Install (do not configure) required Tivoli Access Manager components using a native installation utility, such as installp. For instructions, see “AIX: Installing the policy server” on page 90.

b. Ensure that the HACMP cluster is running on this system and validate that the shared external file system (/share/PolicyDirector) is accessible. This is necessary so that the configuration process can access .conf files stored in the file system.

For the standby policy server to access this shared external file system, the primary policy server must be shut down. To do so, use the SMITTY HACMP menus to stop cluster services by specifying the graceful with takeover shutdown mode on the primary policy server system. After the cluster has been stopped on this system, verify, once the HACMP failover operation is completed (which should take no more than a minute), that the standby policy server system has taken over the service IP address of the primary policy server and that the shared file system is mounted on the standby policy server system.

c. Configure the standby policy server using the pdconfig utility. For instructions, see “AIX: Installing the policy server” on page 90.

Note: The primary policy server does not have to be running to configure a standby policy server. However, the registry server that is used by the primary policy server must be available and running on a different system than the primary policy server system.

During configuration, the pdconfig utility detects that a policy server configuration already exists. Respond y (Yes) to the following prompts:

Figure 3. Primary policy server after incorporating use of the shared file system


A policy server is already configured to this LDAP server. A second
policy server may be configured for migration or standby purposes ONLY!
Would you like to configure a second policy server to this LDAP server (y/n) [No]? y
Use this policy server for standby (y/n) [No]: y

When prompted, type the “fully qualified” location of the ivmgrd.conf file (the existing policy server configuration file). For example, if the shared directory is /share, type the following:

/share/PolicyDirector/ivmgrd.conf

The pdconfig utility places a link to this file in the /opt/PolicyDirector/etc directory and modifies the ivmgrd.conf file to enable standby operation.

Note: After successful configuration of the standby policy server, the standby policy server is not started. It will automatically start only after a failover condition is detected by the HACMP software that is running on the standby policy server. Otherwise, serious errors and conflicts can occur if both the primary and the standby policy servers attempt to run in a concurrent manner.

d. Create a script similar to the sample shown in “Script: Linking from the AIX system files to the shared directory on the standby system” on page 270. Run this script to link from the AIX system files to the shared directory.

e. Verify the directory structure, file location, soft links and file permissions as shown on page 271.

Note: Because both systems share the same directory, the contents of /share/PolicyDirector on the standby server must be identical to the contents shown for the primary server.

Configuration of the primary and standby policy servers is now complete. At this point, the HACMP cluster is down on the primary policy server system and up on the standby policy server system.

Before testing the policy server failover capabilities, verification must be performed to ensure that the HACMP configuration specified the policy server executable as an application server. To do so using the SMITTY utility, select Show Cluster Resources from the HACMP Cluster Resources panel to display the cluster resources. To define an application server, select the Add an Application Server option from the HACMP Define Application Servers panel. After this panel is selected, the start script (/usr/bin/pd_start start) and the stop script (/usr/bin/pd_start stop) for the policy server executable are specified.

Figure 4 on page 265 illustrates the location of key files after using a native installation method to configure the standby policy server. Appropriate links to these key files within the shared system are also created.


After the application server configuration has been verified, it is now possible to fully activate the HACMP primary/standby policy server configuration. To activate this configuration, the HACMP cluster on the primary policy server system must be restarted. This action will start the primary policy server and put the standby policy server in standby mode.

Script: Setting UIDs for both the primary and standby systems

Use a script similar to the following to set UIDs for ivmgr and tivoli users and groups on both the primary and standby policy server systems.

Figure 4. Completed primary/standby policy server environment


#!/bin/ksh
#
# This script sets the uid values for the ivmgr user and the ivmgr group
# to values that are specified on the command line when this script is
# executed. In addition, this script defines the tivoli group uid and the
# tivoli user uid.
#
# The first parameter ($1) is the uid for the ivmgr group. The second parameter
# ($2) is the uid for the ivmgr user. The third parameter ($3) is the uid
# for the tivoli group. The fourth parameter ($4) is for the tivoli user uid.
# Before executing this script, insure that the four uid values ARE NOT already
# being used on either system.
#
# Due to the importance of these values, it is ABSOLUTELY necessary on the
# system which will run as the Standby Policy Server to set the ivmgr group
# uid and the ivmgr user uid to MATCH the corresponding settings for these
# entities on the system which is serving as the Primary Policy Server. Also,
# since the definition of the ivmgr user has membership in the tivoli group,
# then it is also necessary to create the tivoli group as well. Finally, since
# the tivoli group contains the tivoli user, then the tivoli user, with the
# appropriate uid, must be defined as well. These user/group settings insure
# consistency across the two policy servers allowing for each system to take
# over the role of the Primary Policy Server when it is appropriate.
# Otherwise, the Standby Policy Server will not run or will not even configure
# correctly if these values are not the same on BOTH systems.
#
# Note that this script, setivug, MUST be run BEFORE the Standby Policy Server
# is installed. As a matter of fact, it is recommended that this script be run
# BEFORE any Access Manager software is installed on either the Primary OR the
# Standby Policy server. In this way, all four of these IDs will be consistent
# across BOTH systems.
#
set -e
set -x
#
# Create the ivmgr and tivoli groups with the appropriate uids
#
mkgroup -'A' id="$1" ivmgr
mkgroup -'A' id="$3" tivoli

#
# Build and run an mkuser command from the attribute=value arguments given to x.
# The pseudo-attribute admin=true is turned into the mkuser -a flag; every other
# argument is passed through to mkuser unchanged.
#
x() {
    LIST=
    SET_A=
    for i in "$@"
    do
        if [ "$i" = "admin=true" ]
        then
            SET_A="-a"
            continue
        fi
        LIST="$LIST \"$i\""
    done
    eval mkuser $SET_A $LIST
}

#
# Now define the ivmgr user uid to be a part of the staff, tivoli, and ivmgr groups.
# (Enter the following command on one continuous line.)
#
x id="$2" pgrp='staff' groups='staff,tivoli,ivmgr' home='/opt/PolicyDirector' shell='/usr/bin/ksh' gecos='Policy Director Manager' ivmgr
#
# Now define the tivoli user uid to be a part of the staff and tivoli groups.
# (Enter the following command on one continuous line.)
#
x id="$4" pgrp='staff' groups='staff,tivoli' home='/home/tivoli' shell='/usr/bin/ksh' gecos='Owner of Tivoli Common Files' tivoli
#


Script: Linking files and directories on the primary system

Use a script similar to the following to link required files and directories on the primary policy server system.

#!/bin/ksh
#
# Save a copy of the 3 files below under the .bkp extension
cp -p /opt/PolicyDirector/etc/pd.conf /opt/PolicyDirector/etc/pd.conf.bkp
cp -p /opt/PolicyDirector/etc/ivmgrd.conf /opt/PolicyDirector/etc/ivmgrd.conf.bkp
cp -p /opt/PolicyDirector/etc/ivmgrd.conf.obf /opt/PolicyDirector/etc/ivmgrd.conf.obf.bkp

# Move configuration files to shared directory on the external file system
mv /opt/PolicyDirector/etc/pd.conf /share/PolicyDirector
mv /opt/PolicyDirector/etc/ivmgrd.conf /share/PolicyDirector/ivmgrd.conf
mv /opt/PolicyDirector/etc/ivmgrd.conf.obf /share/PolicyDirector/ivmgrd.conf.obf

# Link the configuration files back to the original installation directory
# and change the ownership and group of these links to ivmgr.
ln -s /share/PolicyDirector/pd.conf /opt/PolicyDirector/etc
ln -s /share/PolicyDirector/ivmgrd.conf /opt/PolicyDirector/etc
ln -s /share/PolicyDirector/ivmgrd.conf.obf /opt/PolicyDirector/etc
chown -h ivmgr /opt/PolicyDirector/etc/ivmgrd.conf
chown -h ivmgr /opt/PolicyDirector/etc/ivmgrd.conf.obf
chown -h ivmgr /opt/PolicyDirector/etc/pd.conf
chgrp -h ivmgr /opt/PolicyDirector/etc/ivmgrd.conf
chgrp -h ivmgr /opt/PolicyDirector/etc/ivmgrd.conf.obf
chgrp -h ivmgr /opt/PolicyDirector/etc/pd.conf

# For the keytab, db and lock subdirectories, create a backup of these directories,
# move their contents to the shared external file system, and link the files in
# these directories back to the original installation directory.
cp -R -p /var/PolicyDirector/keytab /var/PolicyDirector/keytab_bkp
mv /var/PolicyDirector/keytab /share/PolicyDirector
ln -s /share/PolicyDirector/keytab /var/PolicyDirector

cp -R -p /var/PolicyDirector/db /var/PolicyDirector/db_bkp
mv /var/PolicyDirector/db /share/PolicyDirector
ln -s /share/PolicyDirector/db /var/PolicyDirector

cp -R -p /var/PolicyDirector/lock /var/PolicyDirector/lock_bkp
mv /var/PolicyDirector/lock /share/PolicyDirector
ln -s /share/PolicyDirector/lock /var/PolicyDirector

# Change the ownership and group of these links to ivmgr.
chown -h ivmgr /var/PolicyDirector/db
chown -h ivmgr /var/PolicyDirector/keytab
chown -h ivmgr /var/PolicyDirector/lock
chgrp -h ivmgr /var/PolicyDirector/db
chgrp -h ivmgr /var/PolicyDirector/keytab
chgrp -h ivmgr /var/PolicyDirector/lock


Example: Verifying primary server’s directories, soft links and permissions

In the /opt/PolicyDirector/etc directory:

==> ls -l

total 3714
-rw-r----- 1 ivmgr ivmgr 1682440 Oct 10 11:48 AccessManagerBaseAutoTraceDatabaseFile.obfuscated
-rw-r--r-- 1 ivmgr ivmgr 2703 Oct 14 13:16 activedir_ldap.conf
-rw-r----- 1 ivmgr ivmgr 2703 Jul 14 14:21 activedir_ldap.conf.template
-rw-r----- 1 ivmgr ivmgr 18195 Jul 7 10:46 additional_licenses.txt
drw-rw---- 2 ivmgr ivmgr 512 Dec 31 1969 blades
-rw-r----- 1 ivmgr ivmgr 5890 Jan 24 2003 config
-rw-r----- 1 ivmgr ivmgr 718 May 13 11:40 domino.conf.template
-rw-r----- 1 ivmgr ivmgr 114 Oct 10 11:48 ffdc
lrwxrwxrwx 1 ivmgr ivmgr 36 Oct 15 13:45 ivmgrd.conf -> /am510fs1/PolicyDirector/ivmgrd.conf
-rw-r----- 1 ivmgr ivmgr 16949 Oct 14 13:19 ivmgrd.conf.bkp
lrwxrwxrwx 1 ivmgr ivmgr 40 Oct 15 13:45 ivmgrd.conf.obf -> /am510fs1/PolicyDirector/ivmgrd.conf.obf
-rw-r----- 1 ivmgr ivmgr 64 Oct 14 13:19 ivmgrd.conf.obf.bkp
-rw-r----- 1 ivmgr ivmgr 16731 Oct 10 11:29 ivmgrd.conf.template
-rw-r--r-- 1 ivmgr ivmgr 2319 Oct 14 13:18 ldap.conf
-rw-r----- 1 ivmgr ivmgr 2187 Oct 10 11:21 ldap.conf.template
-rw-r--r-- 1 ivmgr ivmgr 36544 Sep 29 12:45 novschema.def
-rw-r--r-- 1 ivmgr ivmgr 26260 Sep 29 12:45 nsschema.def
lrwxrwxrwx 1 ivmgr ivmgr 32 Oct 15 13:45 pd.conf -> /am510fs1/PolicyDirector/pd.conf
-rw-r--r-- 1 ivmgr ivmgr 3736 Oct 14 13:20 pd.conf.bkp
-rw-r----- 1 ivmgr ivmgr 3645 Oct 10 11:29 pd.conf.template
-rw-r----- 1 ivmgr ivmgr 5576 Oct 10 10:05 pdbackup.lst
-rw-r----- 1 ivmgr ivmgr 7448 Oct 10 10:05 pdinfo.lst
-rw-r--r-- 1 ivmgr ivmgr 5354 Oct 14 13:19 pdmgrd_routing
-rw-r--r-- 1 ivmgr ivmgr 5255 Oct 10 11:36 pdmgrd_routing.template
-rw-r--r-- 1 ivmgr ivmgr 1492 Oct 14 12:49 pdversion.dat
-rw-r--r-- 1 ivmgr ivmgr 1492 Aug 18 11:37 pdversion.dat.template
-rw-r----- 1 ivmgr ivmgr 1466 Jan 24 2003 product
-rw-r--r-- 1 ivmgr ivmgr 5827 Oct 14 13:16 routing
-rw-r--r-- 1 ivmgr ivmgr 5674 Oct 10 11:36 routing.template
-rw-r--r-- 1 ivmgr ivmgr 14035 Sep 29 12:45 secschema.def
-rw-r--r-- 1 ivmgr ivmgr 11236 Jan 24 2003 secschema390.def
-rw-r--r-- 1 ivmgr ivmgr 1 Oct 14 12:49 startup
-rw-r--r-- 1 ivmgr ivmgr 1 Jun 24 10:48 startup.template
-rw-r--r-- 1 ivmgr ivmgr 1233 Jan 24 2003 upgrade3.7_ibm_schema.def
-rw-r--r-- 1 ivmgr ivmgr 1938 Jan 24 2003 upgrade3.7_ibm_schema390.def
-rw-r--r-- 1 ivmgr ivmgr 1744 Jan 24 2003 upgrade3.7_netscape_schema.def


In the /var/PolicyDirector directory:

==> ls -Rl
total 7
drwxrwxr-x 2 ivmgr ivmgr 512 Dec 31 1969 audit
lrwxrwxrwx 1 ivmgr ivmgr 27 Oct 15 13:45 db -> /am510fs1/PolicyDirector/db
drwxrwxr-x 2 ivmgr ivmgr 512 Oct 14 13:19 db_bkp
lrwxrwxrwx 1 ivmgr ivmgr 31 Oct 16 15:48 keytab -> /am510fs1/PolicyDirector/keytab
drwxr-xr-x 2 ivmgr ivmgr 512 Oct 16 15:42 keytab_bkp
lrwxrwxrwx 1 ivmgr ivmgr 29 Oct 15 13:45 lock -> /am510fs1/PolicyDirector/lock
drwxr-x--- 2 ivmgr ivmgr 512 Dec 31 1969 lock_bkp
drwxrwxrwx 3 ivmgr ivmgr 512 Oct 16 13:40 log
drwxrwxr-x 2 ivmgr ivmgr 512 Dec 31 1969 pdbackup
drwxr-x--- 2 ivmgr ivmgr 512 Oct 14 12:49 pdmgrd

./audit:
total 0

./db_bkp:
total 1056
-rw------- 1 ivmgr ivmgr 540672 Oct 15 13:45 master_authzn.db

./keytab_bkp:
total 35
-rw------- 1 ivmgr ivmgr 10080 Oct 14 13:19 ivmgrd.kdb
-rw------- 1 ivmgr ivmgr 129 Oct 14 13:18 ivmgrd.sth
-rw-rw-rw- 1 root system 5080 Oct 14 13:19 pd.kdb
-rw-rw-rw- 1 root system 129 Oct 14 13:19 pd.sth
-rw------- 1 root system 1070 Oct 14 13:18 pdcacert.b64

./lock_bkp:
total 0

In the SHARED directory, /share/PolicyDirector, on the external file system:

==> ls -Rl

total 80
drwxrwxr-x 2 ivmgr ivmgr 512 Oct 14 13:19 db
-rw-r----- 1 ivmgr ivmgr 16950 Oct 16 13:32 ivmgrd.conf
-rw-r----- 1 ivmgr ivmgr 64 Oct 16 13:32 ivmgrd.conf.obf
drwxr-xr-x 2 ivmgr ivmgr 512 Oct 16 15:42 keytab
drwxr-x--- 2 ivmgr ivmgr 512 Dec 31 1969 lock
-rw-r--r-- 1 ivmgr ivmgr 3736 Oct 14 13:20 pd.conf

./db:
total 1056
-rw------- 1 ivmgr ivmgr 540672 Oct 16 16:18 master_authzn.db

./keytab:
total 64
-rw------- 1 ivmgr ivmgr 10080 Oct 14 13:19 ivmgrd.kdb
-rw------- 1 ivmgr ivmgr 129 Oct 14 13:18 ivmgrd.sth
-rw-rw-rw- 1 root system 5080 Oct 14 13:19 pd.kdb
-rw-rw-rw- 1 root system 129 Oct 14 13:19 pd.sth
-rw------- 1 root system 1070 Oct 14 13:18 pdcacert.b64

./lock:
total 0


Script: Linking from the AIX system files to the shared directory on the standby system

Use a script similar to the following to link from the AIX system files to the shared directory on the standby policy server system.

#!/bin/ksh
#
# The Standby Policy Server must use the same configuration files as the
# Primary Policy Server. For this reason, the following links must be created
# in order for the Standby Policy Server to function correctly.
#
# Note the Access Manager configuration software will automatically create
# a link to the ivmgrd.conf file that is stored in the shared external file system.

# Backup pd.conf to pd.conf.bkp and link to pd.conf in the shared external file system
mv /opt/PolicyDirector/etc/pd.conf /opt/PolicyDirector/etc/pd.conf.bkp
ln -s /share/PolicyDirector/pd.conf /opt/PolicyDirector/etc

# Backup keytab, db and lock directories and link the keytab, db, and lock
# directories to their corresponding files in the shared external file system.
mv /var/PolicyDirector/keytab /var/PolicyDirector/keytab_bkp
ln -s /share/PolicyDirector/keytab /var/PolicyDirector

mv /var/PolicyDirector/db /var/PolicyDirector/db_bkp
ln -s /share/PolicyDirector/db /var/PolicyDirector

mv /var/PolicyDirector/lock /var/PolicyDirector/lock_bkp
ln -s /share/PolicyDirector/lock /var/PolicyDirector

# Change the group and ownership of the links above to ivmgr.
chown -h ivmgr /opt/PolicyDirector/etc/pd.conf
chown -h ivmgr /var/PolicyDirector/db
chown -h ivmgr /var/PolicyDirector/keytab
chown -h ivmgr /var/PolicyDirector/lock
chgrp -h ivmgr /opt/PolicyDirector/etc/pd.conf
chgrp -h ivmgr /var/PolicyDirector/db
chgrp -h ivmgr /var/PolicyDirector/keytab
chgrp -h ivmgr /var/PolicyDirector/lock


Example: Verifying standby server’s directories, soft links and permissions

In the /opt/PolicyDirector/etc directory:

==> ls -l

total 3668
-rw-r----- 1 ivmgr ivmgr 1682440 Oct 10 11:48 AccessManagerBaseAutoTraceDatabaseFile.obfuscated
-rw-r--r-- 1 ivmgr ivmgr 2703 Oct 16 13:26 activedir_ldap.conf
-rw-r----- 1 ivmgr ivmgr 2703 Jul 14 14:21 activedir_ldap.conf.template
-rw-r----- 1 ivmgr ivmgr 18195 Jul 07 10:46 additional_licenses.txt
drw-rw---- 2 ivmgr ivmgr 512 Dec 31 1969 blades
-rw-r----- 1 ivmgr ivmgr 5890 Jan 24 2003 config
-rw-r----- 1 ivmgr ivmgr 718 May 13 11:40 domino.conf.template
-rw-r----- 1 ivmgr ivmgr 114 Oct 10 11:48 ffdc
lrwxrwxrwx 1 root system 36 Oct 16 13:32 ivmgrd.conf -> /am510fs1/PolicyDirector/ivmgrd.conf
lrwxrwxrwx 1 root system 40 Oct 16 13:32 ivmgrd.conf.obf -> /am510fs1/PolicyDirector/ivmgrd.conf.obf
-rw-r----- 1 ivmgr ivmgr 16731 Oct 10 11:29 ivmgrd.conf.template
-rw-r--r-- 1 ivmgr ivmgr 2319 Oct 16 13:31 ldap.conf
-rw-r----- 1 ivmgr ivmgr 2187 Oct 10 11:21 ldap.conf.template
-rw-r--r-- 1 ivmgr ivmgr 36544 Sep 29 12:45 novschema.def
-rw-r--r-- 1 ivmgr ivmgr 26260 Sep 29 12:45 nsschema.def
lrwxrwxrwx 1 ivmgr ivmgr 32 Oct 16 13:36 pd.conf -> /am510fs1/PolicyDirector/pd.conf
-rw-r--r-- 1 ivmgr ivmgr 3741 Oct 16 13:32 pd.conf.bkp
-rw-r----- 1 ivmgr ivmgr 3645 Oct 10 11:29 pd.conf.template
-rw-r----- 1 ivmgr ivmgr 5576 Oct 10 10:05 pdbackup.lst
-rw-r----- 1 ivmgr ivmgr 7448 Oct 10 10:05 pdinfo.lst
-rw-r--r-- 1 ivmgr ivmgr 5255 Oct 10 11:36 pdmgrd_routing.template
-rw-r--r-- 1 ivmgr ivmgr 1492 Oct 16 13:27 pdversion.dat
-rw-r--r-- 1 ivmgr ivmgr 1492 Aug 18 11:37 pdversion.dat.template
-rw-r----- 1 ivmgr ivmgr 1466 Jan 24 2003 product
-rw-r--r-- 1 ivmgr ivmgr 5810 Oct 16 13:27 routing
-rw-r--r-- 1 ivmgr ivmgr 5674 Oct 10 11:36 routing.template
-rw-r--r-- 1 ivmgr ivmgr 14035 Sep 29 12:45 secschema.def
-rw-r--r-- 1 ivmgr ivmgr 11236 Jan 24 2003 secschema390.def
-rw-r--r-- 1 ivmgr ivmgr 1 Oct 16 13:27 startup
-rw-r--r-- 1 ivmgr ivmgr 1 Jun 24 10:48 startup.template
-rw-r--r-- 1 ivmgr ivmgr 1233 Jan 24 2003 upgrade3.7_ibm_schema.def
-rw-r--r-- 1 ivmgr ivmgr 1938 Jan 24 2003 upgrade3.7_ibm_schema390.def
-rw-r--r-- 1 ivmgr ivmgr 1744 Jan 24 2003 upgrade3.7_netscape_schema.def


In the /var/PolicyDirector directory:

==> ls -Rl
total 7
drwxrwxr-x 2 ivmgr ivmgr 512 Dec 31 1969 audit
lrwxrwxrwx 1 ivmgr ivmgr 27 Oct 16 13:36 db -> /am510fs1/PolicyDirector/db
drwxrwxr-x 2 ivmgr ivmgr 512 Dec 31 1969 db_bkp
lrwxrwxrwx 1 ivmgr ivmgr 31 Oct 16 13:36 keytab -> /am510fs1/PolicyDirector/keytab
drwxrwxrwx 2 ivmgr ivmgr 512 Dec 31 1969 keytab_bkp
lrwxrwxrwx 1 ivmgr ivmgr 29 Oct 16 13:36 lock -> /am510fs1/PolicyDirector/lock
drwxr-x--- 2 ivmgr ivmgr 512 Dec 31 1969 lock_bkp
drwxrwxrwx 2 ivmgr ivmgr 512 Dec 31 1969 log
drwxrwxr-x 2 ivmgr ivmgr 512 Dec 31 1969 pdbackup
drwxr-x--- 2 ivmgr ivmgr 512 Oct 16 13:24 pdmgrd

./audit:
total 0

./db_bkp:
total 0

./keytab_bkp:
total 0

./lock_bkp:
total 0
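The two verification listings (primary server on page 268, standby server on page 271) can be checked automatically instead of by eye. The following POSIX shell script is an added example and is not part of the IBM guide; it assumes the guide's default locations (/share/PolicyDirector, /opt/PolicyDirector/etc, /var/PolicyDirector) and the ivmgr user and group, and it checks ownership only for the links the two linking scripts create, because on the standby the ivmgrd.conf links are created by pdconfig and the listing above shows them owned by root:system.

```shell
#!/bin/sh
# Added example (not from the IBM guide): automate the "Verifying ... directories,
# soft links and permissions" checks. Each policy server configuration file and
# state directory must be a soft link into the shared file system, the link must
# resolve (i.e. the shared file system is mounted on this node), and the links the
# linking scripts create must be owned by ivmgr:ivmgr (chown -h / chgrp -h).

# check_link LINK TARGET OWNER GROUP
# Returns 0 if LINK is a symbolic link to TARGET that resolves and, when OWNER is
# non-empty, is owned by OWNER:GROUP. Otherwise prints the problem and returns 1.
check_link() {
    link=$1 target=$2 owner=$3 group=$4
    if [ ! -L "$link" ]; then
        echo "FAIL: $link is not a symbolic link"
        return 1
    fi
    # ls -ld describes the link itself, not what it points to, and its trailing
    # "-> target" gives the destination without depending on readlink(1).
    entry=$(ls -ld "$link")
    actual=${entry##* -> }
    if [ "$actual" != "$target" ]; then
        echo "FAIL: $link -> $actual (expected $target)"
        return 1
    fi
    if [ ! -e "$link" ]; then
        echo "FAIL: $link -> $target does not resolve (shared file system not mounted?)"
        return 1
    fi
    set -- $entry    # fields: perms nlinks owner group size date name -> target
    if [ -n "$owner" ] && { [ "$3" != "$owner" ] || [ "$4" != "$group" ]; }; then
        echo "FAIL: $link is owned by $3:$4 (expected $owner:$group)"
        return 1
    fi
    echo "ok: $link -> $target"
    return 0
}

# verify_policy_server_links [SHARED [ETC [VAR [OWNER [GROUP]]]]]
# SHARED is the shared PolicyDirector directory, ETC the installed etc directory
# and VAR the runtime state directory; the defaults are the guide's locations.
# Returns 0 only if every expected link is present, resolves and is owned correctly.
verify_policy_server_links() {
    shared=${1:-/share/PolicyDirector}
    etc=${2:-/opt/PolicyDirector/etc}
    var=${3:-/var/PolicyDirector}
    want_owner=${4:-ivmgr} want_group=${5:-ivmgr}
    rc=0
    # Links created by the guide's linking scripts on both primary and standby.
    check_link "$etc/pd.conf" "$shared/pd.conf" "$want_owner" "$want_group" || rc=1
    for d in keytab db lock; do
        check_link "$var/$d" "$shared/$d" "$want_owner" "$want_group" || rc=1
    done
    # ivmgrd.conf and ivmgrd.conf.obf: the primary's script links them and sets
    # ivmgr ownership, but on the standby pdconfig creates the links itself (the
    # guide's standby listing shows root:system), so only the link and its
    # resolution are checked here.
    for f in ivmgrd.conf ivmgrd.conf.obf; do
        check_link "$etc/$f" "$shared/$f" "" "" || rc=1
    done
    return $rc
}
```

Run verify_policy_server_links with no arguments on either node after the linking script has been applied; a non-zero return on the standby after a simulated takeover usually means the shared file system did not come across with the service IP address.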


Chapter 19. Tivoli Access Manager utilities

In addition to the pdadmin command utility, Tivoli Access Manager provides the following utilities for your use.

Table 24. Tivoli Access Manager utilities

Utility      Description

amwpmcfg     Configures the Web Portal Manager interface.

ivrgy_tool   Updates the Tivoli Access Manager schema on the specified LDAP server.

pdbackup     Backs up, restores, and extracts Tivoli Access Manager data.

pdconfig     Configures and unconfigures Tivoli Access Manager components except the Tivoli Access Manager Java runtime component.

pdjrtecfg    Configures the Tivoli Access Manager Java runtime component.

pd_start     Stops, starts, and restarts servers on UNIX systems. Also displays server status.


amwpmcfg

Configures, unconfigures, retrieves the package name for, or provides status for Web Portal Manager.

Syntax

amwpmcfg –action config –host policy_server_host [–port policy_server_port] –waspath websphere_installation_path [–admin_id admin_id –admin_pwd admin_password]

amwpmcfg –action config –interactive

amwpmcfg –action config –rspfile response_file

amwpmcfg –action unconfig –rspfile response_file

amwpmcfg –action unconfig [–admin_id admin_id –admin_pwd admin_password] –host policy_server_host [–port policy_server_port] –waspath websphere_installation_path

amwpmcfg –action unconfig –interactive [–admin_id admin_id –admin_pwd admin_password]

amwpmcfg –action status [–admin_id admin_id –admin_pwd admin_password]

amwpmcfg –operations

amwpmcfg –help [options]

amwpmcfg –usage

amwpmcfg –?

Parameters

–action {config|name|status|unconfig}
Specifies the action to be performed. Actions include:

config Use to configure the Tivoli Access Manager Web Portal Manager.

name Retrieves the Tivoli Access Manager Web Portal Manager package name and returns the name value to the pdconfig utility. This option is used only by pdconfig. Do not use this option from the command line.

status Use to determine the configuration status for Tivoli Access Manager Web Portal Manager and return status to the pdconfig utility. This option is used only by pdconfig. Do not use this option from the command line.

unconfig Use to unconfigure the Tivoli Access Manager Web Portal Manager.

–a admin_id
Logs you in as the user admin_id. If you do not specify this option, you will be prompted.

–p password
Specifies the password for the user admin_id. If you do not specify this option, you are prompted for a password. This option cannot be used unless the –action config or –action unconfig option is used.

–host policy_server_host
Specifies the Tivoli Access Manager policy server host name.

Valid values for host_name include any valid IP host name.

Example: host = libra.dallas.ibm.com

–help [option]
Provides online help for one or more command options by displaying descriptions of the valid command line options.

–interactive
Specifies the interactive mode, using a graphical interface to configure the Tivoli Access Manager Web Portal Manager. If not specified, the configuration program will run in non-interactive (silent) mode.

–operations
Prints out all the valid command line options.

–port policy_server_port
Specifies the Tivoli Access Manager policy server port number. The default value is 7135.

–rspfile response_file
Provides the fully qualified path and file name for the Web Portal Manager response file to use during silent configuration. A response file can be used for configuration or unconfiguration. There is no default response file name. The response file contains stanzas and option=value pair stanza entries. For more information, see Chapter 20, “Using response files,” on page 293.

–usage
Displays the usage syntax for this command. Also displays an example.

–waspath websphere_installation_path
Specifies the path to the IBM WebSphere Application Server directory. The websphere_installation_path will be validated by checking the existence of the /bin/wsadmin script file and the /java/jre/lib/ext/PD.jar file. The configuration cannot continue if the required version of WebSphere Application Server is not installed.

–? Displays the usage syntax for this command. Also displays an example.
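The –waspath validation above is the check most likely to stop a silent (–rspfile) run part-way. As an added example, not the guide's own code, the following POSIX shell pre-flight repeats that check and assembles the non-interactive configure command, leaving the administrator credentials to the utility's prompt rather than the command line; it assumes the guide's default UNIX sbin location for amwpmcfg, the two file names given in the –waspath description, and option names typed with ordinary hyphens.

```shell
#!/bin/sh
# Added example, not from the IBM guide: pre-flight for amwpmcfg -action config.
# Assumptions: the two files checked are the ones the -waspath description
# names; /opt/PolicyDirector/sbin is the guide's default UNIX location.

# check_waspath DIR
# Returns 0 when DIR contains both files amwpmcfg looks for; otherwise prints
# what is missing on stderr and returns 1.
check_waspath() {
    waspath=$1
    rc=0
    if [ -z "$waspath" ] || [ ! -d "$waspath" ]; then
        echo "waspath: '$waspath' is not a directory" >&2
        return 1
    fi
    for required in bin/wsadmin java/jre/lib/ext/PD.jar; do
        if [ ! -f "$waspath/$required" ]; then
            echo "waspath: missing $waspath/$required" >&2
            rc=1
        fi
    done
    return $rc
}

# amwpmcfg_config_cmd HOST [PORT] WASPATH
# Prints the silent configure command, filling in the guide's default policy
# server port (7135) when PORT is empty. -admin_id/-admin_pwd are left out on
# purpose so the utility prompts for them and they stay out of shell history
# and process listings.
amwpmcfg_config_cmd() {
    host=$1 port=$2 waspath=$3
    if [ -z "$host" ]; then
        echo "amwpmcfg: -host policy_server_host is required" >&2
        return 1
    fi
    check_waspath "$waspath" || return 1
    printf '/opt/PolicyDirector/sbin/amwpmcfg -action config -host %s -port %s -waspath %s\n' \
        "$host" "${port:-7135}" "$waspath"
}
```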

Availability
This command is located in the following default installation directories:

v On UNIX systems:

/opt/PolicyDirector/sbin/

v On Windows systems:

c:\Program Files\Tivoli\Policy Director\sbin\

When an installation directory other than the default is selected, this utility is located in the sbin directory under the installation directory (for example, install_dir\sbin\).


Return codes
The following exit status codes can be returned:

0 The command completed successfully.

1 The command failed.

When a command fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.


ivrgy_tool

Updates the Tivoli Access Manager schema on the specified LDAP server. Normally the schema is automatically updated when the Tivoli Access Manager policy server (pdmgrd) is configured. When migrating an existing installation of Tivoli Access Manager, the schema on the LDAP server must be upgraded to the current version of Tivoli Access Manager using this utility.

Syntax

ivrgy_tool –h host_name –p port –D ldap_admin_dn –w ldap_admin_pwd –d [–Z –K ldap-ssl-key-filename –P ldap-ssl-keyfile-password [–N ldap-ssl-keyfile-label]] schema

Parameters

–d Indicates verbose mode.

–D ldap_admin_dn
Specifies the distinguished name of the LDAP administrator. The format for a distinguished name is similar to:

cn=root

–h host_name
Specifies the IP address or host name of the LDAP server.

Valid values for host_name include any valid IP host name.

Examples:
host = libra
host = libra.dallas.ibm.com

–K ldap-ssl-key-filename
Specifies the fully qualified path and file name of the SSL key database. This parameter is required only if the –Z is specified. Use the SSL key file to handle certificates that are used in LDAP communication. The file type can be anything but the extension is usually .kdb.

Example for Windows: C:\pd\keytab\ivmgrd.kdb

Example for UNIX: /opt/PolicyDirector/keytab/ivmgrd.kdb

–N ldap-ssl-keyfile-label
Specifies the label name of the client certificate in the SSL key database that is sent to the LDAP server if the LDAP server is configured to perform both server and client authentication during SSL establishment.

This parameter is optional. This parameter is only valid when SSL is being used (indicated by using the –Z flag) and when the LDAP server has been configured to require client authentication.

If the default Tivoli Access Manager key database is being used, the default client certificate label is PDLDAP.

–p port
Specifies the port number of the LDAP server.

For port, use the LDAP server-configured port number. The default port number is 636 if Secure Sockets Layer (SSL) is used and 389 if SSL is not used.


–P ldap-ssl-keyfile-password
Specifies the password for the SSL key database. This parameter is required only if the –Z option is specified.

Note: The password associated with the default SSL key file is key4ssl.

–w ldap_admin_pwd
Specifies the password of the LDAP administrator.

–Z Indicates that SSL is used.

schema
Indicates that the IBM Directory server should be updated with the Tivoli Access Manager schema. Only use this parameter when migrating a version of IBM Directory server prior to version 5.2.

Comments
The Tivoli Access Manager schema is defined in a set of files. The files relate to the type of LDAP server that is being used. These files contain the Tivoli Access Manager LDAP schema:

v secschema.def — used for the IBM Directory Server

v nsschema.def — used for the Sun ONE Directory Server

v novschema.def — used for the Novell eDirectory Server

These files are installed as part of the Tivoli Access Manager runtime and are used as input to the automatic schema update process when you configure the Tivoli Access Manager policy server.

Note: The administrator can also apply and update the schema by using these files as the LDAP Data Interchange Format (LDIF) input to an IBM Directory ldapmodify command.

Return codes
The following exit status codes can be returned:

0 The command completed successfully.

1 The command failed.

When a command fails, a description of the error is provided.


pdbackup

Backs up, restores, and extracts Tivoli Access Manager data.

Syntax

pdbackup –action backup –list path_to_list_file [–path path] [–file filename]

pdbackup –action restore –file  filename [–path  path]

pdbackup –action extract –file  filename –path  path

pdbackup –usage

pdbackup –?

Parameters
Note that you can shorten an option name, but the abbreviation must be unambiguous. For example, you can type –a for –action or –l for –list. However, values for options cannot be shortened.

–action [backup|restore|extract]
Specifies to back up, restore, or extract data.

–file filename
Specifies one of the following:

v If specified with the –a backup option, specifies a file name other than the list_filename_date.time[.tar|.dar] default file name.

The default name of the archive file is the name of the list that is used and includes a date and time stamp. For example:

– UNIX

/var/PolicyDirector/pdbackup/list_filename_date.time.tar

– Windows

C:\Program Files\Tivoli\PolicyDirector\pdbackup\list_filename_date.time.dar

v If specified with the –a restore option, specifies the name and fully qualified path of the archive file to restore. There is no default path. This option is required when using the –a restore option.

v If specified with the –a extract option, specifies the name and fully qualified path of the archive file to extract. There is no default path. This option is required when using the –a extract option.

–list path_to_list_file
Specifies the fully qualified path to either the archive or service list file (an ASCII file containing various stanzas). This option is required when using the –a backup option. Both the path and list file name depend on the component. Each component can have its own list in its own directory.

v On UNIX systems, the normal path is as follows:

/opt/PolicyDirector/etc/pdbackup.lst

v On Windows systems, the normal path is as follows:

C:\Program Files\Tivoli\PolicyDirector\etc\pdbackup.lst

–path path
Specifies an alternate directory in which to place the list file, such as:


v If specified with the –a backup option, specifies the path where you want backup files stored. If you do not specify a path when using the –a backup option, the default path is one of the following:

– On UNIX systems, the default path is as follows:

/var/PolicyDirector/pdbackup/

– On Windows systems, the default path is as follows:

amrte_install_dir\pdbackup\

where amrte_install_dir specifies the directory where the Tivoli Access Manager runtime is installed.

v If specified with the –a restore option on UNIX systems only, indicates to restore archived files in the specified path. By default, the restore path is the directory used when backing up data. On Windows systems, the restore process does not support the –p option.

v If specified with the –a extract option, specifies the directory name where you want extracted files stored. There is no default path. The –p option is required when using the –a extract option.

–usage

Displays the usage syntax for this command. Also displays an example.

–? Displays the usage syntax for this command. Also displays an example.

Comments
Use the pdbackup command to back up and restore Tivoli Access Manager data. As an alternative to a restore action, you can extract all archived files into a single directory.

This command is most commonly used in three scenarios:

v Back up, restore, and extract of Tivoli Access Manager Base component files.

v Back up, restore, and extract of Tivoli Access Manager WebSEAL component files.

v Back up, restore, and extract of Tivoli Access Manager Web server component files.

Note that only three scenarios are discussed. However, you can back up, restore, and extract any Tivoli Access Manager Base component files, and any Tivoli Access Manager server files.

Backup of Tivoli Access Manager files

The backup action obtains the backup list file name to archive from the argument to the –file option. The date and time reflect the creation time of the file. When a service list file’s name is not specified, a default service list file name is automatically used. For these scenarios, the component-specific backup list files are shown in Table 25 on page 281.

The backup list file is located in the pdbackup directory under the Tivoli Access Manager installation directory. You can use the –path option to specify an alternate directory in which to place the backup list file.

The following table shows the backup list file’s location when Tivoli Access Manager is installed in the component’s default installation directory.


Table 25. Backup list files

Tivoli Access Manager Base
UNIX     /var/PolicyDirector/pdbackup/pdbackup.lst_ddmmmyyyy.hh_mm.tar
Windows  amrte_install_dir\pdbackup\pdbackup.lst_ddmmmyyyy.hh_mm.dar

Tivoli Access Manager WebSEAL
UNIX     /var/pdweb/pdbackup/amwebbackup.lst_ddmmmyyyy.hh_mm.tar
Windows  amrte_install_dir\PDweb\pdbackup\amwebbackup.lst_ddmmmyyyy.hh_mm.dar

Tivoli Access Manager Plug-in for Web Servers
UNIX     /var/pdwebpi/pdbackup/pdwebpi.lst_ddmmmyyyy.hh_mm.tar
Windows  amrte_install_dir\PDwebpi\pdbackup\pdwebpi.lst_ddmmmyyyy.hh_mm.dar

For example, a representative Tivoli Access Manager Base component backup list file name for UNIX would be pdbackup.lst_14Oct2003.11_22.tar.

Backup of Tivoli Access Manager service information files

The  backup action also creates a service list file name.

The backup action obtains the service list file name to archive from the argument to the –file option. The date and time reflect the creation time of the service list file. When a service list file’s name is not specified, a default service list file name is automatically used. For these scenarios, the component-specific backup list files are shown in Table 26.

The location of the service list file can be specified using the –path option. If the location is not specified, a default location is used. The service list files are also located in the etc directory under the Tivoli Access Manager component’s installation directory.

The following table shows the service list file’s location when Tivoli Access Manager is installed in the component’s default installation directory.

Table 26. Service file list (pdinfo)

Tivoli Access Manager Base
UNIX     /opt/PolicyDirector/etc/pdinfo.lst_ddmmmyyyy.hh_mm.tar
Windows  C:\Program Files\Tivoli\PolicyDirector\etc\pdinfo.lst_ddmmmyyyy.hh_mm.dar

Tivoli Access Manager WebSEAL
UNIX     /opt/pdweb/etc/pdinfo-amwebbackup.lst_ddmmmyyyy.hh_mm.tar
Windows  C:\Program Files\Tivoli\PolicyDirector\etc\pdinfo-amwebbackup.lst_ddmmmyyyy.hh_mm.dar

Tivoli Access Manager Plug-in for Web Servers
UNIX     /opt/pdwebpi/etc/pdinfo-pdwebpi.lst_ddmmmyyyy.hh_mm.tar
Windows  C:\Program Files\Tivoli\PDWebpi\etc\pdinfo-pdwebpi.lst_ddmmmyyyy.hh_mm.dar


For example, a representative Tivoli Access Manager Base component service list file name for UNIX would be pdinfo.lst_14Oct2003.11_22.tar.

Restore of Tivoli Access Manager files

When files are restored, the files are placed into a directory hierarchy. The location of the hierarchy is as follows:

v UNIX

Archived files are restored by default to the root directory. On UNIX systems, you can use the –path option to specify an alternative directory, which enables you to restore files to a specific directory tree.

v Windows

Archived files are restored to their original directory. The –path option is not available.

Extract of Tivoli Access Manager files

Use pdbackup to extract files from the backup archive. Files are placed into a single directory. Files are not placed into a directory tree structure.

Use the –file option to specify the name and fully qualified path of the archive file to extract.

Use the –path option to specify the directory where the extracted files are placed.

Note: Windows registry keys are not updated with the –a extract option.
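The archive names in Tables 25 and 26 embed a ddmmmyyyy.hh_mm stamp, so sorting the pdbackup directory by name does not give chronological order (15dec2003 sorts after 03jan2004). As an added example, not from this guide, the following POSIX shell helpers parse that stamp and select the newest archive for a given list file before a restore; they assume the guide's default naming, English month abbreviations in either case (the guide itself writes both 14Oct2003 and 15dec2003), and the file names used to exercise them are constructed.

```shell
#!/bin/sh
# Added example, not from the IBM guide: chronological handling of pdbackup
# archive names of the form list_ddmmmyyyy.hh_mm.tar (or .dar on Windows).
# Assumptions: English month abbreviations; names otherwise as in Table 25/26.

# month_num MMM -> two-digit month number; returns 1 for an unknown month
month_num() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
        jan) echo 01;; feb) echo 02;; mar) echo 03;; apr) echo 04;;
        may) echo 05;; jun) echo 06;; jul) echo 07;; aug) echo 08;;
        sep) echo 09;; oct) echo 10;; nov) echo 11;; dec) echo 12;;
        *) return 1;;
    esac
}

# archive_key NAME -> yyyymmddhhmm for a pdbackup archive file name (a path
# is accepted); returns 1 when NAME does not follow the list_date.time pattern
archive_key() {
    name=${1##*/}                      # drop any directory part
    case $name in
        *.tar|*.dar) ;;
        *) return 1;;
    esac
    base=${name%.*}                    # list_ddmmmyyyy.hh_mm
    hm=${base##*.}                     # hh_mm
    rest=${base%.*}                    # list_ddmmmyyyy
    date=${rest##*_}                   # ddmmmyyyy
    case $date in
        [0-9][0-9][A-Za-z][A-Za-z][A-Za-z][0-9][0-9][0-9][0-9]) ;;
        *) return 1;;
    esac
    case $hm in
        [0-9][0-9]_[0-9][0-9]) ;;
        *) return 1;;
    esac
    mon=$(month_num "$(printf '%s' "$date" | cut -c3-5)") || return 1
    printf '%s%s%s%s%s\n' "$(printf '%s' "$date" | cut -c6-9)" "$mon" \
        "$(printf '%s' "$date" | cut -c1-2)" "${hm%_*}" "${hm#*_}"
}

# newest_archive DIR LIST -> path of the most recent DIR/LIST_*.tar|.dar,
# chosen by the embedded stamp rather than by name; returns 1 if none
newest_archive() {
    dir=$1 list=$2 best= bestkey=
    for f in "$dir/$list"_*.tar "$dir/$list"_*.dar; do
        [ -f "$f" ] || continue        # skips an unexpanded glob
        key=$(archive_key "$f") || continue
        if [ -z "$bestkey" ] || [ "$key" -gt "$bestkey" ]; then
            best=$f bestkey=$key
        fi
    done
    [ -n "$best" ] && printf '%s\n' "$best"
}
```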

Availability
This command is located in the following default installation directories:

v On UNIX systems:

/opt/PolicyDirector/bin/

v On Windows systems:

c:\Program Files\Tivoli\Policy Director\bin\

When an installation directory other than the default is selected, this utility is located in the bin directory under the installation directory (for example, install_dir\bin\).

Examples

Backup of Tivoli Access Manager Base

v This example backs up by using default values for the archive files:

UNIX
pdbackup -a backup -list /opt/PolicyDirector/etc/pdbackup.lst

Windows
pdbackup -a backup -list installation_dir\etc\pdbackup.lst

Note: The shortened form of  pdbackup -a backup -l is also acceptable.

Example archive file created by this command:

UNIX: /var/PolicyDirector/pdbackup/pdbackup.lst_15dec2003.10_41.tar

Windows: \installation_dir\pdbackup\pdbackup.lst_15dec2003.10_41.dar

v This example backs up by specifying an alternative location for the archive files. The following example performs a backup, creating the default archive file in the /var/backup directory (UNIX) or C:\pdback (Windows):

UNIX
pdbackup -a backup -list /opt/PolicyDirector/etc/pdbackup.lst -p /var/backup

Windows
pdbackup -a backup -list installation_dir\etc\pdbackup.lst -path c:\pdback

v This example backs up by specifying an alternative name for the archive file. The following example performs a backup, creating a file named pdarchive.tar (UNIX) or pdarchive.dar (Windows). The file is located in the default archive directory.

UNIX
pdbackup -a backup -list /opt/PolicyDirector/etc/pdbackup.lst -f pdarchive

Windows
pdbackup -a backup -list base_dir\etc\pdbackup.lst -f pdarchive

The default archive extension (.tar for UNIX, .dar for Windows) is appended to the pdarchive file name. This file is stored in the default archive directory /var/PolicyDirector/pdbackup (UNIX) or installation_dir\pdbackup (Windows).

Backup of Tivoli Access Manager WebSEAL

v This example backs up by using default values for the archive files:

UNIX
pdbackup -a backup -list /opt/pdweb/etc/amwebbackup.lst

Windows
pdbackup -a backup -list installation_dir\etc\amwebbackup.lst

Example archive file created by this command:

UNIX: /var/PolicyDirector/pdbackup/amwebbackup.lst_15dec2003.10_41.tar

Windows: \installation_dir\pdbackup\amwebbackup.lst_15dec2003.10_41.dar

v This example backs up by specifying an alternative location for the archive files. The following example performs a backup, creating the default archive file in the /var/backup directory (UNIX) or C:\pdback (Windows):

UNIX
pdbackup -a backup -list /opt/pdweb/etc/amwebbackup.lst -p /var/backup

Windows
pdbackup -a backup -list installation_dir\etc\amwebbackup.lst -path c:\pdback

v This example backs up by specifying an alternative name for the archive file. The following example performs a backup, creating a file named amwebarchive.tar (UNIX) or amwebarchive.dar (Windows). The file is located in the default archive directory.


UNIX
pdbackup -a backup -list /opt/pdweb/etc/amwebbackup.lst -f amwebarchive

Windows
pdbackup -a backup -list base_dir\etc\amwebbackup.lst -f amwebarchive

The default archive extension (.tar for UNIX, .dar for Windows) is appended to the amwebarchive file name. This file is stored in the default archive directory /var/PolicyDirector/pdbackup (UNIX) or installation_dir\pdbackup (Windows).

Backup of Tivoli Access Manager Plug-in for Web Servers

v This example backs up by using default values for the archive files:

UNIX
pdbackup -a backup -list /opt/pdwebpi/etc/pdwebpi.lst

Windows
pdbackup -a backup -list install-dir\etc\pdwebpi.lst

Example archive file created by this command:

UNIX: /var/PolicyDirector/pdbackup/pdinfo-pdwebpi_15dec2003.10_41.tar

Windows: \installation_dir\pdbackup\pdinfo-pdwebpi_15dec2003.10_41.dar

v This example backs up by specifying an alternative location for the archive files. The following example performs a backup, creating the default archive file in the /var/backup directory (UNIX) or C:\pdback (Windows):

UNIX
pdbackup -a backup -list /opt/pdweb/etc/pdwebpi.lst -p /var/backup

Windows
pdbackup -a backup -list installation_dir\etc\pdwebpi.lst -path c:\pdback

v This example backs up by specifying an alternative name for the archive file. The following example performs a backup, creating a file named amwebarchive.tar (UNIX) or amwebarchive.dar (Windows). The file is located in the default archive directory.

UNIX
pdbackup -a backup -list /opt/pdweb/etc/pdwebpi.lst -f amwebarchive

Windows
pdbackup -a backup -list base_dir\etc\pdwebpi.lst -f amwebarchive

The default archive extension (.tar for UNIX, .dar for Windows) is appended to the amwebarchive file name. This file is stored in the default archive directory /var/PolicyDirector/pdbackup (UNIX) or installation_dir\pdbackup (Windows).

Restore of Tivoli Access Manager Base

v This example restores the contents of the archive file when the archive file is stored in the default location:

UNIX
pdbackup -a restore -f /var/PolicyDirector/pdbackup/pdbackup.lst_15dec2003.07_24.tar


Windows
pdbackup -a restore -f base_dir\pdbackup\pdbackup.lst_15dec2003.07_24.dar

v This example restores the contents of the archive file when the archive file is stored in a non-default location, such as /var/pdback (UNIX) or \pdbackup (Windows):

UNIX
pdbackup -a restore -f /var/pdback/pdbackup.lst_15dec2003.07_25.tar

Windows
pdbackup -a restore -f h:\pdbackup\pdbackup.lst_15dec2003.07_25.dar

v (UNIX only) This example restores the contents of an archive file when the archive file is stored in the non-default location /var/pdback. Place the restored directory hierarchy under the directory /pdtest:

pdbackup -a restore -p pdtest -f /var/pdback/pdbackup.lst_15dec2003.07_25.tar

Restore of Tivoli Access Manager WebSEAL

v This example restores the contents of the archive file when the archive file is stored in the default location:

UNIX
pdbackup -a restore -f /var/PolicyDirector/pdbackup/amwebbackup.lst_15dec2003.07_24.tar

Windows
pdbackup -a restore -f base_dir\pdbackup\amwebbackup.lst_15dec2003.07_24.dar

v (UNIX only) This example restores the contents of an archive file when the archive file is stored in the non-default location /var/pdback. Place the restored directory hierarchy under the directory /amwebtest:

pdbackup -a restore -p amwebtest -f /var/pdback/amwebbackup.lst_15dec2003.07_25.tar

Restore of Tivoli Access Manager Plug-in for Web Servers

v This example restores the contents of the archive file when the archive file is stored in the default location:

UNIX
pdbackup -a restore -f /var/PolicyDirector/pdbackup/pdinfo-pdwebpi.lst_15dec2003.07_24.tar

Windows
pdbackup -a restore -f install_directory\pdbackup\pdinfo-pdwebpi.lst_15dec2003.07_24.dar

v (UNIX only) This example restores the contents of an archive file when the archive file is stored in the non-default location /var/pdback. Place the restored directory hierarchy under the directory /amwebtest:

pdbackup -a restore -p amwebtest -f /var/pdback/pdinfo-pdwebpi.lst_15dec2003.07_25.tar

Extract of Tivoli Access Manager Base

This example extracts the contents of an archive file from /var/pdbackup (UNIX) or C:\pdback (Windows) to a directory named pdextract.


UNIX
pdbackup -a extract -p pdextract -f /var/pdbackup/pdbackup.lst_15dec2003.07_25.tar

Windows
pdbackup -a extract -p e:\pdextract -f c:\pdback\pdbackup.lst_15dec2003.07_25.dar

When the pdextract directory does not exist, it is automatically created.

Extract of Tivoli Access Manager WebSEAL

This example extracts the contents of an archive file from /var/pdbackup (UNIX) or C:\pdback (Windows) to a directory named amwebextract.

UNIX
pdbackup -a extract -p amwebextract -f /var/pdbackup/pdbackup.lst_15dec2003.07_25.tar

Windows
pdbackup -a extract -p e:\amwebextract -f c:\pdback\pdbackup.lst_15dec2003.07_25.dar

When the amwebextract directory does not exist, it is automatically created.

Extract of Tivoli Access Manager Plug-in for Web Servers

This example extracts the contents of an archive file from /var/pdbackup (UNIX) or C:\pdback (Windows) to a directory named amwebextract.

UNIX
pdbackup -a extract -p amwebextract -f /var/pdbackup/pdinfo-pdwebpi.lst_15dec2003.07_25.tar

Windows
pdbackup -a extract -p e:\amwebextract -f c:\pdback\pdinfo-pdwebpi.lst_15dec2003.07_25.dar

When the amwebextract directory does not exist, it is automatically created.

Return codes
The following exit status codes can be returned:

0 The command completed successfully.

1 The command failed.

When a command fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.


pdconfig

Presents an interactive menu to configure and unconfigure Tivoli Access Manager components.

Syntax

pdconfig

Parameters
None.

Availability
This command is located in the following default installation directories:

v On UNIX systems:

/opt/PolicyDirector/bin/

v On Windows systems:

c:\Program Files\Tivoli\Policy Director\bin\

When an installation directory other than the default is selected, this utility is located in the bin directory under the installation directory (for example, install_dir\bin\).

Return codes
The following exit status codes can be returned:

0 The command completed successfully.

1 The command failed.

When a command fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.


pdjrtecfg

Configures the Tivoli Access Manager Java runtime component. The Tivoli Access Manager Java runtime component enables Java applications to manage and use Tivoli Access Manager security.

Syntax

pdjrtecfg –action config –host policy_server_host [–port policy_server_port] [–java_home jre_home] [–domain domain_name] [–config_type full] [–enable_tcd [–tcd path]]

pdjrtecfg –action config [–config_type standalone]

pdjrtecfg –action config –interactive

pdjrtecfg –action config –rspfile response_file

pdjrtecfg –action unconfig –rspfile response_file

pdjrtecfg –action unconfig [–java_home {jre_home|all}] [–remove_common_jars]

pdjrtecfg –action unconfig –interactive

pdjrtecfg –action status [–java_home  jre_home]

pdjrtecfg –action name

pdjrtecfg –operations

pdjrtecfg –help [options]

pdjrtecfg –usage

pdjrtecfg –?

Parameters

–action {config|name|status|unconfig}
Specifies the action to be performed. Actions include:

config Use to configure the Tivoli Access Manager Java runtime component.

name Returns the name value for the Tivoli Access Manager Java runtime component to the pdconfig utility. This option is used only by pdconfig. Do not use this option from the command line.

status Determines and returns the Tivoli Access Manager Java runtime component configuration status information to the pdconfig utility. This option is used only by pdconfig. Do not use this option from the command line.

unconfig Use to unconfigure the Tivoli Access Manager Java runtime component.

–config_type {full|standalone}
Specifies the configuration mode. Valid values are:


full Specifies the configuration mode where the Tivoli Access Manager Java runtime component configuration program requires Tivoli Access Manager policy server information to run. The default value is full.

standalone Specifies the configuration mode where the Tivoli Access Manager Java runtime component configuration program does not require Tivoli Access Manager policy server information to run. This mode lets you use Tivoli Access Manager Java APIs without requiring a Tivoli Access Manager policy server.

–domain domain_name
Specifies the local domain for the Java runtime component being configured. A local domain is a Tivoli Access Manager secure domain that is used by programs when no explicit domain is specified. If this option is not specified, the local domain will default to the management domain.

–enable_tcd [–tcd path]
Enables Tivoli Common Directory (TCD) logging, if not already enabled, and specifies the fully qualified path location to use for common logging.

When TCD is enabled, all Tivoli Access Manager message log files will be placed in this common directory location.

–help [options]
Provides online help for one or more command options by displaying descriptions of the valid command line options. Alternatively, provides online help about a specific command line option.

–host policy_server_host
Specifies the Tivoli Access Manager policy server host name.

Valid values for host_name include any valid IP host name.

Examples:
host = libra
host = libra.dallas.ibm.com

–interactive
Specifies the interactive mode, in which the user is prompted for configuration information to configure the Tivoli Access Manager Java runtime component. If not specified, the configuration program will run in non-interactive (silent) mode.

Note: Configuration of a Sun JRE, Version 1.4, will fail if you use pdjrtecfg –interactive (interactive mode) or if you use the pdconfig utility. You must configure using the pdjrtecfg utility in non-interactive mode. Note that Tivoli Access Manager Java runtime, Version 1.4, will work when using pdjrtecfg –interactive (interactive mode) or the pdconfig utility.

–java_home jre_path
Specifies the fully qualified path to the Java runtime component (such as the directory ending in JRE). If –java_home is not specified, the current JRE will be used. For example:

c:\Program Files\IBM\J AVA13\JRE

During unconfiguration (–action unconfig), you can specify the all option, which unconfigures all configured JREs.


-operations
Prints all the valid command line options.

-port policy_server_port
Specifies the Tivoli Access Manager policy server port number. The default value is 7135.

-remove_common_jars
Removes only the IBM-related JAR files that were added to the JRE during Tivoli Access Manager Java runtime component configuration. Any JAR that existed in the JRE before Tivoli Access Manager Java runtime component configuration is not deleted, regardless of whether the -remove_common_jars option is specified.

During unconfiguration only, specifies that other IBM-related JAR files, such as logging and security JAR files, are also deleted.

-rspfile response_file
Provides the fully qualified path and file name of the Java runtime component response file to use during silent installation. A response file can be used for configuration or unconfiguration. There is no default response file name. The response file contains stanzas and option=value pair stanza entries. For more information, see Chapter 20, "Using response files," on page 293.

-usage
Displays the usage syntax for this command. Also displays an example.

-?
Displays the usage syntax for this command. Also displays an example.

Comments
This command copies Tivoli Access Manager Java libraries to a library extensions directory that exists for a Java runtime that has already been installed on the system.

Using this command does not overwrite JAR files that already exist in the jre_home\lib\ext directory, except the PD.jar file, which is overwritten if the file exists.

You can install more than one Java runtime on a given machine. The pdjrtecfg command can be used to configure the Tivoli Access Manager Java runtime independently for each of the JREs.

Note: Make sure that you use the pdjrtecfg utility and not the PdJrteCfg Java class directly.

Examples

1. The following example configures the Tivoli Access Manager Java runtime component:

pdjrtecfg -action config -host sys123.acme.com -port 7135 -java_home E:\apps\IBM\Java131\jre

2. The following example unconfigures the Tivoli Access Manager Java runtime component:

pdjrtecfg -action unconfig -java_home E:\apps\IBM\Java131\jre -remove_common_jars


Availability
This command is located in the following default installation directories:

v On UNIX systems:

/opt/PolicyDirector/sbin/

v On Windows systems:

c:\Program Files\Tivoli\Policy Director\sbin\

When an installation directory other than the default is selected, this utility is located in the sbin directory under the installation directory (for example, install_dir\sbin\).

Return codes
The following exit status codes can be returned:

0 The command completed successfully.

1 The command failed.

When a command fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.


pd_start

Stops, starts, and restarts servers on UNIX systems. Also displays server status.

Note: On Windows systems, use the Services folder.

Syntax
pd_start start [server_name]

pd_start stop [server_name]

pd_start restart [server_name]

pd_start status [server_name]

Parameters

restart
Restarts all configured Tivoli Access Manager servers.

start
Starts all Tivoli Access Manager servers not currently running on the local system.

status
Displays the state of all configured Tivoli Access Manager servers (running or stopped).

stop
Stops all Tivoli Access Manager servers currently running on the local system.

Comments
Server processes are normally enabled and disabled through automated scripts that run at system startup and shutdown. In a UNIX environment, you can also use the pd_start executable file to manually start and stop the server processes. This technique is useful when you need to customize an installation or when you need to perform troubleshooting tasks.

You can only use pd_start to start and stop servers on the local machine.

Availability
This command is located in the following default installation directory on UNIX systems:

/opt/PolicyDirector/bin/

When an installation directory other than the default is selected, this utility is located in the bin directory under the installation directory (for example, install_dir/bin/).

Return codes
The following exit status codes can be returned:

0 The command completed successfully.

1 The command failed.

When a command fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.


Chapter 20. Using response files

You can create response files to streamline the installation and configuration of Tivoli Access Manager components. A response file is a text file that contains the product and system information needed to install and configure components. It is useful for performing unattended (silent) installations. The installation process reads the information from the response file instead of prompting you to fill in the blanks. You can also reuse a response file for future installations, using a text editor to add components or to customize options.

Edit the values in a response file template and then run the script as follows:

install_amrte -options  filename

where  filename is the name of  the template file. For example:

install_amrte -options d:\temp\response

Table 27 lists response file templates for installation of Tivoli Access Manager Base systems using the installation wizard method. These templates are located in the \rspfile directory on IBM Tivoli Access Manager Base CDs for supported platforms.

Table 27. Installation wizard response file templates

Installs and configures the following Tivoli Access Manager Base system    Template
Authorization server                                   install_amacld.options.template
Development (ADK)                                      install_amadk.options.template
Java runtime environment                               install_amjrte.options.template
Policy server                                          install_ammgr.options.template
Policy proxy server                                    install_amproxy.options.template
Runtime                                                install_amrte.options.template
Web Portal Manager                                     install_amwpm.options.template
IBM Tivoli Directory Server with IBM DB2               install_ldap_server.options.template
                                                       install_db2.options.template

Response files are also available for configuration using native installation utilities for the following Tivoli Access Manager components:

Table 28. Installation wizard response file templates

Tivoli Access Manager component                          Template
Access Manager Web Portal Manager (configuration)        amwpmcfg.rsp.template
Access Manager Java Runtime Environment (configuration)  pdjrtecfg.rsp.template
Access Manager Policy Proxy Server (configuration)       pdproxycfg.rsp.template


Response file template

The following is an example of a template used to create a response file to install and configure a policy server system. For descriptions of the configuration options that you require to complete a template, see Chapter 15, "Installation wizard options," on page 197.

################################################################################
#
# InstallShield Options File Template
#
# Wizard name: Setup
# Wizard source: install_ammgr_setup.jar
# Created on: Thu Oct 02 17:06:17 CDT 2003
# Created by: InstallShield Options File Generator
# Recorded for IBM Tivoli Access Manager 5.1
#
# This file can be used to create an options file (i.e. response file) for the
# wizard "Setup". Options files are used with "-options" on the command line to
# modify wizard settings.
#
# The settings that can be specified for the wizard are listed below. To use
# this template, follow these steps:
#
# 1. Enable a setting below by removing leading '###' characters from the
# line (search for '###' to find settings you can change).
#
# 2. Specify a value for a setting by replacing the characters '<value>'.
# Read each settings documentation for information on how to specify its
# value.
#
# 3. Save the changes to the file.
#
# 4. To use the options file with the wizard, specify -options <file-name>
# as a command line argument to the wizard, where <file-name> is the name
# of this options file.
#
################################################################################

################################################################################
#
# User Input Field - regType
#
# Enter the registry type. The valid options are: LDAP, Active Directory, or
# Domino.
#
### -W AMRTE_RegistryTypeUIPanel.regType="<value>"

################################################################################
#
# Directory name
#
# Specify the product's installation directory.
#
### -W GSKIT_DestinationPanel.productInstallLocation=<value>

################################################################################
#
# Directory name
#
# Specify the product's installation directory.
#
### -W LDAPC_DestinationPanel.productInstallLocation=<value>

################################################################################
#
# Directory name
#
# Specify the product's installation directory.
#
### -W AMRTE_DestinationPanel.productInstallLocation=<value>

################################################################################
#
# User Input Field - useTcd
#
# Enable Tivoli Common Logging (yes or no)
#
### -W AM_TCDPanel.useTcd="<value>"

################################################################################
#
# User Input Field - tcdDir
#
# Tivoli Common Directory - full path
#
### -W AM_TCDPanel.tcdDir="<value>"

################################################################################
#
# User Input Field - hostName
#
# Host name of the Policy Server in the secure domain.
#
### -W AMRTE_ServerOptionsUIPanel.hostName="<value>"

################################################################################
#
# User Input Field - listeningPort
#
# Port on which the policy server listens.
#
### -W AMRTE_ServerOptionsUIPanel.listeningPort="<value>"

################################################################################
#
# User Input Field - certFile
#
# If the policy server allows the automatic download of the certificate file,
# leave this option blank. Otherwise you must specify the file name here.
#
### -W AMRTE_ServerOptionsUIPanel.certFile="<value>"

################################################################################
#
# User Input Field - localDomain
#
# Enter the local domain name. Use Default if you do not need to specify one.
#
### -W AMRTE_ServerOptionsUIPanel.localDomain="<value>"

################################################################################
#
# User Input Field - localHostName
#
# Local host name with domain extension
#
### -W AMRTE_ServerOptionsUIPanel.localHostName="<value>"

################################################################################
#
# User Input Field - ldapHost
#
# Host name of the IBM Directory server (LDAP)
#
### -W AMRTE_LDAPOptionsUIPanel.ldapHost="<value>"

################################################################################
#
# User Input Field - ldapPort
#
# LDAP Listening Port
#
### -W AMRTE_LDAPOptionsUIPanel.ldapPort="<value>"

################################################################################
#
# User Input Field - enableSSL
#
# Enable SSL communication with the LDAP server - yes or no
#
### -W AMRTE_LDAPOptionsUIPanel.enableSSL="<value>"

################################################################################
#
# User Input Field - multipleDomains
#
# Use multiple domains for Active Directory configuration: 1=Yes or 0=No
#
### -W AMRTE_ADServerInfoUIPanel.multipleDomains="<value>"

################################################################################
#
# User Input Field - hostName
#
# Active Directory host name
#
### -W AMRTE_ADServerInfoUIPanel.hostName="<value>"

################################################################################
#
# User Input Field - domainName
#
#
### -W AMRTE_ADServerInfoUIPanel.domainName="<value>"

################################################################################
#
# User Input Field - encryptedConnection
#
# Enable encrypted connections with the Active Directory server: 1=Yes, 0=No
#
### -W AMRTE_ADServerInfoUIPanel.encryptedConnection="<value>"

################################################################################
#
# User Input Field - multipleDomains
#
# Use multiple domains for Active Directory configuration: 1=Yes or 0=No
#
### -W AMRTE_ADServerInfoDifDomUIPanel.multipleDomains="<value>"

################################################################################
#
# User Input Field - hostName
#
# Active Directory host name
#
### -W AMRTE_ADServerInfoDifDomUIPanel.hostName="<value>"

################################################################################
#
# User Input Field - domainName
#
# Active Directory domain name
#
### -W AMRTE_ADServerInfoDifDomUIPanel.domainName="<value>"

################################################################################
#
# User Input Field - enableSSL
#
#
### -W AMRTE_ADServerInfoDifDomUIPanel.enableSSL="<value>"

################################################################################
#
# User Input Field - adminId
#
# Active Directory administrator id
#
### -W AMRTE_ADAdminInfoUIPanel.adminId="<value>"

################################################################################
#
# User Input Field - adminPwd
#
# Active Directory administrator password
#
### -W AMRTE_ADAdminInfoUIPanel.adminPwd="<value>"

################################################################################
#
# User Input Field - sslKeyfile
#
# Full path to the LDAP SSL client keyfile
#
### -W AMRTE_SSLOptionsUIPanel.sslKeyfile="<value>"

################################################################################
#
# User Input Field - sslKeyfilePassword
#
# Password of the LDAP SSL client keyfile
#
### -W AMRTE_SSLOptionsUIPanel.sslKeyfilePassword="<value>"

################################################################################
#
# User Input Field - sslKeyfileLabel
#
# LDAP SSL client keyfile label (DN) - only if required
#
### -W AMRTE_SSLOptionsUIPanel.sslKeyfileLabel="<value>"

################################################################################
#
# User Input Field - sslPort
#
# LDAP SSL port number
#
### -W AMRTE_SSLOptionsUIPanel.sslPort="<value>"

################################################################################
#
# User Input Field - distName
#
# Access Manager data location: distinguished name
#
### -W AMRTE_ADDataInfoUIPanel.distName="<value>"

################################################################################
#
# Directory name
#
# Specify the product's installation directory.
#
### -W LDAPC_DestinationPanel_AD.productInstallLocation=<value>

################################################################################
#
# User Input Field - dominoServer
#
# Domino server name
#
### -W AMRTE_DominoUIPanel.dominoServer="<value>"

################################################################################
#
# User Input Field - notesClientPwd
#
# Notes client password
#
### -W AMRTE_DominoUIPanel.notesClientPwd="<value>"

################################################################################
#
# User Input Field - nabDbName
#
# NAB database name
#
### -W AMRTE_DominoUIPanel.nabDbName="<value>"

################################################################################
#
# User Input Field - amDbName
#
# Access Manager database name
#
### -W AMRTE_DominoUIPanel.amDbName="<value>"

################################################################################
#
# Directory name
#
# Specify the product's installation directory.
#
### -W AMMGR_DestinationPanel.productInstallLocation=<value>

################################################################################
#
# User Input Field - secmasterPwd
#
#
### -W AMMGR_ConfigOptions.secmasterPwd="<value>"

################################################################################
#
# User Input Field - secmasterPwdConfirm
#
# Re-enter the password for confirmation.
#
### -W AMMGR_ConfigOptions.secmasterPwdConfirm="<value>"

################################################################################
#
# User Input Field - secmasterPort
#
#
### -W AMMGR_ConfigOptions.secmasterPort="<value>"

################################################################################
#
# User Input Field - SSLcertlife
#
#
### -W AMMGR_ConfigOptions.SSLcertlife="<value>"

################################################################################
#
# User Input Field - SSLtimeout
#
#
### -W AMMGR_ConfigOptions.SSLtimeout="<value>"

################################################################################
#
# User Input Field - ldapadminid
#
#
### -W AMMGR_ConfigOptions.ldapadminid="<value>"

################################################################################
#
# User Input Field - ldapadminpwd
#
#
### -W AMMGR_ConfigOptions.ldapadminpwd="<value>"

################################################################################
#
# User Input Field - enableSSL
#
# Enable SSL - 1=Yes, 0=No
#
### -W AMMGR_EnableSSLUIPanel.enableSSL="<value>"

################################################################################
#
# User Input Field - sslKeyfile
#
# Full path to the SSL client keyfile
#
### -W AMMGR_SSLOptionsUIPanel.sslKeyfile="<value>"

################################################################################
#
# User Input Field - sslKeyfilePassword
#
# Password for the SSL client keyfile
#
### -W AMMGR_SSLOptionsUIPanel.sslKeyfilePassword="<value>"

################################################################################
#
# User Input Field - sslKeyfileLabel
#
# SSL client keyfile label
#
### -W AMMGR_SSLOptionsUIPanel.sslKeyfileLabel="<value>"

################################################################################
#
# User Input Field - sslPort
#
# SSL port number
#
### -W AMMGR_SSLOptionsUIPanel.sslPort="<value>"
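A response file built from this template carries several credentials in clear text (secmasterPwd, ldapadminpwd, adminPwd, the SSL keyfile passwords), so the practical concerns are getting the enable-and-fill edits right without a typo silently leaving the wizard to prompt or default, knowing which enabled lines hold secrets, and writing the file with owner-only permissions. The following Python is an added example, not code from this guide or from IBM; it assumes only the line format shown above (a setting is `### -W panel.field=<value>`, enabled by removing the leading `###` and replacing `<value>`). TEMPLATE is a constructed four-setting excerpt in that format, and the suffix list used to flag credentials is an assumption drawn from the field names in the template.

```python
"""Render and check an InstallShield options (response) file.

Added example, not part of the IBM Tivoli Access Manager guide. It assumes
only the template line format shown in Chapter 20.
"""
import os
import re
import stat
import tempfile

# Constructed excerpt shaped like install_ammgr.options.template (not the full file).
TEMPLATE = """\
################################################################################
#
# User Input Field - regType
#
# Enter the registry type. The valid options are: LDAP, Active Directory, or
# Domino.
#
### -W AMRTE_RegistryTypeUIPanel.regType="<value>"

################################################################################
#
# User Input Field - hostName
#
# Host name of the Policy Server in the secure domain.
#
### -W AMRTE_ServerOptionsUIPanel.hostName="<value>"

################################################################################
#
# User Input Field - secmasterPwd
#
### -W AMMGR_ConfigOptions.secmasterPwd="<value>"

################################################################################
#
# Directory name
#
# Specify the product's installation directory.
#
### -W AMMGR_DestinationPanel.productInstallLocation=<value>
"""

# One setting line: optional leading '###' (disabled), '-W key=', then a value
# that is either double-quoted or bare.
SETTING_RE = re.compile(
    r'^(?P<off>###\s*)?-W\s+(?P<key>[\w.]+)=(?P<quote>"?)(?P<val>.*?)(?P=quote)\s*$'
)

# Field-name suffixes treated as credentials. Assumption based on the names the
# template uses (secmasterPwd, adminPwd, sslKeyfilePassword, ldapadminpwd).
SECRET_SUFFIXES = ("Pwd", "pwd", "Password")


def template_settings(text):
    """Return, in file order, every setting key the template offers."""
    return [m.group("key") for m in map(SETTING_RE.match, text.splitlines()) if m]


def render(template, values):
    """Enable each setting named in `values` and fill in its value.

    Settings not named stay commented out with '###', as the template's own
    instructions describe. A key that is not in the template raises KeyError so
    a mistyped panel or field name cannot go unnoticed.
    """
    unknown = set(values) - set(template_settings(template))
    if unknown:
        raise KeyError("not in template: " + ", ".join(sorted(unknown)))
    out = []
    for line in template.splitlines():
        m = SETTING_RE.match(line)
        if m and m.group("key") in values:
            q = m.group("quote")  # keep the template's quoting style for this key
            out.append("-W %s=%s%s%s" % (m.group("key"), q, values[m.group("key")], q))
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def enabled_settings(text):
    """Parse a rendered options file into {key: value} for enabled lines only."""
    result = {}
    for m in map(SETTING_RE.match, text.splitlines()):
        if m and not m.group("off"):
            result[m.group("key")] = m.group("val")
    return result


def secret_settings(text):
    """Keys of enabled settings whose field name marks them as a credential."""
    return [k for k in enabled_settings(text)
            if k.rsplit(".", 1)[-1].endswith(SECRET_SUFFIXES)]


def write_private(path, text):
    """Write the file readable and writable by the owner only; return its mode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # enforce 0600 even under a loose umask
    return stat.S_IMODE(os.stat(path).st_mode)


def build_and_save(values, path=None):
    """Render TEMPLATE with `values`, save it privately, return (path, mode)."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "install_ammgr.options")
    return path, write_private(path, render(TEMPLATE, values))


if __name__ == "__main__":
    p, mode = build_and_save({
        "AMRTE_RegistryTypeUIPanel.regType": "LDAP",
        "AMMGR_ConfigOptions.secmasterPwd": "example-only",
        "AMMGR_DestinationPanel.productInstallLocation": "/opt/PolicyDirector",
    })
    print("wrote %s with mode %o; secrets enabled: %s"
          % (p, mode, secret_settings(open(p).read())))
```

The quoting style is copied from the template line rather than chosen by the script, because the directory settings in the template are unquoted while the user-input fields are quoted; `secret_settings` is the list to review before a rendered file is committed to any repository or left on the host after installation.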


Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.


Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758 U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.

Each copy or any portion of these sample programs or any derivative work, must include a copyright notice as follows:

© (your company name) (year). Portions of this code are derived from IBM Corp. Sample Programs. © Copyright IBM Corp. _enter the year or years_. All rights reserved.

If you are viewing this information softcopy, the photographs and color illustrations may not appear.


Some code distributed with the product is from third parties, which havealternative licensing terms. These terms are reproduced  below.

OpenSSL

THIRD PARTY LICENSE TERMS AND CONDITIONS, NOTICES ANDINFORMATION The license agreement for this product refers you to this file for

details concerning terms and conditions applicable to third party software codeincluded in this product, and for certain notices and other information IBM mustprovide to you under its license to certain software code. The relevant terms andconditions, notices and other information are provided or referenced  below. Pleasenote that any non-English version of  the licenses below is unofficial and isprovided to you for your convenience only. The English version of  the licenses

 below, provided as part of  the English version of  this file, is the official version.

Notwithstanding the terms and conditions of  any other agreement you may havewith IBM or any of  its related or affiliated entities (collectively ″IBM″), the thirdparty software code identified below are ″Excluded Components″ and are subjectto the following terms and conditions:

v

The Excluded Components are provided on an″

AS IS″

 basis;v IBM DISCLAIMS ANY AND ALL EXPRESS AND IMPLIED WARRANTIES

AND CONDITIONS WITH RESPECT TO THE EXCLUDED COMPONENTS,INCLUDING, BUT NOT LIMITED TO, THE WARRANTY OFNON-INFRINGEMENT OR INTERFERENCE AND THE IMPLIEDWARRANTIES AND CONDITIONS OF MERCHANTABILITY AND FITNESSFOR A PARTICULAR PURPOSE;

– IBM will not  be liable to you or indemnify you for any claims related to theExcluded Components; and

– IBM will not  be liable for any direct, indirect, incidental, special, exemplary,punitive or consequential damages with respect to the Excluded Components.

OpenSSL: The Program is accompanied by software currently developed  by The

OpenSSL Project (http://www.openssl.org/). IBM obtained the majority of  theOpenSSL software under the terms and conditions of  the following licenses:

LICENSE ISSUES==============

The OpenSSL toolkit stays under a dual license, i.e. both the conditions ofthe OpenSSL License and the original SSLeay license apply to the toolkit.See below for the actual license texts. Actually both licenses are BSD-styleOpen Source licenses. In case of any license issues related to OpenSSLplease contact [email protected].

OpenSSL License---------------

/* ====================================================================* Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved.** Redistribution and use in source and binary forms, with or without* modification, are permitted provided that the following conditions* are met:** 1. Redistributions of source code must retain the above copyright* notice, this list of conditions and the following disclaimer.** 2. Redistributions in binary form must reproduce the above copyright* notice, this list of conditions and the following disclaimer in* the documentation and/or other materials provided with the

Notices 305

Page 326: Am51 Install

8/23/2019 Am51 Install

http://slidepdf.com/reader/full/am51-install 326/347

* distribution.** 3. All advertising materials mentioning features or use of this* software must display the following acknowledgment:* "This product includes software developed by the OpenSSL Project* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"** 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

* endorse or promote products derived from this software without* prior written permission. For written permission, please contact* [email protected].** 5. Products derived from this software may not be called "OpenSSL"* nor may "OpenSSL" appear in their names without prior written* permission of the OpenSSL Project.** 6. Redistributions of any form whatsoever must retain the following* acknowledgment:* "This product includes software developed by the OpenSSL Project* for use in the OpenSSL Toolkit (http://www.openssl.org/)"** THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS’’ AND ANY* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED* OF THE POSSIBILITY OF SUCH DAMAGE.* ====================================================================** This product includes cryptographic software written by Eric Young* ([email protected]). This product includes software written by Tim* Hudson ([email protected]).*

*/

Original SSLeay License

/* Copyright (C) 1995-1998 Eric Young ([email protected])
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young ([email protected]).
 * The implementation was written so as to conform with Netscapes SSL.
 *
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to. The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson ([email protected]).
 *
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *    "This product includes cryptographic software written by
 *    Eric Young ([email protected])"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
 * 4. If you include any Windows specific code (or a derivative thereof) from
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson ([email protected])"
 *
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed. i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */

XML Parser Toolkit License

Copyright © 1998, 1999, 2000 Thai Open Source Software Center Ltd

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.

IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.


Pluggable Authentication Module License

Copyright © 1995 by Red Hat Software, Marc Ewing
Copyright (c) 1996-8, Andrew G. Morgan <[email protected]>

All rights reserved

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, and the entire permission notice in its entirety, including the disclaimer of warranties.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Apache Axis Servlet

Copyright ©2002 The Apache Software Foundation. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. The end-user documentation included with the redistribution, if any, must include the following acknowledgment: "This product includes software developed by the Apache Software Foundation (http://www.apache.org/)." Alternately, this acknowledgment may appear in the software itself, if and wherever such third-party acknowledgments normally appear.

4. The names "Apache Forrest" and "Apache Software Foundation" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact [email protected].

5. Products derived from this software may not be called "Apache", nor may "Apache" appear in their name, without prior written permission of the Apache Software Foundation.


THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This software consists of voluntary contributions made by many individuals on behalf of the Apache Software Foundation. For more information on the Apache Software Foundation, please see http://www.apache.org/.

JArgs command line option parsing suite for Java

Copyright ©2001, Stephen Purcell All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Java DOM implementation

Copyright © 2000-2002 Brett McLaughlin & Jason Hunter. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions, and the following disclaimer.


2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the disclaimer that follows these conditions in the documentation and/or other materials provided with the distribution.

3. The name "JDOM" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact [email protected].

4. Products derived from this software may not be called "JDOM", nor may "JDOM" appear in their name, without prior written permission from the JDOM Project Management ([email protected]).

5. In addition, we request (but do not require) that you include in the end-user documentation provided with the redistribution and/or in the software itself an acknowledgement equivalent to the following: "This product includes software developed by the JDOM Project (http://www.jdom.org/)."

6. In addition, we request (but do not require) that you include in the end-user documentation provided with the redistribution and/or in the software itself an acknowledgement equivalent to the following: "This product includes software developed by the JDOM Project (http://www.jdom.org/)." Alternatively, the acknowledgment may be graphical using the logos available at http://www.jdom.org/images/logos.

THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE JDOM AUTHORS OR THE PROJECT CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This software consists of voluntary contributions made by many individuals on behalf of the JDOM Project and was originally created by Brett McLaughlin ([email protected]) and Jason Hunter ([email protected]). For more information on the JDOM Project, please see http://www.jdom.org/.

Alfalfa Software

Copyright for Alfalfa Software

Copyright 1990, by Alfalfa Software Incorporated, Cambridge, Massachusetts.

All Rights Reserved

Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that Alfalfa's name not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission.

ALFALFA DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL ALFALFA BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

Kerberos

Copyright for IBM Kerberos

Copyright (C) 1985-2001 by the Massachusetts Institute of Technology.

All rights reserved.

Export of this software from the United States of America may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting.

WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of M.I.T. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Furthermore if you modify this software you must label your software as modified software and not distribute it in such a fashion that it might be confused with the original MIT software. M.I.T. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.

THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

Individual source code files are copyright MIT, Cygnus Support, OpenVision, Oracle, Sun Soft, FundsXpress, and others.

Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira, and Zephyr are trademarks of the Massachusetts Institute of Technology (MIT). No commercial use of these trademarks may be made without prior written permission of MIT.

"Commercial use" means use of a name in a product or other for-profit manner. It does NOT prevent a commercial firm from referring to the MIT trademarks in order to convey information (although in doing so, recognition of their trademark status should be given).

InfoZip

Copyright for InfoZip

Copyright (c) 1990-2002 Info-ZIP. All rights reserved.

For the purposes of this copyright and license, "Info-ZIP" is defined as the following set of individuals: Mark Adler, John Bush, Karl Davis, Harald Denker, Jean-Michel Dubois, Jean-loup Gailly, Hunter Goatley, Ian Gorman, Chris Herborth, Dirk Haase, Greg Hartwig, Robert Heath, Jonathan Hudson, Paul Kienitz, David Kirschbaum, Johnny Lee, Onno van der Linden, Igor Mandrichenko, Steve P. Miller, Sergio Monesi, Keith Owens, George Petrov, Greg Roelofs, Kai Uwe Rommel, Steve Salisbury, Dave Smith, Christian Spieler, Antoine Verheijen, Paul von Behren, Rich Wales, Mike White

This software is provided "as is," without warranty of any kind, express or implied. In no event shall Info-ZIP or its contributors be held liable for any direct, indirect, incidental, special or consequential damages arising out of the use of or inability to use this software.

Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:

1. Redistributions of source code must retain the above copyright notice, definition, disclaimer, and this list of conditions.

2. Redistributions in binary form (compiled executables) must reproduce the above copyright notice, definition, disclaimer, and this list of conditions in documentation and/or other materials provided with the distribution. The sole exception to this condition is redistribution of a standard UnZipSFX binary as part of a self-extracting archive; that is permitted without inclusion of this license, as long as the normal UnZipSFX banner has not been removed from the binary or disabled.

3. Altered versions--including, but not limited to, ports to new operating systems, existing ports with new graphical interfaces, and dynamic, shared, or static library versions--must be plainly marked as such and must not be misrepresented as being the original source. Such altered versions also must not be misrepresented as being Info-ZIP releases--including, but not limited to, labeling of the altered versions with the names "Info-ZIP" (or any variation thereof, including, but not limited to, different capitalizations), "Pocket UnZip," "WiZ," or "MacZip" without the explicit permission of Info-ZIP. Such altered versions are further prohibited from misrepresentative use of the Zip-Bugs or Info-ZIP e-mail addresses or of the Info-ZIP URL(s).

4. Info-ZIP retains the right to use the names "Info-ZIP," "Zip," "UnZip," "UnZipSFX," "WiZ," "Pocket UnZip," "Pocket Zip," and "MacZip" for its own source and binary releases.

gSOAP

Part of the software embedded in this product is gSOAP software.

Portions created by gSOAP are Copyright (C) 2001-2003 Robert A. van Engelen, Genivia inc. All Rights Reserved.

THE SOFTWARE IN THIS PRODUCT WAS IN PART PROVIDED BY GSOAP SOFTWARE AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

gSOAP source code is available under the terms of the gSOAP Public License and is available at http://gsoap2.sourceforge.net.

A copy of the license is available at http://www.cs.fsu.edu/~engelen/soaplicense.html

Any terms in the IBM Tivoli Access Manager for e-business license that differ from the gSOAP license are offered by IBM and not offered by the Initial Developer or any Contributor originator of the gSOAP source code.

Apache Software

Apache software License Terms

Certain components include Apache Xalan, Xerces, FOP, and Log4J Library, which are licensed under the following terms:

The Apache Software License, Version 1.1
Copyright (c) 1999 The Apache Software Foundation. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. The end-user documentation included with the redistribution, if any, must include the following acknowledgment: "This product includes software developed by the Apache Software Foundation (http://www.apache.org/)." Alternately, this acknowledgment may appear in the software itself, if and wherever such third-party acknowledgments normally appear.

4. The names "Xerces" and "Apache Software Foundation" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact [email protected].

5. Products derived from this software may not be called "Apache", nor may "Apache" appear in their name, without prior written permission of the Apache Software Foundation.

THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.


Trademarks

The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both:

AIX
DB2
IBM
IBM logo
J2EE
Lotus
Notes
MVS
OS/390
SecureWay
Tivoli
Tivoli logo
Universal Database
WebSphere
zSeries
z/OS

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Other company, product, or service names may be trademarks or service marks of others.


Glossary

A

access control. In computer security, the process of ensuring that the resources of a computer system can be accessed only by authorized users in authorized ways.

access control list (ACL). In computer security, a list that is associated with an object that identifies all the subjects that can access the object and their access rights. For example, an access control list is a list that is associated with a file that identifies the users who can access the file and identifies the users' access rights to that file.

access permission. The access privilege that applies to the entire object.

action. An access control list (ACL) permission attribute. See also access control list.

ACL. See access control list.

administration service. An authorization API runtime plug-in that can be used to perform administration requests on a Tivoli Access Manager resource manager application. The administration service will respond to remote requests from the pdadmin command to perform tasks, such as listing the objects under a particular node in the protected object tree. Customers may develop these services using the authorization ADK.

attribute list. A linked list that contains extended information that is used to make authorization decisions. Attribute lists consist of a set of name = value pairs.

authentication. (1) In computer security, verification of the identity of a user or the user's eligibility to access an object. (2) In computer security, verification that a message has not been altered or corrupted. (3) In computer security, a process that is used to verify the user of an information system or of protected resources. See also multi-factor authentication, network-based authentication, and step-up authentication.

authorization. (1) In computer security, the right granted to a user to communicate with or make use of a computer system. (2) The process of granting a user either complete or restricted access to an object, resource, or function.

authorization rule. See rule.

authorization service plug-in. A dynamically loadable library (DLL or shared library) that can be loaded by the Tivoli Access Manager authorization API runtime client at initialization time in order to perform operations that extend a service interface within the Authorization API. The service interfaces that are currently available include Administration, External Authorization, Credentials modification, Entitlements and PAC manipulation interfaces. Customers may develop these services using the authorization ADK.

B

BA. See basic authentication.

basic authentication. A method of authentication that requires the user to enter a valid user name and password before access to a secure online resource is granted.

bind. To relate an identifier to another object in a program; for example, to relate an identifier to a value, an address or another identifier, or to associate formal parameters and actual parameters.

blade. A component that provides application-specific services and components.

business entitlement. The supplemental attribute of a user credential that describes the fine-grained conditions that can be used in the authorization of requests for resources.

C

CA. See certificate authority.

CDAS. See cross domain authentication service.

CDMF. See cross domain mapping framework.

certificate. In computer security, a digital document that binds a public key to the identity of the certificate owner, thereby enabling the certificate owner to be authenticated. A certificate is issued by a certificate authority.

certificate authority (CA). An organization that issues certificates. The certificate authority authenticates the certificate owner's identity and the services that the owner is authorized to use, issues new certificates, renews existing certificates, and revokes certificates belonging to users who are no longer authorized to use them.

CGI. See common gateway interface.


cipher. Encrypted data that is unreadable until it has been converted into plain data (decrypted) with a key.

common gateway interface (CGI). An Internet standard for defining scripts that pass information from a Web server to an application program, through an HTTP request, and vice versa. A CGI script is a CGI program that is written in a scripting language, such as Perl.

configuration. (1) The manner in which the hardware and software of an information processing system are organized and interconnected. (2) The machines, devices, and programs that make up a system, subsystem, or network.

connection. (1) In data communication, an association established between functional units for conveying information. (2) In TCP/IP, the path between two protocol applications that provides reliable data stream delivery service. In the Internet, a connection extends from a TCP application on one system to a TCP application on another system. (3) In system communications, a line over which data can be passed between two systems or between a system and a device.

container object. A structural designation that organizes the object space into distinct functional regions.

cookie. Information that a server stores on a client machine and accesses during subsequent sessions. Cookies allow servers to remember specific information about clients.

credentials. Detailed information, acquired during authentication, that describes the user, any group associations, and other security-related identity attributes. Credentials can be used to perform a multitude of services, such as authorization, auditing, and delegation.

credentials modification service. An authorization API runtime plug-in which can be used to modify a Tivoli Access Manager credential. Credentials modification services developed externally by customers are limited to performing operations that add to and remove from the credentials attribute list, and only to those attributes that are considered modifiable.

cross domain authentication service (CDAS). A WebSEAL service that provides a shared library mechanism that allows you to substitute the default WebSEAL authentication mechanisms with a custom process that returns a Tivoli Access Manager identity to WebSEAL. See also WebSEAL.

cross domain mapping framework (CDMF). A programming interface that allows a developer to customize the mapping of user identities and the handling of user attributes when the WebSEAL e-Community SSO function is used.

D

daemon. A program that runs unattended to perform continuous or periodic systemwide functions, such as network control. Some daemons are triggered automatically to perform their task; others operate periodically.

directory schema. The valid attribute types and object classes that can appear in a directory. The attribute types and object classes define the syntax of the attribute values, which attributes must be present, and which attributes may be present for the directory.

distinguished name (DN). The name that uniquely identifies an entry in a directory. A distinguished name is made up of attribute:value pairs, separated by commas.

digital signature. In e-commerce, data that is appended to, or is a cryptographic transformation of, a data unit and that enables the recipient of the data unit to verify the source and integrity of the unit and to recognize potential forgery.

DN. See distinguished name.

domain. (1) A logical grouping of users, systems, and resources that share common services and usually function with a common purpose. (2) That part of a computer network in which the data processing resources are under common control. See also domain name.

domain name. In the Internet suite of protocols, a name of a host system. A domain name consists of a sequence of subnames that are separated by a delimiter character. For example, if the fully qualified domain name (FQDN) of a host system is as400.rchland.vnet.ibm.com, each of the following is a domain name: as400.rchland.vnet.ibm.com, vnet.ibm.com, ibm.com.

E

EAS. See external authorization service.

encryption. In computer security, the process of transforming data into an unintelligible form in such a way that the original data either cannot be obtained or can be obtained only by using a decryption process.

entitlement. A data structure that contains externalized security policy information. Entitlements contain policy data or capabilities that are formatted in a way that is understandable to a specific application.

entitlement service. An authorization API runtime plug-in which can be used to return entitlements from an external source for a principal or set of conditions. Entitlements are normally application specific data that will be consumed by the resource manager application in some way or added to the principal's credentials for use further on in the authorization process. Customers may develop these services using the authorization ADK.

external authorization service. An authorization APIruntime plug-in that can  be used to make applicationor environment specific authorization decisions as part

of  the Tivoli Access Manager authorization decisionchain. Customers may develop these services using theauthorization ADK.

F

file transfer protocol (FTP). In the Internet suite of protocols, an application layer protocol that uses Transmission Control Protocol (TCP) and Telnet services to transfer bulk-data files between machines or hosts.

G

global signon (GSO). A flexible single sign-on solution that enables the user to provide alternative user names and passwords to the back-end Web application server. Global signon grants users access to the computing resources they are authorized to use — through a single login. Designed for large enterprises consisting of multiple systems and applications within heterogeneous, distributed computing environments, GSO eliminates the need for users to manage multiple user names and passwords. See also single signon.

GSO. See global signon.

H

host. A computer that is connected to a network (such as the Internet or an SNA network) and provides an access point to that network. Also, depending on the environment, the host may provide centralized control of the network. The host can be a client, a server, or both a client and a server simultaneously.

HTTP. See Hypertext Transfer Protocol.

hypertext transfer protocol (HTTP). In the Internet suite of protocols, the protocol that is used to transfer and display hypertext documents.

I

Internet protocol (IP). In the Internet suite of protocols, a connectionless protocol that routes data through a network or interconnected networks and acts as an intermediary between the higher protocol layers and the physical network.

Internet suite of protocols. A set of protocols developed for use on the Internet and published as Requests for Comments (RFCs) through the Internet Engineering Task Force (IETF).

interprocess communication (IPC). (1) The process by which programs communicate data to each other and synchronize their activities. Semaphores, signals, and internal message queues are common methods of interprocess communication. (2) A mechanism of an operating system that allows processes to communicate with each other within the same computer or over a network.

IP. See Internet Protocol.

IPC. See Interprocess Communication.

J

junction. An HTTP or HTTPS connection between a front-end WebSEAL server and a back-end Web application server. WebSEAL uses a junction to provide protective services on behalf of the back-end server.

K

key. In computer security, a sequence of symbols that is used with a cryptographic algorithm for encrypting or decrypting data. See private key and public key.

key database file. See key ring.

key file. See key ring.

key pair. In computer security, a public key and a private key. When the key pair is used for encryption, the sender uses the public key to encrypt the message, and the recipient uses the private key to decrypt the message. When the key pair is used for signing, the signer uses the private key to encrypt a representation of the message, and the recipient uses the public key to decrypt the representation of the message for signature verification.

key ring. In computer security, a file that contains public keys, private keys, trusted roots, and certificates.

L

LDAP. See Lightweight Directory Access Protocol.

lightweight directory access protocol (LDAP). An open protocol that (a) uses TCP/IP to provide access to directories that support an X.500 model and (b) does not incur the resource requirements of the more complex X.500 Directory Access Protocol (DAP). Applications that use LDAP (known as directory-enabled applications) can use the directory as a common data store and for retrieving information about people or services, such as e-mail addresses, public keys, or service-specific configuration parameters. LDAP was originally specified in RFC 1777. LDAP version 3 is specified in RFC 2251, and the IETF continues work on additional standard functions. Some of the IETF-defined standard schemas for LDAP are found in RFC 2256.

lightweight third party authentication (LTPA). An authentication framework that allows single sign-on across a set of Web servers that fall within an Internet domain.

LTPA. See lightweight third party authentication.

M

management domain. The default domain in which Tivoli Access Manager enforces security policies for authentication, authorization, and access control. This domain is created when the policy server is configured. See also domain.

management server. Obsolete. See policy server.

metadata. Data that describes the characteristics of stored data.

migration. The installation of a new version or release of a program to replace an earlier version or release.

multi-factor authentication. A protected object policy (POP) that forces a user to authenticate using two or more levels of authentication. For example, the access control on a protected resource can require that the users authenticate with both user name/password and user name/token passcode. See also protected object policy.

multiplexing proxy agent (MPA). A gateway that accommodates multiple client access. These gateways are sometimes known as Wireless Access Protocol (WAP) gateways when clients access a secure domain using a WAP. Gateways establish a single authenticated channel to the originating server and tunnel all client requests and responses through this channel.

N

network-based authentication. A protected object policy (POP) that controls access to objects based on the internet protocol (IP) address of the user. See also protected object policy.

P

PAC. See privilege attribute certificate.

permission. The ability to access a protected object, such as a file or directory. The number and meaning of permissions for an object are defined by the access control list (ACL). See also access control list.

policy. A set of rules that are applied to managed resources.

policy server. The Tivoli Access Manager server that maintains the location information about other servers in the secure domain.

polling. The process by which databases are interrogated at regular intervals to determine if data needs to be transmitted.

POP. See protected object policy.

portal. An integrated Web site that dynamically produces a customized list of Web resources, such as links, content, or services, available to a specific user, based on the access permissions for the particular user.

privilege attribute certificate. A digital document that contains a principal's authentication and authorization attributes and a principal's capabilities.

privilege attribute certificate service. An authorization API runtime client plug-in which translates a PAC of a predetermined format into a Tivoli Access Manager credential, and vice versa. These services could also be used to package or marshall a Tivoli Access Manager credential for transmission to other members of the secure domain. Customers may develop these services using the authorization ADK. See also privilege attribute certificate.

protected object. The logical representation of an actual system resource that is used for applying ACLs and POPs and for authorizing user access. See also protected object policy and protected object space.

protected object policy (POP). A type of security policy that imposes additional conditions on the operation permitted by the ACL policy to access a protected object. It is the responsibility of the resource manager to enforce the POP conditions. See also access control list, protected object, and protected object space.

protected object space. The virtual object representation of actual system resources that is used for applying ACLs and POPs and for authorizing user access. See also protected object and protected object policy.

private key. In computer security, a key that is known only to its owner. Contrast with public key.

public key. In computer security, a key that is made available to everyone. Contrast with private key.

Q

quality of protection. The level of data security, determined by a combination of authentication, integrity, and privacy conditions.


R

registry. The datastore that contains access and configuration information for users, systems, and software.

replica. A server that contains a copy of the directory or directories of another server. Replicas back up servers in order to enhance performance or response times and to ensure data integrity.

resource object. The representation of an actual network resource, such as a service, file, and program.

response file. A file that contains a set of predefined answers to questions asked by a program and that is used instead of entering those values one at a time.

role activation. The process of applying the access permissions to a role.

role assignment. The process of assigning a role to a user, such that the user has the appropriate access permissions for the object defined for that role.

routing file. An ASCII file that contains commands that control the configuration of messages.

RSA encryption. A system for public-key cryptography used for encryption and authentication. It was invented in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman. The system's security depends on the difficulty of factoring the product of two large prime numbers.

rule. One or more logical statements that enable the event server to recognize relationships among events (event correlation) and to execute automated responses accordingly.

run time. The time period during which a computer program is executing. A runtime environment is an execution environment.

S

scalability. The ability of a network system to respond to increasing numbers of users who access resources.

schema. The set of statements, expressed in a data definition language, that completely describe the structure of a database. In a relational database, the schema defines the tables, the fields in each table, and the relationships between fields and tables.

secure sockets layer (SSL). A security protocol that provides communication privacy. SSL enables client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, and message forgery. SSL was developed by Netscape Communications Corp. and RSA Data Security, Inc.

security management. The management discipline that addresses an organization's ability to control access to applications and data that are critical to its success.

self-registration. The process by which a user can enter required data and become a registered Tivoli Access Manager user, without the involvement of an administrator.

service. Work performed by a server. A service can be a simple request for data to be sent or stored (as with file servers, HTTP servers, e-mail servers, and finger servers), or it can be more complex work such as that of print servers or process servers.

silent installation. An installation that does not send messages to the console but instead stores messages and errors in log files. Also, a silent installation can use response files for data input. See also response file.

single signon (SSO). The ability of a user to log on once and access multiple applications without having to log on to each application separately. See also global signon.

SSL. See Secure Sockets Layer.

SSO. See Single Signon.

step-up authentication. A protected object policy (POP) that relies on a preconfigured hierarchy of authentication levels and enforces a specific level of authentication according to the policy set on a resource. The step-up authentication POP does not force the user to authenticate using multiple levels of authentication to access any given resource but requires the user to authenticate at a level at least as high as that required by the policy protecting a resource.

suffix. A distinguished name that identifies the top entry in a locally held directory hierarchy. Because of the relative naming scheme used in Lightweight Directory Access Protocol (LDAP), this suffix applies to every other entry within that directory hierarchy. A directory server can have multiple suffixes, each identifying a locally held directory hierarchy.

T

token. (1) In a local area network, the symbol of authority passed successively from one data station to another to indicate the station temporarily in control of the transmission medium. Each data station has an opportunity to acquire and use the token to control the medium. A token is a particular message or bit pattern that signifies permission to transmit. (2) In local area networks (LANs), a sequence of bits passed from one device to another along the transmission medium. When the token has data appended to it, it becomes a frame.


trusted root. In the Secure Sockets Layer (SSL), the public key and associated distinguished name of a certificate authority (CA).

U

uniform resource identifier (URI). The character string used to identify content on the Internet, including the name of the resource (a directory and file name), the location of the resource (the computer where the directory and file name exist), and how the resource can be accessed (the protocol, such as HTTP). An example of a URI is a uniform resource locator, or URL.

uniform resource locator (URL). A sequence of characters that represent information resources on a computer or in a network such as the Internet. This sequence of characters includes (a) the abbreviated name of the protocol used to access the information resource and (b) the information used by the protocol to locate the information resource. For example, in the context of the Internet, these are abbreviated names of some protocols used to access various information resources: http, ftp, gopher, telnet, and news; and this is the URL for the IBM home page: http://www.ibm.com.

URI. See uniform resource identifier.

URL. See uniform resource locator.

user. Any person, organization, process, device, program, protocol, or system that uses a service provided by others.

user registry. See registry.

V

virtual hosting. The capability of a Web server that allows it to appear as more than one host to the Internet.

W

Web Portal Manager (WPM). A Web-based graphical application used to manage Tivoli Access Manager Base and WebSEAL security policy in a secure domain. An alternative to the pdadmin command line interface, this GUI enables remote administrator access and enables administrators to create delegated user domains and assign delegate administrators to these domains.

WebSEAL. A Tivoli Access Manager blade. WebSEAL is a high performance, multi-threaded Web server that applies a security policy to a protected object space. WebSEAL can provide single sign-on solutions and incorporate back-end Web application server resources into its security policy.

WPM. See Web Portal Manager.


Index

Special characters
  .kdb 228

A
Active Directory
  requirements 22
ADK
  installing
    on AIX 108
    on HP-UX 109
    on Linux 110
    on Solaris 111
    on Windows 112
    using wizard 107
  uninstalling
    on AIX 174
    on HP-UX 175
    on Linux 176
    on Solaris 176
    on Windows 177
  wizard config options 207
AIX
  installing
    ADK 108
    authorization server 100
    GSKit 145
    IBM JRE 153
    IBM Tivoli Directory Client 150
    IBM Tivoli Directory Server 51
    Java runtime environment 114
    policy proxy server 120
    policy server 90
    runtime 126
    standby policy server 249
    Web admin tool 167
    Web Portal Manager 133
    WebSphere Application Server 157
  removing packages 174
  uninstalling components 174
  uninstalling packages 174
amwpmcfg utility 274
authentication
  server 227
  server and client 227, 244
authority, certificate 229, 245
authorization server
  installing
    on AIX 100
    on HP-UX 101
    on Linux 102
    on Solaris 103
    on Windows 104
    using wizard 99
  overview 6
  pdconfig options 222
  required components 11
  supported platforms 11
  uninstalling
    on AIX 174
    on HP-UX 175
    on Linux 176
    on Solaris 176
    on Windows 177
  wizard config options 205

B
back up data 279
backward compatibility 30
base system installation 45
base, components 6

C
certificate
  authority 229, 245
  personal 228, 229, 245
  self-signed 229, 246
  server 239, 240
code sets
  file directories 43
  language support 43
compatibility, backward 30
components
  base 6
  installation 6
  prerequisites 9
  required 11
configuration options, installation 197
configuring
  IBM Tivoli Directory Server 63
creating a self-signed certificate 229, 246

D
deployment
  planning for 4
descriptions, component 6
development (ADK) system
  required components 12
  supported platforms 12
disk space and memory requirements 24
domain, secure 5

E
extract data 279
extracting a self-signed certificate 229, 246

F
files
  gsk7ikm.exe 228, 242, 244, 246
  key database 242, 244
  key database (.kdb) 228
  key database file (.kdb) 228


G
Global Security Kit
  See GSKit 9
gsk7ikm file 228, 242, 244, 246
GSKit
  installing
    on AIX 145
    on HP-UX 145
    on Linux 146
    on Solaris 147
    on Windows 147
  overview 9
  setting up iKeyman 147
  uninstalling
    on AIX 174
    on HP-UX 175
    on Linux 176
    on Solaris 176
    on Windows 177

H
HACMP software 249
hardware acceleration card support 31
HP-UX
  installing
    ADK 109
    authorization server 101
    GSKit 145
    IBM JRE 153
    IBM Tivoli Directory Client 150
    IBM Tivoli Directory Server 53
    Java runtime environment 114
    policy proxy server 121
    policy server 91
    runtime 127
    Tivoli Access Manager packages 91, 101, 109, 121, 126
    Web admin tool 168
    Web Portal Manager 135
    WebSphere Application Server 159
  uninstalling components 175
  uninstalling packages 175

I
IBM JRE
  installing
    IBM JRE 153
    on HP-UX 153
    on Linux 154
    on Solaris 155
    on Windows 155
  overview 9
IBM Security Server for OS/390
  requirements 21
IBM Tivoli Directory
  server
    configuring 63
IBM Tivoli Directory Client
  installing
    on AIX 150
    on HP-UX 150
    on Linux 151
    on Solaris 151
    on Windows 152
  overview 9
  uninstalling
    on AIX 174
    on HP-UX 175
    on Linux 176
    on Solaris 176
    on Windows 177
IBM Tivoli Directory Server
  install_ammgr scenario 189
  install_ldap_server scenario 180
  installing
    on AIX 51, 53
    on HP-UX 53
    on Linux 54
    on Solaris 56
    on Windows 58
    using wizard 50
  overview 9
  pre-installation 48
  required components 12
  requirements 19
  setting up 48
  supported platforms 12
  unconfiguring 174
  wizard config options 214
IBM z/OS Security Server LDAP Server
  requirements 21
iKeyman key management utility
  creating a key database file 242
  enabling SSL 228
iKeyman utility, setting up 147
install_amacld 99, 205
install_amadk 107, 207
install_amjrte 113, 208
install_ammgr 89, 189, 209
install_ampfs 15
install_amproxy 119, 211
install_amrte 125, 212
install_amwpm 131, 213
install_ldap_server 50, 180, 214
installation
  component descriptions 6
  components 6
  language support 35, 37
  methods 15
  native utilities 15
  overview 3
  planning for 1
  process 17
installation wizards
  configuration options 197
  install_amacld 99
  install_amadk 107
  install_amjrte 113
  install_ammgr 89
  install_ampfs 15
  install_amproxy 119
  install_amrte 125
  install_amwpm 131
  install_ldap_server 50
  list of 15
  overview 15
  scenarios 179
installing
  base systems 45
  IBM Tivoli Directory Server 48
  registry server 47


integration, Tivoli Identity Manager 8
internationalization
  code sets 43
  language support 37, 39
  languages supported 34
  locale variables 39
  locale variants 41
  message catalogs 42
Internationalization 31
iPlanet Directory
  requirements 22
iPlanet Directory Server
  product documentation 84
ivrgy_tool utility 277

J
Java runtime environment
  installing
    on AIX 114
    on HP-UX 114
    on Linux 115
    on Solaris 116
    on Windows 117
    using wizard 113
  overview 6
  pdconfig options 223
  required components 12
  supported platforms 12
  uninstalling
    on AIX 174
    on HP-UX 175
    on Linux 176
    on Solaris 176
    on Windows 177
  wizard config options 208
Java Runtime Environment (JRE)
  See IBM JRE 9

K
key database file 228, 242, 244

L
LANG variable
  purpose 39
  UNIX 40
  Windows 41
language settings, modifying 39
language support
  code sets 43
  locale names
    UNIX 40
    Windows 41
  locale variables 39
  locale variants, implementing 41
  message catalogs 42
  overview 34
language support, installation 35, 37
language support, uninstalling 39
LDAP servers
  enabling SSL 230
Linux
  installing
    ADK 110
    authorization server 102
    GSKit 146
    IBM JRE 154
    IBM Tivoli Directory Client 151
    IBM Tivoli Directory Server 54
    Java runtime environment 115
    policy proxy server 122
    policy server 93
    runtime 128
    Web admin tool 169
    Web Portal Manager 137
    WebSphere Application Server 161
  uninstalling components 176
  uninstalling packages 176
locale names
  UNIX 40
  Windows 41
locale variants 41
location of code set files 43
Lotus Domino
  requirements 22

M
memory and disk space requirements 24
message catalog
  internationalization 42
  language directories 42
methods, installation 15

N
native installation
  overview 15
NLSPATH variable
  use of 42
Novell eDirectory
  requirements 22

O
operating systems, supported 26
overview
  ADK 6
  authorization server 6
  GSKit 9
  IBM JRE 9
  IBM Tivoli Directory Client 9
  IBM Tivoli Directory Server 9
  installation 3
  installation wizards 15
  Java runtime environment 6
  policy proxy server 7
  policy server 7
  provisioning fast start 8
  runtime 7
  secure domain 5
  Web Admin Tool 10
  Web Portal Manager 8
  WebSphere Application Server 10


P
patches, platform-specific 26
pd_start utility 292
pdbackup utility 279
pdconfig utility 217, 287
pdinfo command (deprecated) 279
pdinfo utility (deprecated)
  see pdbackup command 279
pdjrtecfg
  configures Java runtime component 288
personal certificate 228, 229, 245
planning for deployment 4
planning for installation 1
platforms, supported 11
policy proxy server
  installing
    on AIX 120
    on HP-UX 121
    on Linux 122
    on Solaris 123
    on Windows 124
    using wizard 119
  overview 7
  pdconfig options 225
  required components 13
  supported platforms 13
  uninstalling
    on AIX 174
    on HP-UX 175
    on Linux 176
    on Solaris 176
    on Windows 177
  wizard config options 211
policy server
  installing
    on AIX 90
    on HP-UX 91
    on Linux 93
    on Solaris 94
    on Windows 95
    using wizard 89
  overview 7
  pdconfig options 224
  required components 13
  setting up a standby 249
  supported platforms 13
  uninstalling
    on AIX 174
    on HP-UX 175
    on Linux 176
    on Solaris 176
    on Windows 177
  wizard config options 209
prerequisite products 9
process, installation 17
provisioning fast start, overview 8

R
Regional setting, for Windows 39
registries, supported 19
registry server, setting up 47
related publications xiii
removing packages
  on AIX 174
required components 11
required platform-specific patches 26
requirements, system 26
  See system requirements 19
response files 293
restore data 279
runtime
  installing
    on AIX 126
    on HP-UX 127
    on Linux 128
    on Solaris 128
    on Windows 129
    using wizard 125
  overview 7
  pdconfig options 218, 219, 221
  uninstalling
    on AIX 174
    on HP-UX 175
    on Linux 176
    on Solaris 176
    on Windows 177
  wizard config options 198, 200, 203, 212
runtime system
  required components 13
  supported platforms 13

S
scenarios, installation wizards 179
secAuthority=Default 67, 87
secure domain, overview 5
secure sockets layer
  See SSL 227
Secure Sockets Layer (SSL)
  enabling 227
  enabling access on the LDAP server 230
  testing 236, 243, 247
self-signed certificate 229, 246
server and client authentication 227, 244
server authentication 227
server certificate 239, 240
setting up
  GSKit iKeyman utility 147
  IBM Tivoli Directory Server 48
  registry server 47
signer certificate
  certificate
    signer 243, 247
silent installation 293
Solaris
  installing
    ADK 111
    authorization server 103
    GSKit 147
    IBM JRE 155
    IBM Tivoli Directory Client 151
    IBM Tivoli Directory Server 56
    Java runtime environment 116
    policy proxy server 123
    policy server 94
    runtime 128
    Tivoli Access Manager packages 94, 103, 111, 123, 128
    Web admin tool 170
    Web Portal Manager 139
    WebSphere Application Server 162
  uninstalling components 176
  uninstalling packages 176


SSL
  enabling 227
standby policy server, setting up 249
suffixes 67
Sun ONE Directory
  requirements 22
Sun ONE Directory Server
  product documentation 84
support
  hardware acceleration card 31
supported
  platforms, required patches for 26
  registries 19
supported platforms 11
system requirements 19
  Active Directory 22
  backward compatibility 30
  disk space and memory 24
  hardware acceleration support 31
  IBM Security Server for OS/390 21
  IBM Tivoli Directory Server 19
  IBM z/OS Security Server LDAP Server 21
  iPlanet Directory 22
  Lotus Domino 22
  Novell eDirectory 22
  patches 26
  platforms 26
  Sun ONE Directory 22
  supported registries 19
  Web admin tool 20
systems, types of 11

T
text encoding
  See code sets 43
Tivoli Access Manager ADK
  overview 6
Tivoli Access Manager systems 11
Tivoli Identity Manager integration 8
types of Tivoli Access Manager systems 11

U
unconfiguring components 173
Unicode 43
uninstalling
  language support 39
uninstalling components
  on AIX 174
  on HP-UX 175
  on Linux 176
  on Solaris 176
  on Windows 177
UNIX
  language support 40
UTF-8 encoding 43
utilities 273
  amwpmcfg 274
  ivrgy_tool 277
  pd_start 292
  pdbackup 279
  pdconfig 287
  pdinfo (deprecated) 279
  pdinfo (deprecated), see pdbackup 279
  pdjrtecfg 288

V
variables
  LANG
    UNIX 40
    Windows 41
  locale variables 39
  NLSPATH
    use of 42
variants, language locales 41

W
Web admin tool
  installing
    on AIX 167
    on HP-UX 168
    on Linux 169
    on Solaris 170
    on Windows 170
  installing into WebSphere 171
  requirements 20
Web Admin Tool
  overview 10
Web Portal Manager
  configure using amwpmcfg utility 274
  installing
    on AIX 133
    on HP-UX 135
    on Linux 137
    on Solaris 139
    on Windows 141
    using wizard 131
  overview 8
  pdconfig options 226
  required components 14
  supported platforms 14
  uninstalling
    on AIX 174
    on HP-UX 175
    on Linux 176
    on Solaris 176
    on Windows 177
  wizard config options 213
WebSphere Application Server
  installing
    on AIX 157
    on HP-UX 159
    on Linux 161
    on Solaris 162
    on Windows 164
  overview 10
Windows
  installing
    ADK 112
    authorization server 104
    GSKit 147
    IBM JRE 155
    IBM Tivoli Directory Client 152
    IBM Tivoli Directory Server 58
    Java runtime environment 117
    policy proxy server 124
    policy server 95
    runtime 129
    Web admin tool 170
    Web Portal Manager 141
    WebSphere Application Server 164


Windows (continued)
  language support 41
  uninstalling components 177
  uninstalling packages 177
wizards, installation
  See installation wizards 15
