7/28/2019 Am41 Install http://slidepdf.com/reader/full/am41-install 1/242 IBM Tivoli Access Manager Base Installation Guide Version 4.1 SC32-1131-01


IBM Tivoli Access Manager

Base Installation Guide

Version 4.1

SC32-1131-01


Note: Before using this information and the product it supports, read the information in Appendix E, “Notices”, on page 207.

Second Edition (August 2003)

This edition replaces GC32-0815-00.

© Copyright International Business Machines Corporation 2001, 2003. All rights reserved. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Preface . . . ix
  Who should read this book . . . ix
  What this book contains . . . ix
  Publications . . . x
    Release information . . . x
    Base information . . . xi
    WebSEAL information . . . xi
    Web security information . . . xi
    Developer references . . . xii
    Technical supplements . . . xii
  Related publications . . . xii
    IBM Global Security Toolkit . . . xiii
    IBM DB2 Universal Database . . . xiii
    IBM Directory Server . . . xiii
    IBM WebSphere Application Server . . . xiii
    IBM Tivoli Access Manager for Business Integration . . . xiv
    IBM Tivoli Access Manager for Operating Systems . . . xiv
  Accessing publications online . . . xiv
  Accessibility . . . xv
  Contacting software support . . . xv
  Conventions used in this book . . . xv
    Typeface conventions . . . xv
    Operating system differences . . . xv

Chapter 1. Tivoli Access Manager installation overview . . . 1
  Planning for deployment . . . 1
  Secure domain overview . . . 2
  Installation components . . . 3
    User registry . . . 3
    IBM Directory client . . . 4
    IBM Global Security Toolkit . . . 4
    Tivoli Access Manager policy server . . . 4
    Tivoli Access Manager authorization server . . . 4
    Tivoli Access Manager Java runtime environment . . . 5
    Tivoli Access Manager runtime . . . 5
    Tivoli Access Manager Web Portal Manager . . . 5
    Tivoli Access Manager application development kit . . . 5
  Installation process . . . 6
    Easy installation process . . . 6
    Native installation process . . . 7
  Internationalization . . . 9
    Language support overview . . . 10
    Installing language support packages . . . 10
    Installing language packages for prerequisite software . . . 12
    Uninstalling language support packages . . . 13
    Locale environment variables . . . 14
      LANG variable and UNIX systems . . . 14
      LANG variable and Windows systems . . . 15
      Using locale variants . . . 15
    Message catalogs . . . 15
    Text encoding (code set) support . . . 16
      Location of code set files . . . 16

Chapter 2. Configuring registries for Tivoli Access Manager . . . 17
  LDAP server configuration overview . . . 17

© Copyright IBM Corp. 2001, 2003 iii


  Configuring the IBM Directory server . . . 18
  Configuring the iPlanet Directory Server . . . 24
  Configuring Novell eDirectory . . . 27
    Adding a GSO suffix for configuration to Tivoli Access Manager . . . 28
  Configuring z/OS and OS/390 security servers . . . 28
    Creating a DB2 database for the TDBM backend . . . 29
    Creating an LDAP configuration file for a TDBM backend . . . 29
    Starting the server . . . 30
    Updating and loading schema files . . . 30
    Applying ACLs to new LDAP suffixes . . . 31
    Enabling LDAP replication . . . 31
      Adding a stanza to the replica LDAP server’s configuration file . . . 31
      Adding an object to the master LDAP server’s backend . . . 31
  Configuring Tivoli Access Manager for LDAP . . . 32
    Native authentication user administration . . . 32
  Configuring Active Directory . . . 33
    Active Directory considerations . . . 33
    Creating an Active Directory domain . . . 34
    Joining an Active Directory domain . . . 34
    Creating an Active Directory administrative user . . . 37
    Active Directory replication . . . 37
  Configuring Lotus Domino . . . 38
    Installing a Lotus Notes client on the Domino server . . . 38
    Creating a Tivoli Access Manager administrative user for Domino . . . 39

Chapter 3. Installing Tivoli Access Manager on AIX . . . 41
  Using easy installation . . . 41
  Using native installation . . . 43
    Installing the IBM Global Security Toolkit . . . 43
    Installing the IBM Directory client . . . 43
    Installing and configuring Tivoli Access Manager components . . . 44
    Installing the platform-specific JRE . . . 45
    Installing and configuring the Tivoli Access Manager Java runtime environment . . . 45
    Installing and configuring a Web Portal Manager system . . . 45
      Installing IBM WebSphere Application Server, Advanced Single Server . . . 47
      Installing IBM WebSphere Application Server FixPack 3 . . . 47
  Uninstalling Tivoli Access Manager . . . 48
    Unconfiguring Tivoli Access Manager components . . . 48
    Removing Tivoli Access Manager packages . . . 49

Chapter 4. Installing Tivoli Access Manager on HP-UX . . . 51
  Using easy installation . . . 51
  Using native installation . . . 52
    Installing the IBM Global Security Toolkit . . . 53
    Installing the IBM Directory client . . . 53
    Installing and configuring Tivoli Access Manager components . . . 54
    Installing the platform-specific JRE . . . 55
    Installing and configuring the Tivoli Access Manager Java runtime environment . . . 55
  Uninstalling Tivoli Access Manager . . . 55
    Unconfiguring Tivoli Access Manager components . . . 56
    Removing Tivoli Access Manager packages . . . 56

Chapter 5. Installing Tivoli Access Manager on Linux . . . 59
  Using easy installation (Red Hat Linux only) . . . 59
  Using native installation . . . 60
    Installing the IBM Global Security Toolkit . . . 61
    Installing the IBM Directory client . . . 61
    Installing and configuring Tivoli Access Manager components . . . 62
    Installing the platform-specific JRE . . . 64
    Installing and configuring the Tivoli Access Manager Java runtime environment (Red Hat Linux only) . . . 64


  Uninstalling Tivoli Access Manager . . . 65
    Unconfiguring Tivoli Access Manager components . . . 65
    Removing Tivoli Access Manager packages . . . 66

Chapter 6. Installing Tivoli Access Manager on Solaris . . . 67
  Using easy installation . . . 67
  Using native installation . . . 69
    Installing the IBM Global Security Toolkit . . . 69
    Installing the IBM Directory client . . . 69
    Installing and configuring Tivoli Access Manager components . . . 70
    Installing the platform-specific JRE . . . 71
    Installing and configuring Tivoli Access Manager Java runtime environment . . . 71
    Installing and configuring a Web Portal Manager system . . . 72
      Installing IBM WebSphere Application Server, Advanced Single Server . . . 73
      Installing IBM WebSphere Application Server FixPack 3 . . . 74
  Uninstalling Tivoli Access Manager . . . 75
    Unconfiguring Tivoli Access Manager components . . . 75
    Removing Tivoli Access Manager packages . . . 76

Chapter 7. Installing Tivoli Access Manager on Windows . . . 77
  Using easy installation . . . 77
  Using native installation . . . 79
    Installing the IBM Global Security Toolkit . . . 79
    Installing the IBM Directory client . . . 80
    Installing and configuring Tivoli Access Manager components . . . 81
    Installing the platform-specific JRE . . . 82
    Installing and configuring the Tivoli Access Manager Java runtime environment . . . 83
    Installing and configuring a Web Portal Manager system . . . 83
      Installing IBM WebSphere Application Server, Advanced Single Server . . . 84
      Installing IBM WebSphere Application Server FixPack 3 . . . 87
  Uninstalling Tivoli Access Manager . . . 87
    Unconfiguring Tivoli Access Manager components . . . 88
    Removing Tivoli Access Manager packages . . . 89

Chapter 8. Upgrading to Tivoli Access Manager, Version 4.1 . . . 91
  Upgrade considerations for LDAP registries . . . 91
  Upgrading the policy server system . . . 92
  Upgrading the policy server using two systems . . . 93
  Upgrading other Tivoli Access Manager systems . . . 95
  Retiring the existing policy server . . . 96
  Restoring a system to its previous level . . . 96

Chapter 9. UNIX easy installation scenarios . . . 99
  Setting up an IBM Directory server system . . . 99
  Setting up the Tivoli Access Manager policy server system . . . 104
  Setting up a Tivoli Access Manager runtime system . . . 111
  Setting up a Web Portal Manager system . . . 116

Chapter 10. Windows easy installation scenarios . . . 123
  Setting up the IBM Directory server system . . . 123
  Setting up the Tivoli Access Manager policy server system . . . 129
  Setting up a Tivoli Access Manager runtime system . . . 137
  Setting up a Web Portal Manager system . . . 139

Chapter 11. Using easy installation response files . . . 149
  Creating a response file . . . 149
  Installing components using a response file . . . 149
  Response file examples (ezinstall) . . . 150
    UNIX example . . . 150


    Windows example . . . 151
  Response file examples (install_pdrte) . . . 152
    UNIX example . . . 152
    Windows example . . . 152
  Response file options . . . 152
    UNIX response file options . . . 153
    Windows response file options . . . 154

Appendix A. Enabling Secure Sockets Layer . . . 157
  Configuring the IBM Directory server for SSL access . . . 157
    Creating the key database file and the certificate . . . 158
    Obtaining a personal certificate from a certificate authority . . . 159
    Creating and extracting a self-signed certificate . . . 159
    Enabling SSL access . . . 160
  Configuring the iPlanet Directory Server for SSL access . . . 162
    Obtaining a server certificate . . . 163
    Installing the server certificate . . . 164
    Enabling SSL access . . . 164
  Configuring OS/390 and z/OS LDAP servers for SSL access . . . 165
    Setting up the security options . . . 165
    Creating a key database file . . . 166
  Configuring the Novell eDirectory server for SSL access . . . 167
    Creating an organizational certificate authority object . . . 167
    Creating a self-signed certificate . . . 168
    Creating a server certificate for the LDAP server . . . 168
    Enabling SSL . . . 169
    Adding the self-signed certificate to the IBM key file . . . 169
  Configuring the IBM Directory client for SSL access . . . 169
    Creating a key database file . . . 170
    Adding a signer certificate . . . 171
    Testing SSL access . . . 172
  Configuring LDAP server and client authentication . . . 172
    Creating a key database file . . . 172
    Obtaining a personal certificate from a certificate authority . . . 173
    Creating and extracting a self-signed certificate . . . 174
    Adding a signer certificate . . . 175
    Testing the SSL access . . . 176
  Enabling SSL for Domino . . . 176
    Creating the SSL key ring file . . . 176
    Enabling SSL access . . . 177

Appendix B. Tivoli Access Manager configuration reference . . . 179
  UNIX native configuration options . . . 179
    Tivoli Access Manager runtime . . . 179
    Tivoli Access Manager policy server . . . 179
    Tivoli Access Manager authorization server . . . 180
  Windows native configuration options . . . 181
    Tivoli Access Manager runtime . . . 182
      LDAP registry . . . 182
      Active Directory . . . 183
      Lotus Domino . . . 184
    Tivoli Access Manager policy server . . . 184
    Tivoli Access Manager authorization server . . . 185
  Default ports . . . 185

Appendix C. OS/390 and z/OS LDAP configuration reference . . . 187
  Sample LDAP configuration . . . 187
  Sample DB2 database and tablespace script for SPUFI . . . 188
  Sample DB2 index script for SPUFI . . . 193
  Sample CLI bind batch job . . . 195


  Sample CLI initialization file . . . 197

Appendix D. Common Criteria . . . 199
  Security policy for Tivoli Access Manager . . . 199
    Base security policy . . . 199
    System security policy . . . 200
    Tivoli Access Manager network policy . . . 200
    Enabling polling for security policy database updates . . . 201
    Assumptions on the behavior of users . . . 201
  CC evaluation compliant installation and configuration . . . 202
    Installing Tivoli Access Manager . . . 202
    Securing WebSEAL . . . 203
    Configuring WebSEAL authentication mechanisms . . . 203
    Selecting the supported cipher suites . . . 203
    Configuring auditing . . . 204
    Other WebSEAL functions . . . 204
    Login policy . . . 204
    Password policy . . . 205
    Cryptographic key management . . . 205
  CC-compliant configuration files . . . 205

Appendix E. Notices . . . 207
  XML Parser Toolkit License . . . 209
  Pluggable Authentication Module License . . . 209
  Apache Axis Servlet . . . 210
  JArgs command line option parsing suite for Java . . . 210
  Java DOM implementation . . . 211
  Trademarks . . . 212

Glossary . . . 213

Index . . . 219


Preface

IBM® Tivoli® Access Manager (Tivoli Access Manager) is the base software that is required to run applications in the IBM Tivoli Access Manager product suite. It enables the integration of IBM Tivoli Access Manager applications that provide a wide range of authorization and management solutions. Sold as an integrated solution, these products provide an access control management solution that centralizes network and application security policy for e-business applications.

Note: IBM Tivoli Access Manager is the new name of the previously released software entitled Tivoli SecureWay® Policy Director. Also, for users familiar with the Tivoli SecureWay Policy Director software and documentation, the management server is now referred to as the policy server.

The IBM Tivoli Access Manager Base Installation Guide explains how to install, configure, and upgrade Tivoli Access Manager base software.

Who should read this book

This guide is for system administrators responsible for the installation and deployment of IBM Tivoli Access Manager.

Readers should be familiar with the following:

• PC and UNIX® operating systems

• Database architecture and concepts

• Security management

• Internet protocols, including HTTP, TCP/IP, File Transfer Protocol (FTP), and Telnet

• Lightweight Directory Access Protocol (LDAP) and directory services

• A supported registry

• Authentication and authorization

If you are enabling Secure Sockets Layer (SSL) communication, you also should be familiar with the SSL protocol, key exchange (public and private), digital signatures, cryptographic algorithms, and certificate authorities.

What this book contains

This guide contains the following sections:

• Chapter 1, “Tivoli Access Manager installation overview”, on page 1

Describes Tivoli Access Manager components, explains the easy and native installation processes, and lists the steps that you need to follow to set up a Tivoli Access Manager secure domain. This chapter also explains how to install language packages to enable Tivoli Access Manager for non-English environments.

• Chapter 2, “Configuring registries for Tivoli Access Manager”, on page 17

Describes how to set up and configure supported registries for use with Tivoli Access Manager.

• Chapter 3, “Installing Tivoli Access Manager on AIX”, on page 41

• Chapter 4, “Installing Tivoli Access Manager on HP-UX”, on page 51


• Chapter 5, “Installing Tivoli Access Manager on Linux”, on page 59

• Chapter 6, “Installing Tivoli Access Manager on Solaris”, on page 67

• Chapter 7, “Installing Tivoli Access Manager on Windows”, on page 77

Provides instructions on how to install and configure Tivoli Access Manager components using easy installation scripts or native operating system utilities. Also provides instructions for unconfiguring and removing Tivoli Access Manager components.

• Chapter 8, “Upgrading to Tivoli Access Manager, Version 4.1”, on page 91

Explains how to upgrade an existing Tivoli Access Manager, Version 3.8, or Version 3.9 secure domain to IBM Tivoli Access Manager, Version 4.1.

• Chapter 9, “UNIX easy installation scenarios”, on page 99

Provides step-by-step instructions with illustrations on how to install and configure Tivoli Access Manager systems using easy installation files on UNIX systems.

• Chapter 10, “Windows easy installation scenarios”, on page 123

Provides step-by-step instructions with illustrations on how to install and configure Tivoli Access Manager systems using easy installation files on Windows systems.

• Chapter 11, “Using easy installation response files”, on page 149

Explains how to use a response file to perform a silent, unattended installation of Tivoli Access Manager components supported by easy installation scripts.

• Appendix A, “Enabling Secure Sockets Layer”, on page 157

Explains how to enable SSL data encryption for secure communications between the LDAP server and IBM Directory clients. Also includes instructions on enabling SSL between a Lotus Domino server and IBM Directory clients.

• Appendix B, “Tivoli Access Manager configuration reference”, on page 179

Provides descriptions of the configuration options that you are prompted for when configuring Tivoli Access Manager components using native installation utilities.

• Appendix C, “OS/390 and z/OS LDAP configuration reference”, on page 187

Provides reference information for configuring an OS/390 or z/OS Security Server for use with Tivoli Access Manager.

• Appendix D, “Common Criteria”, on page 199

• Appendix E, “Notices”, on page 207

• “Glossary” on page 213

Publications

The Tivoli Access Manager library is organized into the following categories:

• “Release information”

• “Base information” on page xi

• “WebSEAL information” on page xi

• “Web security information” on page xi

• “Developer references” on page xii

• “Technical supplements” on page xii

Release information

• IBM Tivoli Access Manager Read Me First Card GI11-4198-00 (am41_readme.pdf)


Provides information for installing and getting started using Tivoli Access Manager.

• IBM Tivoli Access Manager Release Notes SC32-1130-00 (am41_relnotes.pdf)

Provides late-breaking information, such as software limitations, workarounds, and documentation updates.

Base information

• IBM Tivoli Access Manager Base Installation Guide SC32-1131-01 (am41_install.pdf)

Explains how to install, configure, and upgrade Tivoli Access Manager software, including the Web Portal Manager interface.

• IBM Tivoli Access Manager Base Administrator’s Guide SC32-1132-01 (am41_admin.pdf)

Describes the concepts and procedures for using Tivoli Access Manager services. Provides instructions for performing tasks from the Web Portal Manager interface and by using the pdadmin command.

WebSEAL information

• IBM Tivoli Access Manager WebSEAL Installation Guide SC32-1133-01 (amweb41_install.pdf)

Provides installation, configuration, and removal instructions for the WebSEAL server and the WebSEAL application development kit.

• IBM Tivoli Access Manager WebSEAL Administrator’s Guide SC32-1134-01 (amweb41_admin.pdf)

Provides background material, administrative procedures, and technical reference information for using WebSEAL to manage the resources of your secure Web domain.

Web security information

• IBM Tivoli Access Manager for WebSphere Application Server User’s Guide SC32-1136-01 (amwas41_user.pdf)

Provides installation, removal, and administration instructions for Tivoli Access Manager for IBM WebSphere® Application Server.

• IBM Tivoli Access Manager for WebLogic Server User’s Guide SC32-1137-01 (amwls41_user.pdf)

Provides installation, removal, and administration instructions for Tivoli Access Manager for BEA WebLogic Server.

• IBM Tivoli Access Manager Plug-in for Edge Server User’s Guide SC32-1138-01 (amedge41_user.pdf)

Describes how to install, configure, and administer the plug-in for the IBM WebSphere Edge Server application.

• IBM Tivoli Access Manager Plug-in for Web Servers User’s Guide SC32-1139-01 (amws41_user.pdf)

Provides installation instructions, administration procedures, and technical reference information for securing your Web domain using the plug-in for Web servers.

 


Developer references

v IBM Tivoli Access Manager Authorization C API Developer’s Reference SC32-1140-01 (am41_authC_devref.pdf)

Provides reference material that describes how to use the Tivoli Access Manager authorization C API and the Access Manager service plug-in interface to add Tivoli Access Manager security to applications.

v IBM Tivoli Access Manager Authorization Java Classes Developer’s Reference SC32-1141-01 (am41_authJ_devref.pdf)

Provides reference information for using the Java™ language implementation of the authorization API to enable an application to use Tivoli Access Manager security.

v IBM Tivoli Access Manager Administration C API Developer’s Reference SC32-1142-01 (am41_adminC_devref.pdf)

Provides reference information about using the administration API to enable an application to perform Tivoli Access Manager administration tasks. This document describes the C implementation of the administration API.

v IBM Tivoli Access Manager Administration Java Classes Developer’s Reference SC32-1143-01 (am41_adminJ_devref.pdf)

Provides reference information for using the Java language implementation of the administration API to enable an application to perform Tivoli Access Manager administration tasks.

v IBM Tivoli Access Manager WebSEAL Developer’s Reference SC32-1135-01 (amweb41_devref.pdf)

Provides administration and programming information for the Cross-domain Authentication Service (CDAS), the Cross-domain Mapping Framework (CDMF), and the Password Strength Module.

Technical supplements

v IBM Tivoli Access Manager Command Reference GC32-1107-01 (am41_cmdref.pdf)

Provides information about the command line utilities and scripts provided with Tivoli Access Manager.

v IBM Tivoli Access Manager Error Message Reference SC32-1144-01 (am41_error_ref.pdf)

Provides explanations and recommended actions for the messages produced by Tivoli Access Manager.

v IBM Tivoli Access Manager Problem Determination Guide GC32-1106-01 (am41_pdg.pdf)

Provides problem determination information for Tivoli Access Manager.

v IBM Tivoli Access Manager Performance Tuning Guide SC32-1145-01 (am41_perftune.pdf)

Provides performance tuning information for an environment consisting of Tivoli Access Manager with the IBM Directory server defined as the user registry.

Related publications

This section lists publications related to the Tivoli Access Manager library.

The Tivoli Software Library provides a variety of Tivoli publications such as white papers, datasheets, demonstrations, redbooks, and announcement letters. The Tivoli Software Library is available on the Web at:
http://www.ibm.com/software/tivoli/library/

The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available, in English only, from the Glossary link on the left side of the Tivoli Software Library Web page:
http://www.ibm.com/software/tivoli/library/

IBM Global Security Toolkit

Tivoli Access Manager provides data encryption through the use of the IBM Global Security Toolkit (GSKit). GSKit is included on the IBM Tivoli Access Manager Base CD for your particular platform.

The GSKit package installs the iKeyman key management utility, gsk5ikm, which enables you to create key databases, public-private key pairs, and certificate requests. The following document is available on the Tivoli Information Center Web site in the same section as the IBM Tivoli Access Manager product documentation:

v Secure Sockets Layer Introduction and iKeyman User’s Guide (gskikm5c.pdf)

Provides information for network or system security administrators who plan to enable SSL communication in their Tivoli Access Manager environment.

IBM DB2 Universal Database

IBM DB2® Universal Database™ is required when installing IBM Directory Server, z/OS™, and OS/390® LDAP servers. DB2 is provided on the product CDs for the following operating system platforms:

v IBM AIX®

v Microsoft™ Windows™

v Sun Solaris Operating Environment

DB2 information is available at:

http://www.ibm.com/software/data/db2/

IBM Directory Server

IBM Directory Server, Version 4.1, is included on the IBM Tivoli Access Manager Base CD for all platforms except Linux for zSeries™. You can obtain the IBM Directory Server software for Linux for S/390 at:

http://www.ibm.com/software/network/directory/server/download/

If you plan to use IBM Directory Server as your user registry, see the information provided at:

http://www.ibm.com/software/network/directory/library/

IBM WebSphere Application Server

IBM WebSphere Application Server, Advanced Single Server Edition 4.0.3, is included on the Web Portal Manager CDs and installed with the Web Portal Manager interface. For information about IBM WebSphere Application Server, see:

http://www.ibm.com/software/webservers/appserv/infocenter.html


IBM Tivoli Access Manager for Business Integration

IBM Tivoli Access Manager for Business Integration, available as a separately orderable product, provides a security solution for IBM MQSeries®, Version 5.2, and IBM WebSphere® MQ for Version 5.3 messages. IBM Tivoli Access Manager for Business Integration allows WebSphere MQSeries applications to send data with privacy and integrity by using keys associated with sending and receiving applications. Like WebSEAL and IBM Tivoli Access Manager for Operating Systems, IBM Tivoli Access Manager for Business Integration is one of the resource managers that use the authorization services of IBM Tivoli Access Manager for e-business.

The following documents associated with IBM Tivoli Access Manager for Business Integration Version 4.1 are available on the Tivoli Information Center Web site:

v IBM Tivoli Access Manager for Business Integration Administrator’s Guide (SC23-4831-00)

v IBM Tivoli Access Manager for Business Integration Release Notes (GI11-0957-00)

v IBM Tivoli Access Manager for Business Integration Read Me First (GI11-0958-00)

IBM Tivoli Access Manager for Operating Systems

IBM Tivoli Access Manager for Operating Systems, available as a separately orderable product, provides a layer of authorization policy enforcement on UNIX systems in addition to that provided by the native operating system. IBM Tivoli Access Manager for Operating Systems, like WebSEAL and IBM Tivoli Access Manager for Business Integration, is one of the resource managers that use the authorization services of IBM Tivoli Access Manager for e-business.

The following documents associated with IBM Tivoli Access Manager for Operating Systems Version 4.1 are available on the Tivoli Information Center Web site:

v IBM Tivoli Access Manager for Operating Systems Installation Guide (SC23-4829-00)

v IBM Tivoli Access Manager for Operating Systems Administration Guide (SC23-4827-00)

v IBM Tivoli Access Manager for Operating Systems Problem Determination Guide (SC23-4828-00)

v IBM Tivoli Access Manager for Operating Systems Release Notes (GI11-0951-00)

v IBM Tivoli Access Manager for Operating Systems Read Me First (GI11-0949-00)

Accessing publications online

The publications for this product are available online in Portable Document Format (PDF) or Hypertext Markup Language (HTML) format, or both, in the Tivoli Software Library: http://www.ibm.com/software/tivoli/library

To locate product publications in the library, click the Product manuals link on the left side of the Library page. Then, locate and click the name of the product on the Tivoli Software Information Center page.

Product publications include release notes, installation guides, user’s guides, administrator’s guides, and developer’s references.

Note: To ensure proper printing of PDF publications, select the Fit to page check box in the Adobe Acrobat Print window (which is available when you click File → Print).


Accessibility

Accessibility features help a user who has a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You also can use the keyboard instead of the mouse to operate all features of the graphical user interface.

Contacting software support

Before contacting IBM Tivoli Software support with a problem, refer to the IBM Tivoli Software support Web site at:
http://www.ibm.com/software/sysmgmt/products/support/

If you need additional help, contact software support by using the methods described in the IBM Software Support Guide at the following Web site:
http://techsupport.services.ibm.com/guides/handbook.html

The guide provides the following information:

v Registration and eligibility requirements for receiving support

v Telephone numbers and e-mail addresses, depending on the country in which you are located

v A list of information you should gather before contacting customer support

Conventions used in this book

This reference uses several conventions for special terms and actions and for operating system-dependent commands and paths.

Typeface conventions

The following typeface conventions are used in this reference:

Bold
Lowercase commands or mixed case commands that are difficult to distinguish from surrounding text, keywords, parameters, options, names of Java classes, and objects are in bold.

Italic
Variables, titles of publications, and special words or phrases that are emphasized are in italic.

Monospace
Code examples, command lines, screen output, file and directory names that are difficult to distinguish from surrounding text, system messages, text that the user must type, and values for arguments or command options are in monospace.

Operating system differences

This book uses the UNIX convention for specifying environment variables and for directory notation. When using the Windows command line, replace $variable with %variable% for environment variables and replace each forward slash (/) with a backslash (\) in directory paths. If you are using the bash shell on a Windows system, you can use the UNIX conventions.


Chapter 1. Tivoli Access Manager installation overview

Before you begin installing IBM Tivoli Access Manager, you must become familiar with its components and installation options. This chapter includes the following sections:

v “Planning for deployment”

v “Secure domain overview” on page 2

v “Installation components” on page 3

v “Installation process” on page 6

v “Internationalization” on page 9

Attention: See the IBM Tivoli Access Manager Release Notes for system requirements, supported platforms, and prerequisite product information.

Planning for deployment

Before you implement a particular Tivoli Access Manager solution, you must determine the specific security and management capabilities that are required of your network.

The first step in planning the deployment of a Tivoli Access Manager security environment is to define the security requirements for your computing environment. Defining security requirements means determining the business policies that must apply to users, programs, and data. This includes defining the following:

v Objects to be secured

v Actions permitted on each object

v Users that are permitted to perform the actions

Enforcing a security policy requires an understanding of the flow of access requests through your network topology. This includes identifying proper roles and locations for firewalls, routers, and subnets. Deploying a Tivoli Access Manager security environment (called a secure domain) also requires identifying the optimal points within the network for installing software that evaluates user access requests, and grants or denies the requested access.

Implementation of a security policy requires understanding the quantity of users, data, and throughput that your network must accommodate. You must also evaluate performance characteristics, scalability, and the need for failover capabilities. Integration of legacy software, databases, and applications with Tivoli Access Manager software must also be considered.

After you have an understanding of the features that you want to deploy, you can decide which Tivoli Access Manager components and applications can be combined to best implement your security policy.

For helpful planning documentation and business scenarios, see the following Web sites:


www.ibm.com/redbooks

http://www-3.ibm.com/software/sysmgmt/products/support/Field_Guides_Technical.html

Secure domain overview

The computing environment in which Tivoli Access Manager enforces your security policies for authentication, authorization, and access control is called the secure domain. Integral to the secure domain is a registry and an authorization service, consisting of an authorization database and an authorization engine. These core components must exist for Tivoli Access Manager to perform fundamental operations, such as permitting or denying user access to protected objects (resources). All other Tivoli Access Manager services and components are built on this base.

Figure 1 represents the systems in a typical secure domain. For illustration purposes, this figure depicts a single system for each type of setup—user registry, policy server, authorization server, and so on. Keep in mind that you can deploy Tivoli Access Manager on multiple systems as shown or install all the software necessary to configure and use a secure domain on one standalone system. A single system setup is useful when prototyping a deployment or developing and testing an application. After you establish the environment, you can set up additional systems in the existing secure domain, such as a runtime client or application development system.

Table 1 on page 3 lists required and optional components for the Tivoli Access Manager systems illustrated in Figure 1. For descriptions of these components, see “Installation components” on page 3.

Figure 1. Example of systems in a secure domain (figure not reproduced). The Tivoli Access Manager secure domain shown contains a user registry, policy server, authorization server, runtime system, development system, Web Portal Manager system, and Java runtime environment system, each with GSKit, plus optional workstations.


Table 1. Tivoli Access Manager system components

System: Tivoli Access Manager policy server
Required components:
v IBM Global Security Toolkit
v IBM Directory client *
v Tivoli Access Manager runtime
v Tivoli Access Manager policy server

System: Tivoli Access Manager runtime system
Required components:
v IBM Global Security Toolkit
v IBM Directory client *
v Tivoli Access Manager runtime

System: Tivoli Access Manager development system
Required components:
v IBM Global Security Toolkit
v IBM Directory client *
v Tivoli Access Manager runtime
v Tivoli Access Manager Application Development Kit
v Tivoli Access Manager Java runtime environment

System: Tivoli Access Manager authorization server
Required components:
v IBM Global Security Toolkit
v IBM Directory client *
v Tivoli Access Manager runtime
v Tivoli Access Manager authorization server

System: Tivoli Access Manager Java runtime environment
Required components:
v Tivoli Access Manager Java runtime environment
v Platform-specific JRE

System: Tivoli Access Manager Web Portal Manager system
Required components:
v IBM Global Security Toolkit
v IBM Directory client *
v Tivoli Access Manager runtime environment
v IBM WebSphere Application Server, Advanced Single Server 4.0 and FixPack 3
v Tivoli Access Manager Web Portal Manager
v Tivoli Access Manager Java runtime environment

* If you plan to install Active Directory as your registry, the IBM Directory client is not required on Tivoli Access Manager systems in your secure domain.

Installation components

This section introduces base components, which are generally common to all Tivoli Access Manager installations.

User registry

Tivoli Access Manager requires a user registry to support the operation of its authorization functions. The registry provides a database of the user identities known to Tivoli Access Manager. It also provides a representation of groups in Tivoli Access Manager roles that may be associated with users.

For a list of supported registries, see the IBM Tivoli Access Manager Release Notes. 


IBM Directory client

The IBM Directory client supports all Tivoli Access Manager registries with the exception of Active Directory. You must install and configure this client on each system that runs Tivoli Access Manager, with the following exceptions:

v The IBM Directory client is not required on systems using Active Directory as the Tivoli Access Manager registry.

v The IBM Directory client is not required on a Tivoli Access Manager Java runtime environment system.

The IBM Directory client is shipped with IBM Directory on the IBM Tivoli Access Manager Base CD for your particular platform. This installation package includes two graphical user interfaces (GUIs). The Web-based Server Administration interface enables you to perform server and database tasks for the IBM Directory server. The Directory Management Tool (DMT) enables you to browse and edit information in your directory, such as schema definitions, the directory tree, and data entries. In-depth documentation for each interface is available through the online help systems.

Note: The Web-based Server Administration interface is not supported on Linux for zSeries.

IBM Global Security Toolkit

Tivoli Access Manager provides data encryption through the use of IBM Global Security Toolkit (GSKit). The GSKit package installs the iKeyman key management utility (gsk5ikm), which enables you to create key databases, public-private key pairs, and certificate requests.

For information about using this utility to enable SSL, see the Secure Sockets Layer Introduction and iKeyman User’s Guide and Appendix A, “Enabling Secure Sockets Layer”, on page 157.

Tivoli Access Manager policy server

The Tivoli Access Manager policy server, referred to in previous versions as the management server, maintains the master authorization database for the secure domain. This server is key to the processing of access control, authentication, and authorization requests. It also updates authorization database replicas and maintains location information about other Tivoli Access Manager servers in the secure domain.

There can be only one instance of the policy server and its master authorization database in any secure domain at one time. For availability purposes, a standby server can be configured to take over policy server functions in the event of a system failure.

Tivoli Access Manager authorization server

The authorization server offloads access control and authorization decisions from the policy server. It maintains a replica of the authorization policy database and functions as the authorization decision-making evaluator. A separate authorization server also provides access to the authorization service for third-party applications that use the Tivoli Access Manager authorization API in remote cache mode. This component is optional.


Tivoli Access Manager Java runtime environment

The Tivoli Access Manager Java runtime environment offers a reliable environment for developing and deploying Java applications in a Tivoli Access Manager secure domain. Use it to add Tivoli Access Manager authorization and security services to new or existing Java applications. Keep in mind that before you install this component, you must install a platform-specific JRE.

In contrast to other Tivoli Access Manager components, you must use the pdjrtecfg command to configure the Tivoli Access Manager Java runtime environment to use the proper JRE on your system. You can also configure the Tivoli Access Manager Java runtime environment for several different JREs on the same system, if so desired.

Note that if you plan to install the Web Portal Manager interface, this component is required. It is also required with the Tivoli Access Manager ADK if you are a developer using Tivoli Access Manager Java runtime environment classes. For more information, see the IBM Tivoli Access Manager Administration Java Classes Developer’s Reference and the IBM Tivoli Access Manager Authorization Java Classes Developer’s Reference.

Tivoli Access Manager runtime

The Tivoli Access Manager runtime contains runtime libraries and supporting files that applications can use to access Tivoli Access Manager servers.

You must install the Tivoli Access Manager runtime or the Tivoli Access Manager Java runtime environment on every system in your secure domain.

Tivoli Access Manager Web Portal Manager

The Web Portal Manager is a Web-based graphical user interface (GUI) used for Tivoli Access Manager administration. Similar to the pdadmin command line interface, this GUI provides management of users, groups, roles, permissions, policies, and other Tivoli Access Manager tasks. A key advantage is that you can perform these tasks remotely, without requiring any special network configuration.

The Web Portal Manager also includes a set of delegated management services that enables a business to delegate user administration, group and role administration, security administration, and application access provisioning to participants (sub-domains) in the business system. These sub-domains can further delegate management and administration to trusted sub-domains under their control, thereby supporting multi-level delegation and a management hierarchy based on roles.

This component is shipped separately on the IBM Tivoli Access Manager Web Portal Manager CD and is available on AIX, Solaris Operating Environment (hereinafter referred to as Solaris), and Windows platforms. This component is optional.

Tivoli Access Manager application development kit

The ADK provides a development environment that enables you to code third-party applications to query the authorization server for authorization decisions. The ADK contains support for using both C APIs and Java classes for authorization and administration functions. This component is optional.


Installation process

To install Tivoli Access Manager systems or components, follow these basic steps:

1. Plan your Tivoli Access Manager deployment. Ensure that you understand the business security requirements for which Tivoli Access Manager is being deployed. For more information, see “Planning for deployment” on page 1.

2. Ensure that you are aware of and meet all software requirements listed in the IBM Tivoli Access Manager Release Notes.

3. Decide which combination of Tivoli Access Manager systems you want to install. For more information, see “Secure domain overview” on page 2.

4. Choose an installation option listed in Table 2 and follow the instructions.

Table 2. Installation options

Option: Easy installation
Purpose: Use to expedite the installation and configuration of one or more Tivoli Access Manager systems in a secure domain.
Instructions: See “Easy installation process”.

Option: Native installation
Purpose: Use to step through the installation and configuration of Tivoli Access Manager components using native operating system utilities.
Instructions: See “Native installation process” on page 7.

Option: Upgrade
Purpose: Use to upgrade from Tivoli SecureWay Policy Director, Version 3.8 or Tivoli Access Manager, Version 3.9.
Instructions: See Chapter 8, “Upgrading to Tivoli Access Manager, Version 4.1”, on page 91.

Easy installation process

To install and configure Tivoli Access Manager systems in a secure domain using easy installation, follow these basic steps:

1. Review the ″Using easy installation″ section in the installation chapter for your particular platform. Ensure that easy installation programs are available for the platform on which you want to set up the Tivoli Access Manager system.

2. To view status and messages in a language other than English (default), you must install a language support package before running easy installation scripts. For instructions, see “Installing language support packages” on page 10.

3. To install and configure a supported registry for use with Tivoli Access Manager, do one of the following:

v If you have an existing registry that you want to use for Tivoli Access Manager, ensure that you upgrade the server to the version supported by this release. Then follow the instructions in Chapter 2, “Configuring registries for Tivoli Access Manager”, on page 17 to configure the registry for use with Tivoli Access Manager.

v To install and configure IBM Tivoli Directory Server (shipped with Tivoli Access Manager), run the ezinstall_ldap_server program. This easy installation program installs and configures IBM Tivoli Directory Server and its prerequisites, while, at the same time, enabling SSL.

v To install a supported registry other than IBM Tivoli Directory Server, consult the product’s documentation. Then follow the instructions in Chapter 2, “Configuring registries for Tivoli Access Manager”, on page 17 to configure your registry for use with Tivoli Access Manager.


4. Run the ezinstall_pdmgr script to set up a Tivoli Access Manager policy server system.

5. After configuring the policy server, you can set up additional systems in the secure domain. For example, you can do the following:

v Run the ezinstall_pdauthADK script to install a development system with the application development kit (ADK).

v Run the ezinstall_pdacld script to set up an authorization server system.

v Run the ezinstall_pdwpm script to set up a runtime system with the Web Portal Manager interface.

v Run the install_pdrte InstallShield program to install one or more runtime client systems.

6. Optional: If you are developing and deploying Java applications in a Tivoli Access Manager secure domain, you can install the Tivoli Access Manager Java runtime environment. Because this component is not available using easy installation, follow the native installation instructions in the installation chapter for your particular platform.

7. Optional: It is recommended that you enable SSL between your LDAP server and IBM Directory clients. For instructions, see Appendix A, “Enabling Secure Sockets Layer”, on page 157.

Note: If you enabled SSL while running the ezinstall_ldap_server script, you can skip this step.

Native installation process

The following procedure shows you how to install and configure all Tivoli Access Manager components in the appropriate order. Depending on your system’s requirements, select only the components that you need to install. For a list of required components for a specific Tivoli Access Manager system, see Table 1 on page 3.

To install and configure Tivoli Access Manager components using native installation, follow these basic steps:

1. To install and configure a supported registry for use with Tivoli Access Manager, do one of the following:

Note: If you are installing the IBM Directory server, see the installation instructions in IBM Directory Server Version 4.1 Installation and Configuration Guide for Multiplatforms at:

http://www.ibm.com/software/network/directory/library/

v To install a supported registry other than IBM Directory server, consult your product’s documentation.

v If you have an existing registry that you want to use for Tivoli Access Manager, ensure that you upgrade the server to the version supported by this release.

v To install the IBM Directory server on AIX, Solaris, or Windows systems, follow these steps:

a. Install IBM Directory server using the IBM Tivoli Access Manager Base CDs for AIX, Solaris, or Windows. To install IBM Directory server, enter one of the following:

– On AIX systems:

installp -c -a -g -X -d /dev/cd0 ldap.server


– On Solaris systems:

pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault \
IBMldaps

– On Windows systems:

/windows/Directory/ismp/setup.exe

b. Install the IBM Directory LDAP patch, located in the root directory on the IBM Tivoli Access Manager Base CDs for AIX, Solaris, and Windows. To apply this patch, enter one of the following:

– On AIX and Solaris systems:

apply_ldap41_patch.sh

– On Windows systems:

apply_ldap41_patch.bat

c. Install the IBM HTTP Server patch, located in the root directory on the IBM Tivoli Access Manager Base CDs for AIX, Solaris, and Windows. To apply this patch, enter one of the following:

– On AIX and Solaris systems:

http_1319_efix2.sh

– On Windows systems:

http_1319_efix2.bat

v To install the IBM Directory server on Linux for zSeries systems, follow these steps:

a. Install IBM Directory server for Linux on zSeries, available at:

http://www.ibm.com/software/network/directory/server/download/

b. Install Fixpack 1 for IBM Directory 4.1. The Linux 390 OS Fixpack (FP410T-01.tar.Z) is available at:

http://www.ibm.com/software/network/directory/server/support/efixes.html

c. Install the Bulkload patch for 4.1(.1) Fixpack 1. The Linux 390 OS Fixpack (P410T-001A.tar.Z) is available at:

http://www.ibm.com/software/network/directory/server/support/efixes.html

2. For Lotus Domino registries only, it is recommended that you enable SSL communication between the Domino server and IBM Directory clients at this time. For instructions, see “Enabling SSL for Domino” on page 176.

3. Do one of the following:

v If you installed IBM Directory server on Linux for zSeries, skip to step 4. You must install Tivoli Access Manager before configuring the IBM Directory server.

v Configure your registry for use with Tivoli Access Manager. For instructions, see Chapter 2, “Configuring registries for Tivoli Access Manager”, on page 17.

4. Set up Tivoli Access Manager systems in your secure domain. Depending on the system that you are setting up, install and configure one or more of the following components in this order.

v IBM Global Security Toolkit (GSKit) — You must install GSKit before installing any other Tivoli Access Manager component. GSKit is a prerequisite to the Tivoli Access Manager runtime environment, which is required on all systems in the secure domain.

v IBM Directory client — This client is required on each system that runs Tivoli Access Manager, except systems that use Active Directory as the registry.

v Tivoli Access Manager runtime

Planning Security Requirements  

8 IBM Tivoli Access Manager: Base Installation Guide

Page 27: Am41 Install

7/28/2019 Am41 Install

http://slidepdf.com/reader/full/am41-install 27/242

v Tivoli Access Manager policy server

v Tivoli Access Manager authorization server

v Tivoli Access Manager Application Development Kit

v Tivoli Access Manager Java runtime environment

v Tivoli Access Manager Web Portal Manager

For instructions, see the installation chapter for your particular platform.

Notes

v For a list of required components for a specific type of system setup,see Table 1 on page 3. 

v You must install and configure only one policy server for each securedomain.

v When installing the policy server, you must install the runtimeenvironment first. However, you must not configure the runtimeenvironment until the policy server is installed.

5. If you installed IBM Directory on Linux for zSeries, configure your server foruse with Tivoli Access Manager at this time. For instructions, see “Configuringthe IBM Directory server” on page 18. 

6. It is recommended that you enable SSL communication between your registryand IBM Directory clients. For instructions, see Appendix A, “Enabling Secure Sockets Layer”, on page 157. 

Note: Active Directory for Tivoli Access Manager uses Kerberos for encryption,not SSL.

7. To view status and messages in a language other than English (default), youmust install your language support package after installing Tivoli AccessManager components, but before configuring them. For instructions, see

“Installing language support packages” on page 10.

Internationalization

This chapter describes the internationalization features for a Tivoli Access Manager secure domain. This section contains the following topics:

v “Language support overview” on page 10

v “Installing language support packages” on page 10

v “Installing language packages for prerequisite software” on page 12

v “Uninstalling language support packages” on page 13

v “Locale environment variables” on page 14

v “Message catalogs” on page 15

v “Text encoding (code set) support” on page 16

Attention

Ensure that you review the internationalization section in the IBM Tivoli Access Manager Release Notes for any language-specific limitations or restrictions.


Language support overview

Tivoli Access Manager software is translated into the following languages:

v Brazilian Portuguese

v Czech

v Chinese (Simplified)

v Chinese (Traditional)

v French

v German

v Hungarian

v Italian

v Japanese

v Korean

v Polish

v Spanish

v Russian

The translations for these languages are provided as language support packages on the IBM Tivoli Access Manager Language Support CD for each product. To obtain language support for Tivoli Access Manager, you must install the language support package for that product.

Keep in mind that if you use easy installation, you must install the language package before installing Tivoli Access Manager so that you can view configuration messages in your native language. For native installation, install the language package after installing Tivoli Access Manager components but before configuring them. If you do not install the language support package, the associated product displays all text in English. Note that each language is a separately installable product installation image.

If language support for a product is installed and you upgrade the product, you must also install the corresponding language support product, if one exists. Refer to the upgrade documentation for the specific product to determine if language support is required. If you do not install the language support after upgrading, the associated product might display some fields and messages in English.

Installing language support packages

To install language support packages, follow these steps:

1. Log in to your system as root or as an Administrative user.

2. Insert or mount the IBM Tivoli Access Manager Language Support CD and change to the root directory where the CD is located.

3. Install the supported platform-specific JRE for your particular operating system. For instructions, see one of the following:

v On AIX systems, see page 45.

v On HP-UX systems, see page 55.

v On Red Hat Linux or Linux for zSeries systems, see page 64.

v On Solaris systems, see page 71.

v On Windows systems, see page 82.

4. Depending on the Tivoli Access Manager product that you want to install, run one or more of the following setup scripts.


Attention

v Scripts are used for UNIX systems; batch files (.bat extension) are used for Windows systems.

v If you issue a script without specifying the jre_path, you must ensure that the Java executable is part of the PATH statement. Otherwise, issue the script specifying the jre_path as follows:

package jre_path

For example, to install the language package for Tivoli Access Manager Base, enter the following:

install_pdrte_lp /usr/bin

where /usr/bin is the path to the JRE.

Language packages are as follows:

install_pdjrte_lp Specifies to install language packages for Tivoli Access Manager Java runtime environment.

install_pdrte_lp Specifies to install language packages for Tivoli Access Manager Base.

install_pdwas_lp Specifies to install language packages for the WebSphere Application Server.

install_pdwbpi_lp Specifies to install language packages for Tivoli Access Manager Plug-in for Web Servers.

install_pdweb_lp Specifies to install language packages for Tivoli Access Manager WebSEAL.

install_pdwls_lp Specifies to install language packages for the WebLogic Server.

install_pdwpm_lp Specifies to install language packages for Tivoli Access Manager Web Portal Manager.

install_pdwsl_lp Specifies to install language packages for Tivoli Access Manager Plug-in for Edge Server.

5. Click Next to begin installation. The Software License Agreement dialog is displayed.

6. To accept the license agreement, select I accept the terms in the license agreement and then click Next. A dialog showing a list of language packages is displayed.

7. Select the language packages that you want to install and click Next. A dialog showing the location and features of the language packages you selected is displayed.

8. To accept the language packages you selected, click Next. The language packages you selected are installed.

9. After installation for the Tivoli Access Manager language pack has completed successfully, click Finish to close the wizard and restart your system.


Installing language packages for prerequisite software

In addition to installing language packages for Tivoli Access Manager software, you must install language packages for IBM HTTP Server, IBM Directory, and IBM DB2 products on AIX and Solaris systems only. These language packages are also provided on the IBM Tivoli Access Manager Language Support CD.

1. To install the prerequisite language packages, do one of the following:

v On AIX systems, enter the following command:

installp -c -a -g -X -d /dev/cd0 package

where package, located in the usr/sys/inst.images directory, is one or more of the following:

http_server.html.lang Specifies IBM HTTP Server documentation.

http_server.msg.lang.admin Specifies IBM HTTP Server messages.

http_server.msg.lang.ssl.core Specifies IBM HTTP Server SSL messages.

ldap.html.lang Specifies IBM Directory documentation.

ldap.msg.lang Specifies IBM Directory messages.

db2_07_01.msg.lang Specifies IBM DB2 product messages.

where lang is the language file abbreviation.

For example, to install the IBM HTTP Server documentation in the Italian language, enter the following:

installp -c -a -g -X -d /dev/cd0 http_server.html.it_IT

v On Solaris systems, enter the following command:

pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault package

where package, located in the /solaris directory, is one or more of the following:

IBMHAlang Specifies IBM HTTP Server messages.

IBMHSlang Specifies IBM HTTP Server documentation.

IBMHSSlang Specifies IBM HTTP Server SSL messages.

IBMldilang Specifies IBM Directory documentation.

IBMldmlang Specifies IBM Directory messages.

db2mslang1 Specifies IBM DB2 product messages.

and lang is the language file abbreviation.

For example, to install the IBM Directory messages in the Japanese language, enter the following:

pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault IBMldmJa

2. Stop the IBM HTTP Server and IBM HTTP Administration daemons (or services) if they are running. For example, from the http_directory/bin directory on a UNIX system, enter the following commands:

apachectl stop

adminctl stop

Note: To view if the httpd process is running, enter the following command:

ps -ef | grep -i http

If the httpd process still exists, issue the kill command against its process ID (the PID column of the ps output) as follows:

kill http_process_id

3. From the http_directory/bin directory, issue the setuplang command. This shell script modifies the httpd.conf and admin.conf files for the new language. Choose the desired language from the menu table.

4. To restart the HTTP servers, issue the following commands:

http_directory/bin/apachectl start

http_directory/bin/adminctl start

5. The servers should be running in your desired language. Access the server through a Web browser and verify that the screens are in the appropriate language.

Uninstalling language support packages

To uninstall language support packages, follow these steps:

1. Change to one of the following directories:

v On UNIX systems:

/opt/location

v On Windows systems:

C:\Program Files\location

where location is as follows:

PDBLP/Lp_uninst Specifies the location of the language packages for Tivoli Access Manager Base.

PDJrtLP/lp_uninst Specifies the location of the language packages for Tivoli Access Manager Java runtime environment.

PDWasLP/lp_uninst Specifies the location of the language packages for the WebSphere Application Server.

PDWpiLP/lp_uninst Specifies the location of the language packages for Tivoli Access Manager Plug-in for Web Servers.

PDWebLP/lp_uninst Specifies the location of the language packages for Tivoli Access Manager WebSEAL.

PDWlsLP/lp_uninst Specifies the location of the language packages for the WebLogic Server.

PDWpmLP/Lp_uninst Specifies the location of the language packages for Tivoli Access Manager Web Portal Manager.

PDWslLP/Lp_uninst Specifies the location of the language packages for Tivoli Access Manager Plug-in for Edge Server.

2. To uninstall the language support packages, enter one of the following:

v On UNIX systems:

jre_path/java -jar package

v On Windows systems:

jre_path\java -jar package


where jre_path is the path where the Java executable is located and package is one of the following:

Note: If the Java executable is in the path, you do not have to specify jre_path.

pdrte_lp_uninstall.jar Specifies the language package for Tivoli Access Manager Base.

pdjrte_lp_uninstall.jar Specifies the language package for the Tivoli Access Manager Java runtime environment.

pdwas_lp_uninstall.jar Specifies the language package for the WebSphere Application Server.

pdwbpi_lp_uninstall.jar Specifies the language package for the Plug-in for Web Servers.

pdweb_lp_uninstall.jar Specifies the language package for Tivoli Access Manager WebSEAL.

pdwls_lp_uninstall.jar Specifies the language package for the WebLogic Server.

pdwsl_lp_uninstall.jar Specifies the language package for the Tivoli Access Manager Plug-in for Edge Server.

Locale environment variables

As with most current operating systems, localized behavior is obtained by specifying the desired locale. For Tivoli Access Manager software, you set the LANG environment variable to the desired locale name as specified by POSIX, X/Open, or other open systems standards.

Note: If you are in a Windows environment, you can alternatively modify the language setting in the Regional Settings of the Control Panel. If you specify the LANG environment variable and modify the regional settings, the LANG environment variable overrides this regional setting.

As specified by open systems standards, other environment variables override LANG for some or all locale categories. These variables include the following:

v LC_CTYPE

v LC_TIME

v LC_NUMERIC

v LC_MONETARY

v LC_COLLATE

v LC_MESSAGES

v LC_ALL

If any of the previous variables are set, you must remove their setting for the LANG variable to have full effect.

LANG variable and UNIX systems

Most UNIX systems use the LANG variable to specify the desired locale. Different UNIX operating systems, however, require different locale names to specify the same language. Be sure to use a value for LANG that is supported by the UNIX operating system that you are using.


To obtain the locale names for your UNIX system, enter the following command:

locale -a

LANG variable and Windows systems

Windows operating systems generally do not use the LANG environment variable. Tivoli Access Manager software, however, can use LANG to determine the desired language. To do so, set the LANG to the canonical locale name based on the ISO language or territory codes without a code set suffix. For example:

v fr is the locale for standard French

v ja is the locale for Japanese

v pt_BR is the locale for Brazilian Portuguese

v C is the locale for English in C locale

On Windows systems, if LANG is not set, Tivoli Access Manager uses the current selection in the Regional Settings object of the Windows Control Panel.

Using locale variants

Although Tivoli Access Manager software currently provides only one translated version for each language, you can use a preferred locale variant, and Tivoli Access Manager finds the corresponding language translation. For example, Tivoli Access Manager provides one translation for French, but each of the following locale settings finds the appropriate translation:

v fr is the locale name for standard French

v fr_FR is the locale name for French in France

v fr_CA is the locale name for French in Canada

v fr_CH is the locale name for French in Switzerland

Message catalogs

Message catalogs are typically installed in a msg subdirectory and each of these message catalogs is installed under a language-specific subdirectory as follows:

v On UNIX systems:

/opt/PolicyDirector/nls/msg/locale

v On Windows systems:

install_dir/nls/msg/locale

Tivoli Access Manager recognizes variations in UNIX locale names and is usually able to map the specified value to the appropriate message catalog.

The NLSPATH variable is used to find the appropriate message catalog directory, as specified by open systems standards. For example, if the message catalogs are in /opt/PolicyDirector/nls/msg, the NLSPATH variable is set to the following:

/opt/PolicyDirector/nls/msg/%L/%N.cat:/opt/PolicyDirector/nls/msg/%L/%N

Note: For Windows, use a semicolon (;) instead of a colon (:) as the separator.

The %L directive is expanded to the message catalog directory that most closely matches the current user language selection, and %N.cat expands to the desired message catalog.

If a message catalog is not found for the desired language, the English C message catalogs are used.


For example, suppose you specify the AIX locale for German in Switzerland as follows:

LANG=De_CH.IBM-850

The %L directive is expanded in the following order to locate the specified locale:

1. de_CH

2. de

3. C

Because Tivoli Access Manager does not provide a German in Switzerland language package, de_CH is not found. If the Tivoli Access Manager German language package is installed, de is used. Otherwise, the default locale C is used, causing text to be displayed in English.
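The precedence among LC_ALL, the LC_* categories and LANG described under “Locale environment variables”, and the de_CH, de, C fallback worked through just above, can be checked with the following POSIX shell functions. This is an added example, not code from the IBM guide or the product: it resolves which variable governs messages, derives the %L candidates from a locale name, and looks each candidate up against the two NLSPATH forms quoted above. The msg directory tree and the catalog name pdbase are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the IBM guide): reproduce the locale resolution
# the guide describes.
#  1. POSIX precedence among the variables listed above: LC_ALL beats
#     LC_MESSAGES, which beats LANG. This is why a stray LC_* setting
#     stops LANG from taking full effect.
#  2. The %L expansion order for a value such as De_CH.IBM-850:
#     de_CH, then de, then C. The code set suffix is dropped and the
#     language part lowercased; the territory keeps its case.
#  3. A lookup over the two NLSPATH entries quoted in the text:
#     msgdir/%L/%N.cat, then msgdir/%L/%N.

# effective_lang LANG LC_MESSAGES LC_ALL -> the value that governs messages.
# Values are passed explicitly so the function is testable without
# changing the caller's environment.
effective_lang() {
    if   [ -n "$3" ]; then printf '%s\n' "$3"
    elif [ -n "$2" ]; then printf '%s\n' "$2"
    elif [ -n "$1" ]; then printf '%s\n' "$1"
    else printf 'C\n'            # nothing set: the English C locale
    fi
}

# locale_candidates LOCALE -> %L candidates, one per line, most specific first.
locale_candidates() {
    loc=${1%%.*}                 # strip ".IBM-850"-style code set suffix
    loc=${loc%%@*}               # strip "@euro"-style modifier as well
    lang=$(printf '%s' "${loc%%_*}" | tr 'A-Z' 'a-z')
    case $loc in
        *_*)                printf '%s_%s\n%s\nC\n' "$lang" "${loc#*_}" "$lang" ;;
        ''|C|c|POSIX|posix) printf 'C\n' ;;
        *)                  printf '%s\nC\n' "$lang" ;;
    esac
}

# find_catalog MSGDIR LOCALE CATALOG -> path of the first catalog found,
# trying both NLSPATH forms for each candidate in order; returns 1 if none
# exists (a real installation then has no catalog at all, not even C).
find_catalog() {
    dir=$1; name=$3
    for cand in $(locale_candidates "$2"); do
        for f in "$dir/$cand/$name.cat" "$dir/$cand/$name"; do
            if [ -f "$f" ]; then printf '%s\n' "$f"; return 0; fi
        done
    done
    return 1
}

# Demonstration on a constructed tree (not a real /opt/PolicyDirector/nls/msg):
# only the German and C catalogs exist, as when just the German language
# package is installed. "pdbase" is a made-up catalog name.
demo_dir=$(mktemp -d)
for l in de C; do
    mkdir -p "$demo_dir/$l" && : > "$demo_dir/$l/pdbase.cat"
done
chosen=$(effective_lang De_CH.IBM-850 "" "")
printf 'locale in effect : %s\n' "$chosen"
printf 'candidates       : %s\n' "$(locale_candidates "$chosen" | tr '\n' ' ')"
printf 'catalog selected : %s\n' "$(find_catalog "$demo_dir" "$chosen" pdbase)"
rm -rf "$demo_dir"
```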

Text encoding (code set) support

Different operating systems often encode text in different ways. For example, Windows systems use SJIS (code page 932) for Japanese text, but UNIX systems often use eucJP.

In addition, multiple locales can be provided for the same language so that different code sets can be used for the same language on the same machine. This can cause problems when text is moved from system to system or between different locale environments.

Tivoli Access Manager addresses these problems by using Unicode and UTF-8 (the multi-byte form of Unicode) as the internal canonical representation for text.

Message catalogs are encoded using UTF-8, and the text is converted to the locale encoding before being presented to the user. In this way, the same French message catalog files can be used to support a variety of Latin 1 code sets, such as ISO8859-1, Microsoft 1252, IBM PC 850, and IBM MVS™ 1047.

UTF-8 is also used to achieve text interoperability. For example, Common Object Request Broker Architecture (CORBA) strings are transmitted as UTF-8. This enables remote management within a heterogeneous network in which local text encoding can vary. For example, Japanese file names can be manipulated on Japanese PC endpoints from a desktop executing in the UNIX Japanese EUC locale.

Text interoperability across the secure domain is also achieved by storing strings as UTF-8 within the Tivoli object database. Strings are converted to the local encoding for viewing and manipulation by applications that are executing on different operating system code sets.

Location of code set files

Interoperability across your secure domain depends on code set files, which are used to perform UTF-8 conversion and other types of encoding-specific text processing. These files are installed in the following directories:

v On UNIX systems:

/opt/PolicyDirector/nls/msg/locale

v On Windows systems:

install_dir/nls/msg/locale


Chapter 2. Configuring registries for Tivoli Access Manager

This chapter describes how to set up a supported registry for use with Tivoli Access Manager. This step in the installation process is required prior to installing Tivoli Access Manager systems in your secure domain (as specified in “Installation process” on page 6). For system requirements for a specific registry, see the IBM Tivoli Access Manager Release Notes.

This chapter includes the following main sections:

v “LDAP server configuration overview” 

v “Configuring the IBM Directory server” on page 18

v “Configuring the iPlanet Directory Server” on page 24

v “Configuring Novell eDirectory” on page 27

v “Configuring z/OS and OS/390 security servers” on page 28

v “Configuring Active Directory” on page 33

v “Configuring Lotus Domino” on page 38

LDAP server configuration overview

Data is stored within the LDAP server in a hierarchical tree structure called the Directory Information Tree (DIT). The top of the tree is called a suffix (also referred to as a naming context or root). An LDAP server can contain multiple suffixes to organize the data tree into logical branches or organizational units.

The following sections show you how to create Tivoli Access Manager suffixes for your particular LDAP server. During the configuration process, Tivoli Access Manager automatically attempts to add appropriate access control lists (ACLs) to every suffix that currently exists in the LDAP server. This is necessary to give Tivoli Access Manager needed permission to manage users and groups defined within those suffixes. If you add suffixes after the initial configuration of Tivoli Access Manager, you must add the appropriate ACLs manually. For instructions, see the IBM Tivoli Access Manager Base Administrator’s Guide.

Tivoli Access Manager requires that you create a suffix named secAuthority=Default, which maintains Tivoli Access Manager metadata. You must add this suffix only once—when you first configure the LDAP server. This suffix enables Tivoli Access Manager to easily locate and manage the data. It also secures access to the data, thus avoiding integrity or corruption problems.

Additionally, you are prompted for a global signon (GSO) distinguished name (DN) during configuration of the policy server. To store GSO metadata, you can either create a suffix or specify the distinguished name of an existing LDAP DIT location. You can store the GSO metadata anywhere you choose within the LDAP DIT, but the location must already exist. If you decide to create a suffix, you might consider storing both GSO metadata and your user definitions in a single suffix. For instance, the following sections use o=tivoli,c=us as an example to store both GSO metadata and user definitions. Note that you can also create additional suffixes to maintain user and group definitions.

After you create suffixes, you also must create directory entries for each suffix. This is necessary to instantiate the suffix. Otherwise, Tivoli Access Manager is unable to attach ACLs when it is being configured. ACLs give Tivoli Access Manager needed permission to manage users and groups defined within those suffixes.

Note: For complete instructions about creating suffixes, see the product documentation shipped with your particular LDAP server. The following instructions serve as a general guide to creating suffixes. It is recommended that you create suffixes that mirror your organizational structure.

The following sections describe how to configure the following supported LDAP registries:

v “Configuring the IBM Directory server” 

v “Configuring the iPlanet Directory Server” on page 24

v “Configuring Novell eDirectory” on page 27

v “Configuring z/OS and OS/390 security servers” on page 28

Configuring the IBM Directory server

Attention

v If you used the easy installation ezinstall_ldap_server script to install and configure the IBM Directory server, skip the instructions in this chapter. Easy installation configures the IBM Directory server automatically.

v Before you configure the IBM Directory server, ensure that you have read and are following steps in the order described in “Native installation process” on page 7. Patches are required before configuration.

v If you are installing IBM Directory on Linux for zSeries, ensure that you configure the server after installing Tivoli Access Manager as indicated in the “Native installation process” on page 7.

To configure the IBM Directory server for Tivoli Access Manager, follow these steps:

1. Ensure that the IBM Directory server is installed.

2. Do one of the following:

v For all systems except Linux on zSeries, skip to step 3 on page 19.

v For Linux on zSeries systems only, follow these steps:

a. Apply the Tivoli Access Manager schema. This file, named secschema.def, is located in the etc directory where Tivoli Access Manager is installed. To apply this schema, enter the following command (on one line):

ldapmodify -h ldap_host -p port -D cn=root -w pswd -c -v -f secschema.def

b. Install the JRE for Linux on zSeries. For instructions, see “Installing the platform-specific JRE” on page 64.

Note: The IBM Directory server dmt and ldapcfg tools require JRE 1.3.1 or higher to run successfully.

c. For the dmt and ldapcfg tools to use JRE version 1.3.1 instead of the JRE version installed with IBM Directory, update the following:

– Edit the /usr/ldap/bin/dmt script and comment out the following lines:

find_java(){
# First, try to find the version of Java that we install with LDAP.
# if [ "${ENV_JAVA}" == "" ] ; then            COMMENT THIS LINE
#   OVERRIDE=${LDAPIDIR}/java/bin/java         COMMENT THIS LINE
# fi                                           COMMENT THIS LINE

– Edit the /usr/ldap/bin/ldapcfg script and comment out the following lines:

find_java()
{
# First, try to find the version of Java that we install with LDAP.
# if [ "${OS}" != "HP-UX" ] ; then             COMMENT THIS LINE
#   if [ "${ENV_JAVA}" == "" ] ; then          COMMENT THIS LINE
#     OVERRIDE=${LDAPCIDIR}/java/bin/java      COMMENT THIS LINE
#   fi                                         COMMENT THIS LINE
# fi                                           COMMENT THIS LINE

3. Do one of the following:

v For all systems except Linux on zSeries, access the IBM Directory server Web administration tool at the following address and then continue to step 4 on page 20:

http://servername:port/ldap/index.html

where servername is the name of the LDAP server and port is the port number listed in the httpd.conf file.

v For Linux on zSeries systems only, you must manually modify the slapd32.conf file to add required suffixes. To do so, modify the dn: cn=Directory section of the slapd32.conf file by adding the following required Tivoli Access Manager suffix and a suffix (or existing DN) for GSO metadata and user definitions (for example, o=tivoli,c=us). Then skip to step 14 on page 22 to continue configuring the IBM Directory server.

dn: cn=Directory, cn=RDBM Backends, cn=IBM, cn=Schemas, cn=Configuration
cn: Directory
ibm-slapdDbAlias: ldapdb2b
ibm-slapdDbConnections: 30
ibm-slapdDbInstance: ldapdb2
ibm-slapdDbName: ldapdb2
ibm-slapdDbUserId: ldapdb2
ibm-slapdDbUserPW: >1aV1aFVp/G44POPw/p4ZkJAldiDt+GsRizdgwYF0F7tJYkcEUuBg4K7HnRFBgMev8jrleaPmiblTpnxb3br96RQ6ZjHeu75ZqCQ9/cIGqH/G6aDVCfbkmk3xyErW1eQdNt7i8iY9HHqgICIGQek6Qm1K<
ibm-slapdPlugin: database /lib/libback-rdbm.so rdbm_backend_init
ibm-slapdReadOnly: FALSE
ibm-slapdSuffix: o=tivoli,c=us
ibm-slapdSuffix: secAuthority=Default
ibm-slapdSuffix: cn=localhost
objectclass: top
objectclass: ibm-slapdRdbmBackend
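Editing slapd32.conf by hand, as the zSeries step above requires, is easy to get wrong: a suffix can land in the wrong stanza or be added twice. The following shell function is an added example, not part of this guide or of the IBM Directory product. It appends an ibm-slapdSuffix line to the dn: cn=Directory stanza only if that stanza does not already list it (compared case-insensitively, since the guide notes suffix DNs are not case-sensitive) and refuses to touch a file that has no such stanza. The stanza header and attribute names are taken from the entry shown above; the file used in the demonstration is constructed and is not a real configuration.

```shell
#!/bin/sh
# Added example (not from the IBM guide): idempotently add an ibm-slapdSuffix
# line to the "dn: cn=Directory, cn=RDBM Backends, ..." stanza of slapd32.conf.
# Assumes the LDIF-like layout of the entry printed above: one attribute per
# line, stanzas separated by a blank line.

# add_slapd_suffix CONF SUFFIX
#   returns 0 when the suffix is present afterwards (added now or already there)
#   returns 1 when CONF has no cn=Directory stanza or cannot be written; CONF
#   is then left untouched
add_slapd_suffix() {
    conf=$1
    suffix=$2
    tmp=$(mktemp) || return 1
    if awk -v sfx="$suffix" '
        BEGIN { lsfx = tolower(sfx); found = 0; in_stanza = 0; handled = 0 }
        # the stanza starts at its dn: line
        /^dn: cn=Directory, cn=RDBM Backends/ { found = 1; in_stanza = 1 }
        # note whether the stanza already lists this suffix, in any case
        in_stanza && /^ibm-slapdSuffix:/ {
            v = $0; sub(/^ibm-slapdSuffix:[ \t]*/, "", v)
            if (tolower(v) == lsfx) handled = 1
        }
        # a blank line ends the stanza: insert just before it if still missing
        in_stanza && /^$/ {
            if (!handled) print "ibm-slapdSuffix: " sfx
            handled = 1; in_stanza = 0
        }
        { print }
        END {
            # the stanza ran to end of file without a trailing blank line
            if (in_stanza && !handled) print "ibm-slapdSuffix: " sfx
            if (!found) exit 1
        }' "$conf" > "$tmp"
    then
        cat "$tmp" > "$conf" && rm -f "$tmp"   # keeps the mode and owner of CONF
    else
        rm -f "$tmp"
        return 1
    fi
}

# Demonstration on a constructed file (not a real slapd32.conf). The two
# suffixes the guide requires end up once each inside the cn=Directory stanza;
# the third call, differing only in case, adds nothing.
demo_conf=$(mktemp)
printf '%s\n' \
  'dn: cn=Directory, cn=RDBM Backends, cn=IBM, cn=Schemas, cn=Configuration' \
  'cn: Directory' \
  'ibm-slapdSuffix: cn=localhost' \
  'objectclass: top' \
  'objectclass: ibm-slapdRdbmBackend' \
  '' \
  'dn: cn=Other, cn=Configuration' \
  'cn: Other' > "$demo_conf"
add_slapd_suffix "$demo_conf" secAuthority=Default
add_slapd_suffix "$demo_conf" o=tivoli,c=us
add_slapd_suffix "$demo_conf" SECAUTHORITY=DEFAULT
cat "$demo_conf"
rm -f "$demo_conf"
```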


4. Type the name and password of the LDAP administrator and then click the Logon button as shown:

The IBM Directory server Administration Web page is displayed.

5. To ensure that the IBM Directory server is started, select Current state → Server status in the left navigation pane. A window similar to the following is displayed:

6. If your server is stopped, click Start/Stop and then click Start to start the server. A message is displayed when the server successfully starts or stops.

7. To create a suffix, select Settings → Suffixes from the left navigation pane. The Suffixes window is displayed.

8. To create the suffix where Tivoli Access Manager maintains its metadata, type the following required suffix as shown:

secAuthority=Default

Note: The suffix distinguished name is not case-sensitive.

9. Click Update. The Suffixes window is displayed. Your new suffixes are displayed in the Current server suffixes table.

10. If you chose to create a suffix for the GSO metadata, type the new suffix distinguished name in the Suffix DN field. For example, you might type o=tivoli,c=us as shown:

You are prompted for the GSO suffix when you configure Tivoli Access Manager components. For information about why a GSO suffix is required, see “LDAP server configuration overview” on page 17.

11. Click Update. The Suffixes window is displayed again. At this point, you can create additional suffixes to maintain user and group definitions.

Note: For more information about how to add suffixes, click the Help icon in the upper-right pane of the window.

12. When you have finished adding suffixes, click restart the server in the message in the upper pane of the window as shown:

The following message is displayed after a few minutes:

The directory server is running.

If the message fails to display, restart the IBM Directory server. For example, on Windows systems, select Start → Settings → Control Panel and click Services. Select the IBM Directory service and click Start to restart the LDAP server.

13. Do one of the following:

v If you did not add any suffixes other than secAuthority=Default, skip steps 14 through 20 on page 23. A directory entry for secAuthority=Default is automatically added when the policy server is configured.

v If you added suffixes other than secAuthority=Default, continue to step 14 to create directory entries for each suffix.

14. To create directory entries, enter dmt from a command prompt to start the directory management tool (DMT). The following window is displayed:

15. Click the Add server button in the bottom pane. A window similar to the following is displayed:

16. Do one of the following:

v If you want to use Secure Sockets Layer (SSL) between the DMT and the LDAP server, select to use SSL and complete the fields specified. Click Help for descriptions of these fields.

v If you do not want to use SSL between the DMT and the LDAP server, select an authentication type.

a. If you select None or SASL External, no additional information is required.


b. If you select Simple or CRAM MD5, enter the user DN and user password and then click OK.

17. Select Browse Tree from the left pane. Warning messages are displayed indicating that the suffixes that you created do not contain data. Click OK to dismiss these messages. A window similar to the following is displayed:

18. Select the host name in the list on the right and click Add. For example, the host name is ldap://dliburd2.tivoli.com:389 in the previous example.

19. In the Add an LDAP Entry window, complete the fields and click OK. For example, if you are adding a directory entry for the GSO suffix, a window similar to the following is displayed:

20. Enter values for the attributes and then click Add. For example, the GSO suffix example appears as shown:


21. When you have completed adding directory entries for the suffixes youcreated, click Exit to close the IBM Directory Management Tool window.

Configuring the iPlanet Directory Server

Before you begin, ensure that you have completed the basic server installation andconfiguration as described in the iPlanet Directory Server product documentation.

For more information, see the iPlanet Directory Server documentation at thefollowing Web address:

http://docs.iplanet.com/docs/manuals/directory.html

To configure iPlanet Directory Server for Tivoli Access Manager, follow these steps:

1. To ensure that the directory server daemon (slapd-serverID) and the administration server daemon (admin-serv) are running, do one of the following:

v On UNIX systems, enter the following commands:

/usr/iplanet/servers/slapd-serverID/start-slapd

/usr/iplanet/servers/start-admin

v On Windows systems, select Start → Settings → Control Panel and then click the Services icon. Select the iPlanet Administration Server 5.0 and iPlanet Directory Server 5 services and then click Start.

2. To start the iPlanet Console, enter one of the following:

v On UNIX systems, enter the following:

% /usr/iplanet/servers/startconsole

v On Windows systems, select Start → Programs → iPlanet Server Products → iPlanet Console 5.0.

The iPlanet Console Login window is displayed unless your configuration directory (o=NetscapeRoot directory) is stored in a separate instance of iPlanet Directory Server. In this case, a window is displayed requesting your administrator user ID, password, and the Web address of the administrative server for that directory server.

3. Log in using the user ID and password for the LDAP administrator. For example, type cn=Directory Manager and the appropriate password as shown:

The iPlanet console is displayed.

4. From the Topology tab, click the Directory Server icon. The iPlanet Directory Server console is displayed.

5. From the iPlanet Directory Server console, select the Configuration tab.

6. Right-click Data in the left navigation panel and then select New Root Suffix. You can also create a new suffix by selecting Data and then selecting Object → Suffix from the menu bar as shown:

A pop-up window is displayed prompting you for the new suffix and a database name.

7. To create the suffix that maintains Tivoli Access Manager data, type secAuthority=Default in the New suffix field. Then type a unique name for the new database and click OK as shown:

Note: The Create associated database automatically check box is preselected. This is necessary so that a database is created at the same time as the new root suffix. The new root suffix is disabled until you create a database.

8. If you chose to create a suffix to maintain GSO data, type the suffix distinguished name in the New suffix field and enter a unique database name. For example, you might type o=tivoli,c=us and then click OK as shown:

You are prompted for the GSO suffix when you configure Tivoli Access Manager. For more information about GSO, see “LDAP server configuration overview” on page 17.

9. Do one of the following:


v If you did not add any suffixes other than secAuthority=Default, skip steps 10 through 13. A directory entry for secAuthority=Default is automatically added when the policy server is configured.

v If you added suffixes other than secAuthority=Default, continue to step 10 to create directory entries for each suffix.

10. Click the Directory tab and highlight the name of the server in the top of the left pane.

11. Select Objects → New Root Object. A list of new suffixes for which no entry yet exists is displayed as shown:

12. For each new suffix (other than secAuthority=Default), select the new suffix. The New Object pane is displayed. Scroll down to find the entry type that corresponds to the suffix you are creating. For example, you might select organization for a suffix named o=tivoli,c=us. Highlight the entry type and click OK as shown:

13. From the Property Editor window, enter a value for the entry. For the o=tivoli,c=us example, enter tivoli as the value for organization and then click OK as shown:

14. After you have created entries for each suffix that you added, select Console → Exit to close the console.

Configuring Novell eDirectory

Before you begin, ensure that you have completed the basic server installation and configuration for Novell eDirectory and the ConsoleOne tool as described in the Novell product documentation at the following Web address:

http://www.novell.com/documentation/lg/ndsedir86/index.html

In addition, ensure that you have reviewed and comply with system requirements and Tivoli Access Manager prerequisites listed in the IBM Tivoli Access Manager Release Notes.

To configure Novell eDirectory for Tivoli Access Manager, follow these steps:

1. Log in to the Novell Client workstation and start ConsoleOne.

2. Expand the NDS tree and then expand the tree that you created during installation. Under the tree are two child entries: an organization object and a Security container object.

3. Select the organization icon; for example, select AM. The left pane of the window displays the objects for your organization.

4. To update the schema so that Tivoli Access Manager can install it, right-click the LDAP Group object and select Properties. The Properties notebook is displayed.

5. From the Properties of the LDAP Group window, select the Class Mappings tab.

6. From the Table of LDAP Group Class Mappings window, delete the following entries and then select Apply:

inetOrgPerson

groupOFNames

7. From the Properties of the LDAP Group screen, select the Attribute Mappings tab. The Table of LDAP Group Attribute Mappings window is displayed.

8. Scroll through the table and select the NDS Attributes Member attribute. Verify that the corresponding LDAP attribute value is also Member. If the LDAP attribute value is not Member, click Modify.


9. From the Attribute Mapping window, enter the following and then select OK.

v NDS Attribute = Member

v Primary LDAP Attribute = Member

v Secondary LDAP attribute = uniqueMember

10. From the Properties of the LDAP Group window, click Apply and Close.

Adding a GSO suffix for configuration to Tivoli Access Manager

As part of the configuration process, you must add a GSO suffix. To do so, follow these steps:

1. Start ConsoleOne.

2. Determine what suffix to use. This is the distinguished name of the location in the LDAP server directory information tree (DIT) where you want global signon (GSO) metadata to be located. You can either enter a suffix or specify the DN of an existing LDAP DIT location (but it must designate a container object).

3. Right-click on the organization object, select New → Object → Country, and then click OK.

4. Type in the country code. For example, type US and click OK. The country is displayed under the IBM tree in the console.

5. Right-click on the country (US), select New → Object → Organization, and then click OK.

6. Type in your organization. For example, type Tivoli and click OK.

Configuring z/OS and OS/390 security servers

This section describes the configuration steps necessary to prepare the LDAP server on z/OS or OS/390 for Tivoli Access Manager. Particular emphasis is given to configuring Tivoli Access Manager against a native security authorization facility (SAF) registry.

These guidelines assume a new LDAP server instance dedicated to the Tivoli Access Manager registry. For more information, consult the LDAP Server Administration and Use manual for your particular release of OS/390 or z/OS. This document is available through the z/OS library at:

http://www-1.ibm.com/servers/eserver/zseries/zos/bkserv/

For system requirements and applicable program temporary fixes (PTFs), see the IBM Tivoli Access Manager Release Notes.

This chapter includes the following sections. Sample configuration files are also provided.

v Creating a DB2 database for the TDBM backend

v Creating an LDAP configuration file for a TDBM backend

v Starting the server

v Updating and loading schema files

v Enabling LDAP replication

v Configuring Tivoli Access Manager for LDAP


Creating a DB2 database for the TDBM backend

To create a DB2 database for the TDBM backend, follow instructions in the README file located in the following directory of your LDAP installation:

/usr/lpp/ldap/examples/sample_server

Steps are as follows:

1. Bind the Call Level Interface (CLI). The CLI provides an abstraction layer to SQL commands. This step establishes the environment needed for the LDAP server to use the CLI. The sample server provides a job file to bind the CLI. An administrator must move the file to an MVS™ partition before it is possible to execute the job. See “Sample CLI bind batch job” on page 195 for a copy of this file.

2. Create a CLI initialization file. The initialization file provides the LDAP server a facility and the data source for the CLI. An example of this file is found with the sample server. It is referred to in the LDAP configuration file. See “Sample CLI initialization file” on page 197 for a copy of this file.

3. Create a new database. Use SQL Processor Using File Input (SPUFI) scripts to run with DB2 Interactive (DB2 I) on OS/390 to perform SQL commands. To create a new database and associated tablespaces, run the SPUFI file located in “Sample DB2 database and tablespace script for SPUFI” on page 188. To create the indexes for the new database, run the SPUFI file located in “Sample DB2 index script for SPUFI” on page 193. Note that to execute a SPUFI script, you must invoke DB2 I and select SPUFI from the Primary Option Menu.

Creating an LDAP configuration file for a TDBM backend

To create an LDAP configuration file for a TDBM backend, use the sample configuration file in “Sample LDAP configuration” on page 187. The following entries are required for a TDBM:

database TDBM GLDBTDBM
Specifies the database type and library name. This entry marks the beginning of the TDBM section for the configuration file.

databasename dbname
Specifies the name of the DB2 database used for the backend. It is specified in the CREATE DATABASE option of the SPUFI used to create the database and tablespaces. See step 3 on page 29.

dsnaoini dataset
Specifies the DB2 initialization file. See step 2 for details about creating this file. The value of this option is of the form USERID.FILENAME.

dbuserid userid
Specifies the OS/390 user that owns the DB2 tables. The userid is the same as the administrator who ran the SPUFI scripts (per step 2).

servername string
Specifies the name of the DB2 server location that manages the tables for the LDAP server. The string is the value specified in the DATA SOURCE stanza of the CLI initialization file.

attrOverflowSize num_of_bytes
Specifies the size at which the entries of attributes are loaded in separate DB2 tables. Choose a value such that large binary data is stored in the separate table space.

suffix dn_suffix
Specifies the root of a subtree in the name space managed by this server within this backend. Include both the organization suffix DN for your registry and the secAuthority=Default, which specifies the DN for the Tivoli Access Manager security registry.

The following additional entries are required to make use of native authentication. For detailed explanations about these entries, see the OS/390 LDAP Server Administration and Usage publication.

UseNativeAuth [SELECTED | ALL | OFF]
The SELECTED option specifies that user entries with a value for the ibm-nativeId attribute are authenticated against SAF. Choosing SELECTED provides the most flexibility and minimizes additional administrative duties. The ALL option specifies that the SAF authentication is made against the user name found in an entry’s UID attribute (if no ibm-nativeId attribute is specified).

NativeAuthSubTree dn_suffix
Specifies the root of a subtree or trees in the name space for which native authentication applies.

nativeAuthUpdateAllowed YES

Enables Tivoli Access Manager users to update their SAF passwords through the Web-based pkmspasswd utility.
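As an added example (not part of this guide or of IBM's tooling), the following Python script checks a slapd.conf against the TDBM and native-authentication entries listed above: it flags a missing secAuthority=Default suffix, a dsnaoini value that is not a USERID.FILENAME data set, and useNativeAuth set without a nativeAuthSubTree. The two sample configurations and every value in them are constructed.

```python
"""Check a z/OS LDAP server slapd.conf TDBM section for the entries this guide
requires and for consistent native-authentication options. Added example, not
IBM's tooling; the sample configurations below are constructed."""
import re

# Entries the guide lists as required in the TDBM section (besides 'database' itself).
REQUIRED_TDBM = ("databasename", "dsnaoini", "dbuserid", "servername", "suffix")
AM_SUFFIX = "secauthority=default"   # subtree that holds the Access Manager registry
# dsnaoini names an MVS data set, USERID.FILENAME: dot-separated qualifiers of 1-8 chars.
DATASET_NAME = re.compile(r"^[A-Z@#$][A-Z0-9@#$-]{0,7}(\.[A-Z@#$][A-Z0-9@#$-]{0,7})+$")


def _norm_dn(value):
    """Lowercase and strip quotes/spaces so '"o=tivoli, c=us"' equals 'o=tivoli,c=us'."""
    return value.strip().strip('"').replace(" ", "").lower()


def parse_slapd_conf(text):
    """Split slapd.conf into a global section plus one section per 'database' line.
    Each section maps a lowercased option to its list of values ('suffix' repeats)."""
    sections = [{"_name": "global"}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "database":                 # opens a new backend section
            sections.append({"_name": value})
        sections[-1].setdefault(key, []).append(value)
    return sections


def check_tdbm_config(text):
    """Return findings as strings; an empty list means the guide's requirements are met."""
    sections = parse_slapd_conf(text)
    tdbm = [s for s in sections if s["_name"].upper().split() == ["TDBM", "GLDBTDBM"]]
    if not tdbm:
        return ["no 'database TDBM GLDBTDBM' section found"]
    sec = tdbm[0]
    findings = [f"TDBM section is missing required entry '{opt}'"
                for opt in REQUIRED_TDBM if opt not in sec]
    for ds in sec.get("dsnaoini", []):
        if not DATASET_NAME.match(ds.upper()):
            findings.append(f"dsnaoini '{ds}' is not a data set name of the form USERID.FILENAME")
    suffixes = [_norm_dn(s) for s in sec.get("suffix", [])]
    if AM_SUFFIX not in suffixes:
        findings.append("suffix secAuthority=Default is missing; the policy server has no registry subtree")
    if not [s for s in suffixes if s != AM_SUFFIX]:
        findings.append("no organization suffix is configured alongside secAuthority=Default")
    # Native-authentication options may sit in the global section or inside the TDBM section.
    merged = dict(sections[0])
    merged.update(sec)
    mode = merged.get("usenativeauth", ["OFF"])[0].upper()
    if mode not in ("SELECTED", "ALL", "OFF"):
        findings.append(f"useNativeAuth '{mode}' is not one of SELECTED, ALL, OFF")
    elif mode != "OFF":
        subtrees = [_norm_dn(s) for s in merged.get("nativeauthsubtree", [])]
        if not subtrees:
            findings.append(f"useNativeAuth {mode} is set but no nativeAuthSubTree says where SAF authentication applies")
        for st in subtrees:
            if not any(st == sfx or st.endswith("," + sfx) for sfx in suffixes):
                findings.append(f"nativeAuthSubTree '{st}' is not under any configured suffix")
        if merged.get("nativeauthupdateallowed", [""])[0].upper() != "YES":
            findings.append("nativeAuthUpdateAllowed is not YES, so pkmspasswd cannot update SAF passwords")
    return findings


# Constructed sample that meets the guide's requirements (all values are placeholders).
GOOD_CONF = """
port 389
database TDBM GLDBTDBM
databasename LDAPDB
dsnaoini LDAPSRV.DSNAOINI
dbuserid LDAPSRV
servername DB2LOC
suffix "o=tivoli,c=us"
suffix "secAuthority=Default"
useNativeAuth SELECTED
nativeAuthSubTree "o=tivoli,c=us"
nativeAuthUpdateAllowed YES
"""

# Constructed sample with three defects: a UNIX path instead of a data set name,
# no secAuthority=Default suffix, and native authentication with no subtree.
BAD_CONF = """
database TDBM GLDBTDBM
databasename LDAPDB
dsnaoini /u/ldapsrv/dsnaoini
dbuserid LDAPSRV
servername DB2LOC
suffix "o=tivoli,c=us"
useNativeAuth SELECTED
nativeAuthUpdateAllowed YES
"""
```

Running check_tdbm_config(BAD_CONF) returns the three findings described in the comment above it; GOOD_CONF returns an empty list.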

Starting the server

Provide the location of the configuration file created in “Configuring Tivoli Access Manager for LDAP” on page 32. The LDAP server searches for and loads a number of dynamic link libraries (DLLs) during its startup processing. The DLLs are located in a PDS file system. When starting slapd from the z/OS shell, the correct PDS must be referenced in the STEPLIB environment variable as follows:

export STEPLIB=GLD.SGLDLNK
export PATH=$PATH:/usr/lpp/ldap/sbin
GLDSLAPD -f slapd.conf

Updating and loading schema files

To update and load schema files, you must first copy the following schema files to your working directory:

v schema.user.ldif

v schema.IBM.ldif

The schema files contain the objects and attributes used to organize data for the Tivoli Access Manager services, as well as the SAF native authentication object class.

You must modify each schema file to match the organization distinguished name (DN) suffix in the LDAP configuration file. There is a single line describing the DN of the schema to be updated.

For example, edit each schema file and change:

dn: cn=schema, suffix

to the following:

dn: cn=schema,o=tivoli,c=us

To load these entries, use the ldapmodify command as follows:

ldapmodify -h hostname -p port -D bind_DN -w bind_pwd -f schema_file


Note: You must load schema.user.ldif followed by schema.IBM.ldif. It is not necessary to reload the schema for each suffix DN configured.

Applying ACLs to new LDAP suffixes

For every suffix Tivoli Access Manager accesses, you must apply an ACL LDIF as follows. Note that there is a new restricted permission for members of cn=securitygroup.

<suffix>
aclpropagate=TRUE
aclentry=group:cn=ivacld-servers,cn=securitygroups,secauthority=default:normal:csr
aclentry=group:cn=remote-acl-users,cn=securitygroups,secauthority=default:normal:csr
aclentry=group:cn=securitygroup,secauthority=default:object:ad:normal:cwsr:sensitive:cwsr:critical:cwsr:restricted:cwsr
aclentry=access-id:<LDAP admin DN>:object:ad:normal:rwsc:sensitive:rwsc:critical:cwsr:restricted:cwsr

<suffix>
ownerpropagate=TRUE
entryOwner=group:cn=SecurityGroup,secAuthority=Default
entryOwner=access-id:<LDAP admin DN>

The ldapmodify command is as follows:

ldapmodify -h hostname -p port -D admin_DN -c -v -f ldif_filename

Enabling LDAP replication

This section describes how to enable LDAP replication. LDAP servers behave in the master-slave model for replication tasks. The master server forwards directory updates to the slave. The slave, or replica server, can share the load for read requests and act as a backup server.

By default, an LDAP server is configured to run as a master server. Providing the master with an object detailing the location of one or more replica servers enables replication.

Adding a stanza to the replica LDAP server’s configuration file

To add a stanza to the replica LDAP server’s configuration file, see the stanza example in “Sample LDAP configuration” on page 187. Required entries for a replica LDAP server are as follows:

masterServer ldapURL
Specifies the LDAP URL in the form ldap://server_name:port. This option refers to the FQDN and port of the master server.

masterServerDN DN
Specifies the DN that you provide the replicaBindDN in “Adding an object to the master LDAP server’s backend”.

masterServerPW string
Specifies the password that you provide the replicaCredentials in “Adding an object to the master LDAP server’s backend”.

Adding an object to the master LDAP server’s backend

An example of an ldif file representing such an object is as follows:

dn: cn=replicas
objectclass: replicaObject
cn: replicas
replicaHost: hostname
replicaPort: port
replicaBindDn: any_unique_DN_to_bind_with
replicaCredentials: password_to_bind_with
description: "Description Here"

This object can be loaded with an ldapmodify command as follows:

ldapmodify -h hostname -p port -D bind_DN -w bind_pwd -f ldif_file
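The following Python script is an added example, not part of this guide or of IBM's tooling. It renders the ACL LDIF from “Applying ACLs to new LDAP suffixes” for a given suffix and LDAP administrator DN, and audits an ACL LDIF for grants that exceed what the guide intends: a server group that can modify anything, or a subject other than cn=securitygroup and the administrator that can write restricted attributes. The suffix o=tivoli,c=us comes from the guide; the administrator DN cn=ldapadmin is a constructed value.

```python
"""Render the per-suffix ACL LDIF this guide applies to every suffix Tivoli Access
Manager uses, and audit an ACL LDIF for grants that exceed it. Added example, not
IBM's tooling; the sample admin DN is a constructed value."""

# Access Manager server groups: the guide grants them compare, search, read on 'normal' only.
SERVER_GROUPS = (
    "group:cn=ivacld-servers,cn=securitygroups,secauthority=default",
    "group:cn=remote-acl-users,cn=securitygroups,secauthority=default",
)
SECURITY_GROUP = "group:cn=securitygroup,secauthority=default"
PERMS = set("adrwsc")        # add, delete, read, write, search, compare
MODIFYING = set("adw")       # permissions that change data

# The guide's LDIF in the attr=value form its ldapmodify accepts; <suffix> and
# <LDAP admin DN> are the placeholders to fill.
ACL_TEMPLATE = """\
{suffix}
aclpropagate=TRUE
aclentry=group:cn=ivacld-servers,cn=securitygroups,secauthority=default:normal:csr
aclentry=group:cn=remote-acl-users,cn=securitygroups,secauthority=default:normal:csr
aclentry=group:cn=securitygroup,secauthority=default:object:ad:normal:cwsr:sensitive:cwsr:critical:cwsr:restricted:cwsr
aclentry=access-id:{admin_dn}:object:ad:normal:rwsc:sensitive:rwsc:critical:cwsr:restricted:cwsr

{suffix}
ownerpropagate=TRUE
entryOwner=group:cn=SecurityGroup,secAuthority=Default
entryOwner=access-id:{admin_dn}
"""


def render_suffix_acl(suffix, admin_dn):
    """Fill the template for one suffix, e.g. render_suffix_acl('o=tivoli,c=us', 'cn=ldapadmin')."""
    return ACL_TEMPLATE.format(suffix=suffix, admin_dn=admin_dn)


def parse_entries(text):
    """Parse attr=value LDIF into [(dn, {attr_lower: [values]})]; entries are
    separated by blank lines and the first line of each entry is its DN."""
    entries, dn, attrs = [], None, {}
    for raw in text.splitlines() + [""]:     # trailing "" flushes the last entry
        line = raw.strip()
        if not line:
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
        elif dn is None:
            dn = line
        else:
            attr, _, value = line.partition("=")   # split on the first '=' only; DNs keep theirs
            attrs.setdefault(attr.lower(), []).append(value)
    return entries


def parse_aclentry(value):
    """Split 'type:subject_dn:class:perms[:class:perms...]' into (subject, {class: set(perms)}).
    Assumes, as in this guide, that subject DNs contain no ':'."""
    parts = value.split(":")
    subject = ":".join(parts[:2]).lower()
    grants = {cls.lower(): set(perms.lower()) for cls, perms in zip(parts[2::2], parts[3::2])}
    return subject, grants


def audit_suffix_acl(text, admin_dn):
    """Return findings where an aclentry grants more than the guide intends."""
    findings = []
    admin = "access-id:" + admin_dn.lower()
    for dn, attrs in parse_entries(text):
        if "aclentry" not in attrs:
            continue                                  # the ownership entry carries no aclentry
        if attrs.get("aclpropagate", [""])[0].upper() != "TRUE":
            findings.append(f"{dn}: aclpropagate is not TRUE, so entries below the suffix inherit no ACL")
        for value in attrs["aclentry"]:
            subject, grants = parse_aclentry(value)
            for cls, perms in grants.items():
                if not perms <= PERMS:
                    findings.append(f"{dn}: {subject} has unknown permission(s) {sorted(perms - PERMS)} on {cls}")
            modifiable = sorted(cls for cls, perms in grants.items() if perms & MODIFYING)
            if subject in SERVER_GROUPS and modifiable:
                findings.append(f"{dn}: server group {subject} can modify {modifiable}; the guide grants normal:csr only")
            if "restricted" in modifiable and subject not in (SECURITY_GROUP, admin):
                findings.append(f"{dn}: {subject} can write restricted attributes; only cn=securitygroup and the admin should")
    return findings


if __name__ == "__main__":
    ldif = render_suffix_acl("o=tivoli,c=us", "cn=ldapadmin")   # cn=ldapadmin is constructed
    print(ldif)
    print("findings:", audit_suffix_acl(ldif, "cn=ldapadmin") or "none")
```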

Configuring Tivoli Access Manager for LDAP

To use native authentication, you must turn off auth-using-compare. To do so, edit the [ldap] stanza of the ivmgrd.conf and webseald.conf file and change the line as follows:

auth-using-compare = no

By default, authentications to LDAP are made with a compare operation, rather than a bind.

Tivoli Access Manager supports LDAP failover and load-balancing for read operations. Tivoli Access Manager read operations include authentication requests and queries for GSO data. If you configured a replica server (see “Enabling LDAP replication” on page 31), you can provide the replica host name to Tivoli Access Manager in the ldap.conf file.

Native authentication user administration

The majority of administrative tasks remain unchanged with the addition of native authentication. Operations such as user create, user show, adding a user to an ACL entry or group, and all user modify commands (except password) work the same as Tivoli Access Manager configured against any other LDAP registry. Users can change their own SAF passwords with the Web-based pkmspasswd utility.

Native authentication provides the added feature of many-to-one mapping of Tivoli Access Manager users to SAF user IDs. Multiple users can have the same ibm-nativeId, and all bind with the same password. For this reason, it might be prudent to prevent many-to-one mapped users from changing the SAF password (otherwise there is an increased risk that users might inadvertently lock their peers out of their accounts).

pdadmin> group modify SAFusers add user1
pdadmin> acl create deny_pkms
pdadmin> acl modify deny_pkms set group SAFusers T
pdadmin> acl attach /Webseal/server_name/pkmspasswd deny_pkms

OS/390 LDAP native authentication bind does not provide the authority to perform a password reset. For example, with native authentication enabled, the following Tivoli Access Manager administration command does not work:

pdadmin> user modify user1 password ChangeMe1

Furthermore, there is no out-of-the-box administration command to set the ibm-nativeId entry for a user. To that end, the following instructions assist the management of Tivoli Access Manager users with an associated nativeId.

The user create command does not change:

pdadmin> user create user1 cn=user1,o=tivoli,c=us user1 user1 ChangeMe1
pdadmin> user modify user1 account-valid yes


The password (ChangeMe1, in this example) is set to the user’s userpassword entry in LDAP, which has no effect with native authentication enabled. In production, consider making this password something long and difficult to guess—in case native authentication is ever inadvertently disabled.

To set the ibm-nativeId entry for a user, create an ldif file similar to the following:

cn=user1,o=tivoli,c=us
objectclass=inetOrgPerson
objectclass=ibm-nativeAuthentication
ibm-nativeId=SAF_username

You can load the ldif file using the ldapmodify command as follows:

ldapmodify -h hostname -p port -D bind_DN -w bind_pwd -f ldif_file
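Added example, not from this guide or IBM: the Python script below reads an LDIF export in either the standard LDIF form or the attr=value form shown above, lists users whose entries share one ibm-nativeId (the many-to-one mapping whose lockout risk is described under “Native authentication user administration”), reports entries that carry ibm-nativeId without the ibm-nativeAuthentication object class, and generates the pdadmin sequence from that section that adds the affected users to SAFusers and attaches deny_pkms. The LDIF, the SAF user IDs, the SAFusers group and the WebSEAL server name are constructed.

```python
"""Find Tivoli Access Manager users whose LDAP entries share one ibm-nativeId
(many-to-one SAF mapping) and emit the pdadmin commands this guide uses to keep
them out of pkmspasswd. Added example, not IBM's tooling; the LDIF is constructed."""
from collections import defaultdict


def _split_attr(line):
    """Return (attr_lower, value) using whichever of ':' or '=' appears first, so
    both standard 'attr: value' LDIF and the guide's 'attr=value' form parse."""
    ci, ei = line.find(":"), line.find("=")
    sep = "=" if ci == -1 or (ei != -1 and ei < ci) else ":"
    attr, _, value = line.partition(sep)
    return attr.strip().lower(), value.strip()


def parse_ldif(text):
    """Parse single-line-attribute LDIF into [(dn, {attr_lower: [values]})].
    The first line of an entry is its DN, with or without a 'dn:' prefix."""
    entries, dn, attrs = [], None, {}
    for raw in text.splitlines() + [""]:           # trailing "" flushes the last entry
        line = raw.strip()
        if line.startswith("#"):
            continue
        if not line:
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
        elif dn is None:
            dn = line[3:].strip() if line.lower().startswith("dn:") else line
        else:
            attr, value = _split_attr(line)
            attrs.setdefault(attr, []).append(value)
    return entries


def nativeid_collisions(entries):
    """Map every ibm-nativeId used by more than one entry to the DNs sharing it.
    IDs are compared case-insensitively because RACF user IDs are upper case."""
    by_id = defaultdict(list)
    for dn, attrs in entries:
        for nid in attrs.get("ibm-nativeid", []):
            by_id[nid.upper()].append(dn)
    return {nid: dns for nid, dns in by_id.items() if len(dns) > 1}


def missing_nativeauth_class(entries):
    """DNs that carry ibm-nativeId without the ibm-nativeAuthentication object class
    the guide's LDIF adds alongside it; worth checking before relying on SAF binds."""
    return [dn for dn, attrs in entries
            if "ibm-nativeid" in attrs
            and "ibm-nativeauthentication" not in {c.lower() for c in attrs.get("objectclass", [])}]


def pdadmin_lockdown(collisions, webseal_server):
    """Build the guide's pdadmin sequence for every many-to-one mapped user.
    Assumes the Access Manager user ID equals the entry's leading RDN value (as in
    the guide's 'user create user1 cn=user1,...') and that group SAFusers exists."""
    cmds = []
    for nid in sorted(collisions):
        for dn in collisions[nid]:
            user = dn.split(",", 1)[0].split("=", 1)[1]
            cmds.append(f"group modify SAFusers add {user}")
    cmds += ["acl create deny_pkms",
             "acl modify deny_pkms set group SAFusers T",
             f"acl attach /Webseal/{webseal_server}/pkmspasswd deny_pkms"]
    return cmds


# Constructed export: user1, user2 and user4 all map to SAF ID OPS01; user4 lacks the class.
SAMPLE_LDIF = """\
dn: cn=user1,o=tivoli,c=us
objectclass: inetOrgPerson
objectclass: ibm-nativeAuthentication
ibm-nativeId: OPS01

cn=user2,o=tivoli,c=us
objectclass=inetOrgPerson
objectclass=ibm-nativeAuthentication
ibm-nativeId=OPS01

dn: cn=user3,o=tivoli,c=us
objectclass: inetOrgPerson
objectclass: ibm-nativeAuthentication
ibm-nativeId: JDOE

dn: cn=user4,o=tivoli,c=us
objectclass: inetOrgPerson
ibm-nativeId: ops01
"""

if __name__ == "__main__":
    found = parse_ldif(SAMPLE_LDIF)
    shared = nativeid_collisions(found)
    print("shared ibm-nativeId:", shared)
    print("missing ibm-nativeAuthentication:", missing_nativeauth_class(found))
    print("\n".join("pdadmin> " + c for c in pdadmin_lockdown(shared, "webseald-host1")))
```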

The SAF command to reset a user’s password is as follows:

subsystem_prefix ALTUSER userid PASSWORD password

Configuring Active Directory

To set up Active Directory for Tivoli Access Manager, you must perform the following tasks in this order:

1. Create an Active Directory domain.

2. Join an Active Directory domain.

3. Create an Active Directory administrative user.

After you set up an Active Directory domain for use with Tivoli Access Manager, the next step is to set up Tivoli Access Manager systems in your secure domain. For instructions, see Chapter 7, “Installing Tivoli Access Manager on Windows”, on page 77. Keep in mind that Active Directory does not require installation of the IBM Directory client. In addition, you must install Tivoli Access Manager components in the order specified in step 4 on page 8 of the native installation process.

Active Directory considerations

It is important to review the following information before configuring Active Directory for Tivoli Access Manager:

v Tivoli Access Manager can be configured in an Active Directory single domain or multi-domain environment. For information about single domain or multi-domain environments, see the Active Directory product documentation at the following Web address:

http://www.microsoft.com/windows2000/en/server/help/

v In a single-domain environment, the non-domain controller system needs to join the same domain where Tivoli Access Manager is configured. In a multi-domain environment, the non-domain controller system needs to join the Active Directory domain.

v You cannot use the easy installation batch files to install Tivoli Access Manager.

v Only security global groups are supported.

v To import an Active Directory user as a Tivoli Access Manager user, use the Active Directory user’s login name as the user ID for the Tivoli Access Manager user.

v If you installed and configured Tivoli Access Manager on a client of Active Directory (for example, Tivoli Access Manager and Active Directory are on different systems), the client system must join the domain and you must sign on to the domain as the Administrator to perform Tivoli Access Manager configuration on the client system.

v The DNS in the network TCP/IP setting on the client system must be the same as the domain controller’s network TCP/IP setting. You can use the root domain controller as the DNS server or you can use a separate DNS.

v If you configured Tivoli Access Manager in the single domain, and the domain is the non-root domain, you must run adschema_update.exe manually on the root domain controller.

Creating an Active Directory domain

Use the Active Directory configuration wizard to promote your Windows 2000 server system to a domain controller. The act of creating a domain controller also creates an Active Directory domain.

Before you begin, you must decide if you want to create a domain controller for a new domain or create an additional domain controller for an existing domain. If you plan to create a domain controller for a new domain, you must also answer whether or not this new domain will be one of the following:

v The first domain in a new forest

v The first domain in a new domain tree in an existing forest

v A child domain in an existing domain tree

Note: If the new domain name does not exist in Forward Lookup Zones in DNS, it must be created as a new zone before configuring a new domain controller. For more information about domain controllers, domain trees, and forests, consult your Windows 2000 server documentation.

To create a domain or add an additional domain controller to an existing domain, follow these steps:

v “Joining an Active Directory domain”

v “Creating an Active Directory administrative user” on page 37

Joining an Active Directory domain

After you create an Active Directory domain, follow these steps to join a Windows 2000 Advanced Server to an Active Directory domain.

Note: Ensure that you are logged on as an administrator to the local system and have a valid user name and password. Also ensure that the client and server systems are in the same DNS before adding a system to the domain.

1. Right-click My Computer and then click Properties from the pop-up dialog. The System Properties notebook is displayed.


2. Click the Network Identification tab.

3. Click Properties. Under Member of, select Domain and type the name of the domain that you want to join. Click OK to continue.


4. From the Domain Username And Password window, type a valid user name and password and then click OK to join the system to the domain.

5. If the join operation is successful, a welcome window is displayed as shown. Click OK to continue.

6. A dialog is displayed indicating that the system needs to be rebooted. Click OK to continue.

7. The System Properties notebook is displayed, indicating that the join operation has completed. Click OK to restart your system.

Note: After your system is restarted, ensure that you are signing into the AD domain that you’ve just joined. Usually, the local domain is the default domain in a Windows 2000 Login window.

Creating an Active Directory administrative user

To create an Active Directory administrative user for Tivoli Access Manager initialization, follow these steps:

1. On the Active Directory server system, select Start → Programs → Administrative Tools → Active Directory Users and Computers.

2. Create a new user and add this new user to the groups of Administrators, Domain Admins, Enterprise Admins and Schema Admins. This user is an Active Directory user only, not a Tivoli Access Manager user. You can select any name as the user login name, except sec_master, which is reserved for the Tivoli Access Manager administrator.

Active Directory replication

When a domain controller writes a change to its local copy of the Active Directory, a timer is started that determines when the domain controller’s replication partners should be notified of the change. By default, this interval is 300 seconds (5 minutes). When this interval elapses, the domain controller initiates a notification to each intra-site replication partner that it has changes that need to be propagated. Another configurable parameter determines the number of seconds to pause between notifications. This parameter prevents simultaneous replies by the replication partners. By default, this interval is 30 seconds. Both of these intervals can be modified by editing the registry.

To modify the delay between the change to the Active Directory and first replication partner notification, use the Registry Editor to modify value data for the Replicator notify pause after modify (secs) DWORD value in the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

Attention: Use caution when modifying data using the Registry Editor. Incorrect use can cause serious problems that might require you to reinstall your operating system.

The default value data for the Replicator notify pause after modify (secs) DWORD value is 0x12c (hexadecimal), which is 300 decimal (5 minutes).

To modify the notification delay between domain controllers, use the Registry Editor to modify value data for the Replicator notify pause between DSAs (secs) DWORD value in the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

The default value data for the Replicator notify pause between DSAs (secs) DWORD value is 0x1e (hexadecimal), which is 30 decimal (30 seconds).

Note: You must stop the policy server before editing the registry and then restart the system afterwards.

During Active Directory multi-domain configuration, a data propagation delay occurs with a default value of 5 minutes. A user or group, which was just created in non-root domains, might not be visible when user list or group list commands are issued. Similarly, a user or group, newly created in the primary root domain controller, might not be immediately visible in the secondary root domain. By adjusting the values of Replicator notify pause after modify and Replicator notify pause between DSAs in the Windows 2000 system registry, you can change the behavior to best fit into your environment needs.

Configuring Lotus Domino

To configure a Domino™ server as a registry for Tivoli Access Manager, you must install a Lotus Notes® client on the Domino server. The Domino server must also have the Lightweight Directory Access Protocol (LDAP) interface enabled. This is required so that Tivoli Access Manager can authenticate users using their Internet password. For system requirements, see the IBM Tivoli Access Manager Base Administrator’s Guide.

Tivoli Access Manager using a Domino registry is supported on Windows platforms only. This is because Tivoli Access Manager requires the Notes client, which is available only on supported Windows platforms. Because LDAP communication is required, each Tivoli Access Manager system also requires that the IBM Directory client be installed on your system.

The IBM Directory client is used to perform remote authentication to the Domino LDAP server to verify user name and password information. The Notes client is used for direct access to the domain (using a pre-defined privileged account) for all other tasks, such as viewing and updating user information.

Installing a Lotus Notes client on the Domino server

To install a Notes client on the Domino server, follow these steps:

1. Run the Notes client setup file on the Notes/Domino CD for Windows.

2. In the Notes Installation Options window, select Typical to install the Notes client only. For detailed information about the Notes client installation, see the Lotus Notes Installation Guide.

3. When the installation is complete, launch the Notes client to perform configuration.

4. Select Connect to a Domino Server.

5. Select Network connection (via LAN).

6. Enter the fully qualified Domino server name. For example, enter the following:

domino1/Tivoli

7. Select the Use my name as identification option radio button and enter the Tivoli Access Manager administrative user ID (for example, AMDaemons). If you provide the ID file, select the User ID was supplied to you in a file check box and put the ID file in the c:\lotus\notes\data directory.

8. Click OK to continue. If you are prompted for additional configuration information, you can simply accept all the default values. Click Finish to continue the Notes client configuration steps.

9. If appropriate, select the Do not connect to an internet proxy server radio button.

A password prompt window appears when the Notes client can access the remote Domino server.

10. Enter the password for the Tivoli Access Manager administrative user. If the password is correct, the Notes client continues to finish the remaining configuration.


When configuration is complete, the Notes ID file for the administrative user is installed in the Notes installation directory on the local system.

Creating a Tivoli Access Manager administrative user forDomino

1. From the Domino Administrator workspace GUI, select the People menu on the

right hand side.2. From the pull down menu, select Register.

3. Select the Domino server ’s Certifier ID (default location isC:\Lotus\Domino\data).

4. Type in the Certifier ’s password (this was set up during server configuration).

5. Select the Advanced check box and enter the Tivoli Access Manageradministrative user information and password. For example:

v First name: PD

v Last name: Daemons

v Password: password

6. Click ID Info to make sure the Notes ID file is stored in the Domino directory.

7. Click the Add person  button to add the Tivoli Access Manager administrativeuser to the Registration queue. The person document appears in the queue.

8. Highlight the person document in the queue and click Register to add the userto the Domino server.

9. From the View menu, click Refresh and verify that the Tivoli Access Manageruser’s person document was created in the Domino server.


Chapter 3. Installing Tivoli Access Manager on AIX

This chapter provides information about installing and configuring Tivoli Access Manager components on AIX systems. Instructions are provided for both easy and native installation methods. The following main sections are included:

v “Using easy installation”

v “Using native installation” on page 43

v “Uninstalling Tivoli Access Manager” on page 48

Using easy installation

Before you begin

v Install all operating system patches and review system requirements listed in the IBM Tivoli Access Manager for e-business Release Notes.

v Ensure that you set up Tivoli Access Manager systems in the order listed in the “Installation process” on page 6.

v Become familiar with the configuration decisions that you need to make during easy installation. For descriptions of easy installation configuration options and step-by-step instructions with illustrations, see Chapter 9, “UNIX easy installation scenarios”, on page 99.

Use easy installation scripts to create a secure domain or add systems or components to an existing one. Easy installation makes it easy for you to install Tivoli Access Manager by automatically installing software prerequisites at the same time. For example, if you run ezinstall_ldap_server to install and configure IBM Directory server as your Tivoli Access Manager registry, this script installs IBM Directory server and any prerequisite products and patches. Easy installation also detects when required products are installed and does not attempt to reinstall them. For example, if you run ezinstall_pdmgr to set up the policy server on the same system where you ran ezinstall_ldap_server, it does not reinstall GSKit and the IBM Directory client.

An easy installation script begins by prompting you for configuration information. After you supply this information, the components are installed and configured without further intervention. If you ever need to install these components again, you can use the associated response file that is generated when you run an easy installation script. The response file automatically stores the configuration information that you entered so that you do not need to re-enter it. Because it records the values you entered, restrict access to the file. For more information, see Chapter 11, “Using easy installation response files”, on page 149.

Table 3 on page 42 lists easy installation scripts for the AIX platform. All programs are located in the root directory on the IBM Tivoli Access Manager Base for AIX CD except for ezinstall_pdwpm, which is located in the root directory on the IBM Tivoli Access Manager Web Portal Manager for AIX CD.


Table 3. Easy Installation Scripts for AIX

File name Description

ezinstall_ldap_server Sets up an IBM Directory server system with the following software packages:

v IBM DB2

v IBM Global Security Toolkit

v IBM HTTP Server

v IBM Directory client

v IBM Directory server

Note: If an existing version of IBM Directory server exists, remove it before running this script.

ezinstall_pdacld Sets up an authorization server system with the following software packages:

v IBM Global Security Toolkit

v IBM Directory client

v Tivoli Access Manager runtime

v Tivoli Access Manager authorization server

ezinstall_pdauthadk Sets up a Tivoli Access Manager development system with the following software packages:

v IBM Global Security Toolkit

v IBM Directory client

v Tivoli Access Manager runtime

v Tivoli Access Manager Application Development Kit

ezinstall_pdmgr Sets up the Tivoli Access Manager policy server system with the following software packages:

v IBM Global Security Toolkit

v IBM Directory client

v Tivoli Access Manager runtime

v Tivoli Access Manager policy server

ezinstall_pdwpm Sets up a Web Portal Manager system with the following software packages:

v IBM Global Security Toolkit

v IBM Directory client

v Tivoli Access Manager runtime

v IBM WebSphere Application Server, Advanced Single Server 4.0 and FixPack 3

v Tivoli Access Manager Web Portal Manager

v Tivoli Access Manager Java runtime environment

install_pdrte Sets up a Tivoli Access Manager runtime system with the following software packages:

v IBM Global Security Toolkit

v IBM Directory client

v Tivoli Access Manager runtime


Using native installation

Before you begin

v Install all operating system patches and review system requirements listed in the IBM Tivoli Access Manager Base Administrator’s Guide.

v Ensure that you follow instructions and set up Tivoli Access Manager systems in the order listed in the “Installation process” on page 6.

v Become familiar with the configuration decisions that you need to make during native installation. For descriptions of native configuration options, see “UNIX native configuration options” on page 179.

This section includes information about installing and configuring Tivoli Access Manager using native operating system utilities. Unlike the automated scripts used in easy installation, you must manually install each component and any prerequisite software in the appropriate order.

This section includes the following main topics:

v “Installing the IBM Global Security Toolkit”

v “Installing the IBM Directory client”

v “Installing and configuring Tivoli Access Manager components” on page 44

v “Installing the platform-specific JRE” on page 45

v “Installing and configuring the Tivoli Access Manager Java runtime environment” on page 45

v “Installing and configuring a Web Portal Manager system” on page 45

Installing the IBM Global Security Toolkit

To install GSKit on an AIX system, follow these steps:

1. Log in to the system as root.

2. Insert the IBM Tivoli Access Manager Base for AIX CD.

3. At the command prompt, enter the following:

installp -c -a -g -X -d /dev/cd0 gskkm.rte

The -a and -c flags apply and commit the fileset in one step, -g also installs its prerequisite filesets, -X expands file systems if space runs short, and -d names the device or directory that holds the installation images.

4. For the iKeyman utility to run correctly, you must set the following AIX variable:

export JAVA_HOME=path

where path is the path where the Tivoli Access Manager Java runtime environment is installed.

After you install GSKit, no configuration is necessary.

Note that the iKeyman key management utility (gsk5ikm) is installed with the GSKit package. This enables you to create SSL key files, public-private key pairs, and certificate requests. For more information, see Appendix A, “Enabling Secure Sockets Layer”, on page 157 and the Secure Sockets Layer Introduction and iKeyman User’s Guide.

Installing the IBM Directory client

To install the IBM Directory client on an AIX system, follow these steps:

1. Log in to the system as root.


2. Insert the IBM Tivoli Access Manager Base for AIX CD.

3. At the command prompt, enter the following:

installp -c -a -g -X -d /dev/cd0 ldap.client ldap.max_crypto_client

Install both filesets: ldap.client is the IBM Directory client itself and ldap.max_crypto_client provides its highest encryption level.

After you install the IBM Directory client, no configuration is necessary.

Installing and configuring Tivoli Access Manager components

Before you begin

v Install all operating system patches and review system requirements listed in the IBM Tivoli Access Manager Base Administrator’s Guide.

v Ensure that you follow instructions and set up Tivoli Access Manager systems in the order listed in the “Installation process” on page 6.

v Become familiar with the configuration decisions that you need to make during native installation. For descriptions of native configuration options, see “UNIX native configuration options” on page 179.

To install Tivoli Access Manager components, follow these steps:

1. Log in to the system as root.

2. To install Tivoli Access Manager components, do one of the following:

v Insert the IBM Tivoli Access Manager Base for AIX CD.

v For the Web Portal Manager component only, insert the IBM Tivoli Access Manager Web Portal Manager for AIX CD.

3. At the command prompt, enter the following:

installp -c -a -g -X -d /dev/cd0 package

where /dev/cd0 is the device or directory that holds the installation images and package is one or more of the following components:

PD.RTE Indicates the Tivoli Access Manager runtime.

PD.Mgr Indicates the Tivoli Access Manager policy server.

PD.AuthADK Indicates the Tivoli Access Manager Application Development Kit.

PD.Acld Indicates the Tivoli Access Manager authorization server.

PD.WPM Indicates the Tivoli Access Manager Web Portal Manager. Ensure that you follow instructions in “Installing and configuring a Web Portal Manager system” on page 45. This component is only a part of the Web Portal Manager installation procedure.

PDJ.rte Indicates the Tivoli Access Manager Java runtime environment. Ensure that you follow instructions in “Installing and configuring the Tivoli Access Manager Java runtime environment” on page 45. This component is only a part of the Java runtime environment installation procedure.

4. To start the configuration utility, enter the following command:

pdconfig

The Tivoli Access Manager Setup Menu is displayed.


5. Type the menu number for Configure Package. The Tivoli Access Manager Configuration Menu is displayed, listing the installed Tivoli Access Manager packages.

6. Select the component that you want to configure, one at a time.

Depending on the component that you selected, you are prompted for configuration options. For assistance with these configuration options, see “UNIX native configuration options” on page 179.

7. When a message appears indicating that the package has been successfully configured, press Enter to configure another component or select the x option twice to close the configuration utility.

Installing the platform-specific JRE

A platform-specific JRE is required when installing the Tivoli Access Manager Java runtime component and language support packages. To install the prerequisite JRE package for AIX, enter the following command:

installp -c -a -g -X -d /dev/cd0 Java131.rte

To add the JRE to your PATH, enter the following:

export PATH=jre_path:$PATH

where jre_path is the directory that contains the JRE's java executable.

To check whether the JRE level on your system is supported, see the IBM Tivoli Access Manager Base Administrator’s Guide.

Installing and configuring the Tivoli Access Manager Java runtime environment

To install and configure the Tivoli Access Manager Java runtime environment, follow these steps:

1. Log in to the system as root.

2. Insert the IBM Tivoli Access Manager Base for AIX CD.

3. Install a supported platform-specific JRE. For instructions, see “Installing the platform-specific JRE”.

4. To install the Tivoli Access Manager Java runtime environment, enter the following:

installp -c -a -g -X -d /dev/cd0 PDJ.rte

5. To configure the Tivoli Access Manager Java runtime environment for use within the current JRE, change to the install_dir/sbin directory and then enter the following command:

pdjrtecfg -action config

Note: For more information about the pdjrtecfg command, see the IBM Tivoli Access Manager Command Reference.

Installing and configuring a Web Portal Manager system

Follow these steps to install and configure a Web Portal Manager system:

1. Install GSKit. See “Installing the IBM Global Security Toolkit” on page 43.

2. Install the IBM Directory client. See “Installing the IBM Directory client” on page 43.

3. Install the IBM WebSphere Application Server, Advanced Single Server 4.0. See “Installing IBM WebSphere Application Server, Advanced Single Server” on page 47.


4. Install IBM WebSphere Application Server FixPack 3. See “Installing IBM WebSphere Application Server FixPack 3” on page 47.

5. Install the Tivoli Access Manager Java runtime component. To do so, enter the following:

installp -c -a -g -X -d /dev/cd0 PDJ.rte

Note: Configuration of the Tivoli Access Manager Java runtime component is not required. In addition, manually installing a platform-specific JRE is not required. WebSphere installs a platform-specific JRE and configures the Tivoli Access Manager Java runtime environment for use within the current JRE.

6. Install and configure the Tivoli Access Manager runtime and the Web Portal Manager components. See “Installing and configuring Tivoli Access Manager components” on page 44.

Note: The Tivoli Access Manager runtime and Web Portal Manager components must be installed on the same system as the IBM WebSphere Application Server. In addition, if you install IBM WebSphere Application Server after installing the Tivoli Access Manager runtime, ensure that the GSKit version supported by Tivoli Access Manager is installed.

7. Before you start the Web Portal Manager interface, ensure that the WebSphere Application Server is running. To do so, run the startServer.sh script, located in the /usr/WebSphere/AppServer/bin directory.

Note: The configuration process automatically configures the IBM WebSphere Application Server for SSL communication over port 443.

8. SSL support is enabled automatically between your browser and the IBM HTTP Server through a default SSL key file and stash file. These files are provided for evaluation use only: the same default key database ships with every copy of the product, so it gives a browser no assurance of the server's identity. You must acquire your own certificate and replace the following files on your system:

/var/PolicyDirector/keytab/pdwpm.kdb
Specifies the key database file. The path of the file is specified in the httpd.conf file.

/var/PolicyDirector/keytab/pdwpm.sth
Specifies the file where the key database password is stored. Restrict read access to this file; anyone who can read it can open the key database.

9. If you installed an LDAP server that does not use IBM HTTP Server and you are installing Web Portal Manager on the same system, ensure that the Web server ports are different. To change the IBM HTTP Server default port, edit the /usr/HTTPServer/conf/httpd.conf file and change default port 80 to 8080 as shown:

# Port: The port the standalone listens to.
Port 8080

10. To access the Web Portal Manager interface, enter the following address in your Web browser:

https://hostname/pdadmin

where hostname is the name of the host running the IBM HTTP Server.

Note: For secure communications with the IBM HTTP Server, you must now use https instead of http.


A secure connection dialog is displayed, along with the Web Portal Manager welcome screen.
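Step 9 of the Web Portal Manager procedure leaves the port change to a hand edit of httpd.conf. The following script is an added example, not part of this guide or of the product, that makes the same change safely: it rewrites only the first uncommented Port directive, keeps a backup, rejects non-numeric or out-of-range values before touching the file, and restores the backup if the rewritten file does not read back with the requested port. The default httpd.conf path is the one this chapter uses; the HTTPD_CONF variable and the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the guide: move IBM HTTP Server off port 80 when
# another Web server on the same host already owns it (step 9 above).
# Only the default httpd.conf path is taken from the guide; the variable
# and function names are assumptions made for this example.
set -eu

HTTPD_CONF="${HTTPD_CONF:-/usr/HTTPServer/conf/httpd.conf}"

# httpd_port CONF : print the value of the first uncommented Port directive.
# A commented "# Port: ..." line has "#" as its first field and is skipped.
httpd_port() {
  awk '$1 == "Port" { print $2; exit }' "$1"
}

# set_httpd_port CONF NEWPORT : rewrite the active Port directive in place.
# Validates the port before touching the file; on a failed rewrite the
# backup is copied back so the server keeps a usable configuration.
set_httpd_port() {
  conf=$1
  port=$2
  case "$port" in
    ''|*[!0-9]*)
      echo "set_httpd_port: port must be numeric, got '$port'" >&2
      return 2 ;;
  esac
  if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
    echo "set_httpd_port: port $port is out of range" >&2
    return 2
  fi
  if [ -z "$(httpd_port "$conf")" ]; then
    echo "set_httpd_port: no active Port directive in $conf" >&2
    return 1
  fi
  cp -p "$conf" "$conf.bak"
  # change only the first uncommented Port line; print everything else as is
  awk -v p="$port" '!done && $1 == "Port" { $2 = p; done = 1 } { print }' \
    "$conf.bak" > "$conf"
  if [ "$(httpd_port "$conf")" != "$port" ]; then
    cp -p "$conf.bak" "$conf"
    echo "set_httpd_port: rewrite failed, $conf restored from backup" >&2
    return 1
  fi
  echo "$conf: Port set to $port (backup in $conf.bak)"
}

case "${1:-}" in
  "")   ;;                                    # no argument: only define functions
  show) httpd_port "$HTTPD_CONF" ;;
  *)    set_httpd_port "$HTTPD_CONF" "$1" ;;  # for example: sh set_httpd_port.sh 8080
esac
```

Run it as root on the Web Portal Manager system with the new port as its argument, then restart IBM HTTP Server so the change takes effect; the guide's own example is exactly this move from 80 to 8080. Because the awk filter matches on the first field, comment lines such as the "# Port:" header are left untouched, and a configuration that holds several Port directives has only its first active one changed, which is the one the server honours.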

Installing IBM WebSphere Application Server, Advanced Single Server

To install IBM WebSphere Application Server, Advanced Single Server 4.0, follow these steps:

1. Log in to the system as root.

2. Insert the IBM Tivoli Access Manager Web Portal Manager for AIX CD.

3. Change to the usr/sys/inst.images/WebSphere directory on the drive where the CD is located.

4. Do one of the following:

v To install IBM WebSphere Application Server using the GUI, enter the following:

./install.sh

v To use a response file, run the install.sh script as follows and then skip to “Installing IBM WebSphere Application Server FixPack 3”.

./install.sh -silent -responseFile ./install.script \
  -prereqfile ./prereq.properties

The WebSphere Application Server, Advanced Single Server Edition window is displayed. Click Next to continue.

Note: Ensure that you view the screen during the installation process in case you are prompted for instructions or an error occurs.

5. Select Typical installation (the default choice) and click Next.

6. Default paths are displayed for the WebSphere Application Server destination directory and IBM HTTP Server. If the system already has a supported version of IBM HTTP Server installed, this choice is not displayed. Write down these paths and select Next to accept the defaults.

Note: You are prompted for the following paths during the installation of the WebSphere Application Server FixPack 3. Default paths are as follows:

v WebSphere Application Server: /usr/WebSphere/AppServer

v IBM HTTP Server: /usr/HTTPServer

A dialog is displayed indicating your installation selections. Select Install to begin the installation process.

7. IBM WebSphere Application Server installs the IBM HTTP Server. You must install the following patch, located in the root directory on the IBM Tivoli Access Manager Web Portal Manager for AIX CD. To do so, enter the following:

http_1319_efix2.sh

8. To install the FixPack, see “Installing IBM WebSphere Application Server FixPack 3”.

Installing IBM WebSphere Application Server FixPack 3

To install IBM WebSphere Application Server FixPack 3, follow these steps:

1. Stop the WebSphere Application Server, HTTP Server, and the LDAP server (if installed on the same system).

2. Insert the IBM Tivoli Access Manager Web Portal Manager for AIX CD.

3. Change to the /usr/sys/inst.images/WebSphere_PTF3 directory on the drive where the CD is located and run the following script:


install.sh

4. Type the IBM WebSphere Application Server home directory and press Enter. For example, enter the following:

/usr/WebSphere/AppServer

5. Select Yes to use the Application Server.

6. Select Yes to perform the update of the JDK.

7. If you are using iPlanet Directory as your registry, select Yes to update the iPlanet web server configuration for support by WebSphere. Otherwise, select No.

8. Select Yes to update the IBM HTTP Server.

9. If using IBM HTTP Server, type the IBM HTTP Server home directory and press Enter. For example, enter the following:

/usr/HTTPServer

10. Select Yes to use the Application Server Logs directory.

11. Select Yes to place backups under the WebSphere Application Server home directory.

The upgrade begins. A prompt displays the message Upgrading IBM JDK. This upgrade installs the IBM Developer Kit for AIX in the WebSphere directory. There is no conflict if you already have the toolkit installed elsewhere on your system.

When the upgrade is complete, a prompt displays the message Installation completed with no errors. Please view the activity log for details. Press any key to continue.

12. Press any key to continue.

WebSphere Application Server, Advanced Single Server 4.0 and FixPack 3 are now installed.

13. Restart your system for changes to take effect.

Uninstalling Tivoli Access Manager

Before you begin

v Stop all Tivoli Access Manager services and applications before uninstalling components.

v Unconfigure Tivoli Access Manager applications, such as WebSEAL, before unconfiguring the Tivoli Access Manager policy server and runtime components.

v Unconfigure and remove the policy server system last.

Uninstalling Tivoli Access Manager is a two-part process. You must unconfigure components and then remove them, unless instructed to do otherwise, such as during the upgrade process.

This section includes the following main topics:

v “Unconfiguring Tivoli Access Manager components”

v “Removing Tivoli Access Manager packages” on page 49

Unconfiguring Tivoli Access Manager components

Before you remove Tivoli Access Manager packages, you must ensure that the component is unconfigured. To do so, follow these steps:

1. Log in to the system as root.


2. To start the configuration utility, enter the following:

pdconfig

The Access Manager for e-business Setup Menu is displayed.

3. To unconfigure a component, type the number of the menu item for the Tivoli Access Manager component. Repeat this procedure for each package that you want to unconfigure.

Notes:

v If a component is not configured, you can simply remove it. Skip to “Removing Tivoli Access Manager packages”.

v If you are unconfiguring a server, you are prompted for the distinguished name and password of the LDAP administrative user.

v Unconfiguring the policy server removes all configuration and authorization information from the secure domain. This includes information used by Tivoli Access Manager applications, such as WebSEAL. To proceed, enter y.

4. To unconfigure the Tivoli Access Manager Java runtime environment, use the pdjrtecfg command. For example, enter the following to unconfigure the JRE specified by the jre_path variable:

pdjrtecfg -action unconfig -java_home jre_path

Note: Ensure that you use the pdjrtecfg command for each configured JRE. For more information, see the IBM Tivoli Access Manager Command Reference.

Removing Tivoli Access Manager packages

To remove components from an AIX system, follow these steps:

1. Ensure that the components are unconfigured. Follow the instructions in “Unconfiguring Tivoli Access Manager components” on page 48.

2. To remove one or more packages and any dependent software, enter the following:

installp -u -g package

Note: Use the -g option only if you want dependent software for the specified package removed. Without -g, installp refuses to remove a fileset that other installed filesets still require; with it, removing a prerequisite such as PD.RTE also removes every installed fileset that depends on it.

where package is one of the following:

PD.AuthADK Indicates the Tivoli Access Manager Application Development Kit.

PD.Mgr Indicates the Tivoli Access Manager policy server.

PD.Acld Indicates the Tivoli Access Manager authorization server.

PD.RTE Indicates the Tivoli Access Manager runtime.

PDJ.rte Indicates the Tivoli Access Manager Java runtime environment.

PD.WPM Indicates the Tivoli Access Manager Web Portal Manager.

ldap.client Indicates the IBM Directory client.

ldap.max_crypto_client Indicates the highest level of encryption for the IBM Directory client.

gskkm.rte Indicates GSKit.
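The native installation and removal procedures in this chapter both come down to ordering: GSKit and the IBM Directory client before the runtime, the runtime before any server or ADK fileset, and removal in the reverse order once the components are unconfigured. The following script is an added example, not part of this guide or of the product, that drives installp in that order for one system role and reverses it for removal. The fileset names and installp flags are the ones listed in this chapter; the CD device default, the DRY_RUN switch, the role names (runtime, policy, authzn, adk) and the lslpp check are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the guide: install or remove the Tivoli Access
# Manager 4.1 filesets on AIX in prerequisite order with installp.
# Fileset names and installp flags are the ones the guide lists. The CD
# device default, DRY_RUN, the role names and the lslpp check are
# assumptions made for this example.
set -eu

CD_DEVICE="${CD_DEVICE:-/dev/cd0}"   # device or directory with the images
DRY_RUN="${DRY_RUN:-0}"              # 1: print commands instead of running

# run CMD ARGS... : execute a command, or only echo it when DRY_RUN=1
run() {
  if [ "$DRY_RUN" = 1 ]; then
    echo "+ $*"
  else
    "$@"
  fi
}

# is_installed FILESET : true when lslpp reports the fileset as installed
is_installed() {
  [ "$DRY_RUN" = 1 ] && return 1
  lslpp -L "$1" >/dev/null 2>&1
}

# filesets_for ROLE : prerequisite-ordered fileset list for a system role.
# GSKit and the IBM Directory client precede the runtime; the runtime
# precedes the server or ADK fileset that depends on it.
filesets_for() {
  base="gskkm.rte ldap.client ldap.max_crypto_client PD.RTE"
  case "$1" in
    runtime) echo "$base" ;;
    policy)  echo "$base PD.Mgr" ;;
    authzn)  echo "$base PD.Acld" ;;
    adk)     echo "$base PD.AuthADK" ;;
    *)       echo "filesets_for: unknown role '$1'" >&2; return 2 ;;
  esac
}

# reverse_words WORD... : print the arguments in reverse order
reverse_words() {
  out=""
  for w in "$@"; do out="$w${out:+ $out}"; done
  echo "$out"
}

# install_role ROLE : apply and commit each fileset once, in order. set -e
# stops the script on the first installp failure, so a later fileset is
# never installed on top of a broken prerequisite.
install_role() {
  list=$(filesets_for "$1") || return $?
  for f in $list; do
    if is_installed "$f"; then
      echo "skip: $f is already installed"
    else
      run installp -c -a -g -X -d "$CD_DEVICE" "$f"
    fi
  done
  echo "filesets for role '$1' installed; run pdconfig to configure them"
}

# remove_role ROLE : remove the filesets in reverse order, one at a time
# and without -g, so nothing outside the list is pulled out. Unconfigure
# with pdconfig (and pdjrtecfg for PDJ.rte) before calling this.
remove_role() {
  list=$(filesets_for "$1") || return $?
  for f in $(reverse_words $list); do
    run installp -u "$f"
  done
}

case "${1:-}" in
  install) install_role "${2:-}" ;;
  remove)  remove_role "${2:-}" ;;
  "")      ;;   # no action given: only the functions are defined
  *)       echo "usage: $0 install|remove runtime|policy|authzn|adk" >&2
           exit 2 ;;
esac
```

Run it as root, for example sh am_aix_filesets.sh install policy, after mounting the IBM Tivoli Access Manager Base for AIX CD. Setting DRY_RUN=1 prints the installp commands in the order they would run, which is a cheap way to review the sequence before touching a production system. The script deliberately does not call pdconfig: configure the components after installing and unconfigure them before removing, as the procedures above require, and note that removal without -g fails rather than silently taking dependent filesets with it.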


Chapter 4. Installing Tivoli Access Manager on HP-UX

This chapter provides information about installing and configuring Tivoli Access Manager components on HP-UX systems. Instructions are provided for both easy and native installation methods. The following main sections are included:

v “Using easy installation”

v “Using native installation” on page 52

v “Uninstalling Tivoli Access Manager” on page 55

Using easy installation

Before you begin

v Install all operating system patches and review system requirements listed in the IBM Tivoli Access Manager Release Notes.

v Ensure that you set up Tivoli Access Manager systems in the order listed in the “Installation process” on page 6.

v Become familiar with the configuration decisions that you need to make during easy installation. For descriptions of easy installation configuration options and step-by-step instructions with illustrations, see Chapter 9, “UNIX easy installation scenarios”, on page 99.

Use easy installation scripts to create a secure domain or add systems or components to an existing one. Easy installation makes it easy for you to install Tivoli Access Manager by automatically installing software prerequisites at the same time. For example, if you run ezinstall_pdmgr to set up a Tivoli Access Manager policy server system, the process installs the policy server component and any prerequisite software and patches. Easy installation also detects when required products are installed and does not attempt to reinstall them. For example, if you run ezinstall_pdacld on a system that is already set up using install_pdrte, it does not reinstall GSKit, the IBM Directory client, or the Tivoli Access Manager runtime.

An easy installation script begins by prompting you for configuration information. After you supply this information, the components are installed and configured without further intervention. If you ever need to install these components again, you can use the associated response file that is generated when you run an easy installation script. The response file automatically stores the configuration information that you entered so that you do not need to re-enter it. Because it records the values you entered, restrict access to the file. For more information, see Chapter 11, “Using easy installation response files”, on page 149.

Table 4 on page 52 lists easy installation scripts for the HP-UX platform. These scripts are located in the root directory on the IBM Tivoli Access Manager Base for HP-UX CD.


Table 4. Easy Installation Scripts for HP-UX

Script Name Description

ezinstall_pdacld Sets up an authorization server system with the following software packages:

v IBM Global Security Toolkit

v IBM Directory client

v Tivoli Access Manager runtime

v Tivoli Access Manager authorization server

ezinstall_pdauthadk Sets up a Tivoli Access Manager development system with the following software packages:

v IBM Global Security Toolkit

v IBM Directory client

v Tivoli Access Manager runtime

v Tivoli Access Manager Application Development Kit

ezinstall_pdmgr Sets up the Tivoli Access Manager policy server system with the following software packages:

v IBM Global Security Toolkit

v IBM Directory client

v Tivoli Access Manager runtime

v Tivoli Access Manager policy server

install_pdrte Sets up a Tivoli Access Manager runtime system with the following software packages:

v IBM Global Security Toolkit

v IBM Directory client

v Tivoli Access Manager runtime

Using native installation

Before you begin

v Install all operating system patches and review system requirements listed in the IBM Tivoli Access Manager Release Notes.

v Ensure that you follow instructions and set up Tivoli Access Manager systems in the order listed in the “Installation process” on page 6.

v Become familiar with the configuration decisions that you need to make during native installation. For descriptions of native configuration options, see “UNIX native configuration options” on page 179.

This section includes information about how to install and configure Tivoli Access Manager components using native operating system utilities. Unlike the automated scripts used in easy installation, you must manually install each component and any necessary patches in the appropriate order.

This section includes the following main topics:

v “Installing the IBM Global Security Toolkit” on page 53

v “Installing the IBM Directory client” on page 53

v “Installing and configuring Tivoli Access Manager components” on page 54

v “Installing the platform-specific JRE” on page 55


v “Installing and configuring the Tivoli Access Manager Java runtime environment” on page 55

Installing the IBM Global Security Toolkit

To install GSKit on an HP-UX system, follow these steps:

1. Log in to the system as root.

2. Insert the IBM Tivoli Access Manager Base for HP-UX CD.

3. Start pfs_mountd and then pfsd in the background, if they are not running. Mount the CD with the pfs_mount command. For example, enter the following:

/usr/sbin/pfs_mount /dev/dsk/c0t0d0 /cd-rom

where /dev/dsk/c0t0d0 is the CD device and /cd-rom is the mount point.

4. At the command prompt, enter the following:

swinstall -s /cd-rom/hp gsk5bas

where /cd-rom/hp is the directory.

5. Verify that SHLIB_PATH is set to either /usr/lib or /opt/ibm/gsk5/lib. If it is not set, enter the following:

export SHLIB_PATH=/usr/lib:$SHLIB_PATH

Entries in SHLIB_PATH are separated by colons. If the variable was not set at all, set it to /usr/lib alone so that the value does not end in an empty component, which some dynamic loaders treat as the current directory. When this variable is not set, the Tivoli Access Manager authorization service may not be able to access the GSKit libraries.

After you install GSKit, no configuration is necessary.

Note that SHLIB_PATH is only required to run the iKeyman key management utility (gsk5ikm), which is installed with the GSKit package. This enables you to create SSL key files, public-private key pairs, and certificate requests. For more information about gsk5ikm, see Appendix A, “Enabling Secure Sockets Layer”, on page 157 and the Secure Sockets Layer Introduction and iKeyman User’s Guide.

Installing the IBM Directory client

To install the IBM Directory client on an HP-UX system, follow these steps:

1. Ensure that you remove any previous LDAP client packages prior to installing this version.

2. Log in to the system as root.

3. Insert the IBM Tivoli Access Manager Base for HP-UX CD.

4. Start pfs_mountd and then pfsd in the background, if they are not running. Mount the CD with the pfs_mount command. For example, enter the following:

/usr/sbin/pfs_mount /dev/dsk/c0t0d0 /cd-rom

where /dev/dsk/c0t0d0 is the CD device and /cd-rom is the mount point.

5. At the command prompt, enter the following:

swinstall -s /cd-rom/hp LDAPClient

where /cd-rom/hp is the directory and LDAPClient is the name of the IBM Directory client package.

6. From the root directory on the IBM Tivoli Access Manager Base for HP-UX CD, enter the following to install the IBM Directory client patch:


apply_ldap41_patch.sh

After you install the IBM Directory client, no configuration is necessary.

Installing and configuring Tivoli Access Manager components

Before you begin

v Install all operating system patches and review system requirements listedin the IBM Tivoli Access Manager Release Notes. 

v Ensure that you set follow instructions and set up Tivoli Access Managersystems in the order listed in the “Installation process” on page 6. 

v Become familiar with the configuration decisions that you need to makeduring native installation. For descriptions of native configuration options,see “UNIX native configuration options” on page 179.

 To install Tivoli Access Manager on HP-UX, follow these steps:

1. Log in to the system as root.

2. Insert the IBM Tivoli Access Manager Base for HP-UX CD.

3. Start pfs_mountd and then pfsd in the background, if they are not running.Mount the CD with the pfs_mount command. For example, enter thefollowing:

/usr/sbin/pfs_mount /dev/dsk/c0t0d0 /cd-rom

where /dev/dsk/c0t0d0 is the CD device and /cd-rom is the mount point.

4. At the command prompt, enter the following:

swinstall -s /cd-rom/hp package

where /cd-rom/hp is the directory and package is one or more of the following:

PDRTE Indicates the Tivoli Access Manager runtime.

PDMgr Indicates the Tivoli Access Manager policy server.

PDAuthADK Indicates the Tivoli Access Manager Application Development Kit.

PDAcld Indicates the Tivoli Access Manager authorization server.

PDJrte Indicates the Tivoli Access Manager Java runtime environment. Ensure that you follow instructions in “Installing and configuring the Tivoli Access Manager Java runtime environment” on page 55. This component is only a part of the Java runtime environment installation procedure.

5. To start the configuration utility, enter the following command:

pdconfig

The Tivoli Access Manager Setup Menu is displayed.

6. Type the menu number for Configure Package. The Tivoli Access Manager Configuration Menu is displayed. The list of installed Tivoli Access Manager packages is displayed.

7. Select the component that you want to configure, one at a time.

Depending on the component that you selected, you are prompted for configuration options. For assistance with these configuration options, see “UNIX native configuration options” on page 179.


8. When a message appears indicating that the package has been successfully configured, press Enter to configure another component or select the x option twice to close the configuration utility.

Installing the platform-specific JRE

A platform-specific JRE is required when installing the Tivoli Access Manager Java runtime component and language support packages. To install the prerequisite JRE package for HP-UX, enter the following command:

swinstall -s /cd_drive/hp rte_13101os11.depot B9789AA

where /cd_drive is the CD mount point and /cd_drive/hp is the directory.

To set the PATH environment variable, enter the following:

PATH=java_path:$PATH

To check if the JRE level on your system is supported, see the IBM Tivoli Access Manager Release Notes.

Installing and configuring the Tivoli Access Manager Java runtime environment

To install and configure the Tivoli Access Manager Java runtime environment, follow these steps:

1. Log in to the system as root.

2. Insert the IBM Tivoli Access Manager Base for HP-UX CD.

3. Start pfs_mountd and then pfsd in the background, if they are not running. Mount the CD with the pfs_mount command.

4. Install a supported platform-specific JRE. For instructions, see “Installing the platform-specific JRE”.

5. To install the Tivoli Access Manager Java runtime environment, enter the following:

swinstall -s /cd-rom/hp PDJrte

6. To configure the Java runtime environment for use within the current JRE, change to the install_dir/sbin directory and then enter the following command:

pdjrtecfg -action config -java_home jre_path

Note: For more information about the pdjrtecfg command, see the IBM Tivoli Access Manager Command Reference.

Uninstalling Tivoli Access Manager

Before you begin

v Stop all Tivoli Access Manager services and applications before uninstalling components.

v Unconfigure Tivoli Access Manager applications, such as WebSEAL, before unconfiguring the Tivoli Access Manager policy server and runtime components.

v Unconfigure and remove the policy server system last.


Uninstalling Tivoli Access Manager is a two-part process. You must unconfigure components and then remove them, unless you are instructed to do otherwise, such as during the upgrade process.

This section includes the following topics:

v “Unconfiguring Tivoli Access Manager components”

v “Removing Tivoli Access Manager packages”

Unconfiguring Tivoli Access Manager components

Before you remove Tivoli Access Manager packages from a UNIX system, you must unconfigure components. To do so, follow these steps:

1. Log in to the system as root.

2. To start the configuration utility, enter the following command:

pdconfig

The Tivoli Access Manager Setup Menu is displayed.

3. Press 2 to display the Unconfiguration menu. Then type the number of the menu item for the Tivoli Access Manager component that you want to unconfigure. Repeat this procedure for each package that you want to unconfigure.

Notes:

v If a component is not configured you can simply remove it. Skip to “Removing Tivoli Access Manager packages”.

v If you are unconfiguring a server, a prompt is displayed requesting the distinguished name and password of the LDAP administrative user.

v Unconfiguring the policy server removes all configuration and authorization information from the secure domain. This includes information used by Tivoli Access Manager applications, such as WebSEAL. To proceed, enter y.

4. To unconfigure the Tivoli Access Manager Java runtime environment, use the pdjrtecfg command. For example, enter the following to unconfigure the JRE specified by the jre_path variable:

pdjrtecfg -action unconfig -java_home jre_path

Note: For more information about the pdjrtecfg command, see the IBM Tivoli Access Manager Command Reference.

Removing Tivoli Access Manager packages

To remove components from an HP-UX system, follow these steps:

1. Ensure that the components are unconfigured. Follow the instructions in “Unconfiguring Tivoli Access Manager components”.

2. To remove one or more packages, enter the following:

swremove package

where package is one or more of the following:

PDAuthADK Indicates the ADK.

PDMgr Indicates the Tivoli Access Manager policy server.

PDAcld Indicates the Tivoli Access Manager authorization server.

PDRTE Indicates the Tivoli Access Manager runtime.

PDJrte Indicates the Tivoli Access Manager Java runtime environment.


LDAPClient Indicates the IBM Directory client.

gsk5bas Indicates GSKit.

A prompt is displayed indicating the preremove script is being run. Each file is listed as it is removed.


Chapter 5. Installing Tivoli Access Manager on Linux

This chapter provides information about installing and configuring Tivoli Access Manager components on Red Hat Linux and Linux on zSeries systems. Instructions are provided for both easy and native installation methods. The following main sections are included:

v “Using easy installation (Red Hat Linux only)” 

v “Using native installation” on page 60

v “Uninstalling Tivoli Access Manager” on page 65

Table 5 lists supported Tivoli Access Manager components and installation methods.

Table 5. Supported Tivoli Access Manager components

Component                                        Red Hat Linux     Linux on zSeries
                                                 Easy    Native    Easy    Native
Tivoli Access Manager Application Development    U       U                 U
  Kit
Tivoli Access Manager authorization server                                 U
Tivoli Access Manager Java runtime environment           U
Tivoli Access Manager policy server                                        U
Tivoli Access Manager runtime                    U       U                 U

Using easy installation (Red Hat Linux only)

Before you begin

v Install all operating system patches and review system requirements listed in the IBM Tivoli Access Manager Release Notes.

v Ensure that you set up Tivoli Access Manager systems in the order listed in the “Installation process” on page 6.

v Become familiar with the configuration decisions that you need to make during easy installation. For descriptions of easy installation configuration options and step-by-step instructions with illustrations, see Chapter 9, “UNIX easy installation scenarios”, on page 99.

v Before running easy installation scripts, ensure that the ksh is installed, or create a soft link to the bash as shown:

ln -s /bin/bash /bin/ksh

v Before installing components, remove the nss_ldap-149.1 package or other conflicting LDAP packages, if installed.

Use easy installation scripts to create a secure domain or add systems or components to an existing one. Easy installation makes it easy for you to install Tivoli Access Manager by automatically installing software prerequisites at the same time. For example, you might run install_pdrte to set up a runtime environment and then run ezinstall_pdauthadk on a different system to install a separate authorization server. Or, you might run both scripts to install and configure these components on the same system. Easy installation also detects when required products are installed and does not attempt to reinstall them.

An easy installation script begins by prompting you for configuration information. After you supply this information, the components are installed and configured without further intervention. And if you ever need to install these components again, you can use the associated response file that is generated when you run an easy installation script. The response file automatically stores the configuration information that you entered so that you do not need to re-enter it. For more information, see Chapter 11, “Using easy installation response files”, on page 149.

Table 6 lists easy installation scripts for the Red Hat Linux platform. These scripts are located in the root directory on the IBM Tivoli Access Manager Base for Linux CD.

Table 6. Easy Installation Scripts for Red Hat Linux 

Script Name Description

ezinstall_pdauthadk Sets up a Tivoli Access Manager development system with the following software packages:

v IBM Global Security Toolkit

v IBM Directory client

v Tivoli Access Manager runtime

v Tivoli Access Manager Application Development Kit

install_pdrte Sets up a Tivoli Access Manager runtime system with the following software packages:

v IBM Global Security Toolkit

v IBM Directory client

v Tivoli Access Manager runtime

Using native installation

Before you begin

v Install all operating system patches and review system requirements listed in the IBM Tivoli Access Manager Release Notes.

v Ensure that you follow instructions and set up Tivoli Access Manager systems in the order listed in the “Installation process” on page 6.

v Become familiar with the configuration decisions that you need to make during native installation. For descriptions of native configuration options, see “UNIX native configuration options” on page 179.

This section includes information about how to install and configure Tivoli Access Manager components using native operating system utilities on Red Hat Linux and Linux on zSeries systems. Unlike the automated scripts used in easy installation, you must manually install each component and any necessary patches in the appropriate order.

This section includes the following main topics:

v “Installing the IBM Global Security Toolkit” on page 61

v “Installing the IBM Directory client” on page 61


v “Installing and configuring Tivoli Access Manager components” on page 62

v “Installing the platform-specific JRE” on page 64

v “Installing and configuring the Tivoli Access Manager Java runtime environment (Red Hat Linux only)” on page 64

Installing the IBM Global Security Toolkit

To install GSKit on a Linux system, follow these steps:

1. Log in to the system as root.

2. For SuSE SLES-7 31-bit systems only: Ensure that the compat-libstdc++ package is installed. This package, compat.rpm, provides legacy C++ support required by GSKit and is located on the SuSE SLES-7 developer CD 1 in the /suse/a1 directory.

Note: SuSE SLES-7 64-bit systems are shipped with the compat-libstdc++ package.

3. Insert the IBM Tivoli Access Manager Base for Linux or IBM Tivoli Access Manager Base for Linux on zSeries CD.

4. Change to one of the following directories:

v For Red Hat Linux systems, change to the /mnt/cdrom/linux directory where /mnt/cdrom is the mount point for your CD.

v For Linux on zSeries systems, obtain access to the Tivoli Access Manager Base for Linux on zSeries rpm files.

Note: Linux on zSeries does not support attachment of a CD drive at this time. To obtain the necessary files, do one of the following:

– Load the Tivoli Access Manager Base for Linux on zSeries rpm files onto another workstation. Then use ftp to transfer the files to a directory on this system.

– Mount the Tivoli Access Manager Base for Linux on zSeries CD on another workstation. Then use NFS to access it from this system.

5. To install GSKit in the default location, do the following:

v For Red Hat Linux, enter the following:

rpm -i gsk5bas-5.0.5.46.i386.rpm

v For Linux on zSeries, enter the following:

rpm -i gsk5bas-5.0.5.46.s390.rpm

Note: When upgrading GSKit, use the -U option. For example, enter the following:

rpm -U gsk5bas-5.0.5.46.s390.rpm

6. On Red Hat Linux or SuSE SLES-7 31-bit systems, ensure that you have set the LD_PRELOAD environment variable. To do so, enter the following command:

export LD_PRELOAD=/usr/lib/libstdc++-libc6.1-2.so.3

This is required before using GSKit and LDAP command line utilities.

After you install GSKit, no configuration is necessary. For more information about GSKit, see Appendix A, “Enabling Secure Sockets Layer”, on page 157 and the Secure Sockets Layer Introduction and iKeyman User’s Guide.

Installing the IBM Directory client

To install the IBM Directory client on a Linux system, follow these steps:


Note: Remove any existing version of the IBM Directory client before installing this version.

1. Log in to the system as root.

2. Remove the nss_ldap-149-1 package or other conflicting LDAP packages, if installed.

3. Insert the IBM Tivoli Access Manager Base for Linux or IBM Tivoli Access Manager Base for Linux on zSeries CD.

4. Change to one of the following directories:

a. For Red Hat Linux systems, change to the /mnt/cdrom/linux directory where /mnt/cdrom is the mount point for your CD.

b. For Linux on zSeries systems, obtain access to the Tivoli Access Manager Base for Linux on zSeries rpm files.

Note: Linux on zSeries does not support attachment of a CD drive at this time. To obtain the necessary files, do one of the following:

v Load the Tivoli Access Manager Base for Linux on zSeries rpm files onto another workstation. Then use ftp to transfer the files to a directory on this system.

v Mount the Tivoli Access Manager Base for Linux on zSeries CD on another workstation. Then use NFS to access it from this system.

5. To install the IBM Directory client in the default location, do the following:

a. For Red Hat Linux, enter the following:

rpm -i ldap-clientd-4.1-1.i386.rpm
rpm -i ldap-dmtjavad-4.1-1.i386.rpm

b. For Linux on zSeries, enter the following:

rpm -i ldap-clientd-4.1-1.s390.rpm

6. On Red Hat Linux or SuSE SLES-7 31-bit systems, ensure that you have set the LD_PRELOAD environment variable. To do so, enter the following command:

export LD_PRELOAD=/usr/lib/libstdc++-libc6.1-2.so.3

This is required before using GSKit and LDAP command line utilities, which use SSL.

After you install the IBM Directory client, no configuration is necessary.

Installing and configuring Tivoli Access Manager components

Before you begin

v Install all operating system patches and review system requirements listed in the IBM Tivoli Access Manager Release Notes.

v Ensure that you follow instructions and set up Tivoli Access Manager systems in the order listed in the “Installation process” on page 6.

v Become familiar with the configuration decisions that you need to make during native installation. For descriptions of native configuration options, see “UNIX native configuration options” on page 179.

To install Tivoli Access Manager components on Red Hat Linux or Linux on zSeries, follow these steps:

1. Log in to the system as root.


2. Insert the IBM Tivoli Access Manager Base for Linux or IBM Tivoli Access Manager Base for Linux on zSeries CD.

3. Change to one of the following directories:

a. For Red Hat Linux systems, change to the /mnt/cdrom/linux directory where /mnt/cdrom is the mount point for your CD.

b. For Linux on zSeries systems, obtain access to the Tivoli Access Manager Base for Linux on zSeries rpm files.

Note: Linux on zSeries does not support attachment of a CD drive at this time. To obtain the necessary files, do one of the following:

v Load the Tivoli Access Manager Base for Linux on zSeries rpm files onto another workstation. Then use ftp to transfer the files to a directory on this system.

v Mount the Tivoli Access Manager Base for Linux on zSeries CD on another workstation. Then use NFS to access it from this system.

4. To install components in the default location, enter one of the following:

v To install Tivoli Access Manager components:

rpm -i package

v To upgrade Tivoli Access Manager components:

rpm -U package

where package is one of the following:

v For Red Hat Linux:

PDRTE-PD-4.1.0-0.i386.rpm Indicates the Tivoli Access Manager runtime.

PDAuthADK-PD-4.1.0-0.i386.rpm Indicates the Tivoli Access Manager Application Development Kit.

PDJrte-PD-4.1.0-0.i386.rpm Indicates the Tivoli Access Manager Java runtime environment.

Ensure that you follow instructions in “Installing and configuring the Tivoli Access Manager Java runtime environment (Red Hat Linux only)” on page 64. This component is only a part of the Java runtime environment installation procedure.

v For Linux on zSeries:

PDRTE-PD-4.1.0-0.s390.rpm Indicates the Tivoli Access Manager runtime.

PDMgr-PD-4.1.0-0.s390.rpm Indicates the Tivoli Access Manager policy server.

PDAcld-PD-4.1.0-0.s390.rpm Indicates the Tivoli Access Manager authorization server.

PDAuthADK-PD-4.1.0-0.s390.rpm Indicates the Tivoli Access Manager Application Development Kit.

Note: During the upgrade process on Linux systems, you can ignore messages similar to the following:

The Access Manager Runtime is still configured.
Please unconfigre the runtime package before uninstalling.
Execution of PDRTE-PD-3.9.0-0 script failed, exit status 1

5. To start the configuration utility, enter the following command:

pdconfig

The Tivoli Access Manager Setup Menu is displayed.

6. Type the menu number for Configure Package. The Tivoli Access Manager Configuration Menu is displayed. The list of installed Tivoli Access Manager packages is displayed.

7. Select the component that you want to configure, one at a time.

Depending on the component that you selected, you are prompted for configuration options. For assistance with these configuration options, see “UNIX native configuration options” on page 179.

8. When a message appears indicating that the package has been successfully configured, press Enter to configure another component or select the x option twice to close the configuration utility.
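The native procedure above installs packages one rpm at a time and leaves it to the operator to remove conflicting LDAP packages first, pick only components that exist for the architecture, and keep the install order straight. The shell script below is an added example and is not code from the IBM guide: it takes the text of `rpm -qa` as input (a constructed sample is embedded), reports the nss_ldap conflict this chapter names, rejects components not shipped for the given architecture according to the package lists above, and prints the rpm -i or rpm -U commands in install order instead of running them. The 4.1.0-0 package file names are the ones listed above; the install order is the one the Solaris chapter of this guide states explicitly, with PDJrte placed last because it has its own procedure.

```shell
#!/bin/sh
# Added example, not part of the IBM guide: offline pre-flight checks and a
# dry-run command builder for the native (rpm) installation of Tivoli Access
# Manager 4.1 components on Linux. rpm is never executed; callers pass in the
# text of `rpm -qa` and get back the rpm commands to run, in install order.

# Components shipped for each architecture in this release, taken from the
# package lists in this chapter: PDJrte exists only for i386, PDMgr and
# PDAcld only for s390.
supported_components() {
    case "$1" in
        i386) echo "PDRTE PDAuthADK PDJrte" ;;
        s390) echo "PDRTE PDMgr PDAcld PDAuthADK" ;;
        *)    echo "unknown architecture: $1" >&2; return 2 ;;
    esac
}

# Install order: the runtime first, then everything configured on top of it.
# This is the order the Solaris chapter of this guide states; PDJrte is
# appended last because it has its own procedure.
INSTALL_ORDER="PDRTE PDMgr PDAuthADK PDAcld PDJrte"

# ldap_conflicts RPM_QA_TEXT
# Prints installed packages that conflict with the IBM Directory client
# (this chapter names nss_ldap). Returns 1 when any is present, so the caller
# stops before the client install fails or silently coexists with it.
ldap_conflicts() {
    found=$(printf '%s\n' "$1" | grep '^nss_ldap-' || true)
    [ -n "$found" ] || return 0
    printf '%s\n' "$found"
    return 1
}

# order_components ARCH COMP...
# Prints the requested components, one per line, in INSTALL_ORDER. Any
# component that is not shipped for ARCH is an error (status 2) rather than
# a silent omission.
order_components() {
    arch=$1; shift
    avail=$(supported_components "$arch") || return 2
    for c in "$@"; do
        case " $avail " in
            *" $c "*) ;;
            *) echo "$c is not available for $arch" >&2; return 2 ;;
        esac
    done
    for o in $INSTALL_ORDER; do
        for c in "$@"; do
            [ "$c" = "$o" ] && echo "$c"
        done
    done
    return 0
}

# rpm_commands MODE ARCH COMP...
# MODE is install (rpm -i) or upgrade (rpm -U). Prints one rpm command per
# component using the 4.1.0-0 package file names from this chapter.
rpm_commands() {
    mode=$1; arch=$2; shift 2
    case "$mode" in
        install) flag=-i ;;
        upgrade) flag=-U ;;
        *) echo "mode must be install or upgrade" >&2; return 2 ;;
    esac
    ordered=$(order_components "$arch" "$@") || return 2
    for c in $ordered; do
        echo "rpm $flag $c-PD-4.1.0-0.$arch.rpm"
    done
}

# Constructed sample of `rpm -qa` output from a host that still carries the
# conflicting nss_ldap package named in this chapter.
SAMPLE_RPM_QA='glibc-2.2.4-32
nss_ldap-149-1
gsk5bas-5.0.5.46'

# preflight_report: what an operator reviews before touching the host.
preflight_report() {
    if ldap_conflicts "$SAMPLE_RPM_QA" >/dev/null; then
        echo "no conflicting LDAP packages found"
    else
        echo "remove these before installing the IBM Directory client:"
        ldap_conflicts "$SAMPLE_RPM_QA" || true
    fi
    echo "planned commands (Red Hat, fresh install):"
    rpm_commands install i386 PDJrte PDAuthADK PDRTE
}

preflight_report
```

On a real host, replace SAMPLE_RPM_QA with `rpm -qa` output and feed the printed commands to a change ticket rather than piping them straight into a shell; the point of the dry run is that the order and the conflict check are reviewed before root runs anything.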

Installing the platform-specific JRE

A platform-specific JRE is required when installing the Tivoli Access Manager Java runtime component and language support packages. To install the prerequisite JRE package for Linux, enter one of the following:

v On Red Hat Linux:

1. To install the JRE, enter the following:

rpm -i IBMJava2-JRE-1.3-10.0.i386.rpm

2. To set the PATH environment variable, enter the following:

export PATH=jre_path:$PATH

v On Linux for zSeries:

1. Obtain the JRE from the IBM Tivoli Access Manager Language Support CD. You can also download IBM Java Runtime Environment, Version 1.3.1, from the IBM Java for Linux site at:

https://www6.software.ibm.com/dl/lxdk/lxdk-p

2. To install the JRE, enter the following:

rpm -i IBMJava2-JRE-1.3.1-2.0.s390.rpm

3. To ensure that the JRE is accessible through the PATH environment variable, enter the following:

export PATH=/opt/IBMJava2-s390-131/jre/bin:$PATH

To check if the JRE level on your system is supported, see the IBM Tivoli Access Manager Release Notes.

Installing and configuring the Tivoli Access Manager Java runtime environment (Red Hat Linux only)

To install the Tivoli Access Manager Java runtime environment on a Red Hat Linux system, follow these steps.

Note: This component is not supported for Linux on zSeries.

1. Log in to the system as root.

2. Insert the IBM Tivoli Access Manager Base for Linux CD.

3. Change to the directory /mnt/cdrom/linux where /mnt/cdrom is the mount point for your CD.


4. Install a supported platform-specific JRE. For instructions, see “Installing the platform-specific JRE” on page 64.

5. To install the Tivoli Access Manager Java runtime environment in the default location, enter the following:

rpm -i PDJrte-PD-4.1.0-0.i386.rpm

6. To configure the Tivoli Access Manager Java runtime environment for use within the current JRE, change to the /opt/PolicyDirector/sbin directory and then enter the following command:

./pdjrtecfg -action config -java_home jre_path

Note: For more information about the pdjrtecfg command, see the IBM Tivoli Access Manager Command Reference.
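Both the HP-UX and the Linux procedures put the JRE directory on PATH and then hand the same path to pdjrtecfg. The shell functions below are an added example, not part of the IBM guide: they check that jre_path actually contains an executable bin/java and that the directory is not world-writable before it is prepended to root's PATH, avoid duplicate PATH entries when a profile is sourced more than once, and build the pdjrtecfg command line without running it. /opt/PolicyDirector is the Linux install_dir given above; the JRE path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the IBM guide: checks a platform-specific JRE
# before it is placed on PATH and handed to pdjrtecfg, and builds the
# pdjrtecfg command line. Nothing is installed or configured by this script.

# jre_ok JRE_PATH
# The JRE is usable only if JRE_PATH/bin/java is executable. Because that
# directory is about to be prepended to root's PATH, it must not be writable
# by everyone: a world-writable PATH entry lets any local user place a
# program that root then runs by name.
jre_ok() {
    [ -x "$1/bin/java" ] || { echo "no executable java under $1/bin" >&2; return 1; }
    perms=$(ls -ld "$1/bin" | cut -c9)
    [ "$perms" != "w" ] || { echo "$1/bin is world-writable; refusing" >&2; return 1; }
    return 0
}

# path_prepend DIR CURRENT_PATH
# Prints CURRENT_PATH with DIR in front, unless DIR is already an entry, so
# repeated sourcing of a profile does not keep growing PATH.
path_prepend() {
    case ":$2:" in
        *":$1:"*) echo "$2" ;;
        *)        echo "$1:$2" ;;
    esac
}

# pdjrtecfg_cmd ACTION JRE_PATH [INSTALL_DIR]
# ACTION is config or unconfig. INSTALL_DIR defaults to /opt/PolicyDirector,
# the location this guide gives for Linux; pass the HP-UX install_dir when it
# differs. The command is printed, not executed.
pdjrtecfg_cmd() {
    case "$1" in
        config|unconfig) ;;
        *) echo "action must be config or unconfig, not $1" >&2; return 2 ;;
    esac
    jre_ok "$2" || return 1
    echo "${3:-/opt/PolicyDirector}/sbin/pdjrtecfg -action $1 -java_home $2"
}

# Typical use on the target host (JRE path is a placeholder, not a path
# from the guide):
#   JRE=/path/to/jre
#   if jre_ok "$JRE"; then
#       PATH=$(path_prepend "$JRE/bin" "$PATH"); export PATH
#       pdjrtecfg_cmd config "$JRE"     # review, then run the printed command
#   fi
```

The permission check is deliberately conservative: it only refuses a directory that is world-writable, which is the case that turns a PATH entry into a local privilege-escalation path; a directory owned by another unprivileged user is also worth questioning before root uses it.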

Uninstalling Tivoli Access Manager

Uninstalling Tivoli Access Manager is a two-part process. You must unconfigure components and then remove Tivoli Access Manager packages.

This section includes the following topics:

v “Unconfiguring Tivoli Access Manager components” 

v “Removing Tivoli Access Manager packages” on page 66

Unconfiguring Tivoli Access Manager components

Before you begin

v Stop all Tivoli Access Manager services and applications before uninstalling components.

v Unconfigure Tivoli Access Manager applications, such as WebSEAL, before unconfiguring the Tivoli Access Manager policy server and runtime components.

v Unconfigure and remove the policy server system last.

Before you remove Tivoli Access Manager packages from a Linux system, you must unconfigure components. To do so, follow these steps:

1. Log in to the system as root.

2. To start the configuration utility, enter the following command:

pdconfig

The Tivoli Access Manager Setup Menu is displayed.

3. Press 2 to display the Unconfiguration menu. Then type the number of the menu item for the Tivoli Access Manager component that you want to unconfigure. Repeat this procedure for each package that you want to unconfigure.

4. To unconfigure the Tivoli Access Manager Java runtime environment, use the pdjrtecfg command. For example, enter the following to unconfigure the JRE specified by the jre_path variable:

/opt/PolicyDirector/sbin/pdjrtecfg -action unconfig -java_home jre_path

Note: For more information about the pdjrtecfg command, see the IBM Tivoli Access Manager Command Reference.


Removing Tivoli Access Manager packages

To remove components from a Linux system, follow these steps:

1. Ensure that you have unconfigured components. Follow instructions in “Unconfiguring Tivoli Access Manager components” on page 65.

2. To remove one or more packages, enter the following:

rpm -e package

where package is one or more of the following:

v For Red Hat Linux:

PDAuthADK-PD Indicates the Tivoli Access Manager Application Development Kit.

PDRTE-PD Indicates the Tivoli Access Manager runtime.

ldap_clientd Indicates the IBM Directory client.

ldap_dmtjavad Indicates the Directory Management Tool (DMT).

gsk5bas-5.0.5.46 Indicates GSKit.

v For Linux on zSeries:

PDRTE-PD-4.1.1-0 Indicates the Tivoli Access Manager runtime.

PDAcld-PD-4.1.0-0 Indicates the Tivoli Access Manager authorization server.

PDMgr-PD-4.1.0-0 Indicates the Tivoli Access Manager policy server.

PDAuthADK-PD-4.1.0-0 Indicates the Tivoli Access Manager Application Development Kit.

ldap_clientd-4.1.0-0 Indicates the IBM Directory client.

gsk5bas-5.0.5.46 Indicates GSKit.
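The HP-UX and Linux uninstall sections above give the same three ordering rules: unconfigure before removing, applications before the policy server and runtime, and the policy server system last. The shell script below is an added example, not code from the IBM guide, that turns those rules into a reviewable plan from a constructed host inventory: for each host it prints the unconfigure step for every component (pdconfig is menu driven and appears as a manual step; pdjrtecfg is the one scriptable command), then the rpm -e or swremove command with the package names this chapter lists, and it always schedules the policy-server host last while flagging that step as the one that erases the secure domain. The within-host order, runtime last, is this example's assumption; the guide only requires applications before the policy server and runtime.

```shell
#!/bin/sh
# Added example, not part of the IBM guide: builds an ordered unconfigure and
# removal plan for a Tivoli Access Manager 4.1 secure domain from a host
# inventory, following the ordering rules in this chapter. Nothing is
# executed; the plan is printed so an operator can review it first.

# Inventory (constructed for this example), one host per line:
#   hostname platform component[,component...]
# platform is redhat (packages removed with rpm -e) or hpux (swremove).
# Component names are the package base names from this guide; WebSEAL stands
# for a Tivoli Access Manager application configured on top of the runtime.
INVENTORY='web1 redhat PDRTE,WebSEAL
acld1 hpux PDRTE,PDAcld,PDAuthADK
mgr1 hpux PDRTE,PDMgr,PDJrte'

# Order within one host: applications first, runtime last. The guide requires
# applications before the policy server and runtime; putting PDRTE after every
# other component is this example's assumption, since the others are
# configured on top of the runtime.
HOST_ORDER="WebSEAL PDJrte PDAuthADK PDAcld PDMgr PDRTE"

# unconfig_step COMP -> how the component is unconfigured. pdconfig is menu
# driven, so it is recorded as a manual step; only the Java runtime has a
# scriptable command. The policy-server step is flagged because, as this
# chapter states, it removes all configuration and authorization data from
# the secure domain.
unconfig_step() {
    case "$1" in
        PDJrte) echo "pdjrtecfg -action unconfig -java_home JRE_PATH" ;;
        PDMgr)  echo "pdconfig Unconfiguration menu -> PDMgr (IRREVERSIBLE: wipes the secure domain; confirm backups first)" ;;
        *)      echo "pdconfig Unconfiguration menu -> $1" ;;
    esac
}

# removal_step PLATFORM COMP -> the native package-removal command, using the
# package names this chapter lists for each platform. WebSEAL is not a
# package from this guide, so no removal command is produced for it.
removal_step() {
    case "$2" in
        WebSEAL) echo "(WebSEAL package removal is outside this guide)"; return 0 ;;
    esac
    case "$1" in
        redhat) echo "rpm -e $2-PD" ;;
        hpux)   echo "swremove $2" ;;
        *)      echo "unknown platform $1" >&2; return 2 ;;
    esac
}

# host_plan HOST PLATFORM COMPS -> unconfigure every component in HOST_ORDER,
# then remove the packages, because the guide makes this a two-part process.
host_plan() {
    host=$1; platform=$2; comps=$(printf '%s' "$3" | tr ',' ' ')
    for phase in unconfigure remove; do
        for c in $HOST_ORDER; do
            case " $comps " in
                *" $c "*)
                    if [ "$phase" = unconfigure ]; then
                        echo "$host: unconfigure $c: $(unconfig_step "$c")"
                    else
                        echo "$host: remove $c: $(removal_step "$platform" "$c")"
                    fi ;;
            esac
        done
    done
    return 0
}

# domain_plan INVENTORY -> plan for the whole domain. Hosts without the policy
# server are handled first; the policy-server host is always last, as the
# guide requires, so a mistake on another host is still recoverable.
domain_plan() {
    printf '%s\n' "$1" | while read -r host platform comps; do
        [ -n "$host" ] || continue
        case ",$comps," in
            *,PDMgr,*) ;;
            *) host_plan "$host" "$platform" "$comps" ;;
        esac
    done
    printf '%s\n' "$1" | while read -r host platform comps; do
        case ",$comps," in
            *,PDMgr,*) host_plan "$host" "$platform" "$comps" ;;
        esac
    done
}

domain_plan "$INVENTORY"
```

The plan is meant to be read by the person holding the LDAP administrator credentials that pdconfig prompts for during server unconfiguration; the policy-server line is the one to treat as a change-control gate, since nothing after it can be undone without rebuilding the domain.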


Chapter 6. Installing Tivoli Access Manager on Solaris

This chapter provides information about installing and configuring Tivoli Access Manager components on Solaris systems. Instructions are provided for both easy and native installation methods. The following main sections are included:

v “Using easy installation” 

v “Using native installation” on page 69

v “Uninstalling Tivoli Access Manager” on page 75

Using easy installation

Before you begin

v Install all operating system patches and review system requirements listed in the IBM Tivoli Access Manager Release Notes.

v Ensure that you follow instructions and set up Tivoli Access Manager systems in the order listed in the “Installation process” on page 6.

v Become familiar with the configuration decisions that you need to make during easy installation. For descriptions of easy installation configuration options and step-by-step instructions with illustrations, see Chapter 9, “UNIX easy installation scenarios”, on page 99.

Use easy installation scripts to create a secure domain or add systems or components to an existing one. Easy installation makes it easy for you to install Tivoli Access Manager by automatically installing software prerequisites at the same time. For example, if you run ezinstall_ldap_server to install and configure IBM Directory server as your Tivoli Access Manager registry, this script installs the LDAP server and any prerequisite software and patches. Easy installation also detects when required products are installed and does not attempt to reinstall them. For example, if you run ezinstall_pdmgr to set up the policy server on the same system where you ran ezinstall_ldap_server, it does not reinstall GSKit and the IBM Directory client.

An easy installation script begins by prompting you for configuration information. After you supply this information, the components are installed and configured without further intervention. And if you ever need to install these components again, you can use the associated response file that is generated when you run an easy installation script. The response file automatically stores the configuration information that you entered so that you do not need to re-enter it. For more information, see Chapter 11, “Using easy installation response files”, on page 149.

Table 7 on page 68 lists easy installation scripts for the Solaris platform. All programs are located in the root directory on the IBM Tivoli Access Manager Base for Solaris CD except for ezinstall_pdwpm, which is located in the root directory on the IBM Tivoli Access Manager Web Portal Manager for Solaris CD.


Table 7. Easy Installation Scripts for Solaris 

Script Name Description

ezinstall_ldap_server Sets up an IBM Directory server system with the following software packages:

v IBM DB2

v IBM Global Security Toolkit

v IBM HTTP Server

v IBM Directory client

v IBM Directory server

Note: If an existing version of IBM Directory server exists, remove it before running this script.

ezinstall_pdacld Sets up an authorization server system with the following software packages:

v IBM Global Security Toolkit

v IBM Directory client

v Tivoli Access Manager runtime

v Tivoli Access Manager authorization server

ezinstall_pdauthadk Sets up a Tivoli Access Manager development system with the following software packages:

v IBM Global Security Toolkit

v IBM Directory client

v Tivoli Access Manager runtime

v Tivoli Access Manager Application Development Kit

ezinstall_pdmgr Sets up the Tivoli Access Manager policy server system with the following software packages:

v IBM Global Security Toolkit

v IBM Directory client

v Tivoli Access Manager runtime

v Tivoli Access Manager policy server

ezinstall_pdwpm Sets up a Web Portal Manager system with the following software packages:

v IBM Global Security Toolkit

v IBM Directory client

v Tivoli Access Manager runtime

v IBM WebSphere Application Server Single Server and FixPack 3

v Tivoli Access Manager Web Portal Manager

v Tivoli Access Manager Java runtime environment

install_pdrte Sets up a Tivoli Access Manager runtime system with the following software packages:

v IBM Global Security Toolkit

v IBM Directory client

v Tivoli Access Manager runtime


Using native installation

Before you begin

v Install all operating system patches and review system requirements listed in the IBM Tivoli Access Manager Release Notes.

v Ensure that you set up Tivoli Access Manager systems in the order listed in the “Installation process” on page 6.

v Become familiar with the configuration decisions that you need to make during native installation. For descriptions of native configuration options, see “UNIX native configuration options” on page 179.

This section includes information about how to install and configure Tivoli Access Manager components using native operating system utilities. Unlike the automated scripts used in easy installation, you must manually install each component and any prerequisite software in the appropriate order.

This section includes the following topics:

v “Installing the IBM Global Security Toolkit”

v “Installing the IBM Directory client”

v “Installing and configuring Tivoli Access Manager components” on page 70

v “Installing the platform-specific JRE” on page 71

v “Installing and configuring Tivoli Access Manager Java runtime environment” on page 71

v “Installing and configuring a Web Portal Manager system” on page 72

Installing the IBM Global Security Toolkit

To install GSKit on a Solaris system, follow these steps:

1. Log in to the system as root.

2. Insert the IBM Tivoli Access Manager Base for Solaris CD.

3. Change to the /cdrom/cdrom0/solaris directory.

4. To install the required GSKit file, enter the following:

pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault gsk5bas

After you install GSKit, no configuration is necessary.

Note that the iKeyman key management utility (gsk5ikm) is installed with the GSKit package. This enables you to create SSL key files, public-private key pairs, and certificate requests. For more information about gsk5ikm, see Appendix A, “Enabling Secure Sockets Layer”, on page 157 and the Secure Sockets Layer Introduction and iKeyman User’s Guide.

Installing the IBM Directory client

To install the IBM Directory client on a Solaris system, follow these steps:

1. Log in to the system as root.

2. Insert the IBM Tivoli Access Manager Base for Solaris CD.

3. Change to the /cdrom/cdrom0/solaris directory.

4. To install the IBM Directory client, enter the following:

pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault IBMldapc


5. During installation, you are asked if you want to use /opt as the base directory. If space permits, use /opt as the base installation directory. To accept /opt as the base directory, press Enter.

After you install the IBM Directory client, no configuration is necessary.

Installing and configuring Tivoli Access Manager components

Before you begin

v Install all operating system patches and review system requirements listed in the IBM Tivoli Access Manager Release Notes.

v Ensure that you set up Tivoli Access Manager systems in the order listed in the “Installation process” on page 6.

v Become familiar with the configuration decisions that you need to make during native installation. For descriptions of native configuration options, see “UNIX native configuration options” on page 179.

 To install Tivoli Access Manager components, follow these steps:

1. Log in to the system as root.

2. If you are not installing Tivoli Access Manager from a remote file system, do one of the following:

v Insert the IBM Tivoli Access Manager Base for Solaris CD.

v For the Web Portal Manager component only, insert the IBM Tivoli Access Manager Web Portal Manager for Solaris CD.

3. To install Tivoli Access Manager packages, enter the following command:

pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault package

where -d /cdrom/cdrom0/solaris specifies the location of the package and -a /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script.

Installable packages are as follows. You must install one or more of these packages in the following order:

PDRTE Indicates the Tivoli Access Manager runtime.

PDMgr Indicates the Tivoli Access Manager policy server.

PDAuthADK Indicates the Tivoli Access Manager Application Development Kit.

PDAcld Indicates the Tivoli Access Manager authorization server.

PDWPM Indicates the Tivoli Access Manager Web Portal Manager.

Ensure that you follow instructions in “Installing and configuring a Web Portal Manager system” on page 72. This component is only a part of the Web Portal Manager installation procedure.

PDJrte Indicates the Tivoli Access Manager Java runtime environment. Ensure that you follow instructions in “Installing and configuring Tivoli Access Manager Java runtime environment” on page 71. This component is only a part of the Java runtime environment installation procedure.


When the installation process is complete for each package, the following message is displayed:

Installation of package successful.

4. To start the configuration utility, enter the following command:

pdconfig

The Access Manager for e-business Setup Menu is displayed.

5. Type the menu number for Configure Package. The Tivoli Access Manager Configuration Menu is displayed. The list of installed Tivoli Access Manager packages is displayed.

6. Select the component that you want to configure, one at a time.

Depending on the component that you selected, you are prompted for configuration options. For assistance with these configuration options, see “UNIX native configuration options” on page 179.

Note: You are not prompted for an installation directory. The default directory is /opt.

7. When a message appears indicating that the package has been successfully configured, press Enter to configure another component or select the x option twice to close the configuration utility.

Installing the platform-specific JRE

A platform-specific JRE is required when installing the Tivoli Access Manager Java runtime component and language support packages. To install the prerequisite JRE package for Solaris, enter the following command:

pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault SUNWj3rt

where /cdrom/cdrom0/solaris is the directory where the JRE package is located.

To set the environmental variable path, enter the following:

PATH=jre_path:$PATH
export PATH

To check if the JRE level on your system is supported, see the IBM Tivoli Access Manager for e-business Release Notes.

Installing and configuring Tivoli Access Manager Java runtime environment

To install and configure the Tivoli Access Manager Java runtime environment, follow these steps:

1. Log in to the system as root.

2. Insert the IBM Tivoli Access Manager Base for Solaris CD.

3. Install a supported platform-specific JRE. For instructions, see “Installing the platform-specific JRE”.

4. To install the Tivoli Access Manager Java runtime environment, enter the following command:

pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault PDJrte

where -d /cdrom/cdrom0/solaris specifies the location of the package and -a /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script.


5. To configure the Java runtime environment for use within the current JRE, change to the install_dir/sbin directory and then enter the following command:

pdjrtecfg -action config -java_home jre_path

Note: For more information about the pdjrtecfg command, see the IBM Tivoli Access Manager Command Reference.

Installing and configuring a Web Portal Manager system

Follow these steps to install and configure a Web Portal Manager system:

1. Install GSKit. See “Installing the IBM Global Security Toolkit” on page 69. 

2. Install the IBM Directory client. See “Installing the IBM Directory client” on page 69.

3. Install the IBM WebSphere Application Server, Advanced Single Server 4.0. See “Installing IBM WebSphere Application Server, Advanced Single Server” on page 73.

4. Install IBM WebSphere Application Server, FixPack 3. See “Installing IBM WebSphere Application Server FixPack 3” on page 74. 

5. Install the Tivoli Access Manager Java runtime component. To do so, enter the following:

pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault PDJrte

where -d /cdrom/cdrom0/solaris specifies the location of the package and -a /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script.

Note: Configuration of the Tivoli Access Manager Java runtime component is not required. In addition, manually installing a platform-specific JRE is not required. WebSphere installs a platform-specific JRE and configures the Tivoli Access Manager Java runtime environment for use within the current JRE.

6. Install and configure the Tivoli Access Manager runtime and Web Portal Manager components. See “Installing and configuring Tivoli Access Manager components” on page 70.

Note: The Tivoli Access Manager runtime and Web Portal Manager components must be installed on the same system as the IBM WebSphere Application Server. In addition, if you install IBM WebSphere Application Server after installing the Tivoli Access Manager runtime, ensure that the GSKit version supported by Tivoli Access Manager is installed.

7. Before you start the Web Portal Manager interface, ensure that the WebSphere Application Server is running. To do so, run the startServer.sh script, located in the /opt/WebSphere/AppServer/bin directory.

Note: The configuration process automatically configures the IBM WebSphere Application Server for SSL communication over port 443.

8. SSL support is enabled automatically between your browser and the IBM HTTP Server through a default SSL key file and stash file. These files are provided for evaluation use only. You must acquire your own certificate and replace the following files on your system:


/var/PolicyDirector/keytab/pdwpm.kdb Specifies the key database file. The path of the file is specified in the httpd.conf file.

/var/PolicyDirector/keytab/pdwpm.sth Specifies the file where the key database password is stored.

9. If you installed an LDAP server that does not use IBM HTTP Server and you are installing Web Portal Manager on the same system, ensure that the Web server ports are different. To change the IBM HTTP Server default port, edit the /usr/HTTPServer/conf/httpd.conf file and change default port 80 to 8080 as shown:

# Port: The port the standalone listens to.
Port 8080

10. To start the Web Portal Manager, enter the following address in your Web browser:

https://hostname/pdadmin

where hostname is the name of the host running the IBM HTTP Server.

Note: For secure communications with the IBM HTTP Server, you must now use https instead of http.

A secure connection dialog is displayed, along with the Web Portal Manager welcome screen.
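The port-conflict check from step 9 above, written as an added shell example that is not part of the IBM guide: the httpd.conf contents and paths below are constructed stand-ins for /usr/HTTPServer/conf/httpd.conf and the LDAP server's own Web server configuration, and the functions replace the hand edit the step describes.

```shell
#!/bin/sh
# Added example, not from the IBM guide: move the IBM HTTP Server listen port
# in httpd.conf and verify it no longer collides with the Web server that an
# LDAP server on the same host uses. All paths and file contents are constructed.

# Print the effective Port directive of an httpd.conf. The comment line
# "# Port: The port the standalone listens to." is ignored because its first
# field is "#", not "Port"; if several Port lines exist, the last one wins.
httpd_port() {
    awk '$1 == "Port" { port = $2 } END { print port }' "$1"
}

# Rewrite the active Port directive. POSIX sed has no -i, so write to a
# temporary file and move it into place; the comment line is left untouched.
set_httpd_port() {
    conf=$1
    port=$2
    tmp="$conf.$$"
    sed "s/^Port[[:space:]][[:space:]]*[0-9][0-9]*/Port $port/" "$conf" > "$tmp" \
        && mv "$tmp" "$conf"
}

# Succeed (exit 0) only when the two configurations listen on different ports.
ports_differ() {
    [ "$(httpd_port "$1")" != "$(httpd_port "$2")" ]
}

# Constructed sample configurations: both servers start on the default port 80.
DEMO_DIR=$(mktemp -d)
IHS_CONF="$DEMO_DIR/httpd.conf"
LDAP_WEB_CONF="$DEMO_DIR/ldap-httpd.conf"
printf '%s\n' '# Port: The port the standalone listens to.' 'Port 80' > "$IHS_CONF"
printf '%s\n' 'Port 80' > "$LDAP_WEB_CONF"

# Resolve the conflict the way the guide describes: IBM HTTP Server goes to 8080.
# Calling this again on an already-fixed system reports "no conflict" and
# leaves the file alone.
fix_port_conflict() {
    if ports_differ "$IHS_CONF" "$LDAP_WEB_CONF"; then
        echo "no conflict: IBM HTTP Server on port $(httpd_port "$IHS_CONF")"
    else
        set_httpd_port "$IHS_CONF" 8080
        echo "moved IBM HTTP Server to port $(httpd_port "$IHS_CONF")"
    fi
}

fix_port_conflict
```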

Installing IBM WebSphere Application Server, Advanced Single Server

To install IBM WebSphere Application Server, follow these steps:

1. Log in to the system as root.

2. Insert the IBM Tivoli Access Manager Web Portal Manager for Solaris CD.

3. Change to the /solaris/WebSphere directory on the drive where the CD is located.

4. Do one of the following:

v To install IBM WebSphere Application Server using the GUI, enter the following:

./install.sh

v To use a response file, run the install.sh script as follows and then skip to“Installing IBM WebSphere Application Server FixPack 3” on page 74. 

./install.sh -silent -responseFile ./install.script \
    -prereqfile ./prereq.properties

The WebSphere Application Server, Advanced Single Server Edition v4.0 window is displayed. Click Next to continue.

Note: Ensure that you view the screen in case you are prompted for instructions or an error occurs.

5. Select Typical installation (the default choice) and click Next.

6. Default paths are displayed for the WebSphere Application Server destination directory and IBM HTTP Server. If the system already has the IBM HTTP Server installed on it, this choice is not displayed. Write down these paths and select Next to accept the defaults.

Note: You are prompted for the following paths during the installation of the WebSphere Application Server FixPack. Default paths are as follows:


v WebSphere Application Server: /opt/WebSphere/AppServer

v IBM HTTP Server: /opt/IBMHTTPD

 A dialog is displayed indicating your installation selections. Select Install to begin the installation process.

7. IBM WebSphere Application Server installs the IBM HTTP Server. You must install the following patch, located in the root directory on the IBM Tivoli Access Manager Web Portal Manager for Solaris CD. To do so, enter the following:

http_1319_efix2.sh

8. To install the FixPack, see “Installing IBM WebSphere Application Server FixPack 3”.

Installing IBM WebSphere Application Server FixPack 3

To install IBM WebSphere Application Server FixPack 3, follow these steps:

1. Stop the WebSphere Application Server, HTTP Server, and the LDAP server (if installed on the same system).

2. Insert the IBM Tivoli Access Manager Web Portal Manager for Solaris CD.

3. Change to the /usr/sys/inst.images/solaris/WebSphere_PTF3 directory and run the following script:

install.sh

4. Type the IBM WebSphere Application Server home directory and press Enter. For example, enter the following:

/opt/WebSphere/AppServer

5. Select Yes to use the Application Server.

6. Select Yes to perform the update of the JDK.

7. If you are using iPlanet Directory as your registry, select Yes to update iPlanet web server configuration for support by WebSphere. Otherwise, select No.

8. Select Yes to update the IBM HTTP Server.

9. If using IBM HTTP Server, type the IBM HTTP Server home directory and press Enter. For example, enter the following:

/opt/IBMHTTP

10. Select Yes to use the Application Server Logs directory.

11. Select Yes to place backups under the WebSphere Application Server home directory.

The upgrade begins. A prompt displays the message Upgrading IBM JDK. This upgrade installs the IBM Developer Kit for Solaris in the WebSphere directory. There is not a conflict if you already have the toolkit installed elsewhere on your system.

When the upgrade is complete, a prompt displays the message Installation completed with no errors. Please view the activity log for details. Press any key to continue.

12. Press any key to continue.

WebSphere Application Server Single Server 4.0 and FixPack 3 are now installed.

13. Restart your system for changes to take effect.


Uninstalling Tivoli Access Manager

Before you begin

v Stop all Tivoli Access Manager services and applications before uninstalling components.

v Unconfigure Tivoli Access Manager applications, such as WebSEAL, before unconfiguring the Tivoli Access Manager policy server and runtime components.

v Unconfigure and remove the policy server system last.

Uninstalling Tivoli Access Manager is a two-part process. You must unconfigure components and then remove them, unless you are instructed to do otherwise, such as during the upgrade process.

This section includes the following topics:

v “Unconfiguring Tivoli Access Manager components” 

v “Removing Tivoli Access Manager packages” on page 76

Unconfiguring Tivoli Access Manager components

Before you remove Tivoli Access Manager packages from a UNIX system, you must unconfigure components. To do so, follow these steps:

1. Log in to the system as root.

2. Change to the following directory:

cd /opt/PolicyDirector/bin

3. To start the configuration utility, enter the following command:

pdconfig

The Tivoli Access Manager Setup Menu is displayed.

4. Type the number of the menu item for the Tivoli Access Manager component that you want to unconfigure. You must unconfigure components in the reverse order that you configured them. For example, unconfigure components in the following order:

PDRTE Indicates the Tivoli Access Manager runtime.

PDWPM Indicates the Tivoli Access Manager Web Portal Manager.

PDAcld Indicates the Tivoli Access Manager authorization server.

PDAuthADK Indicates the Tivoli Access Manager Application Development Kit.

PDMgr Indicates the Tivoli Access Manager policy server.

5. Repeat this procedure for each package that you want to unconfigure.

Notes:

v If a component is not configured, you can simply remove it. Skip to “Removing Tivoli Access Manager packages” on page 76.

v If you are unconfiguring a server, a prompt is displayed requesting the distinguished name and password of the LDAP administrative user.

v Unconfiguring the policy server removes all configuration and authorization information from the secure domain. This includes information used by Tivoli Access Manager applications, such as WebSEAL. To proceed, enter y.


6. To unconfigure the Tivoli Access Manager Java runtime environment, use the pdjrtecfg command. For example, enter the following to unconfigure the JRE specified by the jre_path variable:

pdjrtecfg -action unconfig -java_home jre_path

Note: For more information about the pdjrtecfg command, see the IBM Tivoli Access Manager Command Reference.

Removing Tivoli Access Manager packages

To remove components from a Solaris system, follow these steps:

1. Ensure that the components are unconfigured. To unconfigure components, follow the instructions in “Unconfiguring Tivoli Access Manager components” on page 75.

2. To remove one or more packages, enter the following:

pkgrm package

where package is one or more of the following:

PDAuthADK Indicates the ADK.

PDMgr Indicates the policy server.

PDAcld Indicates the authorization server.

PDRTE Indicates the Tivoli Access Manager runtime.

PDJrte Indicates the Tivoli Access Manager Java runtime environment.

PDWPM Indicates the Web Portal Manager.

IBMldapc Indicates the IBM Directory client.

gsk5bas Indicates GSKit.

3. When prompted to confirm the removal of these components, enter y.

A prompt is displayed indicating the preremove script is being run. Each file islisted as it is removed.


Chapter 7. Installing Tivoli Access Manager on Windows

This chapter provides information about installing and configuring Tivoli Access Manager components on Windows systems. Instructions are provided for both easy and native installation methods. It includes the following main sections:

v “Using easy installation” 

v “Using native installation” on page 79

v “Uninstalling Tivoli Access Manager” on page 87

Using easy installation

Before you begin

v Install all operating system patches and review system requirements listed in the IBM Tivoli Access Manager Release Notes.

v Ensure that you set up Tivoli Access Manager systems in the order listed in the “Installation process” on page 6.

v Become familiar with the configuration decisions that you need to make during easy installation. For descriptions of easy installation configuration options and step-by-step instructions with illustrations, see Chapter 10, “Windows easy installation scenarios”, on page 123.

Use easy installation batch files to create a secure domain or add systems or components to an existing one. Easy installation makes it easy for you to install Tivoli Access Manager by automatically installing software prerequisites at the same time. For example, if you run ezinstall_ldap_server.bat to install and configure IBM Directory server as your Tivoli Access Manager registry, the process installs the LDAP server and any prerequisite software and patches. This process also detects when required products are installed and does not attempt to reinstall them. For example, if you run ezinstall_pdmgr.bat to set up the policy server on the same system where you ran ezinstall_ldap_server.bat, it does not reinstall GSKit and the IBM Directory client.

An easy installation file begins by prompting you for configuration information. After you supply this information, the components are installed and configured without further intervention. And if you ever need to install these components again, you can use the associated response file that is generated when you run an easy installation script. The response file automatically stores the configuration information that you entered so that you do not need to re-enter it. For more information, see Chapter 11, “Using easy installation response files”, on page 149.

Keep in mind that you must intermittently restart your system throughout the easy installation process on Windows systems. During the installation process you might also receive notification that some services did not start. No action is necessary. Continue with the installation process.

Table 8 on page 78 lists easy installation scripts for the Windows platform. All easy installation files are located in the root directory on the IBM Tivoli Access Manager Base for Windows CD except for the ezinstall_pdwpm.bat file, which is located in the root directory on the IBM Tivoli Access Manager Web Portal Manager for Windows CD.


Table 8. Easy Installation Programs for Windows

Script Name / Description

ezinstall_ldap_server.bat
Sets up an IBM Directory Server system with the following software packages:

v IBM DB2

v IBM Global Security Toolkit

v IBM HTTP Server

v IBM Directory Server, which includes the IBM Directory Client

Note: If an existing version of IBM Directory server exists, remove it before running this program.

ezinstall_pdacld.bat
Sets up an authorization server system with the following software packages:

v IBM Global Security Toolkit

v IBM Directory client

v Access Manager Runtime

v Access Manager Authorization Server

ezinstall_pdauthadk.bat
Sets up a Tivoli Access Manager development system with the following software packages:

v IBM Global Security Toolkit

v IBM Directory client

v Access Manager Runtime

v Access Manager Application Developer Kit

ezinstall_pdmgr.bat
Sets up the Tivoli Access Manager policy server system with the following software packages:

v IBM Global Security Toolkit

v IBM Directory client

v Access Manager Runtime

v Access Manager Policy Server

ezinstall_pdwpm.bat
Sets up a Web Portal Manager system with the following software packages:

v IBM Global Security Toolkit

v IBM Directory client

v Access Manager Runtime

v IBM WebSphere Application Server Single Server and FixPack 3

v Tivoli Access Manager Web Portal Manager

v Access Manager Java runtime

install_pdrte.exe
Sets up a Tivoli Access Manager runtime system with the following software packages:

v IBM Global Security Toolkit

v IBM Directory client

v Access Manager Runtime


Using native installation

Before you begin

v Install all operating system patches and review system requirements listed in the IBM Tivoli Access Manager Release Notes.

v Ensure that you follow instructions and set up Tivoli Access Manager systems in the order listed in the “Installation process” on page 6.

v Become familiar with the configuration decisions that you need to make during native installation. For descriptions of native configuration options, see “Windows native configuration options” on page 181.

This section includes information about how to install and configure Tivoli Access Manager components using native operating system utilities. Unlike the automated scripts used in easy installation, you must manually install each component and any necessary patches.

This section includes the following main topics:

v “Installing the IBM Global Security Toolkit”

v “Installing the IBM Directory client” on page 80

v “Installing and configuring Tivoli Access Manager components” on page 81

v “Installing the platform-specific JRE” on page 82

v “Installing and configuring the Tivoli Access Manager Java runtime environment” on page 83

v “Installing and configuring a Web Portal Manager system” on page 83

Installing the IBM Global Security Toolkit

To install GSKit on a Windows system, follow these steps:

1. Log in to the system as a user with administrator privileges.

2. Insert the IBM Tivoli Access Manager Base for Windows CD.

3. From a command prompt, change to the windows\gskit directory on the drive where the CD is located and enter the following:

setup.exe PolicyDirector

The Welcome dialog is displayed.

4. Click Next. The Choose Destination Location dialog is displayed.

5. Accept the default destination directory or click Browse to select a path to another directory on the local system. If the directory does not exist, you must confirm that you want the directory created or specify a directory that exists.

6. Click Next to install GSKit. The Setup Complete dialog is displayed.

7. Click Finish to exit the installation program.

8. Restart your system.

After you install GSKit, no configuration is necessary.

Note that the iKeyman key management utility (gsk5ikm) is installed with the GSKit package. This enables you to create SSL key files, public-private key pairs, and certificate requests. For more information about gsk5ikm, see Appendix A, “Enabling Secure Sockets Layer”, on page 157 and the Secure Sockets Layer Introduction and iKeyman User’s Guide.


Installing the IBM Directory client

To install the IBM Directory client on a Windows system, follow these steps.

Note: If you installed Active Directory as your registry, the IBM Directory client is not required.

1. Log in to the system as a user with administrator privileges.

2. Insert the IBM Tivoli Access Manager Base for Windows CD.

3. Run the setup.exe file in the following directory:

windows\Directory\ismp

The Choose Setup Language dialog is displayed.

4. Select the language that you want to use for the installation and click OK.

5. The Welcome dialog is displayed. Click Next to continue. 

6. Read the license agreement. Select to accept the terms and then click Next.

7. Ensure that you have closed any running Windows programs and click Next to continue. A dialog informs you of packages that are already installed and if any action is required. Satisfy any requirements and click Next.

8. Click Next to install IBM Directory in the specified default directory. To specify a different directory, type a directory path or click Browse to select one.

9. Select the language for IBM Directory and click Next.

10. Select Typical to install IBM Directory.


11. Select to install the Client SDK and the Directory Management Tool (DMT) and then click Next.

12. Review your current settings and then click Next to start copying files.

13. After the files are installed, the README file is displayed. Review the README and then click Next to continue.

14. Select whether you want to restart your system now or later and click Next.

After you install the IBM Directory client, no configuration is necessary.

Installing and configuring Tivoli Access Manager components

Before you begin

v Install all operating system patches and review system requirements listed in the IBM Tivoli Access Manager Release Notes.

v Ensure that you follow instructions and set up Tivoli Access Manager systems in the order listed in the “Installation process” on page 6.

v Become familiar with the configuration decisions that you need to make during native installation. For descriptions of native configuration options, see “Windows native configuration options” on page 181.

 To install Tivoli Access Manager components, follow these steps:

1. Log in to the Windows domain as a user with Windows administrator privileges.

2. To install Tivoli Access Manager components, do one of the following:

v Insert the IBM Tivoli Access Manager Base for Windows CD.

v For the Web Portal Manager component only, insert the IBM Tivoli Access Manager Web Portal Manager for Windows CD.

  3. Run the setup.exe file in the following directory:

windows\PolicyDirector\Disk Images\Disk1

The Choose Language Setup dialog is displayed.

4. Select the language that you want to use for the installation and click OK. The Welcome dialog is displayed.


5. Click Next. The License Agreement dialog is displayed.

6. Read the license agreement and click Yes if you agree to the terms. The Select Packages dialog is displayed.

7. Select the packages that you want to install on your system and click Next. If you selected to install the Tivoli Access Manager runtime or Java runtime environment, the Tivoli Access Manager Runtime Setup dialog is displayed.

Choose a destination folder where you want the runtime setup files to be installed and click Next.

When installation is completed, the Tivoli Access Manager Installation Complete dialog is displayed.

Attention: To install the Tivoli Access Manager Web Portal Manager or Java runtime environment components, ensure that you follow instructions in “Installing and configuring a Web Portal Manager system” on page 83 or “Installing and configuring the Tivoli Access Manager Java runtime environment” on page 83.

8. Restart your system for changes to take effect.

9. After restarting your system, select Start → Programs → Access Manager for e-business → Configuration. The Access Manager for e-business Configuration dialog is displayed.

10. Select a component to configure and click Configure. You must configure each component separately and in the order listed.

11. Depending on the component that you selected, you are prompted for configuration options. For assistance with these configuration options, see “Windows native configuration options” on page 181. After configuration is complete, the Access Manager for e-business Configuration dialog is displayed again.

12. Review your selections and click Finish. The Access Manager for e-business Configuration dialog is displayed. Select another component in the list to configure or click Close to exit the tool.

Installing the platform-specific JRE

A platform-specific JRE is required when installing the Tivoli Access Manager Java runtime component and language support packages.

To install the supported JRE package shipped with Tivoli Access Manager, do the following:

1. Change to the \windows\JRE directory on the drive where the CD is located and enter the following:

install

2. Follow online instructions. When prompted to install the Java Runtime Environment as the System JVM, click Yes.

3. To set the environmental variable path, enter the following:

set PATH=install_dir;%PATH%

For example, if you installed the IBM Developer Kit for Windows, Java 2 Technology Edition, Version 1.3.1, in the default directory on your C drive, enter the following:

set PATH=C:\Program Files\IBM\Java131\jre;%PATH%


Installing and configuring the Tivoli Access Manager Java runtime environment

To install and configure the Tivoli Access Manager Java runtime environment, follow these steps:

1. Log in to the Windows domain as a user with Windows administrator privileges.

2. Insert the IBM Tivoli Access Manager Base for Windows CD.

3. Install a supported platform-specific JRE. For instructions, see “Installing the platform-specific JRE” on page 82.

4. To install the Tivoli Access Manager Java runtime environment, run the setup.exe file in the following directory:

windows\PolicyDirector\Disk Images\Disk1\PDJRTE\Disk Images\Disk1

The Choose Setup Language dialog is displayed.

5. Select the language that you want to use for the installation and click OK.

6. The Welcome screen is displayed. Click Next to continue.

7. Read the license agreement and click Yes if you agree to the terms. The Choose Destination Location dialog is displayed if you have not installed a supported runtime environment.

8. Accept the default destination directory or click Browse to select a path to another directory on the local system. If the directory does not exist, you must confirm that you want the directory created or specify a directory that exists.

9. To start copying files to the destination folder, click Next. If you want to review or change any settings, click Back.

The Setup Status dialog is displayed.

10. When the runtime installation has completed, select Yes to restart your computer.

11. To configure the Java runtime environment for use within the current JRE, change to the install_dir\sbin directory and then enter the following command:

pdjrtecfg -action config

Note: For more information about the pdjrtecfg command, see the IBM Tivoli Access Manager Command Reference.

Installing and configuring a Web Portal Manager system

Follow these steps to install and configure a Web Portal Manager system:

1. Install GSKit. See “Installing the IBM Global Security Toolkit” on page 79. 

2. Install the IBM Directory client. See “Installing the IBM Directory client” on page 80. 

3. Install the IBM WebSphere Application Server, Advanced Single Server 4.0. See “Installing IBM WebSphere Application Server, Advanced Single Server” on page 84.

4. Install IBM WebSphere Application Server, FixPack 3. See “Installing IBM WebSphere Application Server FixPack 3” on page 87. 

5. Install the Tivoli Access Manager Java runtime component. To do so, run the setup.exe file in the following directory.

windows\PolicyDirector\Disk Images\Disk1

Follow the online instructions to install the Access Manager Java runtime package.


Note: Configuration of the Tivoli Access Manager Java runtime component is not required. In addition, manually installing a platform-specific JRE is not required. WebSphere installs a platform-specific JRE and configures the Tivoli Access Manager Java runtime environment for use within the current JRE.

6. Install and configure the Tivoli Access Manager runtime and Web Portal Manager components. See “Installing and configuring Tivoli Access Manager components” on page 81.

Note: The Tivoli Access Manager runtime and Web Portal Manager components must be installed on the same system as the IBM WebSphere Application Server. In addition, if you install IBM WebSphere Application Server after installing the Tivoli Access Manager runtime, ensure that the GSKit version supported by Tivoli Access Manager is installed.

7. Before you start the Web Portal Manager interface, ensure that the WebSphere Application Server is running. To do so, click Start → Programs → IBM WebSphere → Application Server 4.0 → Start Application Server.

Note: The configuration process automatically configures the IBM WebSphere Application Server for SSL communication over port 443.

8. SSL support is enabled automatically between your browser and the IBM HTTP Server through a default SSL key file and stash file. These files are provided for evaluation use only. You must acquire your own certificate and replace the following files on your system:

C:\Program Files\Tivoli\Policy Director\keytab\pdwpm.kdb
Specifies the key database file. The path of the file is specified in the httpd.conf file.

C:\Program Files\Tivoli\Policy Director\keytab\pdwpm.sth
Specifies the file where the key database password is stored.

9. If you installed an LDAP server that does not use IBM HTTP Server and you are installing Web Portal Manager on the same system, ensure that the Web server ports are different. To change the IBM HTTP Server default port, edit the C:\Program Files\IBM HTTP Server\conf\httpd.conf file and change default port 80 to 8080 as shown:

# Port: The port the standalone listens to.
Port 8080

10. To start the Web Portal Manager, enter the following address in your Web browser:

https://hostname/pdadmin

where hostname is the name of the host running the IBM HTTP Server.

Note: For secure communications with the IBM HTTP Server, you must now use https instead of http.

A secure connection dialog is displayed, along with the Web Portal Manager welcome screen.
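Steps 8 and 9 above leave two things to verify in httpd.conf: that the evaluation-only key database has actually been replaced, and that the listening port no longer collides with another Web server on the host. The following check is an added example written for this page, not code from the IBM guide or product. It assumes the Apache-style Port directive shown in step 9 and an IBM HTTP Server Keyfile directive naming the .kdb file (the guide only says the path is "specified in the httpd.conf file"); the sample configuration text is constructed.

```python
"""Check the Web Portal Manager settings in an IBM HTTP Server httpd.conf.

Added example for this page, not code from the IBM guide or product. Assumes
the Apache-style `Port` directive shown in the guide and an IBM HTTP Server
`Keyfile` directive naming the .kdb key database. SAMPLE_CONF is constructed.
"""
import re

# Name of the evaluation-only key database shipped with Web Portal Manager.
EVAL_KDB_NAME = "pdwpm.kdb"

# One directive per line; trailing match is spaces/tabs only (never the newline),
# so rewriting a directive leaves the surrounding lines untouched.
_PORT_RE = re.compile(r"^([ \t]*)Port[ \t]+(\d+)[ \t]*$", re.IGNORECASE | re.MULTILINE)
_KEYFILE_RE = re.compile(r'^[ \t]*Keyfile[ \t]+"?([^"\r\n]+?)"?[ \t]*$',
                         re.IGNORECASE | re.MULTILINE)

# Constructed httpd.conf fragment mirroring the defaults the guide describes.
SAMPLE_CONF = """\
ServerName wpm.example.com
# Port: The port the standalone listens to.
Port 80
Keyfile "C:\\Program Files\\Tivoli\\Policy Director\\keytab\\pdwpm.kdb"
"""


def parse_directives(conf_text):
    """Return {'port': int or None, 'keyfile': str or None} from the first matches."""
    port = _PORT_RE.search(conf_text)
    keyfile = _KEYFILE_RE.search(conf_text)
    return {
        "port": int(port.group(2)) if port else None,
        "keyfile": keyfile.group(1).strip() if keyfile else None,
    }


def check_wpm_config(conf_text, ports_in_use=()):
    """Return findings for the two settings steps 8 and 9 tell you to fix.

    ports_in_use: ports already taken by other servers on this host, for example
    the Web server that came with a non-IBM LDAP server.
    """
    findings = []
    parsed = parse_directives(conf_text)
    if parsed["port"] is None:
        findings.append("no Port directive found")
    elif parsed["port"] in set(ports_in_use):
        findings.append(f"Port {parsed['port']} is already used by another server on this host")
    if parsed["keyfile"] is None:
        findings.append("no Keyfile directive found; SSL key database is not configured")
    else:
        # Compare the basename only, so either path separator is handled.
        basename = parsed["keyfile"].replace("\\", "/").rsplit("/", 1)[-1]
        if basename.lower() == EVAL_KDB_NAME:
            findings.append(
                f"Keyfile still points at the evaluation-only {EVAL_KDB_NAME}; "
                "replace it and pdwpm.sth with your own certificate and stash file")
    return findings


def set_port(conf_text, new_port):
    """Rewrite the first Port directive (the 80 -> 8080 change in step 9)."""
    new_port = int(new_port)
    if not 1 <= new_port <= 65535:
        raise ValueError(f"port out of range: {new_port}")
    new_text, count = _PORT_RE.subn(lambda m: f"{m.group(1)}Port {new_port}",
                                    conf_text, count=1)
    if count == 0:
        raise ValueError("no Port directive to rewrite")
    return new_text


if __name__ == "__main__":
    for finding in check_wpm_config(SAMPLE_CONF, ports_in_use={80}):
        print("FINDING:", finding)
    print(set_port(SAMPLE_CONF, 8080))
```

Run it against the real file with `check_wpm_config(open(path).read(), ports_in_use={80})` after the LDAP server's Web server port has been noted; an empty list means both items from the guide have been dealt with.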

Installing IBM WebSphere Application Server, Advanced Single Server

To install IBM WebSphere Application Server, follow these steps:

1. Log in to the system as a user with administrator privileges.


2. Insert the IBM Tivoli Access Manager Web Portal Manager for Windows CD.

3. Change to the windows\WebSphere directory on the drive where the CD is located and enter the following:

setup.exe

The Choose Setup Language dialog is displayed.

4. Select the language that you want to use for the installation and click OK.

5. Ensure that you have closed any running Windows programs and click Next to continue.

6. Select Typical Installation (default choice), and click Next.

7. In the Security Options window, enter a user name and password and then select Next. This is a user name and password for WebSphere, and must be a user ID and password on the local system.

8. The InstallShield program presents a default path for the WebSphere Application Server destination directory and IBM HTTP Server. If the system already has the IBM HTTP Server installed on it, this choice is not displayed.


Accept these defaults by selecting Next.

Note: Write down these paths. You are prompted for these paths during the installation of the WebSphere Application Server. Default paths are as follows:

v WebSphere Application Server: C:\WebSphere\AppServer

v IBM HTTP Server: C:\IBM HTTP Server if it is installed as part of the WebSphere installation; c:\Program Files\IBM HTTP Server if installed as part of the Web Portal Manager

9. Select a Windows Program Folder location; the default is IBM WebSphere\Application Server V4.0 AES. Select Next.

The installation process begins.

10. When installation completes, you are prompted to restart Windows. Select No, do not restart Windows. The system is restarted after the FixPack 3 is installed.

11. IBM WebSphere Application Server installs the IBM HTTP Server. You must install the following patch, located in the root directory on the IBM Tivoli Access Manager Web Portal Manager for Windows CD. To do so, enter the following:

http_1319_efix2.bat install_path

where install_path specifies the installation path for the IBM HTTP Server. The default path is C:\Program Files\IBM HTTP Server.


12. To install the FixPack, see “Installing IBM WebSphere Application Server FixPack 3”.

Installing IBM WebSphere Application Server FixPack 3

To install IBM WebSphere Application Server FixPack 3, follow these steps:

1. Stop the WebSphere Application Server, HTTP Server, and the LDAP server (if installed on the same system).

2. Insert the IBM Tivoli Access Manager Web Portal Manager for Windows CD.

3. From a command prompt, change to the windows\WebSphere\ptf403 directory on the drive where the CD is located.

4. Copy the contents of the ptf403 directory into a temporary directory on your system and run the following batch file:

install.bat

5. Type the IBM WebSphere Application Server home directory and press Enter. For example, enter the following:

C:\WebSphere\AppServer

6. Select Yes to use the Application Server.

7. Select Yes to perform the update of the JDK.

8. If you are using iPlanet Directory as your registry, select Yes to update the iPlanet web server configuration for support by WebSphere. Otherwise, select No.

9. Select Yes to update the IBM HTTP Server.

10. If using IBM HTTP Server, type the IBM HTTP Server home directory and press Enter. For example, enter the following:

C:\Program Files\IBM HTTP Server

11. Select Yes to use the Application Server Logs directory.

12. Select Yes to place backups under the WebSphere Application Server home directory. The upgrade begins. A prompt displays the message Upgrading IBM JDK. This upgrade installs the IBM Developer Kit for Windows in the WebSphere directory. There is not a conflict if you already have the toolkit installed elsewhere on your system. When the upgrade is complete, a prompt displays the message Installation completed with no errors. Please view the activity log for details. Press any key to continue.

13. Press any key to continue.

WebSphere Application Server Single Server 4.0 and FixPack 3 are now installed.

14. Restart your system for changes to take effect.

Uninstalling Tivoli Access Manager

Before you begin

v Stop all Tivoli Access Manager applications before uninstalling components.

v Unconfigure Tivoli Access Manager applications, such as WebSEAL, before unconfiguring the Tivoli Access Manager policy server and runtime components.

v Unconfigure and remove the policy server system last.


Uninstalling Tivoli Access Manager is a two-part process. You must unconfigure components and then remove them, unless you are instructed to do otherwise, such as during the upgrade process.

This section includes the following topics:

v “Unconfiguring Tivoli Access Manager components” 

v “Removing Tivoli Access Manager packages” on page 89

Unconfiguring Tivoli Access Manager components

To unconfigure Tivoli Access Manager components on a Windows system, follow these steps.

Note: If you have already unconfigured a Tivoli Access Manager component, you are not prompted for administrator name and password information during the unconfiguration process. The configuration utility caches this information.

1. Log in as a Windows user with administrator privilege.

2. Ensure that your registry server and policy server are running (unless you are uninstalling the Tivoli Access Manager policy server).

3. Select Start → Programs → Access Manager for e-business → Configuration or enter the pdconfig command from a command prompt.

4. From the Access Manager for e-business Configuration dialog, click one of the Tivoli Access Manager components listed. Components must be unconfigured in the following order:

v Access Manager Authorization Server

v Access Manager Policy Server

v Access Manager Runtime

v Access Manager Web Portal Manager

Note: For Active Directory registry users only, ensure that the Administration console application is closed before you unconfigure the Tivoli Access Manager policy server.

5. Click Unconfigure.

6. If you selected to unconfigure the authorization server, specify the Security Master password.

7. If you selected to unconfigure the policy server, type the LDAP administrator name (for example, cn=root) and the appropriate password. A warning message is displayed informing you that by unconfiguring this package, configuration and authorization information for all Tivoli Access Manager servers in the secure domain will be removed. Click Yes to remove; click No to exit this task.

8. To unconfigure another component, repeat steps 4 through 7.

9. To unconfigure the Tivoli Access Manager Java runtime environment, use the pdjrtecfg command. For example, enter the following to unconfigure the JRE specified by the jre_path variable:

pdjrtecfg -action unconfig -java_home jre_path

Note: For more information about the pdjrtecfg command, see the IBM Tivoli Access Manager Command Reference.


Removing Tivoli Access Manager packages

To remove components from a Windows system, follow these steps:

1. Log in as a Windows user with administrator privilege.

2. Select Start → Settings → Control Panel and then click the Add/Remove Programs icon.

3. Select one of the following components and then click Add/Remove:

v IBM Directory V4.1.1

v Access Manager Authorization Server

v Access Manager Application Development Kit

v Access Manager Java runtime environment

v Access Manager Policy Server

v Access Manager Runtime

v Access Manager Web Portal Manager

v WebSphere Application Server

The Choose Language Setup dialog is displayed.

4. Select the language that you want to use for the Tivoli Access Manager removal process and click OK.

5. From the Confirm Component Removal message box, click Yes.

The Tivoli Access Manager component is removed.

6. Select another component from the list or click OK to exit the program.

7. To remove GSKit from your system, enter the following command:

isuninst -f"c:\program files\ibm\gsk\ibm\gsk5\gsk5bui.isu"

where c:\program files\ibm\gsk\ibm\gsk5 is the fully-qualified path where the gsk5BUI.isu file is located.

Note: You cannot uninstall GSKit using the Add/Remove Programs icon as you can the other Tivoli Access Manager components.


Chapter 8. Upgrading to Tivoli Access Manager, Version 4.1

This chapter describes how to upgrade Tivoli Access Manager, Version 3.8 and Version 3.9 systems to Tivoli Access Manager, Version 4.1. The following procedures constitute the recommended steps for components at the time of publication. For system requirements and late-breaking information specific to the upgrade process, see the IBM Tivoli Access Manager Release Notes on the Tivoli Customer Support Web site.

Note: If you are attempting to upgrade your secure domain from Tivoli SecureWay Policy Director, Version 3.7.x or earlier, you must first upgrade to Tivoli Access Manager, Version 3.8 or 3.9 before installing Version 4.1.

This chapter includes the following sections:

v “Upgrade considerations for LDAP registries” 

v “Upgrading the policy server system” on page 92

v “Upgrading the policy server using two systems” on page 93

v “Upgrading other Tivoli Access Manager systems” on page 95

v “Retiring the existing policy server” on page 96

If you plan to upgrade from either a Version 3.8 or Version 3.9 policy server, you can choose to upgrade on the same policy server system or use two systems: your current policy server system and a second, clean system for Version 4.1. This two-system approach provides the ability to keep your current policy server functioning as you set up and test a second Version 4.1 policy server system. If you encounter a problem when upgrading using two systems, you can simply take the Version 4.1 server offline.

Upgrade considerations for LDAP registries

Before upgrading to Version 4.1, review the following considerations:

v As a standard precaution when upgrading between versions, make sure to back up all Tivoli Access Manager servers before you begin. In addition, it is recommended that you use LDAP commands to back up and later restore LDAP data. For instructions, see your LDAP product documentation.

v You are not required to upgrade all systems in your secure domain to a Version 4.1 level. For a list of Version 3.8 and 3.9 systems that are backward compatible with a Version 4.1 policy server, see the IBM Tivoli Access Manager Release Notes.

v The upgrade process does not support changing your registry type. For example, you cannot upgrade from an LDAP registry to a Domino registry.

v If upgrading a system with an existing Tivoli Access Manager application installed, see the application documentation posted on the Tivoli Support Web site for additional requirements and recommendations during the upgrade process.

v On UNIX systems only:

– All commands are run as the root user.

– The temporary directory is /tmp.

– The installation path is /opt/PolicyDirector and /var/PolicyDirector.

v On Windows systems only:


– Commands are run by a user included in the Administrator group.

– The temporary directory is the value specified by the TMP variable. If the TMP variable does not exist, the value specified by the TEMP variable is used. If neither of these variables is set, the system directory is the temporary directory.

– The installation path varies and is dependent on the directory specified during installation.

– You can upgrade the registry any time before or after the upgrade of Tivoli Access Manager, except for when IBM Directory server is installed on a system with a Tivoli Access Manager component. In this case, the registry must be upgraded at the same time that the IBM Directory client is upgraded.

Upgrading the policy server system

Follow these steps to upgrade your existing policy server system to Tivoli Access Manager, Version 4.1.

1. To stop all Tivoli Access Manager services, do one of the following:

v On Windows systems, select Start → Settings → Control Panel → Administrative Tools (Windows 2000 only) and then double-click the Services icon. Stop all Tivoli Access Manager services running on the local system, including applications, such as WebSEAL.

v On UNIX systems, use the pd_start command. For example, enter the following:

pd_start stop

To ensure that all Tivoli Access Manager services and applications are stopped, issue the ps command. If any Tivoli Access Manager service or application is still running, issue the kill command.

2. Install all operating system patches needed by Tivoli Access Manager, Version 4.1, and its prerequisite products. For information about prerequisite products and required operating system patches, see software requirements in the IBM Tivoli Access Manager Release Notes.

3. Install the supported version of IBM Global Security Toolkit (GSKit) and upgrade the IBM Directory client. For instructions, see the “Using native installation” section in the chapter for your particular platform. After you have completed the native installation steps, return to this procedure.

Notes:

v If during the GSKit upgrade you are prompted to reboot, make sure to reboot and then continue with this procedure.

v If the IBM Directory client is on the same system as the IBM Directory server, it is necessary to upgrade your server. For information about upgrading the server, see the IBM Directory documentation.

4. To back up critical Tivoli Access Manager information on the current policy server, use the pdbackup command. For example, enter the following:

pdbackup -action backup -file archive_name -list /path/pdbackup.lst

where archive_name is the Tivoli Access Manager data archive file name and /path/ is one of the following directories (where your pdbackup.lst file exists):

v On AIX systems:

cd_drive/usr/sys/inst.images/migrate

v On HP-UX systems:

cd_drive/HP/migrate


v On Red Hat Linux systems:

cd_drive/linux/migrate

v On Linux for zSeries systems:

cd_drive/zSeries/migrate

v On Solaris systems:

cd_drive/solaris/migrate

v On Windows systems:

cd_drive\windows\migrate

Note: For more information about the pdbackup command, see the IBM Tivoli Access Manager Command Reference.

5. Make sure your LDAP server is running and then install Tivoli Access Manager, Version 4.1, components. For instructions, see the native installation procedure in the chapter for your particular platform.

6. Make sure your Tivoli Access Manager policy server is running. Start any Tivoli Access Manager applications and perform any necessary product-specific tasks.

Upgrading the policy server using two systems

Follow these steps to set up a new Version 4.1 policy server on a second system while allowing your existing policy server system to continue functioning.

1. To stop all Tivoli Access Manager services on your existing policy server, do one of the following:

v On Windows systems, select Start → Settings → Control Panel → Administrative Tools (Windows 2000 only) and then double-click the Services icon. Stop all Tivoli Access Manager services running on the local system, including applications, such as WebSEAL.

v On UNIX systems, use the pd_start utility. For example, enter the following:

pd_start stop

To ensure that all Tivoli Access Manager services and applications are stopped, issue the ps command. If any service or application is still running, issue the kill command.

2. To back up critical Tivoli Access Manager information on the existing policy server, use the pdbackup command. For example, enter one of the following:

v For Version 3.8:

pdbackup -action backup -file archive_name -list mig38to41.lst -path path

v For Version 3.9:

pdbackup -action backup -file archive_name -list mig39to41.lst -path path

where archive_name is the Tivoli Access Manager data archive file name on UNIX or the archive directory name on Windows and path is the path where the archive file or archive directory is created. Once the pdbackup command is complete, a Tivoli Access Manager data archive file or data archive directory is produced in the path specified.

Note: For more information about the pdbackup command, see the IBM Tivoli Access Manager Command Reference. 

3. To restart the policy server daemon (pdmgrd) or service on the existing policy server, do one of the following:

v On Windows systems, select Start → Settings → Control Panel → Administrative Tools (Windows 2000 only) and then double-click the Services icon. Start all Tivoli Access Manager services running on the local system, including applications, such as WebSEAL.

v On UNIX systems, use the pd_start utility. For example, enter the following:

pd_start start

4. Copy the archive produced by the pdbackup command from the existing policy server to the new 4.1 policy server. If you are using a Windows system, copy the archive directory and all of its contents to the new 4.1 policy server. In addition, if using SSL with the LDAP server, copy the SSL client key file to the new system, using the same target path and file name that was used as the source for the key file on the first system.

Note: The new 4.1 policy server must be a clean system. Do not use an existing system.

5. On the new system, install all operating system patches needed by Tivoli Access Manager, Version 4.1 and its prerequisite products. For information about prerequisite products and required operating system patches, see software requirements in the IBM Tivoli Access Manager Command Reference.

6. Ensure your LDAP server is running and then install Tivoli Access Manager, Version 4.1, and its prerequisites on the new 4.1 policy server. For instructions, see the “Using native installation” section in the chapter for your particular platform.

7. To extract registry data to the new 4.1 policy server, use the pdbackup command. For example, enter the following:

pdbackup -action extract -path restore_directory -file archive_name

where restore_directory is the temporary directory on the new 4.1 policy server you want to extract your archive data to and archive_name is the Tivoli Access Manager data archive file or archive directory name.

Note: For more information about the pdbackup command, see the IBM Tivoli Access Manager Command Reference. 

8. Configure the runtime on the new 4.1 policy server. When prompted for an LDAP server, specify the name of the LDAP server that is used by the existing policy server.

9. Configure the new 4.1 policy server. When prompted if you want to configure the policy for migration purposes, select yes and enter the restore_directory specified by the –path option in Step 7.

Caution: If there is a configuration problem, do not unconfigure this system or else critical data needed by the existing policy server will be destroyed. Follow instructions in “Retiring the existing policy server” on page 96 with the new server. Note that the new system is a clone of the existing system. This means that the placement of critical files, such as certificate files, must be identical to the existing system. For example, if a certificate file is in the /certs directory on the existing policy server, it must be located in the /certs directory on the new system.

10. Your system is ready. Run pdadmin and query both the ACL database and the registry to verify their status.

11. Install and configure other Tivoli Access Manager components on the new system, as needed.


12. If you have made updates or changes to your database during the migration process, you must copy the database files from the old policy server to the new 4.1 policy server. The default locations of the files to copy are as follows:

v On UNIX systems: /var/PolicyDirector/db/master_authzn.db

v On Windows systems: install_dir\db\master_authzn.db

13. Continue to the next section, “Upgrading other Tivoli Access Manager systems”, to upgrade other systems to Version 4.1. After you have updated all your Tivoli Access Manager systems, complete the procedure in “Retiring the existing policy server” on page 96 to retire your existing policy server.

Upgrading other Tivoli Access Manager systems

Follow these steps to migrate Tivoli Access Manager systems (other than the policy server) to Tivoli Access Manager, Version 4.1:

1. Stop Tivoli Access Manager applications and services running on the system and perform any product-specific instructions. To stop all applications and services, do one of the following:

v On Windows systems, select Start → Settings → Control Panel → Administrative Tools (Windows 2000 only) and then double-click the Services icon. Stop all Tivoli Access Manager services running on the local system, including applications, such as WebSEAL.

v On UNIX systems, use the pd_start utility. For example, enter the following:

pd_start stop

Note: To ensure that all Tivoli Access Manager services and applications are stopped, issue the ps command. If any Tivoli Access Manager service or application is still running, issue the kill command.

2. Install all operating system patches needed by Tivoli Access Manager, Version 4.1 and its prerequisite products. For information about prerequisite products and required operating system patches, see software requirements in the IBM Tivoli Access Manager Command Reference.

3. Install the supported version of IBM Global Security Toolkit (GSKit) and upgrade the IBM Directory client. For instructions, see the “Using native installation” section in the chapter for your particular platform. Removal of previous IBM Global Security Toolkit product versions is not required. Once you have completed the native installation steps, return to this procedure to ensure successful procedure completion.

Notes:

v If during the GSKit upgrade you are prompted to reboot, reboot and then continue with this procedure.

v If the IBM Directory client is on the same system as the IBM Directory server, it will be necessary to upgrade your server. For information about upgrading the server, see the IBM Directory documentation.

4. To back up critical Tivoli Access Manager information on the current policy server, use the pdbackup command. For example, enter the following:

pdbackup -action backup -file archive_name -list /path/pdbackup.lst

where archive_name is the Tivoli Access Manager data archive file name and /path/ is one of the following directories (where your pdbackup.lst file exists):

v On AIX systems:

cd_drive/usr/sys/inst.images/migrate


v On HP-UX systems:

cd_drive/HP/migrate

v On Red Hat Linux systems:

cd_drive/linux/migrate

v On Linux for zSeries systems:

cd_drive/zSeries/migrate

v On Solaris systems:

cd_drive/solaris/migrate

v On Windows systems:

cd_drive\windows\migrate

Note: For more information about the pdbackup command, see the IBM Tivoli Access Manager Command Reference.

5. Ensure that the LDAP server and the policy server are running and then install Tivoli Access Manager, Version 4.1, components. For instructions, see the native installation procedure in the chapter for your particular platform.

6. Start any Tivoli Access Manager applications and perform any product-specific tasks.

Retiring the existing policy server

If you upgraded the policy server using the two-system approach, follow these steps to retire the existing policy server after its data and client/server has been successfully migrated to the Version 4.1 policy server system.

1. Copy the following file from the Version 4.1 policy server to a temporary directory on the existing policy server:

v On UNIX systems: /opt/PolicyDirector/sbin/pdmgr_ucf

v On Windows systems: pd_install_path/sbin/pdmgr_ucf.exe

where pd_install_path is the Tivoli Access Manager installation path.

2. On the existing policy server, run the pdmgr_ucf (pdmgr_ucf.exe on Windows) executable.

3. Uninstall your previous version of Tivoli Access Manager. Refer to Tivoli Access Manager, Version 3.8 or Version 3.9 documentation for uninstallation procedures.

Note: Do not unconfigure the existing policy server or the new policy server at any time during the upgrade process. Unconfiguration of your existing policy server or new policy server will result in a non-working Tivoli Access Manager environment.

Restoring a system to its previous level

If you encounter a problem when migrating to Version 4.1 using the single-system approach, you might need to restore the system to its previous level. To do so, follow these steps.

Note: If you encounter a problem during the backup of existing data, contact Tivoli Support for assistance before continuing with the upgrade process.

1. Ensure that all Tivoli Access Manager applications and base services are stopped.

2. To remove Tivoli Access Manager, Version 4.1, do one of the following:


v On AIX systems, use smitty to remove the Tivoli Access Manager packages from the system.

v On HP-UX systems, enter the following commands in this order:

rm -f /opt/PolicyDirector/.configure/*
swremove -x enforce_dependencies=false package_name
rm -fR /opt/PolicyDirector
rm -fR /var/PolicyDirector

v On Linux, enter the following commands:

rm -f /opt/PolicyDirector/.configure/*
rpm -e package_name
rm -fR /opt/PolicyDirector
rm -fR /var/PolicyDirector

v On Solaris systems, enter the following commands:

rm -f /opt/PolicyDirector/.configure/*
pkgrm package_name
rm -fR /opt/PolicyDirector
rm -fR /var/PolicyDirector

The pkgrm command prompts if you want to continue removing the component even though it is still configured. Enter yes to continue. If you have dependencies installed, such as WebSEAL, you are prompted if you want to uninstall the Tivoli Access Manager base component even though there are applications dependent on it. Enter yes to continue.

v On Windows systems, follow these steps:

a. Log in as a Windows user with administrator privilege.

b. Select Start → Settings → Control Panel and then click the Add/Remove Programs icon.

c. Use the Add/Remove button to remove the Tivoli Access Manager packages.

3. Install your previous version of Tivoli Access Manager. For instructions, see the Base Installation Guide for your particular version.

Note: On AIX systems only, you must issue the installp command with the –F option. Or if using SMIT to install Version 3.8 or 3.9 packages, answer yes when prompted to overwrite same or newer versions and no when prompted to automatically install requisite software.

4. Apply any Tivoli Access Manager fixpacks that were on the system prior to the upgrade to Version 4.1.

5. To restore your previous data, change to the temporary directory use thepdbackup –action restore command. For examples and descriptions of pdbackup options, see the IBM Tivoli Access Manager Command Reference.


Chapter 9. UNIX easy installation scenarios

This appendix provides the following scenarios using easy installation scripts on UNIX platforms:

v “Setting up an IBM Directory server system”

v “Setting up the Tivoli Access Manager policy server system” on page 104

v “Setting up a Tivoli Access Manager runtime system” on page 111

v “Setting up a Web Portal Manager system” on page 116 

Before you begin

v Install all operating system patches and review system requirements listed in the IBM Tivoli Access Manager Release Notes.

v Ensure that you set up Tivoli Access Manager systems in the order listed in the “Installation process” on page 6.

v Review the “Using easy installation” section in the Tivoli Access Manager installation chapter for your particular platform to see which easy installation scripts are supported.

Essential components in a secure domain include a supported registry and the Tivoli Access Manager policy server. For the purpose of these scenarios, the following conditions exist:

v IBM Directory server is installed and configured as the Tivoli Access Manager registry.

v Secure Sockets Layer (SSL) communication is enabled between the IBM Directory server and its LDAP clients.

Setting up an IBM Directory server system

The following scenario uses the ezinstall_ldap_server script to install and configure IBM Directory server as the Tivoli Access Manager registry. This script installs and configures all necessary software on your system, including prerequisite products, Tivoli Access Manager components, and associated patches.

Unlike Windows easy installation files, you do not have the option to change installation directories. Default directories are as follows:

v For AIX systems:

– IBM DB2 — /usr/ldap/db2

– IBM HTTP Server — /usr/HTTPServer

– LDAP — /usr/ldap

– GSKit — /usr/opt/ibm/gskkm

v For Solaris systems:

– IBM DB2 — /opt/IBMdb2

– IBM HTTP Server — /opt/IBMHTTP

– LDAP server — /opt/IBMldaps

– LDAP client — /opt/IBMldapc

– GSKit — /opt/ibm/gsk5

 


Table 9 lists configuration options for IBM Directory server and its prerequisite software. Read the following scenario and identify these values in the spaces provided before you are prompted during installation.

Table 9. IBM Directory server Installation Worksheet

IBM HTTP Server Configuration        Default Value                                    Your Value
Administration ID                    Detected by easy installation (the ID used       ____________________________
                                     to sign onto the system)
Administration Password                                                               ____________________________
HTTP Port                            80                                               ____________________________

IBM Directory server Configuration   Default Value                                    Your Value
LDAP Administrator ID (DN)           cn=root                                          ____________________________
LDAP Administrator Password                                                           ____________________________
LDAP Server Hostname                 Detected and filled in by easy installation      ____________________________
                                     (the host name of your system)
LDAP DN for GSO Database             Suggest: o=tivoli,c=us                           ____________________________
LDAP Server Port                     389                                              ____________________________
LDAP SSL Keyfile                     cd_drive/common/pd_ldapkey.kdb                   ____________________________
LDAP SSL Key File Password           gsk4ikm                                          ____________________________
SSL Client Certificate Label         PDLDAP                                           ____________________________

To install and configure IBM Directory server and its prerequisite software, follow these steps:

Note: If an existing version of IBM Directory server exists, remove it. Also ensure that you exit from all running programs before initiating easy installation scripts.

1. Log in to the system as root.

2. A default SSL LDAP key file (pd_ldapkey.kdb) is copied to your system during easy installation. If you are enabling SSL and plan to use a different SSL key file, ensure that you manually copy the SSL key file that you plan to use to a directory on this system.

3. Run the ezinstall_ldap_server file, located in the root directory on the Tivoli Access Manager Base CD for your particular platform.

If you previously ran an easy installation file on this system, you are prompted to use a stored response file. To continue with this scenario, press N. For more information about response files, see Appendix B, “Tivoli Access Manager configuration reference”, on page 179.

A window similar to the following is displayed. This shows the current status of the products required for the IBM Directory server. To start the installation process, press Enter and supply configuration information when prompted.

Note: Easy installation does not prompt you to change default values. However, you can change these values at the end of each set of configuration options. When prompted, simply type the option’s associated number, change its value, and press Enter.

4. Type the password associated with the root ID you used to log onto this system and press Enter.


5. To continue, type Y and press Enter. Next, create a password for the LDAP Administrator ID, entering it again for confirmation.

6. You are prompted to enter the LDAP DN for GSO Database. This is the distinguished name of the location in the LDAP server directory information tree (DIT) where you want global signon (GSO) metadata to be located. You can either enter a suffix or specify the DN of an existing LDAP DIT location. For example, enter o=tivoli,c=us to create a new suffix for GSO metadata.

Note: The LDAP DN for the GSO database is required regardless of whether you implement a single signon solution with Tivoli Access Manager. For more information about the LDAP DN for the GSO database, see “LDAP server configuration overview” on page 17.

7. After you enter the LDAP DN for the GSO database, you have the opportunity to modify any of the IBM Directory server configuration options. For example, if you do not want to use the default LDAP SSL Keyfile (option 7), type 7 and press Enter to change its value. If you change the SSL key file value, also ensure that you change values for options 8 and 9 accordingly.


8. If you did not change the default value for option 7 (LDAP SSL Keyfile), you are prompted to press Enter to copy the cd_drive/common/pd_ldapkey.kdb file to the /var/ldap/keytab directory on your system. To continue, type Y and press Enter.

Notes:

v Option 8 (LDAP SSL Key File Password) is the password associated with the default pd_ldapkey.kdb file. This default password is gsk4ikm. If you decide to change this password using the gsk5ikm utility, you must recall this password.

v If you changed the default pd_ldapkey.kdb file in option 7, you are not prompted to copy this key file.

9. The installation process begins for IBM Directory server and its prerequisite products.

10. Continue monitoring the installation and configuration of IBM Directory server and its prerequisite products. This process could take several minutes. Wait for the process to complete. When installation has completed, the status for all products is Configured as shown:

Note: If you encounter an error during installation, you can view the /var/ezinstall_ldap_server.log file.

Setting up the Tivoli Access Manager policy server system

After you have successfully completed installing your LDAP registry, the next step is to set up your policy server. The following scenario uses the ezinstall_pdmgr script to install and configure the policy server. This script installs and configures all necessary software on your system, including prerequisite products, Tivoli Access Manager components, and associated patches.

This scenario installs the policy server on the same system as the registry installed in “Setting up an IBM Directory server system” on page 99. This is useful when prototyping a deployment or developing and testing an application. In an actual deployment, however, it is recommended that these servers be installed on separate systems. Note that the only difference in a separate system setup is that the installation process also installs the IBM Global Security Toolkit and IBM Directory client.

Table 10 lists configuration options for the Tivoli Access Manager policy server and its prerequisite software. Read the following scenario and identify these values in the spaces provided before you are prompted during installation.

Table 10. Tivoli Access Manager Policy Server Installation Worksheet

IBM Tivoli Access Manager Runtime Configuration        Default Value                                     Your Value
Configure Using This Registry                          ldap (only LDAP is supported at this time)        ____________________________
LDAP Server Hostname                                                                                     ____________________________
LDAP Server Port                                       389                                               ____________________________

IBM Tivoli Access Manager Policy Server Configuration  Default Value                                     Your Value
LDAP Server Hostname                                                                                     ____________________________
LDAP Administrator ID (DN)                             cn=root                                           ____________________________
LDAP Administrator Password                                                                              ____________________________
Enable SSL between Policy Server and LDAP?             Recommended: Y                                    ____________________________

If you enable SSL with the LDAP server, you are prompted for the next four values:

LDAP SSL Client Key File                                                                                 ____________________________
LDAP Client Certificate Label                          Value not required if using the default           ____________________________
                                                       SSL key file
SSL Keyfile Password                                   gsk4ikm                                           ____________________________
LDAP Server SSL Port                                   636                                               ____________________________

LDAP DN for GSO Database                               Be sure to specify the same DN that you           ____________________________
                                                       used to configure the LDAP server
SSL Server Port for AM Policy Server                   7135                                              ____________________________
Policy Server SSL Certificate Lifetime                 365                                               ____________________________
Enable Download of Certificates                        Recommended: Y                                    ____________________________

To install and configure the Tivoli Access Manager policy server, follow these steps:

1. Ensure that you are logged onto your system as the root administrator.

2. Do one of the following:

v If you are installing the policy server on a separate system, manually copy the SSL key file that you used to configure the LDAP server to a directory on this system. For example, copy the default pd_ldapkey.kdb file from the /var/ldap/keytab directory on the IBM Directory server system to the /var/ldap/keytab directory on this system.

v If you are installing the policy server on the same system where you installed the IBM Directory server, skip to step 3.

3. Run the ezinstall_pdmgr file, located in the root directory on the Tivoli Access Manager Base CD for your particular platform.

If you previously ran an easy installation file on this system, you are prompted to use a stored response file. To continue with this scenario, press N. For more information about response files, see Appendix B, “Tivoli Access Manager configuration reference”, on page 179.

A window similar to the following is displayed. To start the installation process, press Enter and supply configuration information when prompted.

If you plan to install the policy server on the same system as your LDAP server, the ezinstall_pdmgr script detects that the IBM Global Security Toolkit and the IBM Directory client are already installed.

4. Type the host name of the LDAP server and press Enter. This is the name of the host system where you installed the IBM Directory server. For example, pdsun3 was the host name used for the IBM Directory server in the previous scenario. You can either enter the short or fully qualified host name, such as pdsun3.dev.company.com.

5. To continue, type Y and press Enter. For security purposes, it is recommended that you enable SSL communication with the LDAP server. To do so, type Y and press Enter. Otherwise, enter N and skip to step 8 on page 108.

6. Type the fully qualified path where you copied the LDAP SSL client key file to in step 2 on page 105 and press Enter. For example, if you copied the default pd_ldapkey.kdb file to the /var/ldap/keytab directory, enter /var/ldap/keytab/pd_ldapkey.kdb.

7. Type the password for the LDAP SSL client key file and press Enter. The default pd_ldapkey.kdb file included with easy installation has a default password of gsk4ikm. Use this default password only if you installed and configured the IBM Directory server using the ezinstall_ldap_server script or if you specified this default key file during native installation. If you decide to change this password using the gsk5ikm utility, you must recall this default password.

Note: Option 7 specifies the label in the client GSKit key database file of the client certificate to be sent to the LDAP server. When enabling SSL using default values, this value is not required. This value is required only if the server is configured to require client authentication during SSL establishment or you want to use the non-default certificate in your key file. Typically, the LDAP server requires only server-side certificates that were specified during the creation of the client .kdb file.

8. Type the password for the LDAP Administrator ID that you created when you installed the LDAP server and press Enter.

9. Create a password for the security master ID (sec_master), entering it again for confirmation. Use this administrative ID to define your own administrative IDs, groups, and their capabilities.

10. Type the LDAP DN for GSO database value that you entered during LDAP server configuration and press Enter. For example, o=tivoli,c=us was the suffix used in the previous scenario.

11. Configuration of the Tivoli Access Manager policy server creates a default SSL certificate authority file named pdcacert.b64, which enables communication between the server and other Tivoli Access Manager runtime systems. You can simplify configuration by enabling Tivoli Access Manager runtime systems to download this file automatically. Otherwise, you must manually copy this file to each subsequent Tivoli Access Manager runtime system before configuring the system.

To enable automatic downloading of the SSL certificate authority file, type Y and press Enter.

Note: If you do not enable automatic downloading, the SSL certificate authority file is placed in the following directory:

/var/PolicyDirector/keytab/pdcacert.b64

12. To continue, type Y and press Enter. Monitor the progress of the installation. When installation has completed, the status for all products is Configured as shown:

13. After configuring the policy server, you can set up additional Tivoli Access Manager systems in your secure domain. For example, you can do the following:

v Run the install_pdrte InstallShield program to install one or more runtime client systems (without the policy server). For instructions, see “Setting up a Tivoli Access Manager runtime system” on page 111.

v Run the ezinstall_pdwpm script to install a Tivoli Access Manager runtime client with the Web Portal Manager interface. For instructions, see “Setting up a Web Portal Manager system” on page 116.

v Run the ezinstall_pdacld script to set up an authorization server system.

v Run the ezinstall_pdauthADK script to install a development system with the application development kit (ADK).

Note: If you encounter an error during installation, you can view the /var/ezinstall_pdmgr.log file.

Setting up a Tivoli Access Manager runtime system

The following scenario uses the install_pdrte InstallShield wizard to install and configure a Tivoli Access Manager runtime system. Unlike the other easy installation scripts, the install_pdrte program uses an InstallShield wizard to step you through installation of a runtime system. All prerequisite products and Tivoli Access Manager components are installed and configured except for a prerequisite JRE, which must be installed manually.

Table 11 lists configuration options for the Tivoli Access Manager runtime and its prerequisite software. Read the following scenario and identify these values in the spaces provided before you are prompted during installation.

Note: If a product is already installed, InstallShield does not prompt you for the installation directory. In addition, keep in mind that easy installation is only supported with using an LDAP-based registry.

Table 11. Tivoli Access Manager Runtime System Installation Worksheet

IBM Tivoli Access Manager Runtime    Default Value                                              Your Value
Policy server host name                                                                         ____________________________
Policy server SSL port               7135                                                       ____________________________
Policy server CA certificate file    No value is required if you selected to allow other        ____________________________
                                     Tivoli Access Manager runtime systems to download the
                                     default certificate file during policy server installation
LDAP server host name                                                                           ____________________________
LDAP server port                     389                                                        ____________________________

SSL with the LDAP server is enabled by default. You are prompted for the following values:

Key file with full path              You must copy the default pd_ldapkey.kdb file from the     ____________________________
                                     IBM Directory server to a directory on this system
Key file password                    gsk4ikm                                                    ____________________________
LDAP SSL key file DN (if required)   No value is required if you use the default                ____________________________
                                     pd_ldapkey.kdb key file
SSL port number                      636                                                        ____________________________

Note: You are not prompted for configuration options for GSKit and the IBM Directory client. In addition, SSL is automatically enabled with the IBM Directory server.

To install and configure a Tivoli Access Manager runtime system, follow these steps:

1. Ensure that your LDAP server and the policy server are up and running and that you are logged on as the root administrator.

2. Manually copy the SSL key file that you used to configure the LDAP server to a directory on this system. For example, copy the default pd_ldapkey.kdb file from the /var/ldap/keytab directory on the IBM Directory server system to the /var/ldap/keytab directory on this system.

3. Install a supported platform-specific JRE. For instructions, see one of the following:

v On AIX systems, see page 45.

v On HP-UX systems, see page 55.

v On Red Hat Linux systems, see page 64.

v On Solaris systems, see page 71.

4. Select the language that you want to use for the installation and click OK.

5. To begin the InstallShield Wizard for the Tivoli Access Manager runtime, click Next.


6. Read the license agreement. Select to accept the terms and click Next.

7. Complete the following fields and press Next.

v Policy server host name — Type the host name of the policy server system.

v Policy server SSL port — The policy server SSL port is already provided (7135). If you changed this port number, modify this value.

v Policy server CA Certificate File — For the Tivoli Access Manager runtime to authenticate the other Tivoli Access Manager servers that it connects to, it must have a copy of the pdcacert.b64 file that the policy server generated during configuration. Do one of the following:

– If you enabled the policy server to allow the download of the pdcacert.b64 file, no value is required.

– If you did not enable the policy server to download this certificate file, type the fully qualified path where you copied the pdcacert.b64 file on this system.


8. Type the host name of the LDAP server system. The LDAP server port is already provided (389). If necessary, modify this port and press Next to continue.


9. Review the configuration options. Select Next to begin the installation.

10. The installation process begins. This process could take several minutes.

11. Continue monitoring the installation of the Tivoli Access Manager runtime and the creation of the uninstallation program. When installation has completed, you are notified that runtime installation completed successfully.


To exit this program, click Finish as shown:

If you encounter an error during installation, you can view the /tmp/msg__amismp.log file.

Setting up a Web Portal Manager system

The following scenario uses the ezinstall_pdwpm script to install and configure a Tivoli Access Manager runtime system with the Web Portal Manager interface. This script installs and configures all necessary software on your system, including prerequisite products, Tivoli Access Manager components, and associated patches.

Table 12 lists configuration options for Web Portal Manager and its prerequisite software. Read the following scenario and identify these values in the spaces provided before you are prompted during installation.

Table 12. Web Portal Manager System Installation Worksheet

IBM HTTP Server Configuration              Default Value                                    Your Value
Administration ID                          Detected by easy installation (the ID used       ____________________________
                                           to sign onto the system)
Administration Password                                                                     ____________________________
HTTP Port                                  80                                               ____________________________

IBM Tivoli Access Manager Runtime          Default Value                                    Your Value
Configure Using This Registry Type         ldap                                             ____________________________
LDAP Server Hostname                                                                        ____________________________
LDAP Server Port                           389                                              ____________________________
Access Manager Policy Server Hostname                                                       ____________________________
SSL Server Port                            7135                                             ____________________________
Policy Server CA Certificate Filename      If you enabled the policy server to allow the    ____________________________
                                           download of the certificate file, no value
                                           is required
 
IBM Tivoli Access Manager Web Portal Manager   Default Value                                Your Value
PDADMIN Login Name                         sec_master                                       ____________________________
Security Master Password                                                                    ____________________________

To install and configure a Tivoli Access Manager system with the Web Portal Manager interface, follow these steps:

1. Ensure that your LDAP server and the policy server are up and running and that you are logged on as the root administrator.

2. Ensure that you have a Web browser installed that supports the Web Portal Manager interface. For supported browsers, see the IBM Tivoli Access Manager Release Notes.

3. Run the ezinstall_pdwpm script, located in the root directory on the IBM Tivoli Access Manager Web Portal Manager CD for your particular UNIX platform.

If you previously ran an easy installation file on this system, you are prompted to use a stored response file. To continue with this scenario, press N. For more information about response files, see Appendix B, “Tivoli Access Manager configuration reference”, on page 179.

A window similar to the following is displayed. To start the installation process, press Enter and supply configuration information when prompted.

Note: If you previously installed the Tivoli Access Manager runtime component on this system, the Status column indicates that the IBM Global Security Toolkit, the IBM Directory client, and the Tivoli Access Manager runtime component are already installed.

4. Type the password associated with the root ID you used to log onto this system and press Enter. Keep in mind that easy installation upgrades the IBM HTTP Server version installed with IBM WebSphere Application Server. It also installs a required IBM HTTP Server patch.

Note: Option 3 specifies the port used by the IBM HTTP Server. If you installed an LDAP server that does not use IBM HTTP Server and you are installing Web Portal Manager on the same system, ensure that the ports are different. You can either change the value for option 3 during easy installation or edit the /usr/HTTPServer/conf/httpd.conf file and change default port 80 to 8080 as shown:

   # Port: The port the standalone listens to.
   Port 8080

5. To continue, type Y and press Enter. Next, type the host name of the LDAP server and press Enter. This is the name of the host system where you installed the IBM Directory server. For example, pdsun3 was the host name of the IBM Directory server used in the previous scenario. You can either enter the short or fully qualified host name, such as pdsun3.dev.company.com.

6. Type the host name of the policy server and press Enter.

7. For the Tivoli Access Manager runtime to authenticate the other Tivoli Access Manager servers that it connects to, it must have a copy of the CA certificate file that the policy server generated during configuration.

Do one of the following:

v If you enabled the policy server to allow the download of the pdcacert.b64 file, press Enter. No value is required.

v If you did not enable the policy server to automatically download this certificate file, type the fully qualified path where you copied the pdcacert.b64 file on this system and press Enter.


8. To continue, type Y and press Enter. Next, enter the security master ID (sec_master) password, which was created during installation of the policy server. To continue, type Y and press Enter.


9. The installation process begins. Products are installed in the sequence listed. The components are then configured and Web Portal Manager is installed. The Tivoli Access Manager Java runtime environment is also silently installed with the Web Portal Manager component.

10. Continue monitoring the installation of the products listed. This process could take several minutes. Wait for the process to complete. When installation has completed, the status for all products is Configured as shown:

11. Before you start the Web Portal Manager interface, ensure that the WebSphere Application Server is running. To do so, run the startServer.sh script in one of the following directories:

v On AIX systems:

/usr/WebSphere/AppServer/bin

v On Solaris systems:

/opt/WebSphere/AppServer/bin


Note: The configuration process automatically configures the IBM WebSphere Application Server for SSL communication over port 443.

12. SSL support is enabled automatically between your browser and the IBM HTTP Server through a default SSL key file and stash file. These files are provided for evaluation use only. You must acquire your own certificate and replace the following files on your system:

/var/PolicyDirector/keytab/pdwpm.kdb
   Specifies the key database file. The path of the file is specified in the httpd.conf file.

/var/PolicyDirector/keytab/pdwpm.sth
   Specifies the file where the key database password is stored.

13. To access the Web Portal Manager interface, enter the following address in your Web browser:

https://hostname/pdadmin

where hostname is the name of the host running the IBM HTTP Server.

Note: For secure communications with the IBM HTTP Server, you must now use https instead of http.

A secure connection dialog is displayed, along with the Web Portal Manager welcome screen.

Note: If you encounter an error during installation, you can view the /var/ezinstall_pdwpm.log file.
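The scenarios in this chapter copy pd_ldapkey.kdb and pdcacert.b64 between systems by hand, leave the key database on the shipped default password gsk4ikm until you change it with gsk5ikm, and install an evaluation-only pdwpm.kdb and pdwpm.sth stash file. The POSIX shell script below is an added example, not part of the IBM guide or of the ezinstall scripts: it checks that a copied key or stash file is owned by root and closed to group and others, flags a key-database password that is still the default, and compares the SHA-256 digest of a copied pdcacert.b64 with the digest taken on the policy server. The command-line paths, the expected digest, and the files built in the checks are assumptions or constructed values.

```shell
#!/bin/sh
# Added example (not from the IBM guide): pre-configuration checks for the SSL
# key file and CA certificate that the easy installation scenarios copy between
# the IBM Directory server, policy server and runtime systems.
# Paths given on the command line and the expected digest are assumptions.

# Password of the evaluation pd_ldapkey.kdb shipped on the CD (stated in the guide).
DEFAULT_KDB_PASSWORD="gsk4ikm"

# check_keyfile FILE [OWNER]
# Succeeds when FILE is a regular file owned by OWNER (default root) whose
# group and other permission bits are all cleared; prints the reason otherwise.
# Use it on pd_ldapkey.kdb and on the pdwpm.kdb / pdwpm.sth pair alike.
check_keyfile() {
    f="$1"
    want_owner="${2:-root}"
    [ -f "$f" ] || { echo "missing key file: $f"; return 1; }
    owner=$(ls -ld "$f" | awk '{print $3}')
    [ "$owner" = "$want_owner" ] ||
        { echo "key file $f is owned by $owner, expected $want_owner"; return 1; }
    # Columns 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ] ||
        { echo "key file $f is accessible to group or others (mode $perms)"; return 1; }
    return 0
}

# check_kdb_password PASSWORD
# Fails when the key database password is still the shipped default; the guide
# says to change it with gsk5ikm, after which this check passes.
check_kdb_password() {
    if [ "$1" = "$DEFAULT_KDB_PASSWORD" ]; then
        echo "key database still uses the shipped default password"
        return 1
    fi
    return 0
}

# ca_fingerprint FILE
# Prints the SHA-256 digest of FILE. Run it on the policy server against
# /var/PolicyDirector/keytab/pdcacert.b64, then on each runtime system against
# the copy; a truncated or altered copy produces a different digest.
ca_fingerprint() {
    [ -f "$1" ] || { echo "missing CA file: $1" >&2; return 1; }
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_ca_copy FILE EXPECTED_DIGEST
# Succeeds only when the local copy matches the digest taken on the policy server.
verify_ca_copy() {
    actual=$(ca_fingerprint "$1") || return 1
    if [ "$actual" != "$2" ]; then
        echo "pdcacert.b64 digest mismatch: expected $2, got $actual"
        return 1
    fi
    return 0
}

# preflight KEYFILE KDB_PASSWORD CACERT EXPECTED_DIGEST [OWNER]
# Runs every check and reports all failures before returning non-zero.
preflight() {
    rc=0
    check_keyfile "$1" "${5:-root}" || rc=1
    check_kdb_password "$2" || rc=1
    verify_ca_copy "$3" "$4" || rc=1
    [ "$rc" -eq 0 ] && echo "preflight checks passed"
    return "$rc"
}

# Command-line use on a runtime system before running install_pdrte, e.g.:
#   sh preflight.sh /var/ldap/keytab/pd_ldapkey.kdb "$KDB_PASSWORD" \
#       /var/PolicyDirector/keytab/pdcacert.b64 "$DIGEST_FROM_POLICY_SERVER"
if [ $# -ge 4 ]; then
    preflight "$@"
    exit $?
fi
```

Take the digest on the policy server with ca_fingerprint and carry it to the runtime system separately from the certificate file itself; the script exits non-zero when any check fails.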


Chapter 10. Windows easy installation scenarios

This appendix provides the following scenarios using easy installation files on a Windows platform:

v “Setting up the IBM Directory server system”

v “Setting up the Tivoli Access Manager policy server system” on page 129

v “Setting up a Tivoli Access Manager runtime system” on page 137

v “Setting up a Web Portal Manager system” on page 139 

Before you begin

v Install all operating system patches and review system requirements listed in the IBM Tivoli Access Manager for e-business Release Notes.

v Ensure that you set up Tivoli Access Manager systems in the order listed in the “Installation process” on page 6.

Essential components in a secure domain include a supported registry and the Tivoli Access Manager policy server. For the purpose of these scenarios, the following conditions exist:

v IBM Directory server is installed and configured as the Tivoli Access Manager registry.

v Secure Sockets Layer (SSL) communication is enabled between the IBM Directory server and its LDAP clients.

Setting up the IBM Directory server system

The following scenario uses the ezinstall_ldap_server.bat file to install and configure IBM Directory server as the Tivoli Access Manager registry. This batch file installs and configures all necessary software on your system, including prerequisite products, Tivoli Access Manager components, and associated patches.

Table 13 lists configuration options for IBM Directory server and its prerequisite software. Read the following scenario and identify these values in the spaces provided before you are prompted during installation.

Table 13. IBM Directory server Installation Worksheet

IBM DB2 Configuration | Default Value | Your Value
Administration ID | db2admin | ____________________________
Administration Password | | ____________________________
Installation Directory | C:\Program Files\SQLLIB | ____________________________

IBM HTTP Server Configuration | Default Value | Your Value
Administration ID | Easy installation detects the administration ID used to sign onto the system. | ____________________________
Administration Password | | ____________________________
HTTP Port | 80 | ____________________________
Installation Directory | C:\Program Files\IBM HTTP Server | ____________________________

© Copyright IBM Corp. 2001, 2003 123


Table 13. IBM Directory server Installation Worksheet (continued)

IBM Global Security Toolkit | Default Value | Your Value
Installation Directory | C:\Program Files\IBM\GSK | ____________________________

IBM Directory server Configuration | Default Value | Your Value
LDAP Administrator ID (DN) | cn=root | ____________________________
LDAP Administrator Password | | ____________________________
LDAP Server Hostname | Easy installation detects and fills in the host name of your system. | ____________________________
LDAP DN for GSO Database | Suggest: o=tivoli,c=us | ____________________________
LDAP Server Port | 389 | ____________________________
LDAP SSL Keyfile | cd_drive:\common\pd_ldapkey.kdb | ____________________________
LDAP SSL Key File Password | gsk4ikm | ____________________________
SSL Client Certificate Label | PDLDAP | ____________________________
Installation Directory | C:\Program Files\IBM\LDAP | ____________________________

To install and configure IBM Directory server and its prerequisite software, follow these steps:

Notes:

v If an existing version of IBM Directory server exists, remove it.

v On Windows systems, you are prompted intermittently to restart your system. Exit from all running programs before running easy installation.

1. Log onto your Windows system as the Administrator user or with an ID that is a member of the Administrators group.

2. A default SSL LDAP key file (pd_ldapkey.kdb) is copied to your system during easy installation. If you are enabling SSL and plan to use a different SSL key file, ensure that you manually copy the SSL key file that you plan to use to a directory on this system.

3. Run the ezinstall_ldap_server.bat file, located in the root directory on the IBM Tivoli Access Manager Base for Windows CD.

If you previously ran an easy installation file on this system, you are prompted to use a stored response file. To continue with this scenario, press N. For more information about response files, see Appendix B, “Tivoli Access Manager configuration reference”, on page 179.

A window similar to the following is displayed. This shows the current status of the products required for the IBM Directory server. To start the installation process, press Enter and supply configuration information when prompted.

4. Create a password for the DB2 administration ID, entering it again for confirmation.

Note: You are prompted to re-enter all new passwords for confirmation.

Note: Easy installation does not prompt you to change default values. However, you can change these values at the end of each set of configuration options (as shown in step 6 on page 126). Simply type the option’s associated number, change its value, and press Enter.

5. To continue, type Y and press Enter. Next, type the password associated with the administration ID you used to log onto this system (value specified in Option 1) and press Enter.

6. To continue, type Y and press Enter. To install GSKit in the default directory, type Y and press Enter.

7. Create a password for the LDAP Administrator ID, entering it again for confirmation.

8. You are prompted to enter an LDAP DN for the GSO database. This is the distinguished name of the location in the LDAP server directory information tree (DIT) where you want global signon (GSO) metadata to be located. You can either enter a suffix or specify the DN of an existing LDAP DIT location. For example, enter o=tivoli,c=us to create a new suffix for GSO metadata.

Note: The LDAP DN for the GSO database is required regardless of whether you implement a single signon solution with Tivoli Access Manager. For more information about the LDAP DN for the GSO database, see “LDAP server configuration overview” on page 17.

9. After you enter the LDAP DN for the GSO database, you have the opportunity to modify any of the IBM Directory server configuration options. For example, if you do not want to use the default LDAP SSL Keyfile (option 6), type 6 and press Enter to change its value. If you change the SSL key file value, also ensure that you change values for options 7 and 8 accordingly.

10. If you did not change the default value for option 6 (LDAP SSL Keyfile), you are prompted to press Enter to copy the cd_drive:\common\pd_ldapkey.kdb file to the c:\keytabs directory on your system.

Notes:

v Option 7 (LDAP SSL Key File Password) is the password associated with the default pd_ldapkey.kdb file. This default password is gsk4ikm. When you decide to change this password using the gsk5ikm utility, you must recall this password.

v If you changed the default pd_ldapkey.kdb file in option 6, you are not prompted to copy this key file. You must copy this key file manually to your LDAP server system.


11. To continue, type Y and press Enter. The installation process begins for IBM Directory server and its prerequisite product. After DB2 is installed, press Enter to restart the system automatically.

12. After your system is restarted, the IBM Directory server is installed with required LDAP patches as shown. After IBM Directory server is installed, press Enter to restart your system again.


13. After your system is restarted, continue monitoring the installation of the IBM Directory server and its prerequisite products. This process could take several minutes. Wait for the process to complete. When installation has completed, the status for all products is Configured as shown:

If you encounter an error during installation, you can view the ezinstall.log file located in the temporary directory, which is the value specified by the %TEMP% variable.

Setting up the Tivoli Access Manager policy server system

After you have successfully completed installing your LDAP registry, the next step is to set up your policy server. The following scenario uses the ezinstall_pdmgr.bat file to install and configure the policy server. This batch file installs and configures all necessary software on your system, including prerequisite products, Tivoli Access Manager components, and associated patches.

This scenario installs the policy server on the same system as the registry installed in “Setting up the IBM Directory server system” on page 123. This is useful when prototyping a deployment or developing and testing an application. In an actual deployment, however, it is recommended that these servers be installed on separate systems. Note that the only difference in a separate system setup is that the installation process also installs the IBM Global Security Toolkit and IBM Directory client.

Table 14 lists configuration options for the Tivoli Access Manager policy server and its prerequisite software. Read the following scenario and identify these values in the spaces provided before you are prompted during installation.

Table 14. Tivoli Access Manager Policy Server Installation Worksheet

IBM Tivoli Access Manager Runtime Configuration | Default Value | Your Value
Configure Using This Registry | ldap | ____________________________
LDAP Server Hostname | | ____________________________
LDAP Server Port | 389 | ____________________________
LDAP DN for GSO Database | Be sure to specify the same DN that you used to configure the LDAP server. | ____________________________
Enable SSL with LDAP server | Recommended: Y | ____________________________

If you enable SSL with the LDAP server, you are prompted for the next four values:


Table 14. Tivoli Access Manager Policy Server Installation Worksheet (continued)

LDAP SSL Keyfile | | ____________________________
LDAP SSL Keyfile DN | Value not required if using the default SSL key file. | ____________________________
LDAP SSL Key File Password | gsk4ikm | ____________________________
LDAP Server SSL Port | 636 | ____________________________
Installation Directory | C:\Program Files\Tivoli\Policy Director | ____________________________

IBM Tivoli Access Manager Policy Server Configuration | Default Value | Your Value
LDAP Administration ID (DN) | cn=root | ____________________________
LDAP Administration Password | | ____________________________
Security Master Password | | ____________________________
SSL Server Port | 7135 | ____________________________
Policy Server SSL Certificate Lifetime | 365 | ____________________________
Enable Download of Certificates | Recommended: Y | ____________________________

To install and configure the Tivoli Access Manager policy server, follow these steps:

1. Ensure that you are logged onto your Windows system as the Administrator user or with an ID that is a member of the Administrators group.

2. Do one of the following:

v If you are installing the policy server on a separate system, manually copy the SSL key file to a directory on this system. For example, copy the default pd_ldapkey.kdb file from the c:\keytabs directory on the IBM Directory server system to the c:\keytabs directory on this system.

v If you are installing the policy server on the same system where you installed the IBM Directory server, skip to step 3.

3. Run the ezinstall_pdmgr.bat file, located in the root directory on the IBM Tivoli Access Manager Base for Windows CD.

If you previously ran an easy installation file on this system, you are prompted to use a stored response file. To continue with this scenario, press N. For more information about response files, see Appendix B, “Tivoli Access Manager configuration reference”, on page 179.


A window similar to the following is displayed. To start the installation process, press Enter and supply configuration information when prompted.

If you plan to install the policy server on the same system as your LDAP server, the ezinstall_pdmgr.bat file detects that the IBM Global Security Toolkit and the IBM Directory client are already installed.

4. Type the host name of the LDAP server and press Enter. This is the name of the host system where you installed the IBM Directory server. For example, dliburdi2 was the host name used for the IBM Directory server in the previous scenario. You can either enter the short or fully qualified host name, such as dliburdi2.dev.company.com.

5. Type the LDAP DN for GSO database value that you entered during LDAP server configuration and press Enter. For example, o=tivoli,c=us was the suffix used in the previous scenario.

6. For security purposes, it is recommended that you enable SSL communication with the LDAP server. To do so, type Y and press Enter. Otherwise, enter N and skip to step 9 on page 133.

7. Type the fully qualified path where you copied the LDAP SSL client key file in step 2 on page 130 and press Enter. For example, if you copied the default pd_ldapkey.kdb file to the c:\keytabs directory, enter c:\keytabs\pd_ldapkey.kdb.

8. Type the password for the LDAP SSL client key file and press Enter. The default pd_ldapkey.kdb file shipped with easy installation has a default password of gsk4ikm. You can use this default password only if you installed and configured the IBM Directory server using this default key file.

Note: Option 7 specifies the label in the client GSKit key database file of the client certificate to be sent to the LDAP server. When enabling SSL using default values, this value is not required. This value is required only if the server is configured to require client authentication during SSL establishment or you want to use the non-default certificate in your key file. Typically, the LDAP server requires only server-side certificates that were specified during the creation of the client .kdb file.

9. To continue, type Y and press Enter. Next, type the password for the LDAP Administrator ID that you created when you installed the LDAP server and press Enter.

10. Create a password for the security master ID (sec_master), entering it again for confirmation. Use this administrative ID to define your own administrative IDs, groups, and their capabilities.

11. To continue, type Y and press Enter. Configuration of the Tivoli Access Manager policy server creates a default SSL certificate authority file named pdcacert.b64, which enables communication between the server and other Tivoli Access Manager runtime systems. You can simplify configuration by enabling Tivoli Access Manager runtime systems to download this file automatically. Otherwise, you must manually copy this file to each subsequent Tivoli Access Manager runtime system before configuring the system.

To enable automatic downloading of the SSL certificate authority file, type Y and press Enter.

Note: If you do not enable automatic downloading, the SSL certificate authority file is placed in the following directory:

install_dir\keytab\pdcacert.b64

For example:

c:\Program Files\Tivoli\Policy Director\keytab\pdcacert.b64


12. To continue, type Y and press Enter. The installation process begins for the products listed.

13. Press Enter to restart the system automatically.

14. After your system is restarted, continue monitoring the progress of the products listed. The runtime environment is configured only after the policy server is installed as shown:

15. When installation has completed, the status for all products is Configured as shown:

Note that if you encounter an error during installation, you can view the ezinstall.log file located in the temporary directory, which is the value specified by the TEMP variable.

16. After configuring the policy server, you can set up additional Tivoli Access Manager systems in your secure domain. For example, you can do the following:

v Run the install_pdrte.exe InstallShield program to install one or more runtime client systems (without the policy server). For instructions, see “Setting up a Tivoli Access Manager runtime system” on page 137.

v Run the ezinstall_pdwpm.bat file to install a Tivoli Access Manager runtime client with the Web Portal Manager interface. For instructions, see “Setting up a Web Portal Manager system” on page 139.

v Run the ezinstall_pdacld.bat file to set up an authorization server system.

v Run the ezinstall_pdauthADK.bat file to install a development system with the application development kit (ADK).


Setting up a Tivoli Access Manager runtime system

The following scenario uses the install_pdrte.exe InstallShield wizard to install and configure a Tivoli Access Manager runtime system. Unlike the other easy installation scripts, the install_pdrte.exe program uses an InstallShield wizard to step you through installation of a runtime system. All prerequisite products and Tivoli Access Manager components are installed and configured except for a platform-specific JRE, which must be installed manually.

Table 15 lists configuration options for the Tivoli Access Manager runtime and its prerequisite software. Read the following scenario and identify these values in the spaces provided before you are prompted during installation.

Note: If a product is already installed, InstallShield does not prompt you for the installation directory. In addition, keep in mind that easy installation is only supported with using an LDAP-based registry.

Table 15. Tivoli Access Manager Runtime System Installation Worksheet

IBM Global Security Toolkit | Default Value | Your Value
Directory name | C:\Program Files\IBM\GSK | ____________________________

IBM Directory Client | Default Value | Your Value
Directory name | C:\Program Files\IBM\ldapc | ____________________________

IBM Tivoli Access Manager Runtime | Default Value | Your Value
Directory name | C:\Program Files\Tivoli\Policy Director | ____________________________
Policy server host name | | ____________________________
Policy server SSL port | 7135 | ____________________________
Policy server CA certificate file | No value is required if you selected to allow other Tivoli Access Manager runtime systems to download the certificate file during policy server installation. | ____________________________
User registry selection | LDAP | ____________________________
LDAP server hostname | | ____________________________
LDAP server port | 389 | ____________________________
LDAP DN for GSO database | Be sure to specify the same DN that you used to configure the LDAP server. | ____________________________
Enable SSL with the IBM Directory server | Recommended: Y | ____________________________

If you enable SSL with the LDAP server, you are prompted for the following values:

Key file with full path | You must copy the default pd_ldapkey.kdb file from the IBM Directory server to a directory on this system. | ____________________________
Key file password | gsk4ikm | ____________________________
LDAP SSL key file DN (if required) | No value is required if you use the default pd_ldapkey.kdb key file. | ____________________________
SSL port number | 636 | ____________________________


To install and configure a Tivoli Access Manager runtime system, follow these steps:

1. Ensure that your LDAP server and the policy server are up and running and that you are logged onto your Windows system as the Administrator user (or with an ID that is a member of the Administrators group).

2. Manually copy the SSL key file that you used to configure the LDAP server to a directory on this system. For example, copy the default pd_ldapkey.kdb file from the c:\keytabs directory on the IBM Directory server system to the c:\keytabs directory on this system.

3. Install a supported platform-specific JRE. For instructions, see “Installing the platform-specific JRE” on page 82. 

4. Select the language that you want to use for the installation and click OK.

5. To begin the InstallShield Wizard for the Tivoli Access Manager runtime, click Next.

6. Read the license agreement. Select to accept the terms and click Next.

7. To install GSKit in the default directory, click Next.

8. To install the IBM Directory client in the default directory, click Next.

9. To install the Tivoli Access Manager runtime environment in the default directory, click Next.

10. Complete the following fields and press Next.

v Policy server host name—Type the host name of the policy server system.

v Policy server SSL port—The policy server SSL port is already provided (7135). If you changed this port number, modify this value.

v Policy server CA Certificate File—For the Tivoli Access Manager runtime to authenticate the other Tivoli Access Manager servers that it connects to, it must have a copy of the pdcacert.b64 file that the policy server generated during configuration. Do one of the following:

– If you enabled the policy server to allow the download of the pdcacert.b64 file, no value is required.

– If you did not enable the policy server to download this certificate file, type the fully qualified path where you copied the pdcacert.b64 file on this system.

Note: The user registry selection is LDAP. You cannot change this option.

11. Complete the following fields and press Next.

v LDAP server host name—Type the host name of the LDAP server system.

v LDAP server port—The LDAP server port is already provided (389). Modify this port number if needed.

v LDAP DN for GSO database—Type the suffix or existing DN value that you entered during LDAP server configuration. For example, o=tivoli,c=us was the suffix used in the previous scenario.

v Enable Secure Sockets Layer (SSL) with the IBM Directory server—For security purposes, it is recommended that you enable SSL with the LDAP server. To do so, select this check box to be prompted for the SSL options listed in step 12. Otherwise, skip to step 13.

12. If you selected to enable SSL with the LDAP server, complete the following fields and select Next.

v Key file with full path—Type the fully qualified path where the LDAP SSL client key file is located. For example, if you copied the pd_ldapkey.kdb file to the c:\keytabs directory, enter c:\keytabs\pd_ldapkey.kdb.


v Key file password—Type the password associated with the key file. The default password for the pd_ldapkey.kdb file is gsk4ikm. In the future, when you change this password using the gsk5ikm utility, you must recall this default password.

v LDAP SSL key file DN (if required)—The SSL certificate label is not required if using the easy installation default key file (pd_ldapkey.kdb).

v SSL port number—The SSL port number is already provided (636). Modify the port number if needed.

13. Review the configuration options that are displayed. Select Next to begin the installation.

14. The installation process begins. This process could take several minutes. Wait for the runtime installation process to complete.

15. Click Next to restart the system automatically.

16. After your system is restarted, select the language you want to use to continue the installation and click OK.

17. Continue monitoring the installation of the Tivoli Access Manager runtime and the creation of the uninstallation program. When installation has completed, you are notified that runtime installation completed successfully. To exit this program, click Finish.

If you encounter an error during installation, you can view the msg__amismp.log file located in the temporary directory, which is the value specified by the TEMP variable.
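Before starting the InstallShield wizard, it is worth checking the filled-in worksheet values (Table 15) once, since the wizard only tells you about a missing key file or CA file after several restarts. The following Python preflight check is an added example, not part of the IBM guide or the product: the defaults it tests against (ports 7135, 389 and 636, pd_ldapkey.kdb, the shipped password gsk4ikm, pdcacert.b64) come from the worksheet, while the dictionary keys, the sample host pdmgr.example.com and the placeholder files it writes to a temporary directory are this example's own assumptions.

```python
import os
import re
import tempfile

# Defaults taken from the guide's runtime worksheet (Table 15).
DEFAULT_POLICY_SSL_PORT = 7135
DEFAULT_LDAP_PORT = 389
DEFAULT_LDAP_SSL_PORT = 636
DEFAULT_KEY_FILE = "pd_ldapkey.kdb"
DEFAULT_KEY_FILE_PASSWORD = "gsk4ikm"   # shipped with the default key file
CA_FILE = "pdcacert.b64"

# Loose syntax checks: "attr=value" components joined by commas (o=tivoli,c=us),
# and host labels that may be short (dliburdi2) or fully qualified.
DN_RE = re.compile(r"^[A-Za-z][\w-]*=[^,=]+(,[A-Za-z][\w-]*=[^,=]+)*$")
HOST_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*$")


def _valid_port(value):
    return isinstance(value, int) and not isinstance(value, bool) and 1 <= value <= 65535


def validate_runtime_worksheet(ws):
    """Check a filled-in worksheet (a dict) and return (errors, warnings).

    Errors would stop the wizard or leave the runtime unable to connect;
    warnings are settings the guide advises against keeping.
    """
    errors, warnings = [], []
    for key in ("policy_server_host", "ldap_server_host"):
        if not HOST_RE.match(str(ws.get(key, ""))):
            errors.append(f"{key}: host name is missing or malformed")
    for key in ("policy_server_ssl_port", "ldap_server_port"):
        if not _valid_port(ws.get(key)):
            errors.append(f"{key}: not a valid TCP port")
    if not DN_RE.match(str(ws.get("gso_dn", ""))):
        errors.append("gso_dn: must be an LDAP DN such as o=tivoli,c=us and must "
                      "match the value used when the LDAP server was configured")
    # The CA file is needed only when download was not enabled on the policy server.
    if not ws.get("policy_server_allows_ca_download", False):
        ca = str(ws.get("policy_server_ca_file", ""))
        if not ca or not os.path.isfile(ca):
            errors.append(f"policy_server_ca_file: {CA_FILE} must be copied to this "
                          "system because automatic download was not enabled")
        elif os.path.basename(ca) != CA_FILE:
            warnings.append(f"policy_server_ca_file: expected a file named {CA_FILE}")
    if not ws.get("enable_ssl_with_ldap", False):
        warnings.append("enable_ssl_with_ldap: disabled; the guide recommends Y")
        return errors, warnings
    kdb = str(ws.get("ldap_key_file", ""))
    if not kdb or not os.path.isfile(kdb):
        errors.append("ldap_key_file: copy the LDAP SSL client key file "
                      f"(for example {DEFAULT_KEY_FILE}) to this system first")
    elif os.path.basename(kdb).lower() != DEFAULT_KEY_FILE and not ws.get("ldap_key_file_dn"):
        warnings.append("ldap_key_file_dn: a non-default key file may need its certificate label")
    if ws.get("ldap_key_file_password") == DEFAULT_KEY_FILE_PASSWORD:
        warnings.append("ldap_key_file_password: still the shipped default; change it "
                        "with gsk5ikm once installation completes")
    if not _valid_port(ws.get("ldap_ssl_port")):
        errors.append("ldap_ssl_port: not a valid TCP port")
    return errors, warnings


def sample_worksheet(allow_ca_download=True):
    """Constructed worksheet; writes placeholder key and CA files to a temp directory."""
    keytabs = tempfile.mkdtemp(prefix="keytabs_")
    kdb = os.path.join(keytabs, DEFAULT_KEY_FILE)
    ca = os.path.join(keytabs, CA_FILE)
    for path in (kdb, ca):
        with open(path, "wb") as fh:
            fh.write(b"placeholder, not a real key database\n")
    return {
        "policy_server_host": "pdmgr.example.com",   # constructed host name
        "policy_server_ssl_port": DEFAULT_POLICY_SSL_PORT,
        "policy_server_allows_ca_download": allow_ca_download,
        "policy_server_ca_file": "" if allow_ca_download else ca,
        "ldap_server_host": "dliburdi2",              # short host name from the guide
        "ldap_server_port": DEFAULT_LDAP_PORT,
        "gso_dn": "o=tivoli,c=us",
        "enable_ssl_with_ldap": True,
        "ldap_key_file": kdb,
        "ldap_key_file_password": DEFAULT_KEY_FILE_PASSWORD,
        "ldap_key_file_dn": "",
        "ldap_ssl_port": DEFAULT_LDAP_SSL_PORT,
    }


if __name__ == "__main__":
    for label, allow in (("download enabled", True), ("download disabled", False)):
        errs, warns = validate_runtime_worksheet(sample_worksheet(allow))
        print(label, "errors:", errs, "warnings:", warns)
```

With the shipped defaults the check reports no errors but warns that the key file password is still gsk4ikm, the same point the note under step 12 makes.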

Setting up a Web Portal Manager system

The following scenario uses the ezinstall_pdwpm.bat file to install and configure a Tivoli Access Manager runtime system with the Web Portal Manager interface. This batch file installs and configures all necessary software on your system, including prerequisite products, Tivoli Access Manager components, and associated patches.

Table 16 lists configuration options for Web Portal Manager and its prerequisite software. Read the following scenario and identify these values in the spaces provided before you are prompted during installation.

Table 16. Web Portal Manager System Installation Worksheet

IBM Global Security Toolkit | Default Value | Your Value
Directory name | C:\Program Files\IBM\GSK | ____________________________

IBM HTTP Server Configuration | Default Value | Your Value
Administration ID | Easy installation detects the administration ID used to sign onto the system. | ____________________________
Administration Password | | ____________________________
HTTP Port | 80 | ____________________________
Installation Directory | C:\Program Files\IBM HTTP Server | ____________________________

IBM Directory Client | Default Value | Your Value
Installation Directory | C:\Program Files\IBM\LDAP | ____________________________

IBM Tivoli Access Manager Runtime | Default Value | Your Value
Configure Using This Registry Type | ldap | ____________________________
LDAP Server Hostname | | ____________________________


Table 16. Web Portal Manager System Installation Worksheet (continued)

LDAP Server Port | 389 | ____________________________
LDAP DN for GSO Database | Be sure to specify the same DN that you used to configure the LDAP server. | ____________________________
Enable SSL with LDAP Server | Recommended: Y | ____________________________

If you enable SSL with the LDAP server, you are prompted for the next four values:

LDAP SSL Keyfile | | ____________________________
LDAP SSL Keyfile DN | Value not required if using the default SSL key file. | ____________________________
LDAP SSL Key File Password | gsk4ikm | ____________________________
LDAP Server SSL Port | 636 | ____________________________
Installation Directory | C:\Program Files\Tivoli\Policy Director | ____________________________
Access Manager Policy Server Hostname | | ____________________________
SSL Server Port for AM Policy Server | 7135 | ____________________________
Policy Server CA Certificate Filename | If you enabled the policy server to allow the download of the certificate file, no value is required. | ____________________________

To install and configure a Tivoli Access Manager system with the Web Portal Manager interface, follow these steps:

1. Ensure that your LDAP server and the policy server are up and running and that you are logged onto your Windows system as the Administrator user (or with an ID that is a member of the Administrators group).

2. Manually copy the SSL key file that you used to configure the LDAP server to a directory on this system. For example, copy the default pd_ldapkey.kdb file from the c:\keytabs directory on the IBM Directory server system to the c:\keytabs directory on this system.

3. Ensure that you have a Web browser installed that supports the Web Portal Manager interface. For supported browsers, see the IBM Tivoli Access Manager for e-business Release Notes.

4. Run ezinstall_pdwpm.bat, located in the root directory on the IBM Tivoli Access Manager Web Portal Manager for Windows CD.

If you previously ran an easy installation file on this system, you are prompted to use a stored response file. To continue with this scenario, press N. For more information about response files, see Appendix B, “Tivoli Access Manager configuration reference”, on page 179.


A window similar to the following is displayed. To start the installation process, press Enter and supply configuration information when prompted.

Note: If you previously installed the Tivoli Access Manager runtime component on this system, the Status column indicates that the IBM Global Security Toolkit, the IBM Directory client and the Tivoli Access Manager runtime components are already installed. In this case, skip to step 15 on page 146.

5. To install GSKit in the default directory, type Y and press Enter.

6. Type the password associated with the administration ID you used to log onto this system (value specified in option 1) and press Enter. Keep in mind that easy installation upgrades the IBM HTTP Server version installed with IBM WebSphere Application Server. It also installs a required IBM HTTP Server patch.

Note: Option 3 specifies the port used by the IBM HTTP Server. If you installed an LDAP server that does not use IBM HTTP Server and you are installing Web Portal Manager on the same system, ensure that the Web server ports are different. You can either change the value for option 3 during easy installation or edit the C:\Program Files\IBM HTTP Server\conf\httpd.conf file and change default port 80 to 8080 as shown:

    # Port: The port the standalone listens to.
    Port 8080

7. To continue, type Y and press Enter. Next, press Enter to install the IBM Directory client in the default directory.

8. Type the host name of the LDAP server and press Enter. This is the name of the host system where you installed the IBM Directory server. For example, dliburdi2 was the host name of the IBM Directory server used in the previous scenario. You can either enter the short or fully qualified host name, such as dliburdi2.dev.company.com.

9. Type the LDAP DN for GSO database value that you entered during LDAP server configuration and press Enter. For example, o=tivoli,c=us was the suffix used in the previous scenario.


10. To enable SSL with the LDAP server, type Y and press Enter. 

11. Type the fully qualified path where the LDAP SSL client key file is located and press Enter. For example, if you copied the pd_ldapkey.kdb file to the c:\keytabs directory, type c:\keytabs\pd_ldapkey.kdb and press Enter.

12. Type the password for the LDAP SSL client key file and press Enter. The pd_ldapkey.kdb file included with easy installation has a default password of gsk4ikm. Use this default password only if you installed and configured the IBM Directory server using the ezinstall_ldap_server.bat file or if you specified this default key file during native installation.

Note: If you decide to change this password using the gsk5ikm utility, you must recall this default password.

13. To continue, type Y and press Enter. Next, type the host name of the policy server and press Enter.

14. For the Tivoli Access Manager runtime to authenticate the other Tivoli Access Manager servers that it connects to, it must have a copy of the CA certificate file that the policy server generated during configuration.

Do one of the following:

• If you enabled the policy server to allow the download of the pdcacert.b64 file, press Enter. No value is required.

• If you did not enable the policy server to automatically download this certificate file, type the fully qualified path where you copied the pdcacert.b64 file on this system and press Enter.

15. To continue, type Y and press Enter. Next, type the password associated with the administration ID you used to log onto this system (value specified in option 1) and press Enter.

16. To continue, type Y and press Enter. The installation process begins. Products are installed in the sequence listed. When installation for the IBM WebSphere Application Server begins, notifications and messages are shown as follows:

17. The installed components are then configured and the Web Portal Manager is installed. The Tivoli Access Manager Java runtime environment is also silently installed with the Web Portal Manager component.

To complete installation of a runtime client system with the Web Portal Manager, press Enter to restart the system automatically.

18. Before you start the Web Portal Manager interface, ensure that the WebSphere Application Server is running. To do so, click Start → Programs → IBM WebSphere → Application Server 4.0 → Start Application Server.

Note: The configuration process automatically configures the IBM WebSphere Application Server for SSL communication over port 443.

19. SSL support is enabled automatically between your browser and the IBM HTTP Server through a default SSL key file and stash file. These files are provided for evaluation use only. You must acquire your own certificate and replace the following files on your system:


C:\Program Files\Tivoli\Policy Director\keytab\pdwpm.kdb
    Specifies the key database file. The path of the file is specified in the httpd.conf file.

C:\Program Files\Tivoli\Policy Director\keytab\pdwpm.sth
    Specifies the file where the key database password is stored.

20. To access the Web Portal Manager interface, enter the following address in your Web browser:

https://hostname/pdadmin

where hostname is the name of the host running the IBM HTTP Server.

Note: For secure communications with the IBM HTTP Server, you must now use https instead of http.

A secure connection dialog is displayed, along with the Web Portal Manager welcome screen.

Note: If you encounter an error during installation, you can view the ezinstall.log file located in the temporary directory, which is the value specified by the TEMP variable.


Chapter 11. Using easy installation response files

Tivoli Access Manager allows you to create response files to streamline the installation and configuration of easy installation components. A response file is a text file that contains the product and system information needed to install and configure components. It is useful for performing unattended (silent) installations. The installation process reads the information from the response file instead of prompting you to fill in the blanks. You can also reuse a response file for future installations, using a text editor to add components or to customize options.

This chapter includes the following sections:

• “Creating a response file”

• “Installing components using a response file”

• “Response file examples (ezinstall)” on page 150

• “Response file options” on page 152

Note: Considerations for response files are the same as those for easy installation.

Creating a response file

You can create a response file from scratch using any text editor, or you can use ezinstall scripts to automatically generate response files based on the responses that you supply during installation.

On UNIX systems, the response file is named based on the package that you installed and configured. For example, if you run the ezinstall_ldap_server script, the response file that is generated is named ezinstall_ldap_server.rsp. Response files for each package that you run are stored in the /var/tmp directory.

On Windows systems, easy installation generates a response file named ezinstall.rsp. This response file resides in the temporary directory that is the value specified by the %TEMP% variable. For example, if you run the ezinstall_ldap_server.bat file, the response file that is generated is named %TEMP%\ezinstall.rsp.

Note that the install_pdrte InstallShield program works a bit differently than the ezinstall scripts and batch files. To create a Tivoli Access Manager runtime response file, you must copy a template provided on the Tivoli Access Manager Base CD to your hard drive and edit its values. Templates are located in the following directories and are named as follows:

• On UNIX systems:

/common/unixismp.rsp.template

• On Windows systems:

\common\winismp.rsp.template

Installing components using a response file

To use a response file to install Tivoli Access Manager components, follow these basic steps:

1. Edit the response file to check its syntax and to ensure that the information is accurate. For descriptions of the stanzas in the response file, see “Response file options” on page 152. Note that for all ezinstall processes (except install_pdrte), you can supply actual passwords for the values or wait until you are prompted for passwords when ezinstall is run with the response file. If using install_pdrte, you must supply all required values or the process fails.

2. Run the easy installation script and specify the response file. For example:

• On UNIX systems, enter the following:

ezinstall_ldap_server /tmp/ezinstall_ldap_server.rsp

where /tmp/ezinstall_ldap_server.rsp is the fully qualified name of the response file.

• On Windows systems, enter the following:

ezinstall_ldap_server c:\temp\ezinstall.rsp

where c:\temp\ezinstall.rsp is the fully qualified name of the response file.

3. To run the install_pdrte process with a response file, enter the following:

install_pdrte -options response_file

where response_file is the fully qualified path to the response file. This usage applies to both Windows and UNIX systems.

Note: After installation, it is recommended that you secure or erase the generated response file.

Response file examples (ezinstall)

A response file contains stanzas of attribute=value pairs. A stanza starts with a line containing the stanza name in brackets, for example, [LDAPS], and ends either when another line begins with another stanza name in brackets or when the end of the file is reached. Each stanza contains zero or more attribute=value pairs. A stanza name cannot be repeated more than once in a response file. Comments can be added to a response file by using the character # before the comment.

The following examples illustrate response files generated from easy installation scripts. Note that easy installation pauses during configuration to allow you to specify any missing values.

Note: The default key file password for the IBM Directory client is gsk4ikm.

UNIX example

[HTTPD]
http-admin-id = root
http-admin-pwd = secret
http-port = 80

[LDAPS]
ldap-adminid = cn=root
ldap-password = secret
suffix = o=tivoli,c=us
host = ldapserv.tivoli.com
port = 389
ldap-ssl-client-keyfile = /cdrom/common/pd_ldapkey.kdb
ldap-ssl-client-keyfile-pwd = gsk4ikm
ldap-label = PDLDAP

[PDRTE]
ldap-or-domino = 1
host = ldapserv.tivoli.com
port = 389
ldap-server-ssl-port = 636
master-host = pdmgr.tivoli.com
pd-cacert =
enable-ssl = Y
ssl-client-keyfile = /var/ldap/keytab/pd_ldapkey.kdb
ssl-keyfile-pwd = gsk4ikm
ssl-port = 7135

[PDMGR]
ldap-adminid = cn=root
ldap-password = secret
ssl-life = 365
ssl-port = 7135
sec-master-pwd = secret
enable-cert-download = Y
prompt-languages = N

Windows example

[PDRTE]
registry-type=ldap
ldap-server=ldapserv.tivoli.com
ldap-port=389
ldap-ssl-port=636
pdmgr-host=pdmgr.tivoli.com
cacert=
enable-ssl=Y
ssl-client-keyfile=c:\keytabs\pd_ldapkey.kdb
ssl-client-keyfile-dn=
suffix=o=tivoli,c=us
pdmgr_ssl_port=7135
pdc_dir=C:\Program Files\Tivoli\Policy Director
ssl-client-keyfile-pwd=gsk4ikm

[PDMGR]
ldap-admin-id=cn=root
ldap-admin-pwd=secret
ssl-port=7135
cert-life=365
enable-cert-download=Y
sec-master-pwd=secret

[DB2]
admin-pwd=db2admin
install_dir=C:\SQLDIR

[HTTPD]
admin-id=administrator
admin-pwd=secret
port=80
install_dir=C:\Program Files\IBM HTTP Server

[LDAPS]
admin-id=cn=root
admin-pwd=secret
hostname=ldapserv.tivoli.com
server-port=389
suffix=o=tivoli,c=us
ssl-client-keyfile=c:\keytabs\pd_ldapkey.kdb
ssl-client-keyfile-pwd=gsk4ikm
label=PDLDAP

[PDACLD]
admin-id=cn=root
admin-pwd=secret
sec-master-pwd=secret

[LDAP]
install_dir=C:\Program Files\IBM\LDAP
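Generated ezinstall response files hold the LDAP administrator, HTTP administrator, key file and sec_master passwords in the clear, which is why the guide recommends securing or erasing them after installation. The following added example (not part of IBM's easy installation tooling) parses a response file according to the stanza rules stated above, lists the password values still present, and writes a copy with those values blanked so that ezinstall prompts for them at run time. The sample file, the list of password keywords (taken from the option tables in this chapter) and the rule that only whole-line # comments are treated as comments are assumptions of this example; the password values are dummies.

```python
"""Parse, check and redact an ezinstall response file.

Added example, not part of IBM's easy installation tooling.  It implements
the rules the guide states for the stanza format: a stanza starts with a
bracketed name, attribute=value pairs follow it, a line starting with '#'
is a comment, and a stanza name may not be repeated.  Treating only
whole-line '#' comments as comments is an assumption, made so that a
password containing '#' is not truncated.
"""
import re

# Constructed sample, modelled on the guide's UNIX response file example.
SAMPLE_RSP = """\
# generated by ezinstall_ldap_server
[HTTPD]
http-admin-id = root
http-admin-pwd = secret
http-port = 80

[LDAPS]
ldap-adminid = cn=root
ldap-password = secret
suffix = o=tivoli,c=us
host = ldapserv.tivoli.com
port = 389
ldap-ssl-client-keyfile = /cdrom/common/pd_ldapkey.kdb
ldap-ssl-client-keyfile-pwd = gsk4ikm
ldap-label = PDLDAP
"""

STANZA_RE = re.compile(r"^\[([^\]]+)\]$")

# Keywords the guide's option tables describe as passwords.
PASSWORD_KEYS = {
    "http-admin-pwd", "ldap-password", "ldap-ssl-client-keyfile-pwd",
    "ssl-keyfile-pwd", "sec-master-pwd", "admin-pwd", "ldap-admin-pwd",
    "ssl-client-keyfile-pwd",
}


def parse_response_file(text):
    """Return {stanza: {keyword: value}}.

    Raises ValueError for a repeated stanza name or for an attribute line
    that appears before any stanza header.
    """
    stanzas = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = STANZA_RE.match(line)
        if match:
            name = match.group(1)
            if name in stanzas:
                raise ValueError(f"line {lineno}: stanza [{name}] repeated")
            current = stanzas.setdefault(name, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"line {lineno}: unexpected text {raw!r}")
        key, _, value = line.partition("=")   # values such as cn=root contain '='
        current[key.strip()] = value.strip()
    return stanzas


def cleartext_passwords(stanzas):
    """List (stanza, keyword) pairs whose password value is still filled in."""
    return [(name, key) for name, pairs in stanzas.items()
            for key, value in pairs.items() if key in PASSWORD_KEYS and value]


def redact(stanzas):
    """Return response file text with every password value blanked.

    ezinstall (except install_pdrte) prompts for a password it does not
    find in the file, so the redacted copy can be kept for reuse.
    """
    lines = []
    for name, pairs in stanzas.items():
        lines.append(f"[{name}]")
        for key, value in pairs.items():
            lines.append(f"{key} = {'' if key in PASSWORD_KEYS else value}")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_response_file(SAMPLE_RSP)
    for stanza, key in cleartext_passwords(parsed):
        print(f"cleartext password in [{stanza}] {key}")
    print(redact(parsed))
```

Run against a real ezinstall_ldap_server.rsp, the redacted output keeps the host names, ports, suffix and key file paths, so the file can be reused for a later install while the passwords are supplied interactively.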

Response file examples (install_pdrte)

A response file contains -W attribute=value pairs. The attributes consist of a wizard panel bean name followed by a period, and then followed by an option name. The bean names are built into the install_pdrte process and cannot be modified. Comments can be added to a response file by using the character # before the comment. The following examples illustrate response templates contained on the CD in the /common directory. For readability, the required option descriptions have been placed between less than (<) and greater than (>) characters. Ensure that you replace the entire string to the right of the equal sign (=).

Note: The default key file password for the IBM Directory client is gsk4ikm.

UNIX example

# To run the process in silent mode, specify -silent either here or on the cmd line.
-silent
-W AMRTE_ServerOptions_Panel.hostName=<Policy Server Hostname>
-W AMRTE_ServerOptions_Panel.listeningPort=7135
-W AMRTE_ServerOptions_Panel.certFile=
-W AMRTE_LDAP_Options_Panel.ldapHostName=<LDAP Server Hostname>
-W AMRTE_LDAP_Options_Panel.ldapPortNumber=389
-W AMRTE_LDAP_Options_Panel.enableSSL=N
-W AMRTE_LDAPSSLOptions_Panel.sslPort=636
-W AMRTE_LDAPSSLOptions_Panel.keyFile=
-W AMRTE_LDAPSSLOptions_Panel.keyFilePasswd=
-W AMRTE_LDAP_Options_Panel.ldapDNGSO=<dn for gso database - example: o=tivoli,c=us>

Windows example

# To run the process in silent mode, specify -silent either here or on the cmd line.
-silent
-W GSKIT_Panel.installDirectory=c:\Program Files\IBM\gskit
-W LDAPC_Panel.installDirectory=c:\Program Files\LDAP
-W AMRTE_Panel.installDirectory=c:\Program Files\Tivoli\Policy Director
-W AMRTE_ServerOptions_Panel.hostName=<Policy Server Hostname>
-W AMRTE_ServerOptions_Panel.listeningPort=7135
-W AMRTE_ServerOptions_Panel.certFile=
-W AMRTE_LDAP_Options_Panel.ldapHostName=<LDAP Server Hostname>
-W AMRTE_LDAP_Options_Panel.ldapPortNumber=389
-W AMRTE_LDAP_Options_Panel.enableSSL=N
-W AMRTE_LDAPSSLOptions_Panel.sslPort=636
-W AMRTE_LDAPSSLOptions_Panel.keyFile=
-W AMRTE_LDAPSSLOptions_Panel.keyFilePasswd=
-W AMRTE_LDAP_Options_Panel.ldapDNGSO=<dn for gso database - example: o=tivoli,c=us>
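Because install_pdrte does not prompt for missing values and fails instead, a silent run is easiest to debug before it starts. The following added example (not part of the product) parses the -W bean.option=value lines of an edited template, reports every <...> placeholder that was not replaced, and, when enableSSL=Y, requires the LDAP SSL key file and its password to be filled in. The bean and option names are those of the template above; the partly completed sample file is constructed for the example.

```python
"""Pre-flight check for an install_pdrte response file.

Added example, not part of the product.  The guide says install_pdrte
fails unless every required value is supplied and that each <...> option
description in the shipped template must be replaced in full; this script
checks those two points before a silent run.
"""
import re

# Constructed sample: the guide's UNIX template, only partly completed.
SAMPLE_OPTIONS = """\
# To run the process in silent mode, specify -silent either here or on the cmd line.
-silent
-W AMRTE_ServerOptions_Panel.hostName=pdmgr.tivoli.com
-W AMRTE_ServerOptions_Panel.listeningPort=7135
-W AMRTE_ServerOptions_Panel.certFile=
-W AMRTE_LDAP_Options_Panel.ldapHostName=<LDAP Server Hostname>
-W AMRTE_LDAP_Options_Panel.ldapPortNumber=389
-W AMRTE_LDAP_Options_Panel.enableSSL=Y
-W AMRTE_LDAPSSLOptions_Panel.sslPort=636
-W AMRTE_LDAPSSLOptions_Panel.keyFile=
-W AMRTE_LDAPSSLOptions_Panel.keyFilePasswd=
-W AMRTE_LDAP_Options_Panel.ldapDNGSO=o=tivoli,c=us
"""

OPTION_RE = re.compile(r"^-W\s+(\w+)\.(\w+)=(.*)$")   # -W bean.option=value
PLACEHOLDER_RE = re.compile(r"<[^>]*>")               # unreplaced template text


def parse_pdrte_options(text):
    """Return ({(bean, option): value}, [flags]) from a response file."""
    options, flags = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = OPTION_RE.match(line)
        if match:
            options[(match.group(1), match.group(2))] = match.group(3).strip()
        elif line.startswith("-"):
            flags.append(line)          # a bare flag such as -silent
        else:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    return options, flags


def find_problems(options):
    """Return the reasons a silent install_pdrte run would fail."""
    problems = []
    for (bean, option), value in options.items():
        if PLACEHOLDER_RE.search(value):
            problems.append(f"{bean}.{option} still holds template text {value!r}")
    # The guide's SSL dependency: with enableSSL=Y the key file and its
    # password are required values.
    if options.get(("AMRTE_LDAP_Options_Panel", "enableSSL"), "N").upper() == "Y":
        for option in ("keyFile", "keyFilePasswd"):
            if not options.get(("AMRTE_LDAPSSLOptions_Panel", option)):
                problems.append(
                    f"enableSSL=Y but AMRTE_LDAPSSLOptions_Panel.{option} is empty")
    return problems


if __name__ == "__main__":
    opts, flags = parse_pdrte_options(SAMPLE_OPTIONS)
    for problem in find_problems(opts):
        print("problem:", problem)
    if "-silent" not in flags:
        print("note: -silent is not in the file; pass it on the command line")
```

On the sample file the check reports the LDAP host placeholder and the two empty SSL values; once they are filled in it reports nothing and the file can be passed with install_pdrte -options.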

Response file options

The following tables show the various stanza-keyword options available for use in a response file. The stanza names are used for readability on UNIX platforms.


UNIX response file options

Stanza Name  Keyword                      Description
[HTTPD]      http-admin-id                Specifies the administrator’s user name. The default is Administrator.
[HTTPD]      http-admin-pwd               Specifies the administrator’s password.
[HTTPD]      http-port                    Specifies the port that HTTPD uses.
[LDAPS]      ldap-adminid                 Specifies the LDAP administrator ID or Distinguished Name (DN). The default is cn=root.
[LDAPS]      ldap-password                Specifies the LDAP administrator password.
[LDAPS]      host                         Specifies the LDAP server host name. The default is the host name of the system being configured.
[LDAPS]      server-port                  Specifies the LDAP server non-SSL port number. The default port number is 389.
[LDAPS]      suffix                       Specifies the LDAP distinguished name for the global signon (GSO) database. For example, o=tivoli,c=us.
[LDAPS]      ldap-ssl-client-keyfile      Specifies the path to the LDAP SSL key file. The default is /common/pd_ldapkey.kdb, which is shipped on the CD. If this file is used, the password of gsk4ikm and the server-side label of PDLDAP are required.
[LDAPS]      ldap-ssl-client-keyfile-pwd  Specifies the password associated with the key file. If using the default of media/common/pd_ldapkey.kdb, the password is gsk4ikm.
[LDAPS]      ldap-label                   Specifies the label associated with the SSL key file. If using the default of media/common/pd_ldapkey.kdb, the label is PDLDAP.
[PDMGR]      ldap-adminid                 Specifies the LDAP administrator ID. The default is cn=root. This ID is created during the configuration of the LDAP server.
[PDMGR]      ldap-password                Specifies the LDAP administrator password.
[PDMGR]      port                         Specifies the LDAP server non-SSL port. The default port number is 389.
[PDMGR]      ssl-life                     Specifies the lifetime of the certificate file (pdcacert.b64). The default is 365 days.
[PDMGR]      enable-cert-download         Specifies whether Tivoli Access Manager runtime environments on other systems can automatically download the certificate file (pdcacert.b64). Valid values are Y (enable) or N (disable).
[PDMGR]      sec-master-pwd               Specifies the security master password.
[PDACLD]     ldap-adminid                 Specifies the LDAP administrator ID. The default is cn=root. This ID is created during the configuration of the LDAP server.
[PDACLD]     ldap-password                Specifies the LDAP administrator password.
[PDACLD]     sec-master-pwd               Specifies the security master password. This password is created during the configuration of the policy server.

Windows response file options

Stanza Name  Win32 Keyword           Description
[DB2]        admin-pwd               Specifies the administrator’s password. If you log in to a Windows system as Administrator, use the default password of db2admin.
[DB2]        admin-uid               Specifies the administrator’s user name. If you log in to a Windows system as Administrator, use the default password of db2admin.
[DB2]        install_dir             Specifies the installation directory (WIN32 only). Specify the drive and directory. For example: C:\SQLDIR
[HTTPD]      admin-id                Specifies the administrator’s user name. The default is Administrator.
[HTTPD]      admin-pwd               Specifies the administrator’s password.
[HTTPD]      port                    Specifies the port that HTTPD uses.
[HTTPD]      install_dir             Specifies the installation directory. Specify the drive and directory. For example: C:\Program Files\IBM HTTP Server
[LDAP]       install_dir             Specifies the installation directory (WIN32 only). Specify the drive and directory. For example: C:\Program Files\IBM\LDAP. The LDAP client and server software reside in this directory.
[LDAPS]      admin-id                Specifies the LDAP administrator ID or Distinguished Name (DN). The default is cn=root.
[LDAPS]      admin-pwd               Specifies the LDAP administrator password.
[LDAPS]      hostname                Specifies the LDAP server host name. The default is the host name of the system being configured.
[LDAPS]      server-port             Specifies the LDAP server non-SSL port number. The default port number is 389.
[LDAPS]      suffix                  Specifies the LDAP distinguished name for the global signon (GSO) database. For example, o=tivoli,c=us.
[LDAPS]      ssl-client-keyfile      Specifies the path to the LDAP SSL key file. The default is /common/pd_ldapkey.kdb, which is shipped on the CD. If this file is used, the password of gsk4ikm and the server-side label of PDLDAP are required.
[LDAPS]      ssl-client-keyfile-pwd  Specifies the password associated with the key file. If using the default of media/common/pd_ldapkey.kdb, the password is gsk4ikm.
[LDAPS]      label                   Specifies the label associated with the SSL key file. If using the default of media/common/pd_ldapkey.kdb, the label is PDLDAP.
[GSKIT]      install_dir             Specifies the installation directory (WIN32 only). Specify the drive and path. For example: C:\Program Files\IBM\GSK
[PDMGR]      ldap-admin-id           Specifies the LDAP administrator ID. The default is cn=root. This ID is created during the configuration of the LDAP server.
[PDMGR]      ldap-admin-pwd          Specifies the LDAP administrator password.
[PDMGR]      ssl-port                Specifies the LDAP server non-SSL port. The default port number is 389.
[PDMGR]      cert-life               Specifies the lifetime of the certificate file (pdcacert.b64). The default is 365 days.
[PDMGR]      enable-cert-download    Specifies whether Tivoli Access Manager runtime environments on other systems can automatically download the certificate file (pdcacert.b64). Valid values are Y (enable) or N (disable).
[PDMGR]      sec-master-pwd          Specifies the security master password.
[PDACLD]     admin-id                Specifies the LDAP administrator ID. The default is cn=root. This ID is created during the configuration of the LDAP server.
[PDACLD]     admin-pwd               Specifies the LDAP administrator password.
[PDACLD]     sec-master-pwd          Specifies the security master password. This password is created during the configuration of the policy server.
[WEB]        install_dir             Specifies the installation directory for IBM WebSphere Application Server, Advanced Single Server, which is a prerequisite for the Web Portal Manager. Specify the drive and directory. For example: C:\WebSphere\AppServer


Appendix A. Enabling Secure Sockets Layer

It is recommended that you enable Secure Sockets Layer (SSL) communication between your LDAP or Domino server and IBM Directory clients that support IBM Tivoli Access Manager software.

Note: If you used easy installation to install the IBM Directory server, you can skip the instructions in this appendix. The ezinstall_ldap_server script steps you through the process of enabling SSL while, at the same time, installing and configuring this LDAP server and its prerequisites.

To enable SSL communication, you must first configure SSL on the server, and then configure SSL on the IBM Directory client. During SSL configuration, you are prompted to choose one of the following authentication types:

Server authentication
    The server sends its certificate to the client and the client authenticates the server.

Server and client authentication
    After the server has sent its certificate to the client and has been authenticated by the client, the server requests the client’s certificate. In this case, a certificate needs to be established for the client system as well as the server.

If you choose to implement server authentication only, you must configure your server and IBM Directory clients for SSL access. However, if you choose to implement server and client authentication, you must configure SSL on the server, configure SSL on the client, and then follow instructions in “Configuring LDAP server and client authentication” on page 172.

This chapter contains the following main sections:

• “Configuring the IBM Directory server for SSL access”

• “Configuring the iPlanet Directory Server for SSL access” on page 162

• “Configuring the Novell eDirectory server for SSL access” on page 167

• “Configuring the IBM Directory client for SSL access” on page 169

• “Configuring OS/390 and z/OS LDAP servers for SSL access” on page 165

• “Configuring LDAP server and client authentication” on page 172

• “Enabling SSL for Domino” on page 176

Configuring the IBM Directory server for SSL access

You can enable the use of SSL to protect communication between the Tivoli Access Manager servers and the LDAP server. This step needs to be done only the first time SSL communication is set up between the LDAP server and the IBM Directory client.

If you previously enabled SSL access to the LDAP server during the LDAP server configuration, you must copy a client and server key ring pair to each additional Tivoli Access Manager system that uses SSL access.


If SSL access is required by your LDAP server, use GSKit to perform SSL key management. GSKit provides a graphical key management utility named gsk5ikm.

Note: For complete instructions on how to use the gsk5ikm utility to enable SSL, see the IBM SecureWay Installation and Configuration Guide.

To enable SSL access on the IBM Directory server, complete the instructions in the following sections:

• “Creating the key database file and the certificate” on page 158

• “Obtaining a personal certificate from a certificate authority” on page 159 or “Creating and extracting a self-signed certificate” on page 159

• “Enabling SSL access” on page 160

Creating the key database file and the certificate

To enable SSL support on the LDAP server, the server must have a certificate that identifies it and that it can use as a personal certificate. This personal certificate is the certificate that the server sends to the client to allow the client to authenticate the server. The certificates and the public and private key pair are stored in a key database file. A user typically acquires a signed certificate from a certificate authority, such as VeriSign.

Alternatively, a user can use a self-signed certificate. If the user is using a self-signed certificate, the system on which the certificate is generated becomes the certificate authority.

Use the gsk5ikm utility to create the key database file and the certificate. To create the key database file and certificate (self-signed or signed), follow these steps:

1. Ensure that the supported version of GSKit and gsk5ikm are installed on both the LDAP server and any IBM Directory clients that will be using SSL.

Note: On a SuSE SLES-7 2.4 kernel system only, ensure that the correct C++ library is used by the GSKit utilities. To do so, enter the following command:

export LD_PRELOAD=/usr/lib/libstdc++libc6.1-2.so.3

This environment variable is not required if you run gsk5ikm on a 2.2 kernel system.

2. Start the gsk5ikm utility, which is located in one of the following default directories:

System Path

AIX /usr/opt/lpp/ibm/gsk5/bin/gsk5ikm

HP-UX /opt/ibm/gsk5/bin/gsk5ikm

Linux /usr/local/ibm/gsk5/bin/gsk5ikm

Solaris /opt/IBM/GSK5/bin/gsk5ikm

Windows C:\Program Files\IBM\GSK5\bin\GSK5ikm.exe

Note: On Linux for zSeries only, to run the gsk5ikm utility, an X-windows session is required and IBM Java, Version 1.3.1, must be accessible through the PATH environment variable as follows:

export PATH=/opt/IBMJava2-s390-131/jre/bin:$PATH

IBM Java Runtime Environment, Version 1.3.1, can be downloaded from the IBM Java for Linux site at:

http://www6.software.ibm.com/dl/lxdk/lxdk-p

3. To create a new key database file, select Key Database File → New.

4. Verify that the CMS key database file is the selected key database type.

5. Type the information in the File Name and Location fields where you want the key database file to be located. A key database file’s extension is .kdb.

6. Click OK.

7. Enter the key database file password, and confirm it. Remember this password because it is required when the key database file is edited.

8. Accept the default expiration time, or change it to your organization’s requirements.

9. If you want the password to be masked and stored into a stash file, select Stash the password to a file.

A stash file can be used by some applications so that the application does not have to know the password to use the key database file. The stash file has the same location and name as the key database file and has an extension of .sth.

10. Click OK. This completes the creation of the key database file. There is a set of default signer certificates. These signer certificates are the default certificate authorities that are recognized.

Obtaining a personal certificate from a certificate authority

If you plan to use a certificate from a certificate authority instead of a self-signed certificate, you must request the certificate from the certificate authority and then receive it after it has been completed.

If you plan to use a self-signed certificate, skip this section and go to “Creating and extracting a self-signed certificate”.

To request and receive a certificate, follow these steps:

1. Use gsk5ikm to request a certificate from a certificate authority and then receive the new certificate into your key database file.

2. Click the Personal Certificate Requests section of the key database file.

3. Click New.

4. To produce a request that can be sent to the certificate authority, complete the information and then click OK.

5. To install the certificate to your key database file after the certificate authority returns it, click the Personal Certificates section and then click Receive.

6. After you have the LDAP server’s certificate in the key database file, configure the LDAP server to enable SSL.

Continue to “Enabling SSL access” on page 160. 

Creating and extracting a self-signed certificate

If you obtained a certificate from a known certificate authority, as described in “Obtaining a personal certificate from a certificate authority”, skip this section and go to “Enabling SSL access” on page 160.

To create a new self-signed certificate and store it into the key database file, follow these steps:


1. Select Create → New Self-Signed Certificate.

2. Type a name in the Key Label field that GSKit can use to identify this new certificate in the key database. For example, the label can be the system name of the LDAP server.

3. Accept the defaults for the Version field (X509 V3) and for the Key Size field.

4. Either accept the default system name or enter a different distinguished name in the Common Name field for this certificate.

5. Enter a company name in the Organization field.

6. Complete any optional fields or leave them blank.

7. Either accept the defaults for the Country field and 365 for the Validity Period field or change them to suit your organization’s requirements.

8. Click OK. GSKit generates a new public and private key pair and creates the certificate.

If you have more than one personal certificate in the key database file, GSKit queries if you want this key to be the default key in the database. You can accept one of them as the default. The default certificate is used at runtime when a label is not provided to select which certificate to use.

This completes the creation of the LDAP server’s personal certificate. It is displayed in the Personal Certificates section of the key database file. Use the middle bar of the key management utility to select between the types of certificates kept in the key database file.

The certificate also is displayed in the Signer Certificates section of the key database file. When you are in the Signer Certificates section of the key database, verify that the new certificate is there.

Next, you must extract your LDAP server’s certificate to a Base64-encoded ASCII data file.

9. Use gsk5ikm to extract your LDAP server’s certificate to a Base64-encoded ASCII data file. This file is used in “Adding a signer certificate” on page 171.

10. Highlight the self-signed certificate that you just created.

11. Click Extract Certificate.

12. Click Base64-encoded ASCII data as the data type.

13. Type a certificate file name for the newly extracted certificate. The certificate file’s extension is usually .arm.

14. Type the location where you want to store the extracted certificate.

15. Click OK.

16. Copy this extracted certificate to the IBM Directory client system.

You can now configure the LDAP server to enable SSL. Continue to “Enabling SSL access”.

Enabling SSL access

To configure the LDAP server to enable SSL, ensure that the LDAP server is installed and running and then follow these steps.

For Linux on zSeries systems only, you must manually update the slapd32.conf file to configure the LDAP server to enable SSL. To do so, update the cn=SSL,cn=Configuration entry in the slapd32.conf file similar to the example shown:

dn: cn=SSL, cn=Configuration
cn: SSL
ibm-slapdSecurePort: 636
#ibm-slapdSecurity must be one of none/SSL/SSLOnly
ibm-slapdSecurity: SSL
#ibm-slapdSslAuth must be one of serverAuth/serverClientAuth
ibm-slapdSslAuth: serverauth
ibm-slapdSslCertificate: ldapcert
#ibm-slapdSslCipherSpecs must be decimal value of bits in the mask 0x3F00
ibm-slapdSslCipherSpecs: 12288
#ibm-slapdSslKeyDatabase must be location of the key database
# If a password stash file is present, the password need not be specified
ibm-slapdSslKeyDatabase: /usr/ldap/etc/key.kdb
objectclass: top
objectclass: ibm-slapdSSL

No further action is required.

For all systems except Linux on zSeries, do the following:

1. Access the IBM Directory server Web administration tool at the following address:

http://servername/ldap

where servername is the name of the LDAP server system.

2. Log on as the LDAP administrator (for example, cn=root) if you are not already logged on.

3. Select Security → SSL → Settings.

4. Click either SSL On, which enables SSL, or click SSL Only for the SSL status that you want to set. For example:

5. Choose one of the following authentication methods:

• Server Authentication

For server authentication, the server sends its certificate to the client and the client authenticates the server.

• Server and Client Authentication

For server and client authentication, after the server has sent its certificate to the client and has been authenticated by the client, the server requests the client’s certificate. In this case, a certificate needs to be established for the client system also.

SSL — IBM Directory server

Appendix A. Enabling SSL 161

Page 180: Am41 Install

7/28/2019 Am41 Install

http://slidepdf.com/reader/full/am41-install 180/242

You must establish the certificate for the client when enabling SSL access forthe client in “Configuring LDAP server and client authentication” onpage 172.

6. Type a port number, or accept the default port number of 636.

7. Type the key database path and file name that you specified in “Creating the key database file and the certificate” on page 158. The key database file’s extension is .kdb.

8. Type the name in the Key Label field that you used to identify it when you stored the LDAP server’s certificate in the key database. For example, the label might be the system name of the LDAP server.

9. Enter the key database file password and confirm it. You can leave the password field blank if you want the LDAP server to use the stash file.

10. Click Apply.

11. Click the restart the server link to restart the LDAP server and allow this change to take effect.

To test that SSL has been enabled, type the following command from an LDAP server command line:

ldapsearch -h servername -Z -K keyfile -P key_pw -b "" -s base objectclass=*

The command variables are as follows:

Variable    Description
servername  The DNS host name of the LDAP server.
keyfile     The fully qualified path name of the generated key ring.
key_pw      The password of the generated key ring.

The ldapsearch command returns the LDAP base information, which includes the suffixes on the LDAP server.

The LDAP server SSL setup is now complete.

Next, set up the IBM Directory client for SSL access. Continue to “Configuring the IBM Directory client for SSL access” on page 169.

Configuring the iPlanet Directory Server for SSL access

SSL allows the data that is transmitted between the Tivoli Access Manager services and iPlanet Directory Server to be encrypted to provide data privacy and integrity. It is recommended that administrators enable SSL to protect information such as user passwords and private data. However, SSL is not required for Tivoli Access Manager to operate.

This procedure needs to be done only the first time SSL communication is set up between the iPlanet Directory Server and IBM Directory clients. To enable SSL communication, both iPlanet Directory Server and the IBM Directory clients must be configured.

For complete information about enabling SSL access on iPlanet Directory Server, see the iPlanet Directory Server documentation.

Complete the instructions in the following sections:

v “Obtaining a server certificate” on page 163

v “Installing the server certificate” on page 164

v “Enabling SSL access” on page 164

Obtaining a server certificate

To enable SSL support, iPlanet Directory Server requires a certificate that proves its identity to client systems. The server sends the certificate to the client to enable the client to authenticate the server. This certificate is called a Server-Cert.

Use the iPlanet Console 5.0 and the Certificate Setup Wizard to establish the Server-Cert:

1. Start the iPlanet Console 5.0.

2. Enter the user ID for the LDAP administrator.

3. Enter the password.

4. Enter the administration Web address.

5. Select the domain to be used by Tivoli Access Manager.

6. Expand the server name.

7. Expand Server Group.

8. Select the entry labeled Directory Server. Configuration information about iPlanet Directory Server is displayed.

9. Click Open. The iPlanet Directory Server is accessed.

10. Click the Configuration tab.

11. Click the Encryption tab.

12. Verify that the Enable SSL for this server check box is not selected.

13. Click the Tasks tab and then click Manage Certificates.

Note: The private key for the certificate is stored on an internal security device called a token, which is password protected. The first time that you click the Manage Certificates button, you are prompted to create the password for this token.

14. Enter the Security password twice and then click OK. The Manage Certificates window is displayed.

15. In the Security Device pull-down, ensure that internal (software) is selected and that the Server Certs tab is selected.

16. Click the Request button at the bottom of the window. The Certificate Request Wizard panel is displayed.

17. Ensure that the Request certificate manually button is selected and click Next.

18. Enter the requestor information and then click Next. Ensure that you complete all fields. When prompted to continue, click Yes.

19. Ensure that the Active Encryption token field states internal (software).

20. Enter the security device password and then click Next.

21. To save the certificate request to a file, click Save to File. To copy the request to the clipboard, click Copy to Clipboard. Then click Done to complete your request.

22. E-mail your request or attach the saved file and send your request to the certificate authority administrator.


Installing the server certificate

After you have received the certificate from the certificate authority, install it by completing the following steps:

1. Open the iPlanet Directory Server Console.

2. Click the Tasks tab and then click Manage Certificates.

3. Ensure that Server Certs is selected and then click Install.

4. Do one of the following:

v To install the certificate from a file, select In this local file.

v To paste the text in the window, select In the following encoded text block, copy the text of the certificate, and then click Paste from Clipboard.

5. Click Next.

6. Verify that the certificate information is correct and click Next.

7. In the This certificate will be named field, type a certificate name or accept the default name, server-cert, and then click Next.

8. Enter the token password and then click Done. If the process is successful, the Manage Certificate panel is displayed and the server certificate name is listed under the Server Certs tab.

9. Continue to “Enabling SSL access”.

Enabling SSL access

When you have exited the Certificate Setup Wizard, you are returned to the Encryption tab on the iPlanet Console 5.0.

1. Select Enable SSL.

2. Check RSA Cipher Family.

3. If you do not plan to require certificate-based client authentication, select Do not allow client authentication.

4. Click Save.

5. Restart iPlanet Directory Server for changes to take effect.

Note: You have to type the trust database password each time the server is started.

SSL is now enabled on iPlanet Directory Server. Next, you need to enable SSL on the IBM Directory client systems that will function as LDAP clients to iPlanet Directory Server.

See “Configuring the IBM Directory client for SSL access” on page 169.

Configuring OS/390 and z/OS LDAP servers for SSL access

When Tivoli Access Manager and LDAP services are not on the same protected network, it is recommended that you enable SSL communication between the LDAP server and the clients that support Tivoli Access Manager software. This protocol provides secure, encrypted communications between each server and client. Tivoli Access Manager uses these communications channels as part of the process for making authentication and authorization decisions.

To configure an LDAP server on OS/390 or z/OS for SSL communications, consult the LDAP Server Administration and Use manual for your particular release of OS/390 or z/OS. This document is located at:

http://www-1.ibm.com/servers/eserver/zseries/zos/bkserv/

The following high-level steps are required to enable SSL support for LDAP on z/OS releases 1.2 through 1.4. These steps assume that you have already installed and configured the LDAP directory server and installed z/OS Cryptographic Services System SSL.

1. Configure the LDAP server to listen for LDAP requests on the SSL port for server authentication and, optionally, client authentication.

2. Generate the LDAP server private key and server certificate and mark it as the default in the key database or use its label on the sslCertificate configuration file option.

3. Restart the LDAP server.

Setting up the security options

The following options for SSL can be set in the slapd.conf file:

listen ldap_URL
Specifies, in LDAP URL format, the IP address (or host name) and the port number where the LDAP server will listen to incoming client requests. This parameter may be specified more than one time in the configuration file.

sslAuth {serverAuth | serverClientAuth}
Specifies the SSL authentication method. The serverAuth method allows the LDAP client to validate the LDAP server on the initial contact between the client and the server. The serverAuth method is the default. With serverClientAuth, the server additionally requests the client’s certificate and uses it to authenticate the client.

sslCertificate {certificateLabel | none}
Specifies the label of the certificate that is used for server authentication. It is stored in the key database file, which is created and managed using the gskkyman tool.

sslCipherSpecs int
Specifies the SSL cipher specifications that will be accepted from clients.

Table 17. Supported ciphers

Cipher                        Hexadecimal value   Decimal value
SLAPD_SSL_RC4_MD5_US          0x0800              2048
SLAPD_SSL_RC4_SHA_US          0x0400              1024
SLAPD_SSL_TRIPLE_DES_SHA_US   0x0100              256
SLAPD_SSL_DES_SHA_EXPORT      0x0200              512
SLAPD_SSL_RC2_MD5_EXPORT      0x1000              4096
SLAPD_SSL_RC4_MD5_EXPORT      0x2000              8192

The integer value used with the sslCipherSpecs keyword is the decimal representation of the ORed bitmask defined by the hexadecimal values in Table 17. For example, to use all the available ciphers in the US, the value should be 15104 (0x3B00, which sets every bit in Table 17 except 0x0400; setting all six bits gives 0x3F00, or 16128). Outside the US, the value to indicate all valid cipher specs is 12288 (0x3000, that is, only the two 40-bit export ciphers SLAPD_SSL_RC2_MD5_EXPORT and SLAPD_SSL_RC4_MD5_EXPORT). In either case, clients that support any one of the enabled ciphers would be able to establish an SSL connection with the server.

sslKeyRingFile filename
Specifies the path and file name of the SSL key database file for the server. The file name must match the key database file name that was created using the gskkyman tool.

sslKeyRingFilePW string
Specifies the password protecting access to the SSL key database file. The password string must match the password to the key database file that was created using the gskkyman tool.

Note: Use of the sslKeyRingFilePW configuration option is strongly discouraged, because it places the key database password in clear text in the configuration file. As an alternative, use either the RACF key ring support or the sslKeyRingPWStashFile configuration option. This eliminates this password from the configuration file.

sslKeyRingPWStashFile filename
Specifies a file name where the password for the server’s key database file is stashed. If this option is present, then the password from this stash file overrides the sslKeyRingFilePW configuration option, if present. Use the gskkyman utility with the –s option to create a key database password stash file.
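The following is an added example, not code from the IBM guide. It parses the slapd.conf keyword/value options described above, decodes an sslCipherSpecs value against the bit values in Table 17 (and encodes one back), and reports the settings a reviewer would question: a plaintext ldap:// listener left beside the SSL one, export-grade cipher bits, bits outside the documented mask, and sslKeyRingFilePW without a stash file. The two configuration fragments at the bottom are constructed for the demonstration, and the use of an ldaps:// URL on the listen option for the SSL port is an assumption about the URL form.

```python
"""Audit the SSL options of a z/OS LDAP slapd.conf-style file.

Added example, not from the IBM guide. Decodes sslCipherSpecs against the
Table 17 bit values and flags weak or risky settings. The configuration
fragments at the bottom are constructed for the demo.
"""

# Bit values from Table 17 (the six ciphers the guide documents).
CIPHER_BITS = {
    0x0800: "SLAPD_SSL_RC4_MD5_US",
    0x0400: "SLAPD_SSL_RC4_SHA_US",
    0x0100: "SLAPD_SSL_TRIPLE_DES_SHA_US",
    0x0200: "SLAPD_SSL_DES_SHA_EXPORT",
    0x1000: "SLAPD_SSL_RC2_MD5_EXPORT",
    0x2000: "SLAPD_SSL_RC4_MD5_EXPORT",
}
DOCUMENTED_MASK = sum(CIPHER_BITS)  # 0x3F00: all six bits set


def decode_cipher_specs(value):
    """Split a decimal sslCipherSpecs value into (cipher names, undocumented bits)."""
    names = [name for bit, name in sorted(CIPHER_BITS.items()) if value & bit]
    return names, value & ~DOCUMENTED_MASK


def encode_cipher_specs(names):
    """Inverse of decode: OR together the Table 17 bits for the named ciphers."""
    by_name = {name: bit for bit, name in CIPHER_BITS.items()}
    return sum(by_name[name] for name in names)


def parse_slapd_conf(text):
    """Map each keyword to the list of values given for it (listen may repeat)."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) == 2 else ""
        options.setdefault(parts[0], []).append(value)
    return options


def audit_ssl_options(text):
    """Return a list of findings; an empty list means nothing to flag."""
    opts = parse_slapd_conf(text)
    findings = []

    listens = [url.lower() for url in opts.get("listen", [])]
    if not any(url.startswith("ldaps://") for url in listens):
        findings.append("no ldaps:// listen URL: the SSL port is not enabled")
    if any(url.startswith("ldap://") for url in listens):
        findings.append("plaintext ldap:// listener is still enabled")

    auth = opts.get("sslAuth", ["serverAuth"])[-1]  # serverAuth is the documented default
    if auth not in ("serverAuth", "serverClientAuth"):
        findings.append("sslAuth has unsupported value %r" % auth)

    if "sslCipherSpecs" in opts:
        value = int(opts["sslCipherSpecs"][-1])
        names, undocumented = decode_cipher_specs(value)
        if undocumented:
            findings.append("sslCipherSpecs %d sets bits outside Table 17: 0x%04X"
                            % (value, undocumented))
        export = [n for n in names if n.endswith("_EXPORT")]
        if export:
            findings.append("export-grade ciphers enabled: " + ", ".join(export))
        if not [n for n in names if not n.endswith("_EXPORT")]:
            findings.append("no non-export cipher is enabled")

    if "sslKeyRingFilePW" in opts and "sslKeyRingPWStashFile" not in opts:
        findings.append("sslKeyRingFilePW stores the key database password in the "
                        "configuration file; use sslKeyRingPWStashFile or a RACF key ring")
    return findings


# Constructed fragments (not from the guide). The first uses the "outside the
# US" value 12288 and keeps the password in the file; the second is corrected.
WEAK_CONF = """\
listen ldap://0.0.0.0:389
listen ldaps://0.0.0.0:636
sslAuth serverAuth
sslCertificate ldapcert
sslCipherSpecs 12288
sslKeyRingFile /etc/ldap/key.kdb
sslKeyRingFilePW secret
"""

HARDENED_CONF = """\
listen ldaps://0.0.0.0:636
sslAuth serverAuth
sslCertificate ldapcert
sslCipherSpecs 3328
sslKeyRingFile /etc/ldap/key.kdb
sslKeyRingPWStashFile /etc/ldap/key.sth
"""
# 3328 is 0x0D00: the three non-export suites (3DES-SHA, RC4-SHA, RC4-MD5).

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_ssl_options(conf) or ["ok"])
```

Decoding the guide’s own values shows what they mean: 12288 enables nothing but the two 40-bit export suites, and 15104 decodes to five of the six ciphers (the 0x0400 RC4-SHA bit is not set), so the audit separates "export-grade" from the rest only as far as Table 17 distinguishes them; all of these 2003-era suites are weak by current standards.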

Creating a key database file

The following example shows you how to use the gskkyman utility to create a key database file.

1. Start the gskkyman utility from a shell prompt (OMVS or rlogin session) as follows:

$ gskkyman

The gskkyman utility provides a menu-based interface. To perform a function, choose the option you want to perform by entering its number at the command prompt.

2. To create a new key database file, select option 1.

3. Enter the key database file name (key.kdb is the default).

4. Enter a password to protect the key database.

5. Re-enter the password for verification.

6. Enter the password expiration interval in days or press Enter to indicate no expiration date.

7. Enter the database record length or press Enter to use 2500.

The key database is created and a message is displayed indicating the success or failure of this operation.

8. From the Key Management Menu, select option 6 to create a self-signed certificate and follow the prompts.

9. After the certificate is created, you must extract this certificate so it can be sent to the LDAP client system and added as a trusted CA certificate. To do so, follow these steps:

a. Select option 1 to manage keys and certificates.

b. From the Key and Certificate List, enter the label number.

c. From the Key and Certificate Menu, enter option 6 to export the certificate to a file.

d. From the Export File Format dialog, select the export format. For example, select option 1 to export to Binary ASN.1 DER.

The certificate is exported. You can now transfer the exported file to the LDAP client system, and add it as a trusted CA certificate. Since the file format of binary DER was specified on the export, this same file type must be specified to the gsk5ikm utility on the LDAP client system, when doing the Add operation. Transfer the file in binary mode; a DER file that is converted as text in transit will not load.
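Both the gsk5ikm extraction earlier in this appendix (which writes a Base64-encoded ASCII .arm file) and the gskkyman export above (which writes binary DER) end with an Add operation that must be told the right data type. The following added example, not code from the IBM guide, decides the type from the file contents rather than the extension and converts between the two forms. It checks only the outer ASN.1 SEQUENCE framing (an X.509 certificate is a SEQUENCE), which is enough to catch the usual mistakes: a DER file corrupted by a text-mode transfer, a PEM body that does not decode cleanly, or trailing bytes. The sample DER values at the bottom are constructed minimal structures, not real certificates.

```python
"""Tell a Base64-encoded ASCII (.arm) certificate file from a binary DER one.

Added example, not from the IBM guide. Only the outer DER SEQUENCE framing is
validated; SHORT_DER and LONG_DER below are constructed, not real certificates.
"""
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


def der_length(data):
    """Encoded length of the leading DER SEQUENCE, or None if the framing is bad."""
    if len(data) < 2 or data[0] != 0x30:   # 0x30 is the SEQUENCE tag
        return None
    first = data[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def detect_format(data):
    """Return 'pem', 'der' or 'unknown' for the raw bytes of a certificate file."""
    if PEM_RE.search(data):
        return "pem"
    if der_length(data) == len(data):      # exactly one structure, no trailing bytes
        return "der"
    return "unknown"


def pem_to_der(data):
    """Decode the first PEM block; reject bodies that are not one DER structure."""
    match = PEM_RE.search(data)
    if match is None:
        raise ValueError("no PEM block found")
    der = base64.b64decode(b"".join(match.group(2).split()), validate=True)
    if der_length(der) != len(der):
        raise ValueError("PEM body does not decode to a single DER structure")
    return der


def der_to_pem(der, label=b"CERTIFICATE"):
    """Wrap one DER structure in a PEM block with 64-character lines."""
    if der_length(der) != len(der):
        raise ValueError("input is not a single DER structure")
    body = base64.b64encode(der)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return (b"-----BEGIN " + label + b"-----\n" + b"\n".join(lines)
            + b"\n-----END " + label + b"-----\n")


# Constructed samples: SEQUENCE { INTEGER 1 }, and a SEQUENCE whose 128-byte
# length needs the long form (an OCTET STRING of 126 zero bytes inside it).
SHORT_DER = bytes.fromhex("3003020101")
LONG_DER = b"\x30\x81\x80\x04\x7e" + b"\x00" * 0x7e

if __name__ == "__main__":
    for sample in (SHORT_DER, der_to_pem(SHORT_DER), SHORT_DER + b"\x00"):
        print(detect_format(sample))
```

Run it over the file you are about to add and pick the gsk5ikm data type from the result; if it reports unknown, the file was damaged on the way over and should be exported and transferred again rather than forced in.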

Configuring the Novell eDirectory server for SSL access

Secure Socket Layer (SSL) allows the data, which is transmitted between the Tivoli Access Manager services and the NDS eDirectory, to be encrypted to provide data privacy and integrity. It is recommended that administrators enable SSL to protect information, such as user passwords and private data. However, SSL is not required for Tivoli Access Manager to operate. If SSL is not required in your Tivoli Access Manager environment, skip this section.

Tivoli Access Manager supports server-side authentication with NDS eDirectory only. To configure the NDS eDirectory server for SSL, ensure that the ConsoleOne tool is installed and complete the following sections:

v “Creating an organizational certificate authority object”

v “Creating a self-signed certificate” on page 168

v “Creating a server certificate for the LDAP server” on page 168

v “Enabling SSL” on page 169

v “Adding the self-signed certificate to the IBM key file” on page 169

Note: For more information, see Novell product documentation at:

http://www.novell.com/documentation/lg/ndsedir86/index.html

Creating an organizational certificate authority object

During installation of eDirectory, an NDSPKI:Certificate Authority object is created by default (if one does not already exist in the network). It is important that the subject name (not the object name) be a valid signatory. The subject name must have an organization field and a country field to be recognized as valid by Tivoli Access Manager. The default subject name is as follows:

O=<organizational entry name>.OU=Organizational CA

This is not a valid signatory because it has no country field. To change it, you must recreate the Certificate Authority object with a valid subject name. To do so, follow these steps:


1. Start ConsoleOne.

2. Select the Security container object. Objects are displayed in the right-hand pane of the window.

3. Select the Organization CA object and delete it.

4. Right-click the Security container object again and click New → Object.

5. From the list box in the New Object dialog, double-click NDSPKI: Certificate Authority. The Create an Organizational Certificate Authority Object dialog is displayed. Follow the online instructions.

6. Select the target server and enter an eDirectory object name. For example:

Host Server Field = C22Knt_NDS.AM

Object Name Field = C22KNT-CA

7. In Creation Method, select Custom and click Next.

8. Edit the Subject name and enter your suffix. For example, enter:

.o=tivoli.c=us

9. The Organizational Certificate Authority is displayed in ConsoleOne as C22KNT-CA.

Creating a self-signed certificate

To create a self-signed certificate, do the following:

1. Go to the properties of the Organizational Certificate Authority (C22KNT-CA). The Properties window is displayed.

2. Select the Certificate tab and then select Self Signed Certificate from the drop-down menu.

3. Validate the certificate.

4. Export the certificate. The Export a Certificate window is displayed.

5. Accept the default values and write down the location where the self-signed certificate will be saved. For example:

c:\c22knt\CA-SelfSignedCert.der

6. Transfer (FTP) the file to the Tivoli Access Manager host directory. For example:

c:\Program Files\Tivoli\Policy Directory\keytab

Note that this is a binary file; transfer it in binary mode.

Creating a server certificate for the LDAP server

To create the server certificate for the Novell eDirectory server, follow these steps:

1. To create a server certificate for the LDAP server, right-click on the Organization entry and click New → Object. A New Object window is displayed.

2. Select NDSPKI: Key Material and then click OK. The Create Server Certificate (Key Material) window is displayed.

3. Enter the certificate name (for example, AM), select Custom for the creation method, and click Next.

4. Use the default values for the Specify the Certificate Authority option, which selects the certificate authority that will sign the certificate, and click Next.

5. Specify the key size (default 1024 bits; 1024-bit RSA keys are no longer considered adequate, so choose the largest size your environment supports), use the default values for all other options, and click Next.

6. In the Specify the Certificate Parameters window, click on the Edit button beside the Subject name field. The Edit Subject window is displayed.

7. Enter the subject name. Ensure that it has an Organization and a Country field and then click OK. The Create Server Certificate (Key Material) window is displayed with the Subject Name field updated. Click Next to continue.

8. To accept the default values in the following windows, click Next twice and then click Finish to create the key material.

The Creating Certificate window is temporarily displayed. When it clears, the right pane of ConsoleOne is updated with a Key Material entry named AM. This is the server certificate.

Enabling SSL

To enable SSL for the Novell LDAP server, do the following:

1. In the right-hand pane of ConsoleOne, locate an entry named LDAP Server – hostname and right-click on it.

2. From the drop-down menu, select Properties. From the Properties notebook, select the SSL Configuration tab.

3. Click the Tree Search icon beside the SSL Certificate field. The Select SSL Certificate window is displayed. The SSL Certificate List pane displays the certificates known to the organization.

4. Select the AM certificate and click OK. The Properties of LDAP Server – hostname window is redisplayed with an updated SSL Certificate field.

Note: Do not select Enable and Require Mutual Authentication. Tivoli Access Manager supports server-side authentication with NDS eDirectory only.

Adding the self-signed certificate to the IBM key file

To add the self-signed certificate to the IBM key file on the Tivoli Access Manager server, follow these steps:

1. Start the gsk5ikm utility. An IBM Key Manager window is displayed.

2. Select Key Database File → New. A New window is displayed.

3. Update the fields to the following values and then click OK:

Key database type: CMS key database file
File name: key.kdb
Location: /var/PolicyDirector/keytabs

A Password Prompt window is displayed.

4. Create a password, entering it twice for confirmation, and then click OK. The IBM Key Manager window is displayed with the Signer Certificates dialog displayed.

5. Click the Add button. The Add CA’s Certificate from a File window is displayed. Update the following fields and then click OK:

Data type: Binary DER data
Certificate file name: <hostname>CA-SelfSignedCert.der
Location: /var/PolicyDirector/keytabs

The Signer Certificates dialog is now updated with a certificate named AM.

Configuring the IBM Directory client for SSL access

You must first set up the LDAP server for SSL access before you set up the LDAP client for SSL access. If you have not yet configured the LDAP server for SSL access, go to “Configuring the IBM Directory server for SSL access” on page 157.

Similar to creating a key database file for the server, you must create a key database file on the client system. Note that in order for the client to authenticate the LDAP server, the client must recognize the certificate authority (signer) that created the LDAP server’s certificate. If the LDAP server is using a self-signed certificate, the client must be enabled to recognize the system that generated the LDAP server’s certificate as a trusted root (certificate authority).

To configure the LDAP client for SSL access to the LDAP server, complete the instructions in the following sections:

v “Creating a key database file” on page 170

v “Adding a signer certificate” on page 171

v “Testing SSL access” on page 172

Creating a key database file

Use the gsk5ikm utility to create the key database file and the certificate. To create the key database file and certificate (self-signed or signed), follow these steps:

1. Ensure that GSKit and the gsk5ikm utility are installed on both the LDAP server and any LDAP clients that will be using SSL.

2. Start the gsk5ikm utility, which is located in one of the following default directories:

System    Path
AIX       /usr/opt/lpp/ibm/gsk5/bin/gsk5ikm
HP-UX     /opt/ibm/gsk5/bin/gsk5ikm
Linux     /usr/local/ibm/gsk5/bin/gsk5ikm
Solaris   /opt/IBM/GSK5/bin/gsk5ikm
Windows   C:\Program Files\IBM\GSK5\bin\GSK5ikm.exe

Note: On Linux for zSeries only, to run the gsk5ikm utility, an X-windows session is required and IBM Java, Version 1.3.1, must be accessible through the PATH environment variable as follows:

export PATH=/opt/java/IBMJava2-s390-131/jre/bin:$PATH

IBM Java Runtime Environment, Version 1.3.1, can be downloaded from the IBM Java for Linux Web site at:

http://www6.software.ibm.com/dl/lxdk/lxdk-p

In addition, to ensure that the correct C++ library is used by the gsk5ikm utility on SuSE SLES-7 31-bit systems, the LD_PRELOAD environment variable must be set:

LD_PRELOAD=/usr/lib/libstdc++libc6.1-2.so.3

3. To create a new key database file, select Key Database File → New.

4. Verify that the CMS key database file is the selected key database type.

5. Type the information in the File Name and Location fields where you want the key database file to be located. A key database file’s extension is .kdb.

6. Click OK.

7. Enter the key database file password, and confirm it.

Remember this password because it is required when the key database file is edited.


8. Accept the default expiration time, or change it to your organization’s requirements.

9. If you want the password to be masked and stored into a stash file, select Stash the password to a file.

A stash file can be used by some applications so that the application does not have to know the password to use the key database file. The stash file has the same location and name as the key database file and has an extension of .sth. Because the stash file lets anyone who can read it open the key database, protect it with the same file permissions as the key database file itself.

10. Click OK. This completes the creation of the key database file. There is a set of default signer certificates. These signer certificates are the default certificate authorities that are recognized.

In order for the client to be able to authenticate the LDAP server, the client must recognize the certificate authority (signer) that created the LDAP server’s certificate. If the LDAP server is using a self-signed certificate, the client must be enabled to recognize the system that generated the LDAP server’s certificate as a trusted root (certificate authority).

11. After creating the key database file, change the file ownership of the key database file to ivmgr. Use the appropriate operating system command for changing file ownership. For example, on UNIX systems, enter the following:

# chown ivmgr keyfile

Adding a signer certificate

To add a signer certificate after the key database file has been created, follow these steps:

1. If you are using a self-signed certificate for the LDAP server, ensure that the certificate that was extracted from the key database file in “Creating and extracting a self-signed certificate” on page 159 has been copied to the client system. If it has not been copied, copy it now. Otherwise, ensure that you have the certificate authority’s certificate which created your LDAP server’s certificate.

2. Click the Signer Certificates section of the client’s CMS key database file.

3. Click Add.

4. Click Base64-encoded ASCII data to set the data type.

5. Indicate the certificate’s file name and its location. The certificate file’s extension is usually .arm.

6. Click OK.

7. Type a label for the signer certificate that you are adding. For example, you can use the system name of the LDAP server for the label. If the LDAP server’s certificate was created by a certificate authority, you can use the certificate authority’s name as the label.

8. Click OK. The certificate is displayed in the client’s key database as a signer certificate.

9. Highlight the newly added signer certificate, and click View/Edit.

10. Ensure that Set the certificate as a trust root is selected so that the certificate is marked as a trusted root.

If the LDAP server’s certificate was generated by a regular certificate authority, be sure that the certificate authority is listed as a signer certificate and marked as a trusted root. If it is not, add the certificate authority’s certificate as a signer certificate and indicate that it is a trusted root.

The client is now able to establish an SSL session with the LDAP server.


Testing SSL access

To test that SSL access has been enabled, enter the following command on the LDAP client:

ldapsearch -h servername -Z -K client_keyfile -P key_pw -b "" -s base objectclass=*

The command variables are as follows:

Variable        Description
servername      The DNS host name of the LDAP server.
client_keyfile  The fully qualified path name of the generated client key ring.
key_pw          The password of the generated key ring.

This command returns the LDAP base information, which includes the suffixes on the LDAP server. Note that -P places the key database password on the command line, where other users on the system can see it in the process list, so use this form for the test only.

During LDAP server configuration in “Configuring the IBM Directory server for SSL access” on page 157, you chose an authentication method of either Server Authentication or Server and Client Authentication.

v If you chose Server Authentication, the SSL setup is now complete.

v If you chose Server and Client Authentication, go to “Configuring LDAP server and client authentication”.

Configuring LDAP server and client authentication

During the configuration of the LDAP server to enable SSL access, as described in “Enabling SSL access” on page 160, you were prompted to choose either Server Authentication or Server and Client Authentication.

If you chose Server Authentication, SSL configuration is complete.

If you chose Server and Client Authentication, you must now establish a certificate for the client system. In this mode of authentication, the server requests the client’s certificate and uses it to authenticate the client’s identity.

To establish a certificate for the client system, complete the instructions in the following sections:

v “Creating a key database file” on page 172

v “Obtaining a personal certificate from a certificate authority” on page 173

v “Creating and extracting a self-signed certificate” on page 174

v “Adding a signer certificate” on page 175

v “Testing the SSL access” on page 176

Creating a key database file

If you have not already created a client key database file, use the gsk5ikm utility to create the key database file and the certificate. If you have already created a key database file, go to “Obtaining a personal certificate from a certificate authority” on page 173.

To create the key database file and certificate (self-signed or signed), follow these steps:


1. Ensure that GSKit and gsk5ikm are installed on both the LDAP server and any clients that will be using SSL.

2. Start the gsk5ikm utility, which is located in one of the following default directories:

System    Path
AIX       /usr/opt/lpp/ibm/gsk5/bin/gsk5ikm
HP-UX     /opt/ibm/gsk5/bin/gsk5ikm
Linux     /usr/local/ibm/gsk5/bin/gsk5ikm
Solaris   /opt/IBM/GSK5/bin/gsk5ikm
Windows   C:\Program Files\IBM\GSK5\bin\GSK5ikm.exe

3. Select Key Database File → New.

4. Verify that the CMS key database file is the selected key database type.

5. Type the information in the File Name and Location fields where you want the key database file to be located. A key database file’s extension is .kdb.

6. Click OK.

7. Enter the key database file password, and confirm it. Remember this password because it is required when the key database file is edited.

8. Accept the default expiration time, or change it to your organization’s requirements.

9. If you want the password to be masked and stored into a stash file, select Stash the password to a file.

A stash file can be used by some applications so that the application does not have to know the password to use the key database file. The stash file has the same location and name as the key database file and has an extension of .sth.

10. Click OK.

This completes the creation of the key database file. There is a set of default signer certificates. These signer certificates are the default certificate authorities that are recognized.

11. After creating the key database file, change the file ownership of the key database file to ivmgr. Use the appropriate operating system command for changing file ownership. For example, on UNIX systems, enter the following:

# chown ivmgr keyfile
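The chown step here and in the earlier client procedure covers ownership only. The following added example, not code from the IBM guide, checks both the .kdb file and its .sth stash file for ownership and for group/other access, and restricts them to the owner, since a readable stash file lets anyone who can read it open the key database without the password. It is POSIX-only (it uses the pwd module); the ivmgr owner name is the guide’s, and demo() exercises the check on throw-away files it creates itself.

```python
"""Check that a CMS key database (.kdb) and its stash file (.sth) are owned by
the expected user and closed to group and other, then tighten them.

Added example, not from the IBM guide. POSIX only. demo() works on
constructed placeholder files in a temporary directory, not real GSKit files.
"""
import os
import pwd
import stat
import tempfile


def stash_path_for(kdb_path):
    """GSKit writes the stash file beside the key database with a .sth extension."""
    return os.path.splitext(kdb_path)[0] + ".sth"


def owner_name(uid):
    """User name for a uid, falling back to the number if there is no passwd entry."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def check_key_files(kdb_path, expected_owner=None):
    """Return a list of findings for the key database and its stash file."""
    findings = []
    for path, required in ((kdb_path, True), (stash_path_for(kdb_path), False)):
        if not os.path.exists(path):
            if required:
                findings.append("%s: missing" % path)
            continue                      # no stash file is fine: password given at run time
        st = os.stat(path)
        if not stat.S_ISREG(st.st_mode):
            findings.append("%s: not a regular file" % path)
        mode = stat.S_IMODE(st.st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append("%s: mode %s grants access to group/other" % (path, oct(mode)))
        if expected_owner is not None and owner_name(st.st_uid) != expected_owner:
            findings.append("%s: owned by %s, expected %s"
                            % (path, owner_name(st.st_uid), expected_owner))
    return findings


def harden_key_files(kdb_path):
    """Restrict the key database and stash file to owner read/write (0600)."""
    for path in (kdb_path, stash_path_for(kdb_path)):
        if os.path.exists(path):
            os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)


def demo():
    """Create a key.kdb/key.sth pair with lax modes, audit, harden, audit again."""
    me = owner_name(os.getuid())
    with tempfile.TemporaryDirectory() as tmp:
        kdb = os.path.join(tmp, "key.kdb")
        for name in ("key.kdb", "key.sth"):
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(b"constructed placeholder, not a real GSKit file\n")
            os.chmod(path, 0o644)         # world-readable, as a careless copy leaves it
        before = check_key_files(kdb, expected_owner=me)
        harden_key_files(kdb)
        after = check_key_files(kdb, expected_owner=me)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after:", after or ["ok"])
```

On a real system run check_key_files against the key database path with expected_owner="ivmgr" after the chown; the stash file is optional, so its absence is not reported, but when it exists it is held to the same standard as the key database.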

Obtaining a personal certificate from a certificate authority
If you plan to use a certificate from a certificate authority (such as VeriSign), instead of a self-signed certificate, you must request the certificate from the certificate authority and then receive it after it has been issued.

If you plan to use a self-signed certificate, skip this section and go to “Creating and extracting a self-signed certificate” on page 174.

To request and receive a certificate, follow these steps:

1. Use gsk5ikm to request a certificate from a certificate authority and then receive the new certificate into your key database file.

2. Click the Personal Certificate Requests section of the key database file.

3. Click New.

4. To produce a request that can be sent to the certificate authority, complete the information and then click OK.

SSL — Server and Client Authentication

Appendix A. Enabling SSL 173


5. To install the certificate to your key database file after the certificate authority returns it, click the Personal Certificates section and then click Receive.

6. After you have the LDAP client’s certificate in the key database file, add the certificate of the certificate authority that issued the client’s certificate to the LDAP server’s key database as a signer, so that the server can validate the client’s certificate.

7. Continue to “Adding a signer certificate” on page 175.

Creating and extracting a self-signed certificate
If you obtained a certificate from a known certificate authority, as described in “Obtaining a personal certificate from a certificate authority” on page 173, skip this section and go to “Adding a signer certificate” on page 175.

To create a new self-signed certificate and store it into the key database file, followthese steps:

1. Start the gsk5ikm utility, which is located in one of the following default directories:

   System    Path
   AIX       /usr/opt/lpp/ibm/gsk5/bin/gsk5ikm
   HP-UX     /opt/ibm/gsk5/bin/gsk5ikm
   Linux     /usr/local/ibm/gsk5/bin/gsk5ikm
   Solaris   /opt/IBM/GSK5/bin/gsk5ikm
   Windows   C:\Program Files\IBM\GSK5\bin\GSK5ikm.exe

2. Select Create → New Self-Signed Certificate.

3. Type a name in the Key Label field that GSKit can use to identify this new certificate in the key database.

For example, the label can be the system name of the LDAP client.

4. Accept the default for the Version field (X509 V3). For the Key Size field, keep in mind that the sizes that were the default when this guide was written are no longer considered adequate; choose the largest size the utility offers that your LDAP server accepts.

5. Either accept the default system name or enter a different name in the Common Name field for this certificate.

6. Enter a company name in the Organization field.

7. Complete any optional fields or leave them blank.

8. Either accept the defaults for the Country field and 365 for the Validity Period field or change them to suit your organization’s requirements.

9. Click OK. GSKit generates a new public and private key pair and creates the certificate.

If you have more than one personal certificate in the key database file, GSKit asks whether you want this key to be the default key in the database. You can accept one of them as the default. The default certificate is used at runtime when a label is not provided to select which certificate to use.

This completes the creation of the LDAP client’s personal certificate. It is displayed in the Personal Certificates section of the key database file. Use the middle bar of the key management utility to select between the types of certificates kept in the key database file.

The certificate also is displayed in the Signer Certificates section of the key database file. When you are in the Signer Certificates section of the key database, verify that the new certificate is there.

Next, you must extract the LDAP client’s self-signed certificate to a Base64-encoded ASCII data file so that it can be installed on the LDAP server as a signer certificate.


10. Use gsk5ikm to extract the LDAP client’s self-signed certificate to a Base64-encoded ASCII data file.

11. Highlight the self-signed certificate that you just created.

12. Click Extract Certificate.

13. Click Base64-encoded ASCII data as the data type.

14. Type a certificate file name for the newly extracted certificate. The certificate file’s extension is usually .arm.

15. Type the location where you want to store the extracted certificate and then click OK.

16. Copy this extracted certificate to the LDAP server system. Only the certificate (the public key) is extracted; the private key stays in the client’s key database file. Because the server will trust whatever is in this file, copy it over a path you control and confirm on the server that the file is the one you extracted before you mark it as a trusted root.

On the LDAP server, after the client’s personal certificate has been created and added to the client’s key database file, the certificate authority that created that client certificate (for a self-signed certificate, the certificate itself) must be recognized as a signer certificate (trusted root).

Adding a signer certificate
You must perform this step on the LDAP server.

To add a signer certificate after the key database file has been created, follow these steps:

1. Do one of the following:

v If you are using a self-signed certificate for the client, ensure that the certificate that was extracted from the key database file in “Creating and extracting a self-signed certificate” on page 174 has been copied to the server system. If it has not been copied, copy it now. Then add that certificate as a trusted signer using the following steps.

v If the client certificate was created by a certificate authority, add the certificate authority’s certificate as a trusted signer using the following steps.

2. Click the Signer Certificates section of the LDAP server’s CMS key database file.

3. Click Add.

4. Click Base64-encoded ASCII data to set the data type.

5. Indicate the certificate’s file name and its location. The certificate file’s extension is usually .arm.

6. Click OK.

7. Type a label for the signer certificate that you are adding. For example, you can use the system name of the LDAP client for the label or the name of the certificate authority that generated the client’s certificate.

8. Click OK. The certificate is displayed in the server’s key database as a signer certificate.

9. Highlight the newly added signer certificate, and click View/Edit.

10. Ensure that Set the certificate as a trust root is selected so that the certificate is marked as a trusted root.

If the LDAP client’s certificate was generated by a regular certificate authority, be sure that the certificate authority is listed as a signer certificate and marked as a trusted root. If it is not, add the certificate authority’s certificate as a signer certificate and indicate that it is a trusted root. Note that marking a certificate authority as a trusted root makes the server accept any client certificate issued by that authority, not only the one you requested.

The server is now able to establish an SSL session with the LDAP client.

11. Continue to “Testing the SSL access” on page 176.
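An added example, not from this guide or from IBM: before marking a certificate copied from the client as a trusted root on the LDAP server (step 10), confirm that the .arm file is the one that was extracted by comparing its fingerprint with a value obtained over a separate channel (computed on the client with the same script, or read from the client’s key management utility). The script computes that fingerprint from the Base64 body of the file; the armour format it expects ("-----BEGIN CERTIFICATE-----") and the sample it embeds, a constructed DER fragment rather than a real certificate, are assumptions for the example.

```python
"""Verify the fingerprint of a Base64 (.arm) certificate before trusting it.

Added example for this guide; it is not part of IBM Tivoli Access Manager
or GSKit. The procedure copies an extracted certificate to the LDAP server
and marks it as a trusted root, but gives the administrator no check that
the file that arrived is the one that was extracted. This code computes a
fingerprint of the DER certificate inside a Base64-encoded ASCII file so
that the value computed on the client can be compared with the file on the
server before the trust root is set.

Assumptions (not from the guide): the .arm file uses the usual
"-----BEGIN CERTIFICATE-----" armour; SAMPLE_DER below is a constructed
minimal DER SEQUENCE, not a real certificate, so its fingerprint means
nothing outside this demo.
"""
import base64
import binascii
import hashlib
import hmac
import re

_ARMOUR = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(text):
    """Return the DER bytes of the first certificate in a .arm/PEM text."""
    match = _ARMOUR.search(text)
    if not match:
        raise ValueError("no BEGIN/END CERTIFICATE block found")
    body = "".join(match.group(1).split())  # drop line breaks and whitespace
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("certificate body is not valid Base64: %s" % exc)
    # Every X.509 certificate is a DER SEQUENCE, which starts with tag 0x30.
    if not der or der[0] != 0x30:
        raise ValueError("decoded data does not start with a DER SEQUENCE")
    return der


def fingerprint(der, algorithm="sha256"):
    """Return the digest of the DER bytes as colon-separated upper-case hex."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalise(fp):
    # Fingerprints are read and typed by people: accept any case, with or
    # without colons or spaces.
    return fp.replace(":", "").replace(" ", "").lower()


def matches_expected(text, expected_fp, algorithm="sha256"):
    """True if the certificate in text has the fingerprint obtained out of band."""
    actual = fingerprint(pem_to_der(text), algorithm)
    # Constant-time comparison; the inputs are short but the habit is cheap.
    return hmac.compare_digest(_normalise(actual), _normalise(expected_fp))


# Constructed sample: DER SEQUENCE { INTEGER 5 }, wrapped the way a
# Base64-encoded ASCII extract is written. It is not a real certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_ARM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    print("SHA-256 fingerprint:", fingerprint(pem_to_der(SAMPLE_ARM)))
```

Use `algorithm="sha1"` if the value you are comparing against was produced by a tool that still displays SHA-1 fingerprints; the comparison is only as good as the channel the expected value came over, so do not take it from the same copy of the file you are checking.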


Testing the SSL access
After the LDAP server recognizes the certificate authority that created the client’s personal certificate, test SSL access using the following command on the LDAP client:

ldapsearch -h servername -Z -K client_keyfile -P key_pw -N client_label \
    -b "" -s base objectclass=*

The command variables are as follows:

Variable        Description
servername      The DNS host name of the LDAP server.
client_keyfile  The fully qualified path name of the generated client key ring.
key_pw          The password of the generated key ring.
client_label    The label associated with the key, if any. This field is optional and is only needed if the LDAP server is configured to perform both server and client authentication.

The ldapsearch command returns the LDAP base information, which includes the suffixes on the LDAP server. Notice that the –N parameter indicates the label that was specified when the client’s personal certificate was added to the client’s key database file. Because –P puts the key database password on the command line, where other users on the system can see it in the process list and in the shell history, use this command for testing only.

Note: Do not specify the LDAP server’s signer certificate label. The –N option indicates to GSKit which client certificate is sent to the server when requested. If no label is specified, then the default personal certificate is sent when the server requests the client’s certificate.

The SSL setup is now complete.

Enabling SSL for Domino
It is recommended that you enable Secure Sockets Layer (SSL) communication between your Lotus Domino server and IBM Directory clients that support Tivoli Access Manager software.

This section covers the following topics:

1. “Creating the SSL key ring file” 

2. “Enabling SSL access” on page 177

3. “Creating a Tivoli Access Manager administrative user for Domino” on page 39

Creating the SSL key ring file
To support SSL on a Domino server, you must create a Domino server key ring file that contains the server side digital certificate. To do so, follow these steps:

1. Start the Notes client on the Domino server and then select File → Database → Open. Open the Server Certificate Admin database on the Domino server.

Note: You must install the Domino Designer client on the Notes client system.

2. Depending on the environment, do one of the following:

v Create SSL key ring and populate it with certificates

Complete the Create Key Ring, Create Certificate Request, Install Root Certificate and Install Certificate into Key Ring options.

v Create a key ring with self-certified certificate for testing purposes

Double click the Create Key Ring with Self-Certified Certificate option. Fill in the key ring file name and all other required fields. Click the Create Key Ring with Self-Certified Certificate button to complete the process.

Copy the key ring file and stash file to the following Domino server path:

\Lotus\Domino\Data

Enabling SSL access
In this configuration Domino performs server-side authentication only; the Tivoli Access Manager runtime does not present a client certificate. To enable SSL, follow these steps:

1. Start the Domino Administrator client and select the Configuration tab.

2. Select the All Server Documents option under the Server category on the left hand side of the GUI. Open the server document where you want to configure LDAP.

3. Click Edit Server to prepare the server configuration update.

4. Select the Ports tab on the server document.

5. Select the Internet Ports tab and enter the Domino server key ring file name created in “Creating the SSL key ring file” on page 176. Select Yes on Accept SSL Site Certificates.

6. Select the Directory tab to update the LDAP configuration and then select Enabled on SSL Port Status. Ensure that you indicate the following settings:

v Set client certificate to No.

v Set name & password to Yes.

v Set anonymous to either Yes or No.

7. Click OK to update the server document. The LDAP SSL setup is complete.

If the Domino server’s certificate is not certified by the default Domino server trusted certifier, you need to register the certifier in the Domino server key ring file. To do so, follow these steps:

1. Highlight the server document and pull down the Registration menu on the right hand side.

2. From the pull down menu, select Internet Certifier.

3. Locate the Domino server key ring file and click Open to complete the Internet Certifier registration process.

4. To verify the registration above, select the People & Groups menu and click the Certificates tab to verify that the new Domino server’s certifier has been inserted in the Internet Certifiers list.

5. Save the server document.

6. From the Domino server console, restart the LDAP server by entering the following commands:

tell ldap quit

load ldap


Appendix B. Tivoli Access Manager configuration reference

This appendix includes the following sections:

v “UNIX native configuration options” 

v “Windows native configuration options” on page 181

UNIX native configuration options

This section lists configuration information that is required during the native installation process. It is recommended that you identify these values before you are prompted during installation. If you are planning to enable Secure Sockets Layer (SSL), configuration options are also provided.

Note that the configuration information for the policy server is used for configuring other Tivoli Access Manager components.

Tivoli Access Manager runtime
During the configuration of the Tivoli Access Manager runtime on an AIX, HP-UX, Linux, or Solaris system, you are prompted for the following information:

v Registry selection—Select the type of registry you configured for Tivoli Access Manager. Note that LDAP registry is the only supported choice on these systems.

v LDAP server hostname—Specifies the fully qualified host name of the LDAP server. For example:

ldapserver.tivoli.com

v LDAP server port number—Specifies the port number on which the LDAP server listens. The default port number is 389.

If the Tivoli Access Manager policy server is not installed on the same system as the Tivoli Access Manager runtime, you are also prompted for the following information:

v Hostname of the Policy Server machine—Specifies the fully qualified host name of the policy server. For example:

pdmgr.tivoli.com

v SSL listening port used by Policy Server—Specifies the port number on which the policy server listens for SSL requests. The default port number is 7135.

Tivoli Access Manager policy server
During the configuration of the policy server on an AIX, HP-UX, Linux on zSeries, or Solaris system, you are prompted for the following information:

v LDAP administrative user DN—Specifies the distinguished name of the LDAP administrator. The default name is cn=root.

v LDAP administrative user password—Specifies the password associated with the LDAP administrator ID.

v Enable SSL communication between the Access Manager Policy Server and the LDAP server—Specifies whether SSL should be enabled (yes or no). If yes is specified, the following information is requested.

–  Location of the LDAP SSL client key file—Specifies the fully qualified path name where the client LDAP key database file is located on the policy server.


To enable SSL support between your policy server and LDAP server, the Tivoli Access Manager Base CD provides the following sample key file for evaluation use only:

/common/pd_ldapkey.kdb

This file is not intended for use in a production environment: its password is printed in this guide, so anyone can open it and use the keys it contains. To acquire your own certificate, see information about creating a key database file and certificate in Appendix A, “Enabling Secure Sockets Layer”, on page 157.

–  SSL client certificate label (if required)—Specifies the label in the client LDAP key database file of the client certificate to be sent to the server. This label is required if the server is configured to require client authentication during SSL establishment or you want to use the non-default certificate in your key file. If you use the ezinstall_ldap_server script and the default key file (pd_ldapkey.kdb), then the label should be left blank. Typically, the LDAP server requires only server-side certificates that were specified during creation of the client .kdb file. In addition, if the SSL client key file label is not required, leave this field blank when configuring the policy server.

–  LDAP SSL client key file password—Specifies the password of the client LDAP key database file. The pd_ldapkey.kdb file shipped with easy installation has a default password of gsk4ikm. These defaults are usable if you install and configure the IBM Directory server using the ezinstall_ldap_server script. If you decide to change this password using the gsk5ikm utility, you must recall this default password.

–  LDAP server SSL port number—Specifies the port number on which the LDAP server listens for SSL requests. The default port number is 636.

v LDAP DN for GSO database—Specifies the distinguished name of where in the LDAP server directory information tree (DIT) the global signon (GSO) database is located. For example:

o=tivoli,c=us

For more information about the GSO suffix, see “LDAP server configuration overview” on page 17.

v Access Manager Administrator password—Specifies the password associated with the sec_master primary administrator ID. You are prompted to re-enter this password for confirmation.

v SSL server port for Access Manager Policy Server—Specifies the port number on which the policy server listens for SSL requests. The default port number is 7135.

v Policy Server SSL certificate lifetime—Specifies the number of days that the SSL certificate file is valid. The default number of days is 365.

v Enable root CA Certificate download—Specify yes to enable automatic downloading of the SSL certificate authority file by runtime systems when they are configured. Regardless of whether you specify yes or no, the SSL certificate authority file is placed in the following location on the policy server:

/var/PolicyDirector/keytab/pdcacert.b64

If this option is set to no, you must copy the pdcacert.b64 file to each Tivoli Access Manager runtime system in your secure domain. Whichever way the file arrives on a runtime system, it becomes that system’s trust root for the secure domain, so confirm that the copy matches the file on the policy server before configuring the runtime.

Tivoli Access Manager authorization server
During the configuration of the authorization server on an AIX, HP-UX, Linux on zSeries, or Solaris system, you are prompted for the following information:


v LDAP administrative user DN—Specifies the distinguished name of the LDAP administrator. The default name is cn=root.

v LDAP administrative user password—Specifies the password associated with the LDAP administrator ID.

v Enable SSL communication between the Access Manager authorization server and the LDAP server—Specifies whether SSL should be enabled (yes or no). If yes is specified, the following information is requested.

–  Location of the LDAP SSL client key file—Specifies the fully qualified path name where the client LDAP key database file is located on the authorization server. To enable SSL support between your authorization server and LDAP server, the Tivoli Access Manager Base CD provides the following sample key file for evaluation use only:

/common/pd_ldapkey.kdb

This file is not intended for use in a production environment. To acquire your own certificate, see information about creating a key database file and certificate in Appendix A, “Enabling Secure Sockets Layer”, on page 157.

–  SSL client certificate label (if required)—Specifies the label in the client LDAP key database file of the client certificate to be sent to the server. This label is required if the server is configured to require client authentication during SSL establishment or you want to use the non-default certificate in your key file. If you use the ezinstall_ldap_server script and the default key file (pd_ldapkey.kdb), then the label for configuring the LDAP server should be PDLDAP. Typically, the LDAP server requires only server-side certificates that were specified during creation of the client .kdb file.

Note: If the SSL client key file label is not required, leave this field blank when configuring the authorization server.

–  LDAP SSL client key file password—Specifies the password of the client LDAP key database file. The pd_ldapkey.kdb file shipped with easy installation has a default password of gsk4ikm. These defaults are usable if you install and configure the IBM Directory server using the ezinstall_ldap_server script. If you decide to change this password using the gsk5ikm utility, you must recall this default password.

–  LDAP server SSL port number—Specifies the port number on which the LDAP server listens for SSL requests. The default port number is 636.

v Password for the Access Manager Administrator—Specifies the password associated with the sec_master primary administrator ID.

Windows native configuration options

This section lists configuration information that is required during the native installation process. It is recommended that you identify these values before you are prompted during installation. If you are planning to enable Secure Sockets Layer (SSL), configuration options are also provided.

Note that the configuration information for the policy server is used for configuring other Tivoli Access Manager components. You are not prompted for configuration options for GSKit, the IBM Directory client, the ADK, and the Web Portal Manager components.


Tivoli Access Manager runtime
During the configuration of the Tivoli Access Manager runtime component, you are prompted for the following information:

v Registry selection—Select the type of registry you configured for Tivoli Access Manager. Choices are as follows:

– LDAP Registry (see “LDAP registry”)

– Active Directory (see “Active Directory” on page 183)

– Domino (see “Lotus Domino” on page 184)

LDAP registry
During the configuration of the Tivoli Access Manager runtime on a Windows system, you are prompted for the following information:

v LDAP Server Hostname—Specifies the fully qualified host name of the LDAP server. For example:

ldapserver.tivoli.com

v LDAP Server Port—Specifies the port number on which the LDAP server listens. The default port number is 389.

v LDAP DN for GSO database—Specifies the distinguished name of where in the LDAP server directory information tree (DIT) the global signon (GSO) database is located. For example:

o=tivoli,c=us

For more information about the GSO suffix, see “LDAP server configuration overview” on page 17.

v Enable SSL between Tivoli Access Manager and LDAP—Specifies whether SSL should be enabled (yes or no). If yes is specified, the following information is requested.

–  LDAP SSL Client Key File—Specifies the fully qualified path name where the client LDAP key database file is located on the client system.

If you plan to enable SSL communication between your LDAP server and IBM Directory clients that support Tivoli Access Manager software, you must manually copy the C:\keytabs\pd_ldapkey.kdb file from its location on the LDAP server to a directory on your client systems.

–  SSL Client Certificate Label (if required)—Specifies the label in the client LDAP key database file of the client certificate to be sent to the server. This label is required if the server is configured to require client authentication during SSL establishment or you want to use the non-default certificate in your key file. If you use the ezinstall_ldap_server script and the default key file (pd_ldapkey.kdb), then the label for configuring the LDAP server should be PDLDAP. Typically, the LDAP server requires only server-side certificates that were specified during creation of the client .kdb file.

Note: If the SSL client key file label is not required, then it may be left blank during the configuration of the runtime.

–  SSL Key File Password—Specifies the password of the client LDAP key database file. The pd_ldapkey.kdb file shipped with easy installation has a default password of gsk4ikm. These defaults are usable if you install and configure the IBM Directory server using the ezinstall_ldap_server script. If you decide to change this password using the gsk5ikm utility, you must recall this default password.

–  LDAP Server SSL Port—Specifies the port number on which the LDAP server listens for SSL requests. The default port number is 636.

 


v Installation Directory—Specifies the directory where Tivoli Access Manager is to be installed.

If the Tivoli Access Manager policy server is not installed on the same system as the Tivoli Access Manager runtime, then you are also prompted for the following information:

v Policy Server Hostname—Specifies the fully qualified host name of the policy server. For example:

pdmgr.tivoli.com

v SSL Server Port—Specifies the port number on which the policy server listens for SSL requests. The default port number is 7135.

v Tivoli Access Manager CA Certificate Filename—If you specified to enable automatic downloading of the CA certificate file during the configuration of the Tivoli Access Manager policy server, leave this option blank. It is automatically retrieved when configuring the Tivoli Access Manager runtime.

If you did not enable automatic downloading of the CA certificate file, you must obtain the SSL certificate file from the policy server system. To do this, use a file transfer program, such as ftp, to place a copy of the file in a location of your choice. On the policy server, the certificate file is located at:

/var/PolicyDirector/keytab/pdcacert.b64

You should copy this file after installing the runtime component, but before configuring it. The file contains only the certificate authority’s public certificate, so it need not be kept secret, but it must not be altered in transit; a plain ftp transfer provides no integrity protection, so compare the copy with the original on the policy server before configuring the runtime.

Active Directory
If you selected Active Directory as your registry, you are prompted for the following information:

v Multiple domains—Select Yes to use multiple domains or No to configure a single domain.

– If you selected Yes to use multiple domains, you are prompted for the following configuration information:

- Enable encrypted connection—Specifies whether you want to enable the Kerberos protocol as an encryption mechanism for a secure connection to the AD server. This is an optional step during the configuration process. Select Yes to enable Kerberos.

– If you selected No to multiple domains, you are prompted for the following:

- Host name—Specifies the Active Directory domain controller server name. For example:

adserver.tivoli.com

- Domain name—Specifies the domain name. For example:

dc=adpd,dc=com

- Enable encrypted connection—Specifies whether you want to enable the Kerberos protocol as an encryption mechanism for a secure connection to the AD server. This is an optional step during the configuration process. Select Yes to enable Kerberos.

v Active Directory Other Information—Type the Administrative ID and password that you created in “Creating an Active Directory administrative user” on page 37 and then click Next.

Notes:

– If you specified No for multiple domains, the Active Directory Data Information panel is displayed. Type the distinguished name where you want to store Tivoli Access Manager data. For example,


dc=wsm,dc=com

– If you are using Active Directory as your registry, an activedir.conf file is created in the following directory:

%PD_INSTALL_DIR%\etc

where PD_INSTALL_DIR is the directory where Tivoli Access Manager is installed. C:\Program Files\Tivoli\Policy Director is the default directory.

Lotus Domino
If you selected Domino as your registry, you are prompted for the following information:

v Fully qualified Domino server name—Specifies the fully qualified name of the Domino server. For example:

Domino/tivoli

v Domino server TCP/IP hostname—Specifies the TCP/IP host name of the Domino server. For example:

domino.tivoli.com

v Domino LDAP server port—Specifies the LDAP server port on which the Domino server listens. If you plan to enable SSL, the port number is 636. For non-SSL communication, the default port number is 389.

v Enable SSL communication to Domino server—Select Yes or No to enable SSL communication to the Domino server. This is an optional step during the installation process. If you enabled SSL on the Domino server as described in “Enabling SSL for Domino”, select Yes. For more information about enabling SSL communication, see Appendix A, “Enabling Secure Sockets Layer”, on page 157.

If you specify Yes, you are prompted for the following information:

–  Port number—Specifies the SSL port number. The default port number is 636.

–  Key file with full path—Specifies the client key file that you created when enabling SSL. When prompted for the Domino server’s key file, provide the name of your LDAP client key database file. For example:

d:\cert\dominoc.kdb

–  Certificate label—Specifies the SSL client certificate label. This field requires that you type any character. Because you do not need to set up client-side certificate authentication, the character that you specify is ignored.

–  Key file password—Specifies the password associated with the key file.

v Notes client password—Specifies the Notes client password to access the Domino database.

v Tivoli Access Manager Meta-data Database name—Specifies the database name associated with Tivoli Access Manager data. For example:

PDdata.nsf

Tivoli Access Manager policy server
During the configuration of the policy server on a Windows system, you are prompted for the following information:

v LDAP Administrator ID (DN)—Specifies the distinguished name of the LDAP administrator. The default name is cn=root.

v LDAP Administrator Password—Specifies the password associated with the LDAP administrator ID.

v Security Master Password—Specifies the password associated with the sec_master primary administrator ID.


v SSL Server Port for Policy Server—Specifies the port number on which the policy server listens for SSL requests. The default port number is 7135.

v Policy Server SSL Certificate Lifetime—Specifies the number of days that the SSL certificate file is valid. The default number of days is 365.

v Enable Download of Certificates—Specify yes to enable automatic downloading of the SSL certificate authority file. Regardless of whether you specify yes or no, the SSL certificate authority file is placed in the following location:

install_dir/keytab/pdcacert.b64

If this option is set to no, you must copy the pdcacert.b64 file to each Tivoli Access Manager runtime client system.

Tivoli Access Manager authorization server
During the configuration of the authorization server on a Windows system, you are prompted for the following information:

v LDAP Administrator ID (DN)—Specifies the distinguished name of the LDAP administrator. The default name is cn=root.

v LDAP Administrator Password—Specifies the password associated with the LDAP administrator ID.

v Security Master Password—Specifies the password associated with the sec_master primary administrator ID.

Default ports

Default port numbers are as follows:

v LDAP server non-SSL port: 389

v LDAP server SSL port: 636

v Policy server SSL port: 7135

v WebSphere Application Server SSL port: 443

 


Appendix C. OS/390 and z/OS LDAP configuration reference

This appendix includes samples for the following:

v “Sample LDAP configuration” 

v “Sample DB2 database and tablespace script for SPUFI” on page 188

v “Sample DB2 index script for SPUFI” on page 193

v “Sample CLI bind batch job” on page 195

v “Sample CLI initialization file” on page 197

Use these samples during the configuration process as described in “Configuring z/OS and OS/390 security servers” on page 28.

Sample LDAP configuration

########################################################################
## The values provided in this configuration file may reflect the
## generic values given in the example DB2 setup files. Make sure you
## use values appropriate for a production installation.
########################################################################

########################################################################
## Global definitions
########################################################################
adminDN "cn=root"
adminPW password1
########################################################################
## port & securePort directives deprecated, now using listen
########################################################################
listen ldap://:389
listen ldaps://:636
########################################################################
## tdbm database definitions
########################################################################
database tdbm GLDBTDBM
servername LOC1
dbuserid LDAPSRV
databaseName LDAPR10
dsnaoini SUADMIN.DSNAOINI.DB2INI
suffix "o=ibm,c=us"
suffix "secAuthority=Default"
AttrOverflowSize 80
########################################################################
## Native (SAF) Authentication for TDBM
########################################################################
useNativeAuth SELECTED
nativeAuthSubtree "o=ibm,c=us"
nativeUpdateAllowed YES

########################################################################
## SSL definitions
## (the key database and its password stash file live in the same
## directory; both paths must be absolute)
########################################################################
sslAuth serverAuth
sslKeyRingFile "/usr/lpp/ldap/etc/ldapserver.kdb"
sslKeyRingPWStashFile "/usr/lpp/ldap/etc/ldapserver.sth"
sslCertificate ldapcert
sslCipherSpecs 15104
########################################################################
## Replica definitions
########################################################################
masterServer "ldap://jeff.endicott.ibm.com:3389"
masterServerDN cn=master
masterServerPW password1
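As an added check that is not part of the IBM sample, the following Python script parses a configuration in the directive format shown above and reports the settings that must change before such a file goes into production: the placeholder passwords, the cleartext ldap:// listener, the plain ldap:// replica master URL, and a relative key-ring stash path. Both configuration strings are constructed for this example, and the hardened variant's master host name is an assumption.

```python
"""Audit an OS/390 LDAP server configuration (directive/value lines, '#'
comments) for settings that must change before production use."""
from typing import Dict, List, Tuple

# Constructed input: the appendix sample's placeholder passwords and plain
# ldap:// URLs, plus a relative stash path added here to exercise that check.
SAMPLE_CONFIG = """\
adminDN "cn=root"
adminPW password1
listen ldap://:389
listen ldaps://:636
sslAuth serverAuth
sslKeyRingFile "/usr/lpp/ldap/etc/ldapserver.kdb"
sslKeyRingPWStashFile "usr/lpp/ldap/etc/ldapserver.sth"
sslCertificate ldapcert
masterServer "ldap://jeff.endicott.ibm.com:3389"
masterServerDN cn=master
masterServerPW password1
"""

# Constructed hardened variant: ldaps-only listener, TLS to the replica
# master (host name assumed), absolute stash path, secrets filled in at
# deployment rather than stored as sample values.
HARDENED_CONFIG = """\
adminDN "cn=root"
adminPW <set-at-deployment>
listen ldaps://:636
sslAuth serverAuth
sslKeyRingFile "/usr/lpp/ldap/etc/ldapserver.kdb"
sslKeyRingPWStashFile "/usr/lpp/ldap/etc/ldapserver.sth"
sslCertificate ldapcert
masterServer "ldaps://ldap-master.example.com:636"
masterServerDN cn=master
masterServerPW <set-at-deployment>
"""

# Passwords that appear verbatim in the shipped sample files.
SAMPLE_SECRETS = {"password1"}
PASSWORD_DIRECTIVES = {"adminpw", "masterserverpw"}


def parse_directives(text: str) -> List[Tuple[str, str]]:
    """Return (directive, value) pairs in file order.

    Blank and '#' lines are dropped and a double-quoted value is unwrapped.
    Directives such as listen and suffix may repeat, hence a list."""
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        pairs.append((parts[0], value))
    return pairs


def audit(text: str) -> List[str]:
    """Return one finding per weak setting; an empty list means clean."""
    findings: List[str] = []
    pairs = parse_directives(text)
    by_name: Dict[str, List[str]] = {}
    for name, value in pairs:
        by_name.setdefault(name.lower(), []).append(value)

    # 1. Sample passwords left in place (directive names compared case-insensitively).
    for name, value in pairs:
        if name.lower() in PASSWORD_DIRECTIVES and value.lower() in SAMPLE_SECRETS:
            findings.append(f"{name}: sample password left in configuration")

    # 2. The CC configuration requires SSL/TLS for LDAP access: a cleartext
    #    ldap:// listener is a finding, and an ldaps:// listener must exist.
    listeners = [u.lower() for u in by_name.get("listen", [])]
    if any(u.startswith("ldap://") for u in listeners):
        findings.append("listen: cleartext ldap:// listener enabled")
    if not any(u.startswith("ldaps://") for u in listeners):
        findings.append("listen: no ldaps:// listener configured")

    # 3. A replica binds to the master with masterServerDN/masterServerPW;
    #    over plain ldap:// that simple bind crosses the network unencrypted.
    for url in by_name.get("masterserver", []):
        if not url.lower().startswith("ldaps://"):
            findings.append(f"masterServer: {url} is not an ldaps:// URL")

    # 4. The key-ring stash path must be absolute; a relative path resolves
    #    against the server's working directory at start-up.
    for path in by_name.get("sslkeyringpwstashfile", []):
        if not path.startswith("/"):
            findings.append(f"sslKeyRingPWStashFile: relative path '{path}'")

    return findings
```

Running audit(SAMPLE_CONFIG) yields five findings, while audit(HARDENED_CONFIG) yields none.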

Sample DB2 database and tablespace script for SPUFI

--*********************************************************************/
--* This file contains sample code. IBM PROVIDES THIS CODE ON AN      */
--* 'AS IS' BASIS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS        */
--* OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES  */
--* OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.           */
--*********************************************************************/

-- Use the following statements to create your LDAP Server DB2 database
-- and tablespaces in SPUFI. The database and tablespace names you
-- create will be used to update the database section of the LDAP
-- Server configuration file. You also need to make DB2 decisions,
-- in terms of buffer pool size selection for tablespaces and column
-- size selection, all of which will be directly related to the data that
-- will be stored in the database. See the instructions below for
-- more information.
--
-- *************************
-- Database Name Information
-- *************************
-- Change LDAPR10 to the name of the LDAP database you want to create.
-- Be sure this name is updated to match what is defined for databaseName in
-- the server configuration file.
--
-- **************************
-- DataBase Owner Information
-- **************************
-- Change the LDAPSRV to the MVS database owner id. This ID will be the
-- high-level qualifier for the tables.
--
-- **********************
-- Tablespace Information
-- **********************
--
-- *********************************************************************
-- NOTE: Refer to the DB2 manuals for a complete listing of valid buffer
-- pool names.
-- *********************************************************************
--
-- Change the ENTRYTS to the LDAP entry tablespace name you want to create.
--
-- Change the BP0 to the buffer pool name for the LDAP entry tablespace.
-- The size of the buffer pool can be determined with the formula:
--
-- result = 62 bytes + <dn column trunc size (from below)> +
--          <maximum full size of a DN (from below)> +
--          <size of entry data (which includes creator's DN and modifier's DN)>
--
-- There is also a concept of a "spill over" table, where if the entry
-- data does not fit into the row size, it will be broken up in order
-- to fit into a row. Entry data may be spread across multiple rows
-- if needed. So in the above formula, the <size of entry data>
-- does not need to be the maximum size of the data; the median
-- size of the data may be a better choice. See the long entry
-- tablespace description below.
--
-- The default suggested size is 4K.
--
-- Change the LENTRYTS to the LDAP long entry tablespace name you want to
-- create.
--
-- Change the BP0 to the buffer pool name for the LDAP long entry
-- tablespace. The long entry tablespace will hold "spill over" rows
-- for entry data that does not fit into the entry tablespace.
-- To minimize the number of spill over rows, choose a large buffer
-- pool size.
--
-- The default suggested size is 4K.
--
-- Change the LATTRTS to the LDAP long attribute tablespace name you want to
-- create.
--
-- Change the BP0 to the buffer pool name for the LDAP long attribute
-- tablespace. The long attribute tablespace will hold "spill over" rows
-- for attribute data that does not fit into the entry tablespace.
-- To minimize the number of spill over rows, choose a large buffer
-- pool size.
--
-- The default suggested size is 4K.
--
-- Change the MISCTS to the LDAP miscellaneous tablespace name you want to
-- create.
--
-- Change the DESCTS to the LDAP descendants tablespace name you want to
-- create.
--
-- Change the SEARCHTS to the LDAP search tablespace name you want to create.
--
-- Change the BP0 to the buffer pool name for the LDAP search tablespace.
-- The size of the buffer pool can be determined with the simple formula:
--
-- result = 16 bytes + <search column trunc size (from below)> +
--          <maximum size of attribute value you would like to search for>
--
-- The result value is the maximum number of bytes a row in the search
-- table containing an attribute value will occupy. Choose a buffer pool
-- size which will accommodate this size.
--
-- The default suggested size is 4K.
--
-- Change the REPTS to the LDAP replica tablespace name you want to create.
--
-- *********************************
-- Column Size Selection Information
-- *********************************
-- All searchable attributes of a given entry will be stored in two forms.
-- The first will be a truncated version, which will be used as part of
-- a DB2 index. The second version will be the entire attribute value,
-- potentially truncated by the buffer pool size you choose. The reason
-- two versions are stored is so that LDAP/DB2 can use indexes to increase
-- search performance. The reason we do not index the entire searchable
-- attribute value is the cost (in terms of DASD) associated with
-- having indexes on a large column where there is a large amount of data.
--
-- The choice of the search column trunc size should take into account system
-- limits you may have (as described above), and should account
-- for the typical size of the attribute values that are stored in
-- LDAP. For example, if most of your data is only 20 bytes long,
-- choosing 20 for this trunc size would be wise.
--
-- Change 32 to the search column trunc size you determine best fits your
-- attribute data.
--
-- The default suggested size is 32.
--
-- Another search performance enhancement is related to the DN attribute.
-- The DN attribute value is stored separately from the entry data to allow
-- a fast path lookup. It is also stored in two versions. The
-- reasons are similar to those mentioned above for the attribute column.
-- Since the DN data is stored in its own column, you need to define the
-- maximum DN attribute value size here. You also need to choose a dn
-- column trunc size that best fits your data.
--
-- Change 32 to the dn trunc size you determine best fits your dn data.
--
-- The default suggested size is 32.
--
-- Change 512 to the maximum size of a DN. This value includes the null
-- terminator, so the actual maximum length of a DN will be one less than
-- this value.
--
-- The default suggested size is 512.
--
--
-- *************************
-- Storage Group Information
-- *************************
-- Change the SYSDEFLT to the storage group you want to contain the
-- LDAP DB2 tablespaces. Use SYSDEFLT to choose the default storage group.
-- NOTE: The values provided below for PRIQTY and SECQTY probably need to be
-- modified depending on the projected size of the Directory information to
-- be stored.
--
-- ***************************************************************************
-- Use the following statements if you need to delete your LDAP Server DB2
-- database and tablespaces in SPUFI. You need to remove the '--'
-- from each line before you can run these statements.
-- Change the ENTRYTS to the LDAP entry tablespace name you want to delete.
-- Change the LENTRYTS to the LDAP long entry tablespace name you want to
-- delete.
-- Change the LATTRTS to the LDAP long attr tablespace name you want to
-- delete.
-- Change the MISCTS to the LDAP miscellaneous tablespace name you want to
-- delete.
-- Change the SEARCHTS to the LDAP search tablespace name you want to delete.
-- Change the REPTS to the LDAP replica tablespace name you want to delete.
-- Change the DESCTS to the LDAP descendants tablespace name you want to
-- delete.
-- Change the LDAPR10 to the LDAP database name you want to delete.
-- ***************************************************************************
--DROP TABLESPACE LDAPR10.ENTRYTS;
--DROP TABLESPACE LDAPR10.LENTRYTS;
--DROP TABLESPACE LDAPR10.LATTRTS;
--DROP TABLESPACE LDAPR10.MISCTS;
--DROP TABLESPACE LDAPR10.SEARCHTS;
--DROP TABLESPACE LDAPR10.REPTS;
--DROP TABLESPACE LDAPR10.DESCTS;
--DROP DATABASE LDAPR10;
--COMMIT;

-- ************************
-- Create the LDAP database
-- ************************
CREATE DATABASE LDAPR10 STOGROUP SYSDEFLT;

-- ********************************
-- Create the LDAP entry tablespace
-- ********************************
CREATE TABLESPACE ENTRYTS IN LDAPR10
       USING STOGROUP SYSDEFLT
       BUFFERPOOL BP0;

-- *************************************
-- Create the LDAP long entry tablespace
-- *************************************
CREATE TABLESPACE LENTRYTS IN LDAPR10
       USING STOGROUP SYSDEFLT
       BUFFERPOOL BP0;

-- ************************************
-- Create the LDAP long attr tablespace
-- ************************************
CREATE TABLESPACE LATTRTS IN LDAPR10
       USING STOGROUP SYSDEFLT
       BUFFERPOOL BP0;

-- *****************************
-- Create the LDAP 4K tablespace
-- *****************************
CREATE TABLESPACE MISCTS IN LDAPR10
       SEGSIZE 4
       USING STOGROUP SYSDEFLT
       BUFFERPOOL BP0;

-- *********************************
-- Create the LDAP search tablespace
-- *********************************
CREATE TABLESPACE SEARCHTS IN LDAPR10
       USING STOGROUP SYSDEFLT
       BUFFERPOOL BP0;

-- **********************************
-- Create the LDAP replica tablespace
-- **********************************
CREATE TABLESPACE REPTS IN LDAPR10
       USING STOGROUP SYSDEFLT
       BUFFERPOOL BP0;

-- **************************************
-- Create the LDAP descendants tablespace
-- **************************************
CREATE TABLESPACE DESCTS IN LDAPR10
       USING STOGROUP SYSDEFLT
       BUFFERPOOL BP0;

-- *********************
-- Create the DB2 tables
-- *********************

-- **************************
-- Create the DIR_ENTRY table
-- **************************
CREATE TABLE LDAPSRV.DIR_ENTRY (
       EID DECIMAL(15 , 0) NOT NULL,
       PEID DECIMAL(15 , 0),
       ENTRY_SIZE INTEGER,
       LEVEL INTEGER,
       ACLSRC DECIMAL(15 , 0),
       ACLPROP CHAR(1),
       OWNSRC DECIMAL(15 , 0),
       OWNPROP CHAR(1),
       CREATE_TIMESTAMP TIMESTAMP,
       MODIFY_TIMESTAMP TIMESTAMP,
       DN_TRUNC CHAR(32) FOR BIT DATA,
       DN VARCHAR(512) FOR BIT DATA,
       ENTRYDATA LONG VARCHAR FOR BIT DATA,
       PRIMARY KEY( EID ) )
       IN LDAPR10.ENTRYTS;

-- ******************************
-- Create the DIR_LONGENTRY table
-- ******************************
CREATE TABLE LDAPSRV.DIR_LONGENTRY (
       EID DECIMAL(15 , 0) NOT NULL,
       SEQ INTEGER NOT NULL,
       ENTRYDATA LONG VARCHAR FOR BIT DATA,
       PRIMARY KEY( EID, SEQ ) )
       IN LDAPR10.LENTRYTS;

-- *****************************
-- Create the DIR_LONGATTR table
-- *****************************
CREATE TABLE LDAPSRV.DIR_LONGATTR (
       EID DECIMAL(15 , 0) NOT NULL,
       ATTR_ID INTEGER NOT NULL,
       VALUENUM INTEGER NOT NULL,
       SEQ INTEGER NOT NULL,
       ATTRDATA LONG VARCHAR FOR BIT DATA,
       PRIMARY KEY( EID, ATTR_ID, VALUENUM, SEQ ) )
       IN LDAPR10.LATTRTS;

-- *************************
-- Create the DIR_MISC table
-- *************************
CREATE TABLE LDAPSRV.DIR_MISC (
       NEXT_EID DECIMAL(15 , 0),
       NEXT_ATTR_ID INTEGER,
       DB_VERSION CHAR(10),
       DB_CREATE_VERSION CHAR(10) )
       IN LDAPR10.MISCTS;

-- **************************
-- Create the DIR_CACHE table
-- **************************
CREATE TABLE LDAPSRV.DIR_CACHE (
       CACHE_NAME CHAR(25) NOT NULL,
       MODIFY_TIMESTAMP TIMESTAMP NOT NULL,
       PRIMARY KEY( CACHE_NAME, MODIFY_TIMESTAMP ) )
       IN LDAPR10.MISCTS;

-- ***************************
-- Create the DIR_ATTRID table
-- ***************************
CREATE TABLE LDAPSRV.DIR_ATTRID (
       ATTR_ID INTEGER,
       ATTR_NOID VARCHAR(200) NOT NULL,
       PRIMARY KEY( ATTR_NOID ) )
       IN LDAPR10.MISCTS;

-- *************************
-- Create the DIR_DESC table
-- *************************
CREATE TABLE LDAPSRV.DIR_DESC (
       DEID DECIMAL(15 , 0) NOT NULL,
       AEID DECIMAL(15 , 0) NOT NULL,
       PRIMARY KEY( DEID, AEID ) )
       IN LDAPR10.DESCTS;

-- ***************************
-- Create the DIR_SEARCH table
-- ***************************
CREATE TABLE LDAPSRV.DIR_SEARCH (
       EID DECIMAL(15 , 0) NOT NULL,
       ATTR_ID INTEGER NOT NULL,
       VALUE CHAR(32) FOR BIT DATA,
       LVALUE LONG VARCHAR FOR BIT DATA )
       IN LDAPR10.SEARCHTS;

-- *****************************
-- Create the DIR_REGISTER table
-- *****************************
CREATE TABLE LDAPSRV.DIR_REGISTER (
       ID INTEGER NOT NULL,
       SRV VARCHAR(125) NOT NULL,
       PRIMARY KEY( ID, SRV ) )
       IN LDAPR10.MISCTS;

-- *****************************
-- Create the DIR_PROGRESS table
-- *****************************
CREATE TABLE LDAPSRV.DIR_PROGRESS (
       ID INTEGER NOT NULL,
       PRG VARCHAR(125) NOT NULL,
       SRV VARCHAR(125) NOT NULL,
       PRIMARY KEY( ID, PRG, SRV ) )
       IN LDAPR10.MISCTS;

-- ***************************
-- Create the DIR_CHANGE table
-- ***************************
CREATE TABLE LDAPSRV.DIR_CHANGE (
       ID INTEGER NOT NULL,
       TYPE INTEGER NOT NULL,
       LONGENTRY_SIZE INTEGER,
       DIN VARCHAR(512) NOT NULL,
       LDIF LONG VARCHAR NOT NULL,
       PRIMARY KEY( ID ) )
       IN LDAPR10.REPTS;

-- *******************************
-- Create the DIR_LONGCHANGE table
-- *******************************
CREATE TABLE LDAPSRV.DIR_LONGCHANGE (
       ID INTEGER NOT NULL,
       SEQ INTEGER NOT NULL,
       LDIF LONG VARCHAR,
       PRIMARY KEY( ID, SEQ ) )
       IN LDAPR10.REPTS;

-- ***********************************
-- Commit all the above SQL statements
-- ***********************************
COMMIT;

Sample DB2 index script for SPUFI

--*********************************************************************/
--* This file contains sample code. IBM PROVIDES THIS CODE ON AN      */
--* 'AS IS' BASIS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS        */
--* OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES  */
--* OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.           */
--*********************************************************************/
--
-- Use the following statements to create your LDAP Server DB2
-- indexes in SPUFI. See the instructions below for more information.
--
-- **************************
-- DataBase Owner Information
-- **************************
-- Change the LDAPSRV to the MVS database owner id. This ID will be the
-- high-level qualifier for the tables. This value should correspond
-- with the value chosen in the LDAP Server DB2 database and tablespace
-- SPUFI script.
--
-- *************************
-- Storage Group Information
-- *************************
-- Change the SYSDEFLT to the storage group you want to contain the
-- LDAP DB2 indexes. Use SYSDEFLT to choose the default storage group.
-- NOTE: The values provided below for PRIQTY and SECQTY probably need
-- to be modified depending on the projected size of the Directory
-- information to be stored.
--
-- *************************
-- Miscellaneous Information
-- *************************
-- All indexes have been defined DEFER YES, which means they need to be
-- recovered at some point. It is suggested to do the recovery after
-- the database has been populated for databases with large amounts of
-- data. Use of this option is strictly optional though.
--
-- To NOT use the DEFER YES option, simply remove DEFER YES globally.
--
-- ****************************
-- Create the DIR_ENTRY indexes
-- ****************************
CREATE UNIQUE INDEX LDAPSRV.DIR_ENTRYX0 ON LDAPSRV.DIR_ENTRY( EID )
       USING STOGROUP SYSDEFLT
       DEFER YES;

CREATE INDEX LDAPSRV.DIR_ENTRYX1 ON LDAPSRV.DIR_ENTRY( PEID, EID )
       USING STOGROUP SYSDEFLT
       DEFER YES;

CREATE INDEX LDAPSRV.DIR_ENTRYX2 ON LDAPSRV.DIR_ENTRY( EID, DN_TRUNC )
       USING STOGROUP SYSDEFLT
       DEFER YES;

CREATE INDEX LDAPSRV.DIR_ENTRYX3 ON LDAPSRV.DIR_ENTRY( DN_TRUNC, EID )
       USING STOGROUP SYSDEFLT
       DEFER YES;

-- ********************************
-- Create the DIR_LONGENTRY indexes
-- ********************************
CREATE UNIQUE INDEX LDAPSRV.DIR_LONGENTRYX1
       ON LDAPSRV.DIR_LONGENTRY( EID, SEQ )
       USING STOGROUP SYSDEFLT
       DEFER YES;

-- *******************************
-- Create the DIR_LONGATTR indexes
-- *******************************
CREATE UNIQUE INDEX LDAPSRV.DIR_LONGATTRX1
       ON LDAPSRV.DIR_LONGATTR( EID, ATTR_ID, VALUENUM, SEQ )
       USING STOGROUP SYSDEFLT
       DEFER YES;

-- ****************************
-- Create the DIR_CACHE indexes
-- ****************************
CREATE UNIQUE INDEX LDAPSRV.DIR_CACHEX1
       ON LDAPSRV.DIR_CACHE( CACHE_NAME, MODIFY_TIMESTAMP )
       USING STOGROUP SYSDEFLT
       DEFER YES;

-- *****************************
-- Create the DIR_ATTRID indexes
-- *****************************
CREATE UNIQUE INDEX LDAPSRV.DIR_ATTRIDX1
       ON LDAPSRV.DIR_ATTRID( ATTR_NOID )
       USING STOGROUP SYSDEFLT
       DEFER YES;

-- ***************************
-- Create the DIR_DESC indexes
-- ***************************
CREATE UNIQUE INDEX LDAPSRV.DIR_DESCX1
       ON LDAPSRV.DIR_DESC( DEID, AEID )
       USING STOGROUP SYSDEFLT
       DEFER YES;

-- *****************************
-- Create the DIR_SEARCH indexes
-- *****************************
CREATE INDEX LDAPSRV.DIR_SEARCHX1
       ON LDAPSRV.DIR_SEARCH( ATTR_ID, VALUE, EID )
       USING STOGROUP SYSDEFLT
       DEFER YES;

CREATE INDEX LDAPSRV.DIR_SEARCHX2
       ON LDAPSRV.DIR_SEARCH( EID, ATTR_ID )
       USING STOGROUP SYSDEFLT CLUSTER
       DEFER YES;

-- *******************************
-- Create the DIR_REGISTER indexes
-- *******************************
CREATE UNIQUE INDEX LDAPSRV.DIR_REGISTERX1
       ON LDAPSRV.DIR_REGISTER( ID, SRV )
       USING STOGROUP SYSDEFLT
       DEFER YES;

-- *******************************
-- Create the DIR_PROGRESS indexes
-- *******************************
CREATE UNIQUE INDEX LDAPSRV.DIR_PROGRESSX1
       ON LDAPSRV.DIR_PROGRESS( ID, PRG, SRV )
       USING STOGROUP SYSDEFLT
       DEFER YES;

-- *****************************
-- Create the DIR_CHANGE indexes
-- *****************************
CREATE UNIQUE INDEX LDAPSRV.DIR_CHANGEX1 ON LDAPSRV.DIR_CHANGE( ID )
       USING STOGROUP SYSDEFLT
       DEFER YES;

-- *********************************
-- Create the DIR_LONGCHANGE indexes
-- *********************************
CREATE UNIQUE INDEX LDAPSRV.DIR_LONGCHANGEX1
       ON LDAPSRV.DIR_LONGCHANGE( ID, SEQ )
       USING STOGROUP SYSDEFLT
       DEFER YES;

-- ***********************************
-- Commit all the above SQL statements
-- ***********************************
COMMIT;

Sample CLI bind batch job

//DSNTIJCL JOB (DB2),
//         'PGMRNAME',
//         CLASS=A,MSGCLASS=H,MSGLEVEL=(1,1),
//         REGION=4M
//*
//*********************************************************************/
//* This file contains sample code. IBM PROVIDES THIS CODE ON AN      */
//* 'AS IS' BASIS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS        */
//* OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES  */
//* OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.           */
//*********************************************************************/
//*********************************************************************/
//* JOB NAME = DSNTIJCL                                               */
//* DESCRIPTIVE NAME = INSTALLATION JOB STREAM                        */
//* LICENSED MATERIALS - PROPERTY OF IBM                              */
//* 5655-DB2                                                          */
//* (C) COPYRIGHT 1982, 1997 IBM CORP. ALL RIGHTS RESERVED.           */
//* STATUS = VERSION 5                                                */
//* FUNCTION = SAMPLE CLI BIND                                        */
//* PSEUDOCODE = BINDCLI STEP BIND CLI DEFAULT PACKAGES AND PLAN      */
//* DEPENDENCIES = CLI MUST BE INSTALLED                              */
//* MEMBER DSNCLIQR CAN ONLY BE BOUND SUCCESSFULLY TO DRDA SERVERS    */
//* THAT SUPPORT QUERY RESULT SET SQL (I.E. DESCRIBE PROCEDURE).      */
//* CURRENTLY THAT IS DB2 FOR OS/390 V5.                              */
//*                                                                   */
//* NOTES =                                                           */
//* BEFORE RUNNING THIS JOB:                                          */
//* - CHANGE ALL OCCURRENCES OF DSN5 TO THE PREFIX OF YOUR DB2 V5.1   */
//*   SDSNLOAD AND SDSNDBRM DATA SETS                                 */
//* - CHANGE THE SYSTEM(DSN5) STATEMENT TO MATCH YOUR DB2 V5.1 SSID   */
//*                                                                   */
//* CLI CAN BE BOUND TO REMOTE SERVERS BY INCLUDING THE LOCATION NAME.*/
//*                                                                   */
//* FOR REMOTE SERVERS OTHER THAN DB2 FOR OS/390, ALSO ADD THE        */
//* APPROPRIATE BIND PACKAGE MEMBER STATEMENTS, LISTED BELOW,         */
//* BASED ON THE SERVER TYPE:                                         */
//* BIND PACKAGE (<COMMON SERVER V1 LOCATION NAME>.DSNAOCLI) -        */
//*   MEMBER(DSNCLIV1)                                                */
//* BIND PACKAGE (<COMMON SERVER V2 LOCATION NAME>.DSNAOCLI) -        */
//*   MEMBER(DSNCLIV2)                                                */
//* BIND PACKAGE (<AS400 LOCATION NAME>.DSNAOCLI) -                   */
//*   MEMBER(DSNCLIAS)                                                */
//* BIND PACKAGE (<SQLDS LOCATION NAME>.DSNAOCLI) -                   */
//*   MEMBER(DSNCLIVM)                                                */
//* ALSO INCLUDE ANY ADDED PACKAGE NAMES TO THE PKLIST KEYWORD OF     */
//* BIND PLAN STATEMENT FOLLOWING THE BIND PACKAGE STATEMENTS.        */
//*                                                                   */
//*********************************************************************/
//JOBLIB   DD DISP=SHR,
//         DSN=DB2710.SDSNLOAD
//BINDCLI  EXEC PGM=IKJEFT01,DYNAMNBR=20
//DBRMLIB  DD DISP=SHR,
//         DSN=DB2710.SDSNDBRM
//SYSTSPRT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//SYSTSIN  DD *
  DSN SYSTEM(DSN5)
  BIND PACKAGE (DSNAOCLI) MEMBER(DSNCLICS) ISOLATION(CS)
  BIND PACKAGE (DSNAOCLI) MEMBER(DSNCLINC) ISOLATION(NC)
  BIND PACKAGE (DSNAOCLI) MEMBER(DSNCLIRR) ISOLATION(RR)
  BIND PACKAGE (DSNAOCLI) MEMBER(DSNCLIRS) ISOLATION(RS)
  BIND PACKAGE (DSNAOCLI) MEMBER(DSNCLIUR) ISOLATION(UR)
  BIND PACKAGE (DSNAOCLI) MEMBER(DSNCLIC1)
  BIND PACKAGE (DSNAOCLI) MEMBER(DSNCLIC2)
  BIND PACKAGE (DSNAOCLI) MEMBER(DSNCLIF4)
  BIND PACKAGE (DSNAOCLI) MEMBER(DSNCLIMS)
  BIND PACKAGE (DSNAOCLI) MEMBER(DSNCLIQR)
  BIND PLAN(DSNACLI) -
       PKLIST(DSNAOCLI.DSNCLICS -
              DSNAOCLI.DSNCLINC -
              DSNAOCLI.DSNCLIRR -
              DSNAOCLI.DSNCLIRS -
              DSNAOCLI.DSNCLIUR -
              DSNAOCLI.DSNCLIC1 -
              DSNAOCLI.DSNCLIC2 -
              DSNAOCLI.DSNCLIF4 -
              DSNAOCLI.DSNCLIMS -
              DSNAOCLI.DSNCLIQR )
  END
/*

Sample CLI initialization file

; This is a comment line...
;/*********************************************************************/
;/* This file contains sample code. IBM PROVIDES THIS CODE ON AN      */
;/* 'AS IS' BASIS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS        */
;/* OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES  */
;/* OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.           */
;/*********************************************************************/
; Example COMMON stanza
;
; The MVSDEFAULTSSID option indicates what DB2
; subsystem should be used for interacting with
; DB2 tables. This value is installation dependent.
; It is assumed to be DSN5 for this example.
[COMMON]
MVSDEFAULTSSID=DSN5
; Example SUBSYSTEM stanza for DSN5 subsystem
;
; NOTE: the PLANNAME option below must match the
; plan name that was specified when running the
; DSNTIJCL batch job to create the plan. It is
; assumed to be DSNACLI for this example.
[DSN5]
;MVSATTACHTYPE=CAF
MVSATTACHTYPE=RRSAF
PLANNAME=DSNACLI
; Example DATA SOURCE stanza
;
; The DATA SOURCE name is installation dependent.
; It is assumed to be LOC1 for this example.
[LOC1]
AUTOCOMMIT=0
CONNECTTYPE=1


Appendix D. Common Criteria

A Common Criteria (CC) evaluated system is a system that has been evaluated according to the Common Criteria, an internationally recognized ISO standard (ISO 15408) for the assurance evaluation of IT products. IBM Tivoli Access Manager, Version 4.1 with fix pack 5 installed, contains the technology to meet the requirements of the CC assurance level EAL3+. The system configuration that meets these requirements is referred to as a CC evaluated system in this guide.

Note: For late-breaking updates to this appendix, including certification status and platforms used in the CC evaluation, see the IBM Tivoli Access Manager, Version 4.1, fix pack 5 readme file.

The evaluation was performed on the specific configuration described in this section. Changing this configuration leads to a non-evaluated system. This, however, does not mean that the security of the system is reduced. It only means that this customized configuration is not covered by the evaluation.

This appendix explains the constraints of a system that has to meet the requirements of a CC evaluation. The IBM Tivoli Access Manager, Version 4.1, CC evaluated system includes the following Tivoli Access Manager systems:

Policy server (pdmgrd) with the following components installed:

• Tivoli Access Manager runtime

• Tivoli Access Manager policy server

• IBM Directory client

• IBM Global Security Kit (GSKit)

WebSEAL server (webseald) with the following components installed:

• Tivoli Access Manager runtime

• Tivoli Access Manager WebSEAL server

• IBM Directory client

• IBM Global Security Kit (GSKit)

The following sections describe the way that these components and the operational environment must be configured to attain a CC-compliant system.

Security policy for Tivoli Access Manager

The CC configuration of Tivoli Access Manager is based on a security policy that must be respected to achieve and maintain a secure operation.

Base security policy

The systems must be installed and operated in access-controlled facilities that only authorized administrators have access to. The platforms that Tivoli Access Manager server components run on must be secured accordingly, allowing access only to authorized administrators.

Following is a non-exclusive list of security policy statements that must be fulfilled to operate Tivoli Access Manager in a way compatible with the CC.


• Only users authorized to work with the information on the systems are granted user IDs on the system.

• Administrators and users must use high quality passwords (as random as possible and not affiliated with the user or the organization).

• Users and administrators must not disclose their passwords to others.

• Administrators must be trustworthy and diligent and work according to the guidance provided by the system documentation.

• Passwords generated for users of the system by administrators must be transmitted in a secure fashion to the users.

• An administrator using a remote terminal or remote workstation to connect to the policy server for administration needs to ensure that the remote terminal or workstation is in a secured environment and managed securely. Management is performed by setting up a secured connection to communicate with the operating system on the policy server. There the administrator calls the pdadmin command line interface and authenticates himself.

System security policy

In addition to the base security policy described in “Base security policy” on page 199, the systems and networks used for operating Tivoli Access Manager need to fulfill additional policy statements as follows:

• The machines on which Tivoli Access Manager is deployed must be dedicated Tivoli Access Manager machines. (Tivoli Access Manager applications must be the only applications running on the underlying operating systems.)

Note: All operating system services must be switched off, especially networked services that are non-essential for running, managing, and administering Tivoli Access Manager.

• The operating system must be configured by trained and trustworthy personnel.

• The operating system must provide an exact time to the Tivoli Access Manager applications.

• Tivoli Access Manager configuration files and log/audit files must be protected using operating system access control mechanisms.

• LDAP access must be performed using SSL, Version 3, or TLS, Version 1.

• The LDAP server must perform user identification and authentication in addition to performing access control on the entries it provides.

Additional management and administration issues and mechanisms of the underlying operating systems are out of the scope of this appendix.

Tivoli Access Manager network policy

The following list describes the communication profile of each component. This communication profile must be enforced by the network environment to operate Tivoli Access Manager in a secure way.

Generally, the networks have to be configured in a way that WebSEAL is the enforcement point for the resource access policy. That means that there is no other way for a user to access the resources protected by Tivoli Access Manager. Management and administration mechanisms of the operating system must be in line with this rule.

• Policy server (pdmgrd)

– Tivoli Access Manager communication

– LDAP to the registry

• WebSEAL server (webseald)

– For external users, HTTPS only

– HTTPS to backend resources

– Tivoli Access Manager communication for authorization, database replication, management and auditing

– LDAP to the registry

The following diagram gives an overview of the network policy: 

Note: This policy does not imply any particular network setup. According to best practices, internal and external networking interfaces must be clearly separated, yielding HTTPS access for external users only. Any other network service must not be accessible from external networks.

The implemented network security policy must restrict client access to the HTTPS port to a controlled client community, for example, a company internal network with a known and controlled user and client community protected against unauthorized access from external networks.

Enabling polling for security policy database updates

To enable polling for updates of the security policy database, set the following parameter in the [aznapi-configuration] stanza of the webseald.conf file:

cache-refresh-interval = enable

This parameter ensures that WebSEAL polls for potential updates of the security policy database every 600 seconds and, subsequently, replicates the security policy database if changes occur. For more information on WebSEAL security settings and security policy database replication, see the IBM Tivoli Access Manager WebSEAL Administration Guide and the IBM Tivoli Access Manager Base Administration Guide.

Assumptions on the behavior of users

Each secure system has areas where its security is based on an assumption (and therefore trust). The security of Tivoli Access Manager is based on the following assumptions regarding the behavior of external users:

v Cryptographic key generation on the client side is performed securely, thus yielding strong cryptographic keys.

v The user's private keys used for authentication and key exchange with Tivoli Access Manager are stored securely and are protected against unauthorized use and access.


Appendix D. Common Criteria 201


v Users are not hostile and do not deliberately try to attack the security functions (that is, to circumvent the system's policy). They also carefully protect their authentication information within their operating environment.

Should any of these assumptions no longer be true, the administrator must be aware that access on behalf of the user in question is possible, because an attacker can then successfully impersonate that user.

CC evaluation compliant installation and configuration

The CC evaluation covers only the security configuration options listed in this appendix. Installation and configuration requirements are as follows:

v Ensure that you are using "clean" systems that do not have previous versions of Tivoli Access Manager installed. You are not allowed to upgrade from an older release to the current fix pack and then use this upgraded system as a basis for an evaluated configuration.

v The pdmgrd and webseald systems must be installed on separate machines.

v Tivoli Access Manager components were evaluated using the same operating system. Mixed configurations were not evaluated; for example, both pdmgrd and webseald were installed on AIX machines.

v Web Portal Manager (WPM) is not supported in the evaluated configuration. Only the pdadmin command line interface and the C API are supported.

v Only LDAP is supported for access to the directory server. Active Directory or other protocols are not supported.

v LDAP replicas are not supported.

v Hardware encryption devices are not supported.

v Only English language support was evaluated.

v It is recommended that you use easy installation programs, if supported for your particular platform. If easy installation is not supported, ensure that you follow native installation instructions and refer to the fix pack readme file for any last-minute updates.

v All WebSEAL systems are configured to operate independently from each other and are only connected to the central policy server. Therefore, load balancing and failover configurations of WebSEAL systems are not supported in the evaluated configuration.

Installing Tivoli Access Manager

The CC-compliant installation of Tivoli Access Manager base components is described in this guide; installation of WebSEAL components is described in the IBM Tivoli Access Manager WebSEAL Installation Guide.

After the initial installation of Tivoli Access Manager components, additional configuration steps are necessary to achieve a CC compliant state.

Attention: The steps described are specified as a delta to the installation default configuration of the Tivoli Access Manager components. If any other changes to the default configuration are made, the system no longer maintains the evaluated configuration.


Securing WebSEAL

The evaluated configuration supports only HTTPS access to WebSEAL. The following configuration directives in webseald.conf ensure this:

[server]
http = no
https = yes

It is recommended, though not required, that WebSEAL uses the standard HTTPS port as follows:

[server]
https-port = 443

The evaluated configuration does not include SSL, Version 2; only SSL, Version 3, and TLS, Version 1, are supported:

[ssl]
disable-ssl-v2 = yes
disable-ssl-v3 = no
disable-tls-v1 = no

Note: Connections from WebSEAL to the backend servers must be SSL based (SSL, Version 3 or TLS, Version 1). WebSEAL does not rewrite the URLs according to the junction when SSL and non-SSL is mixed.

Configuring WebSEAL authentication mechanisms

The evaluated configuration restricts the use of a user authentication mechanism to the following subset:

v Certificate based authentication

v User ID and password-based authentication

Therefore, the following configuration parameters have to be set in webseald.conf:

[ba]
ba-auth = https

[forms]
forms-auth = https

[certificate]
accept-client-certs = optional

[authentication-mechanisms]
cert-ssl = ssl_client_side_certificate_authentication_library

Selecting the supported cipher suites

The following SSL, Version 3 / TLS, Version 1, cipher suites must be used in the evaluated configuration:

v SSL_RSA_WITH_RC4_128_SHA

v SSL_RSA_WITH_3DES_EDE_CBC_SHA

The following parameters must be set in webseald.conf:

[ssl-qop]
ssl-qop-mgmt = yes

[ssl-qop-mgmt-default]
default = RC4-128
default = DES-168


Configuring auditing

The event log mechanism allows various targets for the log and audit entries.

On webseald or pdmgrd, the following entries must be placed in the configuration file in the [aznapi-configuration] stanza:

logcfg = audit.azn:file path=audit_file,log_id=audit,flush_interval=1,rollover_size=10000000,buffer_size=0,queue_size=1,hi_water=1
logcfg = audit.authn:file log_id=audit
logcfg = audit.mgmt:file log_id=audit
logcfg = audit.http:file log_id=audit

where audit_file is the fully qualified path of the audit log file.

Note: Each configuration directive must be entered on one line; any line breaks are for readability purposes only. For more information on the event logging and auditing see the IBM Tivoli Access Manager Base Administration Guide.

This example sends all audit events from all the audit categories to one audit log file. This file will grow up to 10,000,000 bytes before a new log file is created. A timestamp is appended to the old file.

The administrator needs to ensure that there is always enough space in the file system into which the audit trail is written. This example creates an audit trail for all the subclasses that support audit.

Other WebSEAL functions

To ensure that any unwanted functionality is switched off, the following parameters must be changed:

[ltpa]
ltpa-cache-enabled = no
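The webseald.conf settings in the preceding sections (HTTPS only, SSL Version 2 disabled, the two authentication mechanisms, the two cipher suites, the four audit categories routed to one flushed file, and the LTPA cache switched off) are easy to get wrong one key at a time, and the Attention note above says that any other deviation from the described delta leaves the evaluated configuration. The following Python script is an added example, not part of this guide or of the Tivoli Access Manager product: it parses the stanza format of webseald.conf, keeps repeated keys such as logcfg and default as lists, and reports every deviation from the values listed above. The embedded configuration fragment is constructed for the example, with four deliberate deviations, and the audit log path /var/pdweb/log/audit.log is an assumed value.

```python
"""Check a webseald.conf fragment against the CC-evaluated settings in this appendix.
Added example, not IBM code: it knows only the stanzas and keys listed above."""
import re
from collections import defaultdict

# Constructed sample, not a real WebSEAL file. Four settings are deliberately wrong:
# http is still on, SSL v2 is not disabled, DES-56 is allowed, audit.http is missing.
SAMPLE_CONF = """
[server]
http = yes
https = yes
[ssl]
disable-ssl-v2 = no
disable-ssl-v3 = no
disable-tls-v1 = no
[ba]
ba-auth = https
[forms]
forms-auth = https
[certificate]
accept-client-certs = optional
[authentication-mechanisms]
cert-ssl = ssl_client_side_certificate_authentication_library
[ssl-qop]
ssl-qop-mgmt = yes
[ssl-qop-mgmt-default]
default = RC4-128
default = DES-56
[aznapi-configuration]
logcfg = audit.azn:file path=/var/pdweb/log/audit.log,log_id=audit,flush_interval=1,rollover_size=10000000,buffer_size=0,queue_size=1,hi_water=1
logcfg = audit.authn:file log_id=audit
logcfg = audit.mgmt:file log_id=audit
[ltpa]
ltpa-cache-enabled = no
"""

# Single-valued settings the evaluated configuration requires: (stanza, key) -> value.
REQUIRED = {
    ("server", "http"): "no", ("server", "https"): "yes",
    ("ssl", "disable-ssl-v2"): "yes", ("ssl", "disable-ssl-v3"): "no",
    ("ssl", "disable-tls-v1"): "no",
    ("ba", "ba-auth"): "https", ("forms", "forms-auth"): "https",
    ("certificate", "accept-client-certs"): "optional",
    ("authentication-mechanisms", "cert-ssl"): "ssl_client_side_certificate_authentication_library",
    ("ssl-qop", "ssl-qop-mgmt"): "yes", ("ltpa", "ltpa-cache-enabled"): "no",
}
REQUIRED_CIPHERS = {"RC4-128", "DES-168"}
AUDIT_CATEGORIES = {"audit.azn", "audit.authn", "audit.mgmt", "audit.http"}


def parse_stanzas(text):
    """Parse INI-style stanzas into {stanza: {key: [values]}}; keys may repeat (logcfg, default)."""
    stanzas = defaultdict(lambda: defaultdict(list))
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"^\[(.+?)\]$", line)
        if m:
            current = m.group(1)
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stanzas[current][key].append(value)
    return stanzas


def parse_logcfg(value):
    """Split 'audit.azn:file path=...,log_id=audit' into (category, target, {attr: val})."""
    head, _, attrs = value.partition(" ")
    category, _, target = head.partition(":")
    return category, target, dict(kv.split("=", 1) for kv in attrs.split(",") if "=" in kv)


def check_cc_config(text):
    """Return a sorted list of deviations from the evaluated configuration."""
    conf = parse_stanzas(text)
    problems = []
    for (stanza, key), want in REQUIRED.items():   # WebSEAL honours the last occurrence
        got = conf.get(stanza, {}).get(key)
        if not got:
            problems.append(f"[{stanza}] {key} missing (want {want})")
        elif got[-1].lower() != want.lower():
            problems.append(f"[{stanza}] {key} = {got[-1]} (want {want})")
    ciphers = set(conf.get("ssl-qop-mgmt-default", {}).get("default", []))
    if ciphers != REQUIRED_CIPHERS:             # exactly the two evaluated suites, nothing weaker
        problems.append(f"[ssl-qop-mgmt-default] default = {sorted(ciphers)} (want {sorted(REQUIRED_CIPHERS)})")
    routes = {}
    for value in conf.get("aznapi-configuration", {}).get("logcfg", []):
        category, target, opts = parse_logcfg(value)
        routes[category] = (target, opts)
    for category in sorted(AUDIT_CATEGORIES - set(routes)):
        problems.append(f"[aznapi-configuration] no logcfg for {category}")
    if "audit.azn" in routes:                   # the entry that names the file and its flushing
        target, opts = routes["audit.azn"]
        if target != "file" or not opts.get("path"):
            problems.append("[aznapi-configuration] audit.azn must log to a file target with a path")
        if opts.get("buffer_size") != "0" or opts.get("flush_interval") != "1":
            problems.append("[aznapi-configuration] audit.azn must set buffer_size=0 and flush_interval=1")
    return sorted(problems)


if __name__ == "__main__":
    for problem in check_cc_config(SAMPLE_CONF):
        print(problem)
```

Run against the sample, the script reports the four planted deviations; an empty list from check_cc_config(open(path).read()) on a real webseald.conf means the keys named in this appendix match. It deliberately compares the last occurrence of a single-valued key, because a key repeated later in the file silently overrides an earlier compliant value. A clean result covers only the keys listed here; it does not by itself establish the evaluated configuration.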

Login policy

To conform to the CC requirements, use the pdadmin command to change the default login policy for user and administrative IDs as follows:

policy set max-login-failures 3

This ensures that the login policy is applied after three consecutive failed attempts and not after ten attempts (the default). Note that you do not need to change the default penalty of 180 seconds.

Note: More than one WebSEAL server instance can be configured at one time. Each instance presents an additional entry point through which an attacker can guess passwords. When a large number of instances are configured, care must be taken to maintain optimal levels of password security. In these cases, other WebSEAL security settings should be adjusted. For example, increasing the default penalty for consecutive failed attempts greatly extends the time necessary for an attacker to conduct a brute force password attack.

To maintain a CC configuration when WebSEAL security settings are not modified from the values specified in this appendix, it is recommended to not add more than four WebSEAL instances.


For more information on WebSEAL security settings, see the IBM Tivoli Access Manager WebSEAL Administration Guide.

Password policy

To conform to the CC requirements, use the pdadmin command to change the default password policy as follows:

policy set password-spaces no

Cryptographic key management

The evaluation of Tivoli Access Manager also covers the cryptographic key generation process. This means that the security status of the keys that are generated by the Tivoli Access Manager utilities (mgrsslcfg, bassslcfg, and svrsslcfg) was verified. Note that user generated certificates (for example, the WebSEAL server certificate) must have a key length of at least 1024 bits. For more information about WebSEAL certificate management, see the IBM Tivoli Access Manager WebSEAL Administration Guide.

CC-compliant configuration files

The following configuration files were used in the CC evaluation of Tivoli Access Manager. For descriptions of these files, including stanza and parameter information, see the IBM Tivoli Access Manager Base Administrator's Guide. For the webseald.conf file, consult the IBM Tivoli Access Manager WebSEAL Administrator's Guide.

v ivmgrd.conf

v ldap.conf

v pd.conf

v webseald.conf


Appendix E. Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

© Copyright IBM Corp. 2001, 2003 207


Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758 U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.

Each copy or any portion of these sample programs or any derivative work, must include a copyright notice as follows:

© (your company name) (year). Portions of this code are derived from IBM Corp. Sample Programs. © Copyright IBM Corp. _enter the year or years_. All rights reserved.

If you are viewing this information softcopy, the photographs and color illustrations may not appear.


Some code distributed with the product is from third parties, which have alternative licensing terms. These terms are reproduced below.

XML Parser Toolkit License

Copyright © 1998, 1999, 2000 Thai Open Source Software Center Ltd

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.

IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Pluggable Authentication Module License

Copyright © 1995 by Red Hat Software, Marc Ewing
Copyright (c) 1996-8, Andrew G. Morgan <[email protected]>

All rights reserved

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, and the entire permission notice in its entirety, including the disclaimer of warranties.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Apache Axis Servlet

Copyright © 2002 The Apache Software Foundation. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. The end-user documentation included with the redistribution, if any, must include the following acknowledgment: "This product includes software developed by the Apache Software Foundation (http://www.apache.org/)." Alternately, this acknowledgment may appear in the software itself, if and wherever such third-party acknowledgments normally appear.

4. The names "Apache Forrest" and "Apache Software Foundation" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact [email protected].

5. Products derived from this software may not be called "Apache", nor may "Apache" appear in their name, without prior written permission of the Apache Software Foundation.

THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This software consists of voluntary contributions made by many individuals on behalf of the Apache Software Foundation. For more information on the Apache Software Foundation, please see http://www.apache.org/.

JArgs command line option parsing suite for Java

Copyright © 2001, Stephen Purcell. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Java DOM implementation

Copyright © 2000-2002 Brett McLaughlin & Jason Hunter. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions, and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the disclaimer that follows these conditions in the documentation and/or other materials provided with the distribution.

3. The name "JDOM" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact [email protected].

4. Products derived from this software may not be called "JDOM", nor may "JDOM" appear in their name, without prior written permission from the JDOM Project Management ([email protected]).

5. In addition, we request (but do not require) that you include in the end-user documentation provided with the redistribution and/or in the software itself an acknowledgement equivalent to the following: "This product includes software developed by the JDOM Project (http://www.jdom.org/)."

6. In addition, we request (but do not require) that you include in the end-user documentation provided with the redistribution and/or in the software itself an acknowledgement equivalent to the following: "This product includes software developed by the JDOM Project (http://www.jdom.org/)." Alternatively, the acknowledgment may be graphical using the logos available at http://www.jdom.org/images/logos.

THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE JDOM AUTHORS OR THE PROJECT CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This software consists of voluntary contributions made by many individuals on behalf of the JDOM Project and was originally created by Brett McLaughlin ([email protected]) and Jason Hunter ([email protected]). For more information on the JDOM Project, please see http://www.jdom.org/.

Trademarks

The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both:

AIX
DB2
IBM
IBM logo
MVS
OS/390
SecureWay
Tivoli
Tivoli logo
Universal Database
WebSphere
zSeries
z/OS

Lotus, Lotus Notes, and Notes are trademarks of Lotus Development Corporation and/or IBM Corporation.

Domino is a trademark of International Business Machines Corporation and Lotus Development Corporation in the United States, other countries, or both.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Other company, product, or service names may be trademarks or service marks of others.


Glossary

A

access control. In computer security, the process of ensuring that the resources of a computer system can be accessed only by authorized users in authorized ways.

access control groups. Groups to be used for access control. Each group contains a multivalued attribute consisting of member distinguished names. Access control groups have an object class of AccessGroup.

access control list. In computer security, a list that is associated with an object that identifies all the subjects that can access the object and their access rights. For example, an access control list is a list that is associated with a file that identifies the users who can access the file and identifies the users' access rights to that file.

access permission. The access privilege that applies to the entire object, or permissions that apply to attribute access classes.

action. An access control list (ACL) permission attribute.

ACL. See access control list.

administration service. An authorization API runtime plug-in that can be used to perform administration requests on an Access Manager resource manager application. The admin service will respond to remote requests from the pdadmin command to perform tasks such as listing the objects under a particular node in the protected object tree. Customers may develop these services using the Authorization ADK.

attribute list. In Tivoli Access Manager, a linked list that contains extended information that is used to make authorization decisions. Attribute lists consist of a set of keyword = value pairs.

authentication. (1) In computer security, verification of the identity of a user or the user's eligibility to access an object. (2) In computer security, verification that a message has not been altered or corrupted. (3) In computer security, a process that is used to verify the user of an information system or of protected resources. See also multi-factor authentication, network-based authentication, and step-up authentication.

authorization. (1) In computer security, the right granted to a user to communicate with or make use of a computer system. (2) The process of granting a user either complete or restricted access to an object, resource, or function.

authorization service plug-in. A dynamically loadable library (DLL or shared library) that can be loaded by the Access Manager authorization API runtime client at initialization time in order to perform operations that extend a service interface within the Authorization API. The service interfaces that are currently available include Administration, External Authorization, Credentials modification, Entitlements and PAC manipulation interfaces. Customers may develop these services using the Authorization ADK.

B

BA. See basic authentication.

basic authentication. A method of authentication that requires the user to enter a valid user name and password before access to a secure online resource is granted.

bind. To relate an identifier to another object in a program; for example, to relate an identifier to a value, an address or another identifier, or to associate formal parameters and actual parameters.

blade. A component that provides application-specific services and components.

business entitlement. The supplemental attributes of a user credential that describe the fine-grained conditions that can be used in the authorization requests for resources.

C

CA. See certificate authority.

CDAS. See Cross Domain Authentication Service.

CDMF. See Cross Domain Mapping Framework.

certificate. In computer security, a digital document that binds a public key to the identity of the certificate owner, thereby enabling the certificate owner to be authenticated. A certificate is issued by a certificate authority.

certificate authority (CA). In e-commerce, an organization that issues certificates. The certificate authority authenticates the certificate owner's identity and the services that the owner is authorized to use, issues new certificates, renews existing certificates, and revokes certificates belonging to users who are no longer authorized to use them.

CGI. See common gateway interface.


cipher. Encrypted data that is unreadable until it has been converted into plain data (decrypted) with a key.

common gateway interface (CGI). A computer program that runs on a Web server and uses the Common Gateway Interface (CGI) to perform tasks that are not usually done by a Web server (for example, database access and form processing). A CGI script is a CGI program that is written in a scripting language such as Perl.

configuration. (1) The manner in which the hardware and software of an information processing system are organized and interconnected. (2) The devices and programs that make up a system, subsystem, or network.

connection. (1) In data communication, an association established between functional units for conveying information. (2) In TCP/IP, the path between two protocol applications that provides reliable data stream delivery service. In the Internet, a connection extends from a TCP application on one system to a TCP application on another system. (3) In system communications, a line over which data can be passed between two systems or between a system and a device.

container object. A structural designation that organizes the object space into distinct functional regions.

cookie. Information that a server stores on a client machine and accesses during subsequent sessions. Cookies allow servers to remember specific information about clients.

credentials. Detailed information, acquired during authentication, that describes the user, any group associations, and other security-related identity attributes. Credentials can be used to perform a multitude of services, such as authorization, auditing, and delegation.

credentials modification service. An authorization API runtime plug-in which can be used to modify an Access Manager credential. Credentials modification services developed externally by customers are limited to performing operations to add and remove from the credentials attribute list and only to those attributes that are considered modifiable.

cross domain authentication service (CDAS). A WebSEAL service that provides a shared library mechanism that allows you to substitute the default WebSEAL authentication mechanisms with a custom process that returns a Tivoli Access Manager identity to WebSEAL. See also WebSEAL.

cross domain mapping framework (CDMF). A programming interface that allows a developer to customize the mapping of user identities and the handling of user attributes when the WebSEAL e-Community SSO function is used.

D

daemon. A program that runs unattended to perform a standard service. Some daemons are triggered automatically to perform their task; others operate periodically.

directory schema. The valid attribute types and object classes that can appear in a directory. The attribute types and object classes define the syntax of the attribute values, which attributes must be present, and which attributes may be present for the directory.

distinguished name (DN). The name that uniquely identifies an entry in a directory. A distinguished name is made up of attribute:value pairs, separated by commas.

digital signature. In e-commerce, data that is appended to, or is a cryptographic transformation of, a data unit and that enables the recipient of the data unit to verify the source and integrity of the unit and to recognize potential forgery.

DN. See distinguished name.

domain. (1) That part of a computer network in which the data processing resources are under common control. (2) See domain name.

domain name. In the Internet suite of protocols, a name of a host system. A domain name consists of a sequence of subnames separated by a delimiter character. For example, if the fully qualified domain name of a host system is ralvm7.vnet.ibm.com, each of the following is a domain name:

- ralvm7.vnet.ibm.com
- vnet.ibm.com
- ibm.com

E

EAS. See External Authorization Service.

encryption. In computer security, the process of transforming data into an unintelligible form in such a way that the original data either cannot be obtained or can be obtained only by using a decryption process.

entitlement. A data structure that contains externalized security policy information. Entitlements contain policy data or capabilities that are formatted in a way that is understandable to a specific application.

entitlement service. An authorization API runtime plug-in which can be used to return entitlements from an external source for a principal or set of conditions. Entitlements are normally application-specific data that will be consumed by the resource manager application in some way or added to the principal's credentials for use further on in the authorization process. Customers may develop these services using the Authorization ADK.

external authorization service. An authorization API runtime plug-in that can be used to make application- or environment-specific authorization decisions as part of the Access Manager authorization decision chain. Customers may develop these services using the Authorization ADK.

F

file transfer protocol (FTP). In the Internet suite of protocols, an application layer protocol that uses Transmission Control Protocol (TCP) and Telnet services to transfer bulk-data files between machines or hosts.

G

global signon (GSO). A flexible single sign-on solution that enables the user to provide alternative user names and passwords to the back-end Web application server. Global signon grants users access to the computing resources they are authorized to use through a single login. Designed for large enterprises consisting of multiple systems and applications within heterogeneous, distributed computing environments, GSO eliminates the need for users to manage multiple user names and passwords. See also single signon.

GSO. See global signon.

H

host. A computer that is connected to a network (such as the Internet or an SNA network) and provides an access point to that network. Also, depending on the environment, the host may provide centralized control of the network. The host can be a client, a server, or both a client and a server simultaneously.

HTTP. See Hypertext Transfer Protocol.

hypertext transfer protocol (HTTP). In the Internet suite of protocols, the protocol that is used to transfer and display hypertext documents.

I

Internet protocol (IP). In the Internet suite of protocols, a connectionless protocol that routes data through a network or interconnected networks and acts as an intermediary between the higher protocol layers and the physical network.

Internet suite of protocols. A set of protocols developed for use on the Internet and published as Requests for Comments (RFCs) through the Internet Engineering Task Force (IETF).

interprocess communication (IPC). A method for allowing a program to handle many user requests at the same time via the creation and management of individual program processes running concurrently in an operating system.

IP. See Internet Protocol.

IPC. See Interprocess Communication.

J

junction. An HTTP or HTTPS connection between a front-end WebSEAL server and a back-end Web application server. Junctions logically combine the Web space of the back-end server with the Web space of the WebSEAL server, resulting in a unified view of the entire Web object space. A junction allows WebSEAL to provide protective services on behalf of the back-end server. WebSEAL performs authentication and authorization checks on all requests for resources before passing those requests across a junction to the back-end server. Junctions also allow a variety of single sign-on solutions between a client and the junctioned back-end application.

K

key. In computer security, a sequence of symbols that is used with a cryptographic algorithm for encrypting or decrypting data. See private key and public key.

key database file. See key ring.

key file. See key ring.

key pair. In computer security, a public key and a private key. When the key pair is used for encryption, the sender uses the public key to encrypt the message, and the recipient uses the private key to decrypt the message. When the key pair is used for signing, the signer uses the private key to encrypt a representation of the message, and the recipient uses the public key to decrypt the representation of the message for signature verification.

key ring. In computer security, a file that contains public keys, private keys, trusted roots, and certificates.

L

LDAP. See Lightweight Directory Access Protocol.

lightweight directory access protocol (LDAP). An open protocol that (a) uses TCP/IP to provide access to directories that support an X.500 model and (b) does not incur the resource requirements of the more complex X.500 Directory Access Protocol (DAP). Applications that use LDAP (known as directory-enabled applications) can use the directory as a common data store and for retrieving information about people or services, such as e-mail addresses, public keys, or service-specific configuration parameters. LDAP was originally specified in RFC 1777. LDAP version 3 is specified in RFC 2251, and the IETF continues work on additional standard functions. Some of the IETF-defined standard schemas for LDAP are found in RFC 2256.

lightweight third party authentication (LTPA). An authentication framework that allows single sign-on across a set of Web servers that fall within an Internet domain.

LTPA. See lightweight third party authentication.

M

management server. Obsolete. See policy server.

metadata. Data that describes the characteristics of stored data.

migration. The installation of a new version or release of a program to replace an earlier version or release.

multi-factor authentication. A protected object policy (POP) that forces a user to authenticate using two or more levels of authentication. For example, the access control on a protected resource can require that the users authenticate with both user name/password and user name/token passcode. See also protected object policy.

multiplexing proxy agent (MPA). A gateway that accommodates multiple client access. These gateways are sometimes known as Wireless Access Protocol (WAP) gateways when clients access a secure domain using a WAP. Gateways establish a single authenticated channel to the origin server and "tunnel" all client requests and responses through this channel.

N

network-based authentication. A protected object policy (POP) that controls access to objects based on the internet protocol (IP) address of the user. See also protected object policy.

P

PAC. See privilege attribute certificate.

permission. The ability to access a protected object such as a file or directory. The number and meaning of permissions for an object are defined by the access control list.

policy. A set of rules that are applied to managed resources.

policy data. Includes both password strength policy data and login data.

policy server. The Tivoli Access Manager server that maintains the location information about other servers in the secure domain.

polling. A channel access method (CAM) protocol where a request for data is made. In a master/slave scenario, the master queries each slave device in turn as to whether it has any data to transmit. If the slave answers yes, then the device is permitted to transmit its data. If the slave answers no, then the master moves on and polls the next slave device. The process is repeated continuously. For Tivoli Access Manager, the WebSEAL server can be configured to regularly poll the master authorization (policy) database for update information.

POP. See protected object policy.

portal. An integrated Web site that dynamically produces a customized list of Web resources, such as links, content, or services, available to a specific user, based on the access permissions for the particular user.

privilege attribute certificate. Describes a container of data, defined externally to the Tivoli Access Manager secure domain, that contains a principal's authentication and authorization attributes as well as capabilities.

privilege attribute certificate service. (1) In Tivoli Access Manager, the privilege attribute certificate service is used to encode or decode a Tivoli Access Manager credential to or from a format that is transmissible in a text-only environment. The format is a combination of ASN.1 and MIME encoding. The service is built in to the Tivoli Access Manager authorization API. (2) An authorization API runtime client plug-in which translates a PAC of a predetermined format into an Access Manager credential, and vice versa. These services could also be used to package or marshal an Access Manager credential for transmission to other members of the secure domain. Customers may develop these services using the Authorization ADK.

protected object policy (POP). A type of security policy that dictates additional conditions for accessing a protected resource after a successful ACL policy check. Examples of POPs include time-of-day access and quality of protection level.

protected object space. The virtual object representation of actual system resources that is used for applying ACLs and POPs and used by the authorization service.

private key. In computer security, a key that is known only to its owner. Contrast with public key.

public key. In computer security, a key that is made available to everyone. Contrast with private key.

Q

quality of protection. The level of data security, determined by a combination of authentication, integrity, and privacy conditions.

R

registry. (1) The datastore that maintains the account information for users and groups that are allowed to participate in the secure domain. (2) A database that contains system configuration information regarding the user, the hardware, and the programs and applications that are installed.

replica. A server that contains a copy of the directory or directories of another server. Replicas back up servers in order to enhance performance or response times and to ensure data integrity.

resource object. The representation of an actual network resource, such as a service, file, or program.

response file. A file that contains a set of predefined answers to questions asked by a program and that is used instead of entering those values one at a time.

role activation. The process of applying the access permissions to a role.

role assignment. The process of assigning a role to a user, such that the user has the appropriate access permissions for the object defined for that role.

routing file. An ASCII file that contains commands that control the configuration of messages.

RSA encryption. A system for public-key cryptography used for encryption and authentication. It was invented in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman. The system's security depends on the difficulty of factoring the product of two large prime numbers.

run time. The time period during which a computer program is executing. A runtime environment is an execution environment.

S

scalability. The ability of a network system to respond to increasing numbers of users who access resources.

schema. The set of statements, expressed in a data definition language, that completely describe the structure of a database.

secure domain. The group of users, systems, and resources that share common services and usually function with a common purpose.

secure sockets layer (SSL). A security protocol that provides communication privacy. SSL enables client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, and message forgery. SSL was developed by Netscape Communications Corp. and RSA Data Security, Inc.

security management. The management discipline that addresses an organization's ability to control access to applications and data that are critical to its success.

self-registration. The process by which a user can enter required data and become a registered Tivoli Access Manager user, without the involvement of an administrator.

service. Work performed by a server. A service can be a simple request for data to be sent or stored (as with file servers, HTTP servers, e-mail servers, and finger servers), or it can be more complex work such as that of print servers or process servers.

silent installation. An installation that does not send messages to the console but instead stores messages and errors in log files. Also, a silent installation can use response files for data input. See also response file.

single signon (SSO). The ability of a user to log on once and access multiple applications without having to log on to each application separately. See also global signon.

SSL. See Secure Sockets Layer.

SSO. See Single Signon.

step-up authentication. A protected object policy (POP) that relies on a preconfigured hierarchy of authentication levels and enforces a specific level of authentication according to the policy set on a resource. The step-up authentication POP does not force the user to authenticate using multiple levels of authentication to access any given resource, but requires the user to authenticate at a level at least as high as that required by the policy protecting a resource.

suffixes. A distinguished name that identifies the top entry in a locally held directory hierarchy. Because of the relative naming scheme used in Lightweight Directory Access Protocol (LDAP), this suffix applies to every other entry within that directory hierarchy. A directory server can have multiple suffixes, each identifying a locally held directory hierarchy.

T

Tivoli Access Manager for Business Integration. A Tivoli Access Manager blade, which provides comprehensive security services for IBM MQSeries. It extends the MQSeries environment to support end-to-end security across queues.

Tivoli Access Manager for Operating Systems. A Tivoli Access Manager blade, which provides the security engine for the Tivoli Identity Director product. The security engine intercepts operating system calls requiring authorization checks, such as for file access.

token. (1) In a local area network, the symbol of authority passed successively from one data station to another to indicate the station temporarily in control of the transmission medium. Each data station has an opportunity to acquire and use the token to control the medium. A token is a particular message or bit pattern that signifies permission to transmit. (2) In local area networks (LANs), a sequence of bits passed from one device to another along the transmission medium. When the token has data appended to it, it becomes a frame.

trusted root. In the Secure Sockets Layer (SSL), the public key and associated distinguished name of a certificate authority (CA).

U

uniform resource identifier (URI). The method used to identify the locations of content on the Internet. The URL (uniform resource locator) is a particular form of a URI that identifies a Web page address. A URI typically describes (a) the mechanism used to access the resource (for example, HTTP, HTTPS, FTP), (b) the specific computer where the resource is stored (for example, www.webserver.org), and (c) the specific name of the resource on the computer (for example, .../products/images/serv.jpg).

uniform resource locator (URL). A sequence of characters that represent information resources on a computer or in a network such as the Internet. This sequence of characters includes (a) the abbreviated name of the protocol used to access the information resource and (b) the information used by the protocol to locate the information resource. For example, in the context of the Internet, these are abbreviated names of some protocols used to access various information resources: http, ftp, gopher, telnet, and news; and this is the URL for the IBM home page: http://www.ibm.com.

URI. See uniform resource identifier.

URL. See uniform resource locator.

user. Any person, organization, process, device, program, protocol, or system that uses a service provided by others.

user registry. See registry.

V

virtual hosting. The capability of a Web server that allows it to appear as more than one host to the Internet.

W

Web Portal Manager (WPM). A Web-based graphical application used to manage Tivoli Access Manager Base and WebSEAL security policy in a secure domain. An alternative to the pdadmin command line interface, this GUI enables remote administrator access and enables administrators to create delegated user domains and assign delegate administrators to these domains.

WebSEAL. A Tivoli Access Manager blade. WebSEAL is a high performance, multi-threaded Web server that applies a security policy to a protected object space. WebSEAL can provide single sign-on solutions and incorporate back-end Web application server resources into its security policy.

WPM. See Web Portal Manager.

Index

Special characters
    .kdb 159

A
    access control lists (ACLs)
        attaching during LDAP server configuration 17
    activity log 48, 74, 87
    AIX
        installing
            GSKit 43
            IBM Directory client 43
            Tivoli Access Manager components 44
        uninstalling components from 49
    authentication
        server 157, 161
        server and client 157, 161, 172
    authority, certificate 159, 173
    authorization ADK
        uninstalling 55, 75, 87
    authorization server
        uninstalling 55, 75, 87

C
    CDs
        for Web Portal Manager 5
    certificate
        authority 159, 173
        personal 158, 159, 173
        self-signed 159, 174
        server 163, 164
    code sets
        file directories 16
        language support 16
    commands
        dmt 22
    components
        See IBM Global Security Toolkit 4
        See Web Portal Manager 5
    configuration options 179, 181
    configuring
        IBM Directory server 18
        IBM WebSphere Application Server 47
    considerations
        silent installation 149
    creating a self-signed certificate 159, 174

D
    DCE registry, migrating from 38, 39, 176, 177
    directory entries 17
    Directory Information Tree (DIT) 17
    Directory Management Tool (DMT) 22
    distinguished name/suffix, GSO 17

E
    easy installation
        configuration options 179, 181
    entries, directory 17
    extracting a self-signed certificate 159, 174

F
    files
        gsk5ikm.exe 158, 170, 173, 174
        httpd.conf 19
        key database 170, 172
        key database (.kdb) 158
        key database file (.kdb) 159
        response 149
        schema 17

G
    global signon (GSO)
        description 17
        distinguished name/suffix 17, 21
    graphical user interfaces (GUIs)
        Server Administration 20
        Web Administration 161
    gsk5ikm file 158, 170, 173, 174
    GSO
        See global signon 17

H
    HP-UX
        installing
            GSKit 53
            IBM Directory client 53
            Tivoli Access Manager components 54
        uninstalling from 56
    httpd.conf file 19

I
    IBM Developer Toolkit 74
    IBM Directory
        client
            enabling SSL 169
            uninstalling 55, 75, 87
        server
            configuring 18
            enabling SSL 157
    IBM Global Security Toolkit
        description 4
        uninstalling 55, 75, 87
    IBM JDK 1.2.2 74
    iKeyman key management utility
        creating a key database file 170
        description 4
        enabling SSL 158
    installation
        response files 149
    installing
        IBM WebSphere Application Server 47
    internationalization
        code sets 16
        languages supported 10
        locale variables 14
        locale variants 15
        message catalogs 15
    iPlanet Directory Server
        enabling SSL 162, 164
        product documentation 24

K
    key database file 158, 170, 172
    key file 162
    key ring 162

L
    LANG variable
        purpose 14
        UNIX 14
        Windows 15
    language settings, modifying 14
    language support
        code sets 16
        locale names
            UNIX 14
            Windows 15
        locale variables 14
        locale variants, implementing 15
        message catalogs 15
        overview 10
    LDAP registry, migrating from 38, 39, 176, 177
    LDAP servers
        configuring 17
        enabling SSL 160
    locale names
        UNIX 14
        Windows 15
    locale variants 15
    log
        activity 48, 74, 87

M
    management server
        uninstalling 55, 75, 87
    message catalog
        internationalization 15
        language directories 15
    metadata 17
    migration
        policy server 38, 39, 176, 177

N
    naming context 17
    native installation
        configuration 179, 181
    NLSPATH variable
        use of 15

O
    options
        configuration 179, 181
    overview
        IBM Global Security Toolkit 4
        LDAP server configuration 17

P
    personal certificate 158, 159, 173
    policy server
        migration 38, 39, 176, 177
    ports
        default 185
        WebSEAL 19

R
    Regional setting, for Windows 14
    registry
        See DCE registry 38, 39, 176, 177
        See LDAP registry 38, 39, 176, 177
    related publications xii
    removing
        See uninstalling 55, 75, 87
    response files
        description 149
        syntax 150
    root 17
    runtime
        configuration 179, 180, 182, 184, 185
    runtime environment
        uninstalling 55, 75, 87

S
    schema files 17
    secAuthority=Default 17, 20, 26
    Secure Sockets Layer
        IBM Global Security Toolkit 4
    Secure Sockets Layer (SSL)
        enabling 157
        enabling access on the LDAP server 160
        enabling for iPlanet Directory Server 162
        enabling on IBM Directory client 169
        enabling on iPlanet Directory Server 164
        testing 171, 176
    self-signed certificate 159, 174
    Server Administration interface 20
    server and client authentication 157, 161, 172
    server authentication 157, 161
    server certificate 163, 164
    signer certificate 171, 175
    silent installation
        considerations 149
        response files 149
    Solaris
        installing
            GSKit 69
            IBM Directory client 69
            Tivoli Access Manager components 70
        uninstalling from 76
    SSL
        See Secure Sockets Layer 4
    stanzas 150
    suffix 17
    suffixes 20
    syntax
        response file 150

T
    text encoding
        See code sets 16

U
    unconfiguring
        UNIX 56, 75
    Unicode 16
    uninstalling components
        from AIX 49
        from HP-UX 56
        from Solaris 76
        from Windows 88
        Tivoli Access Manager 55, 75, 87
    UNIX
        language support 14
    UNIX, unconfiguring components 56, 75
    upgrading
        IBM JDK 1.2.2 74
    UTF-8 encoding 16

V
    variables
        LANG
            UNIX 14
            Windows 15
        locale variables 14
        NLSPATH
            use of 15
    variants, language locales 15

W
    Web Administration interface 161
    Web Portal Manager 5
    Windows
        installing
            GSKit 79
            IBM Directory client 79
            Tivoli Access Manager 81
        language support 15
        uninstalling components from 88


 Printed in USA