IBM Tivoli Access Manager
Upgrade Guide
Version 5.1
White Paper

Note
Before using this information and the product it supports, read the information in Appendix B, “Notices,” on page 167.

First Edition (December 2003)

This edition applies to version 5, release 1, modification 0 of IBM Tivoli Access Manager (product number 5724-C08) and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright International Business Machines Corporation 2003. All rights reserved.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Preface
  Publications
    Release information
    Base information
    Web security information
    Developer references
    Technical supplements
  Related publications
    IBM Global Security Kit
    IBM Tivoli Directory Server
    IBM DB2 Universal Database
    IBM WebSphere Application Server
    IBM Tivoli Access Manager for Business Integration
    IBM Tivoli Access Manager for WebSphere Business Integration Brokers
    IBM Tivoli Access Manager for Operating Systems
    IBM Tivoli Identity Manager
  Accessing publications online
  Accessibility
  Contacting software support
  Conventions used in this book
    Typeface conventions
    Operating system differences
Chapter 1. Introduction
  Scenario 1: Large user base
  Scenario 2: Small user base
  Scenario 3: Using a registry other than IBM Directory Server
  Supported platforms, including required patches
Chapter 2. Upgrading the policy server
  AIX: Upgrading the policy server
    AIX: Upgrade considerations
    AIX: Upgrading the policy server using a single system
    AIX: Upgrading the policy server using two systems
    AIX: Retiring the original policy server
  HP-UX: Upgrading the policy server
    HP-UX: Upgrade considerations
    HP-UX: Upgrading the policy server using a single system
    HP-UX: Upgrading the policy server using two systems
    HP-UX: Retiring the original policy server
  Linux on zSeries: Upgrading the policy server
    Linux on zSeries: Upgrade considerations
    Linux on zSeries: Upgrading the policy server using a single system
    Linux on zSeries: Upgrading the policy server using two systems
    Linux on zSeries: Retiring the original policy server
  Solaris: Upgrading the policy server
    Solaris: Upgrade considerations
    Solaris: Upgrading the policy server using a single system
    Solaris: Upgrading the policy server using two systems
    Solaris: Retiring the original policy server
  Windows: Upgrading the policy server
    Windows: Upgrade considerations
    Windows: Upgrading the policy server using a single system
    Windows: Upgrading the policy server using two systems
    Windows: Retiring the original policy server
Chapter 3. Upgrading an authorization server
  AIX: Upgrading an authorization server
  HP-UX: Upgrading an authorization server
  Linux on zSeries: Upgrading an authorization server
  Solaris: Upgrading an authorization server
  Windows: Upgrading an authorization server
Chapter 4. Upgrading a WebSEAL server
  AIX: Upgrading a WebSEAL server
    AIX: Upgrade considerations
    AIX: Upgrading WebSEAL
  HP-UX: Upgrading a WebSEAL server
    HP-UX: Upgrade considerations
    HP-UX: Upgrading WebSEAL
  Linux on xSeries: Upgrading a WebSEAL server
    Linux on xSeries: Upgrade considerations
    Linux on xSeries: Upgrading WebSEAL
  Linux on zSeries: Upgrading a WebSEAL server
    Linux on zSeries: Upgrade considerations
    Linux on zSeries: Upgrading WebSEAL
  Solaris: Upgrading a WebSEAL server
    Solaris: Upgrade considerations
    Solaris: Upgrading WebSEAL
  Windows: Upgrading a WebSEAL server
    Windows: Upgrade considerations
    Windows: Upgrading WebSEAL
Chapter 5. Upgrading a runtime system
  AIX: Upgrading a runtime system
  HP-UX: Upgrading a runtime system
  Linux on zSeries: Upgrading a runtime system
  Solaris: Upgrading a runtime system
  Windows: Upgrading a runtime system
Chapter 6. Upgrading a Java runtime environment system
  AIX: Upgrading a Java runtime environment system
  HP-UX: Upgrading a Java runtime environment system
  Linux on zSeries: Upgrading a Java runtime environment system
  Solaris: Upgrading a Java runtime environment system
  Windows: Upgrading a Java runtime environment system
Chapter 7. Upgrading a development (ADK) system
  AIX: Upgrading a development (ADK) system
  HP-UX: Upgrading a development (ADK) system
  Linux on zSeries: Upgrading a development (ADK) system
  Solaris: Upgrading a development (ADK) system
  Windows: Upgrading a development (ADK) system
Chapter 8. Upgrading a plug-in for Web Servers
Chapter 9. Upgrading a Web Portal Manager system
Chapter 10. Upgrading IBM Directory Server
  AIX: Upgrading IBM Directory Server
    AIX: Upgrade considerations
    AIX: Upgrading from IBM SecureWay Directory, Version 3.2.1 or 3.2.2
    AIX: Upgrading from IBM Tivoli Directory Server, Version 4.1 or 5.1
      Upgrading from IBM Directory Server 4.1
      Upgrading from IBM Directory Server 5.1 with DB2 8.1, 32-bit
      Upgrading from IBM Directory Server 5.1 with DB2 7.2
  HP-UX: Upgrading IBM Directory Server
    HP-UX: Upgrade considerations
    HP-UX: Upgrading from IBM Directory Server, Version 4.1 or 5.1
  Linux: Upgrading IBM Directory Server
    Linux: Upgrade considerations
    Linux: Upgrading from SecureWay Directory Version 3.2.1 or 3.2.2
    Linux: Upgrading from IBM Tivoli Directory Server, Version 4.1 or 5.1
  Solaris: Upgrading IBM Directory Server
    Solaris: Upgrade considerations
    Solaris: Upgrading from SecureWay Directory, Version 3.2.1 or 3.2.2
    Solaris: Upgrading from IBM Tivoli Directory Server, Version 4.1 or 5.1
  Windows: Upgrading IBM Directory Server
    Windows: Upgrade considerations
    Windows: Upgrading from IBM SecureWay Directory, Version 3.2.1 or 3.2.2
    Windows: Upgrading from IBM Tivoli Directory Server, Version 4.1 or 5.1
  Upgrading Tivoli Access Manager when using IBM Directory Server
    Windows: Upgrading Tivoli Access Manager when using IBM Directory Server
    UNIX: Upgrading Tivoli Access Manager when using IBM Directory Server
  Migrating a network of replication servers
Chapter 11. Restoring a system to its prior level
  Restoring the policy server
    AIX: Restoring the policy server
    HP-UX: Restoring the policy server
    Linux: Restoring the policy server
    Linux for zSeries: Restoring the policy server
    Solaris: Restoring the policy server
    Windows: Restoring the policy server
  Restoring a WebSEAL server
    AIX: Restoring a WebSEAL server
    HP-UX: Restoring a WebSEAL server
    Linux: Restoring a WebSEAL server
    Linux on zSeries: Restoring a WebSEAL server
    Solaris: Restoring a WebSEAL server
    Windows: Restoring a WebSEAL server
Appendix A. Upgrade utilities
  ivrgy_tool
  pdbackup
  pdconfig
  pdjrtecfg
Appendix B. Notices
  Trademarks
Glossary
Index

Preface

IBM® Tivoli® Access Manager (Tivoli Access Manager) is the base software that is required to run applications in the Access Manager product suite. It enables the integration of Access Manager applications that provide a wide range of authorization and management solutions. Sold as an integrated solution, these products provide an access control management solution that centralizes network and application security policy for e-business applications.

Note: IBM Tivoli Access Manager is the new name of the previously released software entitled Tivoli SecureWay® Policy Director. Also, for users familiar with the Tivoli SecureWay Policy Director software and documentation, the term management server is now referred to as policy server.

This white paper explains how to upgrade Tivoli Access Manager Base and Web Security software from a Version 3.8, 3.9, or 4.1 level to Version 5.1.

Publications

Review the descriptions of the Tivoli Access Manager library, the prerequisite publications, and the related publications to determine which publications you might find helpful. After you determine the publications you need, refer to the instructions for accessing publications online.

Additional information about the IBM Tivoli Access Manager for e-business product itself can be found at:
http://www.ibm.com/software/tivoli/products/access-mgr-e-bus/

The Tivoli Access Manager library is organized into the following categories:
• “Release information”
• “Base information”
• “Web security information” on page viii
• “Developer references” on page viii
• “Technical supplements” on page ix

Release information

• IBM Tivoli Access Manager for e-business Read This First (GI11-4155-00)
  Provides information for installing and getting started using Tivoli Access Manager.
• IBM Tivoli Access Manager for e-business Release Notes (GI11-4156-00)
  Provides late-breaking information, such as software limitations, workarounds, and documentation updates.

Base information

• IBM Tivoli Access Manager Base Installation Guide (SC32-1362-00)
  Provides installation, configuration, and removal instructions for the Tivoli Access Manager Base software. This book is a subset of IBM Tivoli Access Manager for e-business Web Security Installation Guide and is intended for use with other Tivoli Access Manager products, such as IBM Tivoli Access Manager for Business Integration and IBM Tivoli Access Manager for Operating Systems.
• IBM Tivoli Access Manager Base Administration Guide (SC32-1360-00)
  Describes the concepts and procedures for using Tivoli Access Manager services. Provides instructions for performing tasks from the Web Portal Manager interface and by using the pdadmin command.

Web security information

• IBM Tivoli Access Manager for e-business Web Security Installation Guide (SC32-1361-00)
  Provides installation, configuration, and removal instructions for the Tivoli Access Manager Base and Web Security software. This book is a superset of IBM Tivoli Access Manager Base Installation Guide.
• IBM Tivoli Access Manager for e-business WebSEAL Administration Guide (SC32-1359-00)
  Provides background material, administrative procedures, and technical reference information for using WebSEAL to manage the resources of your secure Web domain.
• IBM Tivoli Access Manager for e-business IBM WebSphere Application Server Integration Guide (SC32-1368-00)
  Provides installation, removal, and administration instructions for integrating Tivoli Access Manager with IBM WebSphere® Application Server.
• IBM Tivoli Access Manager for e-business IBM WebSphere Edge Server Integration Guide (SC32-1367-00)
  Provides installation, removal, and administration instructions for integrating Tivoli Access Manager with the IBM WebSphere Edge Server application.
• IBM Tivoli Access Manager for e-business Plug-in for Web Servers Integration Guide (SC32-1365-00)
  Provides installation instructions, administration procedures, and technical reference information for securing your Web domain using the plug-in for Web servers.
• IBM Tivoli Access Manager for e-business BEA WebLogic Server Integration Guide (SC32-1366-00)
  Provides installation, removal, and administration instructions for integrating Tivoli Access Manager with BEA WebLogic Server.
• IBM Tivoli Access Manager for e-business IBM Tivoli Identity Manager Provisioning Fast Start Guide (SC32-1364-00)
  Provides an overview of the tasks related to integrating Tivoli Access Manager and Tivoli Identity Manager and explains how to use and install the Provisioning Fast Start collection.

Developer references

• IBM Tivoli Access Manager for e-business Authorization C API Developer Reference (SC32-1355-00)
  Provides reference material that describes how to use the Tivoli Access Manager authorization C API and the Tivoli Access Manager service plug-in interface to add Tivoli Access Manager security to applications.
• IBM Tivoli Access Manager for e-business Authorization Java Classes Developer Reference (SC32-1350-00)
  Provides reference information for using the Java™ language implementation of the authorization API to enable an application to use Tivoli Access Manager security.
• IBM Tivoli Access Manager for e-business Administration C API Developer Reference (SC32-1357-00)
  Provides reference information about using the administration API to enable an application to perform Tivoli Access Manager administration tasks. This document describes the C implementation of the administration API.
• IBM Tivoli Access Manager for e-business Administration Java Classes Developer Reference (SC32-1356-00)
  Provides reference information for using the Java language implementation of the administration API to enable an application to perform Tivoli Access Manager administration tasks.
• IBM Tivoli Access Manager for e-business Web Security Developer Reference (SC32-1358-00)
  Provides administration and programming information for the cross-domain authentication service (CDAS), the cross-domain mapping framework (CDMF), and the password strength module.

Technical supplements

• IBM Tivoli Access Manager for e-business Command Reference (SC32-1354-00)
  Provides information about the command line utilities and scripts provided with Tivoli Access Manager.
• IBM Tivoli Access Manager Error Message Reference (SC32-1353-00)
  Provides explanations and recommended actions for the messages produced by Tivoli Access Manager.
• IBM Tivoli Access Manager for e-business Problem Determination Guide (SC32-1352-00)
  Provides problem determination information for Tivoli Access Manager.
• IBM Tivoli Access Manager for e-business Performance Tuning Guide (SC32-1351-00)
  Provides performance tuning information for an environment consisting of Tivoli Access Manager with the IBM Tivoli Directory server as the user registry.

Related publications

This section lists publications related to the Tivoli Access Manager library.

The Tivoli Software Library provides a variety of Tivoli publications such as white papers, datasheets, demonstrations, redbooks, and announcement letters. The Tivoli Software Library is available on the Web at:
http://www.ibm.com/software/tivoli/library/

The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available, in English only, from the Glossary link on the left side of the Tivoli Software Library Web page
http://www.ibm.com/software/tivoli/library/

IBM Global Security Kit

Tivoli Access Manager provides data encryption through the use of the IBM Global Security Kit (GSKit), Version 7. GSKit is included on the IBM Tivoli Access Manager Base CD, the IBM Tivoli Access Manager Web Administration Interfaces CDs, and the IBM Tivoli Access Manager Directory Server CDs for supported platforms.

The GSKit package provides the iKeyman key management utility, gsk7ikm, which is used to create key databases, public-private key pairs, and certificate requests. The following document is available on the Tivoli Information Center Web site in the same section as the IBM Tivoli Access Manager product documentation:
• IBM Global Security Kit Secure Sockets Layer and iKeyman User’s Guide (SC32-1363-00)
  Provides information for network or system security administrators who plan to enable SSL communication in their Tivoli Access Manager environment.

IBM Tivoli Directory Server

IBM Tivoli Directory Server, Version 5.2, is included on the IBM Tivoli Access Manager Directory Server CD for the desired operating system.

Note: IBM Tivoli Directory Server is the new name for the previously released software known as:
• IBM Directory Server (Version 4.1 and Version 5.1)
• IBM SecureWay Directory Server (Version 3.2.2)

IBM Directory Server Version 4.1, IBM Directory Server Version 5.1, and IBM Tivoli Directory Server Version 5.2 are all supported by IBM Tivoli Access Manager Version 5.1.

Additional information about IBM Tivoli Directory Server can be found at:
http://www.ibm.com/software/network/directory/library/

IBM DB2 Universal Database

IBM DB2® Universal Database™ Enterprise Server Edition, Version 8.1 is provided on the IBM Tivoli Access Manager Directory Server CD and is installed with the IBM Tivoli Directory Server software. DB2 is required when using IBM Tivoli Directory Server as the user registry for Tivoli Access Manager.

Additional information about DB2 can be found at:
http://www.ibm.com/software/data/db2/

IBM WebSphere Application Server

IBM WebSphere Application Server, Version 5.0.2, is included on the IBM Tivoli Access Manager Web Administration Interfaces CD for the desired operating system. WebSphere Application Server enables the support of the Web Portal Manager interface and the IBM Tivoli Directory Server Web Administration Tool.

Additional information about IBM WebSphere Application Server can be found at:
http://www.ibm.com/software/webservers/appserv/infocenter.html

IBM Tivoli Access Manager for Business Integration

IBM Tivoli Access Manager for Business Integration, available as a separately orderable product, provides a security solution for IBM MQSeries®, Version 5.2, and IBM WebSphere MQ for Version 5.3 messages. IBM Tivoli Access Manager for Business Integration allows WebSphere MQSeries applications to send data with privacy and integrity by using keys associated with sending and receiving applications. Like WebSEAL and IBM Tivoli Access Manager for Operating Systems, IBM Tivoli Access Manager for Business Integration is one of the resource managers that use the services of IBM Tivoli Access Manager.

Additional information about IBM Tivoli Access Manager for Business Integration can be found at:
http://www.ibm.com/software/tivoli/products/access-mgr-bus-integration/

The following documents associated with IBM Tivoli Access Manager for Business Integration Version 5.1 are available on the Tivoli Information Center Web site:
• IBM Tivoli Access Manager for Business Integration Administration Guide (SC23-4831-01)
• IBM Tivoli Access Manager for Business Integration Problem Determination Guide (GC23-1328-00)
• IBM Tivoli Access Manager for Business Integration Release Notes (GI11-0957-01)
• IBM Tivoli Access Manager for Business Integration Read This First (GI11-4202-00)

IBM Tivoli Access Manager for WebSphere Business Integration Brokers

IBM Tivoli Access Manager for WebSphere Business Integration Brokers, available as part of IBM Tivoli Access Manager for Business Integration, provides a security solution for WebSphere Business Integration Message Broker, Version 5.0 and WebSphere Business Integration Event Broker, Version 5.0. IBM Tivoli Access Manager for WebSphere Business Integration Brokers operates in conjunction with Tivoli Access Manager to secure JMS publish/subscribe applications by providing password and credentials-based authentication, centrally-defined authorization, and auditing services.

Additional information about IBM Tivoli Access Manager for WebSphere Integration Brokers can be found at:
http://www.ibm.com/software/tivoli/products/access-mgr-bus-integration/

The following documents associated with IBM Tivoli Access Manager for WebSphere Integration Brokers, Version 5.1 are available on the Tivoli Information Center Web site:
• IBM Tivoli Access Manager for WebSphere Business Integration Brokers Administration Guide (SC32-1347-00)
• IBM Tivoli Access Manager for WebSphere Business Integration Brokers Release Notes (GI11-4154-00)
• IBM Tivoli Access Manager for Business Integration Read This First (GI11-4202-00)

IBM Tivoli Access Manager for Operating Systems

IBM Tivoli Access Manager for Operating Systems, available as a separately orderable product, provides a layer of authorization policy enforcement on UNIX systems in addition to that provided by the native operating system. IBM Tivoli Access Manager for Operating Systems, like WebSEAL and IBM Tivoli Access Manager for Business Integration, is one of the resource managers that use the services of IBM Tivoli Access Manager.

Additional information about IBM Tivoli Access Manager for Operating Systems can be found at:
http://www.ibm.com/software/tivoli/products/access-mgr-operating-sys/

The following documents associated with IBM Tivoli Access Manager for Operating Systems Version 5.1 are available on the Tivoli Information Center Web site:
• IBM Tivoli Access Manager for Operating Systems Installation Guide (SC23-4829-00)
• IBM Tivoli Access Manager for Operating Systems Administration Guide (SC23-4827-00)
• IBM Tivoli Access Manager for Operating Systems Problem Determination Guide (SC23-4828-00)
• IBM Tivoli Access Manager for Operating Systems Release Notes (GI11-0951-00)
• IBM Tivoli Access Manager for Operating Systems Read Me First (GI11-0949-00)

IBM Tivoli Identity Manager

IBM Tivoli Identity Manager Version 4.5, available as a separately orderable product, enables you to centrally manage users (such as user IDs and passwords) and provisioning (that is, providing or revoking access to applications, resources, or operating systems). Tivoli Identity Manager can be integrated with Tivoli Access Manager through the use of the Tivoli Access Manager Agent. Contact your IBM account representative for more information about purchasing the Agent.

Additional information about IBM Tivoli Identity Manager can be found at:
http://www.ibm.com/software/tivoli/products/identity-mgr/

Accessing publications online

The publications for this product are available online in Portable Document Format (PDF) or Hypertext Markup Language (HTML) format, or both in the Tivoli software library:
http://www.ibm.com/software/tivoli/library

To locate product publications in the library, click the Product manuals link on the left side of the library page. Then, locate and click the name of the product on the Tivoli software information center page.

Product publications include release notes, installation guides, user’s guides, administrator’s guides, and developer’s references.

Note: To ensure proper printing of publications, select the Fit to page check box in the Adobe Acrobat window (which is available when you click File → Print).

Accessibility

Accessibility features help a user who has a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You also can use the keyboard instead of the mouse to operate all features of the graphical user interface.

Contacting software support

Before contacting IBM Tivoli Software Support with a problem, refer to the IBM Tivoli Software Support site by clicking the Tivoli support link at the following Web site:
http://www.ibm.com/software/support/

If you need additional help, contact software support by using the methods described in the IBM Software Support Guide at the following Web site:
http://techsupport.services.ibm.com/guides/handbook.html

The guide provides the following information:
• Registration and eligibility requirements for receiving support
• Telephone numbers, depending on the country in which you are located
• A list of information you should gather before contacting customer support

Conventions used in this book

This reference uses several conventions for special terms and actions and for operating system-dependent commands and paths.

Typeface conventions

The following typeface conventions are used in this reference:

Bold
  Lowercase commands or mixed case commands that are difficult to distinguish from surrounding text, keywords, parameters, options, names of Java classes, and objects are in bold.
Italic
  Variables, titles of publications, and special words or phrases that are emphasized are in italic.
Monospace
  Code examples, command lines, screen output, file and directory names that are difficult to distinguish from surrounding text, system messages, text that the user must type, and values for arguments or command options are in monospace.

Operating system differences

This book uses the UNIX convention for specifying environment variables and for directory notation. When using the Windows command line, replace $variable with %variable% for environment variables and replace each forward slash (/) with a backslash (\) in directory paths. If you are using the bash shell on a Windows system, you can use the UNIX conventions.


Chapter 1. Introduction

The process of upgrading Tivoli Access Manager to Version 5.1 requires you to consider the interdependencies between the various Tivoli Access Manager components and the other software components on which the system depends. For example, a user logging in to WebSEAL might interact with the WebSEAL component directly, but for the authentication to complete, WebSEAL must be able to communicate with the authentication server (for example, LDAP). Being mindful of this interdependency helps maintain service continuity during the upgrade.

This guide takes a system-level approach to the upgrade process by considering the interaction of the various components present in a production environment. While there are many different ways to deploy Tivoli Access Manager components, this guide presents specific scenarios that account for a large proportion of Tivoli Access Manager deployments. No additional hardware is required; however, in some cases, additional machines can reduce the risks involved in the upgrade.

Carefully review the scenarios and determine the one that best matches your deployment. If your environment does not exactly match a scenario, you may mix and match between them, using the procedures that correspond to your configuration. In any case, you should create your own internal upgrade guide based on the procedures in this white paper and enhance it with the details of your own environment. Your custom upgrade guide should include enough detail to complete the upgrade and should be thoroughly tested in a lab environment before it is applied in a live production environment. The following list provides suggestions for the type of information to include in your custom upgrade guide:

• Hostnames/IP addresses of servers
• Components installed on the servers
• Networking devices, such as firewalls and load balancers
• How to add/remove WebSEAL servers to/from the load balancers
• How to access the machines
• Exact commands to execute for each step of each procedure

Scenario 1: Large user base

The key issue to consider in this scenario involves the ldap_host1 system—a single system that functions as both the policy server and the primary LDAP server (IBM Directory Server). Because these servers share the same LDAP client (IBM Directory), and because only one version of IBM Directory client can be installed on a single system, you cannot upgrade one server without upgrading the other. Rather than impact the active policy server, the following ‘two server’ upgrade procedure installs a second V5.1 policy server on ldap_host2 (LDAP server peer). If you do not want to use an IBM Directory Server peer for this purpose, you can simply introduce an additional server to act as the new policy server.

Conditions:

• Service must remain available during migration.
• Tivoli Access Manager user accounts number in the millions.
• You must be able to fall back to a previous version in the event of failure with minimal downtime (this precludes restoring from tape backup).
• If absolutely necessary, you will provide additional hardware to support the upgrade process.

IBM Directory Server Primary Peer: Indicates the server against which the policy server is configured. This system also provides authentication services for the WebSEAL servers.

Other IBM Directory Server Peers: Indicates the backup servers for the policy server. Also provides authentication services for the WebSEAL servers.

1. Upgrade IBM Directory Server on ldap_host2. To do so, follow these steps:
   a. Review “Migrating a network of replication servers” on page 135.
   b. Upgrade IBM Directory Server. For instructions, see Chapter 10, “Upgrading IBM Directory Server,” on page 109.
   c. Test that IBM Directory Server is up and running using the following command:

          ldapsearch -h ldap_host2 -s base -p port objectclass=*

      If the last line from the output of the ldapsearch command (ibm-slapdisconfigurationmode) is set to TRUE, this indicates that there was a problem during the migration and the server started in configuration mode. Examine the ibmslapd.log for errors. If no specific error is given, try restarting IBM Directory Server.
   d. Verify that replication still works by creating a new Tivoli Access Manager user on the primary peer (ldap_host1) and verifying that it is replicated to this server.
2. Upgrade the policy server using the two system approach with ldap_host2 as the new system and ldap_host1 as the original system. After the upgrade is complete, ldap_host2 will host IBM Tivoli Directory Server, Version 5.2, and Tivoli Access Manager Policy Server, Version 5.1. The other servers still have the older versions of the software.

   Note: Maintain the original policy server until the other Tivoli Access Manager components have been upgraded. This allows for the option of restoring the original version should the need arise. At this time, it is important to note that any policy modification resulting in an update to one policy server must also be made on the other one. This means that new ACLs and other policy-related configurations should be performed on both the new and the old system while the two systems are running in parallel.
3. Upgrade the WebSEAL servers (webseal_host1, webseal_host2, webseal_host3). The WebSEAL servers are still configured to use the policy server residing on ldap_host1. However, because there is backward compatibility between the 5.1 policy server and previous versions of WebSEAL, you can configure the two WebSEAL servers to use the new policy server. This offers a risk-free way of moving over to the new policy server. If, for some reason, a WebSEAL server does not function properly with the new policy server, simply point it back to the old one. Changing which policy server WebSEAL uses involves changing the master-host entry in the WebSEAL configuration file (described in detail in the WebSEAL upgrade procedure).

   Another item to consider concerns user activity on the system during your upgrade. If you plan to upgrade a WebSEAL server while users are trying to access the system, you must isolate each WebSEAL server before you upgrade it. To do so, change the port on which the WebSEAL server listens or configure your load balancer so that it does not route traffic to the WebSEAL server.

   The following steps should be applied to each WebSEAL server in succession.
   a. If required, isolate the WebSEAL server from customer use by changing the listening port or by reconfiguring your load balancer.
   b. Upgrade WebSEAL. For instructions, see Chapter 4, “Upgrading a WebSEAL server,” on page 53.
   c. If you have other instances of WebSEAL on this host, start them in the same manner as you did the default instance:

          cd /opt/pdweb/bin
          ./webseald -config etc/webseald-instance.conf -foreground

   d. If you took measures to isolate the WebSEAL server from customer use, reverse those measures now and then restart WebSEAL.
4. After the WebSEAL servers have been upgraded, you have at least one instance of each Tivoli Access Manager component running the new version of the software. You may keep this configuration up and running until you feel that the new version is stable enough to rely on completely. When you are ready to make the switch, retire the original policy server (ldap_host1). For instructions, see information about retiring the original policy server in Chapter 2 on page 13.
5. Upgrade IBM LDAP on ldap_host1 and ldap_host3. To do so, repeat step 1 on page 2.
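
The checks implied by steps 1c, 3 and 4 of the Scenario 1 procedure, as an added shell example that is not part of the IBM guide or product. The function names and the sample output are constructed for illustration, and the example assumes the WebSEAL configuration file stores the entry as a `master-host = value` line.

```shell
#!/bin/sh
# Added example: checks for the Scenario 1 procedure. Sample data is constructed.

# Step 1c. Classify ldapsearch output read on stdin, for example from
#   ldapsearch -h ldap_host2 -s base -p port objectclass=* | slapd_mode_status
# Accepts "attr=value" and LDIF "attr: value" output styles.
# Returns 0 = normal mode, 1 = configuration mode, 2 = attribute not present.
slapd_mode_status() {
    awk -F'[=:]' '
        tolower($1) ~ /^[ \t]*ibm-slapdisconfigurationmode[ \t]*$/ {
            seen = 1
            v = toupper($2); gsub(/[ \t\r]/, "", v)
            if (v == "TRUE") bad = 1
        }
        END { if (!seen) exit 2; exit (bad ? 1 : 0) }'
}

# Step 3. Print the master-host value from a WebSEAL configuration file read
# on stdin (assumed "key = value" layout); comment lines are skipped.
# Returns 1 if the file has no master-host entry.
master_host() {
    awk -F= '
        /^[ \t]*#/ { next }
        $1 ~ /^[ \t]*master-host[ \t]*$/ {
            v = $2; gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            print v; found = 1; exit
        }
        END { if (!found) exit 1 }'
}

# Step 4 gate. Print every configuration file that still names the original
# policy server ($1); empty output means none of the files reference it.
still_on_old() {
    old=$1; shift
    for f in "$@"; do
        h=$(master_host < "$f") || h=""
        if [ "$h" = "$old" ]; then echo "$f"; fi
    done
}

# Constructed ldapsearch output for a server that started in configuration mode.
sample_config_mode() {
    printf '%s\n' 'namingcontexts=CN=SCHEMA' 'ibm-slapdisconfigurationmode=TRUE'
}

sample_config_mode | slapd_mode_status || echo "not in normal mode (status $?)"
```

Treating status 2 as a failure as well keeps an empty or truncated ldapsearch result from being read as a healthy server.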
Scenario
2:
Small
u