
Tivoli® Access Manager for Enterprise Single Sign-On

Provisioning Adapter Installation and Setup Guide

Version 6.0

SC32-2004-00



Note:

Before using this information and the product it supports, read the information in "Notices" at the end of this guide.

First Edition (September 2006)

This edition applies to version 6, release 0, modification 0 of IBM Tivoli Access Manager for Enterprise Single

Sign-On (product number 5724-N70) and to all subsequent releases and modifications until otherwise indicated in

new editions.

© Copyright International Business Machines Corporation 2006. All rights reserved.

US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract

with IBM Corp.


TAM E-SSO: Provisioning Adapter Installation and Setup Guide

Table of Contents

Welcome to TAM E-SSO: Provisioning Adapter
Installation Overview
System Requirements and Supported Applications
    Minimum System Requirements
    Software Requirements
Installation Steps
Upgrade Notes
Uninstalling TAM E-SSO: Provisioning Adapter
Reference and Troubleshooting
    Customization Notes
    Installation and Configuration Notes


Welcome to TAM E-SSO: Provisioning Adapter

IBM Tivoli Access Manager for Enterprise Single Sign-On: Provisioning Adapter (TAM E-SSO: Provisioning Adapter) lets an administrator provision TAM E-SSO with a user's ID and password automatically from a provisioning system. An administrator can add, modify and delete IDs and passwords for particular applications within the provisioning system and have the changes reflected in TAM E-SSO. From the provisioning system, all usernames and passwords held in TAM E-SSO for a user can also be deleted, so that the user's access to all protected applications is removed.

Installation Overview TAM E-SSO: Provisioning Adapter is installed as an add-on component to IBM Tivoli Access Manager for Enterprise Single Sign-On (TAM E-SSO). TAM E-SSO must be installed prior to installing TAM E-SSO: Provisioning Adapter. TAM E-SSO automatically recognizes TAM E-SSO: Provisioning Adapter once it is installed. The following is a brief overview of the steps that must be taken in order to successfully install TAM E-SSO: Provisioning Adapter. Each step is explained in detail in the Installation Steps section. If you are upgrading from TAM E-SSO: Provisioning Adapter 5.0, please refer to the Upgrade Notes.

• Review System Requirements

• Install TAM E-SSO: Provisioning Adapter Server
    o Installing the Server
    o Create or identify a User Account for Anonymous Logon
    o Enable SSL

• Install TAM E-SSO: Provisioning Adapter Client CLI (optional)

• Install TAM E-SSO: Provisioning Adapter Client (Support for TAM E-SSO Agent)
    o Set CycleInterval Registry Key


System Requirements and Supported Applications Unless otherwise indicated, the information in this section applies to the TAM E-SSO: Provisioning Adapter Server.

Minimum System Requirements In order for TAM E-SSO: Provisioning Adapter to install and function properly, your system must meet at least the following requirements.

• Pentium III class processor at 900 MHz

• 512 MB RAM

• Disk Space: a complete installation requires ~3 MB
    o TAM E-SSO: Provisioning Adapter Support for SSO Agent requires < 1 MB of additional disk space.

Software Requirements In order for TAM E-SSO: Provisioning Adapter to install and function properly, your system must have the following applications installed:

Internet Explorer 6.0 or higher with 128-bit encryption or Mozilla Firefox 1.0+

Microsoft® .NET Framework 2.0 (installed by TAM E-SSO: Provisioning Adapter setup)

Microsoft Web Services Enhancements 3.0 (WSE 3.0) (installed by TAM E-SSO: Provisioning Adapter setup)

TAM E-SSO: Provisioning Adapter Support for TAM E-SSO Agent In order for the TAM E-SSO: Provisioning Adapter support for the TAM E-SSO Agent to function properly, TAM E-SSO version 5.0+ must be installed.

TAM E-SSO: Provisioning Adapter Server In order for TAM E-SSO: Provisioning Adapter Server to function properly, your system must have the following applications installed:

Microsoft Windows® 2000 Server or Windows Server 2003

Microsoft Internet Information Server version 5.0 or later (6.x recommended)

Microsoft Active Directory®, Microsoft ADAM, Sun Directory Server, or IBM LDAP Directory

Microsoft SQL Server 2000, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2005 Express Edition, or Microsoft SQL Server 2005 (only required if using Event Logging)

IIS Requirements: Microsoft Internet Information Server (IIS), version 5.0 or later. TAM E-SSO: Provisioning Adapter uses the IIS Web server to provide a browser-based interface for user enrollment, general setup and administrative tasks.


Notes:

• If Active Directory or ADAM is used, the anonymous account used in IIS must have Administrative privileges and the server must be joined to the domain.

• If you are running Windows 2000 SP4, make sure that the ASPNET account (or IWAM_Machine if ASPNET does not exist) has the privilege to impersonate a client after authentication. Please refer to http://support.microsoft.com/kb/821546 for more information.

TAM E-SSO: Provisioning Adapter Repository Requirements: TAM E-SSO: Provisioning Adapter can use any of the following as the repository:

o Microsoft Active Directory or Active Directory Application Mode (ADAM). The Active Directory server or ADAM instance (that is, Active Directory running as a user service) can be on any server in the same domain.

o Sun Directory Server

o IBM LDAP Directory

Installer Requirements

To install TAM E-SSO: Provisioning Adapter, you need to have Administrative privileges for the PM/IIS server. You need to provide the following information to configure a Directory server:

host                 Name of the server hosting the Directory server instance.
port                 Port number of the Directory server instance.
name1[,name2,name3]  Distinguished name of the Directory server domain root.

Certificate Requirements

An X.509 Certificate for SSL must be obtained from a Certificate Authority.

A Trusted Root CA Certificate should also be downloaded from your Certificate Authority into the list of trusted root CA’s on the local computer.

For more information see the Enable SSL section.

A certificate setup guide is provided with the TAM E-SSO: Provisioning Adapter documentation suite. If you do not have a certificate authority set up and want to use Microsoft Certificate Services to obtain certificates, please refer to the TAM E-SSO: Provisioning Adapter Certificate Setup Guide which walks you though obtaining the necessary certificates using Microsoft Certificate Services.


Installation Steps Follow these steps to install and configure TAM E-SSO: Provisioning Adapter.

Step 1: Review System Requirements Make sure you have carefully reviewed the system requirements on the previous page.

Step 2: Install TAM E-SSO: Provisioning Adapter Server Complete all the steps in this section to install and configure the TAM E-SSO: Provisioning Adapter server.

• Step 2a: Installing the Server

• Step 2b: Create or identify a User Account for Anonymous Logon

• Step 2c: Enable SSL

Step 2a. Installing the Server Follow these steps to install and configure the TAM E-SSO: Provisioning Adapter Server.

1. Close all programs.

2. Open the TAM E-SSO PA directory on the CD-ROM.

3. Double-click the TAM E-SSO PA Server.exe file to begin the installation.

4. The Welcome Panel appears. Click Next.

5. The License Agreement panel appears. Read the license agreement carefully. Click the I accept the terms in the license agreement button and click Next to continue.

6. The Customer Agreement Panel appears. Enter your User Name, Organization name, and select who to Install this application for: All Users or Only for you. Click Next.

7. The Setup Type Panel appears. Select Complete or Custom. Complete installs all program files. Custom allows you to choose what program files are installed and the location. Custom installations are only recommended for advanced users. Click Next.

8. TAM E-SSO: Provisioning Adapter is ready to be installed. Click Install. Wait for the installation to complete. When it is done, click Finish.

Step 2b. Create or Identify a User Account for Anonymous Logon

A dedicated Anonymous User account, through which TAM E-SSO: Provisioning Adapter users and administrators access the TAM E-SSO: Provisioning Adapter Web Services, must be created or identified. This Anonymous User account must be a member of the Administrators group. Because every Web service request runs under this account and it holds local administrator rights, treat it as a privileged service account: use it for nothing else, give it a strong password, and audit its use.


Note: Because the default Anonymous User account in IIS, IUSR_MACHINE_NAME, is not a member of the Administrators group, you must create or choose a domain user account that is an Administrator. This allows the account to perform these tasks:

1. Change the web service account to use from the management console.

2. Read from and write to the directory service (if AD or ADAM).

3. Write to the local-machine registry (HKLM).

To create a new user account or assign Administrator rights to an existing account, use the Active Directory Users and Computers console (for an Active Directory domain) or the Computer Management console (for non-AD domains).

The user account you create or choose is specified as the Anonymous User dialog of the Services tool during this step.

1. Click Start, point to Programs, point to Administrative Tools, and click Internet Information Services.

2. Locate the TAM E-SSO: Provisioning Adapter Console node in the tree, right-click on it, and click Properties.

3. Click the Directory Security tab and click the Edit button next to Anonymous Access.

4. Check the Anonymous Access checkbox and type in the username and password of the anonymous user. The anonymous user must have local Administrative access.

Note: By default, the TAM E-SSO: Provisioning Adapter Management Console is not restricted. Any user with a credential in the backend storage can log in. If you want to restrict access to a particular group, please see the Additional Security Settings in the TAM E-SSO: Provisioning Adapter Administrator Guide.

Give the IIS anonymous account access to ADAM

Note: This step only applies to ADAM users. Use the account chosen in Step 2b.

1. Click Start, point to Programs, point to ADAM, and then click ADAM Tools Command Prompt.

2. Type:

dsacls \\SERVER:PORT\DISTINGUISHED_NAME /g USER:ga /i:t

where SERVER:PORT identifies the ADAM instance, DISTINGUISHED_NAME is the container that holds the TAM E-SSO: Provisioning Adapter data, and USER is the account chosen in Step 2b. The :ga permission is Generic All (full control) and /i:t applies it to the object and all of its sub-objects. Grant it on the TAM E-SSO: Provisioning Adapter container only, not on the directory root, so that the web service account has full control over nothing more than the data it manages. For example:

dsacls \\localhost:50000\ou=pm,dc=passlogix,dc=com /g PLX\PMWeb:ga /i:t

3. To make sure the account was given access, type:

dsacls \\SERVER:PORT\DISTINGUISHED_NAME

The output shows the security information for the directory object. The TAM E-SSO: Provisioning Adapter Anonymous Account should appear in the list with full access.


Give the ASPNET account additional privileges

Note: The following step is for Windows 2000 Users only.

You must give ASPNET the "Act as part of the operating system" privilege. This is one of the most powerful rights on the system (a process holding it can act as any user without authentication), so grant it only to the ASPNET account, and only on Windows 2000 where this step is required:

1. Open the MMC console by clicking Start > Run. Type mmc and then click OK. The Microsoft Management Console opens.

2. On the File menu, click Add/Remove Snap-in.

3. On the Standalone tab, click Add.

4. In the Add Standalone Snap-in dialog, highlight Group Policy and click Add.

5. On the Group Policy dialog, select Local Computer and click Finish. Click OK.

Note: If you are installing the TAM E-SSO: Provisioning Adapter Console on a box that is a domain controller, instead of selecting Local Computer, click Browse and search for Default Domain Controller Policy. In the next step, in the MMC, Default Domain Controller Policy will appear instead of Local Computer Policy.

6. In the MMC, click the + sign to expand Local Computer Policy, and continue expanding Computer Configuration > Windows Settings > Security Settings > Local Policies. Double-click on User Rights Assignment.

7. Double-click Act as part of the operating system and click the Add User or Group button.

8. Select the ASPNET account and click OK. Click OK again.

Step 2c. Enable SSL

An X.509 Certificate for SSL must be obtained from a trusted Certificate Authority. The CA's root certificate must be installed in the list of trusted Root CAs on the server.

The certificate must be valid for the current date and must contain the name of the website (the machine name that clients use to reach the server). A certificate that is expired, not yet valid, or issued to a different name is rejected by browsers and by the .NET web service client that the Console uses.

The following instructions assume that these certificates are available at known locations.

Notes: The following articles from the Microsoft Web site can be referred to for information on installing certificates and setting up SSL:

How to: Obtain an X.509 Certificate
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wse/html/1011e2ed-f3b0-4f3b-a5b7-8e1d8ae476d8.asp

How to: Set Up SSL on a Web Server
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod30.asp
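The two certificate conditions above (valid for the current date, issued to the web site's name) are worth verifying explicitly once the site is up, because a certificate that fails either one is accepted by the IIS wizard but rejected by every client. The following Python script is an added example, not part of this guide or of the IBM product: check_cert applies both conditions to a certificate in the dictionary format returned by Python's ssl.getpeercert(), audit_live_cert fetches the certificate a running server presents and checks it the same way, and the sample certificates at the end are constructed for illustration (pmserver.example.com is a placeholder host name). The live check assumes the server offers a TLS version that your local OpenSSL accepts.

```python
"""check_cert: does a server certificate satisfy the two requirements
stated in Step 2c, i.e. valid for the current date and issued to the
name of the web site?

Added example, not part of the IBM guide. Works on the dictionary shape
returned by ssl.SSLSocket.getpeercert(), so it runs against a live
server (audit_live_cert) or, offline, against the constructed sample
certificates at the bottom."""
import socket
import ssl
import time


def _hostname_matches(pattern, hostname):
    """RFC 6125 style match: case-insensitive; a wildcard is allowed only as
    the whole left-most label and matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert):
    """DNS names the certificate is issued to. As in RFC 6125, the subject
    commonName is consulted only when there is no subjectAltName extension."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for kind, value in rdn if kind == "commonName"]


def check_cert(cert, hostname, now=None):
    """Return the list of problems found; an empty list means the certificate
    is valid at time `now` (default: the current time) and names `hostname`."""
    now = time.time() if now is None else now
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid (notBefore %s)" % cert["notBefore"])
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired (notAfter %s)" % cert["notAfter"])
    names = cert_names(cert)
    if not any(_hostname_matches(name, hostname) for name in names):
        problems.append("issued to %s, not to %s" % (names, hostname))
    return problems


def audit_live_cert(hostname, port=443):
    """Fetch the certificate a running server presents and check it.
    Chain trust is still enforced by the default context (CERT_REQUIRED);
    only the host-name check is taken over, so that a mismatch is reported
    as a finding instead of raised as an exception."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return check_cert(tls.getpeercert(), hostname)


# Constructed sample certificates in getpeercert() format (not real certificates).
GOOD_CERT = {
    "subject": ((("commonName", "pmserver.example.com"),),),
    "subjectAltName": (("DNS", "pmserver.example.com"), ("DNS", "pmserver")),
    "notBefore": "Sep  1 00:00:00 2006 GMT",
    "notAfter": "Sep  1 00:00:00 2036 GMT",
}
EXPIRED_CERT = {
    "subject": ((("commonName", "pmserver.example.com"),),),
    "notBefore": "Sep  1 00:00:00 2005 GMT",
    "notAfter": "Sep  1 00:00:00 2006 GMT",
}

if __name__ == "__main__":
    for label, cert in (("good", GOOD_CERT), ("expired", EXPIRED_CERT)):
        print(label, check_cert(cert, "pmserver.example.com") or "OK")
```

Run audit_live_cert against the machine name that users and the Console will put in the URL, not against localhost: a certificate issued to the machine name does not match a connection to localhost, which is exactly the mismatch the second requirement is meant to prevent.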


If you use Microsoft Certificate Services to obtain the X.509 certificate, choose a Server Authentication Certificate. Also, enable the Mark keys as exportable and Use local machine store options under the Key Options section.

1. Open Control Panel > Administrative Tools > Internet Information Services. Right-click the v-GO PM Service web site and select Properties.

2. Click the Directory Security tab and under Secure Communications, click Server Certificate.


3. The Web Server Certificate Wizard appears. Because the certificate was already obtained from your CA (see Certificate Requirements), the wizard is used here to assign that certificate rather than to generate a new request. Click Next.

4. Select Assign an existing certificate and click Next.


5. Highlight the certificate to assign and click Next.

6. The default SSL port is 443. Leave the default and click Next.

7. Review the summary of your request. Click Next.

8. Click Finish.

9. The Directory Security tab will still be open. Under Secure Communications, click Edit.


10. On the Secure Communications dialog, check Require secure channel (SSL) and Require 128-bit encryption. Click OK to close the dialog.

11. In the Internet Information Services tree (see the screen in Step 1), select v-GO PM Console. Right-click and select Properties. To enable SSL for the Console, repeat Steps 2 - 10. The next two steps ensure the Console can communicate with the Web service over SSL.

12. Select the ASP.NET tab (on the v-GO PM Console Properties dialog). Make sure the ASP.NET version is set to 2.0.x. (If it was not set to 2.0, click Apply after changing the setting.) Click Edit Configuration.


13. Under Application Settings, select localhost.UP and click Edit.

14. In the Value field, change the prefix of the URL to https. The console will now communicate over SSL with the Web service.
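Step 14 is easy to get wrong by hand, and a wrong value is only noticed when the Console fails to reach the Web service. The following Python script is an added example, not part of this guide or of the IBM product: it reads the Console's Application Settings from an ASP.NET web.config, reports every URL-valued setting that still uses http or that points at a host other than the name on the server certificate, and rewrites such URLs to https. The key name localhost.UP is from Step 13; the web.config layout is the standard ASP.NET appSettings format, and the sample file, the host name pmserver.example.com and the path in it are constructed for this example.

```python
"""Audit and fix the Console's Web-service URL setting (localhost.UP,
Steps 13-14) in an ASP.NET web.config.

Added example, not part of the IBM guide. Assumes the Console's
Application Settings are stored as <add key="..." value="..."/> entries
under <appSettings> in the Console's web.config; the key name localhost.UP
is from the guide, the host name and path in the sample are constructed."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of the relevant web.config fragment as the installer leaves it.
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="localhost.UP" value="http://pmserver.example.com/v-GO PM Service/" />
    <add key="PageSize" value="50" />
  </appSettings>
</configuration>
"""


def _url_settings(root):
    """Yield (element, split URL) for every appSettings entry whose value is an http(s) URL."""
    for add in root.iterfind("./appSettings/add"):
        parts = urlsplit(add.get("value", ""))
        if parts.scheme in ("http", "https") and parts.hostname:
            yield add, parts


def find_insecure_settings(config_xml, cert_host=None):
    """Return [(key, value, reason)] for URL settings that are not https, or whose
    host is not the name on the server certificate (cert_host, when given).
    The second case matters because a name mismatch fails the SSL handshake
    even after the prefix has been corrected."""
    findings = []
    for add, parts in _url_settings(ET.fromstring(config_xml)):
        key, value = add.get("key"), add.get("value")
        if parts.scheme != "https":
            findings.append((key, value, "plain http: calls to the Web service go out in the clear "
                                         "and IIS refuses them once Require secure channel is set"))
        if cert_host and parts.hostname != cert_host.lower():
            findings.append((key, value, "host %s is not the certificate name %s"
                             % (parts.hostname, cert_host)))
    return findings


def harden_settings(config_xml, cert_host=None):
    """Return the config with every URL setting rewritten to https (default port
    443 implied) and, when cert_host is given, pointed at that host."""
    root = ET.fromstring(config_xml)
    for add, parts in _url_settings(root):
        host = cert_host.lower() if cert_host else parts.hostname
        port = "" if parts.port in (None, 80, 443) else ":%d" % parts.port
        add.set("value", urlunsplit(("https", host + port, parts.path, parts.query, parts.fragment)))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in find_insecure_settings(SAMPLE_WEB_CONFIG, "pmserver.example.com"):
        print("%s = %s: %s" % finding)
    print(harden_settings(SAMPLE_WEB_CONFIG))
```

Run find_insecure_settings against the Console's web.config with the host name from the certificate assigned in Step 5. A setting that points at localhost is flagged unless the certificate also carries that name, because the .NET web service client validates the host in the URL against the certificate just as a browser does.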


Step 3: Install the TAM E-SSO: Provisioning Adapter Client CLI

Note: This installation step is optional. The TAM E-SSO: Provisioning Adapter Client CLI/SDK is supplied as an integration component for Provisioning Solutions. The TAM E-SSO: Provisioning Adapter Server provides a Web service which allows integration with other 3rd party provisioning systems. The TAM E-SSO: Provisioning Adapter CLI is used to communicate with this Web service. It can be used as a traditional scripting tool or if preferred, the SDK library can be used to develop more complex integration solutions and connectors for the TAM E-SSO: Provisioning Adapter Server. Follow these steps to install and configure the TAM E-SSO: Provisioning Adapter CLI. For more information on the CLI syntax and usage, please refer to the TAM E-SSO: Provisioning Adapter CLI Guide.

1. Close all programs.

2. Open the TAM E-SSO PA directory on the CD-ROM.

3. Double-click the TAM E-SSO PA Client SDK.exe file to begin the installation.

4. The Welcome Panel appears. Click Next.

5. The License Agreement panel appears. Read the license agreement carefully. Click the I accept the terms in the license agreement button and click Next to continue.

6. The Customer Agreement Panel appears.

7. Enter your User Name, Organization name, and select who to Install this application for: All Users or Only for you. Click Next.

8. The Setup Type Panel appears. Select Complete or Custom. Complete installs all program files. Custom allows you to choose what program files are installed and the location. Custom installations are only recommended for advanced users. To install the Java CLI, the custom panel must be chosen. Installation choices for the Java CLI are for JDK 1.4 or 1.5.

9. Once you select the proper setup options, click Next.

10. TAM E-SSO: Provisioning Adapter is ready to be installed. Click Install.

11. Wait for the installation to complete. When it is done, click Finish.


Step 4: Install TAM E-SSO: Provisioning Adapter Support for TAM E-SSO Agent Follow these steps to install and configure the TAM E-SSO: Provisioning Adapter Support for TAM E-SSO Agent.

1. Close all programs.

2. Open the TAM E-SSO PA directory on the CD-ROM.

3. Double-click the TAM E-SSO PA Client.exe file to begin the installation.

4. The Welcome Panel appears. Click Next.

5. The License Agreement panel appears. Read the license agreement carefully.

Click the I accept the terms in the license agreement button and click

Next to continue.

6. TAM E-SSO: Provisioning Adapter is ready to be installed. Click Install.

7. Wait for the installation to complete. When it is done, click Finish.


Step 4a. Set CycleInterval Registry Key

In order for TAM E-SSO: Provisioning Adapter to function properly, the TAM E-SSO agent must synchronize to retrieve the provisioning instructions from the directory. When deploying, one of the decisions that must be made is the synchronization interval. The CycleInterval registry key is used to force synchronization to occur on a regular interval. If this is not set to a non-zero value, synchronization only occurs on some user action. This would not be the desired behavior with TAM E-SSO: Provisioning Adapter. It is recommended that this key is set to some value, for example 15 minutes. This would guarantee that the provisioning instructions get pulled down from the directory within 15 minutes (or whatever interval is set) of when they are put there by the TAM E-SSO: Provisioning Adapter Server. The CycleInterval registry key can be set through the TAM E-SSO Console: 1. Open the TAM E-SSO Administrative Console by clicking Start, point to

Programs Passlogix TAM E-SSO and click TAM E-SSO Console.

Expand TAM E-SSO, Global Agent Settings, expand Live, and click Synchronization.

Set the Interval for automatic re-sync setting to the desired value.

2. Click Tools Write Global Agent Settings to HKLM.

The Apply Settings dialog appears. Click Yes.


Note: This only applies to running TAM E-SSO agents. If a user doesn't have TAM E-SSO running, the provisioning instructions are not processed until the user starts TAM E-SSO. Processing the provisioning instructions requires that the user be authenticated to TAM E-SSO. If the user isn't authenticated to TAM E-SSO (for example, the timeout expired) then an authentication UI is presented and the synchronization process is blocked until the user authenticates.

Upgrade Notes

If you are upgrading from TAM E-SSO: Provisioning Adapter 5.0, perform these steps:

TAM E-SSO: Provisioning Adapter Server: Follow the instructions in the Install TAM E-SSO: Provisioning Adapter Server section. After running the installer, you must reset IIS and make sure that the anonymous accounts are still set.

TAM E-SSO: Provisioning Adapter Agent: Before installing, shut down the Agent. Follow the instructions in the Install TAM E-SSO: Provisioning Adapter Client (Support for TAM E-SSO Agent) section. After running the installer, restart the Agent.

Uninstalling TAM E-SSO: Provisioning Adapter Follow these steps to uninstall TAM E-SSO: Provisioning Adapter.

1. Click Start, point to Settings, and then click Control Panel.

2. Open Add/Remove Programs.

3. Select IBM Tivoli Access Manager for Enterprise Single Sign-On: Provisioning Adapter and click Remove.

4. Follow the prompts to uninstall TAM E-SSO: Provisioning Adapter.

5. Repeat Steps 3 and 4 for TAM E-SSO: Provisioning Adapter Agent for TAM E-SSO and TAM E-SSO: Provisioning Adapter Client CLI.


Reference and Troubleshooting

Customization Notes

Creating default access pages

You can create HTML pages to provide end users with easy web access to the TAM E-SSO: Provisioning Adapter Administrative Console. Here is an example of the HTML markup for an end user access page. Because Step 2c makes SSL required for the Console, the link uses https; substitute the host computer name (the name on the server certificate) for YOURHOST:

<html>
  <head>
    <title>v-GO PM Console</title>
    <style>
      body { font-family: Verdana; font-size: 12px; text-align: center }
      h1 { font-size: 18px }
    </style>
  </head>
  <body>
    <h1>v-GO Provisioning Manager</h1>
    <!-- Substitute the host computer name for YOURHOST. The Console requires SSL
         after Step 2c, so link over https, not http. -->
    <p>
      <a href="https://YOURHOST/v-GO%20PM%20Console/overview.aspx">v-GO PM Administrative Console</a>
    </p>
  </body>
</html>

You can then create and distribute desktop shortcuts or Internet Explorer favorites to access this page. You can also make your access page the default (home) page for the host Web server ("YOURHOST" in the example URLs above). To do this, follow these steps:

1. Open IIS Manager.

2. Right-click the Default Web Site, and choose Properties from the shortcut menu.

3. Click the Documents tab.

4. Make sure the Enable default content page option is checked (note the name of the first-listed default page) then click OK.


5. Place your access page in the root folder of the default Web site and rename it as the default content page. Note that the link URL can now be relative to the root (e.g., href="v-GO%20PM%20Console").

Use these URLs in an access page or shortcut to access Administrative Console functions; again, substitute your host server name for "YOURHOST":

<a href="https://YOURHOST/v-GO%20PM%20Console/overview.aspx">Overview</a>
<a href="https://YOURHOST/v-GO%20PM%20Console/storage.aspx">Storage Settings</a>
<a href="https://YOURHOST/v-GO%20PM%20Console/users.aspx">Users</a>
<a href="https://YOURHOST/v-GO%20PM%20Console/eventLog.aspx">Event Log</a>
<a href="https://YOURHOST/v-GO%20PM%20Console/report.aspx">Report</a>


Installation and Configuration Notes Please review the following installation and configuration notes:

o TAM E-SSO: Provisioning Adapter does not support File Sync

o Multiple Locators require an Entlist at each locator site

o Using AD/ADAM and IIS Web Services on different servers

o Windows Installer Error 1720

o Internet Security settings (Windows 2003 users)

o Internet Security settings (Windows Domain and Citrix MetaFrame users)

Multiple Locators require an Entlist at each locator site If two users are stored in different containers, a matching application configuration list (entlist) must exist in each locator site in order for provisioning to work down to the client. The matching entlists must exist under both containers that store the user credentials.

Using AD/ADAM and IIS Web Services on different servers If IIS and Active Directory (or the ADAM-instance) are on different computers, then you must provide the IIS Web services with a user account that is in the same domain as (or a trusted domain of) AD/ADAM, and that is provided with read/write access to the directory.

Windows Installer Error 1720 Error 1720 occurs during TAM E-SSO: Provisioning Adapter client software installation when the logged-on user does not have sufficient rights to install software on the workstation. You must log on to workstation as a user with Administrator rights or contact support personnel.

Internet Security settings (Windows 2003 users) The default settings for Windows 2003 Internet Security are more stringent than those for Windows 2000 and XP. If Internet Explorer Enhanced Security Configuration is enabled (on by default in Windows 2003), you must add the TAM E-SSO: Provisioning Adapter Web Console URL to the workstation's Trusted Sites Internet Zone or the Local Intranet Zone in order to use TAM E-SSO: Provisioning Adapter without issues.

Internet Security settings (Windows Domain and Citrix MetaFrame® users) In order for Windows domain users and Citrix MetaFrame users to access TAM E-SSO: Provisioning Adapter, you must add the TAM E-SSO: Provisioning Adapter Web service to the workstation's Local Intranet zone.


Appendix. Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM® representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

© Copyright IBM Corp. 2006


Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged should contact:

IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

Trademarks

The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both:

AIX
DB2
developerWorks
eServer
IBM
iSeries
Lotus
Passport Advantage
pSeries
RACF
Rational
Redbooks
Tivoli
WebSphere
zSeries

Microsoft®, Windows®, Windows NT®, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

IBM Tivoli Access Manager for Enterprise Single Sign-On: Provisioning Adapter Installation and Setup Guide


Intel®, Intel Inside® (logos), MMX and Pentium® are trademarks of Intel Corporation in the United States, other countries, or both.

UNIX® is a registered trademark of The Open Group in the United States and other countries.

Linux® is a trademark of Linus Torvalds in the U.S., other countries, or both.

Java™ and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Other company, product, and service names may be trademarks or service marks of others.


Printed in USA

SC32-2004-00