Tivoli ® Identity Manager Oracle Database Adapter for Windows Installation and Configuration Guide Version 4.6 SC32-1155-05


Note: Before using this information and the product it supports, read the information in Appendix C, “Notices,” on page 63.

Sixth Edition (June 2005)

This edition applies to version 4.6 of this adapter and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright International Business Machines Corporation 2003, 2005. All rights reserved.

US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Preface
  Who should read this book
  Publications and related information
  Tivoli Identity Manager library
  Prerequisite Product Publications
  Related Publications
  Accessing publications online
  Accessibility
  Support information
  Conventions used in this book
  Typeface conventions
  Operating system differences
  Definitions for HOME and other directory variables

Chapter 1. Overview of the Oracle Database adapter
  Features of the adapter

Chapter 2. Installing and configuring the Oracle Database adapter
  Prerequisites
  Installing the adapter
  Importing the adapter profile into the Tivoli Identity Manager Server
  Importing the adapter profile
  Creating an Oracle Database service
  Configuring the adapter

Chapter 3. Configuring the Oracle Database adapter for IBM Tivoli Identity Manager
  Starting the adapter configuration tool
  Viewing configuration settings
  Changing protocol configuration settings
  Configuring event notification
  Setting event notification triggers
  Modifying an event notification context
  Changing the configuration key
  Changing activity logging settings
  Changing registry settings
  Modifying non-encrypted registry settings
  Modifying encrypted registry settings
  Changing advanced settings
  Viewing statistics
  Changing code page settings
  Accessing help and additional options

Chapter 4. Oracle services modifications
  Accessing the service configuration tool main menu
  Viewing current Oracle services
  Adding a new Oracle service
  Example of adding an Oracle service
  Modifying an Oracle service
  Example of modifying an Oracle service
  Removing an Oracle service
  Example of removing an Oracle service
  Testing an Oracle connection
  Example of testing an Oracle connection

Chapter 5. Configuring SSL authentication for the Oracle Database adapter
  Overview of SSL and digital certificates
  Private keys, public keys, and digital certificates
  Self-signed certificates
  Certificate and key formats
  The use of SSL authentication
  Configuring certificates for SSL authentication
  Configuring certificates for one-way SSL authentication
  Configuring certificates for two-way SSL authentication
  Configuring certificates when the adapter operates as an SSL client
  Managing SSL certificates using CertTool
  Starting CertTool
  Generating a private key and certificate request
  Installing the certificate
  Installing the certificate and key from a PKCS12 file
  Viewing the installed certificate
  Installing a CA certificate
  Viewing CA certificates
  Deleting a CA certificate
  Viewing registered certificates
  Registering a certificate
  Unregistering a certificate
  Exporting a certificate and key to PKCS12 file

Chapter 6. Customizing the Oracle Database adapter
  Copy the OracleProfile.jar file and extract the files
  Create a new JAR file and install the new attributes on the Tivoli Identity Manager Server
  Managing passwords when restoring accounts

Chapter 7. Upgrading the Oracle Database adapter or the ADK
  Upgrading the Oracle Database adapter
  Upgrading the ADK
  Log files

Chapter 8. Uninstalling the Oracle Database adapter

Appendix A. Adapter attributes
  Attribute descriptions
  Attributes by Oracle Database Adapter actions
  Database Login Add
  Database Login Change
  Database Login Delete
  Database Login Suspend
  Database Login Restore
  Reconciliation

Appendix B. Support information
  Searching knowledge bases
  Search the information center on your local system or network
  Search the Internet
  Obtaining fixes
  Contacting IBM Software Support
  Determine the business impact of your problem
  Describe your problem and gather background information
  Submit your problem to IBM Software Support

Appendix C. Notices
  Trademarks

Index

Preface

The IBM® Tivoli® Identity Manager Oracle Database Adapter (Oracle Database Adapter) enables connectivity between the Tivoli Identity Manager Server and a network of systems running the Oracle database. After the adapter is installed and configured, Tivoli Identity Manager manages access to Oracle database resources with your site’s security system. This book describes how to install and configure the Oracle Database Adapter.

Note: The program that is used to connect the managed resource to the Tivoli Identity Manager Server is now called an adapter. The term adapter replaces the previously used term agent. The user interface used to configure the adapter still uses the term agent.

Who should read this book

This book is intended for Oracle database security administrators responsible for installing software on their site’s computer systems. Readers are expected to understand Windows® and Oracle database concepts. The person completing the Oracle Database Adapter installation procedure must also be familiar with their site system standards and needs to have appropriate Windows and Oracle experience and knowledge. Readers should be able to perform routine Windows and Oracle system and security administration tasks.

Publications and related information

Read the descriptions of the Tivoli Identity Manager library. To determine which additional publications you might find helpful, read the “Prerequisite Product Publications” on page vii and the “Related Publications” on page viii. After you determine the publications you need, refer to the instructions in “Accessing publications online” on page viii.

Tivoli Identity Manager library

The publications in the Tivoli Identity Manager technical documentation library are organized into the following categories:

• Release information
• Online user assistance
• Server installation and configuration
• Problem determination
• Technical supplements
• Adapter installation and configuration

Release Information:

• IBM Tivoli Identity Manager Release Notes
  Provides software and hardware requirements for Tivoli Identity Manager, and additional fix, patch, and other support information.
• IBM Tivoli Identity Manager Documentation Read This First Card
  Lists the Tivoli Identity Manager publications.

Online user assistance:

Provides online help topics and an information center for all Tivoli Identity Manager administrative tasks. The information center includes information that was previously provided in the IBM Tivoli Identity Manager Configuration Guide and the IBM Tivoli Identity Manager Policy and Organization Administration Guide.

Server installation and configuration:

IBM Tivoli Identity Manager Server Installation and Configuration Guide for WebSphere Environments provides installation and configuration information for Tivoli Identity Manager.

Configuration information that was previously provided in the IBM Tivoli Identity Manager Configuration Guide is now included in either the installation guide or in the IBM Tivoli Identity Manager Information Center.

Problem determination:

IBM Tivoli Identity Manager Problem Determination Guide provides problem determination, logging, and message information for the Tivoli Identity Manager product.

Technical supplements:

The following technical supplements are provided by developers or by other groups who are interested in this product:

• IBM Tivoli Identity Manager Performance Tuning Guide
  Provides information needed to tune Tivoli Identity Manager Server for a production environment, available on the Web at:
  http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
  Click the I character in the A-Z product list, and then click the Tivoli Identity Manager link. Browse the information center for the Technical Supplements section.
• Redbooks and white papers are available on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliIdentityManager.html
  Browse to the Self Help section, in the Learn category, and click the Redbooks link.
• Technotes are available on the Web at:
  http://www.redbooks.ibm.com/redbooks.nsf/tips/
• Field guides are available on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html
• For an extended list of other Tivoli Identity Manager resources, search the following IBM developerWorks Web address:
  http://www.ibm.com/developerworks/

Adapter installation and configuration:

The Tivoli Identity Manager Server technical documentation library also includes an evolving set of platform-specific installation documents for the adapter components of a Tivoli Identity Manager Server implementation. Locate adapters on the Web at:

http://www.lotus.com/services/passport.nsf/WebDocs/Passport_Advantage_Home

Click Support & downloads. Browse to the Downloads and drivers. Click the link for the current inventory of adapters.

Skills and training:

The following additional skills and technical training information were available at the time that this manual was published:

• Virtual Skills Center for Tivoli Software on the Web at:
  http://www.cgselearning.com/tivoliskills/
• Tivoli Education Software Training Roadmaps on the Web at:
  http://www.ibm.com/software/tivoli/education/eduroad_prod.html
• Tivoli Technical Exchange on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/supp_tech_exch.html

Prerequisite Product Publications

To use the information in this book effectively, you must have knowledge of the products that are prerequisites for Tivoli Identity Manager Server. Publications are available from the following locations:

• Oracle database
  – http://www.oracle.com/technology/documentation
• Operating systems
  – IBM AIX®
    http://www16.boulder.ibm.com/pseries/en_US/infocenter/base/aix52.htm
  – Sun Solaris
    http://docs.sun.com/db?q=solaris+9
  – Red Hat Linux®
    http://www.redhat.com/docs/
  – Microsoft® Windows Server 2003
    http://www.microsoft.com/windowsserver2003/proddoc/default.mspx
• Database servers
  – IBM DB2®
    - Support: http://www.ibm.com/software/data/db2/udb/support.html
    - Information center: http://publib.boulder.ibm.com/infocenter/db2help/index.jsp
    - Documentation: http://www.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/v8pubs.d2w/en_main
    - DB2 product family: http://www.ibm.com/software/data/db2
    - Fix packs: http://www.ibm.com/software/data/db2/udb/support/downloadv8.html
    - System requirements: http://www.ibm.com/software/data/db2/udb/sysreqs.html
  – Oracle
    http://www.oracle.com/technology/documentation/index.html
    http://otn.oracle.com/tech/index.html
    http://otn.oracle.com/tech/linux/index.html
  – Microsoft SQL Server 2000
    http://www.msdn.com/library/
    http://www.microsoft.com/sql/
• Directory server applications
  – IBM Directory Server
    http://publib.boulder.ibm.com/tividd/td/IBMDS/IDSapinst52/en_US/HTML/ldapinst.htm
    http://www.ibm.com/software/network/directory
  – Sun ONE Directory Server
    http://docs.sun.com/app/docs/coll/S1_DirectoryServer_52
• WebSphere Application Server
  Additional information is available in the product directory or Web sites.
  http://publib.boulder.ibm.com/infocenter/ws51help/index.jsp
  http://www.redbooks.ibm.com/
• WebSphere embedded messaging
  http://www.ibm.com/software/integration/wmq/
• IBM HTTP Server
  http://www.ibm.com/software/webservers/httpservers/library.html

Related Publications

Information that is related to Tivoli Identity Manager Server is available in the following publications:

• The Tivoli Software Library provides a variety of Tivoli publications such as white papers, datasheets, demonstrations, redbooks, and announcement letters. The Tivoli Software Library is available on the Web at:
  http://www.ibm.com/software/tivoli/literature/
• The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available from the Glossary link of the Tivoli Software Library Web page at:
  http://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm

Accessing publications online

IBM posts publications for this and all other Tivoli products, as they become available and whenever they are updated, to the Tivoli software information center Web site. Access the Tivoli software information center at the following Web address:

http://publib.boulder.ibm.com/tividd/td/tdprodlist.html

Click the I character in the A-Z list, and then click the Tivoli Identity Manager link to access the product library.

Note: If you print PDF documents on other than letter-sized paper, set the option in the File → Print window that allows Adobe Reader to print letter-sized pages on your paper.

Accessibility

The product documentation includes the following features to aid accessibility:

• Documentation is available in convertible PDF format to give the maximum opportunity for users to apply screen-reader software.
• All images in the documentation are provided with alternative text so that users with vision impairments can understand the contents of the images.

Support information

If you have a problem with your IBM software, you want to resolve it quickly. IBM provides the following ways for you to obtain the support you need:

• Searching knowledge bases: You can search across a large collection of known problems and workarounds, Technotes, and other information.
• Obtaining fixes: You can locate the latest fixes that are already available for your product.
• Contacting IBM Software Support: If you still cannot solve your problem, and you need to work with someone from IBM, you can use a variety of ways to contact IBM Software Support.

For more information about these ways to resolve problems, see Appendix B, “Support information,” on page 59.

Conventions used in this book

This reference uses several conventions for special terms and actions and for operating system-dependent commands and paths.

Typeface conventions

This guide uses the following typeface conventions:

Bold
  • Lowercase commands and mixed case commands that are otherwise difficult to distinguish from surrounding text
  • Interface controls (check boxes, push buttons, radio buttons, spin buttons, fields, folders, icons, list boxes, items inside list boxes, multicolumn lists, containers, menu choices, menu names, tabs, property sheets), labels (such as Tip:, and Operating system considerations:)
  • Keywords and parameters in text

Italic
  • Words defined in text
  • Emphasis of words (words as words)
  • New terms in text (except in a definition list)
  • Variables and values you must provide

Monospace
  • Examples and code examples
  • File names, programming keywords, and other elements that are difficult to distinguish from surrounding text
  • Message text and prompts addressed to the user
  • Text that the user must type
  • Values for arguments or command options

Operating system differences

This guide uses the UNIX® convention for specifying environment variables and for directory notation.

When using the Windows command line, replace $variable with %variable% for environment variables and replace each forward slash (/) with a backslash (\) in directory paths. The names of environment variables are not always the same in Windows and UNIX. For example, %TEMP% in the Windows operating system is equivalent to $tmp in a UNIX operating system.

Note: If you are using the bash shell on a Windows system, you can use the UNIX conventions.

Definitions for HOME and other directory variables

The following table contains the default definitions that are used in this guide to represent the HOME directory level for various product installation paths. You can customize the installation directory and HOME directory for your specific implementation. If this is the case, you need to make the appropriate substitution for the definition of each variable represented in this table.

The value of path varies for these operating systems:

• Windows: drive:\Program Files
• AIX: /usr
• Other UNIX: /opt

Each entry below gives the path variable, its default definition, and its description.

DB_INSTANCE_HOME
  Default definition:
    Windows: path\IBM\SQLLIB
    UNIX:
      • AIX, Linux: /home/dbinstancename
      • Solaris: /export/home/dbinstancename
  Description: The directory that contains the database for Tivoli Identity Manager.

LDAP_HOME
  Default definition:
    • For IBM Directory Server Version 5.2
      Windows: path\IBM\LDAP
      UNIX:
        – AIX, Linux: path/ldap
        – Solaris: path/IBMldaps
        path/IBM/LDAP
    • For IBM Directory Server Version 6.0
      Windows: path\IBM\LDAP\V6.0
      UNIX: path/IBM/LDAP/V6.0
        – AIX, Solaris
        – Linux: opt/ibm/ldap/V6.0
    • For Sun ONE Directory Server
      Windows: path\Sun\MPS
      UNIX: /var/Sun/mps
  Description: The directory that contains the directory server code.

IDS_instance_HOME
  Default definition:
    For IBM Directory Server Version 6.0
    Windows: drive\ibmslapd-instance_owner_name
      The value of drive might be C:\ on Windows systems. An example of instance_owner_name might be ldapdb2. For example, the log file might be C:\idsslapd-ldapdb2\logs\ibmslapd.log.
    UNIX: INSTANCE_HOME/idsslapd-instance_name
      On Linux and AIX systems, the default home directory is the /home/instance_owner_name directory. On Solaris systems, for example, the directory is the /export/home/ldapdb2/idsslapd-ldapdb2 directory.
  Description: The directory that contains the IBM Directory Server Version 6.0 instance.

HTTP_HOME
  Default definition:
    Windows: path\IBMHttpServer
    UNIX: path/IBMHttpServer
  Description: The directory that contains the IBM HTTP Server code.

ITIM_HOME
  Default definition:
    Windows: path\IBM\itim
    UNIX: path/IBM/itim
  Description: The base directory that contains the Tivoli Identity Manager code, configuration, and documentation.

WAS_HOME
  Default definition:
    Windows: path\WebSphere\AppServer
    UNIX: path/WebSphere/AppServer
  Description: The WebSphere Application Server home directory

WAS_MQ_HOME
  Default definition:
    Windows: path\ibm\WebSphere MQ
    UNIX: path/mqm
  Description: The directory that contains the WebSphere MQ code.

WAS_NDM_HOME
  Default definition:
    Windows: path\WebSphere\DeploymentManager
    UNIX: path/WebSphere/DeploymentManager
  Description: The home directory on the deployment manager

Tivoli_Common_Directory
  Default definition:
    Windows: path\ibm\tivoli\common\CTGIM
    UNIX: path/ibm/tivoli/common/CTGIM
  Description: The central location for all serviceability-related files, such as logs and first-failure capture data

Chapter 1. Overview of the Oracle Database adapter

An adapter is a program that provides an interface between a managed resource and the Tivoli Identity Manager Server. Adapters might or might not reside on the managed resource and the Tivoli Identity Manager Server manages access to the resource by using your security system. Adapters function as trusted virtual administrators on the target platform, performing such tasks as creating login IDs, suspending IDs, and performing other functions administrators normally run manually. The adapter runs as a service, independent of whether or not a user is logged on to the Tivoli Identity Manager Server.

The IBM Tivoli Identity Manager Oracle Database Adapter enables connectivity between the Tivoli Identity Manager Server and a system running the Oracle database. This installation guide provides the basic information that you need to install and configure the Oracle Database Adapter. This chapter provides an overview of the adapter and the features of the adapter.

Features of the adapter

You can use the Oracle Database Adapter to automate the following administrative tasks:

• Creating an Oracle Database account.
• Modifying Oracle Database accounts.
• Deleting Oracle Database accounts.
• Suspending Oracle Database accounts.
• Restoring Oracle Database accounts.
• Reconciling Oracle Database accounts with Tivoli Identity Manager accounts.

Chapter 2. Installing and configuring the Oracle Database adapter

Installing and configuring the Oracle Database Adapter involves several steps that you must complete in the appropriate sequence. Review the prerequisites before you begin the installation process. You can also create an account on the managed resource for the adapter to use.

Prerequisites

Table 1 identifies hardware, software, and authorization prerequisites to install the Oracle Database Adapter. Verify that all of the prerequisites have been met before installing the Oracle Database Adapter.

Table 1. Prerequisites for installing the Oracle Database adapter

System
  • A 32-bit x86-based microprocessor.
  • A minimum of 256 MB of memory.
  • A minimum of 300 MB of free disk space.

Operating System
  • Windows 2000
  • Windows 2003
  • Windows XP

Oracle Database
  • Oracle Database 8i
  • Oracle Database 9i
  • Oracle Database 10g
  Note: The adapter supports Oracle Database versions 8i, 9i, and 10g running on any platform that can be accessed by the Oracle Client Software.

Oracle Client Software
  One of the following versions of Oracle Client software must be installed on the same system where the Oracle adapter is running:
  • Oracle Client 8i
  • Oracle Client 9i
  • Oracle Client 10g

Oracle Service Account
  For every Oracle instance that the adapter manages, you must provide an Oracle account and password. The Oracle account must have the following Oracle privileges and roles:
  • GRANT ANY PRIVILEGE
  • GRANT ANY ROLE
  • CREATE SESSION
  • CREATE USER
  • ALTER USER
  • ALTER SYSTEM
  • DROP USER
  • SELECT ANY TABLE
  • SELECT ANY DICTIONARY
  For Oracle 9i and 10g, the following additional Oracle privileges and roles must be granted to the Adapter Oracle account:
  • SELECT ON SYS.DBA_USERS
  • SELECT ON SYS.DBA_SYS_PRIVS
  • SELECT ON SYS.DBA_ROLE_PRIVS
  • SELECT ON SYS.DBA_TS_QUOTAS
  • SELECT ON SYS.DBA_ROLES
  • SELECT ON SYS.DBA_PROFILES
  • SELECT ON SYS.DBA_TABLESPACES

Network Connectivity
  • TCP/IP network
  • For security purposes, IBM recommends installing the adapter on a Windows NT File System (NTFS).

System Administrator Authority
  The person completing the Oracle Database Adapter installation procedure must have system administrator authority to complete the steps in this chapter.
  The installer should have the ability to create Oracle Service Accounts as described above.

Tivoli Identity Manager Server
  Version 4.6
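
The Oracle Service Account row of Table 1, written out as a SQL*Plus script that creates the account, applies the listed grants, and then audits what the account actually holds. This is an added example, not part of the IBM guide; the account name ITIM_ADAPTER is a hypothetical placeholder, and the script assumes it is run by a DBA connected as SYS on each managed instance.

```sql
-- Added example (not from the IBM guide). ITIM_ADAPTER is a placeholder name.
-- Prompt for the password so it never appears in the script or its history.
ACCEPT adapter_password CHAR PROMPT 'Password for ITIM_ADAPTER: ' HIDE

CREATE USER itim_adapter IDENTIFIED BY "&adapter_password";

-- System privileges listed in Table 1 (all supported Oracle versions).
GRANT CREATE SESSION, CREATE USER, ALTER USER, DROP USER, ALTER SYSTEM,
      GRANT ANY PRIVILEGE, GRANT ANY ROLE,
      SELECT ANY TABLE, SELECT ANY DICTIONARY
   TO itim_adapter;

-- Additional object privileges listed in Table 1 for Oracle 9i and 10g.
GRANT SELECT ON sys.dba_users       TO itim_adapter;
GRANT SELECT ON sys.dba_sys_privs   TO itim_adapter;
GRANT SELECT ON sys.dba_role_privs  TO itim_adapter;
GRANT SELECT ON sys.dba_ts_quotas   TO itim_adapter;
GRANT SELECT ON sys.dba_roles       TO itim_adapter;
GRANT SELECT ON sys.dba_profiles    TO itim_adapter;
GRANT SELECT ON sys.dba_tablespaces TO itim_adapter;

-- Audit 1: system privileges from Table 1 that the account is missing.
SELECT req.priv AS missing_system_privilege
  FROM (SELECT 'GRANT ANY PRIVILEGE' AS priv FROM dual UNION ALL
        SELECT 'GRANT ANY ROLE'        FROM dual UNION ALL
        SELECT 'CREATE SESSION'        FROM dual UNION ALL
        SELECT 'CREATE USER'           FROM dual UNION ALL
        SELECT 'ALTER USER'            FROM dual UNION ALL
        SELECT 'ALTER SYSTEM'          FROM dual UNION ALL
        SELECT 'DROP USER'             FROM dual UNION ALL
        SELECT 'SELECT ANY TABLE'      FROM dual UNION ALL
        SELECT 'SELECT ANY DICTIONARY' FROM dual) req
 WHERE NOT EXISTS (SELECT 1
                     FROM dba_sys_privs p
                    WHERE p.grantee   = 'ITIM_ADAPTER'
                      AND p.privilege = req.priv);

-- Audit 2: system privileges the account holds beyond those in Table 1.
SELECT privilege AS unexpected_system_privilege, admin_option
  FROM dba_sys_privs
 WHERE grantee = 'ITIM_ADAPTER'
   AND privilege NOT IN ('GRANT ANY PRIVILEGE', 'GRANT ANY ROLE',
                         'CREATE SESSION', 'CREATE USER', 'ALTER USER',
                         'ALTER SYSTEM', 'DROP USER',
                         'SELECT ANY TABLE', 'SELECT ANY DICTIONARY');

-- Audit 3: roles granted directly to the account (Table 1 names none).
SELECT granted_role, admin_option
  FROM dba_role_privs
 WHERE grantee = 'ITIM_ADAPTER';

-- Audit 4: object privileges other than SELECT on the seven SYS views.
SELECT owner, table_name, privilege, grantable
  FROM dba_tab_privs
 WHERE grantee = 'ITIM_ADAPTER'
   AND NOT (owner = 'SYS'
            AND privilege = 'SELECT'
            AND table_name IN ('DBA_USERS', 'DBA_SYS_PRIVS',
                               'DBA_ROLE_PRIVS', 'DBA_TS_QUOTAS',
                               'DBA_ROLES', 'DBA_PROFILES',
                               'DBA_TABLESPACES'));
```

All four audit queries return no rows immediately after the grants are applied. Because GRANT ANY PRIVILEGE and GRANT ANY ROLE let the account extend its own rights, rerunning audits 2 to 4 on a schedule shows whether it has drifted beyond what Table 1 requires.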

Installing the adapter

The Tivoli Identity Manager Oracle Database Adapter installation files are available for download from the IBM Web site. Contact your IBM account representative for the Web address and download instructions.

In order to install the adapter, complete the following steps:

1. Download the Oracle Database Adapter installation compressed file from the IBM Web site.
2. Extract the contents of the file into a temporary directory and navigate to that directory.
3. Start the installation program using the setup.exe file in the temporary directory. For example, select Run... from the Start menu, and type C:\Temp\Setup.exe in the Open field.
4. On the Welcome window, click Next.
5. On the License Agreement window, review the license agreement and decide if you accept the terms of the license. If you do, select Accept and then click Next.
6. On the Select Destination Directory window, specify where you want to install the adapter in the Directory Name field. You can accept the default location, or click Browse to specify a different directory. Then, click Next.
7. On the Oracle Service Names window, type the following information: Oracle service name, Oracle account name, and Oracle account password. Then click Next.

   Oracle instances must be defined in order for the adapter to work properly. The service names are case sensitive.

   Oracle Service Name
      The service name for the database instance the adapter manages.
   Oracle Account
      The name of the Oracle service account the adapter uses to manage the Oracle instance.
   Account Password
      The Oracle service account password

   Note: You may add additional service names for the adapter to manage after the installation is completed. See Chapter 3, “Configuring the Oracle Database adapter for IBM Tivoli Identity Manager,” on page 9 and Chapter 4, “Oracle services modifications” for more information about adding, modifying, and deleting managed instances.
8. On the Installation Summary window, click Next to begin the installation.
9. On the Installation Completed window, click Finish to exit the program.

Figure 1. Select Destination Directory window

Importing the adapter profile into the Tivoli Identity Manager Server

Before you can add an adapter as a service to the Tivoli Identity Manager Server,

the server must have an adapter profile to recognize the adapter as a service. The

files that are packaged with the Oracle Database Adapter include the adapter JAR

file, OracleProfile.jar. Using the Import feature of the Tivoli Identity Manager

Server, you can import the adapter profile into the server as a service profile.

The OracleProfile.jar file includes all of the files that are needed to define the

adapter schema, account form, service form and profile properties.

Importing the adapter profile

An adapter profile defines the types of resources that the Tivoli Identity Manager

Server can manage. You must import the adapter profile into the Tivoli Identity

Manager Server before using the Oracle Database Adapter. The profile is used to

create an Oracle Database Adapter service on the Tivoli Identity Manager Server

and to communicate with the adapter.

Before you begin to import the adapter profile, verify that the following conditions

are met:

- The Tivoli Identity Manager Server must be installed and running.

- You must have root or Administrator authority on the Tivoli Identity Manager Server.

In order to import the adapter profile, complete the following steps:

1. Log in to the Tivoli Identity Manager Server using an account that has the

authority to perform administrative tasks.

2. On the Main Menu Navigation Bar, select the Configuration tab.

3. On the Configuration window, select Import/Export → Import tabs.

4. On the Import window, in the File to Upload field, type the location of the

OracleProfile.jar file, or click Browse to locate the file.

5. Click the Import data into Identity Manager link to import the adapter profile

into the Tivoli Identity Manager Server.

- If the adapter profile is imported successfully, the following message is

displayed:

Profile installation complete.

- If the adapter profile is not imported successfully, the following message is

displayed:

Profile installation failed.

When you import the adapter profile, if you receive an error related to the

schema, the trace.log file will contain information about that error. The

trace.log file location is specified by the handler.file.fileDir property that

is defined in the Tivoli Identity Manager enRoleLogging.properties file,

which is installed in the Tivoli Identity Manager \data directory.

Creating an Oracle Database service

After the adapter profile is imported into the Tivoli Identity Manager Server, you

must create a provisioning service to allow Tivoli Identity Manager to

communicate with the adapter.

In order to create a provisioning service, complete the following steps:


1. Log in to the Tivoli Identity Manager Server using an account that has the

authority to perform administrative tasks.

2. On the Main Menu Navigation Bar, click the Provisioning tab.

3. On the Provisioning window, click the Manage Services tab.

4. On the Manage Services window, click Add.

5. From the list of service types, select Oracle DB Profile, and then click

Continue. The Oracle DB Adapter service form is displayed. The service form

contains the following fields:

Service Name

Specify a name that defines this Oracle Database service on the Tivoli

Identity Manager Server. Service Name is a required field.

Description

Specify an optional description for this service.

URL

Specify the location and port number of the Oracle Database Adapter.

The port number is defined in the protocol configuration using the

agentCfg program. For additional information about protocol

configuration settings, see “Changing protocol configuration settings”

on page 10. URL is a required field.

If https is specified as part of the URL, the adapter must be configured

to use SSL authentication. If the adapter is not configured to use SSL

authentication, specify http for the URL. For additional information

about configuring the adapter to use SSL authentication, see Chapter 5,

“Configuring SSL authentication for the Oracle Database adapter,” on

page 33.

User ID

Specify a Directory Access Markup Language (DAML) protocol user

name. The user name is defined in the protocol configuration using the

agentCfg program. For additional information about the protocol

configuration settings, see “Changing protocol configuration settings”

on page 10. User ID is a required field.

Password

Specify the password for the DAML protocol user name. This password

is defined in the protocol configuration using the agentCfg program.

For additional information about the protocol configuration settings, see

“Changing protocol configuration settings” on page 10. Password is a

required field.

Oracle Service

Specify the Oracle Service Name that is managed by this service. For

additional information about the Oracle Service Name, see Chapter 4,

“Oracle services modifications,” on page 27. Oracle Service is a

required field.

Owner

Specify the service owner, if any. Owner is an optional field.

Service Prerequisite

Specify an existing Tivoli Identity Manager service that is a prerequisite

for the Oracle Database service.

6. To verify the connection, press Test.

7. To create the service, press Submit.


Configuring the adapter

Once you have installed the Tivoli Identity Manager Oracle Database Adapter and

imported the adapter profile, configuration is required to ensure that it functions

properly.

In order to configure the Oracle Database Adapter, complete the following steps:

1. Start the Oracle Database Adapter service using the Windows Services Tool.

2. Configure DAML to ensure communication with the Tivoli Identity Manager

Server. For more information on configuring DAML, see “Changing protocol

configuration settings” on page 10.

3. Configure the Oracle Database Adapter to communicate with the Tivoli Identity

Manager Server by configuring the adapter for event notification. For more

information on configuring event notification, see “Configuring event

notification” on page 13.

4. For secure communication, install a certificate on the machine where the

adapter resides and on the Tivoli Identity Manager Server. For more

information on installing certificates, see Chapter 5, “Configuring SSL

authentication for the Oracle Database adapter,” on page 33.

5. Use the agentCfg utility to modify the adapter parameters. For more

information on parameter configuration, see Chapter 3, “Configuring the Oracle

Database adapter for IBM Tivoli Identity Manager,” on page 9.

6. Define the Oracle Service Names for the Oracle Database Adapter to manage.

For more information about defining Oracle service names, see Chapter 4,

“Oracle services modifications,” on page 27.

7. Add and then configure the service form on the Tivoli Identity Manager Server.

For more information about adding and configuring a service form, see

“Creating an Oracle Database service” on page 6.

8. Configure the adapter account form. For more information on configuring the

adapter account form, refer to the IBM Tivoli Identity Manager Information Center.


Chapter 3. Configuring the Oracle Database adapter for IBM Tivoli Identity Manager

Use the adapter configuration program, agentCfg, to view or modify the Oracle

Database Adapter parameters. All changes that you make to parameters with this

tool take effect immediately.

Starting the adapter configuration tool

In order to start the adapter configuration tool, agentCfg, for Oracle Database

Adapter parameters, complete these steps:

1. From the Start Menu, select Programs → Accessories → Command Prompt.

2. At the command prompt, change to the \bin directory for the adapter. For

example, type the following command, if the Oracle Database Adapter is in the

default location:

cd C:\Tivoli\Agents\OracleAgent\bin

3. Type the following command:

agentCfg -agent OracleAgent

You can also use agentCfg to view or change configuration settings from a

remote computer. See the table in “Accessing help and additional options” on

page 24 for procedures on using additional arguments.

4. At the Enter configuration key for Agent ’OracleAgent’ prompt, type the

configuration key for the Oracle Database Adapter.

The default configuration key is agent. You must change the configuration key

once installation completes, to prevent unauthorized access to the configuration

of the adapter. See “Changing protocol configuration settings” on page 10 for

procedures to change the configuration key.

The Main Configuration Menu is displayed.

OracleAgent 4.6 Agent Main Configuration Menu

-------------------------------------------

A. Configuration Settings.

B. Protocol Configuration.

C. Event Notification.

D. Change Configuration Key.

E. Activity Logging.

F. Registry Settings.

G. Advanced Settings.

H. Statistics.

I. Codepage Support.

X. Done.

Select menu option:

From the Main Menu, you can configure the protocol, view statistics, and modify

settings, including configuration, registry, and advanced settings.

Table 2. Options for the main configuration menu

Option  Configuration task                        For more information
A       Viewing configuration settings            See page 10.
B       Changing protocol configuration settings  See page 10.
C       Configuring event notification            See page 13.
D       Changing the configuration key            See page 19.
E       Changing activity logging settings        See page 19.
F       Changing registry settings                See page 21.
G       Changing advanced settings                See page 22.
H       Viewing statistics                        See page 23.
I       Changing code page settings               See page 23.

Viewing configuration settings

The following procedure describes how to view the Oracle Database Adapter

configuration settings.

1. At the Agent Main Configuration Menu, type A. The configuration settings for

the Oracle Database Adapter are displayed. The following screen is an example

of the Oracle Database Adapter configuration settings.

Configuration Settings

-------------------------------------------

Name : OracleAgent

Version : 4.6

ADK Version : 4.65

ERM Version : 4.65

License : NONE

Asynchronous ADD Requests : TRUE (Max.Threads:3)

Asynchronous MOD Requests : TRUE (Max.Threads:3)

Asynchronous DEL Requests : TRUE (Max.Threads:3)

Asynchronous SEA Requests : TRUE (Max.Threads:3)

Available Protocols : DAML

Configured Protocols : DAML

Logging Enabled : TRUE

Logging Directory : C:\Tivoli\Agents\OracleAgentLog

Log File Name : OracleAgent.log

Max. log files : 3

Max.log file size (Mbytes) : 1

Debug Logging Enabled : TRUE

Detail Logging Enabled : FALSE

Press any key to continue

2. Press any key to return to the Main Menu.

Changing protocol configuration settings

The Oracle Database Adapter uses the DAML protocol to communicate with the

Tivoli Identity Manager Server. By default, when the adapter is installed, the

DAML protocol is configured to be used in nonsecure mode. In order to configure

a secure environment, you must configure the DAML protocol to use SSL and

install a certificate. Refer to “Installing the certificate” on page 42 for more

information about installing certificates.


In previous versions of this adapter, you could add and remove protocols.

However, in the latest version of this adapter, the DAML protocol is the only

supported protocol that you can use. Therefore, you will not need to add or

remove a protocol.

In order to configure the DAML protocol for the Oracle Database Adapter,

complete the following steps:

1. At the Agent Main Configuration Menu, type B. The DAML protocol is

configured and available by default for the Oracle Database Adapter.

Agent Protocol Configuration Menu

-----------------------------------

Available Protocols: DAML

Configured Protocols: DAML

A. Add Protocol.

B. Remove Protocol.

C. Configure Protocol.

X. Done

Select menu option

2. At the Agent Protocol Configuration Menu, type C. The DAML Protocol

Properties Menu is displayed.

3. At the DAML Protocol Properties Menu, type C. The protocol properties for the

configured protocol are displayed. The properties on your menu might be

different from the ones shown in the examples.

The following screen is an example of the DAML protocol properties:

DAML Protocol Properties

--------------------------------------------------------------------

A. USERNAME ****** ;Authorized user name.

B. PASSWORD ****** ;Authorized user password.

C. MAX_CONNECTIONS 100 ;Max Connections.

D. PORTNUMBER 45580 ;Protocol Server port number.

E. USE_SSL FALSE ;Use SSL secure connection.

F. SRV_NODENAME 9.38.215.20 ;Event Notif. Server name.

G. SRV_PORTNUMBER 9443 ;Event Notif. Server port number.

H. VALIDATE_CLIENT_CE FALSE ;Require client certificate.

I. REQUIRE_CERT_REG FALSE ;Require registered certificate.

X. Done

Select menu option:

4. Type the letter of the menu option for the protocol property that you want to

configure.

See Table 3 below for additional information about the properties that you can

configure for the DAML protocol.

Table 3. Options for the DAML protocol menu

Option Configuration task

A The following prompt is displayed:

Modify Property ’USERNAME’:

Type a user ID.

This value is the user ID that the Tivoli Identity Manager Server uses to

connect to the adapter.

The default user ID is agent.


B The following prompt is displayed:

Modify Property ’PASSWORD’:

Type a password.

This value is the password for the user ID that the Tivoli Identity

Manager Server uses to connect to the adapter.

The default password is agent.

C The following prompt is displayed:

Modify Property ’MAX_CONNECTIONS’:

Enter the maximum number of concurrent open connections that the

adapter supports.

The default number is 100.

D The following prompt is displayed:

Modify Property ’PORTNUMBER’:

Type a different port number.

This value is the port number that the Tivoli Identity Manager Server

uses to connect to the adapter. The default port number is 45580.

E The following prompt is displayed:

Modify Property ’USE_SSL’:

Enter TRUE or FALSE to specify whether a secure SSL connection will

be used to connect to or from the adapter.

The default value is FALSE.

You must install a certificate when USE_SSL is set to TRUE. For more

information on certificate installation, see “Installing the certificate” on

page 42.

F The following prompt is displayed:

Modify Property ’SRV_NODENAME’:

Type a server name or an IP address, for example, 9.38.215.20.

This value is the DNS name or IP address of the Tivoli Identity Manager

Server that is used for event notification and asynchronous request

processing.

Note: If your platform supports Internet Protocol version 6 (IPv6)

connections, you can specify an IPv6 server.

G The following prompt is displayed:

Modify Property ’SRV_PORTNUMBER’:

Type a different port number to access the Tivoli Identity Manager

Server.

This value is the port number that the adapter uses to connect to the

Tivoli Identity Manager Server. The default port number is 9443.


H The following prompt is displayed:

Modify Property ’VALIDATE_CLIENT_CE’:

Type TRUE to require the Tivoli Identity Manager Server to send a

certificate when it communicates with the adapter.

Type FALSE to allow the Tivoli Identity Manager Server to communicate

with the adapter without a certificate. The default value is FALSE.

Notes:

1. If you set this option to TRUE, you must configure options D

through H.

2. The property name is actually VALIDATE_CLIENT_CERT. It is

truncated by agentCfg to fit onto the screen.

3. You must use CertTool to install the appropriate CA certificates and

optionally register the Tivoli Identity Manager Server certificate. For

more information on using CertTool, see “Managing SSL certificates

using CertTool” on page 39.

I The following prompt is displayed:

Modify Property ’REQUIRE_CERT_REG’:

This value only applies when option H is set to TRUE.

Type TRUE to require the client certificate from the Tivoli Identity

Manager Server to be registered with the adapter before it will accept an

SSL connection.

Type FALSE to require the client certificate only be verified against the

list of CA certificates. The default value is FALSE.

For more information on certificates, see Chapter 5, “Configuring SSL

authentication for the Oracle Database adapter,” on page 33.

5. At the prompt, change the value, and press Enter.

The Protocol Properties Menu is displayed with your new settings.

If you do not want to change the value, just press Enter to return to the

Protocol Properties Menu.

6. Repeat steps 4 and 5 to configure as many protocol properties as you need to.

7. At the Protocol Properties Menu, type X to exit the menu.
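The SSL-related options in Table 3 depend on one another and on the URL typed into the service form, so a mismatch is easy to leave behind. The following is an added example, not IBM code: it parses a saved copy of the DAML Protocol Properties screen (constructed here from the example screen in this guide) and reports settings that conflict with the rules stated above. The function names, finding codes, and the host name adapter.example.test are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed capture: the example properties screen from this guide, saved as text.
SAMPLE_SCREEN = """\
DAML Protocol Properties
--------------------------------------------------------------------
A. USERNAME ****** ;Authorized user name.
B. PASSWORD ****** ;Authorized user password.
C. MAX_CONNECTIONS 100 ;Max Connections.
D. PORTNUMBER 45580 ;Protocol Server port number.
E. USE_SSL FALSE ;Use SSL secure connection.
F. SRV_NODENAME 9.38.215.20 ;Event Notif. Server name.
G. SRV_PORTNUMBER 9443 ;Event Notif. Server port number.
H. VALIDATE_CLIENT_CE FALSE ;Require client certificate.
I. REQUIRE_CERT_REG FALSE ;Require registered certificate.
X. Done
"""

# One property row: menu letter, property name, value, then ";description".
_ROW = re.compile(r"^\s*([A-Z])\.\s+([A-Z_]+)\s+(\S+)\s*;")


def parse_daml_screen(text):
    """Return {property name: displayed value} for every property row."""
    props = {}
    for line in text.splitlines():
        match = _ROW.match(line)
        if match:
            props[match.group(2)] = match.group(3)
    return props


def audit(props, service_url=None):
    """Return (code, message) findings; an empty list means nothing was flagged.

    USERNAME and PASSWORD are masked on the screen, so the default
    agent/agent credentials cannot be detected from a capture.
    """
    def is_true(name):
        return props.get(name, "FALSE").upper() == "TRUE"

    findings = []
    use_ssl = is_true("USE_SSL")
    validate_client = is_true("VALIDATE_CLIENT_CE")

    if not use_ssl:
        findings.append(("SSL_OFF", "USE_SSL is FALSE: DAML runs in nonsecure mode"))
    elif not validate_client:
        findings.append(("CLIENT_CERT_OFF",
                         "VALIDATE_CLIENT_CE is FALSE: the server may connect without a certificate"))
    if is_true("REQUIRE_CERT_REG") and not validate_client:
        findings.append(("CERT_REG_INERT",
                         "REQUIRE_CERT_REG only applies when VALIDATE_CLIENT_CE is TRUE"))

    if service_url:
        url = urlsplit(service_url)
        # The service form URL must use https only when the adapter uses SSL.
        if url.scheme == "https" and not use_ssl:
            findings.append(("URL_HTTPS_NO_SSL",
                             "service form uses https but the adapter is not configured for SSL"))
        elif url.scheme == "http" and use_ssl:
            findings.append(("URL_HTTP_WITH_SSL",
                             "service form uses http but the adapter has USE_SSL set to TRUE"))
        if url.port is not None and str(url.port) != props.get("PORTNUMBER"):
            findings.append(("URL_PORT_MISMATCH",
                             "service form port differs from PORTNUMBER"))
    return findings


if __name__ == "__main__":
    for code, message in audit(parse_daml_screen(SAMPLE_SCREEN),
                               "https://adapter.example.test:45580"):
        print(f"{code}: {message}")
```
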

Configuring event notification

Event notification is a feature of the Oracle Database Adapter that updates the

Tivoli Identity Manager Server at set intervals. Event notification detects changes

that are made on the managed resource and updates the Tivoli Identity Manager

Server with the changes. You can enable event notification if you want to have

updated information from the managed resource sent back to the Tivoli Identity

Manager Server between full reconciliations. Event notification is not intended to

replace reconciliations on the Tivoli Identity Manager Server.

When event notification is enabled, a database of the reconciliation data is kept on

the machine where the adapter is installed. The database is updated with the

changes that are requested by the Tivoli Identity Manager Server and will remain

synchronized with the server. You can specify an interval for the event notification


process to compare the database to data that currently exists on the managed

resource. When the interval has elapsed, any differences between the managed

resource and the database are forwarded to the Tivoli Identity Manager Server and

updated in the local snapshot database.

There are several steps to enabling event notification. These steps assume that the

adapter is communicating successfully with the managed resource and the Tivoli

Identity Manager Server.

First, you must configure the host name, port number, and login information for

the Tivoli Identity Manager Server. In order to identify the server for the DAML

protocol to use, complete the following steps:

1. At the Agent Protocol Configuration Menu, select Configure Protocol. For more

information on configuring a protocol, see “Changing protocol configuration

settings” on page 10.

2. Type the menu option for the SRV_NODENAME property.

3. Specify the IP address or server name that identifies the Tivoli Identity

Manager Server, and press Enter.

The Protocol Properties Menu is displayed with your new settings.

4. Type the menu option for the SRV_PORTNUMBER property.

5. Specify the port number that the adapter uses to connect to the Tivoli Identity

Manager Server for event notification and press Enter.

The Protocol Properties Menu is displayed with your new settings.

The example menu shows all of the options displayed when Event Notification is

enabled. If Event Notification is disabled, not all of the options are displayed. In

order to set Event Notification for the Tivoli Identity Manager Server, complete the

following steps:

1. At the Agent Main Configuration Menu, type C. The Event Notification Menu is

displayed.

Event Notification Menu

--------------------------------------------------------------

* Reconciliation interval : 1 day(s)

* Next Reconciliation time : 23 hour(s) 56 min(s). 23 sec(s).

* Configured Contexts : Jupiter, dd309

A. Enabled

B. Time interval between reconciliations.

C. Set Processing cache size. (currently: 50 Mbytes)

D. Start event notification now.

E. Set attributes to be reconciled.

F. Reconciliation process priority. (current: 1)

G. Add Event Notification Context.

H. Modify Event Notification Context.

I. Remove Event Notification Context.

J. List Event Notification Contexts.

X. Done

Select menu option:

Note: This menu shows all of the options that are displayed when Event

Notification is enabled. If Event Notification is disabled, not all of the

options are displayed.

2. Type the letter of the menu option that you want to change.

Option A must be enabled in order for the values of the other options to take

effect.


Press Enter to return to the Agent Event Notification Menu without changing

the value.

Table 4. Options for the event notification menu

Option Configuration task

A If this option is enabled, the adapter updates the Tivoli Identity Manager

Server with changes to the adapter at regular intervals.

When the option is set to:

- Disabled, pressing the A key changes to enabled

- Enabled, pressing the A key changes to disabled

Type A to toggle between the options.

B The following prompt is displayed:

Enter new interval

([ww:dd:hh:mm:ss])

Type a different reconciliation interval. For example,

[00:01:00:00:00]

Note: This value is the interval to wait once event notification completes

before it is run again. The event notification process is resource

intensive, therefore this value must not be set to run too frequently.

C The following prompt is displayed:

Enter new cache size[5]:

Type a different value to change the processing cache size.

D If this option is selected, event notification is started.

E The Event Notification Entry Types Menu is displayed. See “Setting

event notification triggers” on page 16 for more information.

F The following prompt is displayed:

Enter new thread priority [1-10]:

Type a different thread value to change the event notification process

priority.

Note: Setting the thread priority to a lower value reduces the impact

that the event notification process has on the performance of the adapter.

A lower value might also cause event notification to take longer.

G The following prompt is displayed:

Context name:

Type the new context name, and press Enter. The new context is added.

H A menu listing the available contexts is displayed. See “Modifying an

event notification context” on page 17 for more information.

I The Remove Context Menu is displayed. Select the context to remove.

The following prompt is then displayed:

Delete context context1? [no]:

Press Enter to exit without deleting the context, or type Yes and press

Enter to delete the context.


J The Event Notification Contexts are displayed in the following format:

Context Name : Context1

Target DN :

erservicename=context1,o=IBM,

ou=IBM,dc=com

--- Attributes for search request ---

{search attributes listed}

-----------------------------------------------

3. If you changed the value for options B, C, E, or F, press Enter. The other

options are automatically changed when you type the corresponding letter of

the menu option.

The Event Notification Menu is displayed with your new settings.

Setting event notification triggers

By default, all attributes are queried for value changes. Certain attributes that

change frequently (for example, password age or last successful logon) must be

omitted.

1. At the Event Notification Menu, type E. The Event Notification Entry Types

Menu is displayed.

Event Notification Entry Types

-------------------------------------------

A. USER

B. GROUP

X. Done

Select menu option:

The USER and GROUP types will not appear in the above menu until the

following conditions have been met:

a. Event notification has been enabled

b. A context has been created and configured

c. A full reconciliation has been run

2. Type A for a list of the attributes returned during a user reconciliation, or type B

for attributes returned during a group reconciliation.

The Event Notification Attribute Listing for the selected reconciliation type is

displayed. The default setting lists all attributes that the adapter supports. The

example below lists example attributes, and might differ from the list that is

displayed on your machine.

Event Notification Attribute Listing

-------------------------------------

(a) **erPassword (b) **erOracleTblSpcQuota (c) **erOracleAuthenticationType

(d) **erUid (e) **erOracleServiceName (f) **erOracleEDefaultTableSpace

(g) **erOracleProfile (h) **erOracleTemporaryTableSpace (i) **erOracleSysPriv

(j) **erOracleRole (k) **erOracleExpirePwd (l) **erOracleGlobalName

(p)rev page 1 of 3 (n)ext

-----------------------------

X. Done

Select menu option:

3. Type the corresponding letter of the menu option for the attribute to exclude

from an event notification.


Attributes that are marked with two asterisks (**) are returned during the event

notification. Attributes that are not marked with asterisks are not returned

during the event notification.

Modifying an event notification context

An event notification context corresponds to a service on the Tivoli Identity

Manager Server. Some adapters support multiple services. One Oracle Database

Adapter can have several Tivoli Identity Manager services, by specifying a

different base point for each service.

The base point for the Oracle Database Adapter is the point in the directory server

that is used as the root for the adapter. This point can be an organizational unit

(OU) or domain container (DC) base point. Because the base point is an optional

value, if a value is not specified, the adapter uses the default domain of the

machine on which it is installed.

You can have multiple event notification contexts, but you must have at least one

adapter. In the example screen below, note that Context1, Context2, and Context3

are three different contexts, all having a different base point.

In order to modify an event notification context, complete the following steps:

1. At the Event Notification Menu, type H. The Modify Context Menu is

displayed.

Modify Context Menu

------------------------------

A. Context1

B. Context2

C. Context3

X. Done

Select menu option:

2. Type the letter of the menu option that you want to modify. The Modify

Context Menu for the selected context is displayed.

A. Set attributes for search

B. Target DN:

C. Delete Baseline Database

X. Done

Select menu option:

Table 5. Options for the modify context menu

Option  Configuration task                                              For more information
A       Adding search attributes for event notification                 See page 17.
B       Configuring the target DN for event notification contexts       See page 18.
C       Removing the baseline database for event notification contexts  See page 19.

Adding search attributes for event notification

For some adapters, you might need to specify an attribute-value pair for one or

more contexts. These attribute-value pairs, which are defined by completing the

steps below, serve multiple purposes:

- When multiple services are supported by a single adapter, each service needs to specify one or more attributes to differentiate it from the other services.

- The search attributes are passed to the event notification process, once the event notification interval has occurred or is started manually. For each context, a full search request is sent to the adapter. Additionally, the attributes specified for that context are passed to the adapter.

- When the Tivoli Identity Manager Server initiates a reconciliation process, the adapter replaces the local database that represents this service with the new database.

In order to add search attributes, complete the following steps:

1. At the Modify Context Menu for the context, type A. The Reconciliation

Attribute Passed to Agent Menu is displayed.

Reconciliation Attributes Passed to Agent for Context: Context1

----------------------------------------------------

----------------------------------------------------

A. Add new attribute

B. Modify attribute value

C. Remove attribute

X. Done

Select menu option:

The Oracle Database Adapter requires the erOracleServiceName attribute to be

specified for each context. The value of the erOracleServiceName attribute must

be set to the Oracle Service Name defined on the Tivoli Identity Manager

Service Form.

2. Type the letter of the menu option that you want to change.

The supported attribute names will be displayed with two asterisks (**) in front

of each name. When you type the letter of an attribute, it will toggle the

asterisks on and off. Attributes without asterisks will not be updated during an

event notification.

The Reconciliation Attributes Passed to Agent Menu is displayed with your changes.

Configuring the target DN for event notification contexts

The target DN field holds the unique name of the service that receives event

notification updates.

In order to configure the target DN, complete the following steps:

1. At the Modify Context Menu for the context, type B.

2. At the Enter Target DN prompt, type the target DN for the context, and press

Enter. The target DN for the event notification context must be in the following

format:

erservicename=erservicename,o=organizationname,ou=tenantname,rootsuffix

Each element of the DN is defined as follows:

Table 6. DN elements and definitions

Element         Definition

erservicename   Specifies the name of the target service

o               Specifies the name of the organization

ou              Specifies the name of the tenant that the organization is in

rootsuffix      Specifies the root of the directory tree


The Modify Context Menu is displayed with the new target DN listed.
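The following example is added here and is not part of the IBM guide or the adapter. It builds a target DN in the documented order and checks a typed DN before it is entered at the Enter Target DN prompt. The function names, the sample names, the dc=com root suffix, and the use of RFC 4514 escaping for special characters are assumptions.

```python
REQUIRED_ORDER = ("erservicename", "o", "ou")   # order given in the guide
ESCAPED_ANYWHERE = set('",+;<>\\')              # RFC 4514 special characters


def escape_value(value):
    """Escape one attribute value for the string form of a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for index, char in enumerate(value):
        needs_escape = (
            char in ESCAPED_ANYWHERE
            or (index == 0 and char in "# ")
            or (index == last and char == " ")
        )
        out.append("\\" + char if needs_escape else char)
    return "".join(out)


def build_target_dn(service, organization, tenant, root_suffix):
    """Assemble erservicename=...,o=...,ou=...,rootsuffix from raw names."""
    return "erservicename={},o={},ou={},{}".format(
        escape_value(service), escape_value(organization),
        escape_value(tenant), root_suffix)


def split_rdns(dn):
    """Split a DN at commas that are not preceded by a backslash escape."""
    parts, current, escaped = [], [], False
    for char in dn:
        if escaped:
            current.append(char)
            escaped = False
        elif char == "\\":
            current.append(char)
            escaped = True
        elif char == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(char)
    parts.append("".join(current))
    return [part.lstrip() for part in parts]


def check_target_dn(dn):
    """Return a list of problems; an empty list means the documented shape."""
    rdns = split_rdns(dn)
    problems = []
    if len(rdns) < 4:
        problems.append("expected erservicename, o, ou and a root suffix")
    for position, attribute in enumerate(REQUIRED_ORDER):
        if position >= len(rdns):
            break
        name, separator, value = rdns[position].partition("=")
        if not separator or name.strip().lower() != attribute:
            problems.append("element %d must be %s=<value>" % (position + 1, attribute))
        elif not value.strip():
            problems.append("%s has an empty value" % attribute)
    for rdn in rdns[3:]:
        name, separator, value = rdn.partition("=")
        if not (separator and name.strip() and value.strip()):
            problems.append("root suffix element %r is not attribute=value" % rdn)
    return problems


if __name__ == "__main__":
    # Constructed names; "dc=com" is an assumed root suffix.
    dn = build_target_dn("OracleProd", "Acme, Inc.", "Acme", "dc=com")
    print(dn, check_target_dn(dn))
```

An unescaped comma inside a name shifts every later element by one position, which the check reports as a misplaced ou element.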

Removing the baseline database for event notification contexts

This option is only available once a context is created and a reconciliation is run on

the context to create a Baseline Database file.

At the Modify Context Menu for the context, type C. The Modify Context Menu is

displayed with the Delete Baseline Database option removed.

Changing the configuration key

You use the configuration key as a password to access the configuration tool for

the adapter.

In order to change the Oracle Database Adapter configuration key, complete the

following steps:

1. At the Main Menu prompt, type D.

2. Change the value of the configuration key, and press Enter.

Press Enter to return to the Main Configuration Menu without changing the

configuration key. The default configuration key is agent. Make sure that you

choose passwords that cannot be easily guessed.

The following message is displayed:

Configuration key successfully changed.

The configuration program exits, and the Main Menu prompt is displayed.

Changing activity logging settings

When you enable logging, Oracle Database Adapter maintains a dated log file of

all transactions, OracleAgent.log. By default, the log file is in the \log directory.

In order to change the Oracle Database Adapter activity logging settings, complete

the following steps:

1. At the Main Menu prompt, type E.

The Agent Activity Logging Menu is displayed. The following example shows

the default activity logging settings.

Agent Activity Logging Menu

-------------------------------------

A. Activity Logging (Enabled).

B. Logging Directory (current: C:\Tivoli\Agents\OracleAgentLog).

C. Activity Log File Name (current: OracleAgent.log).

D. Activity Logging Max. File Size ( 1 mbytes)

E. Activity Logging Max. Files ( 3 )

F. Debug Logging (Enabled).

G. Detail Logging (Disabled).

H. Base Logging (Disabled).

I. Thread Logging (Disabled).

X. Done

Select menu option:

2. Type the letter of the Activity Logging Menu option that you want to change.

Option A must be enabled in order for the values of the other options to take

effect.

Press Enter to return to the Agent Activity Logging Menu without changing the

value.


Table 7. Options for the activity logging menu

Option  Configuration task

A       Set this option to enabled to have the adapter maintain a dated log file of all transactions.
        When the option is set to:
        - Disabled, pressing the A key changes the value to enabled
        - Enabled, pressing the A key changes the value to disabled
        Type A to toggle between the options.

B       The following prompt is displayed:
        Enter log file directory:
        Type a different value for the logging directory, for example, C:\Log. When the logging option is enabled, details about each access request are stored in the logging file that is in this directory.

C       The following prompt is displayed:
        Enter log file name:
        Type a different value for the log file name. When the logging option is enabled, details about each access request are stored in the logging file.

D       The following prompt is displayed:
        Enter maximum size of log files (mbytes):
        Type a new value, for example, 10. The oldest data is archived when the log file reaches the maximum file size. File size is measured in megabytes. It is possible for the activity log file size to exceed disk capacity.

E       The following prompt is displayed:
        Enter maximum number of log files to retain:
        Type a new value up to 100, for example, 5. The adapter automatically deletes the oldest activity logs beyond the specified limit.

F       If this option is set to enabled, the adapter includes the debug statements in the log file of all transactions.
        When the option is set to:
        - Disabled, pressing the F key changes the value to enabled
        - Enabled, pressing the F key changes the value to disabled
        Type F to toggle between the options.

G       If this option is set to enabled, the adapter maintains a detailed log file of all transactions. The detail logging option must be used for diagnostic purposes only. Detailed logging enables more messages from the adapter and might increase the size of the logs.
        When the option is set to:
        - Disabled, pressing the G key changes the value to enabled
        - Enabled, pressing the G key changes the value to disabled
        Type G to toggle between the options.


H       If this option is set to enabled, the adapter maintains a log file of all transactions in the Adapter Development Kit (ADK) and library files. Base logging will substantially increase the size of the logs.
        When the option is set to:
        - Disabled, pressing the H key changes the value to enabled
        - Enabled, pressing the H key changes the value to disabled
        Type H to toggle between the options.

I       If this option is enabled, the log file will contain thread IDs, in addition to a date and timestamp on every line of the file.
        When the option is set to:
        - Disabled, pressing the I key changes the value to enabled
        - Enabled, pressing the I key changes the value to disabled
        Type I to toggle between the options.

3. Press Enter if you changed the value for option B, C, D, or E. The other options

are changed automatically when you type the corresponding letter of the menu

option.

The Agent Activity Logging Menu is displayed with your new settings.

Changing registry settings

In order to change the Oracle Database Adapter registry settings, complete the

following steps:

1. At the Main Menu, type F. The Registry Menu is displayed.

OracleAgent 4.6 Agent Registry Menu

-------------------------------------------

A. Modify Non-encrypted registry settings.

B. Modify encrypted registry settings.

C. Multi-instance settings.

X. Done

Select menu option:

2. See the following procedures on modifying registry settings.

Modifying non-encrypted registry settings

The Oracle Adapter non-encrypted registry settings are used to store the Oracle service names that the adapter manages. Refer to Chapter 4, “Oracle services modifications,” on page 27 for information about how to configure additional Oracle service names.

Modifying encrypted registry settings

The Oracle Database Adapter encrypted registry settings are used to store the password of the Oracle service names that the adapter manages. Refer to Chapter 4, “Oracle services modifications,” on page 27 for information about how to configure additional Oracle service names.


Changing advanced settings

You can change the Oracle Database Adapter thread count settings for the

following types of requests:

- System Login Add

- System Login Change

- System Login Delete

- Reconciliation

These settings determine the maximum number of requests that the Oracle

Database Adapter processes concurrently. In order to change these settings,

complete the following steps:

1. At the Main Menu prompt, type G.

The Advanced Settings Menu is displayed. The following example shows the

default thread count settings.

OracleAgent 4.6 Advanced Settings Menu

-------------------------------------------

A. Single Thread Agent (current:TRUE)

B. ADD max. thread count. (current:3)

C. MODIFY max. thread count. (current:3)

D. DELETE max. thread count. (current:3)

E. SEARCH max. thread count. (current:3)

F. Allow User EXEC procedures (current:FALSE)

G. Archive Request Packets (current:FALSE)

H. UTF8 Conversion support (current:TRUE)

I. Pass search filter to agent (current:FALSE)

J. Thread Priority Level (1-10) (current:4)

X. Done

Select menu option:

2. Type the letter of the menu option of the advanced setting that you want to

change. For a description of each option, see Table 8.

Table 8. Options for the advanced settings menu

Option  Description

A       Forces the adapter to allow only one request at a time. The default value is TRUE.

B       Controls how many simultaneous ADD requests can run at one time. The default value is 3.

C       Controls how many simultaneous MODIFY requests can run at one time. The default value is 3.

D       Controls how many simultaneous DELETE requests can run at one time. The default value is 3.

E       Controls how many simultaneous SEARCH requests can run at one time. The default value is 3.

F       Determines whether the adapter allows pre- and post-exec functions. Enabling this option is a potential security risk. The default value is FALSE.

G       This option is no longer supported.

H       This option is no longer supported.


I       Currently, this adapter does not support processing filters directly. This option must always be FALSE.

J       Sets the thread priority level for the adapter. The default value is 4.

3. Change the value, and press Enter.

The Advanced Settings Menu is displayed with your new settings.
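The following example is added here and is not part of the IBM guide or the adapter. It parses captured text of the Agent Activity Logging Menu and the Advanced Settings Menu and reports settings that conflict with the constraints stated in Table 7 and Table 8. The function names and the sample screens are constructed for illustration, and the retained-log figure is an approximation (maximum file size multiplied by maximum number of files).

```python
import re

# Constructed sample screens, copied from the menu layouts in this guide with
# three values changed from the defaults (Logging G, Advanced F and I).
LOGGING_MENU = r"""
Agent Activity Logging Menu
A. Activity Logging (Enabled).
B. Logging Directory (current: C:\Tivoli\Agents\OracleAgentLog).
C. Activity Log File Name (current: OracleAgent.log).
D. Activity Logging Max. File Size ( 1 mbytes)
E. Activity Logging Max. Files ( 3 )
F. Debug Logging (Enabled).
G. Detail Logging (Enabled).
H. Base Logging (Disabled).
I. Thread Logging (Disabled).
"""

ADVANCED_MENU = """
OracleAgent 4.6 Advanced Settings Menu
A. Single Thread Agent (current:TRUE)
B. ADD max. thread count. (current:3)
C. MODIFY max. thread count. (current:3)
D. DELETE max. thread count. (current:3)
E. SEARCH max. thread count. (current:3)
F. Allow User EXEC procedures (current:TRUE)
G. Archive Request Packets (current:FALSE)
H. UTF8 Conversion support (current:TRUE)
I. Pass search filter to agent (current:TRUE)
J. Thread Priority Level (1-10) (current:4)
"""

# One lettered option per line; the value is the last parenthesised group,
# so "Thread Priority Level (1-10) (current:4)" yields "current:4".
OPTION_LINE = re.compile(r"^\s*([A-J])\.\s+.*?\(([^()]*)\)\.?\s*$")


def parse_menu(text):
    """Return {option letter: value} for a captured agentCfg menu screen."""
    settings = {}
    for line in text.splitlines():
        match = OPTION_LINE.match(line)
        if match:
            letter, value = match.groups()
            value = value.strip()
            if value.lower().startswith("current:"):
                value = value[len("current:"):].strip()
            settings[letter] = value
    return settings


def first_int(value):
    """Return the first integer in a value such as "1 mbytes", or None."""
    match = re.search(r"\d+", value or "")
    return int(match.group()) if match else None


def audit(logging_text, advanced_text):
    """Compare captured settings with the constraints in Tables 7 and 8."""
    log, adv = parse_menu(logging_text), parse_menu(advanced_text)
    findings = []

    def enabled(letter):
        return log.get(letter, "").lower() == "enabled"

    if "A" in log and not enabled("A"):
        findings.append("Logging A: activity logging is disabled, so no "
                        "transaction log is kept and the other options have no effect")
    if enabled("G"):
        findings.append("Logging G: detail logging is enabled; the guide "
                        "limits it to diagnostic use")
    if enabled("H"):
        findings.append("Logging H: base logging is enabled and substantially "
                        "increases log size")
    max_files = first_int(log.get("E"))
    if max_files is not None and max_files > 100:
        findings.append("Logging E: more than 100 log files requested")
    if adv.get("F", "").upper() == "TRUE":
        findings.append("Advanced F: pre- and post-exec functions are allowed, "
                        "which the guide calls a potential security risk")
    if adv.get("I", "FALSE").upper() != "FALSE":
        findings.append("Advanced I: search filter pass-through must always be FALSE")
    priority = first_int(adv.get("J"))
    if priority is not None and not 1 <= priority <= 10:
        findings.append("Advanced J: thread priority is outside 1-10")
    return findings


def retained_log_mb(logging_text):
    """Approximate ceiling on retained activity logs: max size x max files."""
    log = parse_menu(logging_text)
    size_mb, files = first_int(log.get("D")), first_int(log.get("E"))
    return None if size_mb is None or files is None else size_mb * files


if __name__ == "__main__":
    for finding in audit(LOGGING_MENU, ADVANCED_MENU):
        print(finding)
    print("Retained activity log ceiling (MB):", retained_log_mb(LOGGING_MENU))
```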

Viewing statistics

In order to view an event log for the Oracle Database Adapter, complete the

following steps:

1. At the Main Menu prompt, type H.

The activity history for the adapter is displayed.

OracleAgent 4.6 Agent Request Statistics

--------------------------------------------------------------------

Date Add Mod Del Ssp Res Rec

-----------------------------------------------------------------

11/15/02 000001 000000 000000 000000 000000 000001

-----------------------------------------------------------------

X. Done

2. Type X to return to the Main Configuration Menu.

Changing code page settings

In order to list the supported code page information for the Oracle Database

Adapter, the adapter must be running. Run the following command to view the

code page information:

agentCfg -agent [adapter_name] -codepages

In order to change the code page settings for the Oracle Database Adapter,

complete the following steps:

1. At the Main Menu prompt, type I.

The Code Page Support Menu for the adapter is displayed.

OracleAgent 4.6 Codepage Support Menu

-------------------------------------------

* Configured codepage: US-ASCII

-------------------------------------------

*

*******************************************

* Restart Agent After Configuring Codepages

*******************************************

A. Codepage Configure.

X. Done

Select menu option:


2. Type A to configure a code page.

Note: The OracleAgent code page uses Unicode; therefore, this option is not applicable.

3. Type X to return to the Main Configuration Menu.

Accessing help and additional options

In order to access the agentCfg help menu and use the help arguments, complete

the following steps:

1. At the Main Menu prompt, type X. The command prompt is displayed, and

you are in the \bin directory.

2. Type agentCfg -help at the prompt to view the help menu.

The following list of possible commands is displayed:

-version ; Show version

-hostname < value> ; Target nodename to connect to (Default:Local host IP address)

-findall ; Find all agents on target node

-list ; List available agents on target node

-agent <value> ; Name of agent

-tail ; Display agent’s activity log

-schema ; Display agent’s attribute schema

-portnumber <value>; Specified agent’s TCP/IP port number

-netsearch <value> ; Lookup agents hosted on specified subnet

-confidencetest ; Confidence test

-setup ; Confidence test setup

-help ; Display this help screen

Table 9 describes each argument.

Table 9. Arguments and descriptions for the agentCfg help command

Argument              Description

-version              Use this argument to display the version of the agentCfg tool.

-hostname <value>     Use the -hostname argument with any of the following arguments to specify a different host:
                      - -findall
                      - -list
                      - -tail
                      - -agent
                      Enter a host name or IP address as the value.

-findall              Use this argument to search and display all port addresses between 44970 and 44994 and their assigned adapter names. This option times out on unused port numbers, so it might take several minutes to complete.
                      Add the -hostname argument to search a remote host.

-list                 Use this argument to display the adapters that are installed on the local host of the Oracle Database Adapter. By default, the first time you install an adapter, it is either assigned to port address 44970 or to the next available port number. All subsequently installed adapters are then assigned to the next available port address. Once an unused port is found, the listing stops.
                      Use the -hostname argument to search a remote host.


-agent <value>        Use this argument to specify the adapter that you want to configure. Enter an adapter name as the value. Use this argument with the -hostname argument to modify the configuration setting from a remote host. You can also use this argument with the -tail argument.

-tail                 Use this argument with the -agent argument to display the activity log for an adapter. Add the -hostname argument to display the log file for an adapter on a different host.

-schema               This option is no longer supported.

-portnumber <value>   Use this argument with the -agent argument to specify the port number that is used for connections for the agentCfg tool.

-netsearch <value>    Use this argument with the -findall argument to display all active adapters on the system. You must specify a subnet address as the value.

-confidencetest       Use this argument to run a test to add, modify, search, and delete a request to the adapter. The confidence test allows you to test the connection between the adapter and the Oracle database. This allows you to verify that the adapter can connect to Oracle database without the Tivoli Identity Manager Server.

-setup                Use this argument, along with the -confidence argument, to configure the confidence test.

-help                 Use this argument to display the Help information for the agentCfg command.

3. Type agentCfg and one or more of the supported arguments at the prompt.

You must type agentCfg before every argument to run the adapter

configuration tool.

Type agentCfg -list to list all of the adapters on the local host IP address.

Note that the port address for the Tivoli Identity Manager Server is 44970. The

output is similar to the following output:

Agent(s) installed on node ’127.0.0.1’

-----------------------

OracleAgent (44970)

Type agentCfg -agent OracleAgent to display the Main Menu of the agentCfg

tool, which is used to view or modify the Oracle Database Adapter parameters.

Type agentCfg -list -hostname 192.9.200.7 to list the adapters on a host

whose IP address is 192.9.200.7. The output is similar to the following output:

Agent(s) installed on node ’192.9.200.7’

------------------

OracleAgent (44970)

Type agentCfg -agent OracleAgent -hostname 192.9.200.7 to display the Main

Menu of the agentCfg tool for a host whose IP address is 192.9.200.7. Use the

menu options to view or modify the Oracle Database Adapter parameters.


Chapter 4. Oracle services modifications

This chapter describes how to use the provided service configuration program to

view or modify Oracle Services. In order for the modification with this tool to take

effect immediately, you must restart the Oracle Database adapter.

Note: The names of the Oracle Services used must be valid names of Oracle

Services within the Oracle Client Network Configuration.

Accessing the service configuration tool main menu

The following procedure describes how to access the Main Menu of the serviceCfg

tool for Oracle Database Adapter parameters:

1. Log in to the Oracle Database Adapter account.

2. Change the directory to the Oracle Database Adapter \bin directory.

# cd C:\Tivoli\Agents\OracleAgent\bin

3. Type serviceCfg and press Enter.

The Main Menu appears.

IBM Oracle Agent Services Utility.

-------------------------------------------

1) Display current Oracle Services.

2) Add a new Oracle Service.

3) Modify an Oracle Service.

4) Remove an Oracle Service.

5) Test Oracle Connection.

0) Exit.

Enter Option:

From the Main Menu, select one of the options to perform the following tasks:

- For option 1, see “Viewing current Oracle services”

- For option 2, see “Adding a new Oracle service” on page 28

- For option 3, see “Modifying an Oracle service” on page 29

- For option 4, see “Removing an Oracle service” on page 30

- For option 5, see “Testing an Oracle connection” on page 31

Type 0 to return to the Main Menu.

Viewing current Oracle services

In order to view the current Oracle Service, complete the following steps:

1. At the Main Menu prompt, type 1.

The current Oracle Services for the Oracle Database Adapter appear. The

following is a sample of the Oracle Service settings:


IBM Oracle Agent Services Utility.

-------------------------------------------

Display Current Services.

Available Oracle Services 1 through 10

OraService1=sugar:plum

OraService2=peach:blossom

OraService3=apple:cider

OraService4=orange:juice

N)next; P)previous; X)exit; -->

2. At the Display Current Services menu, type the menu letter for the action that

you want to perform and press Enter.

Table 10. View option descriptions

Option  Configuration task

N       List next ten Oracle Services

P       List previous ten Oracle Services

Adding a new Oracle service

In order to add a new Oracle Service, complete the following steps:

1. At the Main Menu prompt, type 2.

The Add a new Oracle Service menu appears.

2. At the Oracle Service Name prompt, type the new Oracle service name and

press Enter.

The following prompt is displayed:

.....Oracle Account:

3. At the .....Oracle Account prompt, type the Oracle service account name and

press Enter.

This is the name of the Oracle Administration Account.

The following prompt is displayed:

....Account password:

4. At the ....Account password prompt, type the Oracle service account password

and press Enter.

This is the password of the Oracle Administration Account.

The following prompt is displayed:

...Verify password:

5. At the ...Verify password prompt, type the Oracle service account password

again and press Enter.

The following prompt is displayed:

Hit any key to continue

6. At the Hit any key to continue prompt, press any key to continue.

The Main Menu appears.


Example of adding an Oracle service

The following is a sample script that will add a new Oracle Service:

IBM Oracle Agent Services Utility.

------------------------------------------------

Adding ’OracService1’.

Oracle Service Name: bart

.....Oracle Account: maggie

.....Account Password:

.....Verify Password:

Added Service ’bart’ with Account ’maggie’, Version ’8’.

Hit any key to continue

Modifying an Oracle service

In order to modify an Oracle Service, complete the following steps:

1. At the Main Menu prompt, type 3.

The Modify Service menu appears.

IBM Oracle Agent Services Utility.

----------------------------------------

Modify Service.

Available Oracle Services 1 through 10

OraService1=sugar:plum

OraService2=peach:blossom

OraService3=apple:cider

OraService4=orange:juice

N)next; P)previous; M)modify; X)exit; -->

2. At the Modify Service menu, type the menu letter for the action that you want

to perform and press Enter.

Table 11. Modify option descriptions

Option  Configuration task

N       List next ten Oracle Services

P       List previous ten Oracle Services

M       Modify an Oracle Service

3. Type the number of the Oracle Service you want to modify and press Enter.

The following prompt is displayed:

Enter the OraService number to modify :

4. At the Enter the OraService number to modify prompt, accept the default service name or type a new one and press Enter.

The following prompt is displayed:

Oracle Service Name [sugar]:

5. At the Oracle Service Name prompt, accept the default value or type a new

service account name and press Enter.

The following prompt is displayed:

.....Oracle Account [fairy]:

6. At the .....Oracle Account prompt, accept the default value or type a new

account name and press Enter.

The following prompt is displayed:

.....Account Password :

7. At the .....Account Password prompt, type the Oracle Service account password

and press Enter.


The following prompt is displayed:

.....Verify Password :

8. At the .....Verify Password prompt, type the Oracle administrator account

password again and press Enter.

The following prompt is displayed:

Hit any key to continue

9. At the Hit any key to continue prompt, press any key to continue.

The Modify an Oracle Service menu appears with the new values listed.

Example of modifying an Oracle service

The example below is a script that modifies an Oracle Service:

IBM Oracle Agent Services Utility.

----------------------------------------

Modify Service.

Available Oracle Services 1 through 10

OraService1= plum:system

OraService2= peach:oradba

OraService3= palm:es300

OraService4= basswood:oradba

N)next; P)previous; M)modify; X)exit; --> M

Enter the OraService number to modify : 1

Oracle Service Name [plum]:

.....Oracle Account [system]: itim

.....Account Password:

.....Verify Password:

Update Service ’plum’ with Account ’itim’, Version ’8’.

Hit any key to continue.

Removing an Oracle service

In order to remove an Oracle Service, complete the following steps:

1. At the Main Menu prompt, type 4.

The Remove Service menu appears.

IBM Oracle Agent Services Utility

---------------------------------------------

Remove Service

Available Oracle Services 1 through 10

OraService1=sugar:plum

OraService2=peach:blossom

OraService3=apple:cider

OraService4=orange:juice

N)next; P)previous; R)remove; X)exit; -->

2. At the Remove Service menu, type the menu letter for the action that you want

to perform and press Enter.

Table 12. Remove option descriptions

Option  Configuration task

N       List next ten Oracle Services

P       List previous ten Oracle Services

R       Remove an Oracle Service

3. Type the number of the Oracle Service you want to remove and press Enter.

The following prompt is displayed:


Enter the OraService number to delete :

4. At the Enter the OraService number to delete prompt, type Y and press Enter.

The following prompt is displayed:

Are you sure [Y/N]:

5. At the Are you sure [Y/N] prompt, type Y to delete the Service or N to cancel.

If you choose Y, the Oracle Service that you selected will be deleted.

Example of removing an Oracle service

The example below is a script that removes an Oracle Service:

IBM Oracle Agent Services Utility.

-----------------------------------------------

Remove Service.

Available Oracle Services 1 through 10

OraService1=sugar:plum

OraService2=peach:blossom

OraService3=apple:cider

OraService4=orange:juice

N)next; P)previous; R)remove; X)exit; --> r

Enter the OraService number to delete : 1

Removing ’OraService1’...

service name : ’sugar’

account : ’plum’

Are you sure [Y/N]: y

Testing an Oracle connection

In order to test an Oracle Service connection, complete the following steps:

1. At the Main Menu prompt, type 5.

The Test Oracle Service connection menu appears.

IBM Oracle Agent Services Utility.

---------------------------------------------

Test Oracle connection.

Available Oracle Services 1 through 10

OraService1=sugar:plum

OraService2=peach:blossom

OraService3=apple:cider

OraService4=orange:juice

N)next; P)previous; T)test connection; X)exit; -->

2. At the Test Oracle connection menu, type the menu letter for the action that

you want to perform and press Enter.

Table 13. Test option descriptions

Option  Configuration task

N       List next ten Oracle Services

P       List previous ten Oracle Services

T       Test an Oracle Service connection

3. Type the number of the Oracle Service that you want to test and press Enter.

The following prompt is displayed:

Enter the OraService number to test :

4. At the Enter the OraService number to test prompt, enter the number of the

Oracle Service that you want to test.

If the test is successful, the following message appears:


Connection SUCCESSFUL to ’OraService1 : sugar’ .

5. At the Hit any key to continue prompt, press any key to continue.

The Test Oracle connection menu appears.

Example of testing an Oracle connection

The example below is a script that tests an Oracle connection:

IBM Oracle Agent Services Utility.

----------------------------------------

Test Oracle connection.

Available Oracle Services 1 through 10

OraService1=sugar:plum

OraService2=peach:blossom

OraService3=apple:cider

OraService4=orange:juice

N)next; P)previous; T)test connection; X)exit; --> t

Enter the OraService number to test: 1

Connection SUCCESSFUL to ’OraService1 : sugar’ .

Hit any key to continue.


Chapter 5. Configuring SSL authentication for the Oracle Database adapter

In order to establish a secure connection between a Tivoli Identity Manager

adapter and the Tivoli Identity Manager Server, you must configure the adapter

and the server to use the Secure Sockets Layer (SSL) authentication with the

default communication protocol, DAML. By configuring the adapter for SSL, you

ensure that the Tivoli Identity Manager Server verifies the identity of the adapter

before a secure connection is established.

You can configure SSL authentication for connections that originate from the Tivoli

Identity Manager Server or from the adapter. Typically, the Tivoli Identity Manager

Server initiates a connection to the adapter in order to set or retrieve the value of a

managed attribute on the adapter. However, depending on the security

requirements of your environment, you might need to configure SSL authentication

for connections that originate from the adapter. For example, if the adapter uses

events to notify the Tivoli Identity Manager Server of changes to attributes on the

adapter, you can configure SSL authentication for Web connections that originate

from the adapter to the Web server used by the Tivoli Identity Manager Server.

In a production environment, you need to enable SSL security; however, for testing

purposes you might want to disable SSL. If an external application that

communicates with the adapter (such as the Tivoli Identity Manager Server) is set

to use server authentication, you must enable SSL on the adapter to verify the

certificate that the application presents.

This chapter presents an overview of SSL authentication, certificates, and how to

enable SSL authentication using the CertTool utility.

Overview of SSL and digital certificates

When you deploy Tivoli Identity Manager in an enterprise network, you must

secure communication between the Tivoli Identity Manager Server and the

software products and components with which the server communicates. The

industry-standard SSL protocol, which uses signed digital certificates from a

certificate authority (CA) for authentication, is used to secure communication in a

Tivoli Identity Manager deployment. Additionally, SSL provides encryption of the

data exchanged between the applications. Encryption makes data transmitted over

the network intelligible only to the intended recipient.

Signed digital certificates enable two applications connecting in a network to

authenticate each other’s identity. An application acting as an SSL server presents

its credentials in a signed digital certificate to verify to an SSL client that it is the

entity it claims to be. An application acting as an SSL server can also be configured

to require the application acting as an SSL client to present its credentials in a

certificate, thereby completing a two-way exchange of certificates. Signed

certificates are issued by a third-party certificate authority for a fee. Some utilities,

such as those provided by OpenSSL, can also issue signed certificates.

A certificate-authority certificate (CA certificate) must be installed to verify the

origin of a signed digital certificate. When an application receives another

application’s signed certificate, it uses a CA certificate to verify the originator of

the certificate. A certificate authority can be well-known and widely used by other

organizations, or it can be local to a specific region or company. Many applications,

such as Web browsers, are configured with the CA certificates of well-known

certificate authorities to eliminate or reduce the task of distributing CA certificates

throughout the security zones in a network.

Private keys, public keys, and digital certificates

Keys, digital certificates, and trusted certificate authorities are used to establish and

verify the identities of applications.

SSL uses public key encryption technology for authentication. In public key

encryption, a public key and a private key are generated for an application. Data

encrypted with the public key can only be decrypted using the corresponding

private key. Similarly, the data encrypted with the private key can only be

decrypted using the corresponding public key. The private key is

password-protected in a key database file so that only the owner can access the

private key to decrypt messages that are encrypted using the corresponding public

key.

A signed digital certificate is an industry-standard method of verifying the

authenticity of an entity, such as a server, client, or application. In order to ensure

maximum security, a certificate is issued by a third-party certificate authority. A

certificate contains the following information to verify the identity of an entity:

Organizational information

This section of the certificate contains information that uniquely identifies

the owner of the certificate, such as organizational name and address. You

supply this information when you generate a certificate using a certificate

management utility.

Public key

The receiver of the certificate uses the public key to decipher encrypted

text sent by the certificate owner to verify its identity. A public key has a

corresponding private key that encrypts the text.

Certificate authority’s distinguished name

The issuer of the certificate identifies itself with this information.

Digital signature

The issuer of the certificate signs it with a digital signature to verify its

authenticity. This signature is compared to the signature on the

corresponding CA certificate to verify that the certificate originated from a

trusted certificate authority.

Web browsers, servers, and other SSL-enabled applications generally accept as

genuine any digital certificate that is signed by a trusted certificate authority and is

otherwise valid. For example, a digital certificate can be invalidated because it has

expired or the CA certificate used to verify it has expired, or because the

distinguished name in the digital certificate of the server does not match the

distinguished name specified by the client.

Self-signed certificates

You can use self-signed certificates to test an SSL configuration before you create

and install a signed certificate issued by a certificate authority. A self-signed

certificate contains a public key, information about the owner of the certificate, and

the owner’s signature. It has an associated private key, but it does not verify the

origin of the certificate through a third-party certificate authority. Once you

generate a self-signed certificate on an SSL server application, you must extract it

and add it to the certificate registry of the SSL client application.

This procedure is the equivalent of installing a CA certificate that corresponds to a

server certificate. However, you do not include the private key in the file when

you extract a self-signed certificate to use as the equivalent of a CA certificate.

Use a key management utility to generate a self-signed certificate and a private

key, to extract a self-signed certificate, and to add a self-signed certificate.

Where and how you choose to use self-signed certificates depends on your security

requirements. In order to achieve the highest level of authentication between

critical software components, do not use self-signed certificates, or use them

selectively. For example, you can choose to authenticate applications that protect

server data with signed digital certificates, and use self-signed certificates to

authenticate Web browsers or Tivoli Identity Manager adapters.

If you are using self-signed certificates, in the following procedures you can

substitute a self-signed certificate for a certificate and CA certificate pair.

Certificate and key formats

Certificates and keys are stored in files with the following formats:

.pem format

A privacy-enhanced mail (.pem) format file begins and ends with the

following lines:

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

A .pem file format supports multiple digital certificates, including a

certificate chain. If your organization uses certificate chaining, use this

format to create CA certificates.

.arm format

An .arm file contains a base-64 encoded ASCII representation of a

certificate, including its public key, but not its private key. An .arm file

format is generated and used by the IBM Key Management utility.

.der format

A .der file contains binary data. A .der file can only be used for a single

certificate, unlike a .pem file, which can contain multiple certificates.

.pfx format (PKCS12)

A PKCS12 file is a portable file that contains a certificate and a

corresponding private key. This format is useful for converting from one

type of SSL implementation to a different implementation. For example,

you can create and export a PKCS12 file using the IBM Key Management

utility, then import the file to another machine using the CertTool utility.
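The framing differences between these formats, and the rule from the self-signed certificates section that a certificate extracted for use as a CA certificate must not include the private key, can be checked mechanically. The following Python is an added example, not part of the original guide or of CertTool; the function names and the stub byte strings are constructed for illustration, and the check looks only at file framing, not at certificate contents.

```python
import base64
import binascii
import re

# One PEM block: BEGIN line, base64 body, END line carrying the same label.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)


def split_der(data):
    """Return (total_size, content) of the outer DER SEQUENCE, or None if malformed."""
    if len(data) < 2 or data[0] != 0x30:        # 0x30 = SEQUENCE tag
        return None
    if data[1] < 0x80:                          # short form: one length byte
        header, length = 2, data[1]
    else:                                       # long form: next n bytes hold the length
        n = data[1] & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return None
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return header + length, data[header:header + length]


def is_single_der(data):
    """True when data is exactly one complete DER SEQUENCE with no trailing bytes."""
    parsed = split_der(data)
    return parsed is not None and parsed[0] == len(data)


def inspect_cert_file(data):
    """Classify file bytes as 'pem', 'pkcs12', 'der' or 'unknown'."""
    blocks = PEM_BLOCK.findall(data)
    if blocks:
        labels, malformed = [], 0
        for label, body in blocks:
            labels.append(label.decode("ascii"))
            try:
                der = base64.b64decode(b"".join(body.split()), validate=True)
            except binascii.Error:
                der = b""
            if not is_single_der(der):          # a PEM body is base64 of one DER object
                malformed += 1
        return {"format": "pem", "labels": labels, "malformed": malformed}
    if is_single_der(data):
        content = split_der(data)[1]
        # A PFX (PKCS12) structure opens with its version field, INTEGER 3.
        if content[:3] == b"\x02\x01\x03":
            return {"format": "pkcs12", "labels": [], "malformed": 0}
        return {"format": "der", "labels": [], "malformed": 0}
    return {"format": "unknown", "labels": [], "malformed": 0}


def shareable_as_ca_cert(data):
    """Conservative check before handing a file to the SSL client as a CA certificate.

    Returns (ok, reason). Only a PEM file made up entirely of well-formed
    CERTIFICATE blocks passes; binary files are refused because their contents
    cannot be identified from framing alone.
    """
    info = inspect_cert_file(data)
    if info["format"] != "pem":
        return False, f"{info['format']}: contents not identified by a framing check"
    if info["malformed"]:
        return False, "PEM block that is not base64 of one DER object"
    extra = [label for label in info["labels"] if label != "CERTIFICATE"]
    if extra:
        return False, "non-certificate blocks present: " + ", ".join(extra)
    return True, f"{len(info['labels'])} certificate block(s), no other block types"


def to_pem(label, der):
    """Wrap DER bytes in PEM armor with the given label."""
    body = base64.encodebytes(der).decode("ascii")
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n".encode("ascii")


# Constructed stubs: structurally valid DER, but NOT real certificates or keys.
CERT_STUB = b"\x30\x04\x30\x02\x05\x00"   # SEQUENCE { SEQUENCE { NULL } }
KEY_STUB = b"\x30\x03\x02\x01\x00"        # SEQUENCE { INTEGER 0 }
PFX_STUB = b"\x30\x03\x02\x01\x03"        # SEQUENCE { INTEGER 3 }
CHAIN_PEM = to_pem("CERTIFICATE", CERT_STUB) * 2
LEAKY_PEM = to_pem("CERTIFICATE", CERT_STUB) + to_pem("RSA PRIVATE KEY", KEY_STUB)

if __name__ == "__main__":
    samples = [("chain.pem", CHAIN_PEM), ("leaky.pem", LEAKY_PEM),
               ("single.der", CERT_STUB), ("two.der", CERT_STUB * 2),
               ("bundle.pfx", PFX_STUB)]
    for name, blob in samples:
        print(name, inspect_cert_file(blob)["format"], shareable_as_ca_cert(blob))
```

Two DER objects concatenated in one file are reported as unknown, which is the single-certificate limit of the .der format described above; the same two objects in PEM armor are accepted as a chain.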

The use of SSL authentication

When you start the adapter, the available connection protocols are loaded. The

DAML protocol is the only available protocol that supports the use of SSL

authentication. You can specify to use the DAML SSL implementation.

The DAML SSL implementation uses a certificate registry to store private keys and

certificates. The location of the certificate registry is managed internally by the

CertTool key and certificate management tool; therefore, you do not specify the

location of the registry when you perform certificate management tasks.

For more information on the DAML protocol, see “Changing protocol

configuration settings” on page 10.

Configuring certificates for SSL authentication

Use the following procedures to configure the adapter for one-way or two-way SSL

authentication using signed certificates. In order to perform these procedures, use

the CertTool utility.

Configuring certificates for one-way SSL authentication

In this scenario, the Tivoli Identity Manager Server and the Tivoli Identity Manager

adapter are set to use SSL. Client authentication is not set on either application.

The Tivoli Identity Manager Server operates as the SSL client and initiates the

connection. The adapter operates as the SSL server and responds by sending its

signed certificate to the Tivoli Identity Manager Server. The Tivoli Identity

Manager Server uses the CA certificate that is installed to validate the certificate

sent by the adapter.

In Figure 2, Application A operates as the Tivoli Identity Manager Server, and

Application B operates as the Tivoli Identity Manager adapter.

In order to configure one-way SSL, perform the following tasks for each

application:

1. On the adapter, complete these steps:

a. Start the CertTool utility.

b. In order to configure the SSL-server application with a signed certificate

issued by a certificate authority:

1) Create a certificate signing request (CSR) and private key. This step

creates the certificate with an embedded public key and a separate

private key and places the private key in the PENDING_KEY registry

value.

2) Submit the CSR to the certificate authority using the instructions

supplied by the CA. When you submit the CSR, specify that you want

the root CA certificate returned with the server certificate.

Figure 2. One-way SSL authentication (server authentication) [diagram labels: Tivoli Identity Manager Server (SSL client), Keystore, CA Certificate A; Tivoli Identity Manager adapter (SSL server), Certificate A; Hello, Send Certificate, Verify]

2. On the Tivoli Identity Manager Server, complete one of these steps:

• If you are configuring the use of a signed certificate issued by a well-known

CA, ensure that the Tivoli Identity Manager Server has stored the root

certificate of the CA (CA certificate) in its keystore. If the keystore does not

contain the CA certificate, extract the CA certificate from the adapter and add

it to the keystore of the server.

• If you are configuring the use of self-signed certificates:

– If you generated the self-signed certificate on the Tivoli Identity Manager

Server, the certificate is already installed in its keystore.

– If you generated the self-signed certificate using the key management

utility of another application, extract the certificate from that application’s

keystore and add it to the keystore of the Tivoli Identity Manager Server.

Configuring certificates for two-way SSL authentication

In this scenario, the Tivoli Identity Manager Server and the Tivoli Identity Manager

adapter are set to use SSL and the adapter is set to use client authentication. After

sending its certificate to the Tivoli Identity Manager Server, the adapter requests

identity verification from the server, which sends its signed certificate to the

adapter. Both applications are configured with signed certificates and

corresponding CA certificates.

In Figure 3, the Tivoli Identity Manager Server operates as Application A, and the

Tivoli Identity Manager adapter operates as Application B.

The following procedure assumes that you have already configured the adapter

and Tivoli Identity Manager Server for one-way SSL authentication using the

procedure described in “Configuring certificates for one-way SSL authentication”

on page 36. Therefore, if you are using signed certificates from a CA:

• The adapter is configured with a private key and a signed certificate that was

issued by a CA.

• The Tivoli Identity Manager Server is configured with the CA certificate of the

CA that issued the signed certificate of the adapter.

In order to complete the certificate configuration for two-way SSL, perform the

following tasks:

Figure 3. Two-way SSL authentication (client authentication) [diagram labels: Tivoli Identity Manager Server (SSL client), Keystore, CA Certificate A, Certificate B; Tivoli Identity Manager adapter (SSL server), Certificate A, CA Certificate B; Hello, Send Certificate A, Send Certificate B, Verify]

1. On the Tivoli Identity Manager Server, create a CSR and private key, obtain a

certificate from a CA, install the CA certificate, install the newly signed

certificate, and extract the CA certificate to a temporary file.

2. On the adapter, add the CA certificate that was extracted from the keystore of

the Tivoli Identity Manager Server to the adapter.

When you have finished the two-way certificate configuration, each application has

its own certificate and private key and the CA certificate of the CA that issued the

certificates for each application.

Configuring certificates when the adapter operates as an SSL

client

In this scenario, the adapter operates as an SSL client in addition to operating as

an SSL server. This scenario applies if the adapter initiates a connection to the Web

server (used by the Tivoli Identity Manager Server) to send an event notification.

For example, the adapter initiates the connection and the Web server responds by

presenting its certificate to the adapter.

Figure 4 illustrates how a Tivoli Identity Manager adapter operates as an SSL server

and an SSL client. When communicating with the Tivoli Identity Manager Server,

the adapter sends its certificate for authentication. When communicating with the

Web server, the adapter receives the certificate of the Web server.

If the Web server is configured for two-way SSL authentication, it verifies the

identity of the adapter, which sends its signed certificate to the Web server (not

shown in the illustration). In order to enable two-way SSL authentication between

the adapter and Web server, use the following procedure:

1. Configure the Web server to use client authentication.

2. Follow the procedure for creating and installing a signed certificate on the Web

server.

3. Install the CA certificate on the adapter using the CertTool utility.

4. Add the CA certificate corresponding to the signed certificate of the adapter to

the Web server.

Figure 4. Tivoli Identity Manager adapter operating as an SSL server and an SSL client [diagram labels: Tivoli Identity Manager Server, Tivoli Identity Manager Adapter, Web server; CA Certificate A, Certificate A, CA Certificate C, Certificate C; Hello]

For more information on configuring certificates when the adapter initiates a

connection to the Web server (used by the Tivoli Identity Manager Server) to send

an event notification, see the Tivoli Identity Manager Information Center.

Managing SSL certificates using CertTool

The procedures in this section describe how to use the CertTool utility to manage

private keys and certificates.

This section includes instructions for performing the following tasks:

• “Starting CertTool”
• “Generating a private key and certificate request”
• “Installing the certificate”
• “Installing the certificate and key from a PKCS12 file”
• “Viewing the installed certificate”
• “Viewing CA certificates”
• “Installing a CA certificate”
• “Deleting a CA certificate”
• “Viewing registered certificates”
• “Registering a certificate”
• “Unregistering a certificate”

Starting CertTool

In order to start the certificate configuration tool, CertTool, for the Oracle Database

Adapter, complete these steps:

1. Select Programs from the Start menu, select Accessories, and then select

Command Prompt.

2. In the Microsoft Windows DOS Command Prompt window, change to the bin

directory for the adapter. For example, if the Oracle Database Adapter directory

is in the default location, type the following command:

cd C:\Tivoli\Agents\OracleAgent\bin

3. Type CertTool -agent OracleAgent at the prompt. The Main Menu is

displayed:

Main menu - Configuring agent: OracleAgent

------------------------------

A. Generate private key and certificate request

B. Install certificate from file

C. Install certificate and key from PKCS12 file

D. View current installed certificate

E. List CA certificates

F. Install a CA certificate

G. Delete a CA certificate

H. List registered certificates

I. Register certificate

J. Unregister a certificate

K. Export certificate and key to PKCS12 file

X. Quit

Choice:

From the Main Menu, you can generate a private key and certificate request, install

and delete certificates, register and unregister certificates, and list certificates. The

following sections summarize the purpose of each group of options.

The first set of options (A through D) allows you to generate a CSR and install the

returned signed certificate on the adapter.

A. Generate private key and certificate request

Generate a CSR and the associated private key that is sent to the certificate

authority. For more information on option A, see “Generating a private key

and certificate request” on page 41.

B. Install certificate from file

Install a certificate from a file. This file must be the signed certificate

returned by the CA in response to the CSR that is generated by option A.

For more information on option B, see “Installing the certificate” on page

42.

C. Install certificate and key from a PKCS12 file

Install a certificate from a PKCS12 format file that includes both the public

certificate and a private key. If options A and B are not used to obtain a

certificate, the certificate that you use must be in PKCS12 format. For more

information on option C, see “Installing the certificate and key from a

PKCS12 file” on page 42.

D. View current installed certificate

View the certificate that is installed on the system. For more information

on option D, see “Viewing the installed certificate” on page 43.

The second set of options (E through G) enables you to install root CA certificates on the adapter.

A CA certificate is used by the Tivoli Identity Manager adapter to validate the

corresponding certificate presented by a client, such as the Tivoli Identity Manager

Server.

E. List CA certificates

Show the installed CA certificates. The adapter only communicates with

Tivoli Identity Manager Servers whose certificates are validated by one of

the installed CA certificates.

F. Install a CA certificate

Install a new CA certificate so that certificates generated by this CA can be

validated. The CA certificate file can either be in X.509 or PEM encoded

formats. For more information on how to install a CA certificate, see

“Installing a CA certificate” on page 43.

G. Delete a CA certificate

Remove one of the installed CA certificates. For more information on how

to delete a CA certificate, see “Deleting a CA certificate” on page 43.

The remaining options (H through K) apply to adapters that must authenticate the

application (for example, the Tivoli Identity Manager Server or the Web server) to

which the adapter is sending information. These options enable you to register

certificates on the adapter. For Tivoli Identity Manager Version 4.5 or earlier, the

signed certificate of the Tivoli Identity Manager Server must be registered with an

adapter to enable client authentication on the adapter. If you do not intend to

upgrade an existing adapter to use CA certificates for client authentication, the

signed certificate presented by the Tivoli Identity Manager Server must be

registered with the adapter.

If you configure the adapter to use event notification, or client authentication is

enabled in DAML, then you must install the CA certificate corresponding to the

signed certificate of the Tivoli Identity Manager Server using the Install a CA

certificate option, option F.

H. List registered certificates

List all registered certificates that will be accepted for communications. For

more information on listing registered certificates, see “Viewing registered

certificates” on page 44.

I. Register a certificate

Register a new certificate. The certificate to be registered must be in Base 64

encoded X.509 format or PEM. For more information on registering

certificates, see “Registering a certificate” on page 44.

J. Unregister a certificate

Unregister (remove) a certificate from the registered list. For more

information on unregistering certificates, see “Unregistering a certificate”

on page 44.

K. Export certificate and key to PKCS12 file

Export a previously installed certificate and private key. You will be

prompted for the filename and a password for encryption. For more

information on exporting a certificate and key to a PKCS12 file, see

“Exporting a certificate and key to PKCS12 file” on page 45.

Generating a private key and certificate request

A certificate signing request is an unsigned certificate that is a text file. When you

submit an unsigned certificate to a certificate authority, the CA signs the certificate

with the private digital signature that is included in their corresponding CA

certificate. When the CSR is signed, it becomes a valid certificate. A CSR contains

information about your organization, such as the organization name, country, and

the public key for your Web server.

In order to generate a CSR file, complete these steps:

1. At the Main Menu of the CertTool, type A. The following message and prompt

are displayed:

Enter values for certificate request (press enter to skip value)

-------------------------------------------------------------------------

2. At the Organization prompt, type your organization name, and press Enter.

3. At the Organizational Unit prompt, type the organizational unit, and press

Enter.

4. At the Agent Name prompt, type the name of the adapter you are requesting

a certificate for, and press Enter.

5. At the Email prompt, type the e-mail address for the contact person for this

request, and press Enter.

6. At the State prompt, type the state in which the adapter resides (if the adapter

is in the United States), and press Enter. Some certificate authorities do not

accept two letter abbreviations for states, so you must type the full name of

the state.

7. At the Country prompt, type the country in which the adapter resides, and

press Enter.

8. At the Locality prompt, type the name of the city in which the adapter

resides, and press Enter.

9. At the Accept these values prompt, type Y to accept the values displayed, or

type N to re-enter the values, and press Enter.

The private key and certificate request are generated once the values are

accepted.

10. At the Enter name of file to store PEM cert request prompt, type the name of

the file that you want to use to store the values you specified during the

previous steps, and press Enter.

11. Press Enter to continue. The certificate request and input values are written to

the file you specified, and the Main Menu is displayed again.

You can now request a certificate from a trusted CA by sending the .pem file that

you just generated to a certificate authority vendor.

Example of certificate signing request

Your CSR file will look similar to the following example:

-----BEGIN CERTIFICATE REQUEST-----

-----END CERTIFICATE REQUEST-----

Installing the certificate

Once you receive your certificate from your trusted CA, you install it in the

registry of the adapter. In order to install the certificate, complete these steps:

1. If you received the certificate as part of an e-mail message, copy the text of the

certificate to a text file, and copy that file to the bin directory for the adapter.

For example,

C:\Tivoli\Agents\OracleAgent\bin

2. At the Main Menu of the CertTool, type B. The following prompt is displayed:

Enter name of certificate file:

-------------------------------------------------------------------------

3. At the Enter name of certificate file prompt, type the full path to the

certificate file, and press Enter.

The certificate is installed in the registry for the adapter, and the Main Menu is

displayed again.

Installing the certificate and key from a PKCS12 file

If you do not use the CertTool utility to generate a CSR to obtain a certificate, you

must install both the certificate and private key, which must be stored in a PKCS12

file. The CA might send a password-protected file, or PKCS12 file (a file with the

.pfx extension), which includes both the certificate and private key. In order to

install the certificate from this PKCS12 file, complete these steps:

1. Copy the PKCS12 file to the bin directory for the adapter. For example,

C:\Tivoli\Agents\OracleAgent\bin

2. At the Main Menu for the CertTool, type C. The following prompt is displayed:

Enter name of PKCS12 file:

-------------------------------------------------------------------------

3. At the Enter name of PKCS12 file prompt, type the name of the PKCS12 file

that has the certificate and private key information, and press Enter. For

example, DamlSrvr.pfx.

4. At the Enter password prompt, type the password to access the file, and press

Enter.

The certificate and private key are installed in the adapter registry, and the Main

Menu is displayed.

Viewing the installed certificate

In order to list the certificate that is installed on your system, at the Main Menu of

CertTool, type D.

The installed certificate is listed, and the Main Menu is displayed. The following

example lists an installed certificate:

The following certificate is currently installed.

Subject: c=US,st=California,l=Irvine,o=DAML,cn=DAML Server

Installing a CA certificate

If you are using client authentication, you need to install a CA certificate. The CA

certificate you install is issued by a certificate authority vendor.

In order to install a CA certificate that was extracted into a temporary file,

complete the following steps:

1. At the Main Menu prompt, type F (Install a CA certificate).

The following prompt is displayed:

Enter name of certificate file:

2. At the Enter name of certificate file prompt, type the name of the certificate

file, such as DamlCACerts.pem, and press Enter.

The certificate file is opened, and the following prompt is displayed:

[email protected],c=US,st=California,l=Irvine,o=IBM,ou=Engineering,cn=Eng

Install the CA? (Y/N)

3. At the Install the CA prompt, type Y to install the certificate, and press Enter.

The certificate file is installed in the CACerts.pem file.

Viewing CA certificates

CertTool only installs one certificate and one private key. In order to list the CA

certificate that is installed on the adapter, type E at the Main Menu prompt.

The installed CA certificates are displayed and the Main Menu is displayed. The

following example lists an installed CA certificate:

Subject: o=IBM,ou=SampleCACert,cn=TestCA

Valid To: Wed Jul 26 23:59:59 2006
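Because an expired CA certificate invalidates the certificates it is used to verify, the Valid To line in this listing is worth checking on a schedule. The following Python is an added example, not part of the guide or of CertTool: it assumes the option E listing has been saved as text in the two-line layout shown above, treats the timestamp as a naive time (the guide does not state a time zone), and uses a constructed second entry.

```python
from datetime import datetime, timedelta

# First entry is the listing shown in the guide; the second is constructed.
SAMPLE_OUTPUT = """\
Subject: o=IBM,ou=SampleCACert,cn=TestCA
Valid To: Wed Jul 26 23:59:59 2006
Subject: o=Example,ou=PKI,cn=Example Root
Valid To: Fri Dec 31 23:59:59 2010
"""


def parse_dn(dn):
    """Split a subject such as 'o=IBM,ou=X,cn=Y' into {attribute: [values]}.

    Assumption: values contain no escaped commas, as in the guide's examples.
    """
    parts = {}
    for rdn in dn.split(","):
        key, _, value = rdn.partition("=")
        parts.setdefault(key.strip().lower(), []).append(value.strip())
    return parts


def parse_ca_listing(text):
    """Pair each 'Subject:' line with the 'Valid To:' line that follows it."""
    entries, subject = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Subject:"):
            subject = line[len("Subject:"):].strip()
        elif line.startswith("Valid To:") and subject is not None:
            stamp = line[len("Valid To:"):].strip()
            expires = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
            entries.append({"subject": subject, "dn": parse_dn(subject),
                            "expires": expires})
            subject = None
    return entries


def expiry_report(text, now, warn_days=30):
    """Return (common name, status, whole days remaining) for each CA certificate."""
    report = []
    for entry in parse_ca_listing(text):
        remaining = entry["expires"] - now
        if remaining < timedelta(0):
            status = "expired"
        elif remaining <= timedelta(days=warn_days):
            status = "expiring"
        else:
            status = "ok"
        name = entry["dn"].get("cn", [entry["subject"]])[0]
        report.append((name, status, remaining.days))
    return report


if __name__ == "__main__":
    for name, status, days in expiry_report(SAMPLE_OUTPUT, datetime(2006, 7, 1)):
        print(f"{name}: {status} ({days} days)")
```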

Deleting a CA certificate

In order to delete a CA certificate from the adapter directories, complete the

following steps:

1. At the Main Menu prompt, type G.

A list of all CA certificates installed on the adapter is displayed.

0 - [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Engineering,cn=Eng

1 - [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Support,cn=Support

Enter number of CA certificate to remove:

2. At the Enter number of CA certificate to remove prompt, type the number of

the CA certificate that you want to remove, and press Enter.

The CA certificate is deleted from the CACerts.pem file, and the Main Menu is

displayed.

Viewing registered certificates

Only requests that present a registered certificate will be accepted by the adapter

when client validation is enabled.

In order to view a list of all registered certificates available to the adapter, at the

Main Menu prompt, type H.

The registered certificates are displayed and the Main Menu is displayed. The

following example lists registered certificates:

0 - [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Engineering,cn=Eng

1 - [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Support,cn=Support

Registering a certificate

In order to register a certificate for the adapter, complete the following steps:

1. At the Main Menu prompt, type I.

The following prompt is displayed:

Enter name of certificate file:

2. At the Enter name of certificate file prompt, type the name of the certificate

file that you want to register, and press Enter.

The subject of the certificate is displayed, and a prompt is displayed, for

example:

[email protected],c=US,st=California,l=Irvine,o=IBM,ou=Engineering,cn=Eng

Register this CA? (Y/N)

3. At the Register this CA prompt, type Y to register the certificate, and press

Enter.

The certificate is registered to the adapter, and the Main Menu is displayed.

Unregistering a certificate

In order to unregister a certificate for the adapter, complete the following steps:

1. At the Main Menu prompt, type J.

The registered certificates are displayed. The following example lists registered

certificates:

0 - [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Engineering,cn=Eng

1 - [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Support,cn=Support

2. Type the number of the certificate file that you want to unregister, and press

Enter.

The subject of the selected certificate is displayed, and a prompt is displayed,

for example:

[email protected],c=US,st=California,l=Irvine,o=IBM,ou=Engineering,cn=Eng

Unregister this CA? (Y/N)

3. At the Unregister this CA prompt, type Y to unregister the certificate, and

press Enter.

The certificate is removed from the registered certificate list for the adapter, and

the Main Menu is displayed.


Exporting a certificate and key to PKCS12 file

In order to export a certificate and key to a PKCS12 file for the adapter, complete

the following steps:

1. At the Main Menu prompt, type K.

The following prompt is displayed:

Enter name of PKCS12 file:

2. At the Enter name of PKCS12 file prompt, type the name of the PKCS12 file

for the installed certificate or private key, and press Enter.

3. At the Enter Password prompt, type the password for the PKCS12 file, and

press Enter.

4. At the Confirm Password prompt, type the password again, and press Enter.

The certificate or private key is exported to the PKCS12 file, and the Main

Menu is displayed.


Chapter 6. Customizing the Oracle Database adapter

You can update the Oracle Database Adapter JAR file, OracleProfile.jar, to make

changes to the adapter schema, account form, service form, and profile properties.

In order to make such updates, you must extract the files from the JAR file, make

changes to the necessary files, and repackage the JAR file with the updated files.

Complete these steps to customize the Oracle Database Adapter profile:

1. Copy the JAR file to a temporary directory and extract the files. For more

information on extracting the files, see “Copy the OracleProfile.jar file and

extract the files.”

2. Make the appropriate file changes.

3. Install the new attributes on the Tivoli Identity Manager Server. For more

information on updating this file, see “Create a new JAR file and install the

new attributes on the Tivoli Identity Manager Server” on page 48.

Copy the OracleProfile.jar file and extract the files

The profile JAR file, OracleProfile.jar, is included in the Oracle Database Adapter

compressed file that you downloaded from the IBM Web site. The OracleProfile.jar

file contains the following files:

• CustomLabels.properties
• erOracleAccount.xml
• erOracleDAMLService.xml
• resource.def
• schema.dsml
• xforms.xml

You can modify these files to customize your environment.

When you finish updating the profile JAR file, install it on the Tivoli Identity

Manager Server. For more information on the profile installation, see “Importing

the adapter profile into the Tivoli Identity Manager Server” on page 6.

In order to modify the OracleProfile.jar file, complete the following steps:

1. Log on to the system where the Oracle Database Adapter is installed.

2. On the Start menu, click Programs → Accessories → Command Prompt.

3. Copy the OracleProfile.jar file into a temporary directory.

4. Extract the contents of the OracleProfile.jar file into the temporary directory by running the following command:

cd c:\temp

jar -xvf OracleProfile.jar

The jar command will create the c:\temp\OracleProfile directory.

5. Edit the appropriate file.


Create a new JAR file and install the new attributes on the Tivoli

Identity Manager Server

Once you modify the schema.dsml and CustomLabels.properties files, you must

import these files, and any other files that were modified for the adapter, into the

Tivoli Identity Manager Server for the changes to take effect.

In order to install the new attributes, complete the following steps:

1. Create a new JAR file using the files in the \temp directory by running the

following commands:

cd c:\temp

jar -cvf OracleProfile.jar OracleProfile

2. Import the OracleProfile.jar file into the Tivoli Identity Manager Application

Server. For more information on importing the file, see “Importing the adapter

profile” on page 6.

3. Stop and start the directory server.

4. Stop and start the Oracle Database Adapter service for the changes to take

effect.

Managing passwords when restoring accounts

When a person’s accounts are restored from being previously suspended, you are

prompted to supply a new password for the reinstated accounts. However, there

are circumstances when you might want to circumvent this behavior.

The password requirement to restore an account on Oracle database falls into two

categories: allowed and required. How each restore action interacts with its

corresponding managed resource depends on either the managed resource, or the

business processes that you implement. Certain resources will reject a password

when a request is made to restore an account. In this case, you can configure Tivoli

Identity Manager to forego the new password requirement. You can set the Oracle

Database Adapter to require a new password when the account is restored, if your

company has a business process in place that dictates that the account restoration

process must be accompanied by resetting the password.

In the resource.def file, you can define whether or not a password is required as a

new protocol option. When you import the adapter profile, if an option is not

specified, the adapter profile importer determines the correct restoration password

behavior from the schema.dsml and xforms.xml files. Adapter profile components

also enable remote services to find out if you discard a password that is entered by

the user in a situation where multiple accounts on disparate resources are being

restored. In this scenario, only some of the accounts being restored might require a

password. Remote services will discard the password from the restore action for

those managed resources that do not require them.

In order to configure the Oracle Database Adapter to not prompt for a new

password when restoring accounts:

1. Stop the Tivoli Identity Manager Server.

2. Extract the files from the OracleProfile.jar file. For more information on

customizing the adapter profile file, see “Copy the OracleProfile.jar file and

extract the files” on page 47.

3. Change to the \OracleProfile directory, where the resource.def file has been

created.


4. Edit the resource.def file to add the new protocol options, for example:

<Property Name = "com.ibm.itim.remoteservices.ResourceProperties.PASSWORD_NOT_REQUIRED_ON_RESTORE" Value = "TRUE"/>

<Property Name = "com.ibm.itim.remoteservices.ResourceProperties.PASSWORD_NOT_ALLOWED_ON_RESTORE" Value = "FALSE"/>

By adding the two options in the example above, you are ensuring that you

will not be prompted for a password when an account is restored.

5. Create a new OracleProfile.jar file using the resource.def file and import the

adapter profile file into the Tivoli Identity Manager Server. For more

information, refer to “Create a new JAR file and install the new attributes on

the Tivoli Identity Manager Server” on page 48.

6. Start the Tivoli Identity Manager Server again.

Note: If you are upgrading an existing adapter profile, the new adapter profile

schema will not be reflected immediately. You need to stop and start the

Tivoli Identity Manager Server in order to refresh the cache and therefore

the adapter schema. For more information on upgrading an existing adapter,

see “Upgrading the Oracle Database adapter” on page 51.
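The following pre-import check is an added example, not code from IBM or the adapter package. It confirms that a repackaged OracleProfile.jar holds the six profile files under OracleProfile/ and reports which restore-password behaviour its resource.def requests. The wrapper elements in the constructed sample resource.def, the function names, and the result labels are assumptions.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# The six files the guide lists as the contents of OracleProfile.jar.
EXPECTED_FILES = {
    "CustomLabels.properties", "erOracleAccount.xml", "erOracleDAMLService.xml",
    "resource.def", "schema.dsml", "xforms.xml",
}
PREFIX = "com.ibm.itim.remoteservices.ResourceProperties."
NOT_REQUIRED = PREFIX + "PASSWORD_NOT_REQUIRED_ON_RESTORE"
NOT_ALLOWED = PREFIX + "PASSWORD_NOT_ALLOWED_ON_RESTORE"


def restore_password_options(resource_def_bytes):
    """Return (found, malformed): restore options set in resource.def, and
    property names that only match once embedded whitespace is removed."""
    root = ET.fromstring(resource_def_bytes)
    found, malformed = {}, []
    for elem in root.iter():
        if not isinstance(elem.tag, str) or elem.tag.rsplit("}", 1)[-1] != "Property":
            continue
        name = (elem.get("Name") or "").strip()
        squeezed = "".join(name.split())
        if name in (NOT_REQUIRED, NOT_ALLOWED):
            found[name] = (elem.get("Value") or "").strip().upper()
        elif squeezed in (NOT_REQUIRED, NOT_ALLOWED):
            # Typical cause: the name was pasted with the line wrap of the printed guide.
            malformed.append(squeezed)
    return found, malformed


def classify_restore_behaviour(options):
    """Map the option values to a label (labels are this example's own)."""
    if not options:
        # Per the guide, the importer then decides from schema.dsml and xforms.xml.
        return "unspecified"
    if options.get(NOT_REQUIRED) == "TRUE" and options.get(NOT_ALLOWED) == "FALSE":
        return "no-password-prompt"  # the combination shown in the guide
    return "review"  # any other combination: have a person confirm the intent


def check_profile_jar(jar_file):
    """jar_file is a path or file-like object. Returns (problems, behaviour)."""
    problems, behaviour = [], None
    with zipfile.ZipFile(jar_file) as jar:
        profile = {}
        for entry in jar.namelist():
            if entry.endswith("/") or entry.startswith("META-INF/"):
                continue  # directory entries and the manifest that jar adds
            parts = entry.split("/")
            if len(parts) != 2 or parts[0] != "OracleProfile":
                problems.append("unexpected entry: " + entry)
                continue
            profile[parts[1]] = entry
        for name in sorted(EXPECTED_FILES - set(profile)):
            problems.append("missing file: " + name)
        for name in sorted(set(profile) - EXPECTED_FILES):
            problems.append("file not listed in the guide: " + name)
        if "resource.def" in profile:
            try:
                found, malformed = restore_password_options(jar.read(profile["resource.def"]))
            except ET.ParseError as exc:
                problems.append("resource.def is not well-formed XML: %s" % exc)
            else:
                for name in malformed:
                    problems.append("property name contains whitespace: " + name)
                behaviour = classify_restore_behaviour(found)
    return problems, behaviour


# Constructed sample input; the <Resource>/<ProtocolProperties> wrappers are assumed.
SAMPLE_NO_PROMPT = (
    '<Resource>\n <ProtocolProperties>\n'
    '  <Property Name = "%s" Value = "TRUE"/>\n'
    '  <Property Name = "%s" Value = "FALSE"/>\n'
    ' </ProtocolProperties>\n</Resource>' % (NOT_REQUIRED, NOT_ALLOWED)
).encode()
# Same file with the first property name broken across two lines.
SAMPLE_WRAPPED = SAMPLE_NO_PROMPT.replace(b"ResourceProperties.", b"ResourceProperties.\n", 1)


def build_sample_jar(resource_def_bytes, omit=()):
    """In-memory JAR laid out as `jar -cvf OracleProfile.jar OracleProfile` lays it out."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n")
        for name in sorted(EXPECTED_FILES - set(omit)):
            data = resource_def_bytes if name == "resource.def" else b"placeholder"
            jar.writestr("OracleProfile/" + name, data)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for label, sample in (("documented", SAMPLE_NO_PROMPT), ("wrapped", SAMPLE_WRAPPED)):
        print(label, check_profile_jar(build_sample_jar(sample)))
```

Run it against the JAR produced by the repackaging step before importing the profile; a "no-password-prompt" result means restored accounts will come back with their previous passwords.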


Chapter 7. Upgrading the Oracle Database adapter or the ADK

You can either upgrade the Oracle Database Adapter or the Adapter Development

Kit (ADK). The ADK is the base component of the adapter. While all adapters have

the same ADK, the remaining adapter functionality is specific to the managed

resource.

You can perform an adapter upgrade to migrate your current adapter installation

to a newer version, for example version 4.4 to version 4.6. Upgrading the adapter,

as opposed to reinstalling it, will allow you to keep your configuration settings.

Additionally, you will not have to uninstall the current adapter and install the

newer version.

However, if a code fix has been made to the ADK, instead of upgrading the entire

adapter, you can upgrade just the ADK to the newer version.

Upgrading the Oracle Database adapter

During an upgrade, in order to maintain all of your current configuration settings,

as well as the certificate and private key, do not uninstall the old version of the

adapter before installing the new version. During the install, specify the same

installation directory where the previous adapter was installed. For more

information on how to install the adapter, see Chapter 2, “Installing and

configuring the Oracle Database adapter,” on page 3.

If you currently have version 4.4 or 4.5 of the Oracle Database Adapter installed,

and you want version 4.6, an upgrade of the adapter is necessary. Upgrading the

adapter involves several steps that you must complete in the appropriate sequence.

In order to upgrade an existing adapter, complete the following steps:

1. Stop the Oracle Database Adapter service.

2. Install the new version of the adapter.

When the upgraded adapter starts for the first time, new log files will be created,

replacing the old files.

Upgrading the ADK

The ADK consists of the runtime library, filtering and event notification

functionality, protocol settings, and logging information. The remainder of the

adapter is comprised of the Add, Modify, Delete, and Search functions. While all

adapters have the same ADK, the remaining functionality is specific to the

managed resource.

You can use the ADK upgrade program to update the ADK portion of the adapters

that are currently installed on a machine. This allows you to install just the ADK,

and not the entire adapter. As part of the ADK upgrade, the ADK library and the

DAML protocol library are updated. In addition, the agentCfg and CertTool

binaries are updated.


Prior to upgrading the ADK files, the upgrade program checks the current version

of the ADK. If the current level is higher than what you are attempting to install, a

warning message is displayed.

In order to upgrade the Oracle Database Adapter ADK, complete the following

steps:

1. Download the ADK upgrade program compressed file from the IBM Web site.

2. Extract the contents of the compressed file into a temporary directory.

3. Stop the Oracle Database Adapter service.

4. Start the upgrade program using the adkinst_win32.exe file in the temporary

directory. For example, select Run from the Start menu, and type

C:\TEMP\adkinst_win32.exe in the Open field.

If no adapter is installed, you will receive the following error message, and the

program exits:

No Agent Installed - Cannot Install ADK.

5. On the Welcome window, click Next.

6. On the Software License Agreement window, review the license agreement and

decide if you accept the terms of the license. If you do, click Accept.

7. On the Installation Information window, click Next to begin the installation.

8. On the Install Completed window, click Finish to exit the program.

Log files

Logging entries are stored in the <ADKVersion>Installer.log and

<ADKVersion>Installeropt.log files, where <ADKVersion> is the version of the ADK.

For example, ADK46Installer.log and ADK46Installeropt.log. These files are

created in the folder where you run the installation program.


Chapter 8. Uninstalling the Oracle Database adapter

Before you remove the adapter, inform your users that the Oracle Database

Adapter will be unavailable and removed from the system. If the server is taken

offline, Oracle Database Adapter requests that are not completed will not be

recoverable when the server is back online.

In order to remove the Oracle Database Adapter, complete these steps:

1. Stop the Oracle Database Adapter service.

2. Open Windows Explorer and run <adapter_directory>\_uninst\uninstaller.exe,

where adapter_directory is the directory where the adapter was installed.

3. In the Welcome window, click Next.

4. In the Oracle Database Adapter uninstallation summary window, click Next.

5. Click Finish.

Inspect the adapter directory for Oracle Database Adapter directories,

subdirectories, and files to verify that the uninstallation is complete. The

instance of the Oracle Database Adapter that was uninstalled should no longer

appear in the Services window.


Appendix A. Adapter attributes

As part of the adapter implementation, a dedicated account for Tivoli Identity

Manager to access the Oracle database is created on the Oracle database. The

Oracle Database Adapter consists of files and directories that are owned by the

Tivoli Identity Manager account. These files establish communication with the

Tivoli Identity Manager Server.

Attribute descriptions

The Tivoli Identity Manager Server communicates with the Oracle Database

Adapter using attributes that are included in transmission packets that are sent

over a network. The combination of attributes, included in the packets, depends on

the type of action that the Tivoli Identity Manager Server requests from the Oracle

Database Adapter.

Table 14 is an alphabetical listing of the attributes that are used by the Oracle

Database Adapter. The table gives a brief description and the data type for the

value of the attribute.

Table 14. Attributes, descriptions, and data types.

| Directory server attribute | Description | Data type |
| --- | --- | --- |
| erOracleAuthenticationType | Specifies how the user is authenticated by the Oracle Database. There are three authentication methods: LOCAL (user authentication is performed by the local Oracle databases), EXTERNAL (user authentication is performed by the Operating System), GLOBAL (user authentication is performed by the Network). | String |
| erOracleExpirePwd | Specifies when the password expires. If set to true, the account password expires immediately. | Boolean |
| erOracleGlobalName | Specifies the external name if authentication is set to GLOBAL. | String |
| erPassword | Specifies the password for the user. | Binary |
| erOracleProfile | Specifies the name of the user profile. | String |
| erOracleTblSpcQuota | Specifies the amount of space allocated for the user in a tablespace. Accepted forms: xM on <tablespace name>, xK on <tablespace name>, x on <tablespace name>, UNLIMITED on <tablespace name>, where x is a numeric value > 0, M is for megabyte, K is for kilobyte, and UNLIMITED is for no limit. Any valid tablespace name defined in the Oracle database. | String |
| erOracleRole | Specifies the role assigned to the user. Any valid role defined in the Oracle Database. | String |
| erOracleServiceName | Specifies the Oracle service name, which is defined by the Oracle Client Network Configuration. The adapter uses this value to connect to the Oracle Database. | String |
| erOracleSysPriv | Specifies if a user has the right to perform a particular database operation or class of database operations. Any valid System Privilege defined in the Oracle database. | String |
| erOracleDefaultTableSpace | Specifies the default name for the table space allocated for the user. | String |
| erOracleTemporaryTableSpace | Specifies the name of the temporary table space allocated for the user. | String |
| erUid | Specifies the user ID. The user ID must be created based on the rules described in the Oracle SQL Reference. | String |

Attributes by Oracle Database Adapter actions

The following lists are typical Oracle Database Adapter actions by their functional

transaction group. The lists include more information about required and optional

attributes sent to the Oracle Database Adapter to complete that action.


Database Login Add

A System Login Add is a request to create a new user account in the domain with

the specified attributes.

Table 15. Add request attributes

Required attribute Optional attribute

erUid

erOracleServiceName

erOracleAuthenticationType

erOracleExpirePwd

erOracleGlobalName

erPassword

erOracleProfile

erOracleTblSpcQuota

erOracleRole

erOracleSysPriv

erOracleDefaultTableSpace

erOracleTemporaryTableSpace

Database Login Change

A System Login Change is a request to change one or more attributes for the

specified users.

Table 16. Change request attributes

Required attribute Optional attribute

erUid

erOracleServiceName

erOracleAuthenticationType

erOracleExpirePwd

erOracleGlobalName

erPassword

erOracleProfile

erOracleTblSpcQuota

erOracleRole

erOracleSysPriv

erOracleDefaultTableSpace

erOracleTemporaryTableSpace

Database Login Delete

A System Login Delete is a request to remove the specified user from the Active

Directory.


Table 17. Delete request attributes

| Required attribute | Optional attribute |
| --- | --- |
| erUid, erOracleServiceName | None |

Database Login Suspend

A System Login Suspend is a request to disable a user account. The user is neither

removed nor are their attributes modified.

Table 18. Suspend request attributes

| Required attribute | Optional attribute |
| --- | --- |
| erUid, erOracleServiceName, erAccountStatus | None |

Database Login Restore

A System Login Restore is a request to activate a user account that was previously

suspended. Once an account is restored, the user can access the system with the

same attributes as those before the Suspend function was called.

Table 19. Restore request attributes

| Required attribute | Optional attribute |
| --- | --- |
| erUid, erOracleServiceName, erAccountStatus | None |

Reconciliation

The Reconciliation request synchronizes user account information between Tivoli

Identity Manager and the adapter.

Table 20. Reconciliation request attributes

| Required attribute | Optional attribute |
| --- | --- |
| erOracleServiceName | None |
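The validator below is an added example, not part of the adapter or of Tivoli Identity Manager. It checks a request's attributes against the value formats in Table 14 and the required attributes in Tables 17 to 20 before the request is submitted. Assumptions: the function names, the lowercase action names, the tablespace-name pattern (an unquoted identifier of up to 30 characters), integer quota sizes, and treating erOracleGlobalName as needed for GLOBAL authentication.

```python
import re

AUTH_TYPES = {"LOCAL", "EXTERNAL", "GLOBAL"}  # Table 14

# Required attributes per action, from Tables 17 to 20.
# Add and Change requests get value-format checks only in this example.
REQUIRED = {
    "delete": {"erUid", "erOracleServiceName"},
    "suspend": {"erUid", "erOracleServiceName", "erAccountStatus"},
    "restore": {"erUid", "erOracleServiceName", "erAccountStatus"},
    "reconciliation": {"erOracleServiceName"},
}

# "xM on <ts>", "xK on <ts>", "x on <ts>" or "UNLIMITED on <ts>" (Table 14).
# Assumption: <ts> is an unquoted identifier: a letter, then letters, digits, _ $ #.
_QUOTA = re.compile(
    r"(?:(?P<size>[0-9]+)(?P<unit>[MK]?)|(?P<unlimited>UNLIMITED))"
    r" on (?P<ts>[A-Za-z][A-Za-z0-9_$#]{0,29})"
)


def parse_quota(value):
    """Return (amount, unit, tablespace); amount and unit are None for UNLIMITED,
    unit is None when no M or K suffix is given. Raises ValueError otherwise."""
    match = _QUOTA.fullmatch(value.strip())
    if match is None:
        raise ValueError("not a valid quota string: %r" % value)
    if match.group("unlimited"):
        return (None, None, match.group("ts"))
    amount = int(match.group("size"))
    if amount <= 0:
        raise ValueError("quota must be greater than 0: %r" % value)
    return (amount, match.group("unit") or None, match.group("ts"))


def validate_request(action, attrs):
    """Return a list of problems for the given action and attribute dict."""
    problems = []
    for name in sorted(REQUIRED.get(action, set()) - set(attrs)):
        problems.append("missing required attribute: " + name)

    auth = attrs.get("erOracleAuthenticationType")
    if auth is not None:
        if auth not in AUTH_TYPES:
            problems.append("erOracleAuthenticationType must be LOCAL, EXTERNAL or GLOBAL")
        elif auth == "GLOBAL" and not attrs.get("erOracleGlobalName"):
            # Inferred from Table 14: the global name applies when authentication is GLOBAL.
            problems.append("erOracleGlobalName is needed when authentication is GLOBAL")

    expire = attrs.get("erOracleExpirePwd")
    if expire is not None and str(expire).lower() not in ("true", "false"):
        problems.append("erOracleExpirePwd must be a Boolean")

    quotas = attrs.get("erOracleTblSpcQuota", [])
    if isinstance(quotas, str):
        quotas = [quotas]
    for quota in quotas:
        try:
            parse_quota(quota)
        except ValueError as exc:
            problems.append("erOracleTblSpcQuota: %s" % exc)
    return problems


if __name__ == "__main__":
    # Constructed sample request.
    print(validate_request("suspend", {"erUid": "jdoe", "erOracleServiceName": "ORCL"}))
```

Rejecting quota strings that do not match the documented forms keeps free-form text out of a value that describes database storage limits.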


Appendix B. Support information

This section describes the following options for obtaining support for IBM

products:

• “Searching knowledge bases”
• “Obtaining fixes” on page 60
• “Contacting IBM Software Support” on page 60

Searching knowledge bases

If you have a problem with your IBM software, you want it resolved quickly. Begin

by searching the available knowledge bases to determine whether the resolution to

your problem is already documented.

Search the information center on your local system or

network

IBM provides extensive documentation that can be installed on your local

computer or on an intranet server. You can use the search function of this

information center to query conceptual information, instructions for completing

tasks, reference information, and support documents.

Search the Internet

If you cannot find an answer to your question in the information center, search the

Internet for the latest, most complete information that might help you resolve your

problem. To locate Internet resources for your product, open one of the following

Web sites:

• IBM Tivoli Identity Manager Performance Tuning Guide
  Provides information needed to tune Tivoli Identity Manager Server for a production environment, available on the Web at:
  http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
  Click the I character in the A-Z product list, and then, click the Tivoli Identity Manager link. Browse the information center for the Technical Supplements section.
• Redbooks and white papers are available on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliIdentityManager.html
  Browse to the Self Help section, in the Learn category, and click the Redbooks link.
• Technotes are available on the Web at:
  http://www.redbooks.ibm.com/redbooks.nsf/tips/
• Field guides are available on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html
• For an extended list of other Tivoli Identity Manager resources, search the following IBM developerWorks Web address:
  http://www.ibm.com/developerworks/


Obtaining fixes

A product fix might be available to resolve your problem. You can determine what

fixes are available for your IBM software product by checking the product support

Web site:

1. Go to the IBM Software Support Web site

(http://www.ibm.com/software/support).

2. Under Products support pages A to Z, select the letter for your product name.

3. In the list of specific products, click IBM Tivoli Identity Manager.

4. Under Self help, you find a list of fixes, fix packs, and other service updates

for your product.

5. Click the name of a fix to read the description and optionally download the fix.

To receive weekly e-mail notifications about fixes and other news about IBM

products, follow these steps:

1. From the support page for any IBM product, click My support in the upper-left

corner of the page.

2. If you have already registered, skip to the next step. If you have not registered,

click register in the upper-right corner of the support page to establish your

user ID and password.

3. Sign in to My support.

4. On the My support page, click Edit profiles in the left navigation pane, and

scroll to Select Mail Preferences. Select a product family and check the

appropriate boxes for the type of information you want.

5. Click Submit.

6. For e-mail notification for other products, repeat Steps 4 and 5.

For more information about types of fixes, see the Software Support Handbook

(http://techsupport.services.ibm.com/guides/handbook.html).

Contacting IBM Software Support

IBM Software Support provides assistance with product defects.

Before contacting IBM Software Support, your company must have an active IBM

software maintenance contract, and you must be authorized to submit problems to

IBM. The type of software maintenance contract that you need depends on the

type of product you have:

• For IBM distributed software products (including, but not limited to, Tivoli, Lotus, and Rational products, as well as DB2 and WebSphere products that run on Windows or UNIX operating systems), enroll in Passport Advantage in one of the following ways:
  – Online: Go to the Passport Advantage Web page (http://www.lotus.com/services/passport.nsf/WebDocs/Passport_Advantage_Home) and click How to Enroll.
  – By phone: For the phone number to call in your country, go to the IBM Software Support Web site (http://techsupport.services.ibm.com/guides/contacts.html) and click the name of your geographic region.
• For IBM eServer software products (including, but not limited to, DB2 and WebSphere products that run in zSeries, pSeries, and iSeries environments), you can purchase a software maintenance agreement by working directly with an IBM sales representative or an IBM Business Partner. For more information about support for eServer software products, go to the IBM Technical Support Advantage Web page (http://www.ibm.com/servers/eserver/techsupport.html).

If you are not sure what type of software maintenance contract you need, call

1-800-IBMSERV (1-800-426-7378) in the United States or, from other countries, go to

the contacts page of the IBM Software Support Handbook on the Web

(http://techsupport.services.ibm.com/guides/contacts.html) and click the name of

your geographic region for phone numbers of people who provide support for

your location.

Follow the steps in this topic to contact IBM Software Support:

1. Determine the business impact of your problem.

2. Describe your problem and gather background information.

3. Submit your problem to IBM Software Support.

Determine the business impact of your problem

When you report a problem to IBM, you are asked to supply a severity level.

Therefore, you need to understand and assess the business impact of the problem

you are reporting. Use the following criteria:

Severity 1 Critical business impact: You are unable to use the program,

resulting in a critical impact on operations. This condition

requires an immediate solution.

Severity 2 Significant business impact: The program is usable but is

severely limited.

Severity 3 Some business impact: The program is usable with less

significant features (not critical to operations) unavailable.

Severity 4 Minimal business impact: The problem causes little impact on

operations, or a reasonable circumvention to the problem has

been implemented.

Describe your problem and gather background information

When explaining a problem to IBM, be as specific as possible. Include all relevant

background information so that IBM Software Support specialists can help you

solve the problem efficiently. To save time, know the answers to these questions:

• What software versions were you running when the problem occurred?
• Do you have logs, traces, and messages that are related to the problem symptoms? IBM Software Support is likely to ask for this information.
• Can the problem be re-created? If so, what steps led to the failure?
• Have any changes been made to the system? (For example, hardware, operating system, networking software, and so on.)
• Are you currently using a workaround for this problem? If so, please be prepared to explain it when you report the problem.

Submit your problem to IBM Software Support

You can submit your problem in one of two ways:

• Online: Go to the “Submit and track problems” page on the IBM Software Support site (http://www.ibm.com/software/support/probsub.html). Enter your information into the appropriate problem submission tool.
• By phone: For the phone number to call in your country, go to the contacts page of the IBM Software Support Handbook on the Web (http://techsupport.services.ibm.com/guides/contacts.html) and click the name of your geographic region.

If the problem you submit is for a software defect or for missing or inaccurate

documentation, IBM Software Support creates an Authorized Program Analysis

Report (APAR). The APAR describes the problem in detail. Whenever possible,

IBM Software Support provides a workaround for you to implement until the

APAR is resolved and a fix is delivered. IBM publishes resolved APARs on the

IBM product support Web pages daily, so that other users who experience the

same problem can benefit from the same resolutions.

For more information about problem resolution, see Searching knowledge bases

and Obtaining fixes.


Appendix C. Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in

other countries. Consult your local IBM representative for information on the

products and services currently available in your area. Any reference to an IBM

product, program, or service is not intended to state or imply that only that IBM

product, program, or service may be used. Any functionally equivalent product,

program, or service that does not infringe any IBM intellectual property right may

be used instead. However, it is the user’s responsibility to evaluate and verify the

operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter

described in this document. The furnishing of this document does not give you

any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing

IBM Corporation

North Castle Drive

Armonk, NY 10504-1785

U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM

Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation

Licensing

2-31 Roppongi 3-chome, Minato-ku

Tokyo 106-0032, Japan

The following paragraph does not apply to the United Kingdom or any other

country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS

PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER

EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED

WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS

FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or

implied warranties in certain transactions, therefore, this statement may not apply

to you.

This information could include technical inaccuracies or typographical errors.

Changes are periodically made to the information herein; these changes will be

incorporated in new editions of the publication. IBM may make improvements

and/or changes in the product(s) and/or the program(s) described in this

publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for

convenience only and do not in any manner serve as an endorsement of those Web

sites. The materials at those Web sites are not part of the materials for this IBM

product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it

believes appropriate without incurring any obligation to you.


Licensees of this program who wish to have information about it for the purpose

of enabling: (i) the exchange of information between independently created

programs and other programs (including this one) and (ii) the mutual use of the

information which has been exchanged should contact:

IBM Corporation

2ZA4/101

11400 Burnet Road

Austin, TX 78758

U.S.A.

Such information may be available, subject to appropriate terms and conditions,

including in some cases, payment of a fee.

The licensed program described in this information and all licensed material

available for it are provided by IBM under terms of the IBM Customer Agreement,

IBM International Program License Agreement, or any equivalent agreement

between us.

Any performance data contained herein was determined in a controlled

environment. Therefore, the results obtained in other operating environments may

vary significantly. Some measurements may have been made on development-level

systems and there is no guarantee that these measurements will be the same on

generally available systems. Furthermore, some measurements may have been

estimated through extrapolation. Actual results may vary. Users of this document

should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of

those products, their published announcements or other publicly available sources.

IBM has not tested those products and cannot confirm the accuracy of

performance, compatibility or any other claims related to non-IBM products.

Questions on the capabilities of non-IBM products should be addressed to the

suppliers of those products.

Trademarks

The following terms are trademarks or registered trademarks of International

Business Machines Corporation in the United States, other countries, or both:

IBM

IBM logo

AIX

DB2

Novell

SecureWay

Tivoli

Tivoli logo

Universal Database

WebSphere

Lotus is a registered trademark of Lotus Development Corporation and/or IBM

Corporation.

Domino is a trademark of International Business Machines Corporation and Lotus

Development Corporation in the United States, other countries, or both.


Microsoft, Windows, Windows NT, and the Windows logo are trademarks of

Microsoft Corporation in the United States, other countries, or both.

Intel, Intel Inside (logos), MMX and Pentium are trademarks of Intel Corporation

in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other

countries.

Linux is a trademark of Linus Torvalds in the U.S., other countries, or both.

Sun, Sun Microsystems, and the Sun Logo are trademarks or registered trademarks

of Sun Microsystems, Inc. in the United States and other countries.

Java and all Java-based trademarks are trademarks of Sun

Microsystems, Inc. in the United States, other countries, or

both.

Other company, product, and service names may be trademarks or service marks

of others.




Printed in USA

SC32-1155-05