Server Installation Guide on Windows 2000 using WebSphere

Transcription

1 IBM Tivoli Identity Manager Server Installation Guide on Windows 2000 using WebSphere Version SC

2

3 IBM Tivoli Identity Manager Server Installation Guide on Windows 2000 using WebSphere Version SC

4 Note: Before using this information and the product it supports, read the information in Appendix H, Notices, on page 131. Second Edition (September 2003) This edition applies to version of Tivoli Identity Manager and to all subsequent releases and modifications until otherwise indicated in new editions. Copyright International Business Machines Corporation All rights reserved. US Government Users Restricted Rights Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

5 Contents Preface vii Who Should Read This Book vii Publications vii Tivoli Identity Manager Server Library.... vii Prerequisite Product Publications viii Related Publications viii Accessing Publications Online ix Accessibility ix Contacting Software Support ix Conventions Used in This Book ix Installation Directory Conventions x Chapter 1. Introduction Hardware and Software Requirements Product Compact Discs Chapter 2. Configuration Overview... 3 WebSphere Application Server Terminology Single-Server Configurations Cluster Configurations for Tivoli Identity Manager. 6 Tivoli Identity Manager Server Tiers Single-cluster Configuration Functional Cluster Configuration Java Message Service and Other Server Processes 10 WebSphere Environment Limitations using Tivoli Identity Manager Chapter 3. Database Configuration IBM DB2 Configuration Ensuring Communication and Configuring the Server Configuring the IBM DB2 JDBC Driver Configuring IBM DB2 Version 7.1 and 7.2 for a JDBC Type 2 Driver Example: Expanding Values for DB Oracle Installation and Configuration for Tivoli Identity Manager Preparing to Install Oracle on AIX Preparing to Install Oracle on Solaris Preparing to Install Oracle on Windows Configuring Oracle after Installation SQL Server 2000 Configuration Preparing to Install SQL Server Configuring SQL Server 2000 after Installation.. 20 Chapter 4. Directory Server Configuration IBM Directory Server Configuration Specify the Suffix for Tivoli Identity Manager.. 24 Configure the Referential Integrity Plug-in for Tivoli Identity Manager Restart the Directory Server Create the LDAP Suffix Object Using Version 5.1 and WebSphere Application Server on the Same Computer Sun ONE Directory Server Configuration Chapter 5. Single-server Installation: Tivoli Identity Manager Server Before You Begin Resolving Port Problems Information Worksheet for Single-Server Installation 34 Database Information Directory Server Information WebSphere Application Server Information for Single-Server Installation WebSphere Embedded Messaging Server and Client IBM HTTP Server Information Tivoli Identity Manager Information Installing Tivoli Identity Manager Server Navigate Initial Welcome and Licensing Windows Select the Installation Type and Installation Directory Select the Database Complete the Windows for a Single-server Installation Specify WebSphere Global Security Specify an Encryption Key and Read the Pre-Installation Summary Installation Progress and Additional Configuration Activities Logs and Directories for Single-Server Installation 52 Complete Security Configuration Using runconfig after Installing Tivoli Identity Manager Optionally Installing a Language Pack Testing Tivoli Identity Manager Server Communication Server-Agent Communication Chapter 6. Cluster Installation: Tivoli Identity Manager Server Before You Begin Resolving Port Problems Creating Clusters Using Network Deployment Manager Information Worksheet for Cluster Installation Database Information Directory Server Information WebSphere Application Server Information for Cluster Installation Tivoli Identity Manager Information Installing Tivoli Identity Manager Server Navigate Initial Welcome and Licensing Windows Copyright IBM Corp iii

6 Select the Installation Type and Default Installation Directory Select the Database Complete the Sequence for Cluster Installation 67 Specify WebSphere Global Security Specify an Encryption Key and Read the Pre-Installation Summary Installation Progress and Additional Configuration Activities Logs and Directories for Cluster Installation.. 80 Complete Security Configuration Using runconfig after Installing Tivoli Identity Manager Optionally Installing a Language Pack Optionally, Define HTTP Session Persistence.. 82 Verify Transaction Service Settings Update the Web Server Plug-in Start Clusters Testing Tivoli Identity Manager Server Communication Server-Agent Communication Adding or Removing Cluster Members Expanding a Cluster Using a New Computer.. 84 Expanding a Cluster Using the Same Computer 85 Removing a Cluster Member Appendix A. Compact Discs Recommended WebSphere Interim Fix PQ77521 Not on CDs Language Packs CD Base Code Solaris CD for Tivoli Identity Manager using WebSphere Application Server Base Code Solaris CD for Tivoli Identity Manager for non-ibm Application Servers Supplemental Solaris CD Supplemental Solaris CD Supplemental Solaris CD Supplemental Solaris CD Base Code AIX CD for Tivoli Identity Manager using WebSphere Application Server Base Code AIX CD for Tivoli Identity Manager for non-ibm Application Servers Supplemental AIX CD Supplemental AIX CD Supplemental AIX CD Base Code HP-UX CD for Tivoli Identity Manager for non-ibm Application Servers Base Code Windows 2000 CD for Tivoli Identity Manager using WebSphere Application Server Base Code Windows 2000 CD for Tivoli Identity Manager for non-ibm Application Servers Supplemental Windows 2000 CD Supplemental Windows 2000 CD Supplemental Windows 2000 CD Supplemental Windows 2000 CD Appendix B. Software and Hardware Requirements on Windows Minimum Windows Operating System and Hardware Requirements for Tivoli Identity Manager using WebSphere Databases for Tivoli Identity Manager Server using WebSphere Directory Servers for Tivoli Identity Manager Server using WebSphere Tivoli Identity Manager Server Prerequisites for WebSphere and HTTP Servers Supported Web Browsers Appendix C. Preparing the WebSphere Environment Preparing for WebSphere Application Server Installation Ensuring Solaris Kernel Settings for WebSphere Embedded Messaging Server and Client Using an Existing WebSphere MQ Version Validating Availability of Port Configuring Tivoli Identity Manager Clusters Installing WebSphere Application Server Network Deployment Installing IBM HTTP Server and WebSphere Web Server Plugin Generating the WebSphere Web Server Plugin Configuration File Installing Base on Each Node Add Nodes to a Cell Create a Cluster Ensure that Network Deployment Manager and Node Agents are Running Configuring WebSphere Application Server Transaction Service Settings Appendix D. Security Considerations 105 Security for WebSphere Configuring Security for Single-Node Deployment Configuring Security for Multi-Node Deployment Disabling J2EE Security Alternatives in Configuring the HTTP Server Appendix E. Upgrading from Tivoli Identity Manager 4.3 to Tivoli Identity Manager Before You Begin Upgrading from Tivoli Identity Manager 4.3 Using WebLogic to Tivoli Identity Manager 4.5 Using WebLogic Installing Tivoli Identity Manager Version 4.5 using WebSphere Application Server Configuring the New Installation Appendix F. Upgrading from Tivoli Identity Manager Version 4.4.x to Before You Begin Upgrading a Single-Server Configuration Upgrading Tivoli Identity Manager 4.4.x to iv IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

7 Upgrading a Cluster Configuration Upgrading Tivoli Identity Manager 4.4.x to 4.5 for the Network Deployment Manager System. 122 Upgrading Tivoli Identity Manager 4.4.x to 4.5 for the Member System Appendix G. Uninstalling Tivoli Identity Manager Before You Begin Steps to Uninstall Tivoli Identity Manager Appendix H. Notices Trademarks Glossary Index Contents v

8 vi IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

9 Preface Who Should Read This Book Publications The IBM Tivoli Identity Manager Installation Guide on Windows 2000 using WebSphere describes how to install and configure the Tivoli Identity Manager Server on a Windows 2000 Server to manage resources from a central location. This manual is intended for system and security administrators who install, maintain, or administer software on their site s computer systems. Readers are expected to understand system and security administration concepts. Additionally, the reader should understand administration concepts for the following: v Directory server v Database server v WebSphere embedded messaging support v WebSphere Application Server or WebLogic v IBM HTTP Servers Read the descriptions of the Tivoli Identity Manager library, the prerequisite publications, and the related publications to determine which publications you might find helpful. After you determine the publications you need, refer to the instructions for accessing publications online. Tivoli Identity Manager Server Library The publications in the Tivoli Identity Manager Server library are: v Online user assistance for Tivoli Identity Manager Provides integrated online help topics for all Tivoli Identity Manager administrative tasks. v Separate versions of Tivoli Identity Manager Server Installation Guide on either UNIX or Windows, using either WebSphere or WebLogic. Use the version appropriate for your site. Provides installation information for Tivoli Identity Manager. v Tivoli Identity Manager Policy and Organization Administration Guide Provides topics for Tivoli Identity Manager administrative tasks. v Tivoli Identity Manager Server Configuration Guide Provides configuration information for single-server and cluster Tivoli Identity Manager configurations. v Tivoli Identity Manager End User Guide Provides beginning user information for Tivoli Identity Manager. v Tivoli Identity Manager Release Notes Provides software and hardware requirements for Tivoli Identity Manager, and additional fix, patch, and other support information. v Tivoli Identity Manager Troubleshooting Guide Provides additional problem solving information for the Tivoli Identity Manager product. Copyright IBM Corp vii

10 Prerequisite Product Publications To use the information in this book effectively, you must have knowledge of the products that are prerequisites for Tivoli Identity Manager. Publications are available from the following locations: v WebSphere Application Server v v v v Note: The following brief list of Redbooks describes installing and configuring WebSphere Application Server and providing additional security. Although the list was current when this publication went to production, publications may become obsolete. Contact your customer representative for a recommended list of resource information. IBM WebSphere Application Server V5.0 System Management and Configuration, an IBM Redbook IBM WebSphere Application Server V5.0 Security, an IBM Redbook Database servers IBM DB2 Oracle Microsoft SQL Server Directory server applications IBM Directory Server Sun ONE Directory Server WebSphere embedded messaging support (or IBM MQSeries) Web Proxy Server IBM HTTP Server Related Publications Information related to Tivoli Identity Manager Server is available in the following publications: v v The Tivoli Software Library provides a variety of Tivoli publications such as white papers, datasheets, demonstrations, redbooks, and announcement letters. The Tivoli Software Library is available on the Web at: The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available, in English only from the Glossary link on the left side of the Tivoli Software Library Web page: viii IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

11 Accessibility Accessing Publications Online The IBM publications for this product are available online in Portable Document Format (PDF) or Hypertext Markup Language (HTML) format, or both at the Tivoli Software Library: Contacting Software Support To locate product publications in the library, click the Product manuals link on the left side of the Library page. Then, locate and click the name of the product on the Tivoli Software Information Center page. Product publications include release notes, installation guides, user s guides, administrator s guides, and developer s references. Note: To ensure proper printing of PDF publications, select the Fit to page check box in the Adobe Acrobat Print window (which is available when you click File Print). The product documentation includes the following features to aid accessibility: v Documentation is available in both HTML and PDF formats to give the maximum opportunity for users to apply screen-reader software. v All images in the documentation are provided with alternative text so that users with vision impairments can understand the contents of the images. Before contacting IBM Tivoli Software support with a problem, refer to the IBM Tivoli Software support Web site at: If you need additional help, contact software support using the methods described in the IBM Software Support Guide at the following Web site: This guide provides the following information: v Registration and eligibility requirements for receiving support v Telephone numbers, depending on the country in which you are located v A list of information you should gather before contacting customer support Conventions Used in This Book This reference uses several conventions for special terms and actions and for operating system-dependent commands and paths. The following typeface conventions are used in this book: Bold Bold text indicates selectable window buttons, field entries, and commands appearing in this manual except from within examples or the contents of files. Preface ix

12 Monospace italic Text in monospace type indicates the contents of files, file names or the output from commands. Italic text indicates context-specific values such as: v path names v file names v user names v group names v system parameters v environment variables Installation Directory Conventions This publication uses the following conventions to specify default directories: {ITIM_HOME} The default installation directory for Tivoli Identity Manager {WAS_HOME} The default installation directory for WebSphere Application Server {WAS_NDM_HOME} The default installation directory for WebSphere Application Server Network Deployment x IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

13 Chapter 1. Introduction This manual describes installing, initially configuring, and verifying the Tivoli Identity Manager Server on either a single-server or cluster configuration. Use the installation documentation that matches the operating system and Web application on your system. There is also a Tivoli Identity Manager Server Installation Guide for UNIX using WebSphere. Major steps to install and begin to use the Tivoli Identity Manager Server vary depending on whether installation is for a single-server or cluster configuration, and whether a pre-existing WebSphere Application Server is used. An overview of steps includes the following: 1. Determining whether your configuration should be a single server or requires a more scalable cluster or functional cluster solution, described in Chapter 2, Configuration Overview, on page Installing and configuring a database described in Chapter 3, Database Configuration, on page Installing and configuring a directory server, described in Chapter 4, Directory Server Configuration, on page For a single-server configuration, installing Tivoli Identity Manager Server, described in Chapter 5, Single-server Installation: Tivoli Identity Manager Server, on page For a cluster configuration, doing the following: v v Installing and configuring prerequisite WebSphere Application Server support described in Appendix C, Preparing the WebSphere Environment, on page 97. Creating clusters and installing Tivoli Identity Manager Server, described in Chapter 6, Cluster Installation: Tivoli Identity Manager Server, on page 57. Note: You must manually install the required fix packs for a cluster configuration. Hardware and Software Requirements Product Compact Discs For a list of software and hardware requirements, see Appendix B, Software and Hardware Requirements on Windows, on page 93. The Tivoli Identity Manager Server product is provided on a series of compact discs (CDs). For help obtaining the CDs, contact IBM Support. For a list of the CDs and their contents, see Appendix A, Compact Discs, on page 87. Copyright IBM Corp

14 2 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

15 Chapter 2. Configuration Overview Tivoli Identity Manager servers in a WebSphere Application Server environment are organized in either a single-server configuration or a cluster configuration. This section provides a brief, high-level description of configuration options and an overview of their implementation sequences. Subsequent chapters provide greater implementation detail. Notes: 1. Sample configurations in this chapter require a number of prior planning activities before taking the steps that install and configure this product. For additional documentation that describes planning to meet your business needs, contact your customer representative. 2. For additional information about the WebSphere Application Server products, refer to additional documentation cited in Prerequisite Product Publications on page viii. 3. Fix packs are required for most middleware that Tivoli Identity Manager uses. For more information, see Appendix B, Software and Hardware Requirements on Windows, on page 93. WebSphere Application Server Terminology The following terms describe elements in WebSphere Application Server configurations: cell The administrative domain that a Deployment Manager manages. A cell is a logical grouping of nodes that enables common administative activities in a WebSphere Application Server distributed environment. A cell can have one or many clusters. node A node is a logical group of one or more application servers on a physical computer. The node name is unique within the cell. A node name usually is identical to the host name for the computer. That is, a node usually corresponds to a physical computer system with a distinct IP address. application server The application server is the primary component of WebSphere. The server runs a Java virtual machine, providing the runtime environment for the application s code. The application server provides containers that specialize in enabling the execution of specific Java application components. Network Deployment Manager The administrative process used to provide a centralized management view and control for all elements in a WebSphere Application Server distributed cell, including the management of clusters. The Network Deployment Manager is responsible for the contents of the repositories on each of the nodes. The Network Deployment Manager manages this through communication with node agent processes on each node of the cell. node agent A node agent manages all managed processes on a WebSphere Application Server on a node by communicating with the Network Deployment Manager to coordinate and synchronize the configuration. A node agent Copyright IBM Corp

16 Single-Server Configurations performs management operations on behalf of the Network Deployment Manager. The node agent represents the node in the management cell. Node agents are installed with WebSphere Application Server base, but are not required until the node is added to a cell in a Network Deployment environment. cluster A logical grouping of one or more functionally identical application server processes. A cluster provides ease of deployment, configuration, workload balancing, and fallback redundancy. A cluster is a collection of servers working together as a single system to ensure that mission-critical applications and resources remain available to clients. Clusters provide scalability. For more information, refer to additional documentation that customer support may provide that describes vertical and horizontal clustering in the WebSphere Application Server distributed environment. cluster member An instance of a WebSphere Application Server in a cluster. WebSphere Web Server plug-in The WebSphere Web Server plug-in is a component installed onto an HTTP server to take incoming requests and transport them to the appropriate Web container in a cluster. The behavior of the plug-in is governed by the plugin-cfg.xml file. The plug-in allows the Web server to communicate requests for dynamic content, such as servlets, to the application server. A single-server configuration might install WebSphere Application Server base and other required applications on one physical computer. The Tivoli Identity Manager Server provides both user interface and workflow processing. 4 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

17 WebSphere base Tivoli Identity Manager Server HTTP Server Web Server plugin Directory Server Tivoli Identity Manager Database Figure 1. Single-server configuration on one physical computer The configuration on one computer requires the following: v A database to store transactional information v A directory server v WebSphere Application Server base v Tivoli Identity Manager Server v An HTTP server such as IBM HTTP Server and a WebSphere Web Server plug-in. For a basic definition of WebSphere Web Server plug-in, see WebSphere Application Server Terminology on page 3. For more information on configuring the WebSphere Web Server plug-in, see Alternatives in Configuring the HTTP Server on page 111. Optionally, you can install the instance of WebSphere Application Server base and Tivoli Identity Manager Server on one physical computer and install all other required applications on one or more additional computers. Note: For additional manual configuration steps required if you install IBM Directory Server version 5.1 on the same computer that has WebSphere Application Server, see Using Version 5.1 and WebSphere Application Server on the Same Computer on page 27. Chapter 2. Configuration Overview 5

18 HTTP Server WebSphere base JDBC driver Web Server plugin Tivoli Identity Manager Server Directory Server Tivoli Identity Manager Database Figure 2. Single-server configuration on multiple physical computers The computer that has the Tivoli Identity Manager Server requires the following: v WebSphere Application Server base v A JDBC driver (the database client) The additional computers have the following: v A database to store transactional information v A directory server v An HTTP server such as IBM HTTP Server and the WebSphere Web Server plug-in For more information, see Chapter 5, Single-server Installation: Tivoli Identity Manager Server, on page 31. Cluster Configurations for Tivoli Identity Manager Cluster configurations for Tivoli Identity Manager specify one of the following: v Single-cluster Configuration on page 7 v Functional Cluster Configuration on page 8 For more information on configuring clusters, see Creating Clusters Using Network Deployment Manager on page 59. For release levels and fix pack specifications, see Appendix B, Software and Hardware Requirements on Windows, on page 93. Notes: 1. In the following illustrations, each box shape represents one WebSphere node on one physical computer. It is recommended that only one node be created on one computer. 2. If you install IBM Directory Server version 5.1 on the same computer that has WebSphere Application Server, see Using Version 5.1 and WebSphere Application Server on the Same Computer on page 27 for additional manual steps that are required. 6 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

19 Tivoli Identity Manager Server Tiers As provided by Tivoli Identity Manager Server, a tier is a subset of functions, such as the functions that handle user interface activity or the functions that handle workflow activity. Tivoli Identity Manager Server can be installed as a multi-tiered server that enables you to allocate the function provided by each tier to separate clusters in a functional cluster configuration. The Tivoli Identity Manager Server provides the following tiers: User Interface (UI) Provides the user interface processing function, including the dialogs and forms that enable a variety of users to work with function that Tivoli Identity Manager Server provides. For information about the user interface, refer to the Tivoli Identity Manager Policy and Organization Administration Guide. Workflow (WF) Provides workflow processing function. A workflow is the process by which a request is approved, rejected, or sent for completion. For information on workflow processing, refer to the Tivoli Identity Manager Policy and Organization Administration Guide. Installation options include the following: v Single server v Single cluster or functional cluster: In a single-cluster installation, both tiers are installed on every application server in a cluster member. Each cluster member functions as the equivalent of a Tivoli Identity Manager single server. In a functional cluster, the user interface (UI) tier is installed on a cluster and the workflow (WF) tier is installed on another cluster. Combining the functionalities of the two clusters provides the full function of Tivoli Identity Manager. Single-cluster Configuration A configuration for a single cluster specifies a group of WebSphere application servers. Both the Tivoli Identity Manager user interface tier and workflow tier run on the same WebSphere Application Server on every node in the cluster. The configuration specifies the Network Deployment Manager on one computer. The remaining applications are configured on additional computers. Chapter 2. Configuration Overview 7

20 WebSphere Network Deployment Manager JDBC driver HTTP Server Web Server plugin WebSphere base JDBC driver WebSphere base JDBC driver Tivoli Identity Manager Database WebSphere Application Server (ITIM) WebSphere Application Server (ITIM) WebSphere Application Server (ITIM) Tivoli Identity Manager Cluster Directory Server Tivoli Identity Manager Cell Figure 3. Single-cluster configuration on multiple physical computers The following describes the configuration: v On the computer that has the Network Deployment Manager, install the following: WebSphere Network Deployment Manager A JDBC driver (the database client) v On each cluster member, install the following: WebSphere Application Server Tivoli Identity Manager Server. Installed in this configuration, the Tivoli Identity Manager Server provides combined user interface and workflow tiers. A JDBC driver (the database client) v On one or more additional computers that are not in the cluster, install the following: A database to store transactional information A directory server An HTTP server such as IBM HTTP Server and a WebSphere Web Server plug-in. For more information on this server, refer to documentation that IBM HTTP Server provides. For a basic definition of WebSphere Web Server plug-in, see WebSphere Application Server Terminology on page 3. For more information on configuring the WebSphere Web Server plug-in, see Alternatives in Configuring the HTTP Server on page 111. Functional Cluster Configuration A configuration for a functional cluster places the Network Deployment Manager on one computer. The remaining applications are configured in separate clusters on additional computers. The Tivoli Identity Manager Server UI tier is configured on 8 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

21 the nodes in one cluster and the WF tier is configured on the nodes in another, separate cluster. WebSphere Network Deployment Manager JDBC driver HTTP Server Web Server plugin WebSphere base JDBC driver WebSphere Application Server ( ITIM UI ) WebSphere base JDBC driver WebSphere Application Server ( ITIM WF ) Tivoli Identity Manager Database WebSphere Application Server ( ITIM UI ) WebSphere Application Server ( ITIM WF ) Directory Server WebSphere Application Server ( ITIM UI ) WF Cluster UI Cluster Tivoli Identity Manager Cell Figure 4. Functional Cluster Configuration The following describes the configuration: v On the computer that has the Network Deployment Manager, install the following: WebSphere Network Deployment Manager A JDBC driver (the database client) v On each member of the each cluster, install the following: WebSphere Application Server Tivoli Identity Manager Server Within the user interface cluster, instances of the Tivoli Identity Manager Server provide only user interface processing. Within the workflow cluster, instances of the Tivoli Identity Manager Server provide only workflow processing. A JDBC driver (the database client) v On one or more additional computers that are not in a cluster, install the following: A database to store transactional information A directory server IBM HTTP Server and a WebSphere Web Server plug-in Chapter 2. Configuration Overview 9

22 Java Message Service and Other Server Processes Additional server processes run in a WebSphere Application Server environment, such as the Java Message Service (termed the jmsserver process, also the JMS server) that provides the WebSphere embedded messaging support. Note: WebSphere embedded messaging support is required to enable Tivoli Identity Manager to exchange information with other applications, sending and receiving data as messages. For more information, refer to WebSphere Application Server documentation that describes WebSphere embedded messaging support or WebSphere MQ. WebSphere Environment Limitations using Tivoli Identity Manager To use Tivoli Identity Manager most effectively in a WebSphere environment, observe the following limitations: v v v v Tivoli Identity Manager assumes that a cluster is homogeneous with respect to operating system. To avoid problems with secure communication and certificate configuration, it is recommended that you do not use more than one operating system type within a Tivoli Identity Manager cluster. In a functional cluster, do not place cluster members from the User Interface and the Workflow clusters on the same computer. If there are multiple instances of WebSphere Application Server on the same computer, only servers from one of these instances can be Tivoli Identity Manager cluster members. WebSphere Application Server permits you to install both the Network Deployment Manager and a cluster member on the same computer. Ensure that the computer has the required memory, speed, and available space to meet the additional load. 10 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

23 Chapter 3. Database Configuration IBM DB2 Configuration This chapter describes configuring a database for use with Tivoli Identity Manager Server. For more information on supported database releases and required patches, see Appendix B, Software and Hardware Requirements on Windows, on page 93. For more information on IBM DB2, refer to documentation available at Notes: 1. The IBM DB2 settings described in this chapter are initial settings that require runtime adjustment. 2. This chapter refers to the IBM DB2 runtime client as a type 2 Java Database Connectivity driver. In subsequent mention, the term used is the JDBC driver. This section describes the following: v IBM DB2 Configuration v Oracle Installation and Configuration for Tivoli Identity Manager on page 16 v SQL Server 2000 Configuration on page 20 You must log on to the IBM DB2 server as Administrator to complete the following steps: v Ensuring Communication and Configuring the Server v Configuring the IBM DB2 JDBC Driver on page 14 Ensuring Communication and Configuring the Server To prepare the IBM DB2 server, do the following: v Ensure TCP/IP Communication v Configure the IBM DB2 Server on page 12 Ensure TCP/IP Communication Before you begin, confirm TCP/IP communication on the IBM DB2 server. Do the following: Note: These steps assume the configuration uses multiple computers, one of which has the IBM DB2 server. If the database is on the same computer as the IBM DB2 server, it is not necessary to configure TCP/IP communication. 1. Open an IBM DB2 command window by clicking Start > Run and typing db2cmd. 2. Run the following command in the DB2 command window: db2set -all DB2COMM 3. If a tcpip entry (indicating TCP/IP communication) is not in the list returned by the db2set -all DB2COMM command, run the following command, including tcpip and any other values that were returned in the list that the command provided. db2set DB2COMM=tcpip,<values_from_db2set_command> Copyright IBM Corp

24 For example, if the db2set -all DB2COMM command returned values such as npipe and ipxspx in the list, specify these values again when you run the db2set command the second time: db2set DB2COMM=tcpip,npipe,ipxspx Configure the IBM DB2 Server To configure the server, do the following: 1. Create a database with a name such as itimdb for Tivoli Identity Manager and a bufferpool named enrolebp. Note: The database name is any name you specify. The bufferpool name must be enrolebp. a. Open an IBM DB2 command window by clicking Start > Run and typing db2cmd. b. In the command window, execute these commands to create the database: db2 create db itimdb using codeset UTF-8 territory US db2 update db cfg for itimdb using applheapsz heapvalue db2 update db cfg for itimdb using app_ctl_heap_sz 512 where heapvalue is an integer in kilobytes such as 1024 representing the number of 4K pages. Note: Set applheapsz to a value that is approximately half the value of the real memory in the computer that has the database, taking into consideration the demands other applications may make for memory. c. Configure the service name for the instance for remote JDBC driver access. For example, enter the following: db2 update dbm cfg using svcename <service_name> where <service_name> is a value such as DB2_db2inst1. d. Ensure the appropriate service name is added to following file: v UNIX: /etc/services v Windows: %SYSTEMROOT%\system32\drivers\etc\services For example, enter the following: db2 get dbm cfg Values can be similar to the following: v DB2_db2inst1: 50000/tcp v DB2_db2inst1i: 50001/tcp You are required to enter the port number that corresponds to the service name. e. Enter the following command to confirm the connection. If the connection is successful, database connection information will be returned: db2 connect to itimdb f. Create the bufferpool: db2 create bufferpool enrolebp size -1 pagesize 32k 2. Ensure that the Repeatable Read attribute is turned on with the setting DB2_RR_TO_RS=YES. Do the following: a. Type the following: db2set -all 12 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

25 b. Examine the response to ensure that DB2_RR_TO_RS=YES is present. c. If the entry is not found, type the following to set the value to YES: db2set DB2_RR_TO_RS=YES d. Retype the following to verify the setting now exists: db2set -all 3. Restart IBM DB2. db2stop # (Note: Do a "db2 force application all" if entering db2stop fails) db2start Create a User Named enrole on the IBM DB2 Server On the IBM DB2 server, create a user named enrole. Do the following: v On AIX, do the following as root: 1. Start the System Management tool using smit or smitty. 2. Select Security & Users > Users > Add a User. 3. In the User Name field, type enrole. 4. Press Enter to create the user and return to the Users screen. 5. Select Change a User s Password. 6. At the prompt for the User s Name, type a value that you define such as enrole. You have now assigned the enrole user ID with a password of enrole. 7. At the prompt to change the user s password, type the password that you defined earlier for the database user. 8. Exit the System Management tool. 9. Test the user access. Telnet to the computer on which the IBM DB2 server is running. Ensure you can log on with the new user ID without encountering a password reset. v On Solaris, do the following as root: 1. Start the admintool. 2. Click Browse > Users from the task bar. 3. Click Edit > Add. 4. On the Add User dialog, type enrole in the User Name field. On the Password Select menu, select Normal Password. 5. On the Set User Password dialog, enter the password and verify. Click OK. 6. Set the path in the Home Directory field to a path such as /export/home/enrole. Click OK. 7. Click File > Exit from the task bar to exit. 8. Test the user access. Telnet to the computer on which the IBM DB2 server is running. Ensure that you can log on with the new user ID without encountering a password reset. v On Windows 2000, do the following as Administrator: 1. Access the Computer Management tool by clicking Start > Settings > Control Panel > Administrative Tools > Computer Management. 2. Click Local Users and Groups > Users. Note: The enrole user does not need to be added to any group. 3. Select Action > New User. 4. In the username field, type enrole. 5. In the password field, type a password for the database user. 6. Clear the User must change password at next login option. Chapter 3. Database Configuration 13

26 7. Check the Password never expires check box. 8. Click Create. Create a User Named enrole on each Computer in the Cluster On each computer that will be part of the Tivoli Identity Manager cluster, create a user named enrole. No special privileges are required for this user. Ensure that a password change is not required at the next logon and that the password never expires. Configuring the IBM DB2 JDBC Driver IBM DB2 requires a type 2 Java Database Connectivity driver (JDBC driver) as the database client. The JDBC driver is used to connect a Java-based application to an IBM DB2 database that is running on either the same machine or a remote machine. In a clustered deployment of Tivoli Identity Manager, the JDBC driver enables all the Tivoli Identity Manager servers to communicate with the data source and share information. For more information, refer to IBM DB2 documentation. Notes: 1. The JDBC driver that IBM DB2 product installs is called the IBM DB2 runtime client. 2. To ensure that database connections are correctly released on Intel platforms, use TCP sockets. Do not use named pipes as the connection method on the IBM DB2 client. The named pipes method has a limit of the number of connections that cause Tivoli Identity Manager database errors. Assuming that IBM DB2 is not installed on the target computer, you must install and configure the JDBC driver and required fix pack on the following targets. For more information, see Appendix B, Software and Hardware Requirements on Windows, on page 93. v The computer that has the Network Deployment Manager v Each cluster member on which you expect to install Tivoli Identity Manager Server v On the computer that has a single-server installation, where IBM DB2 is remote. On each target, do the following: 1. Install and configure the JDBC driver and the required fix pack. 2. Catalog the database by taking the following steps: a. Open an IBM DB2 command window. Click Start > Run and type db2cmd. b. In the command window on the client, execute this command on one line: db2 catalog tcpip node db2node_hostname remote db2server_hostname server service-name portnumber where: node db2node_hostname A local alias for the node to be cataloged. It is the host name of the computer on which the database resides. This user-defined value represents the internal IBM DB2 node name. remote db2server_hostname Host name of the node on which IBM DB2 resides. The host name is the name of the node that is known to the TCP/IP network. For example, the name is db2server2host. 14 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

27 server service-name portnumber Specifies the service name or the port number of the server database manager instance. The default value of the IBM DB2 port number is Locate the current port number in the %SYSTEMROOT%\system32\drivers\etc\services file on the computer on which the IBM DB2 server resides. The port number on the client and the server must match. If a port number is specified, no service name needs to be specified in the local TCP/IP services file. c. Enter the following command to catalog the database: db2 catalog database itimdb as itimdb at node db2node_hostname 3. To test that cataloging was successful, enter the following: db2 connect to itimdb Configuring IBM DB2 Version 7.1 and 7.2 for a JDBC Type 2 Driver Note: IBM DB2 Fix Pack 3 will migrate IBM DB2 Version 7.1 to Version 7.2. For more information on the currently required fix pack, refer to Appendix B, Software and Hardware Requirements on Windows, on page 93. For IBM DB2 version 7.1 and version 7.2, you must manually configure the JDBC type 2 driver. Do the following on the IBM DB2 server: 1. Ensure that you are logged on as the IBM DB2 Administrator. 2. Configure IBM DB2 to use the JDBC type 2 driver, as follows: a. Stop all IBM DB2 services. b. Bring up a Windows command prompt and run <IBM DB2 install directory>\java12\usejdbc2.bat where <IBM DB2 install directory> is replaced by the directory into which you installed IBM DB2. c. Restart all IBM DB2 services. Example: Expanding Values for DB2 An example of setting larger values for IBM DB2 is the following: db2 update database configuration for itimdb using dbheap 1200 db2 update database configuration for itimdb using applheapsz 2048 db2 update database configuration for itimdb using maxappls 60 db2 update database configuration for itimdb using app_ctl_heap_sz 1024 db2 alter bufferpool ibmdefaultbp size db2 alter bufferpool enrolebp size If the value of applheapsz is too small, out of memory errors might occur when a large number of users are loaded. For example, a log file might contain the statement: Not enough storage available for processing the sql statements. To provide additional storage space, change the IBM DB2 application heap size to a larger value. su - db2inst1 db2 force applications all db2stop db2 terminate db2 update db cfg for itimdb using applheapsz 2048 db2start Chapter 3. Database Configuration 15

28 Note: On Windows, open a db2cmd window to enter the commands. Oracle Installation and Configuration for Tivoli Identity Manager This section describes pre-installation procedures and post-installation configuration steps for an installation of Oracle within a framework of Tivoli Identity Manager. In all cases, refer to the Oracle 8i Installation Guide for complete information. Note: When you install Oracle, you must include the JServer option as part of the install. If you choose a typical Oracle install, JServer is included. If you choose to perform a custom Oracle install, ensure that JServer is selected as an option for installation. Preparing to Install Oracle on AIX Complete the following procedures prior to installing Oracle on an AIX system: 1. Log in to the AIX system as root. 2. Ensure that the AIX system has the following filesets installed: v bos.adt.base v bos.adt.libm The Oracle product installation links with local libraries to create Oracle executables. Without the filesets, the links will fail and Oracle will not install or run correctly. You can install these filesets from the AIX developer s toolkit CD. 3. Verify that your system meets or exceeds the free disk space requirements for the following directories: v /usr: 3GB v /var: 300 MB v /tmp: 2GB For AIX, the default Oracle installation directory is /usr. Notes: a. To determine disk space availability, enter the following command: df - Ivk Output values are in units of 1024 bytes. b. To change the size of /usr or /var directories using SMIT or SMITTY, navigate the following windows: System Storage Management > File Systems > Add/Change/Show/Delete File Systems > Journaled File Systems > Change/Show Characteristics of a Journaled File System > /usr > SIZE of file system (in 512 byte blocks). 4. Create a CD-ROM filesystem, if not already present, using the SMITTY utility: a. Type $ mkdir /cdrom from the console or command line. b. Type $ smitty crcdrfs from the console or command line. The following menu appears: 16 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

29 Add a CDROM File System Type or select values in entry fields. Press Enter AFTER making all desired changes. [Entry Fields] * DEVICE name + * MOUNT POINT [] Mount AUTOMATICALLY at system restart? no + c. Select a CD-ROM drive by pressing F4, selecting a drive, and pressing Enter. d. Hit Enter again to create the filesystem. Exit SMITTY with F10 when the creation command completes. e. Mount the cdrom directory with the following command: mount /cdrom 5. Create mount points to use with Oracle databases: $ mkdir /u01 $ mkdir /u02 6. Set permissions for the mount points to allow the Oracle user account to write to them during the installation: $ chmod 777 /u01 $ chmod 777 /u02 7. Use SMIT to create two groups; a user group named dba and a user group named oper. 8. Use SMIT to create a new user called oracle. Complete the following steps for the new user account. a. Set the Primary GROUP of the account to the dba group you created. b. Set the HOME directory of the account to /home/oracle. c. Set the login shell (Initial PROGRAM) to /bin/sh. The Oracle account will run the installer. This account must be used only for installing and maintaining Oracle. 9. Check that a file path of /usr/lbin exists and is included in the PATH for the Oracle user account. This path can be set by editing /home/oracle/.profile. 10. Create the oratab file by executing the oratab.sh script located in the orainst directory of the CD. $./oratab.sh 11. Sign on to the system as the oracle user: $ su - oracle 12. View the umask settings for the oracle account. $ umask The umask should be set to 022. If the account s umask is not set to 022, set it with the following command: $ umask Edit.profile and add the following environment variable settings: ORACLE_BASE=/u01/app/oracle; export ORACLE_BASE ORACLE_HOME=$ORACLE_BASE/product/8.1.7; export ORACLE_HOME LIBPATH=$ORACLE_HOME/lib; export LIBPATH LD_LIBRARY_PATH=$ORACLE_HOME/lib:$ORACLE_HOME/network/lib; export LD_LIBRARY_PATH ORACLE_SID=or1; export ORACLE_SID ORACLE_TERM=vt100; export ORACLE_TERM Make sure that the oracle user s PATH includes $ORACLE_HOME/bin, /bin and /usr/bin. If it does not, add them to.profile. Chapter 3. Database Configuration 17

30 14. Source the profile using the following command: $../.profile 15. Run rootpre.sh to ready the machine for install from /cdrom: $./rootpre.sh You are now ready to begin the Oracle installation. Preparing to Install Oracle on Solaris Complete the following procedures prior to installing Oracle on a Solaris system: 1. Log in to the Solaris system as root. 2. Ensure that the kernel parameters set for the system meet or exceed values required for the installation. Refer to the Oracle 8i Installation Guide for more information. 3. Create mount points to use with Oracle databases: $ mkdir /u01 $ mkdir /u02 4. Start the admintool utility from a console, using the following command: # admintool 5. In the Admintool window, click Browse > Groups. The Admintool:Groups window opens. 6. In the Admintool:Groups window, click Edit > Add. The Admintool:Add Group window opens. 7. Create two groups; a user group named dba and a user group named oinstall. 8. In the Admintool:Groups window, click Browse > Users. The Admintool:Users window opens. 9. Use admintool to create a new user called oracle. Complete the following steps for the new user account. a. Set the Primary Group of the account to the oinstall group you created. b. Set the Secondary Group of the account to the dba group you created. c. Ensure that the radio button beside the Create Home Directory field is selected. In the Path field, enter /export/home/oracle as the home directory for the user oracle. d. Set the Login Shell to /bin/sh. The Oracle installer must be run under this account. This account will be used only for installing and maintaining Oracle. 10. Sign on to the system as the oracle user: # su - oracle View the umask settings for the oracle account. $ umask The umask should be set to 022. If the account s umask is not set to 022, set it with the following command: $ umask 022 Also modify.profile to reflect the change. 11. Add the following to /export/home/oracle/.profile for the oracle account: ORACLE_BASE=/u01/app/oracle; export ORACLE_BASE ORACLE_HOME=$ORACLE_BASE/product/8.1.7; export ORACLE_HOME ORACLE_SID=or1; export ORACLE_SID 18 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

31 ORACLE_DOC=$ORACLE_HOME/doc; export ORACLE_DOC ORA_NLS33=$ORACLE_HOME/ocommon/nls/admin/data; export ORA_NLS33 PATH=$ORACLE_HOME/bin:/usr/bin:/usr/local/bin:/usr/ccs/bin:/usr/ucb:/usr/openwin/bin:. If you require /usr/ucb in your search path make sure it is listed after /usr/ccs/bin in the PATH setting. 12. Source the profile using the following command: $../.profile You are now ready to begin the Oracle installation. Refer to the appropriate Oracle documentation and install the software. After a successful installation, return to the configuration instructions contained in this section. Preparing to Install Oracle on Windows Complete the following procedures prior to installing Oracle on a Windows system: 1. Verify that your system meets or exceeds the system requirements listed in the Oracle 8i Installation Guide for the type of installation you intend to perform. 2. Log in to the Windows system with the Administrator account that you will use for the installation. You are now ready to begin the Oracle installation. Configuring Oracle after Installation There are several post-installation tasks that must be completed to configure Oracle for use in a Tivoli Identity Manager framework. 1. Verify that the following line exists in the init.ora file: compatible= Create a database for use with Tivoli Identity Manager. The following is a sample SQL script that can be used to create your database. The values in the script should be changed to match your site s requirements. -- Create database CREATE DATABASE sample CONTROLFILE REUSE LOGFILE /u01/oracle/sample/redo01.log SIZE 1M REUSE, /u01/oracle/sample/redo02.log SIZE 1M REUSE, /u01/oracle/sample/redo03.log SIZE 1M REUSE, /u01/oracle/sample/redo04.log SIZE 1M REUSE DATAFILE /u01/oracle/sample/system01.dbf SIZE 10M REUSE AUTOEXTEND ON NEXT 10M MAXSIZE 200M CHARACTER SET UTF8; -- Create another (temporary) system tablespace CREATE ROLLBACK SEGMENT rb_temp STORAGE (INITIAL 100 k NEXT 250 k); -- Alter temporary system tablespace online before proceeding ALTER ROLLBACK SEGMENT rb_temp ONLINE; -- Create additional tablespaces RBS: For rollback segments -- USERs: Create user sets this as the default tablespace -- TEMP: Create user sets this as the temporary tablespace CREATE TABLESPACE rbs DATAFILE /u01/oracle/sample/sample.dbf SIZE 5M REUSE AUTOEXTEND ON NEXT 5M MAXSIZE 150M; CREATE TABLESPACE users DATAFILE /u01/oracle/sample/users01.dbf SIZE 3M REUSE AUTOEXTEND ON NEXT 5M MAXSIZE 150M; CREATE TABLESPACE temp DATAFILE /u01/oracle/sample/temp01.dbf SIZE 2M REUSE AUTOEXTEND ON NEXT 5M MAXSIZE 150M; -- Create rollback segments. Chapter 3. Database Configuration 19

32 CREATE ROLLBACK SEGMENT rb1 STORAGE(INITIAL 50K NEXT 250K) tablespace rbs; CREATE ROLLBACK SEGMENT rb2 STORAGE(INITIAL 50K NEXT 250K) tablespace rbs; CREATE ROLLBACK SEGMENT rb3 STORAGE(INITIAL 50K NEXT 250K) tablespace rbs; CREATE ROLLBACK SEGMENT rb4 STORAGE(INITIAL 50K NEXT 250K) tablespace rbs; -- Bring new rollback segments online and drop the temporary system one ALTER ROLLBACK SEGMENT rb1 ONLINE; ALTER ROLLBACK SEGMENT rb2 ONLINE; ALTER ROLLBACK SEGMENT rb3 ONLINE; ALTER ROLLBACK SEGMENT rb4 ONLINE; ALTER ROLLBACK SEGMENT rb_temp OFFLINE; DROP ROLLBACK SEGMENT rb_temp ; 3. Increase the value for Oracle connections from the default of 50 to a value of 150 by editing the PROCESSES parameter of the $ORACLE_HOME/dbs/init.ora file. Note: Oracle connection requirements will vary greatly between enterprises. Set your connection value to a value appropriate for your environment. 4. Increase the Oracle tablespace from the default to the maximum amount available using the alter sql command. SQL Server 2000 Configuration SQL> alter database datafile <location of DBF file>\enrole1_data_001.dbf resize 500m SQL> alter database datafile <Oracle db location of DBF file>\enrole1_idx_001.dbf resize 500m This section describes pre-installation procedures and post-installation configuration steps for an installation of Microsoft SQL Server 2000 for use with Tivoli Identity Manager. In all cases, refer to SQL Server 2000 installation documentation for complete information. Preparing to Install SQL Server 2000 Complete the following procedures prior to installing SQL Server 2000 on a Windows system: 1. Ensure that you have the latest SQL Server 2000 service packs installed. 2. Log in to the Windows system with an Administrator account before launching the SQL Server installation. You are now ready to begin the SQL Server installation. Configuring SQL Server 2000 after Installation There are several post-installation tasks that must be completed to configure SQL Server 2000 for use in a Tivoli Identity Manager framework. 1. Launch the MS SQL Server Enterprise Manager. 2. Ensure that the mixed-mod authentication is enabled. a. Select Tools > SQL Server Configuration Properties... b. On the Security tab, ensure that SQL Server and Windows Authentication is selected. 3. Create a new database. a. Using the navigational tree, navigate to Microsoft SQL Servers > SQL Server group > (local) Windows NT > Databases. 20 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

33 b. Right-click the Databases node and select New Database. The Database Properties window appears. c. On the General tab, supply itimdb as a value for the Name field. d. On the Data Files tab, supply the following information: v Initial File Size (MB): 20 v Check the check box for Automatically grow file. v Select the radio button for Unrestricted file growth. e. On the Transaction Log tab, supply the following information: v Initial File Size (MB): 20 v Check the check box for Automatically grow file. v Select the radio button for Unrestricted file growth. f. Click OK. Chapter 3. Database Configuration 21

34 22 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

35 Chapter 4. Directory Server Configuration This chapter describes configuring the directory server. The steps assume that you previously installed the directory server and are ready to configure the directory server for Tivoli Identity Manager use. Notes: 1. IBM Directory Server Version 5.1 can install an instance of IBM DB2. Ensure that you do not install two instances of IBM DB2. For more information, refer to documentation for IBM Directory Server at For more information on supported directory servers, see Appendix B, Software and Hardware Requirements on Windows, on page If IBM Directory Server Version 5.1 was previously installed, there may be an unregistered instance of WebSphere Express, causing potential port conflicts. For more information, see Using Version 5.1 and WebSphere Application Server on the Same Computer on page 27. Choose one of the following: v IBM Directory Server Configuration v Sun ONE Directory Server Configuration on page 28 IBM Directory Server Configuration This section describes configuring the IBM Directory Server. The following steps refer to these variables: dirserver_installdir Directory in which you installed IBM Directory Server. For example: v AIX: /usr/ldap/ v Solaris: IBM Directory Server Version 4.1: /opt/ibmldapc/ IBM Directory Server Version 5.1: /opt/ldap/ v Windows: c:\program Files\IBM\ldap cd_installdir Directory on the CD. To locate the correct CD for your environment, see the CD1 description in Appendix A, Compact Discs, on page 87. versionspecific_slapd v IBM Directory Server Version 4.1 uses slapd as the command, and slapd32.conf as the file. v IBM Directory Server Version 5.1 uses ibmslapd as the command, and ibmslapd.conf as the file. my_suffix Any value that you define for the Tivoli Identity Manager suffix, such as com. To configure the IBM Directory Server, do the following: 1. Specify the Suffix for Tivoli Identity Manager on page 24 Copyright IBM Corp

36 2. Configure the Referential Integrity Plug-in for Tivoli Identity Manager 3. Restart the Directory Server on page Create the LDAP Suffix Object on page 26 Specify the Suffix for Tivoli Identity Manager To specify the suffix for Tivoli Identity Manager, log on to the IBM Directory Server system and perform the following steps: 1. Stop the IBM Directory Server before editing the versionspecific_slapd.conf file. The IBM Directory Server reads that file during initialization and replaces the file when IBM Directory Server terminates. 2. Edit the following file: v UNIX: <dirserver_installdir>/etc/versionspecific_slapd.conf v Windows: <dirserver_installdir>\etc\versionspecific_slapd.conf 3. Locate the line that reads: ibm-slapdsuffix: cn=localhost 4. Add a line below it that reads: ibm-slapdsuffix: dc=my_suffix where my_suffix is a value for the suffix that you define for Tivoli Identity Manager. 5. For the next step in the configuration, see Configure the Referential Integrity Plug-in for Tivoli Identity Manager. Configure the Referential Integrity Plug-in for Tivoli Identity Manager You can configure the referential integrity plug-in before or after you install Tivoli Identity Manager. To find the files appropriate for your environment, search CD 2 described in Appendix A, Compact Discs, on page 87. Locate the following directory: v AIX: DelRef/aix/ v SUN: DelRef/sun/ v Windows: DelRef\nt\ Locate the appropriate file: v libdelref Referential integrity plug-in library file for Tivoli Identity Manager v timdelref Tivoli Identity Manager configuration file To configure the referential integrity plug-in, do the following: 1. Copy the following plug-in library file for Tivoli Identity Manager from CD 2: v AIX: libdelref.a v Solaris: libdelref.so v Windows: libdelref.dll to the following directory server directory: v UNIX: <dirserver_installdir>/lib v Windows: <dirserver_installdir>\bin 2. Copy the Tivoli Identity Manager configuration file named timdelref.conf from the appropriate CD directory to the following directory server directory: 24 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

37 v UNIX: <dirserver_installdir>/etc v Windows: <dirserver_installdir>\etc 3. Modify the following directory server file: v UNIX: <dirserver_installdir>/etc/versionspecific_slapd.conf v Windows: <dirserver_installdir>\etc\versionspecific_slapd.conf Follow these steps: a. Search for this line in the file: ibm-slapdplugin: database path_to_rdbmfilename rdbm_backend_init where path_to_rdbmfilename has the value: v AIX: /lib/libback-rdbm.a v Solaris: /lib/libback-rdbm.so v Windows: /bin/libback-rdbm.dll b. Add the following on one line immediately below the previous line: v AIX: v v ibm-slapdplugin: preoperation <dirserver_installdir>/lib/libdelref.a DeleteReferenceInit file=<dirserver_installdir>/etc/timdelref.conf dn=dc=my_suffix Solaris: ibm-slapdplugin: preoperation <dirserver_installdir>/lib/libdelref.so DeleteReferenceInit file=<dirserver_installdir>/etc/timdelref.conf dn=dc=my_suffix Windows: ibm-slapdplugin: preoperation "<dirserver_installdir>/bin/libdelref.dll" DeleteReferenceInit file="<dirserver_installdir>\etc\timdelref.conf" dn=dc=my_suffix Note: To specify the path to the timdelref.dll and the timdelref.conf files on Windows, ensure that you enclose the value in double quote marks. Additionally, specify the path to the timdelref.dll file with a forward slash. 4. Restart the directory server. For more information, see Restart the Directory Server. Restart the Directory Server To stop and restart the IBM Directory Server, do the following: v Windows: Enter the following commands: net stop "IBM Directory Server version" net start "IBM Directory Server version" where version is one of the following IBM Directory Server versions: V4.1 V5.1 Alternatively, do the following: 1. Click Start > Settings > Control Panel > Administrative Tools > Services. 2. Right-click IBM Directory Server version. 3. On the pop-up menu, click Stop and then click Start. Chapter 4. Directory Server Configuration 25

38 v 4. Determine if the referential integrity plug-in is reconfigured. Examine the dirserver_installdir\var\versionspecific_slapd.log file for a message similar to the following: Plugin of type PREOPERATION is successfully loaded from c:/program Files/IBM/ldap/bin/libdelref.dll UNIX: 1. Enter the following: ps -ef grep versionspecific_slapd 2. Note the process ID (PID) number returned in the results of the previous command. 3. Enter the following to end the process: kill <PID> where <PID> is replaced by the PID value that was returned earlier. 4. Ensure that the process has ended by repeating the ps -ef grep versionspecific_slapd command until the process is not listed in the results of the command. 5. Restart the directory server to ensure that the new settings take effect. Enter the following command: versionspecific_slapd 6. Determine if the referential integrity plug-in is reconfigured. Examine the dirserver_installdir/var/ldap/versionspecific_slapd.log file for a message similar to the following: Plugin of type PREOPERATION is successfully loaded from /usr/ldap/lib/libdelref.a Create the LDAP Suffix Object You must specify the suffix and restart the directory server before you create the LDAP suffix object for Tivoli Identity Manager. To create the LDAP suffix object, do one of the following: v Command line: Create an LDIF file such as suffix.ldif that is similar to the following: dn: dc=my_suffix dc: my_suffix objectclass: top objectclass: domain v Use the ldapadd command to add the suffix. For example, enter the following on one line: <dirserver_installdir>/bin/ldapadd -i <full_path_to_suffix.ldif> -D <ldap_admin> -w <ldap_admin_password> LDAP administrative console: Create the suffix object with the value of objectclass set to domain. Use one of the following: IBM Directory Server version 4.1: Directory Management tool IBM Directory Server version 5.1: Administration console For example, use the IBM Directory Server version 5.1 Web administration console as follows: 1. Click Directory Management > Add an Entry. 2. Select domain as the Structural Object Class. Click Next. 3. Do not add Auxiliary Object Classes. Click Next. 4. For Relative DN, add dc=my_suffix. 5. For Required Attributes, add my_suffix. 26 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

39 6. Click Finish. 7. Click Directory Management > Manage Entries. The suffix dc=my_suffix should be listed with an object class of domain. Using Version 5.1 and WebSphere Application Server on the Same Computer If IBM Directory Server version 5.1 previously exists, its installation might have included WebSphere Express, which might not be registered on the target system. If you use Tivoli Identity Manager to install WebSphere Application Server on the same computer, the installation does not detect the instance of WebSphere Express. WebSphere Express and WebSphere Application Server will compete for the same set of ports. Before installing Tivoli Identity Manager and WebSphere Application Server, you must eliminate any potential port conflicts with WebSphere Express. The WebSphere Application Server uses the following default port settings: v HTTP Transport (port 1): 9080 v HTTP Transport (SSL, port 2): 9443 v HTTP Transport (port 3): 9090 v HTTP Transport (port 4): 9043 v Bootstrap/rmi port: 2809 v Simple Object Access Protocol (SOAP) connector port: 8880 Use a text editor to change each default port that WebSphere Express uses to an unused port. For example, do the following: v Modify each of the HTTP Transport port numbers in the following files: dirserver_installdir\appsrv\config\cells\defaultnode\nodes\defaultnode\servers\server1\server.xml dirserver_installdir\appsrv\config\cells\defaultnode\virtualhosts.xml Replace the following HTTP Transport port numbers with unused port numbers: v Bootstrap/rmi port: 2809 Locate the line containing the port number 2809 and replace it with an unused port number. The line is in the following file: dirserver_installdir\appsrv\config\cells\defaultnode\nodes\defaultnode\serverindex.xml v SOAP connector port: 8880 Locate the line containing the port number 8880 and replace it with an unused port number. The line is in the following file: dirserver_installdir\appsrv\config\cells\defaultnode\nodes\defaultnode\serverindex.xml Chapter 4. Directory Server Configuration 27

40 Sun ONE Directory Server Configuration Note: In the following statements, my_suffix is any value for the suffix that you define for Tivoli Identity Manager, such as com. To configure the Sun ONE Directory Server, do the following: 1. Start the iplanet Console. The iplanet Console login dialog window appears. 2. Verify the port number in the Administration URL, type in your password, and click OK. 3. Go to your Directory Server in the console tree and click Open. 4. Select the Configuration tab. 5. Right-click Data in the directory server tree on the Configuration tab, and click New Root Suffix. The Create new root suffix dialog window appears. 6. Type dc=my_suffix in the New suffix text field on the Create new root suffix dialog window. 7. Type the desired database name in the Database name text field. For example, type the following: itimdb 8. Select the Create associated database automatically check box if it is not selected and click OK. The Confirmation Needed dialog window appears. 9. On the Confirmation Needed dialog window, click Yes. The Directory Server console reappears. 10. Select the Directory tab. 11. Right-click the name of the directory server in the directory server tree. A pop-up menu appears. 12. Select dc=my_suffix under New Root Object in the pop-up menu. The New Object dialog window appears. 13. Select domain and click OK. The Property Editor dialog window for dc=my_suffix appears. 14. Click OK in the Property Editor dialog window. The Directory Server console reappears. 15. Select the Tasks tab and click Restart the Directory Server. The Sun ONE Directory Server is now set up. 16. Increase the memory cache available for the Tivoli Identity Manager Server by completing the following procedures: a. Open the directory server console and click the Configuration tab. b. Expand the Data node in the directory tree and click the Database Settings tab. c. Click the LDBM Plug-in Settings tab. d. Set the Maximum Cache Size setting to an appropriate value based on your hardware s physical memory. If Sun ONE Directory Server is installed on its own machine, it is recommended that this value be set to 75% of the system s available memory. 28 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

41 e. Click Save. f. Expand the Tivoli Identity Manager application node. For example, this could be dc=com. g. Select the database object in the Tivoli Identity Manager application node and click the Database Settings tab. h. Set the Memory available for cache setting to an appropriate value based on your hardware s physical memory. If Tivoli Identity Manager is the only application using this directory, it is recommended that this value be set to 60% of the Maximum Cache Size set on the LDBM Plug-in Settings tab. i. Click Save. j. Click the Tasks tab and restart the directory server. Chapter 4. Directory Server Configuration 29

42 30 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

43 Chapter 5. Single-server Installation: Tivoli Identity Manager Server Before You Begin This chapter describes tasks that install and configure the Tivoli Identity Manager Server in a single-server configuration. On a computer on which WebSphere Application Server base is not previously installed, the single-server installation process will automatically install the following applications and fix packs based on the following conditions: v WebSphere Application Server base WebSphere Application Server, Fix Pack 2, and the APARS listed in Appendix B, Software and Hardware Requirements on Windows, on page 93 are automatically installed if any of the following do not exist on the target system: WebSphere Application Server Version 5.0 or lower WebSphere Application Server Network Deployment v IBM HTTP Server IBM HTTP Server is installed if IBM HTTP Server does not exist, or if a version lower than exists. v WebSphere embedded messaging support v Tivoli Identity Manager Server Note: If WebSphere Application Server 5.0 is already installed, the Tivoli Identity Manager installs only Tivoli Identity Manager Server. For specific application versions and fix packs, see Appendix B, Software and Hardware Requirements on Windows, on page 93. Installation tasks include the following: v Before You Begin v Installing Tivoli Identity Manager Server on page 38 Before you begin, do the following: v Ensure that the following Tivoli Identity Manager prerequisites are running: Table 1. Prerequisite applications Prerequisite For more information, see Database Chapter 3, Database Configuration, on page 11 Directory server Chapter 4, Directory Server Configuration, on page 23 v v Ensure free disk space, virtual memory, and other space requirements are met. For more information, see Appendix B, Software and Hardware Requirements on Windows, on page 93. If the Tivoli Identity Manager installation process installs the WebSphere Application Server, the target system must meet the requirements described in Appendix B, Software and Hardware Requirements on Windows, on page 93 and also in Appendix C, Preparing the WebSphere Environment, on page 97. Copyright IBM Corp

44 v v v v v For additional information on WebSphere requirements, refer to documentation provided by WebSphere Application Server. Ensure you have the correct administrative authority. If not, obtain the authority and restart the system to activate the proper authorization. On Windows, the user must be in the Administrators Group (but not be the Administrator user). The user in the Administrators Group should have the following rights: Act as part of the operating system Log on as a service To determine the user rights that are selected, do the following: 1. Click Start > Control Panel. 2. On the Control Panel, click Administrative Tools > Local Security Policy > Local Policies > User Rights Assignment. 3. Click the appropriate rights to select them. If WebSphere Application Server was previously installed and WebSphere Global Security is already turned on, complete the necessary manual steps after installing Tivoli Identity Manager. For more information on those post-installation steps, see Manual Steps on Single-node Deployments After Installing Tivoli Identity Manager on page 106. For more information on Global Security, refer to documentation provided by WebSphere Application Server. Determine whether instances of the following currently exist on the target computer and take the necessary corrective actions: Do WebSphere Application Server base and Fix Pack 2 already exist? Notes: 1. You must apply the fix pack and interim fix requirements described in Appendix B, Software and Hardware Requirements on Windows, on page 93 either before or after installing Tivoli Identity Manager. 2. The installer will detect the existence of the WebSphere Application Server 5.0 and also Fix Pack 2. If WebSphere Application Server 5.0 exists but Fix Pack 2 does not exist, installation will prompt a warning message, but will not install the Fix Pack 2. Installation will also detect the WebSphere Application Server Network Deployment Fix Pack 2. For more information, see Appendix B, Software and Hardware Requirements on Windows, on page 93. Does WebSphere embedded messaging support already exist? If WebSphere Application Server already exists on the target system, the installation process does not check whether WebSphere embedded messaging support also exists. In this case, if WebSphere embedded messaging support does not exist, run the WebSphere Application Server installation program again to install WebSphere embedded messaging support. If WebSphere Fix Pack 2 has been applied to WebSphere Application Server base, you must run the same Fix Pack to apply patches for the WebSphere embedded messaging support. Verify that the WebSphere Application Server transaction service settings are large enough to handle Tivoli Identity Manager loads for your business processes. See Configuring WebSphere Application Server Transaction Service Settings on page 103 for detailed information on modifying these settings. If you do not modify the settings to handle your business process loads, requests can time out before completing. Ensure you have resolved any port problems, if you have more than one version of WebSphere Application Server installed on the computer. For more information, see Resolving Port Problems on page IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

45 v v On the computer on which Tivoli Identity Manager will be installed, set the appropriate value for your locale to ensure the language format is recognized. Ensure that the WebSphere Application Server Fix Pack 2 is also applied on the computer on which the Web server is installed. Stop the Web Server before installing the fix pack. v Note: There may be several WebSphere Web plug-ins in the configuration, including a WebSphere Web Server plug-in on the computer that has WebSphere Application Server Network Deployment. Complete the information worksheet for your configuration. Resolving Port Problems The following port problems may occur: v Before installing Tivoli Identity Manager, ensure the same SOAP port for WebSphere 5.0 is defined at the following locations: com.ibm.ws.scripting.port in the following file: {WAS_HOME}\properties\wsadmin.properties Port under SOAP_CONNECTOR_ADDRESS of server1 in the following file: {WAS_HOME}\config\cells\<cell_name>\nodes\<node_name>\serverindex.xml If the values are different, correct the port number as follows: 1. Open the wsadmin.properties file. 2. Change the value of com.ibm.ws.scripting.port to the value you find in the serverindex.xml file. v Note: If installation failed because the SOAP port number was incorrect, correct the port specification and rerun the {ITIM_HOME}/bin/runConfig install command. After installation completes, the Tivoli Identity Manager logon process will fail if virtual host port values are different than the values that Tivoli Identity Manager requires. Tivoli Identity Manager requires virtual host port values of 80 and Port 9443 is used if secure communication is enabled. Installing one instance of a WebSphere server on a computer will specify the correct values for the virtual host port numbers that Tivoli Identity Manager expects to use. However, installing a second instance of a WebSphere server such as Network Deployment Manager on the same computer will automatically advance the port numbers specified for the Network Deployment Manager. For example, the virtual host port numbers advance from 80 to 81, and from 9443 to You must reconfigure the port numbers to be the numbers that Tivoli Identity Manager requires. To correct the virtual host port numbers, access the WebSphere administrative console and do the following: 1. Click Environment > Virtual Hosts > Default Host > Host Aliases. 2. Change the virtual host port values to 80 and to Save the configuration to the master repository, selecting Synch Changes with Nodes. 4. Click Update Web Server Plugin and click OK. 5. Restart the cluster. Chapter 5. Single-server Installation: Tivoli Identity Manager Server 33

46 Information Worksheet for Single-Server Installation Collect the following information before you begin the installation: Database Information Collect the following information for the relational database management system: Admin ID The Administrator User ID (the db2instancename as database instance owner) that you created when installing the database. For example, the default for IBM DB2 is the following: v UNIX: db2inst1 v Windows: db2admin For more information, see IBM DB2 Configuration on page 11. Admin Password The password for the Administrator user ID. Database Name Specifies how the Tivoli Identity Manager Server connects to the database. If the database is installed locally, the Database Name is the name of the database. For example, the value of Database Name is itimdb. Ifthe database is installed remotely, the Database Name is the local alias name of the remote database. For more information on using the catalog command to specify the remote database, see Configuring the IBM DB2 JDBC Driver on page 14. Database Type Type of database used for your system. For example, the database is IBM DB2. Credentials for the database: Database User The account that Tivoli Identity Manager Server uses to log in to the database. The user ID is enrole. Note: This user ID cannot be changed. User Password Password for the account that Tivoli Identity Manager Server uses to log in to the database. IP Address IP address of the database server. Not required for IBM DB2. Required for Oracle and SQL Server Port Number Port number of the database server. Not required for IBM DB2. Required for Oracle and SQL Server Additionally, the installation process reports the following Database Pool information. The database pool information determines the number of JDBC 34 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

47 connections that Tivoli Identity Manager Server can open to the database. For more information, refer to the Tivoli Identity Manager Server Configuration Guide. Evaluate the following values in relation to your site needs: Initial Capacity Initial number of JDBC connections that Tivoli Identity Manager Server can open to the database Maximum Capacity Maximum number of JDBC connections that Tivoli Identity Manager Server can open to the database at any one time Login Delay Seconds Time, in seconds, between connections Directory Server Information Collect the following information: Host name Fully-qualified host name of the directory server. For example, identity1.mylab.mydomain.com. Identity Manager DN Location The value such as dc=com that you enter in the Location field must match the suffix (for example, dc=com) that you created when you configured LDAP. For more information, see Chapter 4, Directory Server Configuration, on page 23. Name of your organization The value that you enter in the Name of Your Organization field will be displayed in the organization chart that is displayed on many of the Tivoli Identity Manager graphical user interface screens. This value is typically the more formal name of your company. For example, an organization name is IBM Corporation. Note: You may enter either single-byte character set (ASCII) characters or double-byte character set characters in this field. Default Org Short Name The value that you enter in the Default Org Short Name field will be used internally in IBM Directory Server to represent your organization. This value is typically an abbreviation of your company name. For example, a short name is ibmcorp. Note: Enter only single-byte character set (ASCII) characters in the Default Org Short Name field, such as an identifier in English. Number of hash buckets A hash bucket is used to apportion data items for sorting or lookup purposes. Evaluate the default value (1) in relation to your site needs. Port Port on which the directory server is listening, such as 389. Principal DN The Principal Distinguished Name user ID. For example, cn=root. Chapter 5. Single-server Installation: Tivoli Identity Manager Server 35

48 Password The password of the Principal Distinguished Name user ID that you created when installing the directory server. Additionally, the installation process reports the following LDAP Connection Pool Information fields for a pool of LDAP connections accessible by Tivoli Identity Manager Server. For more information, refer to the Tivoli Identity Manager Server Configuration Guide. Evaluate the following values in relation to your site needs: Max. pool size Maximum number of connections the LDAP Connection Pool can have at any time Initial pool size Initial number of connections created for the LDAP Connection Pool Increment count Number of connections added to the LDAP Connection Pool every time a connection is requested once all connections are in use WebSphere Application Server Information for Single-Server Installation WebSphere Application Server installation for a single-server configuration has the following fields. For more information, see Appendix C, Preparing the WebSphere Environment, on page 97. Administrator user ID Required if WebSphere Application Server is to be installed. This is used to create WebSphere Application Server and IBM HTTP Server services. The user ID must have the following rights or Tivoli Identity Manager installation will fail: v Act as part of the operating system v Log on as a service Administrator password The Administrator user ID password Host name of the workstation Displayed during single-server installation, the valid host name of the physical computer on which WebSphere Application Server base is installed. This field does not appear if WebSphere Application Server base is already installed. Note: If Dynamic Host Configuration Protocol (DHCP) is used to determine the IP address of the computer, do not use the fully qualified host name of the computer. Use only the short name. Installation directory Installation directory for WebSphere Application Server base. For example, the directory is drive:\program Files\WebSphere\AppServer. This field has the following conditions: v Required if Tivoli Identity Manager installation installs WebSphere Application Server base. 36 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

49 v For confirmation purposes, if WebSphere Application Server base is already installed. Node name The user-defined node name is usually specified to be identical to the host name for a physical computer with a fixed IP host address. Port Port on which the WebSphere Application Server is listening. The default is You must ensure that this port is available. This field does not appear if WebSphere Application Server base is already installed. Server Name If WebSphere Application Server was previously installed, this field prompts for the WebSphere Application Server name. This is the WebSphere Application Server to which you deploy Tivoli Identity Manager during a single-server installation. Security settings The following fields appear on the System Configuration Security tab. Encryption (checkbox) Encrypts the password of the database, LDAP, and WebSphere Application Server administrator user identifier in the Tivoli Identity Manager property files. Application Server User Management Enables you to set and confirm the password for the following users: System User The WebSphere Application Server user ID and password. Required only if WebSphere Global Security is on. This is the user ID that has a value such as wasadmin, described in the manual steps in Security for WebSphere on page 105. EJB User A user and password that you must have defined prior to starting installation. Required only if WebSphere Global Security is on. This is the user ID that has a value such as itimadmin, described in the manual steps in Security for WebSphere on page 105. Note: If this field is pre-filled when it appears, the field might contain the value of wasadmin. Change the field to the value of itimadmin. WebSphere Embedded Messaging Server and Client Collect the following information: Installation directory This is the directory in which WebSphere embedded messaging support is installed. Chapter 5. Single-server Installation: Tivoli Identity Manager Server 37

50 IBM HTTP Server Information Collect the following information: Installation directory Displayed during single-server installation. This field appears only if both WebSphere Application Server and IBM HTTP Server are not installed. This is the directory in which IBM HTTP Server is installed. Tivoli Identity Manager Information Note the following information for Tivoli Identity Manager: Encryption key The key can be any word or phrase. The key is used to encrypt Tivoli Identity Manager passwords and other sensitive text. The value is stored in the enrole.properties file as enrole.encryption.password. Logging level Displays how verbose the logs are when tracing system errors. System administrators can select how detailed the log file should be by setting the Logging Level field number between INFO and FATAL. The more severe the logging level, the better the performance of the system because less information is written to the log file. Mail server name SMTP mail servers are supported. The SMTP host is the mail gateway. User ID itim manager The Tivoli Identity Manager user ID. The default value after installation is itim manager. Use this user ID when you log on to Tivoli Identity Manager. Password secret Password for the Tivoli Identity Manager administrator user ID specified as itim manager. The default password immediately after installation is secret. Installing Tivoli Identity Manager Server Note: You will be forced to change the administrator account password when you log on to Tivoli Identity Manager Server. The following flowchart describes the basic sequence of events during installation of Tivoli Identity Manager Server in a single-server configuration: 38 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

51 Install Type? Cluster/ Functional Cluster Cluster Install Single Server Enter installation directory Select database type WebSphere already installed? No WebSphere, HTTP server directories Yes Confirm WebSphere directory Enter node name, server name WebSphere MQ directory WebSphere security? Yes Enter Credential Host name WebSphere node name No Windows Administrator User ID and Password Encryption key Pre-install summary Configure database Configure LDAP Configure System Figure 5. Single-server installation flowchart (Windows) To install the Tivoli Identity Manager Server in a single-server configuration, complete the following steps: 1. Navigate Initial Welcome and Licensing Windows on page 40 Chapter 5. Single-server Installation: Tivoli Identity Manager Server 39

52 2. Select the Installation Type and Installation Directory on page Select the Database on page Complete the Windows for a Single-server Installation on page Specify WebSphere Global Security on page Specify an Encryption Key and Read the Pre-Installation Summary on page Installation Progress and Additional Configuration Activities on page Logs and Directories for Single-Server Installation on page Complete Security Configuration on page Testing Tivoli Identity Manager Server Communication on page 54 Navigate Initial Welcome and Licensing Windows A series of welcome and licensing windows start the installation process. To navigate the initial windows, do the following: 1. Log on to the computer where the Tivoli Identity Manager Server will be installed. Notes: a. You must log on using an account with system administration privileges (Administrator). 2. Insert the Tivoli Identity Manager product CD into the CD-ROM drive. To locate the correct CD for your environment, see Appendix A, Compact Discs, on page Click Start > Run. 4. Type your CD-ROM drive and then type the following command: instw2k-was.exe The Welcome window opens. Figure 6. Welcome window Note: If your logon account does not have permission to execute instw2k-was.exe, you must grant the account permission to execute this file. 5. To change the language that is used only on the installation panels, click the down arrow in the box indicating English and select another language. Click OK. Note: This choice does not select the language pack with which Tivoli Identity Manager application subsequently runs. 40 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

53 The License Agreement window opens. 6. Read the license agreement and decide whether to accept its terms. If you do, click Accept. Click Next. Select the Installation Type and Installation Directory The Choose Installation Type window opens. Figure 7. Choose Installation Type window Do the following: 1. Select the Single Server option, and click Next. The Choose Install Directory window opens. 2. Accept the default installation directory c:\itim45 or select another directory by clicking Choose... Click Next. Select the Database The Choose Database Type window opens. Select one of the following database types and click Next: v IBM DB2 Universal Database v Oracle. For more information, see Oracle Installation and Configuration for Tivoli Identity Manager on page 16. v SQL Server For more information, see SQL Server 2000 Configuration on page 20. Complete the Windows for a Single-server Installation The following sequence occurs for a single-server installation if WebSphere Application Server and IBM HTTP Server are not detected: Note: If the installation detects existing applications, an altered sequence occurs. Chapter 5. Single-server Installation: Tivoli Identity Manager Server 41

54 1. A window requests the installation directories used for WebSphere Application Server, IBM HTTP Server, and the WebSphere embedded messaging server and client. Figure 8. Enter Following Data for Installing WebSphere Application Server window Accept the default directories, or enter alternate directories in which you plan to install WebSphere Application Server and IBM HTTP Server. On Windows, an additional window requests the directory for WebSphere embedded messaging support. Click Next. Note: If a previously-existing WebSphere Application Server at the correct version is detected, an alternate window appears. If a previously existing IBM HTTP Server at the correct version is detected, its field does not appear on this window. 2. A subsequent window prompts for the host name of the workstation, a node name, and the port on which WebSphere Application Server listens. Note: If WebSphere Application Server is already installed, a window will prompt you for the WebSphere node name and WebSphere Application Server name. If DHCP is used to determine the IP address of the computer, do not use the fully qualified host name of the computer. Use only the short name. For example, identity1 is the short name and identity1.tivlab.raleigh.ibm.com is the fully qualified name. 42 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

55 Figure 9. Data for Installing WebSphere Application Server Base window Accept the defaults or modify them appropriately. Click Next. 3. If Tivoli Identity Manager installs the WebSphere Application Server, additional windows describe the prerequisites that WebSphere Application Server requires. Note the requirements. Click OK. 4. A window appears that requests a Windows 2000 Administrator user ID and password. Complete the fields and click OK. Ensure the user ID has the following user rights: v Act as Part of the Operating System v Log on as Service Specify WebSphere Global Security The WebSphere Security window opens. Note: The WebSphere Security and credential windows are displayed only when WebSphere Application Server is already installed. Chapter 5. Single-server Installation: Tivoli Identity Manager Server 43

56 Figure 10. WebSphere Security window If WebSphere Global Security is on, click WebSphere Security Enabled. An additional window requires you to specify the WebSphere Application Server user ID and password. This is the wasadmin user ID described in the manual steps in Security for WebSphere on page 105. Figure 11. WebSphere Administrator Credentials window Provide the user ID and password and click Next. 44 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

57 Specify an Encryption Key and Read the Pre-Installation Summary The Specify the Encryption Key window opens followed by an installation summary window. Figure 12. Specify the Encryption Key window 1. Provide an encryption key, which can be any word or phrase. The key is used to encrypt Tivoli Identity Manager passwords and other sensitive text. The value is stored in the enrole.properties file as enrole.encryption.password. Click Next. The Pre-install Summary window opens, listing components to be installed, the required free disk space, and the installation directory such as c:\itim Ensure that the required disk space is available before continuing, and click Install. If Tivoli Identity Manager installs the WebSphere Application Server, a window appears after an interval of time, and requests the directory that contains the WebSphere Application Server installation binary. 3. Specify the location for the installation files on Windows as mount_point\nt and click Next: A series of installation progress windows open during the interval that installation requires. On a computer that has the minimum required resources, the interval can be significant. Chapter 5. Single-server Installation: Tivoli Identity Manager Server 45

58 Figure 13. Installation progress window Installation Progress and Additional Configuration Activities The installation process installs Tivoli Identity Manager Server over an interval of time. After installation, additional windows automatically open: 1. Initial Configuration of Tivoli Identity Manager Database 2. Initial Configuration of the Directory for Tivoli Identity Manager on page Initial Configuration of Tivoli Identity Manager on page 48 Initial Configuration of Tivoli Identity Manager Database A database configuration window opens for the following configurations: v Single-server v Cluster or functional cluster installation on the computer that has the Network Deployment Manager This configuration activity configures property files and sets up tables in the Tivoli Identity Manager database. Do the following: 1. Enter the appropriate values when the Tivoli Identity Manager Database Configuration window opens. 46 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

59 Figure 14. Database configuration window Note: If you are using Oracle for your database, you must copy the Oracle JDBC driver into the <ITIM_HOME>/lib directory and also into the {WAS_HOME}/installedApps/enrole.ear directory for WebSphere Application Server before continuing with the IBM Tivoli Identity Manager Database Configuration window. A copy of the Oracle JDBC Driver (in the file named classes12.zip) is available on a supplementary CD described in Appendix A, Compact Discs, on page Complete the database configuration fields for the database that Tivoli Identity Manager uses. If the database is IBM DB2, the IP Address and Port Number fields are greyed out. These fields are required for other databases. For example, the value of the Database Name or Alias is an entry such as itimdb. The value of the Admin ID field is one of the following: v UNIX: db2inst1 v Windows: db2admin For more information, see Configure the IBM DB2 Server on page Click Test. When the database test is successful, the User ID and User Password fields on the Database Configuration window become active. 4. Complete the fields with appropriate values and click Continue. Initial Configuration of the Directory for Tivoli Identity Manager A directory server configuration window opens for the following configurations: v Single-server v Cluster or functional cluster installation on the computer that has the Network Deployment Manager Enter the appropriate values to initially configure the directory server to recognize Tivoli Identity Manager. Do the following: Chapter 5. Single-server Installation: Tivoli Identity Manager Server 47

60 1. Enter values for the LDAP Server Information fields. For example, the value of the Host Name field is the fully qualified host name of the computer on which the directory server is running. Figure 15. Directory configuration window 2. Click Test. When the test for a connection to the directory server is successful, the fields in the Identity Manager Directory Information section become active. 3. The value of the Identity Manager DN Location is dc=my_suffix, specifying the suffix for Tivoli Identity Manager. For more information, see Specify the Suffix for Tivoli Identity Manager on page 24. Complete the fields appropriately and click Continue. Initial Configuration of Tivoli Identity Manager For all installation types, use the System Configuration window that the Tivoli Identity Manager Server provides to change values for the database server, the directory server, and other services: 1. The General tab is the first of a series of the System Configuration tabs that are used to configure the Tivoli Identity Manager Server. 48 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

61 Figure 16. General tab window Field values on the General tab will be prefilled. For more information on these fields, refer to system configuration information in the Tivoli Identity Manager Server Configuration Guide. 2. Click the Directory tab. The Directory tab window opens. Figure 17. Directory tab window If necessary, modify the information for the directory server. If this installation is on a cluster member, the information must match the LDAP specification previously made for the Network Deployment Manager. 3. Click the Database tab. The Database tab window opens. Chapter 5. Single-server Installation: Tivoli Identity Manager Server 49

62 Figure 18. Database tab window 4. Provide the Database Name connection information for the Tivoli Identity Manager database. For example, the value of Database Name may be itimdb. The default user ID is enrole. If this installation is on a cluster member, the information must match the database specification previously made for the Network Deployment Manager. 5. Click Logging. The Logging tab window opens. Figure 19. Logging tab window 6. Either accept the default value of WARN or change the values to more or less verbose, depending on site performance considerations. 7. Click the Mail tab. The Mail tab window opens. 50 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

63 Figure 20. Mail tab window 8. Enter required values on the Mail tab and click OK. For more information on these fields, refer to the Tivoli Identity Manager Server Configuration Guide. Notes: a. The value of the Identity Manager Server URL field is the URL of the proxy server (for example, the IBM HTTP Server that is used to log on Tivoli Identity Manager). b. Change the Mail From address to the Tivoli Identity Manager system administrator address for your site. You must change this address, or you will send spam to the address listed. 9. Click UI. The UI tab window opens. Figure 21. UI tab window 10. Either accept the defaults on the UI tab or modify the logo and address information to specify your organization s customized Welcome display and Web address. The List Page Size specifies how many items will be displayed Chapter 5. Single-server Installation: Tivoli Identity Manager Server 51

64 on lists throughout the user interface. For more information, refer to the Tivoli Identity Manager Server Configuration Guide. Click OK. 11. Click Security. The Security tab window opens. Figure 22. Security tab window If WebSphere Global Security is on, and an administrator user ID and password have been entered, these fields are prefilled. The fields are blank if WebSphere Global Security is not on. Notes: a. The initial values for the EJB User and Password fields are the values of the System User and Password fields. You might need to modify the EJB User and Password fields. The length of the EJB user ID must be fewer than 12 characters. b. If you change the value of the EJB user ID or the EJB password on this system configuration Security window, then manual steps are required after Tivoli Identity Manager installation to map the security role to the ITIM user in order to start Tivoli Identity Manager. For more information, see Appendix D, Security Considerations, on page Click OK to complete the system configuration. 13. Additionally, ensure that other values are appropriate to run the configuration that Tivoli Identity Manager and related applications use. Logs and Directories for Single-Server Installation When the system configuration is complete, note the following log locations: Table 2. Install log file names and directories File names dbconfig.stdout ldapconfig.stdout itim45_installer_debug.txt runconfig.stdout (on cluster install) runconfigtmp.stdout (on single server and Network Deployment Manager) Directory {ITIM_HOME}\install_logs 52 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

65 Table 2. Install log file names and directories (continued) File names itim45_install.stdout itim45_install.stderr Directory system root Tivoli_Identity_Manager_InstallLog.log log.txt ihs_log.txt mq_install.log server1/systemout.log itim.log If installation completes successfully, the directory is {ITIM_HOME}. If installation fails, the log file will be on the Windows desktop. {WAS_HOME}\logs For more information on WebSphere Application Server log files, refer to WebSphere Application Server documentation. Complete Security Configuration If you intend to enable J2EE security, do the following: v v Complete the manual steps to complete the mapping and restart J2EE security after installing Tivoli Identity Manager. For more information, see Manual Steps on Single-node Deployments After Installing Tivoli Identity Manager on page 106. Ensure that the was.policy file exists. For more information, see Configuring the was.policy File on page 106. Using runconfig after Installing Tivoli Identity Manager Use the runconfig command after installing Tivoli Identity Manager to complete system configuration for activities such as the following: v v Change the password of the enrole user. Specify password encryption and update Tivoli Identity Manager EJB user IDs and passwords. For more information, see descriptions of tabs on the System Configuration window in Initial Configuration of Tivoli Identity Manager on page 48. For more information on using the runconfig command, see the Tivoli Identity Manager Server Configuration Guide. Optionally Installing a Language Pack After installing Tivoli Identity Manager, if the default language is not English, optionally obtain and mount the language pack CD for the Tivoli Identity Manager Server. Use command line mode to install the language pack. For example, enter the following: java jar itimlp_setup.jar The Tivoli Identity Manager language pack setup program will start. To complete the language pack installation, follow the instructions that appear in the setup program panels. Chapter 5. Single-server Installation: Tivoli Identity Manager Server 53

66 Note: To run the Tivoli Identity Manager language pack setup program, Java runtime environment should be accessible from the command line. Testing Tivoli Identity Manager Server Communication To test whether the database, the directory server, and the Tivoli Identity Manager Server are correctly configured and communicating with each other, do the following: 1. Test the JDBC driver to ensure that it is running: a. Before you begin, ensure that the database server and the WebSphere Application Server are running. For more information on starting the WebSphere Application Server, refer to documentation that the WebSphere Application Server provides. b. Access the WebSphere Application Server administrative console. c. Click Resources > JDBC Providers. Select the target node. d. Select the scope as server, select a target server such as server1, and then click Apply. e. Scroll to the list of JDBC providers and double-click ITIM JDBC Provider. f. Scroll the dialog that appears to view the Additional Properties. Click Data Sources. g. In the Data Sources dialog that appears, click Test Connection. A message appears that indicates the test result. If the test fails, ensure that you sourced the IBM DB2 profile correctly. If you are using IBM DB2 Version 7.1 or 7.2 with the fix packs this product requires, ensure that you ran the usejdbc2 shell script in the shell before starting WebSphere Application Server. Test the connection again. If the connection does not work, verify that the enrole user ID and password are configured correctly. If the IBM DB2 server is remote, ensure that the same IBM DB2 fix pack level is applied to both the database server and the client. Note: Fix Pack 3 will migrate the IBM DB2 Version 7.1 environment to the IBM DB2 Version 7.2 general availability level. For more information, see Appendix B, Software and Hardware Requirements on Windows, on page The single-server installation automatically starts Tivoli Identity Manager Server. If the server is not running, start Tivoli Identity Manager Server and any prerequisite applications. If IBM DB2 is used, ensure that you source the IBM DB2 profile prior to starting the WebSphere Application Server. Click Start > Programs > IBM WebSphere > Application Server v5.0 > Start Server. Alternatively, you can enter the following: {WAS_HOME}\bin\startServer.bat servername For example: {WAS_HOME}\bin\startServer.bat server1 3. Log on to Tivoli Identity Manager. For example, at a browser window, type the following: where hostname is the fully-qualified name or IP address of the computer on which Tivoli Identity Manager Server is running. 54 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

67 Server-Agent Communication Notes: a. Do not start two separate browser sessions from the same client computer. The two sessions are regarded as one session ID, resulting in problems with data. b. If you cannot log on after the Tivoli Identity Manager installation installs both WebSphere Application Server and Tivoli Identity Manager, do the following: 1) Log off and log on the user to the system. 2) Again attempt to log on to Tivoli Identity Manager. 3) If you cannot log on to Tivoli Identity Manager, then reboot the system, which might correct certain environment settings and WebSphere embedded messaging support queue problems. c. If you log on using the single sign-on capability and need to select a language, append /language to the Web site address. For example, enter: For more information on configuring the language default for your Web browser, refer to the Tivoli Identity Manager Server Configuration Guide. 4. Enter the Tivoli Identity Manager administrator user ID ( itim manager ) and password (immediately after installation, the value is secret ). 5. Take the necessary steps to create a user (an ITIM user). For more information, refer to online help or to the Tivoli Identity Manager Policy and Organization Administration Guide. For more information on processes that should be running, refer to the Tivoli Identity Manager Server Configuration Guide. Using the Tivoli Identity Manager system with a Tivoli Identity Manager agent will require production certificates to ensure that secure communication occurs between the Tivoli Identity Manager server and the agent. The Certificate Authority that corresponds to the Tivoli Identity Manager agent s certificate must be located in the {ITIM_HOME}\cert directory. For supported certificate types, refer to the Tivoli Identity Manager Server Configuration Guide and to a specific agent s installation guide for more information. Notes: 1. Install one agent profile at a time, and complete the profile installation before installing another agent profile. Installing multiple profiles at the same time might cause the Tivoli Identity Manager Server to force a reboot. 2. If the default language is not English, before installing the first Tivoli Identity Manager agent, optionally obtain and mount the language pack CD for the Tivoli Identity Manager agents. Use command line mode to install the language pack for the agents on the Tivoli Identity Manager Server: java jar itimlp_agents_setup.jar The Tivoli Identity Manager language pack setup program will start. To complete the language pack installation, follow the instructions that appear in the setup program panels. Note: To run the Tivoli Identity Manager language pack setup program, Java runtime environment should be accessible from the command line. Chapter 5. Single-server Installation: Tivoli Identity Manager Server 55

68 56 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

69 Chapter 6. Cluster Installation: Tivoli Identity Manager Server Before You Begin This chapter describes installing and configuring the Tivoli Identity Manager Server in either a cluster or functional cluster configuration. Before continuing, read WebSphere Environment Limitations using Tivoli Identity Manager on page 10. Notes: 1. In a cluster environment, Tivoli Identity Manager installation does not automatically install WebSphere Application Server. Install and configure the WebSphere components before you install Tivoli Identity Manager on a cluster. 2. Installing Tivoli Identity Manager on clusters must be done sequentially, one computer at a time. 3. For required application versions and fix packs, see Appendix B, Software and Hardware Requirements on Windows, on page 93. Installation tasks include the following: v Before You Begin v Installing Tivoli Identity Manager Server on page 64 Before you begin, do the following: v Determine whether a pre-existing WebSphere Application Server configuration at your site is one of the configurations listed in WebSphere Environment Limitations using Tivoli Identity Manager on page 10. v Complete the steps to construct a WebSphere Application Server cell and one or more clusters, described in Creating Clusters Using Network Deployment Manager on page 59 and also in Configuring Tivoli Identity Manager Clusters on page 98. v Ensure that the following are running: Table 3. Applications that must be running Prerequisite For more information, see: Database Chapter 3, Database Configuration, on page 11 Directory server Chapter 4, Directory Server Configuration, on page 23 Network Deployment Manager Ensure that Network Deployment Manager and WebSphere Application Server node Node Agents are Running on page 102 agents WebSphere Application Server JMS servers This is WebSphere embedded messaging support Note: If WebSphere MQ Version 5.3 previously exists, see Using an Existing WebSphere MQ Version 5.3 on page 97. v v Ensure free disk space and virtual memory requirements are met. For more information, see Appendix B, Software and Hardware Requirements on Windows, on page 93. Ensure you have the correct administrative authority (Administrator). If not, obtain the authority and restart the system to activate the proper authorization. Copyright IBM Corp

70 v v v Ensure you have resolved any port problems. For more information, see Resolving Port Problems. On the computer on which Tivoli Identity Manager will be installed, set the appropriate value for your locale to ensure the language format is recognized. Ensure that the WebSphere Application Server Fix Pack 2 is also applied on the computer on which the Web server is installed. Stop the Web Server before installing the fix pack. v Note: There may be several WebSphere Web plug-ins in the configuration, including a WebSphere Web Server plug-in on the computer that has WebSphere Application Server Network Deployment. Complete the information worksheet for your configuration. Resolving Port Problems The following port problems may occur: v Before installing Tivoli Identity Manager, ensure the same SOAP port for WebSphere 5.0 is defined at the following locations: com.ibm.ws.scripting.port in the following file: {WAS_NDM_HOME}\properties\wsadmin.properties Port under SOAP_CONNECTOR_ADDRESS of server1 in the following file: {WAS_NDM_HOME}\config\cells\<cell_name>\nodes\<node_name>\serverindex.xml If the values are different, correct the port number as follows: 1. Open the wsadmin.properties file. 2. Change the value of com.ibm.ws.scripting.port to the value you find in the serverindex.xml file. v Notes: 1. If installation failed because the SOAP port number was incorrect, correct the port specification and rerun the runconfig command. 2. If both WebSphere Application Server Network Deployment and WebSphere Application Server are installed on the same system, use the port number from the serverindex.xml file that applies to the WebSphere Application Server Network Deployment Manager. After installation completes, the Tivoli Identity Manager logon process will fail if virtual host port values are different than the values that Tivoli Identity Manager requires. Tivoli Identity Manager requires virtual host port values of 80 and Port 9443 is used if secure communication is enabled. Installing one instance of a WebSphere server on a computer will specify the correct values for the virtual host port numbers that Tivoli Identity Manager expects to use. However, installing a second instance of a WebSphere server such as Network Deployment Manager on the same computer will automatically advance the port numbers specified for the Network Deployment Manager. For example, the virtual host port numbers advance from 80 to 81, and from 9443 to You must reconfigure the port numbers to be the numbers that Tivoli Identity Manager requires. To correct the virtual host port numbers, access the WebSphere administrative console and do the following: 1. Click Environment > Virtual Hosts > Default Host > Host Aliases. 58 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

71 2. Change the virtual host port values to 80 and to Save the configuration to the master repository, selecting Synch Changes with Nodes. 4. Click Update Web Server Plugin and click OK. 5. Restart the cluster. Creating Clusters Using Network Deployment Manager Note: For more information on specifying a WebSphere cell, see Configuring Tivoli Identity Manager Clusters on page 98. To create a cluster and populate it with cluster members, do the following using the WebSphere administation console before you begin installing Tivoli Identity Manager: 1. Log on to the Network Deployment Manager administrative console. 2. In the left pane, click Servers > Clusters. 3. Click New. The Create New Cluster dialog appears. 4. Enter a new cluster name. For example, enter ITIM_CLUSTER. Notes: a. If you are creating a functional cluster with multiple clusters, repeat this process and specify a cluster name such as ITIM_UI_CLUSTER for one cluster providing the Tivoli Identity Manager user interface tier, and ITIM_WF_CLUSTER for another cluster providing the Tivoli Identity Manager workflow tier. b. Cluster names are case sensitive. Note: 5. Click Next. The Create New Clustered Servers dialog appears. 6. Assuming you have several cluster members to specify, enter the name of a new cluster member, select its node, and click Apply. A list of cluster members appears at the bottom of the Create New Clustered Servers dialog. Examine the list to ensure that the new cluster member is added. 7. Add additional cluster members by entering the name of each new cluster member and selecting its node. When you are done adding all members, click Next. A Summary dialog appears with a list of cluster members. Examine the summary to ensure that the cluster member names and server names are correct. 8. Click Finish. 9. Click Cluster Topology, expand the tree of the cluster you created, and examine its members. 10. If the cluster is correctly specified, click Clusters and then click Save to save the new cluster to the Network Deployment Manager master repository. For more information on repositories used in a cluster, refer to information provided by Redbooks for WebSphere Application Server. For more information, see Prerequisite Product Publications on page viii. Chapter 6. Cluster Installation: Tivoli Identity Manager Server 59

72 Note: Select Synch changes with Nodes when you save the configuration. 11. Update the Web Server Plugin. To do so, click Environment > Update Web Server Plugin > OK. Information Worksheet for Cluster Installation Collect the following information before you begin the installation: Database Information Collect the following information for the relational database management system: Admin ID The Administrator User ID (the db2instancename as database instance owner) that you created when installing the database. For example, the default for IBM DB2 is the following: v UNIX: db2inst1 v Windows: db2admin For more information, see IBM DB2 Configuration on page 11. Admin Password The password for the Administrator user ID. Database Name Specifies how the Tivoli Identity Manager Server connects to the database. If the database is installed locally, the Database Name is the name of the database. For example, the value of Database Name is itimdb. Ifthe database is installed remotely, the Database Name is the local alias name of the remote database. For more information on using the catalog command to specify the remote database, see Configuring the IBM DB2 JDBC Driver on page 14. Database Type Type of database used for your system. For example, the database is IBM DB2. Credentials for the database: Database User The account that Tivoli Identity Manager Server uses to log in to the database. The user ID is enrole. Note: This user ID cannot be changed. User Password Password for the account that Tivoli Identity Manager Server uses to log in to the database. IP Address IP address of the database server. Not required for IBM DB2. Required for Oracle and SQL Server Port Number Port number of the database server. Not required for IBM DB2. Required for Oracle and SQL Server IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

73 Additionally, the installation process reports the following Database Pool information. The database pool information determines the number of JDBC connections that Tivoli Identity Manager Server can open to the database. For more information, refer to the Tivoli Identity Manager Server Configuration Guide. Evaluate the following values in relation to your site needs: Initial Capacity Initial number of JDBC connections that Tivoli Identity Manager Server can open to the database Maximum Capacity Maximum number of JDBC connections that Tivoli Identity Manager Server can open to the database at any one time Login Delay Seconds Time, in seconds, between connections Directory Server Information Collect the following information: Host name Fully-qualified host name of the directory server. For example, identity1.mylab.mydomain.com. Identity Manager DN Location The value such as dc=com that you enter in the Location field must match the suffix (for example, dc=com) that you created when you configured LDAP. For more information, see Chapter 4, Directory Server Configuration, on page 23. Name of your organization The value that you enter in the Name of Your Organization field will be displayed in the organization chart that is displayed on many of the Tivoli Identity Manager graphical user interface screens. This value is typically the more formal name of your company. For example, an organization name is IBM Corporation. Note: You may enter either single-byte character set (ASCII) characters or double-byte character set characters in this field. Default Org Short Name The value that you enter in the Default Org Short Name field will be used internally in IBM Directory Server to represent your organization. This value is typically an abbreviation of your company name. For example, a short name is ibmcorp. Note: Enter only single-byte character set (ASCII) characters in the Default Org Short Name field, such as an identifier in English. Number of hash buckets A hash bucket is used to apportion data items for sorting or lookup purposes. Evaluate the default value (1) in relation to your site needs. Port Port on which the directory server is listening, such as 389. Chapter 6. Cluster Installation: Tivoli Identity Manager Server 61

74 Principal DN The Principal Distinguished Name user ID. For example, cn=root. Password The password of the Principal Distinguished Name user ID that you created when installing the directory server. Additionally, the installation process reports the following LDAP Connection Pool Information fields for a pool of LDAP connections accessible by Tivoli Identity Manager Server. For more information, refer to the Tivoli Identity Manager Server Configuration Guide. Evaluate the following values in relation to your site needs: Max. pool size Maximum number of connections the LDAP Connection Pool can have at any time Initial pool size Initial number of connections created for the LDAP Connection Pool Increment count Number of connections added to the LDAP Connection Pool every time a connection is requested once all connections are in use WebSphere Application Server Information for Cluster Installation WebSphere Application Server installation for a cluster configuration has the following fields. For more information, see Configuring Tivoli Identity Manager Clusters on page 98. Cluster name The cluster name you created earlier when you constructed the WebSphere Application Server cell. Use one name such as ITIM_CLUSTER for a single cluster. In a functional cluster, use names such as ITIM_UI_CLUSTER and ITIM_WF_CLUSTER. This field is not displayed during single-server installation. Note: Cluster names and other WebSphere identifiers you enter are case sensitive. Installation directory Installation directory for WebSphere Application Server base. For example, the Solaris default directory is /opt/websphere/appserver. This field is for information purposes, if WebSphere Application Server base is already installed. Logging level Displays how verbose the logs are when tracing system errors. System administrators can select how detailed the log file should be by setting the Logging Level field number between INFO and FATAL. The more severe the logging level, the better the performance of the system because less information is written to the log file. Mail server name SMTP mail servers are supported. The SMTP host is the mail gateway. 62 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

75 Security settings The following fields appear on the System Configuration Security tab. Encryption (checkbox) Encrypts the password of the database, LDAP, and WebSphere Application Server administrator user identifier in the Tivoli Identity Manager property files Application Server User Management Enables you to set and confirm the password for the following: System User The WebSphere Application Server user ID and password. Required only if WebSphere Global Security is on. This is the wasadmin user ID described in the manual steps in Security for WebSphere on page 105. EJB User A user and password that you must have defined prior to starting installation. Required only if WebSphere Global Security is on. This is the itimadmin user ID described in the manual steps in Security for WebSphere on page 105. Note: If this field is pre-filled when it appears, the field might contain the value wasadmin. Change the field to the value itimadmin. Tivoli Identity Manager Information Note the following information for Tivoli Identity Manager: Encryption key The key can be any word or phrase. The key is used to encrypt Tivoli Identity Manager passwords and other sensitive text. The value is stored in the enrole.properties file as enrole.encryption.password. Logging level Displays how verbose the logs are when tracing system errors. System administrators can select how detailed the log file should be by setting the Logging Level field number between INFO and FATAL. The more severe the logging level, the better the performance of the system because less information is written to the log file. Mail server name SMTP mail servers are supported. The SMTP host is the mail gateway. User ID itim manager The Tivoli Identity Manager user ID. The default value after installation is itim manager. Use this user ID when you log on to Tivoli Identity Manager. Password secret Password for the Tivoli Identity Manager administrator user ID specified as itim manager. The default password immediately after installation is secret. Note: You will be forced to change the administrator account password when you log on to Tivoli Identity Manager Server. Chapter 6. Cluster Installation: Tivoli Identity Manager Server 63

76 Installing Tivoli Identity Manager Server The following flowchart describes the basic sequence of events during installation of Tivoli Identity Manager Server in a cluster configuration: Not Single Server Install type? Enter ITIM 4.5 installation directory Single Server Single server install Select database type Cluster member ( single cluster ) NDM or cluster member? NDM Enter cluster name (s) Cluster member ( functional ) Specify UI or WF cluster WebSphere security? Yes Enter credential No Confirm WebSphere directory Enter encryption key Enter cluster name (s) Pre-install summary LDAP configuration data Configure database WebSphere security? Yes Enter credential Configure LDAP Configure system No Enter encryption key Pre-install summary Configure System Figure 23. Cluster installation flowchart Install the Tivoli Identity Manager Server in a cluster configuration: 64 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

77 Note: To install Tivoli Identity Manager Server, obtain the correct CD for your environment. For more information, see Appendix A, Compact Discs, on page On the computer that has the Network Deployment Manager. The initial configuration of the database and the directory server for Tivoli Identity Manager occurs during this installation. 2. On each computer that has a cluster member or cluster members. Note: Ensure that you previously completed the steps in Before You Begin on page 57. To install Tivoli Identity Manager Server, do the following: 1. Navigate Initial Welcome and Licensing Windows 2. Select the Installation Type and Default Installation Directory on page Select the Database on page Complete the Sequence for Cluster Installation on page Specify WebSphere Global Security on page Specify an Encryption Key and Read the Pre-Installation Summary on page Installation Progress and Additional Configuration Activities on page Logs and Directories for Cluster Installation on page Complete Security Configuration on page Testing Tivoli Identity Manager Server Communication on page 82 Navigate Initial Welcome and Licensing Windows A series of welcome and licensing windows start the installation process. To navigate the initial windows, do the following: 1. Log on to the computer where the Tivoli Identity Manager Server will be installed. Notes: a. You must log on using an account with system administration privileges (Administrator). 2. Insert the Tivoli Identity Manager product CD into the CD-ROM drive. 3. Click Start > Run. 4. Type your CD-ROM drive and then type the following command: instw2k-was.exe The Welcome window opens. Chapter 6. Cluster Installation: Tivoli Identity Manager Server 65

78 Figure 24. Welcome window Note: If your logon account does not have permission to execute instw2k-was.exe, you must grant the account permission to execute this file. 5. To change the language that is used only on the installation panels, click the down arrow in the box indicating English and select another language. Click OK. Note: This choice does not select the language pack with which Tivoli Identity Manager application subsequently runs. The License Agreement window opens. 6. Read the license agreement and decide whether to accept its terms. If you do, click Accept. Click Next. Select the Installation Type and Default Installation Directory The Choose Installation Type window opens. Figure 25. Choose Installation Type window 66 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

79 1. Select either Cluster or Functional Cluster, and click Next. Note: A subsequent window will appear, allowing you to specify whether the functional cluster is part of a UI or WF tier. The window does not appear if you select the installation type as Cluster. The Important Information window opens. 2. Verify that the WebSphere Network Deployment Manager, and all WebSphere node agents are operational before continuing. For more information, see Ensure that Network Deployment Manager and Node Agents are Running on page 102. Click Next. The Choose Install Directory window opens. 3. Accept the default c:\itim45 installation directory for Tivoli Identity Manager or specify another directory by clicking Choose... and completing its prompts. Click Next. Select the Database The Choose Database Type window opens. Select one of the following database types and click Next: v IBM DB2 Universal Database v Oracle. For more information, see Oracle Installation and Configuration for Tivoli Identity Manager on page 16. v SQL Server For more information, see SQL Server 2000 Configuration on page 20. Complete the Sequence for Cluster Installation The Choose Cluster Node Type window opens. 1. Select a node type. You must install Tivoli Identity Manager first on the computer that has the Network Deployment Manager, and then install Tivoli Identity Manager on cluster members. Chapter 6. Cluster Installation: Tivoli Identity Manager Server 67

80 Figure 26. Choose Cluster Node Type window Note: You can also install both the Network Deployment Manager and a cluster member on the same computer. Ensure that the computer has the required memory, speed, and available space to meet the additional load. The Choose Functional Cluster Membership window opens. Note: The following window appears if you previously specified the installation type as functional cluster. The window does not appear if you previously selected the installation type as cluster. 68 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

81 Figure 27. Choose Functional Cluster Membership window 2. For a functional cluster, select whether this computer is a UI Cluster member or a Workflow Cluster member. Click Next. Note: Do not assign a UI cluster member and a Workflow cluster member to the same computer. A data window appears to request one or more cluster names. 3. For a single (regular) cluster, enter a cluster name such as itim_cluster. Chapter 6. Cluster Installation: Tivoli Identity Manager Server 69

82 Figure 28. WebSphere Application Server Data window (cluster name) Alternatively, the window requests multiple cluster names if the installation type is functional cluster. Figure 29. WebSphere Application Server Data window (Functional Cluster Install) 4. Enter the cluster name or names that you previously defined from the Network Deployment Manager. Click Next. If this installation is for a cluster member, an Input the LDAP Directory Information window appears. 70 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

83 Note: This window does not appear if Tivoli Identity Manager installation is specified for the Network Deployment Manager. Figure 30. LDAP Directory information window 5. From the information worksheet you previously assembled, enter organization data in the fields in the LDAP Directory Information window. For every cluster member, the information must match the LDAP specification that was previously made during the primary Tivoli Identity Manager installation on the Network Deployment Manager. Each cluster member should have the identical information. For more information, see Directory Server Information on page 61. Click Next. Specify WebSphere Global Security The WebSphere Security window opens. Chapter 6. Cluster Installation: Tivoli Identity Manager Server 71

84 Figure 31. WebSphere Security window If WebSphere Global Security is on, click WebSphere Security Enabled. An additional window requires you to specify the WebSphere Application Server user ID and password. This is the wasadmin user ID described in the manual steps in Security for WebSphere on page 105. Figure 32. WebSphere Administrator Credentials window Provide the user ID and password and click Next. 72 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

85 Specify an Encryption Key and Read the Pre-Installation Summary The Specify the Encryption Key window opens followed by an installation summary window. Figure 33. Specify the Encryption Key window 1. Provide an encryption key, which can be any word or phrase. The key is used to encrypt Tivoli Identity Manager passwords and other sensitive text. The value is stored in the enrole.properties file as enrole.encryption.password. Click Next. The Pre-install Summary window opens, listing components to be installed, the required free disk space, and the installation directory such as c:\itim Ensure that the required disk space is available before continuing, and click Install. A series of installation progress windows open during the interval that installation requires. On a computer that has the minimum required resources, the interval can be significant. Chapter 6. Cluster Installation: Tivoli Identity Manager Server 73

86 Figure 34. Installation progress window Installation Progress and Additional Configuration Activities The installation process installs Tivoli Identity Manager Server over an interval of time. After installation, additional windows automatically open: 1. Only during installation on the computer that has the WebSphere Network Deployment Manager, the following windows appear: a. Database configuration. For more information, see Initial Configuration of Tivoli Identity Manager Database. b. Directory server. For more information,see Initial Configuration of the Directory for Tivoli Identity Manager on page During installation on either the computer that has the WebSphere Network Deployment Manager or on a computer that has a cluster member, a system configuration window opens to configure Tivoli Identity Manager. For more information, see Initial Configuration of Tivoli Identity Manager on page 76. Initial Configuration of Tivoli Identity Manager Database A database configuration window opens for the following configurations: v Single-server v Cluster or functional cluster installation on the computer that has the Network Deployment Manager This configuration activity configures property files and sets up tables in the Tivoli Identity Manager database. Do the following: 1. Enter the appropriate values when the Tivoli Identity Manager Database Configuration window opens. 74 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

87 Figure 35. Database configuration window Note: If you are using Oracle for your database, you must copy the Oracle JDBC driver into the <ITIM_HOME>/lib directory and also into the {WAS_HOME}/installedApps/enrole.ear directory for WebSphere Application Server before continuing with the IBM Tivoli Identity Manager Database Configuration window. A copy of the Oracle JDBC Driver (in the file named classes12.zip) is available on a supplementary CD described in Appendix A, Compact Discs, on page Complete the database configuration fields for the database that Tivoli Identity Manager uses. If the database is IBM DB2, the IP Address and Port Number fields are greyed out. These fields are required for other databases. For example, the value of the Database Name or Alias is an entry such as itimdb. The value of the Admin ID field is one of the following: v UNIX: db2inst1 v Windows: db2admin For more information, see Configure the IBM DB2 Server on page Click Test. When the database test is successful, the User ID and User Password fields on the Database Configuration window become active. 4. Complete the fields with appropriate values and click Continue. Initial Configuration of the Directory for Tivoli Identity Manager A directory server configuration window opens for the following configurations: v Single-server v Cluster or functional cluster installation on the computer that has the Network Deployment Manager Enter the appropriate values to initially configure the directory server to recognize Tivoli Identity Manager. Do the following: Chapter 6. Cluster Installation: Tivoli Identity Manager Server 75

88 1. Enter values for the LDAP Server Information fields. For example, the value of the Host Name field is the fully qualified host name of the computer on which the directory server is running. Figure 36. Directory configuration window 2. Click Test. When the test for a connection to the directory server is successful, the fields in the Identity Manager Directory Information section become active. 3. The value of the Identity Manager DN Location is dc=my_suffix, specifying the suffix for Tivoli Identity Manager. For more information, see Specify the Suffix for Tivoli Identity Manager on page 24. Complete the fields appropriately and click Continue. Initial Configuration of Tivoli Identity Manager For all installation types, use the tabs on the System Configuration window that the Tivoli Identity Manager Server provides to change values for the database server, the directory server, and other services: 1. The General tab is the first of a series of System Configuration tabs that are used to configure the Tivoli Identity Manager Server. 76 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

89 Figure 37. General tab window Field values on the General tab will be prefilled. For more information on these fields, refer to system configuration information in the Tivoli Identity Manager Server Configuration Guide. 2. Click the Directory tab. The Directory tab window opens. Figure 38. Directory tab window If necessary, modify the information for the directory server. If this installation is on a cluster member, the information must match the LDAP specification previously made for the Network Deployment Manager. If this installation is on a cluster member, a Test button is visible. Click Test. You should receive a successful connection response window. Click OK to close the window. 3. Click the Database tab. The Database tab window opens. Chapter 6. Cluster Installation: Tivoli Identity Manager Server 77

90 Figure 39. Database tab window 4. Provide the Database Name connection information for the Tivoli Identity Manager database. For example, the value of Database Name may be itimdb. The default user ID is enrole. If this installation is on a cluster member, the information must match the database specification previously made for the Network Deployment Manager. If this installation is on a cluster member, a Test button is visible. Click Test. A successful test activates the remaining fields in the Database Pool Information section. Click OK to close the window. 5. Click Logging. The Logging tab window opens. Either accept the default value of WARN or change the values to more or less verbose, depending on site performance considerations. Figure 40. Logging tab window 6. Click the Mail tab. The Mail tab window opens. 78 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

91 Figure 41. Mail tab window 7. Enter required values on the Mail tab and click OK. For more information on these fields, refer to the Tivoli Identity Manager Server Configuration Guide. Notes: a. The value of the Identity Manager Server URL field is the URL of the proxy server (for example, the IBM HTTP Server that is used to log on Tivoli Identity Manager). b. Change the Mail From address to the Tivoli Identity Manager system administrator address for your site. You must change this address, or you will send spam to the address listed. 8. Click UI. The UI tab window opens. Figure 42. UI tab window 9. Either accept the defaults on the UI tab or modify the logo and address information to specify your organization s customized Welcome display and Web address. The List Page Size specifies how many items will be displayed Chapter 6. Cluster Installation: Tivoli Identity Manager Server 79

92 on lists throughout the user interface. For more information, refer to the Tivoli Identity Manager Server Configuration Guide. Click OK. 10. Click Security. The Security tab window opens. Figure 43. Security tab window If you optionally selected WebSphere Application Server security earlier, these fields are prefilled. The fields are blank if you did not enable WebSphere Application Server security. Notes: a. The initial values for the EJB User and Password fields are the values of the System User and Password fields. You might need to modify the EJB User and Password fields. The length of the EJB user ID must be fewer than 12 characters. b. If you change the value of the EJB user ID or the EJB password on this system configuration Security window, then manual steps are required after Tivoli Identity Manager installation to map the security role to the ITIM user in order to start Tivoli Identity Manager. 11. Click OK to complete the system configuration. 12. Additionally, ensure that other values are appropriate to run the configuration that Tivoli Identity Manager and related applications use. Logs and Directories for Cluster Installation When the system configuration is complete, note the following installation log locations: Table 4. Install log file names and directories File names dbconfig.stdout ldapconfig.stdout itim45_installer_debug.txt runconfig.stdout (on cluster install) runconfigtmp.stdout (on single server and Network Deployment Manager) Directory {ITIM_HOME}/install_logs 80 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

93 Table 4. Install log file names and directories (continued) File names itim45_install.stdout itim45_install.stderr Directory system root Tivoli_Identity_Manager_InstallLog.log If installation completes successfully, the directory is {ITIM_HOME}. If installation fails, the log file will be in the system root (UNIX) on the Windows desktop. v UNIX: system root v Windows: desktop For more information on logs created by the WebSphere Application Server installation, refer to the WebSphere Application Server documentation. Complete Security Configuration If you intend to enable J2EE security, complete the manual steps to complete the mapping and restart J2EE security after installing Tivoli Identity Manager. For more information, see one of the following: v v v Manual Steps on Single-node Deployments After Installing Tivoli Identity Manager on page 106 Manual Steps on a Multi-node Deployment after Installing Tivoli Identity Manager on page 110 Ensure that the was.policy file exists. For more information, see Configuring the was.policy File on page 110. Using runconfig after Installing Tivoli Identity Manager Use the runconfig command after installing Tivoli Identity Manager to complete system configuration for activities such as the following: v v Change the password of the enrole user. Specify password encryption and update Tivoli Identity Manager EJB user IDs and passwords. For more information, see descriptions of tabs on the System Configuration window in Initial Configuration of Tivoli Identity Manager on page 76. For more information on using the runconfig command, see the Tivoli Identity Manager Server Configuration Guide. Optionally Installing a Language Pack After installing Tivoli Identity Manager, if the default language is not English, optionally obtain and mount the language pack CD for the Tivoli Identity Manager Server. Use command line mode to install the language pack. For example, enter the following: java jar itimlp_setup.jar The Tivoli Identity Manager language pack setup program will start. To complete the language pack installation, follow the instructions that appear in the setup program panels. Note: To run the Tivoli Identity Manager language pack setup program, Java runtime environment should be accessible from the command line. Chapter 6. Cluster Installation: Tivoli Identity Manager Server 81

94 Optionally, Define HTTP Session Persistence Optionally, define the HTTP session persistence for the WebSphere Application Server. For more information, refer to HTTP session management documentation in the WebSphere information center. Note: If a WebSphere Application Server subsequently fails in a Tivoli Identity Manager cluster, session persistence makes the failure transparent to the end user. Verify Transaction Service Settings Verify that the WebSphere Application Server transaction service settings are large enough to handle Tivoli Identity Manager loads for your business processes. See Configuring WebSphere Application Server Transaction Service Settings on page 103 for detailed information on modifying these settings. If you do not modify the settings to handle your business process loads, requests can time out before completing. Update the Web Server Plug-in Start Clusters When installation is complete, update the Web Server Plug-in. To do so, access the WebSphere Application Server administrative console and click Environment > Update Web Server Plugin > OK. When installation completes and any required security modification is done, restart the clusters. On the WebSphere administration console, do the following: 1. Click Servers > Clusters. 2. Select the Tivoli Identity Manager cluster. 3. Click Start. Tivoli Identity Manager should start when the cluster starts. Optionally, start a cluster member by running the following at the command prompt of any computer in the cluster: {ITIM_DIR}\bin\win\ssCluster start Notes: 1. Running this command on the computer that has the Network Deployment Manager will start the entire cluster. 2. This command also starts the JMS servers. Optionally, stop a cluster member by running the following at the command prompt of any computer in the cluster: {ITIM_DIR}\bin\win\ssCluster stop Note: Running this command on the computer that has the Network Deployment Manager will stop the entire cluster. Testing Tivoli Identity Manager Server Communication To test whether the database, the directory server, and the Tivoli Identity Manager Server are correctly configured and communicating with each other, do the following: 82 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

95 1. Test the JDBC driver to ensure that the driver is running on a specific cluster member: a. Before you begin, ensure that the database server and the WebSphere Application Server are running. For more information on starting the WebSphere Application Server, refer to documentation that the WebSphere Application Server provides. b. Ensure that you sourced the IBM DB2 profile correctly. If you are using IBM DB2 Version 7.1 or version 7.2 with the fix packs this product requires, ensure that you ran the usejdbc2 shell script in the shell before starting WebSphere Application Server. Test the connection again. If the connection does not work, verify that the enrole user ID and password are configured correctly. If the IBM DB2 server is remote, ensure that the same IBM DB2 fix pack level is applied to both the database server and the client. Note: Fix Pack 3 will migrate the IBM DB2 Version 7.1 environment to the IBM DB2 Version 7.2 general availability level. For more information, see Appendix B, Software and Hardware Requirements on Windows, on page 93. c. Access the WebSphere Application Server administrative console. d. Click Resources > JDBC Providers. Select the target node. e. Click Browse Servers. Select a target server and then click Apply. f. Scroll to the list of JDBC providers and double-click ITIM JDBC Provider. g. Scroll the dialog that appears to the Additional Properties pane. In the Additional Properties pane, click Data Sources. h. In the Data Sources dialog that appears, click Test Connection. A message appears that indicates the test result. 2. Start Tivoli Identity Manager Server and any prerequisite applications. Click Start > Programs > IBM WebSphere > Application Server v5.0 > Start Server. 3. Log on to Tivoli Identity Manager. For example, at a browser window, type the following: where hostname is the fully qualified name or IP address of the computer on which Tivoli Identity Manager Server is running. Notes: a. Do not start two separate browser sessions from the same client computer. The two sessions are regarded as one session ID, resulting in problems with data. b. If you log on using the single sign-on capability and need to select a language, append /language to the Web site address. For example, enter: For more information on configuring the language default for your Web browser, refer to the Tivoli Identity Manager Server Configuration Guide. 4. Enter the Tivoli Identity Manager administrator user ID (itim manager) and password (immediately after installation, the value is secret ). 5. Take the necessary steps to create a user (an ITIM user). For more information, refer to online help or to the Tivoli Identity Manager Policy and Organization Administration Guide. Chapter 6. Cluster Installation: Tivoli Identity Manager Server 83

96 Server-Agent Communication For more information on processes that should be running, refer to the Tivoli Identity Manager Server Configuration Guide. Using the Tivoli Identity Manager system with a Tivoli Identity Manager agent will require production certificates to ensure that secure communication occurs between the Tivoli Identity Manager server and the agent. The Certificate Authority that corresponds to the Tivoli Identity Manager agent s certificate must be located in the {ITIM_HOME}\cert directory. For supported certificate types, refer to the Tivoli Identity Manager Server Configuration Guide and to a specific agent s installation guide for more information. Notes: 1. Install one agent profile at a time, and complete the profile installation before installing another agent profile. Installing multiple profiles at the same time might cause the Tivoli Identity Manager Server to force a reboot. 2. In a cluster configuration, install the agent profile once. For recommendations on where to install the agent profile in a cluster configuration, refer to the agent installation guide for your specific agent. 3. The WebSphere Application Server configuration requires that the drive location for a certificate for an agent be the same drive location under which the Tivoli Identity Manager Server is installed. For example, if you install an agent profile on a cluster member that has the Tivoli Identity Manager Server installed on d:\itim45, then the certificate must reside on the d:\itim45\cert directory. The WebSphere Application Server configuration must also specify the d:\itim45\cert directory. 4. If the default language is not English, before installing the first Tivoli Identity Manager agent, optionally obtain and mount the language pack CD for the Tivoli Identity Manager agents. Use command line mode to install the language pack for the agents on the Tivoli Identity Manager Server: java jar itimlp_agents_setup.jar The Tivoli Identity Manager language pack setup program will start. To complete the language pack installation, follow the instructions that appear in the setup program panels. Note: To run the Tivoli Identity Manager language pack setup program, Java runtime environment should be accessible from the command line. Adding or Removing Cluster Members This section describes adding or removing cluster members. Expanding a Cluster Using a New Computer To add a new cluster member to an existing Tivoli Identity Manager cluster, do the following: Note: These steps expand a cluster using a computer not previously in the WebSphere cell. This is an example of horizontal clustering. 1. Using the WebSphere Application Server administrative console, create the new cluster member. For more information, see Add Nodes to a Cell on page IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

97 2. Using the WebSphere Application Server administrative console, add a new cluster member on the node. For more information, see Create a Cluster on page Run the Tivoli Identity Manager installation process on the new computer, choosing cluster member installation. 4. Update the Web Server Plugin. To do so, access the WebSphere Application Server administrative console and click Environment > Update Web Server Plugin > OK. 5. Using the WebSphere Application Server administrative console, start the new cluster member. Expanding a Cluster Using the Same Computer You can also expand a cluster by adding an additional cluster member on a computer with an existing cluster member. Do the following: 1. On the WebSphere Application Server administrative console, create the new cluster member on the computer that has a previously existing cluster member. Note: This is an example of vertical clustering. 2. Update the Web Server Plugin. To do so, access the WebSphere Application Server administrative console and click Environment > Update Web Server Plugin > OK. 3. Using the WebSphere Application Server administrative console, start the new cluster member. Removing a Cluster Member To remove the only cluster member on a computer, do the following: v v If only one cluster member exists on the computer: 1. Run the Tivoli Identity Manager uninstaller. For more information, see Appendix G, Uninstalling Tivoli Identity Manager, on page On the WebSphere Application Server administrative console, delete the cluster member from the cluster. 3. Update the Web Server Plugin. To do so, access the WebSphere Application Server administrative console and click Environment > Update Web Server Plugin > OK. If there are multiple cluster members (a vertical cluster) on the computer: 1. On the WebSphere Application Server administrative console, delete the cluster member from the cluster. 2. Update the Web Server Plugin. To do so, access the WebSphere Application Server administrative console and click Environment > Update Web Server Plugin > OK. Chapter 6. Cluster Installation: Tivoli Identity Manager Server 85

98 86 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

99 Appendix A. Compact Discs Tivoli Identity Manager Server installation provides the following compact discs (CDs). If you do not have all listed CDs, contact IBM Support. Recommended WebSphere Interim Fix PQ77521 Not on CDs Language Packs CD A recommended interim fix PQ77521 is not provided on the product CDs. The cumulative Messaging Interim Fix for WebSphere Application Server is recommended to correct the MQJMS2013 XA recovery error with WebSphere embedded messaging support. The first lines of the error message are similar to the following: [8/6/03 13:30:54:484 EDT] f341ce J2CXAResource W J2CA0061W: Error creating XA Connection and Resource javax.resource.spi.resourceadapterinternalexception: createqueueconnection failed at com.ibm.ejs.jms.jmscmutils.maptoresourceexception(jmscmutils.java:123) For example, this error can occur when a workflow is running and the WebSphere Application Server stops. The incomplete transactions cannot be recovered. If you apply the interim fix, the data is recovered. To obtain this interim fix, enter the following to access the Web site: The following table itemizes the contents of the language pack CD. Table 5. Contents of Language Pack CD Product language packs File Name itimlp_setup.jar, itimlp_agents_setup.jar Base Code Solaris CD for Tivoli Identity Manager using WebSphere Application Server The following table itemizes the contents of the base code Solaris CD for Tivoli Identity Manager using WebSphere Application Server: Table 6. Contents of base code Solaris CD for Tivoli Identity Manager using WebSphere Application Server Product File Name Tivoli Identity Manager Version 4.5 for instsol-was.bin WebSphere Application Server Documentation ReadMeFirst Docs-ReadMeFirst.pdf Copyright IBM Corp

100 Base Code Solaris CD for Tivoli Identity Manager for non-ibm Application Servers The following table itemizes the contents of the base code Solaris CD for Tivoli Identity Manager using non-ibm Application Servers (WebLogic): Table 7. Contents of base code Solaris CD for Tivoli Identity Manager using WebLogic Product File Name Tivoli Identity Manager Version 4.5 for instsol-wl.bin WebLogic Documentation ReadMeFirst Docs-ReadMeFirst.pdf Supplemental Solaris CD 1 The following table itemizes the contents of supplemental Solaris CD 1: Table 8. Contents of Supplemental Solaris CD 1 Product File Name WebSphere Application Server base Version was50_fp2_solaris.zip 5.0 Fix Pack 2 WebSphere Application Server Network was50_nd_fp2_solaris.zip Deployment Version 5.0 Fix Pack 2 WebSphere Application Server base Version PQ75794.zip interim fix (APAR PQ75794) WebSphere Application Server base and ibmorb.jar WebSphere Application Server Network Deployment Version interim fix (APAR SOV62778) WebSphere Application Server JSP Compile interim fix (APAR PQ77263) PQ77263.zip Supplemental Solaris CD 2 The following table itemizes the contents of supplemental Solaris CD 2: Table 9. Contents of Supplemental Solaris CD 2 Product File Name IBM Directory Server Version 5.1 ids510-solaris-ismp-us.tar IBM Directory Server Version 5.1 Fix Pack 1 FP510S-01.tar.Z IBM Directory Server referential integrity plug-in Tivoli Identity Manager Version 4.5 configuration file DelRef/aix/libdelref.a DelRef/hpux/libdelref.sl DelRef/nt/libdelref.dll DelRef/sun/libdelref.so DelRef/timdelref.conf 88 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

101 Supplemental Solaris CD 3 The following table itemizes the contents of supplemental Solaris CD 3: Table 10. Contents of Supplemental Solaris CD 3 Product File Name IBM DB2 Version 8.1 Fix Pack 2 (32 and 64 Sol-FP2_U tar.Z Bit) Supplemental Solaris CD 4 The following table itemizes the contents of supplemental Solaris CD 4: Table 11. Contents of Supplemental Solaris CD 4 Product File Name Oracle Type 4 JDBC driver classes12.zip Oracle Type 4 JDBC driver license file LI_en Base Code AIX CD for Tivoli Identity Manager using WebSphere Application Server The following table itemizes the contents of the base code AIX CD for Tivoli Identity Manager using WebSphere Application Server: Table 12. Contents of base code AIX CD for Tivoli Identity Manager using WebSphere Application Server Product File Name Tivoli Identity Manager Version 4.5 using instaix-was.bin WebSphere Application Server Documentation ReadMeFirst Docs-ReadMeFirst.pdf Base Code AIX CD for Tivoli Identity Manager for non-ibm Application Servers The following table itemizes the contents of the base code AIX CD for Tivoli Identity Manager using non-ibm application servers (WebLogic): Table 13. Contents of base code AIX CD for Tivoli Identity Manager using WebLogic Product File Name Tivoli Identity Manager Version 4.5 for instaix-wl.bin WebLogic Documentation ReadMeFirst Docs-ReadMeFirst.pdf Supplemental AIX CD 1 Note: Because of size constraints, the Fix Pack 2 for IBM DB2 on AIX is not provided on a supplemental CD. To obtain Fix Pack 2 for IBM DB2 on AIX, access the following FTP site: ftp://ftp.software.ibm.com/ps/products/db2/fixes/english-us/db2aix5v8/fixpak/fp2_u486566/ Appendix A. Compact Discs 89

102 or access the following Web site: The following table itemizes the contents of supplemental AIX CD 1: Table 14. Contents of Supplemental AIX CD 1 Product WebSphere Application Server base Version 5.0 Fix Pack 2 WebSphere Application Server Network Deployment Version 5.0 Fix Pack 2 WebSphere Application Server base Version interim fix (APAR PQ75794) WebSphere Application Server base and WebSphere Application Server Network Deployment Version interim fix (APAR SOV62778) WebSphere Application Server JSP Compile interim fix (APAR PQ77263) File Name was50_fp2_aix.zip was50_nd_fp2_aix.zip PQ75794.zip ibmorb.jar PQ77263.zip Supplemental AIX CD 2 The following table itemizes the contents of supplemental AIX CD 2: Table 15. Contents of Supplemental AIX CD 2 Product IBM Directory Server Version 5.1 IBM Directory Server Version 5.1 Fix Pack 1 IBM Directory Server referential integrity plug-in Tivoli Identity Manager Version 4.5 configuration file File Name ids510-aix-ismp-us.tar FP510A-01.tar DelRef/aix/libdelref.a DelRef/hpux/libdelref.sl DelRef/nt/libdelref.dll DelRef/sun/libdelref.so DelRef/timdelref.conf Supplemental AIX CD 3 The following table itemizes the contents of supplemental AIX CD 3: Table 16. Contents of Supplemental AIX CD 3 Product Oracle Type 4 JDBC driver Oracle Type 4 JDBC driver license file File Name classes12.zip LI_en 90 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

103 Base Code HP-UX CD for Tivoli Identity Manager for non-ibm Application Servers The following table itemizes the contents of the base code HP-UX CD for Tivoli Identity Manager for non-ibm application servers (WebLogic): Table 17. Contents of base code HP-UX CD for Tivoli Identity Manager using WebLogic Product File Name Tivoli Identity Manager Version 4.5 using insthpux-wl.bin WebLogic Documentation ReadMeFirst Docs-ReadMeFirst.pdf Base Code Windows 2000 CD for Tivoli Identity Manager using WebSphere Application Server The following table itemizes the contents of the base code Windows 2000 CD for Tivoli Identity Manager using WebSphere Application Server: Table 18. Contents of base code Windows 2000 CD for Tivoli Identity Manager using WebSphere Application Server Product File Name Tivoli Identity Manager Version 4.5 using instw2k-was.exe WebSphere Application Server Documentation ReadMeFirst Docs-ReadMeFirst.pdf Base Code Windows 2000 CD for Tivoli Identity Manager for non-ibm Application Servers The following table itemizes the contents of the base code Windows 2000 CD for Tivoli Identity Manager for non-ibm application servers (WebLogic): Table 19. Contents of base code Windows 2000 CD for Tivoli Identity Manager using WebLogic Product File Name Tivoli Identity Manager Version 4.5 for instw2k-wl.exe WebLogic Documentation ReadMeFirst Docs-ReadMeFirst.pdf Supplemental Windows 2000 CD 1 The following table itemizes the contents of supplemental Windows 2000 CD 1: Table 20. Contents of supplemental Windows 2000 CD 1 Product File Name WebSphere Application Server base Version was50_fp2_win.zip 5.0 Fix Pack 2 WebSphere Application Server Network was50_nd_fp2_win.zip Deployment Version 5.0 Fix Pack 2 Appendix A. Compact Discs 91

104 Table 20. Contents of supplemental Windows 2000 CD 1 (continued) Product File Name WebSphere Application Server base Version PQ75794.zip interim fix (APAR PQ75794) WebSphere Application Server base and ibmorb.jar WebSphere Application Server Network Deployment Version interim fix (APAR SOV62778) WebSphere Application Server JSP Compile interim fix (APAR PQ77263) PQ77263.zip Supplemental Windows 2000 CD 2 The following table itemizes the contents of supplemental Windows 2000 CD 2: Table 21. Contents of supplemental Windows 2000 CD 2 Product File Name IBM Directory Server Version 5.1 ids510-windows-us.zip IBM Directory Server Version 5.1 Fix Pack 1 FP510W-01.zip IBM Directory Server referential integrity plug-in Tivoli Identity Manager Version 4.5 configuration file DelRef\aix\libdelref.a DelRef\hpux\libdelref.sl DelRef\nt\libdelref.dll DelRef\sun\libdelref.so DelRef\timdelref.conf Supplemental Windows 2000 CD 3 The following table itemizes the contents of supplemental Windows 2000 CD 3: Table 22. Contents of supplemental Windows 2000 CD 3 Product File Name IBM DB2 Version 8.1 Fix Pack 2 W2K-FP2.zip Supplemental Windows 2000 CD 4 The following table itemizes the contents of supplemental Windows 2000 CD 4: Table 23. Contents of supplemental Windows 2000 CD 4 Product File Name Oracle Type 4 JDBC driver classes12.zip Oracle Type 4 JDBC driver license file LI_en 92 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

105 Appendix B. Software and Hardware Requirements on Windows This appendix specifies software and hardware requirements for Tivoli Identity Manager Server on Windows using WebSphere Application Server. Minimum Windows Operating System and Hardware Requirements for Tivoli Identity Manager using WebSphere The following table identifies the Windows operating system, patches, and minimum hardware requirements for installation. These values do not include additional runtime requirements. Running more than one server type, such as an application server and database server on a single computer, will require additional hardware resources (more RAM) for that computer. Table 24. Minimum operating system and hardware requirements for Tivoli Identity Manager Operating System Patch Minimum memory, free disk space, and other hardware requirements Windows 2000 Advanced Server Service Pack 3 or later v RAM: 1 GB of memory v Processor: Intel Pentium with a clock speed of 1 GHz or faster v Free disk space: The temp directory must have at least 1.5 GB of free disk space. Additionally, provide 1.1 GB of free disk space for the following: \itim45 directory for Tivoli Identity Manager Server 500 MB WebSphere Application Server 600 MB Databases for Tivoli Identity Manager Server using WebSphere The following table lists databases available for Tivoli Identity Manager Server using WebSphere: Table 25. Databases available for Tivoli Identity Manager Server using WebSphere Database Version and Fix Pack or patch AIX 5.1 Solaris 8 Windows 2000 Advanced Server IBM DB2 Universal Database v 8.1 with Fix Pack 2 U U U Enterprise Edition server¹ v 7.2 with Fix Pack 9 and IBM DB2 runtime client Oracle U U U Microsoft SQL server SQL Server 2000 U Notes: 1. IBM DB2 requires the following minimum free disk space: v Installation requires 1 GB in the directory in which you create the database for Tivoli Identity Manager, such as /home/db2inst1. Copyright IBM Corp

106 Directory Servers for Tivoli Identity Manager Server using WebSphere The following table lists Directory servers available for Tivoli Identity Manager Server using WebSphere: Table 26. Directory servers available for Tivoli Identity Manager Server using WebSphere Directory server Version and Fix Pack or patch AIX Solaris 8 Windows 2000 Advanced Server IBM Directory Server v 5.1 with Fix Pack 1 U U U Sun ONE Directory Server¹ v 4.1 with Fix Pack 2 (Version on Windows NT ) on AIX U on AIX not on Also check the following website: U U Tivoli Identity Manager Server Prerequisites for WebSphere and HTTP Servers The following table lists the WebSphere and HTTP servers for Tivoli Identity Manager Server: Table 27. Tivoli Identity Manager Server prerequisites for WebSphere and HTTP servers Prerequisite Version Fix Pack Interim fix IBM HTTP Server¹ WebSphere Fix Pack 2 WebSphere Application Server base² WebSphere Application Server Network Deployment² Notes: 1. You must bring down the HTTP server before you apply WebSphere Fix Packs. 2. In a cluster environment, ensure that you load the WebSphere Fix Pack on all computers that have the IBM HTTP Server, which might include the computer with WebSphere Application Server Network Deployment. 5.0 WebSphere Fix Pack 2 Apply the following fixes in the order listed: v APAR SOV62778 (See note 3 below.) v APAR PQ75794 v APAR PQ WebSphere Fix Pack 2 Apply the following fix: v APAR SOV62778 (See note 3 below.) 94 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

107 Table 27. Tivoli Identity Manager Server prerequisites for WebSphere and HTTP servers (continued) Prerequisite Version Fix Pack Interim fix 1. IBM HTTP Server is included in WebSphere Application Server installation process. 2. The JDK distributed with WebSphere Application Server is the supported JDK. Use of an independently installed JDK, from IBM or other vendors, is not supported. 3. If you manually install Fix Pack 2 for WebSphere Application Server base, copy the ibmorb.jar file that is on the supplemental CD to the {WAS_HOME}/java/jre/lib/ext directory. On the computer that has WebSphere Application Server Network Deployment, copy the ibmorb.jar file that is on the supplemental CD to the {WAS_NDM_HOME}/java/jre/lib/ext directory.you must contact WebSphere support before copying the file ibmorb.jar if you installed any WebSphere JDK fixes after installing WebSphere 5.0 Fix Pack 2. Supported Web Browsers The following Web browsers are supported on Windows only: v Internet Explorer 5.5 with Service Pack 2 v Internet Explorer 6.0 with Service Pack 1 v Netscape 4.75 Notes: 1. Cookies must be enabled. 2. Do not start two separate browser sessions from the same client computer. The two sessions are regarded as one session ID, resulting in problems with data. 3. For Internet Explorer, ensure that the Java runtime environment (JRE) is specified. Open the browser and click Tools > Internet Options. Click the Advanced tab. Scroll the list of features. Select the check box for an item similar to Use Java 2 V1.3.1_04. Restart the computer. Appendix B. Software and Hardware Requirements on Windows 95

108 96 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

109 Appendix C. Preparing the WebSphere Environment This chapter describes generic steps to create a WebSphere Application Server environment before you install the Tivoli Identity Manager Server on either single-server or cluster configurations. For cluster configurations, the chapter provides steps to install and configure WebSphere Application Server Network Deployment and WebSphere Application Server base. Note: For more information, refer to the WebSphere Application Server installation documentation. Preparing for WebSphere Application Server Installation Before you install WebSphere Application Server, ensure that there is adequate free disk space to unpack the files. For more information, see Appendix B, Software and Hardware Requirements on Windows, on page 93. Ensuring Solaris Kernel Settings for WebSphere Embedded Messaging Server and Client On Solaris, ensure that the following additional kernel settings are specified for the Embedded Messaging server and client: v set shmsys:shminfo_shmmax = v set shmsys:shminfo_shmseg = 1024 v set shmsys:shminfo_shmmni = 1024 v set semsys:seminfo_semaem = v set semsys:seminfo_semmni = 1024 v set semsys:seminfo_semmap = 1026 v set semsys:seminfo_semmns = v set msgsys:msginfo_msgmap = 1026 v set semsys:seminfo_semopm = 100 v set semsys:seminfo_semmnu = 2048 v set semsys:seminfo_semume = 256 v set msgsys:msginfo_msgmax = v set rlim_fd_cur=1024 Using an Existing WebSphere MQ Version 5.3 WebSphere embedded messaging server and client (WebSphere embedded messaging support) are WebSphere 5.0 components that are required by Tivoli Identity Manager. To install these WebSphere components successfully, you must remove IBM MQSeries Version 5.2 if it already exists on the target computer. If WebSphere MQ Version 5.3 exists on the computer, ensure the following WebSphere MQ components are installed before installing the WebSphere embedded messaging support client and server: v WebSphere MQ Version 5.3 with the CSD03 update v The WebSphere MQ features for Server and for Java Messaging Copyright IBM Corp

110 To determine the existing version, run the mqvr utility that WebSphere MQ provides. For more information, refer to WebSphere Application Server installation documentation. Validating Availability of Port 9090 WebSphere Application Server uses port 9090 for its adminstrative console. If the port is being used on the system, you must choose a different and available port for the WebSphere application console. You can test whether the port is being used by entering the following command: netstat -an Configuring Tivoli Identity Manager Clusters The cluster installation and configuration process has the following sequence: 1. Installing WebSphere Application Server Network Deployment 2. Installing IBM HTTP Server and WebSphere Web Server Plugin on page Installing Base on Each Node on page Add Nodes to a Cell on page Ensure that Network Deployment Manager and Node Agents are Running on page 102 Subsequently, you create one or more clusters, described in Creating Clusters Using Network Deployment Manager on page 59. Installing WebSphere Application Server Network Deployment Note: If this is an upgrade, WebSphere Application Server Network Deployment 5.0 can be loaded on the Tivoli Identity Manager 4.4.x primary or secondary server. To install WebSphere Application Server Network Deployment, do the following: 1. Determine whether the computer has adequate memory and free disk space. 2. In advance, obtain the required Fix Pack or APAR, if any. For more information, see Appendix B, Software and Hardware Requirements on Windows, on page Mount the initial product CD. For more information on the product CDs and their contents, see Appendix A, Compact Discs, on page Open the WebSphere Application Server Network Deployment installation program by typing the following: drive:\nt\launchpad.bat.\nt 5. In the initial dialog, accept the license requirements. The installation program checks for prerequisites. For example, it might detect a missing patch such as a font required to display Japanese characters. Refer to documentation provided by the WebSphere Application Server Network Deployment and remedy any missing patch that you determine to be essential. Note: During the prerequisite check, the installation program will detect any previously installed versions of WebSphere Application Server Network Deployment and display a migration and coexistence dialog. If you 98 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

111 would like the two versions of WebSphere Application Server Network Deployment to coexist, select Modify ports for coexistence and then modify the port numbers from the coexistence dialog. At the conclusion of the installation, you must change the port value for the SOAP connection in the wsadmin.properties file located under {WAS_ND_HOME}\properties to match the new port value. 6. Click Next. A dialog appears that allows you to select features for the Network Deployment. 7. Accept the defaults and click Next. A dialog appears that lists the installation destination directory, the required space, and the available space. 8. Accept or modify the default directory, ensure that there is adequate disk space for installation, and click Next. A dialog appears that requests values for node name, host name, and cell name. 9. Accept the defaults, or provide the requested field values. For example: Node Name Accept the default string, or provide a meaningful string that identifies the node. For example: hostname Host Name or IP Address Enter the fully qualified host name or IP address of the target computer. Cell Name Enter a value that identifies the cell. For example, enter: ITIM_CELL_A1 10. Repeatedly click Next to navigate the following dialogs: v Installation summary v Installation progress v Product registration v Completion v Finish 11. Respond to the First Steps dialog, which prompts you to start the server and to run an installation verification test. Use the following Web address to access the Administration console: where networkdeploymenthost is the fully qualified host name of the computer on which you installed WebSphere Application Server Network Deployment. Note: If two versions of WebSphere Application Server Network Deployment coexist, replace the default port number with the port number configured during the installation. 12. Install the required Fix Pack or APAR. Note: Stop the WebSphere Application Server Network Deployment system before you install a Fix Pack or APAR. For more information, see Appendix B, Software and Hardware Requirements on Windows, on page 93. Appendix C. Preparing the WebSphere Environment 99

112 Installing IBM HTTP Server and WebSphere Web Server Plugin To install the IBM HTTP Server and the WebSphere Web Server plug-in, do the following: 1. Mount the initial product CD. For more information on the product CDs and their contents, see Appendix A, Compact Discs, on page Start installation using the WebSphere Application Server base product. 3. Navigate the following installation dialogs, accepting the default settings. 4. Click the check box to accept reconfiguration when an installation dialog provides the following choice: Reconfigure the product to coexist with other versions of itself 5. Navigate through Operating System Level Check and any other dialogs that check prerequisites. 6. Select Custom when a dialog appears that provides the choice. 7. Click Next. A features selection dialog appears. 8. On the features selection dialog, select only the following items: v IBM HTTP Server v WebSphere Web Server plug-in for IBM HTTP Server 9. Click Next. A dialog appears that displays default target directories and values for available and required space. Note: If this installation is intended to coexist with a previous installation, the default installation directory can be used for IBM HTTP Server 5.0 because it differs from the default directory included as part of the IBM HTTP Server 4.0 installation. 10. Accept the default target directories, or modify the target or modify your computer s free disk space. Click Next. A dialog appears that summarizes the features to install and their locations. 11. Repeatedly click Next to navigate through subsequent dialogs that include the following: v Progress reporting v Product registration v Completion 12. Obtain and install the required WebSphere Application Server base Fix Pack that also includes the fix for IBM HTTP Server. For more information, see Appendix B, Software and Hardware Requirements on Windows, on page 93. Generating the WebSphere Web Server Plugin Configuration File Generate the configuration file for the WebSphere Web Server plug-in. You must stop the IBM HTTP Server before installing the patch. Do the following: 1. Log on to the Network Deployment Manager administrative console. 2. From the left pane of the console, click Environment > Update Web Server Plugin > OK to update the Web Server Plugin. This will generate the Web Server Plugin configuration file plugin-cfg.xml in {NDM_HOME}\config\cells. 3. After the Plugin update completes, click Save to save your configuration to the master repository. 100 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

113 Note: Select Synch changes with Nodes when you save the configuration. 4. If the IBM HTTP Server is installed on the computer that has the Network Deployment Manager, verify that the following line exists in the http_server_installdir\conf\httpd.conf configuration file: Note: This step is not required if the IBM HTTP Server and Network Deployment Manager are installed on different computers. WebSpherePluginConfig drive:"\program Files\WebSphere\DeploymentManager\config\cells\plugin-cfg.xml" Installing Base on Each Node Install WebSphere Application Server base, repeating the following steps on each node that is a member of the cell: 1. Start the WebSphere Application Server base installation program. 2. Navigate through the dialogs until you reach a dialog that lists the features to install. Notes: a. During the prerequisite check, the installation program will detect any previously installed versions of WebSphere Application Server base and display a migration and coexistence dialog. If you would like the two versions of WebSphere Application Server base to coexist, select Modify ports for coexistence and then modify the port numbers from the coexistence dialog. At the conclusion of the installation, you must change the port value for the SOAP connection in the wsadmin.properties file located under {WAS_HOME}\AppServer\properties to match the new port value. b. To improve performance and to avoid any potential problems with the operation of the Web console, it is recommended that you do not install the sample applications, the application assembly and deployment tools, and the ant utilities that are included with the WebSphere Application Server. 3. Click Next. A dialog appears that summarizes the features to install. Select what you need from the list. 4. Repeatedly click Next to navigate through subsequent dialogs that include the following: v Progress reporting v Product registration v Completion 5. Install the required Fix Pack. For more information, see Appendix B, Software and Hardware Requirements on Windows, on page Prepare the new node for inclusion into the cell by doing the following: a. Change to the WebSphere bin subdirectory. b. Start the server using the following command: startserver server1 Add Nodes to a Cell Before you begin, ensure that the WebSphere Application Server (server1) is running on the node that you intend to add to a cell. On the Network Deployment Manager administrative console, do the following to add a node to a cell: Appendix C. Preparing the WebSphere Environment 101

114 1. Click System Administration > Cell. 2. On the dialog that appears, click Nodes. 3. Scroll the next dialog and click Nodes at the bottom of the Configuration tab. 4. On the Nodes dialog that appears, click Add Node. Specify the node host name and ports and click OK. A progress dialog appears that reports the node addition. Alternatively, you can add a node to a cell by running the addnode.bat script and then run the startnode.bat script. For example, enter the following on the computer that you want added as a node: drive:"\program Files\WebSphere\AppServer\bin\addNode.bat servernodename 8879" drive:"\program Files\WebSphere\AppServer\bin\startNode.bat" Create a Cluster On the Network Deployment Manager administrative console, do the following to create a cluster: 1. Click Servers > Cluster. 2. On the subsequent dialog, click New. 3. Enter the name of the cluster, select the appropriate server, and click Next. 4. Complete the New Clustered Servers dialog, specifying a cluster member, and click Apply. Repeat the specification for additional cluster members. When the list is complete, click Next. 5. Examine the cluster member summary to ensure that the list of cluster members is correct. Click Finish. 6. Save the configuration to the master repository. Note: Select Synch changes with Nodes when you save the configuration. Ensure that Network Deployment Manager and Node Agents are Running To ensure that the Network Deployment Manager and all WebSphere Application Server node agents are running, do the following: 1. Access the Administration Console on the computer on which Network Deployment Manager is installed by typing the following: To determine the status of the Network Deployment Manager, you can run the following on the computer on which Network Deployment Manager is installed: drive:"\program Files\WebSphere\DeploymentManager\bin\serverStatus.bat" To determine the status of the JMS server, appserver, and node agent, run the following on the computer on which WebSphere Application Server base is installed: drive:"\program Files\WebSphere\AppServer\bin\serverStatus.bat" 2. For each node, determine whether the environment variables for the JDBC driver path and {ITIM_HOME} are defined and correctly specified. On the Network Deployment Manager administration console, click Environment > Manage WebSphere Variables. For example, examine the list of variables to determine if the value of {ITIM_HOME) is correct. 102 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

115 3. Start the node agents, the JMS servers, and the application servers for each cluster member. For example, click Servers > Application Servers. Click the check box for a server such as server1 and click Start. 4. After starting node agents, to ensure that node agents are running, click System Administration > Node Agents. A window opens that displays the node agents and their status. 5. On a browser, enter the Web address for the computer on which the IBM HTTP Server is running. For example, enter: The Tivoli Identity Manager logon panel appears. Log on to the Tivoli Identity Manager application. Configuring WebSphere Application Server Transaction Service Settings Default WebSphere Application Server transaction service settings are too low to handle most standard business process loads. Therefore, these transaction service settings must be modified to prevent transaction time-outs. The default WebSphere Application Server transaction service settings are: v Total transaction lifetime timeout = 120 v Client Inactivity timeout = 60 These values must be increased to a minimum of 1200 and 600, respectively. If you are planning large provisioning tasks, these numbers may have to be set higher. The values can be modified using the WebSphere Application Server administrative console. The following procedures describe how to change the transaction service settings. If you will implement a cluster configuration of Tivoli Identity Manager, you will need to repeat these procedures on each member of the cluster. 1. Log on to the WebSphere Application Server and open the WebSphere Application Server administrative console. 2. Open the Applications Servers branch in the tree on the left side of the console and select the name of your server. 3. Select Transaction Service in the Additional Properties properties section. 4. Modify the values for the Total Transaction Lifetime Timeout and Client Inactivity Timeout settings to match your expected business process load. 5. Click OK to save the changes. Appendix C. Preparing the WebSphere Environment 103

116 104 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

117 Appendix D. Security Considerations Security for WebSphere This section describes additional security you can provide for the environment in which Tivoli Identity Manager runs. Topics include the following: v Security for WebSphere v Alternatives in Configuring the HTTP Server on page 111 When enabled, J2EE security ensures that authenticated users have the necessary permissions to access Tivoli Identity Manager Enterprise Java Bean (EJB) components. Configuring this security component involves configuring an authentication mechanism and a user registry. The manual steps differ, depending on whether the deployment is for a single-node or multi-node configuration. Steps include the following: 1. Manually configure the authentication mechanism and user registry before installing Tivoli Identity Manager. 2. Specifying security user IDs and passwords during Tivoli Identity Manager installation. 3. Manually mapping an administrative user to a Tivoli Identity Manager role after installation. Configuring Security for Single-Node Deployment This section describes manual steps to take to configure J2EE security for a single-node deployment. Manual Steps on Single-Node Deployments before Installing Tivoli Identity Manager To configure the J2EE security component, do the following before Installing Tivoli Identity Manager: Specifying an Administrative User: Do the following to specify an administrative user: 1. Create or select an administrative user in your operating system s user registry. In subsequent examples, the user is called the System User or wasadmin. 2. Create or select another administrative user in your operating system s user registry. In subsequent examples, the user is called the EJB user or itimadmin. Specifying the Authentication Mechanism and User Registry: To specify the authentication mechanism and user registry, do the following: 1. Start the WebSphere administrative server and log in at the console. 2. Click Security > Global Security. 3. Select the following options: v Active Authentication Mechanism: SWAM (Simple WebSphere Authentication Mechanism) v Active User Registry: Local OS 4. Save the configuration changes. Copyright IBM Corp

118 Configuring the Local OS User Registry: To configure the local OS user registry, do the following: 1. Click Security > User Registries > Local OS. 2. Enter the System User user ID (wasadmin) and password. 3. Save the configuration changes. Enabling Security: Enable security. Do the following: 1. Click Security > Global Security. 2. Click Enabled. 3. Optionally, click Enforce Java 2 Security if you want to enable Java 2 security. All applications must support Java 2 security when this option is selected. 4. Save the configuration changes. Running with Security Enabled on Single-node Deployment: To run with security enabled on a single-node deployment, restart the WebSphere administrative server. When starting the administrative server, you might be required to specify the WebSphere administrative user ID and password. For example: {WAS_HOME}\bin\stopServer server1 [-username wasadmin -password wasadminpassword] {WAS_HOME}\bin\startServer server1 [-username wasadmin -password wasadminpassword] Manual Steps on Single-node Deployments After Installing Tivoli Identity Manager To complete configuration of the J2EE security component, do the following after installing Tivoli Identity Manager: Mapping an Administrative User to a Tivoli Identity Manager Role: To map an administrative user to a Tivoli Identity Manager role, do the following: 1. On the WebSphere Application Server administrative console, click Applications > Enterprise Applications. 2. Click enrole. 3. Scroll down and click Map security roles to users/groups from Additional Properties. 4. Select the check box for ITIM_SYSTEM. 5. Click Lookup users. 6. Click Search. 7. Select the EJB User user (itimadmin) from the list. 8. Click OK. 9. Ensure that the Everyone? or All Authenticated? check boxes are NOT selected. Note: To prevent unauthorized access, it is important to disable these check boxes. 10. Save the configuration changes. Configuring the was.policy File: following directory on the node: Ensure that the was.policy file exists in the {WAS_HOME}\config\cells\<cellname>\applications\enRole.ear\deployements\enrole\META-INF This policy file grants to Tivoli Identity Manager the permissions it needs to execute. Although this policy does not impose any restrictions on Tivoli Identity Manager, the enablement of Java 2 security allows security to be enforced in other 106 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

119 applications managed by WebSphere. If the file does not exist, locate and copy the file from the product CD or create the file in the indicated directory. The file contents should be similar to the following: grant codebase "file:;${application}" { permission java.security.allpermission; }; Updating Tivoli Identity Manager Configurations with the System User and EJB User: If you made changes to the System User and EJB User, you must update Tivoli Identity Manager configurations with new values for the System user and EJB user. Do the following: 1. Start the System Configuration program. To do so, type the following: {ITIM_HOME}\bin\runConfig 2. Select the Security tab. The Security tab window opens. Figure 44. Security tab window 3. Update the System User field and its password with the wasadmin user ID that you created in the local OS registry. 4. Update the EJB User field and its password with the itimadmin user ID that you created in the local OS registry. 5. Click OK. Restart Tivoli Identity Manager on a Single-node Deployment: To run with security enabled in a single-node deployment, restart Tivoli Identity Manager and log in when prompted. For example, to restart Tivoli Identity Manager, enter the following: {ITIM_HOME}\bin\itim stop wasadmin wasadminpassword {ITIM_HOME}\bin\itim start wasadmin wasadminpassword Setting the Default Token Timeout Interval: Security uses a token that will expire after an interval of system inactivity. The default is 120 minutes, which might not be large enough to use with Tivoli Identity Manager. Appendix D. Security Considerations 107

120 Note: On some systems, the actual timeout interval might be shorter than the value that is specified. A timeout might prevent you from logging on. When a timeout occurs, you must recycle the Network Deployment Manager, the cluster, and all node agents. To ensure that the token expiration value is large enough to prevent accidental timeouts, do the following: 1. Access the WebSphere Application Server administrative console. 2. Click Security > Authentication > LTPA > Timeout. 3. Set the token expiration interval to a value that exceeds your site s longest anticipated interval of system inactivity. Configuring Security for Multi-Node Deployment This section describes manual steps to take to configure J2EE security for a multi-node deployment. Manual Steps on a Multi-Node Deployment Before Installing Tivoli Identity Manager To configure the J2EE security component, do the following before installing Tivoli Identity Manager: Setting up the LDAP for Multi-node Security: To set up LDAP for multi-node security, do the following: 1. Using the directory server s management tool, create the organization unit ou=wassecurity,dc=com, where com might be your organization s suffix. 2. Create the user, cn=wasadmin,ou=wassecurity,dc=com. In this example, the WebSphere Application Server admin user is specified as the System User (wasadmin). Set the following fields: v sn=wasadmin v uid=wasadmin v userpassword=wasadminpassword 3. Additionally, create the user, cn=itimadmin,ou=wassecurity,dc=com. In this example, the Tivoli Identity Manager admin user is specified as the EJB user (itimadmin). Set the following fields: v sn=itimadmin v uid=itimadmin v userpassword=itimadminpassword Setting up the Authentication Mechanism and User Registry: To set up the authentication mechanism and user registry, do the following: 1. Start the WebSphere administrative server and log in at the console. 2. Click Security > Global Security. 3. Select the following options: v Active Authentication Mechanism: LTPA (Lightweight Third Party Authentication) v Active User Registry: LDAP 4. Save the configuration changes. Configuring the Authentication Mechanism: To configure the authentication mechanism, do the following: 1. Click Security > Authentication Mechanisms > LTPA. 108 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

121 2. Create and confirm a password for the LTPA authentication mechanism. 3. Save the configuration changes. Configuring the LDAP User Registry: To configure the LDAP user registry, do the following: 1. Click Security > User Registries > LDAP. 2. Select the following options: v Server User ID=wasadmin v Server User Password=wasadminpassword v Type=directoryservertype where directoryservertype identifies the directory server such as IBM_Directory_Server. v Host=ITIM LDAP server hostname v Base Distinguished Name (DN): ou=wassecurity,dc=com v Bind Distinguished Name (DN): Enter the bind distinguished name such as cn=root. v Bind Password: Enter the password for the bind distinguished name. v Ignore Case: Check this option 3. Save the configuration changes. Enabling Security: To enable security, do the following: 1. Click Security > Global Security. 2. Click Enabled. 3. Optionally, click Enforce Java 2 Security if you want to enable Java 2 security. All applications must support Java 2 security when this option is selected. 4. Save the configuration changes. Running with Security Enabled in a Multi-node Environment: To run with security enabled, do the following: 1. On the computer with the Network Deployment Manager, enter: {WAS_NDM_HOME}\bin\stopManager [-username wasadmin -password wasadminpassword] {WAS_NDM_HOME}\bin\startManager [-username wasadmin -password wasadminpassword] 2. On other computers with the node agent: {WAS_HOME}\bin\stopNode [-username wasadmin -password wasadminpassword] {WAS_HOME}\bin\startNode [-username wasadmin -password wasadminpassword] 3. Restart the cluster. Do the following: a. Log in to the WebSphere administrative server using the wasadmin user ID and password at the console. b. Click Servers > Clusters. c. Select the cluster. d. Click Stop and then click Start. 4. Restart the JMS server. Do the following: a. Log on to the WebSphere administrative server. b. Click Servers > JMS Servers. c. Select the server. d. Click Stop and then click Start. Appendix D. Security Considerations 109

122 Manual Steps on a Multi-node Deployment after Installing Tivoli Identity Manager To complete configuration of the J2EE security component, do the following after installing Tivoli Identity Manager: Mapping an Administrative User to a Tivoli Identity Manager Role: To map an administrative user to a Tivoli Identity Manager role, do the following: 1. On the WebSphere Application Server administrative console, click Applications > Enterprise Applications. 2. Click enrole. 3. Scroll down and click Map security roles to users/groups from Additional Properties. 4. Select the check box for ITIM_SYSTEM. 5. Click Lookup users. 6. Click Search. 7. Select the EJB user (itimadmin) from the list. 8. Click OK. 9. Ensure that the Everyone? or All Authenticated? check boxes are NOT selected. Note: To prevent unauthorized access, it is important to disable these check boxes. 10. Save the configuration changes. Configuring the was.policy File: Ensure that the was.policy file exists in the following directory on the Network Deployment Manager node: {WAS_NDM_HOME}\config\cells\<cellname>\applications\enRole.ear\deployements\enrole\META-INF This policy file grants to Tivoli Identity Manager the permissions it needs to execute. Although this policy does not impose any restrictions on Tivoli Identity Manager, the enablement of Java 2 security allows security to be enforced in other applications managed by WebSphere. If the file does not exist, locate and copy the file from the product CD or create the file in the indicated directory. The file contents should be similar to the following: grant codebase "file:;${application}" { permission java.security.allpermission; }; Synchronize the WebSphere Application Server Network Deployment configuration with the nodes in the cell. Restart the Tivoli Identity Manager cluster. Restarting Tivoli Identity Manager in a Multi-node Environment: Tivoli Identity Manager, do the following: 1. Click Server > Clusters. 2. Select the check box next to the cluster name. 3. Click Stop. Wait for the cluster to stop and then click Start. To restart Setting the Default Token Timeout Interval: Security uses a token that will expire after an interval of system inactivity. The default is 120 minutes, which might not be large enough to use with Tivoli Identity Manager. 110 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

123 Note: On some systems, the actual timeout interval might be shorter than the value that is specified. A timeout might prevent you from logging on. When a timeout occurs, you must recycle the Network Deployment Manager, the cluster, and all node agents. To ensure that the token expiration value is large enough to prevent accidental timeouts, do the following: 1. Access the WebSphere Application Server administrative console. 2. Click Security > Authentication > LTPA > Timeout. 3. Set the token expiration interval to a value that exceeds your site s longest anticipated interval of system inactivity. Disabling J2EE Security To disable J2EE security using the WebSphere administrative console, do the following: 1. Click Security > Global Security. 2. Uncheck (disable) Security and Java Security. 3. Stop and then start all node agents, JMS servers, and application servers. Alternatives in Configuring the HTTP Server To provide additional security, configure an HTTP server such as the IBM HTTP Server to reside on a computer that is external to the cell once Tivoli Identity Manager is fully installed. This process includes installing the web server, copying several files from the Network Deployment Manager, and configuring the web server to load and configure a WebSphere module at server startup. Appendix D. Security Considerations 111

124 WebSphere Network Deployment Manager JDBC driver HTTP Server Web Server plugin WebSphere base JDBC driver WebSphere Application Server ( ITIM UI ) WebSphere base JDBC driver WebSphere Application Server ( ITIM WF ) Tivoli Identity Manager Database WebSphere Application Server ( ITIM UI ) WebSphere Application Server ( ITIM WF ) Directory Server WebSphere Application Server ( ITIM UI ) WF Cluster UI Cluster Tivoli Identity Manager Cell Figure 45. HTTP Server Configuration for Increased Security The following is an example on a Solaris platform for IBM HTTP Server or Apache. Adapt the following steps for your platform: 1. On the external computer, install and configure the HTTP server. 2. Create a directory under the http_server_dir/conf directory called WebSphere. 3. Copy the following files from the Network Deployment Manager computer to the http_server_dir/conf/websphere directory: v was_deployment_mgr/bin/mod_ibm_app_server_http.so v was_deployment_mgr/config/cells/plugin-cfg.xml v was_deployment_mgr/etc/plugin-key.kdb v was_deployment_mgr/etc/plugin-key.sth 4. On the computer external to the cell, open the plugin-cfg.xml file in the text editor and make the following changes: v Change each instance of the was_deployment_mgr/etc/ directory to the http_server/conf/websphere directory. That is, replace /opt/websphere/deploymentmanager/etc with /opt/ibmhttpserver/conf/websphere. v Change the directory of the http_plugin.log file to http_server/logs. That is, replace /opt/websphere/appserver/logs/http_plugin.log with /opt/ibmhttpserver/logs/http_plugin.log. 5. Use a text editor to open the http_server_home/conf/httpd.conf file directory and add the following lines at the bottom of the file: # WebSphere plugin settings LoadModule ibm_app_server_http_module http_server/conf/websphere/mod_ibm_app_server_http.so WebSpherePluginConfig http_server/conf/websphere/plugin-cfg.xml 112 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

125 For example, enter the following: # WebSphere plugin settings LoadModule ibm_app_server_http_module /opt/ibmhttpserver/conf/websphere/mod_ibm_app_server_http.so WebSpherePluginConfig /opt/ibmhttpserver/conf/websphere /plugin-cfg.xml Note: Ensure that the WebSphere Application Server Fix Pack 2 is also installed on the computer on which the WebSphere Web Server plug-in is installed. Appendix D. Security Considerations 113

126 114 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

127 Appendix E. Upgrading from Tivoli Identity Manager 4.3 to Tivoli Identity Manager 4.5 Before You Begin This section describes upgrading previous data and schema from Tivoli Identity Manager Version 4.3 using WebLogic to Tivoli Identity Manager Version 4.5 using WebSphere Application Server. To complete the migration, an installation of Tivoli Identity Manager Version 4.3 using WebLogic will first have to be upgraded to Tivoli Identity Manager Version 4.5 using WebLogic. This process will upgrade the Tivoli Identity Manager Version 4.3 database and LDAP directory to be compatible with Tivoli Identity Manager Version 4.5. After the initial upgrade, a new installation of Tivoli Identity Manager Version 4.5 using WebSphere Application Server will be installed to a separate installation folder and then configured. Before upgrading from Tivoli Identity Manager version 4.3 to Tivoli Identity Manager version 4.5, do the following: 1. Upgrade and configure any software that is part of the existing Tivoli Identity Manager environment to meet the requirements for the new Tivoli Identity Manager version. This includes migrating or patching databases and directory servers. 2. During upgrade of the directory server, entries within the Tivoli Identity Manager sub-tree are scanned for the string enrole (case-insensitive). If an attribute s value contains the string enrole, that string is changed to itim. This string replacement is done for all attributes except those listed in {ITIM_HOME}\data\enRoleUnchangedAttributes.properties file. Before beginning the upgrade process, export the contents of the Tivoli Identity Manager 4.3 LDAP sub-tree to an LDIF file. Search the LDIF file for the string enrole. If you find attributes that contain values that should not be changed during upgrade, do the following: a. Select No for LDAP Directory Upgrade during the Tivoli Identity Manager 4.5 installation. b. Edit {ITIM_HOME}\data\enRoleUnchangedAttributes.properties file to add the attribute names. c. Invoke the LDAP Directory Upgrade manually. 3. Ensure your directory server is up and running. 4. Back up all current Tivoli Identity Manager information, which includes properties files and configuration settings. These files are located in {ITIM_HOME}\data. 5. Ensure all items in the pending queue are clear and that all recurring scheduled events, such as existing reconciliations, are deleted. Workflow preservation is not supported when upgrading from Tivoli Identity Manager Version 4.3 to Tivoli Identity Manager Version 4.5. Failing to complete this task prior to the upgrade may result in exceptions being thrown as Tivoli Identity Manager Version 4.5 attempts to read recurring or pending events that were created in the previous installation. 6. If you are using Oracle, ensure Oracle and the Oracle listener services are started. Copyright IBM Corp

128 Upgrading from Tivoli Identity Manager 4.3 Using WebLogic to Tivoli Identity Manager 4.5 Using WebLogic This section describes the steps necessary to upgrade a Tivoli Identity Manager 4.3 installation using WebLogic to a Tivoli Identity Manager 4.5 installation using WebLogic. This upgrade must be accomplished before an installation of Tivoli Identity Manager 4.5 using WebSphere Application Server can be performed. 1. Invoke the Tivoli Identity Manager 4.5 WebLogic installer and proceed normally through the installation wizard until the Have you installed BEA Weblogic Server 7.0? dialog appears. 2. Click No. The Do you want to continue the installation? dialog appears. 3. Click Yes. The Where do you plan to install Weblogic Server? dialog appears. 4. Click Next to accept the default WebLogic Server directory. The Choose Install Folder dialog appears. 5. Input the home directory for Tivoli Identity Manager 4.3. The Do you want to upgrade? dialog appears. 6. Click Yes. The Do you want to upgrade the LDAP directory during installation? dialog appears. 7. Click Yes. This will initiate an LDAP directory upgrade. Note: You can choose to upgrade the LDAP directory after the installation by selecting No. After the installation, invoke the ldapupgrade utility located in the bin directory. After the schema update is complete, the Database schema upgrade is complete dialog appears. 8. Click OK. At the conclusion of the LDAP upgrade, the Successfully upgraded directory server s schema and data dialog appears. The Tivoli Identity Manager 4.3 using WebLogic to Tivoli Identity Manager 4.5 using WebLogic upgrade is complete. Installing Tivoli Identity Manager Version 4.5 using WebSphere Application Server This section describes the steps necessary to install Tivoli Identity Manager Version 4.5 using WebSphere Application Server in the specific context of an upgrade from Tivoli Identity Manager Version 4.3 using WebLogic. 1. Invoke the Tivoli Identity Manager 4.5 WebSphere installer and proceed as you normally would through the installation wizard until the Choose Install Directory dialog appears. 2. Select a folder to install Tivoli Identity Manager 4.5 that is different from the original Tivoli Identity Manager 4.3 installation. For example, itim45. The Choose Database Type dialog appears. 3. Select the existing database type that was used for the original Tivoli Identity Manager 4.3 installation. 116 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

129 4. Continue with a typical installation until the Database Configuration Program dialog appears. 5. Click Cancel. The Directory Configuration dialog appears. 6. Click Cancel. The System Configuration Tool dialog appears. 7. Select the Directory tab and enter connection information for your existing directory server. 8. Click Test to verify that the connection information you entered is correct. 9. Select the Database tab and enter connection information for your existing database. 10. Click Test to verify that the connection information you entered is correct. 11. Click the Mail tab. The Mail tab window opens. 12. Change the value for the Identity Manager Server URL field to that of your server and click Apply. 13. Click OK and complete the installation. The Tivoli Identity Manager 4.5 using WebSphere Application Server installation is complete. Configuring the New Installation This section describes the configuration steps necessary to complete the migration of Tivoli Identity Manager 4.3 using WebLogic to Tivoli Identity Manager 4.5 using WebSphere Application Server. Complete the steps in this section only after you have upgraded a Tivoli Identity Manager 4.3 installation using WebLogic to a Tivoli Identity Manager 4.5 installation using WebLogic and have completed an installation of Tivoli Identity Manager 4.5 using WebSphere Application Server. 1. Copy CustomLabels.properties from Tivoli Identity Manager 4.3 data subfolder to the Tivoli Identity Manager 4.5 data subfolder. 2. Modify the following properties in the Tivoli Identity Manager 4.5 enrole.properties file to match the ones stored in Tivoli Identity Manager 4.3 enrole.properties: v enrole.defaulttenant.id v enrole.organization.name Appendix E. Upgrading from Tivoli Identity Manager 4.3 to Tivoli Identity Manager

130 118 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

131 Appendix F. Upgrading from Tivoli Identity Manager Version 4.4.x to 4.5 Before You Begin This section describes upgrading from Tivoli Identity Manager Version 4.4.x to Tivoli Identity Manager Version 4.5. This section details upgrading both single-server and cluster Tivoli Identity Manager configurations. The Tivoli Identity Manager upgrade process is grouped into two efforts: v Upgrading prerequisite software. You will have to upgrade and configure any software that is part of the existing Tivoli Identity Manager environment to meet the requirements for the new Tivoli Identity Manager version. This includes migrating or patching databases and directory servers. v Installing the new version of Tivoli Identity Manager using the Tivoli Identity Manager installation program. The Tivoli Identity Manager installation program upgrades database tables, directory server schema, and properties files for use with the new version of Tivoli Identity Manager. Notes: 1. The upgrade instructions provided in this section assume that you will install and configure a new installation of WebSphere Application Server version 5.0 to coexist with WebSphere Application Server version 4.0. In an environment where two WebSphere Application Server installations coexist, you need to ensure that the value for the com.ibm.ws.scripting.port in {WAS_HOME}\properties\wsadmin.properties matches the port under SOAP_CONNECTOR_ADDRESS of server1 in the following: {WAS_HOME}\config\cells\<cell_name>\nodes\<node_name>\serverindex.xml Without the matching value, Tivoli Identity Manager deployment and Tivoli Identity Manager/WebSphere Application Server configuration will fail. If you do not want to retain the installation of WebSphere Application Server version 4.0, you must uninstall it manually using the WebSphere Application Server version 4.0 uninstaller. 2. If you intend to install WebSphere Application Server version 5.0 using the Tivoli Identity Manager version 4.5 installer you must uninstall the following products: v WebSphere Application Server 4.0 v IBM MQSeries v IBM MQSeries support pack MA88 3. After the upgrade, previous audit and log data may not be relevant to the new data. Before upgrading from Tivoli Identity Manager version 4.4.x to Tivoli Identity Manager version 4.5, do the following: 1. Back up all current WebSphere Application Server configuration settings, which includes the settings for Tivoli Identity Manager 4.4.x. These files are located in {WAS_HOME}\config. Copyright IBM Corp

132 2. Back up all current Tivoli Identity Manager information, which includes properties files and configuration settings. These files are located in {ITIM_HOME}\data. 3. Back up the directory server. Refer to the appropriate documentation for your product. 4. Back up the database. Refer to the appropriate documentation for your product. 5. Ensure your installation environment meets or exceeds Tivoli Identity Manager version 4.5 requirements. Refer to Appendix B, Software and Hardware Requirements on Windows, on page Upgrade the directory server and database software to meet Tivoli Identity Manager version 4.5 installation requirements. Refer to Appendix B, Software and Hardware Requirements on Windows, on page Ensure all items in the pending queue are clear and that all recurring scheduled events, such as existing reconciliations, are deleted. Workflow preservation is not supported when upgrading from Tivoli Identity Manager Version 4.4 to Tivoli Identity Manager Version 4.5. Failing to complete this task prior to the upgrade may result in exceptions being thrown as Tivoli Identity Manager Version 4.5 attempts to read recurring or pending events that were created in the previous installation. 8. Prepare your WebSphere Application Server environment. Refer to Preparing for WebSphere Application Server Installation on page Shut down the cluster, if applicable. Upgrading a Single-Server Configuration This section includes procedures for upgrading a Tivoli Identity Manager single-server configuration. Complete the following procedures which are divided into the following groups of tasks: 1. Installing WebSphere Application Server base 5.0. Refer to Installing Base on Each Node on page 101 for procedures. Disregard any Network Deployment Manager or cluster-specific information. 2. Upgrading Tivoli Identity Manager 4.4.x to 4.5. Refer to Upgrading Tivoli Identity Manager 4.4.x to 4.5 for procedures. Upgrading Tivoli Identity Manager 4.4.x to 4.5 This section includes procedures for upgrading Tivoli Identity Manager 4.4.x to Start the Tivoli Identity Manager installer: instw2k-was.exe The Welcome window opens. 2. Select the appropriate language and click OK. The License Agreement window opens. 3. Read the license agreement and decide whether to accept its terms. If you do, select Accept and click Next. The Choose Installation Type window opens. 4. Select Single Server and click Next. The Choose Install Directory window opens. 5. Click Choose... and select the Tivoli Identity Manager 4.4.x home directory. 6. Click Next. The Do You Want to Upgrade from 4.4 to 4.5? dialog appears. 120 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

133 7. Select Yes. The WebSphere Location Confirmation dialog appears. 8. Confirm the location of the WebSphere home directory and click Next. The Choose WebSphere Security dialog appears. 9. Determine if WebSphere Global Security is active on your system. If WebSphere Global Security is on, click WebSphere Security Enabled, otherwise, select WebSphere Security Disabled. If you choose WebSphere Security Enabled and click Next, an additional window appears that requires you to specify the WebSphere Application Server user ID and password. For more information, refer to Appendix D, Security Considerations, on page 105. The Specify the Encryption Key dialog appears. 10. Provide an encryption key and click Next. The Pre-Install Summary dialog appears. 11. Click Install. The System Configuration Tool dialog appears. 12. Click the Mail tab. The Mail tab window opens. 13. Change the value for the Identity Manager Server URL field to that of your server and click Apply. 14. Click OK and complete the installation. Notes: 1. The upgrade process should pick up previously configured database and LDAP server pointer information. If you experience difficulty connecting to these resources, you can use the System Configuration Tool to reconfigure the connection properties for these systems. Refer to the Tivoli Identity Manager Server Configuration Guide for System Configuration Tool information. 2. If you receive an error message during the install regarding the enrole.ear file, the Network Deployment Manager may not be able to connect to the SOAP port. Ensure the port configured for SOAP is the one configured during the WebSphere 5.0 installation. In an environment where two WebSphere Application Server installations coexist, you need to ensure that the value for the com.ibm.ws.scripting.port in {WAS_HOME}\properties\wsadmin.properties matches the port under SOAP_CONNECTOR_ADDRESS of server1 in the following: {WAS_HOME}\config\cells\<cell_name>\nodes\<node_name>\serverindex.xml Without the matching value, Tivoli Identity Manager deployment and Tivoli Identity Manager/WebSphere Application Server configuration will fail. Upgrading a Cluster Configuration This section includes procedures for upgrading a Tivoli Identity Manager cluster configuration. These procedures are divided into the following groups of tasks: 1. Installing and configuring WebSphere components for cluster configuration: a. Installing WebSphere Application Server Network Deployment. Refer to Installing WebSphere Application Server Network Deployment on page 98 for procedures. b. Installing IBM HTTP Server and Web plug-in components. Refer to Installing IBM HTTP Server and WebSphere Web Server Plugin on page 100 for procedures. Appendix F. Upgrading from Tivoli Identity Manager Version 4.4.x to

134 c. Installing WebSphere Application Server base 5.0 on a secondary server. Refer to Installing Base on Each Node on page 101 for procedures. d. Configuring the cluster environment. Refer to Configuring Tivoli Identity Manager Clusters on page 98 for more information. 2. Upgrading Tivoli Identity Manager 4.4.x to 4.5 for the Network Deployment Manager System. Refer to Upgrading Tivoli Identity Manager 4.4.x to 4.5 for the Network Deployment Manager System for procedures. 3. Upgrading Tivoli Identity Manager 4.4.x to 4.5 for the member node system. Refer to Upgrading Tivoli Identity Manager 4.4.x to 4.5 for the Member System on page 123 for procedures. Upgrading Tivoli Identity Manager 4.4.x to 4.5 for the Network Deployment Manager System This section includes procedures for upgrading Tivoli Identity Manager 4.4.x to 4.5 on the system hosting the Network Deployment Manager system. Note: WebSphere Application Server Network Deployment 5.0 can be loaded on the Tivoli Identity Manager 4.4.x primary or secondary server. 1. Start the Tivoli Identity Manager installer on the Network Deployment Manager computer: instw2k-was.exe The Welcome window opens. 2. Select the appropriate language and click OK. The License Agreement window opens. 3. Read the license agreement and decide whether to accept its terms. If you do, select Accept and click Next. The Choose Installation Type window opens. 4. Select Cluster and click Next. The Important Information window opens. 5. Click Next. The Choose Install Directory window opens. 6. Click Choose... and select the Tivoli Identity Manager 4.4.x home directory. 7. Click Next. The Do You Want to Upgrade from 4.4 to 4.5? dialog appears. 8. Select Yes. The Choose Cluster Node Type window opens. 9. Select Network Deployment Manager for the node type and click Next. The WebSphere Location Confirmation dialog appears. 10. Confirm the location of the WebSphere home directory and click Next. The Choose Cluster Name dialog appears. 11. Provide the name of the cluster created within Network Deployment Manager. 12. Click Next. The Choose WebSphere Security dialog appears. 13. Determine if WebSphere Global Security is active on your system. If WebSphere Global Security is on, click WebSphere Security Enabled, otherwise, select WebSphere Security Disabled. If you choose WebSphere Security Enabled and click Next, an additional window appears that requires 122 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

135 you to specify the WebSphere Application Server user ID and password. For more information, refer to Appendix D, Security Considerations, on page 105. The Specify the Encryption Key dialog appears. 14. Provide an encryption key and click Next. The Pre-Install Summary dialog appears. 15. Click Install. Note: If you receive an error message during the install regarding the enrole.ear file, the Network Deployment Manager may not be able to connect to the SOAP port. Ensure the port configured for SOAP is the one configured during the WebSphere 5.0 installation. In an environment where two WebSphere Application Server installations coexist, you need to ensure that the value for the com.ibm.ws.scripting.port in {WAS_HOME}\properties\wsadmin.properties matches the port under SOAP_CONNECTOR_ADDRESS of server1 in the following: {WAS_HOME}\config\cells\<cell_name>\nodes\<node_name>\serverindex.xml Without the matching value, Tivoli Identity Manager deployment and Tivoli Identity Manager/WebSphere Application Server configuration will fail. The System Configuration Tool dialog appears. 16. Click the Mail tab. The Mail tab window opens. 17. Change the value for the Identity Manager Server URL field to that of your server and click Apply. Note: The Identity Manager Server URL field is the only value that you are required to change. You may provide additional information for other System Configuration Tool tabs at this time. 18. Click OK and complete the installation. Note: The upgrade process should pick up previously configured database and LDAP server pointer information. If you experience difficulty connecting to these resources, you can use the System Configuration Tool to reconfigure the connection properties for these systems. Refer to the Tivoli Identity Manager Server Configuration Guide for System Configuration Tool information. Upgrading Tivoli Identity Manager 4.4.x to 4.5 for the Member System This section includes procedures for upgrading Tivoli Identity Manager 4.4.x to 4.5 on the cluster member system. Note: WebSphere Application Server Network Deployment 5.0 can be loaded on the Tivoli Identity Manager 4.4.x primary or secondary server. 1. Start the Tivoli Identity Manager installer on the member node machine: instw2k-was.exe The Welcome window opens. Appendix F. Upgrading from Tivoli Identity Manager Version 4.4.x to

136 2. Select the appropriate language and click OK. The License Agreement window opens. 3. Read the license agreement and decide whether to accept its terms. If you do, select Accept and click Next. 4. Click Next. The Choose Installation Type window opens. 5. Select Cluster and click Next. The Important Information window opens. 6. Click Next. The Choose Install Directory window opens. 7. Click Choose... and select the Tivoli Identity Manager 4.4.x home directory. 8. Click Next. The Do You Want to Upgrade from 4.4 to 4.5? dialog appears. 9. Select Yes. The Choose Cluster Node Type window opens. 10. Select Cluster Member for the node type and click Next. The WebSphere Location Confirmation dialog appears. 11. Confirm the location of the WebSphere home directory and click Next. The Choose Cluster Name dialog appears. 12. Provide the name of the cluster created within Network Deployment Manager. 13. Click Next. The Choose WebSphere Security dialog appears. 14. Determine if WebSphere Global Security is active on your system. If WebSphere Global Security is on, click WebSphere Security Enabled, otherwise, select WebSphere Security Disabled. If you choose WebSphere Security Enabled and click Next, an additional window appears that requires you to specify the WebSphere Application Server user ID and password. For more information, refer to Appendix D, Security Considerations, on page 105. The Specify the Encryption Key dialog appears. 15. Provide an encryption key and click Next. The Pre-Install Summary dialog appears. 16. Click Install. Note: If you receive an error message during the install regarding the enrole.ear file, the Network Deployment Manager may not be able to connect to the SOAP port. Ensure the port configured for SOAP is the one configured during the WebSphere 5.0 installation. In an environment where two WebSphere Application Server installations coexist, you need to ensure that the value for the com.ibm.ws.scripting.port in {WAS_HOME}\properties\wsadmin.properties matches the port under SOAP_CONNECTOR_ADDRESS of server1 in the following: {WAS_HOME}\config\cells\<cell_name>\nodes\<node_name>\serverindex.xml Without the matching value, Tivoli Identity Manager deployment and Tivoli Identity Manager/WebSphere Application Server configuration will fail. 124 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

137 The System Configuration Tool dialog appears. 17. Click the Mail tab. The Mail tab window opens. 18. Change the value for the Identity Manager Server URL field to that of your server and click Apply. Note: The Identity Manager Server URL field is the only value that you are required to change. You may provide additional information for other System Configuration Tool tabs at this time. 19. Click OK and complete the installation. Note: The upgrade process should pick up previously configured database and LDAP server pointer information. If you experience difficulty connecting to these resources, you can use the System Configuration Tool to reconfigure the connection properties for these systems. Refer to the Tivoli Identity Manager Server Configuration Guide for System Configuration Tool information. Appendix F. Upgrading from Tivoli Identity Manager Version 4.4.x to

138 126 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

139 Appendix G. Uninstalling Tivoli Identity Manager Before You Begin The Tivoli Identity Manager uninstall process uninstalls the following: v Tivoli Identity Manager, including all {ITIM_HOME} files copied to a target system during the Tivoli Identity Manager installation v Tivoli Identity Manager application and configuration settings created for Tivoli Identity Manager on WebSphere Application Server Uninstalling Tivoli Identity Manager does not modify existing database tables or the Directory server schema. The Tivoli Identity Manager uninstaller removes the Tivoli Identity Manager application from within WebSphere Application Server. To uninstall additional products that might have been installed during the Tivoli Identity Manager installation, such as WebSphere Application Server or IBM HTTP Server, refer to the appropriate documentation for the product. Note: If you uninstall Tivoli Identity Manager from a cluster configuration, remove Tivoli Identity Manager from all cluster members first, and then remove Tivoli Identity Manager from the computer on which the Network Deployment Manager is installed. If you intend to save Tivoli Identity Manager configuration information in WebSphere, prior to uninstalling Tivoli Identity Manager, perform a backup of the WebSphere configuration files. 1. Start the WebSphere Application Server. For more information on starting this server, refer to documentation provided by WebSphere Application Server. 2. Run the following command on the computer that hosts the WebSphere Application Server to make a backup file: {WAS_HOME}\bin\backupConfig.bat The command creates a zip file such as WebSphereConfig_ zip that contains all current Tivoli Identity Manager configuration settings. The file is created in the directory from which you run the backupconfig command. Note: To restore the configuration settings, run the following command: {WAS_HOME}\bin\restoreConfig.bat WebSphereConfig_datevalue.zip Notes: 1. If you uninstall Tivoli Identity Manager from a cluster configuration, ensure the Network Deployment Manager is running. In addition, you should also verify that the node agent is running on the system prior to performing an uninstall process to maintain communication between the application server and the Network Deployment Manager. 2. You may encounter problems if you uninstall Tivoli Identity Manager from a Network Deployment Manager system if there is not a local copy of JVM 1.3 or a local installation of WebSphere Application Server base resident on the system. In this case, you can either install a local copy of JVM 1.3 or update the JVM definition of the <ITIM_HOME>/itimUninstallerData/Uninstall ITIM.lax LAX file. Copyright IBM Corp

140 Change the following line: lax.nl.current.vm=\java\bin\javaw.exe to lax.nl.current.vm=<was_ndm_home>\java\bin\javaw.exe Steps to Uninstall Tivoli Identity Manager To uninstall Tivoli Identity Manager, do the following: 1. Uninstall the Tivoli Identity Manager application by running the following command on the computer on which Tivoli Identity Manager is installed: {ITIM_HOME}\itimUninstallerData\Uninstall_ITIM 2. Proceed through the uninstall wizard panels to confirm you want to uninstall Tivoli Identity Manager. 3. After the uninstall completes successfully, remove any residual directories, configuration files, and log files for Tivoli Identity Manager from your file system. The Tivoli Identity Manager uninstaller also removes the Tivoli Identity Manager application deployed in the WebSphere Application Server. To verify that Tivoli Identity Manager has been uninstalled and removed as an application from WebSphere Application Server, do the following: 1. Launch the WebSphere Application Server administrative console and log in. 2. From the navigation tree, navigate through the target node and click the Enterprise Applications link located beneath it. A list of the enterprise applications installed on the application server appears. If you see an application named enrole listed, the Tivoli Identity Manager uninstaller was unable to automatically remove the Tivoli Identity Manager application from WebSphere Application Server. You can remove the application manually. If you do not find the enrole application listed, the Tivoli Identity Manager uninstaller successfully removed the Tivoli Identity Manager uninstaller application from within WebSphere Application Server. To manually remove Tivoli Identity Manager as an application from WebSphere Application Server, do the following: 1. Launch the WebSphere Application Server administrative console and log in. 2. From the navigation tree, navigate through the target node and click the Enterprise Applications link located beneath it. A list of the enterprise applications installed on the application server appears. 3. Select the check box next to the enrole application. 4. Click the Stop button. 5. When the enrole application has successfully been stopped, select the check box next to the enrole application. 6. Click the Uninstall button. 7. Check that the enrole.ear directory is completely removed from {WAS_HOME}\AppServer\config\cells\servername\applications 8. Remove itim.log in {WAS_HOME}\AppServer\logs Note: In a cluster environment, once you remove Tivoli Identity Manager from the Network Deployment Manager system, Tivoli Identity Manager will no longer be available to the cluster. You can remove Tivoli Identity Manager 128 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

141 from an individual cluster member by following the instructions listed above for a manual uninstall of the application. Appendix G. Uninstalling Tivoli Identity Manager 129

142 130 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

143 Appendix H. Notices This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user s responsibility to evaluate and verify the operation of any non-ibm product, program, or service. IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing IBM Corporation North Castle Drive Armonk, NY U.S.A. For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to: IBM World Trade Asia Corporation Licensing 2-31 Roppongi 3-chome, Minato-ku Tokyo , Japan The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you. This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice. Any references in this information to non-ibm Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk. IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you. Copyright IBM Corp

144 Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged should contact: IBM Corporation 2ZA4/ Burnet Road Austin, TX U.S.A. Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee. The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us. Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment. Information concerning non-ibm products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-ibm products. Questions on the capabilities of non-ibm products should be addressed to the suppliers of those products. Trademarks The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both: AIX DB2 IBM IBM logo SecureWay Tivoli Tivoli logo Universal Database WebSphere Lotus is a registered trademark of Lotus Development Corporation and/or IBM Corporation. Domino is a trademark of International Business Machines Corporation and Lotus Development Corporation in the United States, other countries, or both. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. 132 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebSphere

145 UNIX is a registered trademark of The Open Group in the United States and other countries. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. Other company, product, and service names may be trademarks or service marks of others. Appendix H. Notices 133