Tivoli Identity Manager


Tivoli Identity Manager Version 4.6 Server Installation and Configuration Guide for WebSphere Environments SC


Note: Before using this information and the product it supports, read the information in Appendix F, Notices, on page 145.

First Edition (June 2005)

This edition applies to version 4.6 of Tivoli Identity Manager and to all subsequent releases and modifications until otherwise indicated in new editions. This edition merges and replaces SC and SC

This product includes Adaptx, a free XSLT Processor. (C) Keith Visco and Contributors.

Copyright International Business Machines Corporation 2003, All rights reserved. US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Preface
  Who should read this book
  Publications and related information
  Tivoli Identity Manager library
  Prerequisite product publications
  Related publications
  Accessing publications online
  Accessibility
  Support information
  Conventions used in this book
  Typeface conventions
  Operating system differences
  Definitions for HOME and other directory variables
  Special terms

Chapter 1. Overview of the Tivoli Identity Manager Environment
  Tivoli Identity Manager components
  Adapters overview
  WebSphere Application Server products
  Database server products
  Directory server products
  HTTP server and WebSphere Web Server plug-in
  Configuration options
  Single-server configurations
  Cluster configuration
  Overview of the installation
  Planning activities for deployments at large sites

Chapter 2. Installing and configuring a database
  Before you install the database product
  Installing and configuring IBM DB2 Universal Database
  Recording user data and ensuring that installation succeeds
  Installing the required fix packs
  Configuring the DB2 server
  Configuring the DB2 JDBC driver
  Determining the correct service listening port and service name
  Tuning performance
  Installing and configuring the Oracle database
  Before you create a database
  Creating the Tivoli Identity Manager database
  Starting the Oracle product and the listener service
  Installing and configuring SQL Server 2000 on the Windows operating system
  Preparing to install SQL Server
  Installing SQL Server
  Configuring SQL Server

Chapter 3. Installing and configuring a directory server
  Before you install the directory server product
  Installing and configuring IBM Tivoli Directory Server
  Installing IBM Tivoli Directory Server
  Installing the required fix packs
  Setting up the IBM Tivoli Directory Server
  Avoiding port conflicts
  Installing and configuring Sun ONE Directory Server
  Installing the Sun ONE Directory Server
  Configuring the Sun ONE Directory Server

Chapter 4. Installing and configuring WebSphere Application Server
  Before you install the WebSphere Application Server
  Meeting installation requirements
  Solaris: Setting additional kernel parameters for WebSphere embedded messaging
  AIX: Validating port 9090 is available for the WebSphere Application Server administrative host
  UNIX: Creating groups and users before installing WebSphere embedded messaging
  Installing the WebSphere Application Server base product, IBM HTTP Server, and WebSphere Web Server plug-in
  Installing the IBM HTTP Server
  Creating a cluster configuration
  Installing the deployment manager
  Installing the WebSphere Application Server base product on each node
  Adding nodes to a cell
  Verifying that the deployment manager, node agents, and JMS servers are running
  Creating a cluster
  Resolving port conflicts
  Optionally configuring security for Tivoli Identity Manager
  Configuring security manually for single-node deployments before installing Tivoli Identity Manager
  Configuring security manually for multi-node deployments before installing Tivoli Identity Manager
  Disabling security
  Moving the HTTP server out of the cell for additional security

Chapter 5. Installing Tivoli Identity Manager in a single-server configuration
  Before you begin
  Overview of the installation program in a single-server configuration
  Starting the installation wizard
  Completing the installation wizard pages
  Responding to major installation actions
  Verifying that the Tivoli Identity Manager Server is operational
  UNIX: Sourcing the DB2 Universal Database profile
  Optionally installing a language pack
  Preparing to install adapters

Chapter 6. Installing Tivoli Identity Manager in a cluster configuration
  Before you begin
  Overview of the installation program in a cluster configuration
  Starting the installation wizard
  Completing the installation wizard pages
  Responding to major installation actions
  Starting a cluster
  Verifying that the Tivoli Identity Manager Server is operational
  UNIX: Sourcing the DB2 Universal Database profile
  Optionally installing a language pack
  Changing cluster configurations after Tivoli Identity Manager is installed
  Expanding a cluster using a new computer
  Removing cluster members
  Generating the WebSphere Web Server plug-in configuration file
  Preparing to install adapters

Chapter 7. Configuring the Tivoli Identity Manager Server
  Configuring the Tivoli Identity Manager database
  Completing the database configuration windows
  Manually starting the DBConfig database configuration tool
  Configuring the directory server
  Completing the directory server configuration windows
  Manually running the ldapconfig configuration tool
  Configuring commonly used system properties
  Manually starting the system configuration tool
  General tab
  Directory tab
  Database tab
  Logging tab
  Mail tab
  UI tab
  Security tab
  Optionally configuring security after installing Tivoli Identity Manager
  Mapping an administrative user to a role
  Ensuring that the was.policy file exists
  Updating the system user and the EJB user
  Running Java 2 security on single-node deployments
  Running Java 2 security on multi-node deployments
  Modifying system properties during normal operation
  Modifying system properties with the system configuration tool
  Modifying system properties manually
  Modifying system properties with the Tivoli Identity Manager GUI

Chapter 8. Troubleshooting and verifying the installation
  Correcting problems starting the installation
  Verifying the installation
  Testing the database connection
  Ensuring that the directory server is running
  Ensuring that the HTTP server is running
  Ensuring that WebSphere embedded messaging is running
  Ensuring that the WebSphere Application Server is running
  Checking the Web browser operation
  Troubleshooting the Tivoli Identity Manager startup
  Logs and directories

Chapter 9. Uninstalling the Tivoli Identity Manager Server
  What is not removed
  Before you begin
  Steps to uninstall the Tivoli Identity Manager Server
  Verifying that the Tivoli Identity Manager Server is uninstalled
  Manually removing components
  Manually removing the Tivoli Identity Manager Server from the WebSphere Application Server
  Manually removing other files or directories
  Ensuring that Tivoli Identity Manager objects are removed from the Sun ONE Directory Server

Appendix A. Installation images and fix packs
  Installation images
  Verifying the fix pack level
  Obtaining fix packs

Appendix B. Worksheets
  Tivoli Identity Manager information for the database
  Tivoli Identity Manager information for the directory server
  Tivoli Identity Manager information
  WebSphere Application Server: single-server installation
  WebSphere Application Server: cluster installation

Appendix C. Upgrading from Tivoli Identity Manager Version to Version
  Processes and settings that the upgrade process preserves
  Processes and settings that are not preserved, or require manual upgrade
  Before you begin
  Upgrading a single-server configuration
  Upgrading a cluster configuration
  Post-migration tasks
  Preserving customized data manually
  Upgrading Crystal Reports
  Correcting upgrade problems

Appendix D. Steps that the installation program takes to configure the WebSphere environment
  Before you begin
  Configuring resources for the Tivoli Identity Manager Server
  Setting environment properties
  Setting transaction service properties
  Creating J2C authentication data entries
  Creating the JDBC driver and the WebSphere Application Server data source
  Creating Tivoli Identity Manager JMS objects at the cell level
  Creating Tivoli Identity Manager JMS objects at the server level
  Creating message listener ports
  Configuring the internal JMS server
  Updating the JVM classpath
  Overriding client encoding
  Deploying and configuring the Tivoli Identity Manager J2EE application
  Deploying Tivoli Identity Manager on the WebSphere Application Server
  Configuring application classloader settings
  Regenerating the WebSphere Web Server plug-in
  Configuring the JAAS login module
  Configuring the JAAS login module for JNDI feed

Appendix E. Support information
  Searching knowledge bases
  Search the information center on your local system or network
  Search the Internet
  Obtaining fixes
  Contacting IBM Software Support
  Determine the business impact of your problem
  Describe your problem and gather background information
  Submit your problem to IBM Software Support

Appendix F. Notices
  Trademarks

Glossary

Index

Copyright IBM Corp. 2003, 2006


Preface

Who should read this book

This guide for the IBM Tivoli Identity Manager Server describes how to install and configure the Tivoli Identity Manager Server in a WebSphere environment. This book is intended for system and security administrators who install, maintain, or administer software on their computer systems.

Readers are expected to understand system and security administration concepts. Additionally, the reader must understand administration concepts for the following types of products:
- Database server
- Directory server
- Application server
- Messaging support
- IBM HTTP Server

Publications and related information

Read the descriptions of the Tivoli Identity Manager library. To determine which additional publications you might find helpful, read the Prerequisite product publications on page ix and the Related publications on page x. After you determine the publications you need, refer to the instructions in Accessing publications online on page xi.

Tivoli Identity Manager library

The publications in the Tivoli Identity Manager technical documentation library are organized into the following categories:
- Release information
- Planning for installation, configuration, and customization
- Online user assistance
- Server installation and configuration
- Problem determination
- Technical supplements
- Adapter installation and configuration

Release information:
- IBM Tivoli Identity Manager Release Notes: Provides software and hardware requirements for Tivoli Identity Manager, and additional fix, patch, and other support information.
- IBM Tivoli Identity Manager Documentation Read This First Card: Lists the Tivoli Identity Manager publications.

Planning for installation, configuration, and customization:
IBM Tivoli Identity Manager Planning for Deployment Guide describes the components, functions, and capabilities of the product, explains how the product can impact the infrastructure of an organization, recommends guidelines for managing the implementation of the product, and recommends strategies for integrating identity management capabilities into a production environment.

Online user assistance:
Provides online help topics and an information center for all Tivoli Identity Manager administrative tasks. The information center includes information that was previously provided in the IBM Tivoli Identity Manager Configuration Guide and the IBM Tivoli Identity Manager Policy and Organization Administration Guide.

Server installation and configuration:
IBM Tivoli Identity Manager Server Installation and Configuration Guide for WebSphere Environments provides installation and configuration information for Tivoli Identity Manager. Configuration information that was previously provided in the IBM Tivoli Identity Manager Configuration Guide is now included in either the installation guide or in the IBM Tivoli Identity Manager Information Center.

Problem determination:
IBM Tivoli Identity Manager Problem Determination Guide provides problem determination, logging, and message information for the Tivoli Identity Manager product.

Technical supplements:
The following technical supplements are provided by developers or by other groups who are interested in this product:
- IBM Tivoli Identity Manager Performance Tuning Guide: Provides information needed to tune Tivoli Identity Manager Server for a production environment. It is available on the Web at: Click the I character in the A-Z product list, and then, click the IBM Tivoli Identity Manager link. Browse the information center for the Technical Supplements section.
- Redbooks and white papers are available on the Web at: IBMTivoliIdentityManager.html Browse to the Self Help section, in the Learn category, and click the Redbooks link.
- Technotes are available on the Web at:
- Field guides are available on the Web at:
- For an extended list of other Tivoli Identity Manager resources, search the following IBM developerWorks Web site:

Adapter installation and configuration:
The Tivoli Identity Manager Server technical documentation library includes documentation for the adapter components of a Tivoli Identity Manager implementation. Locate adapter documentation on the Web at: Click the I character in the A-Z product list, and then, click the IBM Tivoli Identity Manager link. Locate Tivoli Identity Manager adapters on the Web at: Passport_Advantage_Home

Skills and training:
Education solutions for Tivoli Identity Manager cover these topics:
- Planning
- Basic and Advanced Administration
- Installation and Configuration
- Workflows

You also have the option of requesting custom training that is tailored to your needs. For more information, road maps, and schedules, access this IBM Tivoli Education Web site:

You can also contact these education delivery addresses:
- Americas: tivamedu@us.ibm.com
- Asia Pacific: tivtrainingap@au1.ibm.com
- Europe, the Middle East, and Africa (EMEA): tived@uk.ibm.com

Additional skills and technical training information might be available at these Web sites:
- IBM Professional Certification: Search on identity manager to locate available classes and certification offerings.
- Virtual Skills Center for Tivoli Software on the Web at:
- Tivoli Technical Exchange on the Web at: supp_tech_exch.html

Prerequisite product publications

To use the information in this book effectively, you must have knowledge of the products that are prerequisites for Tivoli Identity Manager Server. Publications are available from the following locations:
- Operating systems
  - IBM AIX
  - Sun Solaris
  - Red Hat Linux
  - Microsoft Windows Server
- Database servers
  - IBM DB2 Universal Database
    - Support:
    - Information center:
    - Documentation: winos2unix/support/v8pubs.d2w/en_main
    - DB2 product family:
    - Fix packs:
    - System requirements:
  - Oracle
  - Microsoft SQL Server
- Directory server applications
  - IBM Tivoli Directory Server
    - Version 5.2: en_us/html/ldapinst.htm
    - Version 6.0: toc=/com.ibm.ibmds.doc/toc.xml
  - Sun ONE Directory Server
- IBM WebSphere Application Server
  Additional information is available in the product directory or Web sites.
- WebSphere embedded messaging
- IBM HTTP Server

Related publications

Information that is related to Tivoli Identity Manager Server is available in the following publications:
- The Tivoli Software Library provides a variety of Tivoli publications such as white papers, datasheets, demonstrations, redbooks, and announcement letters. The Tivoli Software Library is available on the Web at:
- The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available from the Glossary link of the Tivoli Software Library Web page at:

Accessing publications online

IBM posts publications for this and all other Tivoli products, as they become available and whenever they are updated, to the Tivoli software information center Web site. Access the Tivoli software information center at the following Web address: Click the I character in the A-Z list, and then click the IBM Tivoli Identity Manager link to access the product library.

Note: If you print PDF documents on other than letter-sized paper, set the option in the File Print window that allows Adobe Reader to print letter-sized pages on your local paper.

Accessibility

The product documentation includes the following features to aid accessibility:
- Documentation is available in convertible PDF format to give the maximum opportunity for users to apply screen-reader software.
- All images in the documentation are provided with alternative text so that users with vision impairments can understand the contents of the images.

Support information

If you have a problem with your IBM software, you want to resolve it quickly. IBM provides the following ways for you to obtain the support you need:
- Searching knowledge bases: You can search across a large collection of known problems and workarounds, Technotes, and other information.
- Obtaining fixes: You can locate the latest fixes that are already available for your product.
- Contacting IBM Software Support: If you still cannot solve your problem, and you need to work with someone from IBM, you can use a variety of ways to contact IBM Software Support.

For more information about these ways to resolve problems, see Appendix E, Support information, on page 141.

Conventions used in this book

This reference uses several conventions for special terms and actions and for operating system-dependent commands and paths.

Typeface conventions

This guide uses the following typeface conventions:

Bold
- Lowercase commands and mixed case commands that are otherwise difficult to distinguish from surrounding text
- Interface controls (check boxes, push buttons, radio buttons, spin buttons, fields, folders, icons, list boxes, items inside list boxes, multicolumn lists, containers, menu choices, menu names, tabs, property sheets), labels (such as Tip:, and Operating system considerations:)
- Keywords and parameters in text

Italic
- Words defined in text
- Emphasis of words (words as words)
- New terms in text (except in a definition list)
- Variables and values you must provide

Monospace
- Examples and code examples
- File names, programming keywords, and other elements that are difficult to distinguish from surrounding text
- Message text and prompts addressed to the user
- Text that the user must type
- Values for arguments or command options

Changed text
Changed text is indicated by a vertical line (|) in the margin.

Operating system differences

This guide uses the UNIX convention for specifying environment variables and for directory notation. When using the Windows command line, replace $variable with %variable% for environment variables and replace each forward slash (/) with a backslash (\) in directory paths. The names of environment variables are not always the same in Windows and UNIX. For example, %TEMP% in the Windows operating system is equivalent to $tmp in a UNIX operating system.

Note: If you are using the bash shell on a Windows system, you can use the UNIX conventions.

Definitions for HOME and other directory variables

The following table contains the default definitions that are used in this guide to represent the HOME directory level for various product installation paths. You can customize the installation directory and HOME directory for your specific implementation. If this is the case, you need to make the appropriate substitution for the definition of each variable represented in this table.

The value of path varies for these operating systems:
- Windows: drive:\program Files
- AIX: /usr
- Other UNIX: /opt

Path variables: default definitions and descriptions

DB_INSTANCE_HOME
  Default definition:
    Windows: path\ibm\sqllib
    UNIX:
      AIX, Linux: /home/dbinstancename
      Solaris: /export/home/dbinstancename
  Description: The directory that contains the database for Tivoli Identity Manager.

LDAP_HOME
  Default definition:
    For IBM Tivoli Directory Server Version 5.2
      Windows: path\ibm\ldap
      UNIX:
        AIX, Linux: path/ldap
        Solaris: path/ibmldaps
    For IBM Tivoli Directory Server Version 6.0
      Windows: path\ibm\ldap\v6.0
      UNIX:
        AIX, Solaris: path/ibm/ldap/v6.0
        Linux: opt/ibm/ldap/v6.0
    For Sun ONE Directory Server
      Windows: path\sun\mps
      UNIX: /var/sun/mps
  Description: The directory that contains the directory server code.

IDS_instance_HOME
  Default definition:
    For IBM Tivoli Directory Server Version 6.0
      Windows: drive\ibmslapd-instance_owner_name
      UNIX: INSTANCE_HOME/idsslapd-instance_name
  Description: The directory that contains the IBM Tivoli Directory Server Version 6.0 instance.
    Windows: The value of drive might be C:\ on Windows systems. An example of instance_owner_name might be ldapdb2. For example, the log file might be C:\idsslapd-ldapdb2\logs\ibmslapd.log.
    UNIX: On Linux and AIX systems, the default home directory is the /home/instance_owner_name directory. On Solaris systems, for example, the directory is the /export/home/ldapdb2/idsslapd-ldapdb2 directory.

HTTP_HOME
  Default definition:
    Windows: path\ibmhttpserver
    UNIX: path/ibmhttpserver
  Description: The directory that contains the IBM HTTP Server code.

ITIM_HOME
  Default definition:
    Windows: path\ibm\itim
    UNIX: path/ibm/itim
  Description: The base directory that contains the Tivoli Identity Manager code, configuration, and documentation.

WAS_HOME
  Default definition:
    Windows: path\websphere\appserver
    UNIX: path/websphere/appserver
  Description: The WebSphere Application Server home directory

WAS_MQ_HOME
  Default definition:
    Windows: path\ibm\websphere MQ
    UNIX: path/mqm
  Description: The directory that contains the WebSphere MQ code.

WAS_NDM_HOME
  Default definition:
    Windows: path\websphere\deploymentmanager
    UNIX: path/websphere/deploymentmanager
  Description: The home directory on the deployment manager

Tivoli_Common_Directory
  Default definition:
    Windows: path\ibm\tivoli\common\ctgim
    UNIX: path/ibm/tivoli/common/ctgim
  Description: The central location for all serviceability-related files, such as logs and first-failure data capture

Special terms

The following special term is used in this information:

UNIX and Linux
  The term UNIX means both UNIX and Linux systems. A Linux-specific label is used only when required for clarity.

Chapter 1. Overview of the Tivoli Identity Manager Environment

This section provides a brief, high-level description of Tivoli Identity Manager components and prerequisite products, including an overview of basic configurations that you must consider before installing Tivoli Identity Manager.

This publication includes instructions for the supported UNIX, Linux, and Windows operating systems. Not all of this information may be appropriate for your choice of operating system or combination of products. To determine the supported combinations of prerequisite products, release levels, and fix pack specifications, refer to the IBM Tivoli Identity Manager Release Notes, which takes precedence over this document.

This book focuses on the tasks that you must complete in order to configure and use Tivoli Identity Manager, such as creating a database or an LDAP suffix. This book provides links to the more extensive, prerequisite information that you must obtain and the steps that you must complete to install middleware, before you can install Tivoli Identity Manager.

Tivoli Identity Manager components

Tivoli Identity Manager provides life cycle management of user accounts on remote resources, using adapters to provide communication. The Tivoli Identity Manager product:
- Provides user accounts to authorized users on one or more resources to which Tivoli Identity Manager adapters are connected
- Runs in a WebSphere Application Server environment, either in a single-server or clustered configuration
- Stores historical and pending data in a database server
- Stores user account and organizational data in an LDAP directory server
- Provides administration from a client interface in a Web browser that communicates through an HTTP server, such as IBM HTTP Server, and a WebSphere Web Server plug-in

A basic configuration is similar to Figure 1 on page 2.

[Figure 1. Tivoli Identity Manager components. Diagram labels: Client (browser), IBM HTTP Server, WebSphere Web Server plug-in, WebSphere Application Server, Tivoli Identity Manager Server, JDBC driver, Tivoli Identity Manager database, LDAP data store, Tivoli Identity Manager adapter, Managed resource]

Adapters overview

The Tivoli Identity Manager Server and its adapters enable you to provision identities to a set of heterogeneous resources, which may be operating systems, data stores, or other applications. Adapters were called agents in previous Tivoli Identity Manager releases.

An adapter is a program that provides an interface between a managed resource and the Tivoli Identity Manager Server. Adapters function as trusted virtual administrators on the target platform for account management. For example, adapters perform such tasks as creating accounts, suspending accounts, and modifying account attributes.

A Tivoli Identity Manager adapter can be either agent-based or agentless:

Agent-based adapter
  Deploys its adapter code onto the managed resource with which it is designed to communicate.

Agentless adapter
  Deploys only on the server, separate from the managed resource with which it is designed to communicate.

WebSphere Application Server products

The WebSphere Application Server is the primary component of the WebSphere environment. The WebSphere Application Server runs a Java virtual machine, providing the runtime environment for the enterprise application code. The application server provides containers that specialize in enabling the execution of specific Java application components.

The Tivoli Identity Manager application runs on a single-server configuration with the WebSphere Application Server base product. Tivoli Identity Manager application also runs in a larger cluster configuration that is composed of one or more WebSphere Application Servers and a deployment manager that manages a cluster.

Additional server processes run in a WebSphere Application Server environment, such as the Java Message Service (JMS, sometimes called the jmsserver process or the JMS server) that provides the WebSphere embedded messaging. The JMS server enables the Tivoli Identity Manager application to exchange information with other applications by sending and receiving data as messages.

For additional information about the WebSphere Application Server products, refer to additional documentation cited in Prerequisite product publications on page ix.

Database server products

Tivoli Identity Manager stores transactional and historical data in a database server. For example, the Tivoli Identity Manager provisioning processes use a relational database to maintain their current state as well as their history.

Computers that communicate with the database require a Java Database Connectivity driver (JDBC driver). A JDBC driver is used to connect a Java-based application to a database. For example, a JDBC driver enables a Tivoli Identity Manager Server on a local computer or on another computer to communicate with the data source.

Tivoli Identity Manager supports JDBC driver types that connect to corresponding databases. The supported JDBC drivers include:

DB2 Universal Database
  DB2 UDB supports a Type 2 JDBC driver. Several DB2 products include this driver. Installing the DB2 UDB server automatically installs the JDBC driver. To enable Tivoli Identity Manager to access a remote DB2 UDB server, install this DB2 runtime client, which also includes the JDBC driver.

Oracle database
  The Oracle database supports a Type 4 (Oracle thin) JDBC driver. No JDBC driver configuration is required when the Oracle database is on a remote computer. The Tivoli Identity Manager installation program requires the location of this JDBC driver. Before you install the Tivoli Identity Manager Server, obtain this JDBC driver (ojdbc14.jar) from your Oracle Database Server installation in the ORACLE_HOME/ora92/jdbc/lib/ directory. Alternatively, you can download the driver from this Web site: sqlj_jdbc/index.html

Microsoft SQL Server 2000 database
  The SQL Server 2000 database supports a Type 4 JDBC driver. No JDBC driver configuration is required when the SQL Server 2000 database is on a remote computer. The Tivoli Identity Manager package includes this driver and the installation program installs the driver automatically.

For more information on supported database server products, refer to the IBM Tivoli Identity Manager Release Notes.

Directory server products

Tivoli Identity Manager stores the current state of the managed identities in an LDAP directory, including user account and organizational data. For more information on supported directory server products, refer to the IBM Tivoli Identity Manager Release Notes.

HTTP server and WebSphere Web Server plug-in

An HTTP server, such as IBM HTTP Server, and a WebSphere Web Server plug-in enable access to the Tivoli Identity Manager Server. The WebSphere Web Server plug-in is a component that is installed onto an HTTP server. The WebSphere Web Server plug-in handles the assignment of tasks to specific cluster members, taking incoming requests and transporting them to the appropriate Web resource. The plug-in allows the Web server to communicate requests for dynamic content, such as servlets, to the WebSphere Application Server.

Configuration options

Before you install the Tivoli Identity Manager application, you must determine how to configure WebSphere Application Server, either in a single-server or a cluster configuration.

Single-server configurations

A single-server configuration includes the WebSphere Application Server base product and other required applications on one computer. You must ensure that the computer has the required memory, speed, and available disk space to meet the workload.

[Figure 2. Single-server configuration on one computer. Diagram labels: WebSphere Application Server, Tivoli Identity Manager Server, IBM HTTP Server, WebSphere Web Server plug-in, LDAP data store, Tivoli Identity Manager database, JDBC driver]

A single-server configuration requires the following components and products:
- WebSphere Application Server base product, which includes the WebSphere embedded messaging server and client
- Tivoli Identity Manager Server
- An HTTP server
- The WebSphere Web Server plug-in
- A directory server
- A database server
- A JDBC driver

Optionally, you can install the WebSphere Application Server base product and the Tivoli Identity Manager Server on one computer and install all other required applications on one or more additional computers, in a configuration similar to Figure 3.

[Figure 3. Single-server configuration on multiple computers. Diagram labels: IBM HTTP Server, WebSphere Web Server plug-in, WebSphere Application Server, Tivoli Identity Manager Server, JDBC driver, Tivoli Identity Manager database, LDAP data store]

In this configuration, the computer that has the Tivoli Identity Manager Server requires the following components and products:
- WebSphere Application Server base product, which includes the WebSphere embedded messaging server and client
- A JDBC driver

The following components and products run on additional computers:
- A database server
- A directory server
- An HTTP server
- A WebSphere Web Server plug-in

For tuning recommendations that place applications on separate computers, refer to the IBM Tivoli Identity Manager Performance Tuning Guide technical supplement. For more information on a single-server configuration, see Chapter 5, Installing Tivoli Identity Manager in a single-server configuration, on page 47.

Cluster configuration

A cluster configuration contains WebSphere Application Server nodes, which are logical groups of one or more application servers on a computer. Nodes reside within an administrative domain called a cell, which the deployment manager manages. A node agent manages all managed processes on the node by communicating with the deployment manager to coordinate and synchronize the configuration. The deployment manager is the administrative process that provides a centralized management view and control for all elements in the cell, including the management of clusters.

The Tivoli Identity Manager application assumes that these common features describe every cluster member:
- The operating system is the same. For example, all Tivoli Identity Manager cluster members run on the IBM AIX operating system. To avoid problems with secure communication and certificate configuration, do not use more than one operating system type within a Tivoli Identity Manager cluster.
- The ITIM_HOME directory is identical. For example, the ITIM_HOME directory on every cluster member that runs on the IBM AIX operating system is /usr/ibm/itim.

The Tivoli Identity Manager application does not support a vertical cluster configuration, which has more than one cluster member within a WebSphere Application Server node.

In a configuration such as Figure 4 on page 7, each computer shape represents one WebSphere node on one computer. The configuration specifies the deployment manager on one computer. The remaining applications are configured on additional computers. WebSphere Application Server also permits you to install both the WebSphere Application Server base product and the deployment manager on the same computer. You must ensure that the computer has the required memory, speed, and available space to meet the additional load.

The following describes the cluster configuration in Figure 4 on page 7:
- On the computer where you want to have the deployment manager, install the following components and products:
  - The deployment manager
  - The Tivoli Identity Manager Server
  - A JDBC driver
- A cluster member is an instance of a WebSphere Application Server in a cluster. On each cluster member, install the following components and products:
  - WebSphere Application Server base product, which includes the WebSphere embedded messaging server and client
  - Tivoli Identity Manager Server
  - A JDBC driver
- On one or more additional computers that are not in the cluster, install the following components and products:
  - A database server
  - A directory server
  - An HTTP server and the WebSphere Web Server plug-in

This is an example configuration only. An alternative topology might configure these components on computers that are all inside the cluster.

[Figure 4. Cluster configuration on multiple computers. Diagram labels: Tivoli Identity Manager cell; IBM HTTP Server and WebSphere Web Server plug-in; Tivoli Identity Manager cluster (WebSphere Application Server base, Tivoli Identity Manager Server, JDBC driver); Tivoli Identity Manager database; WebSphere Application Server Network Deployment and JDBC driver; LDAP data store.]

For more information on configuring clusters, see Creating a cluster configuration on page 36.

Overview of the installation

The installation has an extended sequence of activities that are illustrated in Figure 5 on page 8.

[Figure 5. Major steps in installation. Flowchart decision points: 1. Configuration known? (if not, specify configuration); 2. Operating system ready? (if not, update operating system); 3. Database ready? (if not, install and configure the database for Tivoli Identity Manager); 4. Directory server ready? (if not, install and configure the directory server); 5. WebSphere Application Server ready? (if not, install and configure WebSphere Application Server); then 6. Install Tivoli Identity Manager Server; 7. Configure database, LDAP, WebSphere Application Server; 8. Test Tivoli Identity Manager Server.]

The process varies depending on whether installation is for a single-server or cluster configuration. The major steps to install, configure, and test Tivoli Identity Manager are:

1. Determining the Tivoli Identity Manager Server topology. The information in this chapter describes the major configuration choices.

2. Ensuring that the operating system is at the level that Tivoli Identity Manager requires. For more information on software and hardware requirements, refer to the IBM Tivoli Identity Manager Release Notes.
3. Ensuring that the database server is installed and preconfigured. See Chapter 2, Installing and configuring a database, on page 11 for steps to prepare the database.
4. Ensuring that the directory server is installed and preconfigured. See Chapter 3, Installing and configuring a directory server, on page 25 for steps to prepare the directory server.
5. Determining that the WebSphere Application Server is ready. See Chapter 4, Installing and configuring WebSphere Application Server, on page 33 for steps to prepare the WebSphere Application Server in a single-server or cluster configuration.
6. Installing the Tivoli Identity Manager application on one of these configurations:
   - Single-server. For more information, see Chapter 5, Installing Tivoli Identity Manager in a single-server configuration, on page 47.
   - Cluster. For more information, see Chapter 6, Installing Tivoli Identity Manager in a cluster configuration, on page 61.
   For steps to upgrade an existing installation of Tivoli Identity Manager, see Appendix C, Upgrading from Tivoli Identity Manager Version to Version 4.6, on page
7. Configuring the database, the directory server, and the WebSphere Application Server for the Tivoli Identity Manager Server. For more information, see Chapter 7, Configuring the Tivoli Identity Manager Server, on page
8. Resolving problems that happened during installation and startup. For more information, see Chapter 8, Troubleshooting and verifying the installation, on page 93.

Planning activities for deployments at large sites

In large organizations, there are additional tasks that require planning before you deploy Tivoli Identity Manager. For more information, refer to the IBM Tivoli Identity Manager Planning for Deployment Guide.

To prevent initial deployment problems, consider providing a variation of the following planning activities that are appropriate for your site, in advance of installing Tivoli Identity Manager and also subsequent cumulative fixes:
- Establish a working practice that provides comprehensive and relevant Tivoli Identity Manager information to all of the specialists who install middleware. For example, have the team meet regularly to enumerate their problems and share their solutions.
- To ensure coordination, designate one person as a focal point for concerns that flow between your site and IBM customer support specialists.
- If possible, reduce the number of specialists who install and configure the applications.
- If specialists cannot be reduced in number, encourage communication flow between specialists:
  - Provide a comprehensive library or list of FTP or Web sites for prerequisite installation and configuration information.
  - Ensure that the specialist installing Tivoli Identity Manager has root or Administrator authority for the prerequisite middleware.

  - Ensure that all elements of the system or solution have sufficient privileges to provide accounts.
  - Support a centralized problem and solution database that identifies troubleshooting actions and assigns action owners.
  - Maintain a common library of scripts that automate start up.
  - Create a change control database that coordinates all customization activities.
  - Determine a working practice in which specialists provide a record of critical values in the worksheets similar to the ones that this publication provides. Ensure that all specialists have access to and use a common worksheet that centralizes the information.

For example, each installation chapter in this manual provides a checklist of prerequisites that must be installed, configured, and running before you begin installation. Additionally, Appendix B, Worksheets, on page 111 provides a centralized collection point for critical values such as user IDs, passwords, and security settings. The IBM Tivoli Identity Manager Release Notes specifies prerequisite levels and fix packs or patches.

Chapter 2. Installing and configuring a database

The Tivoli Identity Manager application stores transactional and historical data, including schedules, access control item definitions (ACIs), and audit data in a database. This chapter focuses on configuring a Tivoli Identity Manager database prior to Tivoli Identity Manager installation.

The supported releases and required fix packs for the supported databases are described in the IBM Tivoli Identity Manager Release Notes. The information in this chapter is not a substitute for the more extensive, prerequisite documentation that is provided by the database product. For more information that you are assumed to know, refer to these sources:
- IBM DB2 Universal Database
  (Information center)
  (Operating system prerequisites) winos2unix/support/8pubs.d2w/en_main
- Oracle
- Microsoft SQL Server

Before you install the database product

Before you install the database product, complete these steps:
- Read the installation information that the database product provides.
- Ensure that your installation meets the product hardware and software requirements.
- Ensure that all required operating system patches are in place.
- Ensure that kernel settings are correct for some operating systems, such as the Solaris operating system. Each database application specifies its own requirements, such as additional operating system values. Before installing the application, refer to its documentation for these additional settings. For example, these Web sites describe kernel settings that DB2 UDB requires:
  AIX      None required.
  Linux    topic/com.ibm.db2.udb.doc/start/t htm

  Solaris  topic/com.ibm.db2.udb.doc/start/t htm

Installing and configuring IBM DB2 Universal Database

This section describes installing and configuring IBM DB2 Universal Database (DB2 UDB). The configuration steps in this section create a new database for later use by the Tivoli Identity Manager Server installation program, which populates the database with data objects.

You can install DB2 UDB on the same computer with Tivoli Identity Manager or on a separate computer. If you install DB2 UDB on a separate computer, you must install a DB2 runtime client on the computer on which you install Tivoli Identity Manager. For more information, see Configuring the DB2 JDBC driver on page 16.

Tivoli Identity Manager requires DB2 UDB to run with a required level of the DB2 fix pack. For more information on installing DB2 UDB and any fix packs, refer to the IBM Tivoli Identity Manager Release Notes and also to documentation that the database product provides. For example, access these Web sites:

Recording user data and ensuring that installation succeeds

The DB2 UDB installation requires that you specify some system data, such as the DB2 administrator user ID and password. The installation wizard provides both status reports and an initial verification activity.

Recording user names and passwords on UNIX systems

Installing DB2 UDB creates the default DB2 instance. Table 1 shows the default values that are created. Record this information, which is required to configure the DB2 UDB database that Tivoli Identity Manager uses. For an example of the database tab that requires this information, see Figure 17 on page 83. For worksheets that describe database fields required for the Tivoli Identity Manager configuration, such as the database name, see Tivoli Identity Manager information for the database on page 111.

Table 1. Field values on UNIX systems

Fields on UNIX systems         Value
DB2 instance name (user ID)    db2inst1
DB2 instance password          A user-defined value
DB2 instance home directory    UNIX: /home/db2inst1
                               Solaris: /export/home/db2inst1

Recording user names and passwords on Windows systems

Installing DB2 UDB creates the default DB2 instance. Table 2 on page 13 shows the default values that are created.

Table 2. Field values on Windows systems

Fields on Windows systems    Value
DB2 instance name            DB2
Administrative user ID       db2admin
Password                     A user-defined value

Verifying the installation

The installation wizard provides a status report when the installation is complete. Additionally, run the DB2 First Steps operation to verify the installation is successful. To start the operation, complete these steps:

Windows
    Click Start > Programs > IBM DB2 > Set-up Tools > First Steps.
UNIX
    Enter this command:
    AIX:        /usr/opt/db2_08_01/db2fs
    Other UNIX: /opt/ibm/db2/v8.1/db2fs

Installing the required fix packs

If your version of DB2 UDB requires a fix pack, obtain and install the fixes that are available at these DB2 UDB support Web sites:

Verify that the correct fix pack is installed on both the database server and the database client computers.

On Windows, enter the db2level command:

    db2level

On UNIX systems, log on as the DB2 instance owner and enter the db2level command:

    su - DB2_instance_ID
    db2level

The value of DB2_instance_ID is the DB2 instance owner such as db2inst1.

For more information on these steps, refer to the IBM Tivoli Identity Manager Release Notes and also to documentation that the DB2 UDB fix pack provides.

Configuring the DB2 server

Configure the DB2 server before you install the Tivoli Identity Manager Server. The DB2 UDB settings described in this chapter are initial settings that might require runtime adjustment. For more information, refer to the IBM Tivoli Identity Manager Performance Tuning Guide technical supplement.

Configuring the DB2 server requires the following steps:
1. Creating a user on Windows and UNIX systems on page 14 or Creating a user on a Linux system on page 14

2. Creating the Tivoli Identity Manager database
3. Ensuring that TCP/IP communication is specified on page
4. AIX only: Setting EXTSHM for DB2 UDB connections on page 15

Creating a user on Windows and UNIX systems

Create an operating system user named enrole on the computer on which the DB2 server is installed. The Tivoli Identity Manager Server uses the user ID enrole to access the database. No special privileges are required for this user. Ensure that a password change is not required at the next logon and that the password never expires.

To create a user, follow these steps:
1. As root or as Administrator, start the system management tool for your operating system.
   - AIX: SMIT or SMITTY
   - Solaris: admintool
   - Windows: Click Start > Administrative Tools > Computer Management > Local Users and Groups > Users.
2. Add a new user enrole and set the user's password.
3. Exit the system management tool.
4. Test the user access. Ensure that you can log on with the user ID enrole without encountering a password reset.
5. Proceed to the next step, Creating the Tivoli Identity Manager database.

Creating a user on a Linux system

You can use the console command interface or the GUI utility to create a user on Linux. To create a user by using the console command interface on a Linux (Red Hat) operating system, enter the following command:

    adduser -d /home/enrole -p password enrole

The -d switch specifies the home directory. The entry enrole specifies the user ID that is created.

Proceed to the next step, Creating the Tivoli Identity Manager database.

Creating the Tivoli Identity Manager database

You can specify any name for the Tivoli Identity Manager database, such as itimdb. To create the Tivoli Identity Manager database, follow these steps:
1. Open a DB2 UDB command window.
   - UNIX: Log on as the DB2 instance owner and enter db2 to open a DB2 command window.
   - Windows: Click Start > Run, and enter db2cmd. When the DB2 command window opens, enter db2.
2. In the DB2 command window, enter these commands to create the database:

    create db itim_dbname using codeset UTF-8 territory US
    update db cfg for itim_dbname using applheapsz 2048
    update db cfg for itim_dbname using app_ctl_heap_sz 1024

   The value of itim_dbname is a name such as itimdb. For more information, refer to the IBM Tivoli Identity Manager Performance Tuning Guide technical supplement.
3. Stop and start the DB2 server to reset the configuration.

   After you have created the Tivoli Identity Manager database and reset the configuration, stop and start the DB2 server to allow the changes to take effect. Enter the following commands:

    db2stop
    db2start

   If entering db2stop fails and the database remains active, enter db2 force application all to inactivate the database. Enter db2stop again.

Ensuring that TCP/IP communication is specified

Installing DB2 UDB specifies TCP/IP communication by default. To confirm that TCP/IP communication is specified on the DB2 server and also on the DB2 client, follow these steps:
1. Enter the following command:

    db2set -all DB2COMM

2. If a tcpip entry is not in the list that was returned, enter the following command, including tcpip and any other values that were returned in the list that the command provided:

    db2set DB2COMM=tcpip,values_from_db2set_command

   For example, if the db2set -all DB2COMM command returned values such as npipe and ipxspx in the list, specify these values again when you enter the db2set command the second time:

    db2set DB2COMM=tcpip,npipe,ipxspx

If the operating system is AIX, proceed to the next step, AIX only: Setting EXTSHM for DB2 UDB connections. Otherwise, proceed to Configuring the DB2 JDBC driver on page 16.

AIX only: Setting EXTSHM for DB2 UDB connections

If the DB2 server is on the AIX operating system, ensure that you set the EXTSHM environment variable to ON. This action increases the number of shared memory segments to which a single process can be attached.

Tivoli Identity Manager processes might not be able to connect with DB2 UDB if DB2 UDB runs out of shared memory segments on the AIX operating system. The Tivoli Identity Manager log file contains the following error message:

    [IBM][CLI Driver] SQL1224N A database agent could not be started to service a request, or was terminated as a result of a database system shutdown or a force command. SQLSTATE=55032

The EXTSHM environment variable must be exported both in the shell where the client application is started and also in the shell where the database is started. A client application can be the WebSphere Application Server, the node agent, or the deployment manager. To export the EXTSHM environment variable, complete these steps:
1. On the shell where the WebSphere Application Server is started, set the environment variable EXTSHM by entering the following statement:

    export EXTSHM=ON

   Also add this statement to the etc/profile file of the root user from which the WebSphere Application Server is started.
2. On the shell where the database is started, such as a shell of db2inst1, enter the following commands to configure the EXTSHM environment variable:

    export EXTSHM=ON
    db2set DB2ENVLIST=EXTSHM

3. To ensure that the environment variable is always set, also add the following line to the DB_INSTANCE_HOME/SQLLIB/userprofile file:

    export EXTSHM=ON

Configuring the DB2 JDBC driver

In a single-server configuration, the DB2 server might be on a remote computer on which Tivoli Identity Manager Server is not installed. Alternatively, the DB2 server might be on the local computer, on which you install Tivoli Identity Manager Server. If the DB2 server is on a remote computer, you must install and configure the DB2 runtime client. You should also install the required fix pack.

In a cluster configuration, assuming that the DB2 server is on a remote computer, you must install and configure the DB2 runtime client and apply the required fix pack on these computers:
- The computer that has the deployment manager.
- Each cluster member on which you expect to install Tivoli Identity Manager Server.

Installing and configuring the DB2 runtime client

Complete these steps to install and configure the DB2 runtime client:
1. Install and configure the DB2 runtime client and the required fix pack.
2. Catalog the database. The catalog operation creates a database alias on the local DB2 client for the actual database on the DB2 server. An application running on the same system as the database client uses the database alias defined in the catalog to access the database. Complete the following steps:
   a. Open a DB2 UDB command window.
      - UNIX: Log on as the DB2 instance owner and enter db2 to open a DB2 command window.
      - Windows: Click Start > Run, and enter db2cmd. When the DB2 command window opens, enter db2.
   b. In the command window, enter this command on one line to define the communication protocol and the local node alias:

    catalog tcpip node local_db2node_alias remote db2server_hostname server service-name portnumber

      The parameters and variables include:
      node local_db2node_alias
          A local alias for the node to be cataloged. This is an arbitrary name on the user's workstation that is used to identify the node.
      remote db2server_hostname
          The host name or IP address of the node on which the target database resides.
      server service-name portnumber
          The service name or the port number of the DB2 server instance. The default value of the DB2 UDB port number is
          For more information, see Determining the correct service listening port and service name on page 18.
      Use TCP/IP as the communication protocol. Do not use other protocols such as named pipes or NetBIOS.
   c. Enter the following command on one line to define the local database alias:

    catalog database database_name as local_database_alias at node local_db2node_alias

      The parameters and variables include:
      database database_name
          The name of the database on a remote computer. The value of database_name is the value of itim_dbname, such as itimdb, that was specified when the database was created on the DB2 server.
      local_database_alias
          An arbitrary local alias for the remote database.
      node local_db2node_alias
          A local alias for the node. This is the local node alias that is set in the previous step 2b on page 16.
   d. To test that the cataloging command was successful, enter the following command:

    connect to itim_dbname user db_admin_name using db2_admin_pwd

      The value of itim_dbname is a name such as itimdb. The value of db_admin_name is db2inst1 on UNIX systems, and db2admin on Windows systems. If the connection is successful, information is returned that identifies a local database alias, such as itimdb.
      If the connection fails, complete these steps:
      1) Ensure that the connect command uses the correct values for the user ID and password.
      2) Ensure that the connect command uses the correct value for the database name.
      3) Ensure that the TCP/IP communication protocol is defined in DB2COMM. For more information, see Ensuring that TCP/IP communication is specified on page 15.
      4) Ensure that the correct database service name and listening port are used, and that the listening port is active. For more information, see Determining the correct service listening port and service name on page 18.

Enabling encrypted data transmission between the DB2 server and client

To specify the authentication type to use encrypted data for incoming connections at the database server, update the configuration of the srvcon_auth value to enable the DATA_ENCRYPT attribute. For example, type this command at a DB2 command window on the DB2 server:

    update database manager configuration using srvcon_auth data_encrypt

Additionally, to enable the DB2 client to send encrypted data to the DB2 server, type this command on one line at a DB2 command window on the DB2 client:

    catalog database database_name as local_database_alias at node local_db2node_alias authentication data_encrypt

For more information about these parameters, see Installing and configuring the DB2 runtime client on page 16.

JDBC drivers for a WebSphere Application Server on 64-bit operating systems

Although the WebSphere Application Server at Version 5.1 can run on 64-bit operating systems, the WebSphere Application Server requires a DB2 JDBC driver that is a 32-bit DB2 runtime client to connect to the DB2 database.
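The connection checks from the troubleshooting list above (tcpip in DB2COMM, the service name and its listening port) and the srvcon_auth setting can be evaluated together over captured command output. The script below is an added example, not IBM code: the function names are hypothetical, and the services, netstat -an and db2 get dbm cfg text is constructed sample data whose layout is an assumption.

```shell
#!/bin/sh
# Added example (not IBM code): offline checks over captured DB2 UDB output.
# All sample data below is constructed for illustration.

# db2comm_with_tcpip VALUE
# VALUE is the comma-separated protocol list currently held in DB2COMM.
# Prints the list to pass to `db2set DB2COMM=...`: unchanged when tcpip is
# already present, otherwise tcpip followed by every existing protocol.
db2comm_with_tcpip() {
    current=$(printf '%s' "$1" | tr -d ' ')
    lower=$(printf '%s' "$current" | tr 'A-Z' 'a-z')
    case ",$lower," in
        *,tcpip,*) printf '%s\n' "$current" ;;
        ,,)        printf 'tcpip\n' ;;
        *)         printf 'tcpip,%s\n' "$current" ;;
    esac
}

# services_port NAME FILE
# Prints the TCP port mapped to service NAME in a services-format FILE and
# returns non-zero when the name has no tcp entry.
services_port() {
    port=$(awk -v svc="$1" '
        { sub(/#.*/, "") }                       # ignore comments
        $1 == svc && $2 ~ /^[0-9]+\/tcp$/ { sub(/\/tcp$/, "", $2); print $2; exit }
    ' "$2")
    [ -n "$port" ] && printf '%s\n' "$port"
}

# port_listening PORT FILE
# Succeeds when captured `netstat -an` output in FILE shows a TCP socket in a
# LISTEN state whose local address ends in PORT. The local address is taken
# from column 4 (Linux, AIX layout) or column 2 (Windows layout).
port_listening() {
    awk -v port="$1" '
        BEGIN { re = "[.:]" port "$" }
        $1 ~ /^[Tt][Cc][Pp]/ && /LISTEN/ && ($2 ~ re || $4 ~ re) { found = 1 }
        END { exit !found }
    ' "$2"
}

# srvcon_auth FILE
# Prints the SRVCON_AUTH value from captured `db2 get dbm cfg` output.
srvcon_auth() {
    awk -F= '/\(SRVCON_AUTH\)/ { gsub(/[ \t\r]/, "", $2); print $2; exit }' "$1"
}

# db2_link_findings NAME SERVICES NETSTAT DBMCFG DB2COMM
# Prints one line per problem found and nothing when every check passes.
db2_link_findings() {
    case ",$(printf '%s' "$5" | tr 'A-Z' 'a-z')," in
        *,tcpip,*) ;;
        *) echo "DB2COMM lacks tcpip; set DB2COMM=$(db2comm_with_tcpip "$5")" ;;
    esac
    if p=$(services_port "$1" "$2"); then
        port_listening "$p" "$3" || echo "nothing is listening on $1 ($p/tcp)"
    else
        echo "service $1 has no tcp entry in the services file"
    fi
    auth=$(srvcon_auth "$4")
    [ "$auth" = "DATA_ENCRYPT" ] || echo "srvcon_auth is ${auth:-unset}, not DATA_ENCRYPT"
}

# --- constructed sample captures -------------------------------------------
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
cat > "$SAMPLES/services" <<'EOF'
# constructed excerpt of a services file
ssh             22/tcp
db2cdb2inst1    50000/tcp    # DB2 connection service
EOF
cat > "$SAMPLES/netstat" <<'EOF'
tcp        0      0 0.0.0.0:22        0.0.0.0:*         LISTEN
tcp        0      0 0.0.0.0:50000     0.0.0.0:*         LISTEN
tcp        0      0 10.0.0.5:50000    10.0.0.9:41822    ESTABLISHED
EOF
cat > "$SAMPLES/dbmcfg" <<'EOF'
 Server Connection Authentication          (SRVCON_AUTH) = NOT_SPECIFIED
 TCP/IP Service name                          (SVCENAME) = db2cdb2inst1
EOF

# A server that still offers only npipe and ipxspx and has no encryption set.
db2_link_findings db2cdb2inst1 "$SAMPLES/services" "$SAMPLES/netstat" \
    "$SAMPLES/dbmcfg" "npipe,ipxspx"
```

On a real system, replace the sample files with the saved output of the commands named in the comments; an empty result means all four checks passed.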

If you install the 64-bit DB2 server on a 64-bit operating system on which the Tivoli Identity Manager Server and the WebSphere Application Server will also be installed, you should not install the 64-bit DB2 runtime client. You should complete these steps when you install the DB2 server:
1. Choose the Custom option.
2. Exclude the 64-bit runtime client.
3. After the server is installed, install the DB2 JDBC driver that is a 32-bit DB2 runtime client.

If the 64-bit runtime client is already installed, do one of the following:
- Remove the 64-bit runtime client and then install the DB2 JDBC driver that is a 32-bit DB2 runtime client.
- Alternatively, create a 32-bit DB2 instance and catalog a connection to the 64-bit instance that is either local or remote. Then, use the Tivoli Identity Manager installation program to point the JDBC provider in the WebSphere Application Server to the 32-bit instance. To create the 32-bit DB2 instance, enter the following command:
  Command line:
  - Windows: \sqllib\bin\db2icrt
  - UNIX: DB_INSTANCE_HOME/instance/db2icrt -w WordWidth instancename
  The value of the -w WordWidth parameter specifies the bit level that is used, such as 32-bit. The value of instancename is a DB2 instance such as db2inst2. For example, type this command:

    db2icrt -w 32 db2inst2

  Graphical user interface:
    DB_INSTANCE_HOME/instance/db2isetup

Determining the correct service listening port and service name

Creating the DB2 UDB instance creates the service listening port number and the database service name. The default service listening port number is
The service name has this default value:
- Windows: db2c_db2
- UNIX: db2cdb2inst1

When you catalog the local DB2 node alias, which is step 2b on page 16, you must define either the service listening port number or the default service name. To determine whether the correct service name or service listening port is defined, complete these steps:
1. Locate the statement that is similar to the following example, which specifies the current port number in the services file on the computer on which the DB2 server resides:
   Windows
       DB2 UDB Version 8.1: db2c_db /tcp
       DB2 UDB Version 8.2: db2cdb2: 50000/tcp
   UNIX
       DB2 UDB Version 8.1: db2inst1: 50000/tcp
       DB2 UDB Version 8.2: db2c_db2: 50000/tcp
   The services file has the following path:
   - Windows: %SYSTEMROOT%\system32\drivers\etc\services
   - UNIX: /etc/services
2. If the services file does not contain the DB2 instance service name and port number, complete these steps:
   a. Edit the appropriate services file for your operating system and add a DB2 service name and number:
      - Windows: db2c_db /tcp
      - UNIX: db2inst1: 50000/tcp
      The default value of the DB2 UDB port number is
   b. Configure DB2 UDB to use the service name. Use the following command:

    db2 update dbm cfg using svcename service_name port_number

      Provide the value of either service_name or port_number. The value of service_name matches the new service name that you created in step 2a.
   c. Stop and start the DB2 service to enable the port number to take effect. Use the following commands:

    db2stop
    db2start

   d. Verify the service names and ports are successfully updated by checking that DB2 UDB is now listening on the new port. Enter this command:

    netstat -an

      In the listing, you should see the port that you specified, such as 50000, is open for listening. For more information, refer to documentation that the DB2 UDB product provides. Use these parameters:
      -a  Show both listening and non-listening sockets.
      -n  Show numerical addresses rather than symbolic host, port or user names.

Tuning performance

Performance issues can occur after you initially configure DB2 UDB. For example, loading a large number of users can encounter performance issues. You may see this message:

    Not enough storage available for processing the sql statements.

To provide additional storage space, change the DB2 UDB application heap size to a larger value. For recommendations and examples of setting DB2 UDB heap sizes and other performance-sensitive parameters, refer to the IBM Tivoli Identity Manager Performance Tuning Guide technical supplement.

Installing and configuring the Oracle database

This section describes installing and configuring the Oracle database for Tivoli Identity Manager. In all cases, refer to the installation and migration guides that the Oracle Corporation provides for complete information. For more information, refer to these Web sites:

Before you create a database

This section describes steps to complete before you create an Oracle database for Tivoli Identity Manager. Complete these steps:
- Installing the Oracle database server
- Configuring the init.ora file
- Setting environment variables on page 21
- Backing up an existing database on page 21
- Installing the JDBC driver on page 21

Installing the Oracle database server

You might install the Oracle database server on the same computer or on a computer that is separate from Tivoli Identity Manager. For more information on installing the Oracle database server, refer to documentation available at this Web site:

Note: If you manually create the Oracle database for Tivoli Identity Manager, you must manually install the JVM feature, or any transactions from Tivoli Identity Manager will subsequently fail. Using the Oracle Database Configuration Assistant wizard installs the JVM feature by default.

Configuring the init.ora file

You must configure the init.ora file for the Tivoli Identity Manager database. Complete these steps:
1. Copy the init.ora file.
   Windows
   a. Under the ORACLE_HOME\admin\ directory, create a directory named db_name\pfile. The value of db_name might be itimdb.
   b. Copy the sample init.ora file from the ORACLE_HOME\ora92\dbs\sample\pfile\ directory to the ORACLE_HOME\admin\db_name\pfile directory.
   c. Rename the new init.ora file to a value of initdb_name.ora.
   UNIX
   Copy the ORACLE_HOME/dbs/init.ora file to a new ORACLE_HOME/dbs/initdb_name.ora file.
2. Based on your environment requirements, tune the value of the following parameters in the initdb_name.ora file:

    compatible=
    db_name=itimdb
    processes=150
    java_pool_size=32m
    shared_pool_size=50m

   Additionally, define three control files for the Tivoli Identity Manager database. This example statement defines the control files:

    control_files=("/u01/app/oracle/oradata/db_name/control01.ctl",
                   "/u01/app/oracle/oradata/db_name/control02.ctl",
                   "/u01/app/oracle/oradata/db_name/control03.ctl")

3. Manually create all the directories defined in the initdb_name.ora file.
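For step 3, the directories can be derived from the control_files statement instead of being retyped. The script below is an added example, not IBM or Oracle code: the function names are hypothetical, the parameter file is constructed (its third control file on /u02 is only there to show two directories), and the 750 directory mode is an assumption to adjust to your site's policy.

```shell
#!/bin/sh
# Added example (not IBM or Oracle code). The parameter file is constructed.

# pfile_control_files FILE
# Prints each double-quoted path of the control_files statement, one per
# line. The statement may be on one line or span several lines inside (...).
pfile_control_files() {
    awk '
        { sub(/#.*/, "") }                                   # ignore comments
        tolower($0) ~ /^[ \t]*control_files[ \t]*=/ {
            collecting = 1
            multi = ($0 ~ /\(/)                              # parenthesised list?
        }
        collecting {
            line = $0
            while (match(line, /"[^"]+"/)) {
                print substr(line, RSTART + 1, RLENGTH - 2)
                line = substr(line, RSTART + RLENGTH)
            }
            if (!multi || $0 ~ /\)/) collecting = 0          # statement ended
        }
    ' "$1"
}

# pfile_dirs FILE
# Prints the unique parent directories of the control files.
pfile_dirs() {
    pfile_control_files "$1" | while IFS= read -r path; do
        dirname "$path"
    done | sort -u
}

# create_pfile_dirs FILE ROOT
# Creates each directory below ROOT (pass "" for ROOT on the real host) and
# restricts it to owner and group. Mode 750 is this example's assumption.
create_pfile_dirs() {
    pfile_dirs "$1" | while IFS= read -r dir; do
        mkdir -p "$2$dir" && chmod 750 "$2$dir"
    done
}

# --- constructed sample parameter file -------------------------------------
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
cat > "$DEMO/inititimdb.ora" <<'EOF'
db_name=itimdb
processes=150
java_pool_size=32m
shared_pool_size=50m
control_files=("/u01/app/oracle/oradata/itimdb/control01.ctl",
               "/u01/app/oracle/oradata/itimdb/control02.ctl",
               "/u02/app/oracle/oradata/itimdb/control03.ctl")
EOF

# Dry run into a scratch root so the example does not touch /u01 or /u02.
create_pfile_dirs "$DEMO/inititimdb.ora" "$DEMO/root"
pfile_dirs "$DEMO/inititimdb.ora"
```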

Setting environment variables

Set the environment variables for Oracle by editing the .profile file. Required environment variables include ORACLE_SID and ORACLE_HOME, and also include the library path, and the system path.

Source the profile on UNIX operating systems, which updates the environment variables in the current session, to ensure that Tivoli Identity Manager can communicate with the database. To source the profile, enter the following command:

    # . /.profile

For more information, refer to the Oracle Web site.

Backing up an existing database

Perform a full backup of any existing database, and review the preliminary steps that the documentation from the Oracle Corporation provides for upgrading an Oracle database, before you begin to install the Oracle product or upgrade an existing database. For Web sites that provide this information, see Installing the Oracle database server on page 20.

Installing the JDBC driver

Copy the Oracle JDBC driver from the Oracle server directory into a directory on the computer on which Tivoli Identity Manager will later be installed. The Tivoli Identity Manager installation program prompts for the directory containing the JDBC driver. In a cluster configuration, the JDBC driver is required on the computer that has the deployment manager and also on each Tivoli Identity Manager cluster member computer.

At Oracle database Version 9i, the Oracle JDBC driver (the ojdbc14.jar file) is located in the ORACLE_HOME/ora92/jdbc/lib/ directory.

Creating the Tivoli Identity Manager database

Skip this step if you use the Oracle Database Configuration Assistant wizard, which creates the Tivoli Identity Manager database. Manually create a Tivoli Identity Manager database using these steps:
1. Create and start the database instance using these steps:
   Windows
   a. Create the instance with this command on one line:

    # oradim -new -sid db_name -pfile ORACLE_HOME\admin\db_name\pfile\initdb_name.ora

      The value of the -sid parameter specifies the database instance name. For example, the value of db_name might be itimdb. The value of the -pfile parameter specifies the file that you previously configured in Configuring the init.ora file on page 20.
   b. Start the database instance with these commands:

    # sqlplus "/ as sysdba"
    SQL> startup nomount pfile=oracle_home\admin\db_name\pfile\initdb_name.ora

   c. Verify that the Windows service OracleServicedb_name is started.
   UNIX
   Start the database instance with these commands:

    # sqlplus "/ as sysdba"
    SQL> startup nomount pfile=ORACLE_HOME/dbs/initdb_name.ora

2. Use an SQL script similar to the following example to create your database. Change the values in the script to match any requirements at your site. In this example, the value of the db_name is an instance name such as itimdb.

       -- Create database
       CREATE DATABASE db_name
         CONTROLFILE REUSE
         LOGFILE '/u01/oracle/db_name/redo01.log' SIZE 1M REUSE,
                 '/u01/oracle/db_name/redo02.log' SIZE 1M REUSE,
                 '/u01/oracle/db_name/redo03.log' SIZE 1M REUSE,
                 '/u01/oracle/db_name/redo04.log' SIZE 1M REUSE
         DATAFILE '/u01/oracle/db_name/system01.dbf' SIZE 10M REUSE
           AUTOEXTEND ON NEXT 10M MAXSIZE 200M
         CHARACTER SET UTF8;

       -- Create another (temporary) system tablespace
       CREATE ROLLBACK SEGMENT rb_temp STORAGE (INITIAL 100K NEXT 250K);

       -- Alter temporary system tablespace online before proceeding
       ALTER ROLLBACK SEGMENT rb_temp ONLINE;

       -- Create additional tablespaces
       -- RBS: For rollback segments
       -- USERs: Create user sets this as the default tablespace
       -- TEMP: Create user sets this as the temporary tablespace
       CREATE TABLESPACE rbs
         DATAFILE '/u01/oracle/db_name/db_name.dbf' SIZE 5M REUSE
         AUTOEXTEND ON NEXT 5M MAXSIZE 150M;
       CREATE TABLESPACE users
         DATAFILE '/u01/oracle/db_name/users01.dbf' SIZE 3M REUSE
         AUTOEXTEND ON NEXT 5M MAXSIZE 150M;
       CREATE TABLESPACE temp
         DATAFILE '/u01/oracle/db_name/temp01.dbf' SIZE 2M REUSE
         AUTOEXTEND ON NEXT 5M MAXSIZE 150M;

       -- Create rollback segments.
       CREATE ROLLBACK SEGMENT rb1 STORAGE(INITIAL 50K NEXT 250K) tablespace rbs;
       CREATE ROLLBACK SEGMENT rb2 STORAGE(INITIAL 50K NEXT 250K) tablespace rbs;
       CREATE ROLLBACK SEGMENT rb3 STORAGE(INITIAL 50K NEXT 250K) tablespace rbs;
       CREATE ROLLBACK SEGMENT rb4 STORAGE(INITIAL 50K NEXT 250K) tablespace rbs;

       -- Bring new rollback segments online and drop the temporary system one
       ALTER ROLLBACK SEGMENT rb1 ONLINE;
       ALTER ROLLBACK SEGMENT rb2 ONLINE;
       ALTER ROLLBACK SEGMENT rb3 ONLINE;
       ALTER ROLLBACK SEGMENT rb4 ONLINE;
       ALTER ROLLBACK SEGMENT rb_temp OFFLINE;
       DROP ROLLBACK SEGMENT rb_temp;

3. Install the JVM for the database. Use these commands:

       # sqlplus "/ as sysdba"
       SQL>
       SQL>
       SQL>
       SQL>
       SQL> connect system/manager

   The value of the manager parameter is the password for the system user account.

Starting the Oracle product and the listener service

To start the Oracle database, complete these steps:

Windows
Use the Services menu to start the Oracle database service called OracleServicedb_name.

UNIX
Enter these commands:

    # su - oracle
    # sqlplus "/ as sysdba"
    SQL> startup

To start the Oracle listener service, complete these steps:

Windows
Use the Services menu to start the Oracle TNS listener named OracleOraHome92TNSListener. If the Oracle listener service is idle, start the listener.

UNIX

    # su - oracle
    # lsnrctl start

To ensure that Oracle processes are started, enter this command:

    ps -ef | grep ora

The ps (process) command searches for processes. The grep command selects the processes that contain a string. The parameters in this example include:

    -e   Select all processes.
    -f   Display a full listing.

To ensure that the listener is running, enter this command:

    # lsnrctl status

Installing and configuring SQL Server 2000 on the Windows operating system

This section describes installing and configuring SQL Server 2000 on the Windows operating system. Complete these steps:

- Preparing to install SQL Server 2000
- Installing SQL Server 2000
- Configuring SQL Server 2000 on page 24

Preparing to install SQL Server 2000

Complete the following procedures prior to installing SQL Server 2000 on a Windows system:

1. Obtain the latest SQL Server 2000 service pack.
2. Log in to the Windows system with an Administrator account before launching the SQL Server 2000 installation.

Installing SQL Server 2000

You might install SQL Server 2000 on the same computer or on a computer that is separate from Tivoli Identity Manager. After installing SQL Server 2000, install the latest SQL Server 2000 service pack. For more information on installing SQL Server 2000, refer to documentation available at these Web sites:

Configuring SQL Server 2000

You must complete several post-installation tasks to configure SQL Server 2000 for Tivoli Identity Manager:

1. Launch the MS SQL Server Enterprise Manager.
2. Navigate the tree, clicking the Databases node.
3. Click Tools and use the menu to open SQL server configuration properties.
4. On the SQL server configuration properties window, click the Security tab. Ensure that SQL Server and Windows authentication (mixed-mode authentication) is enabled.
5. Create a new database using a name such as itimdb.
6. For both data files and also for the transaction log, enter the following values for the database that you create:
   - Initial file size: 20 MB
   - Automatically grow the file.
   - Allow unrestricted file growth.

Chapter 3. Installing and configuring a directory server

Tivoli Identity Manager stores user account and organizational data (but not data for schedules, ACI definitions, and audit data) in a directory server. This chapter focuses on configuring the directory server for use by Tivoli Identity Manager. The supported combinations of directory servers and required fix packs are described in the IBM Tivoli Identity Manager Release Notes.

The information in this chapter is not a substitute for the more extensive, prerequisite documentation that is provided by the directory server product itself. For more information that you are assumed to know, refer to these sources:

IBM Tivoli Directory Server
    Hardware and software requirements, and documentation
        Version 5.2: en_us/html/ldapinst.htm
        Version 6.0: toc=/com.ibm.ibmds.doc/toc.xml
    Fixes
        IBMDirectoryServer.html
Sun ONE Directory Server
    Usage and maintenance
    Documentation

Before you install the directory server product

Before you install the directory server product, complete these steps:

- Read the installation guide that the directory server product provides.
- Ensure that your installation meets the directory server hardware and software requirements.

Installing and configuring IBM Tivoli Directory Server

This section describes installing and configuring the IBM Tivoli Directory Server.

Installing IBM Tivoli Directory Server

You can install the IBM Tivoli Directory Server on the same computer with Tivoli Identity Manager or on a separate computer. The IBM Tivoli Directory Server uses DB2 Universal Database as a data store. If DB2 UDB is not already installed, installing the IBM Tivoli Directory Server can also install an instance of DB2 UDB on the same computer. If you install both the IBM Tivoli Directory Server and the DB2 server that the Tivoli Identity Manager Server uses on the same computer, install the DB2 server before you install the IBM Tivoli Directory Server. For information on installing the directory server, refer to documentation that the directory server product provides. For example, access this Web site: IBMDirectoryServer.html

Installing the required fix packs

If your version of the IBM Tivoli Directory Server requires a fix pack, obtain and install the fixes. For more information, refer to these support Web sites:

    Version 5.2: en_us/html/ldapinst.htm
    Version 6.0: toc=/com.ibm.ibmds.doc/toc.xml

Verify that the correct fix pack is installed on the IBM Tivoli Directory Server. Open a fix pack file such as PF520-operatingsystem-0x.txt. For example:

    Windows: FP520W-01.txt
    Solaris: FP520OS-01.txt

Search for a text description similar to IBM Directory Release: aus52ldap Build: a. The file is in this directory:

    Windows          LDAP_HOME\bin
    AIX and Linux    usr/ldap/bin
    Solaris          opt/ibmldapc/bin

For more information on these steps, refer to the IBM Tivoli Identity Manager Release Notes and also to the documentation that the IBM Tivoli Directory Server fix pack provides.

Setting up the IBM Tivoli Directory Server

Setting up the IBM Tivoli Directory Server requires creating the LDAP suffix for your organization before you install the Tivoli Identity Manager Server. Setting up the IBM Tivoli Directory Server also requires configuring the Tivoli Identity Manager referential integrity file. An LDAP suffix, also known as a naming context, is a distinguished name (DN) that identifies the top entry in a locally-held directory hierarchy.

Creating the LDAP suffix object

Create the LDAP suffix for Tivoli Identity Manager using the command line interface as follows:

1. Identify the directory server process or service, stop the directory server, create the suffix, and restart the directory server.
   a. Identify the directory server process or service.
      UNIX: grep for the process ID ibmslapd.
      Windows: Click Start > Administrative Tools > Services. Scroll the list of services to locate the IBM Tivoli Directory Server.

   b. Check the status of the directory server process or service. For example, type:

          ibmdirctl -D admindn -w adminpw -h hostname -p port status

      The value of admindn (required) binds to the LDAP directory. The admindn parameter is a string-represented distinguished name. The value of adminpw (required) is the administrator password. The values of hostname (optional) and port (optional) are the host name and port of the computer on which the directory server and the administration daemon are running.
   c. If the server is running, stop the server.
      UNIX: End the ibmslapd process using the ibmdirctl command that the administration daemon control program provides. For example, type:

          ibmdirctl -D admindn -w adminpw -h hostname -p port stop

      The value of admindn (required) binds to the LDAP directory. The admindn parameter is a string-represented distinguished name. The value of adminpw (required) is the administrator password. The values of hostname (optional) and port (optional) are the host name and port of the computer on which the directory server and the administration daemon are running.
      Windows:
      1) Click Start > Administrative Tools > Services.
      2) Right click the IBM Tivoli Directory Server item in the list of services and click Stop.
      Alternatively, use the ibmdirctl command that the administration daemon control program provides. For example, type:

          ibmdirctl -D admindn -w adminpw -h hostname -p port stop

      The value of admindn (required) binds to the LDAP directory. The admindn parameter is a string-represented distinguished name. The value of adminpw (required) is the administrator password. The values of hostname (optional) and port (optional) are the host name and port of the computer on which the directory server and the administration daemon are running.
   d. Create the suffix.
      For IBM Tivoli Directory Server Version 5.2, enter this command:

          ldapcfg -s "itim_suffix"

      The -s parameter specifies the suffix. The itim_suffix variable is a value such as dc=com.
      For IBM Tivoli Directory Server Version 6.0, enter this command:

          idscfgsuf -I instancename -s itim_suffix

      The -I parameter specifies the directory server instance. For more information on a value for instancename, see Definitions for HOME and other directory variables on page xii.
   e. Start the server.
      UNIX: Start the ibmslapd process using the ibmdirctl command that the administration daemon control program provides. For example, type:

          ibmdirctl -D admindn -w adminpw -h hostname -p port start

      The value of admindn (required) binds to the LDAP directory. The admindn parameter is a string-represented distinguished name. The value of adminpw (required) is the administrator password. The values of hostname (optional) and port (optional) are the host name and port of the computer on which the directory server and the administration daemon are running.

      Windows:
      1) Click Start > Administrative Tools > Services.
      2) Right click the IBM Tivoli Directory Server item in the list of services and click Start.
2. To add the LDAP suffix as a domain object, first create an LDAP Data Interchange Format (LDIF) file, such as suffix.ldif, that has the following statements. In this example, dc=com is the value that is specified for the Tivoli Identity Manager suffix.

       dn:dc=com
       dc:com
       objectclass:top
       objectclass:domain
       #one blank line must end this file, or the ldapadd command will not run

3. Use the ldapadd command to add the domain object. For example, complete these steps:
   a. Change to the LDAP_HOME/bin directory.
   b. Enter the following command on one line:

          ldapadd -h ldaphost -D ldap_admin -w ldap_admin_pwd -f full_pathsuffix.ldif

      For example:

          ldapadd -h localhost -D cn=root -w secret -f suffix.ldif

      This example uses the following parameters:

          -h   Specifies an alternate host on which the LDAP server is running.
          -D   Uses the distinguished name to bind to the LDAP directory.
          -w   Uses the password for simple authentication.
          -f   Reads the entry modification from a file.

Verifying successful suffix object configuration

To verify the suffix object configuration in this example, enter this command:

    ldapsearch -h localhost -b dc=com "(objectclass=domain)"

The options are:

    -h   Specifies an alternate host on which the LDAP server is running.
    -b   Specifies the search base of the initial search, instead of the default.

The output should confirm that you have configured permissions for dc=com and initialized the suffix with data.

    dc=com
    objectclass=domain
    objectclass=top
    dc=com

Configuring the referential integrity plug-in on the IBM Tivoli Directory Server

The referential integrity plug-in for the Tivoli Identity Manager application on the IBM Tivoli Directory Server helps maintain consistency in references to objects that are deleted from the directory. Use the following steps to configure the referential integrity plug-in on the IBM Tivoli Directory Server:

1. Assuming that you stopped the IBM Tivoli Directory Server, copy the referential integrity plug-in file from the Tivoli Identity Manager product CD to the following directory in the default installation directory for IBM Tivoli Directory Server:

   Windows:
       Version 5.2: LDAP_HOME\bin. For example, copy the file to the C:\IBM\LDAP\bin directory.
       Version 6.0: LDAP_HOME\lib. For example, copy the file to the C:\IBM\LDAP\lib directory.
   UNIX:
       Version 5.2 and 6.0: LDAP_HOME/lib. For example, copy the file to the usr/ibm/ldap/lib directory. On an AIX 64-bit system using a 64-bit DB2 instance, use the LDAP_HOME/lib64 directory if the full library path name is not specified in the ibmslapd.conf file.

   The referential integrity plug-in file names are:

       AIX:      libdelref.a
       Solaris:  libdelref.so
       Windows:  libdelref.dll
       Linux:    libdelref.so

   On UNIX systems, ensure that the file permission on the referential integrity plug-in file is set to -r-xr-xr-x.

2. Copy the new Tivoli Identity Manager configuration file named timdelref.conf from the ITIM_HOME/config/ldap/ibm directory on the version 4.6 Tivoli Identity Manager Server or from the Tivoli Identity Manager product CD to the etc directory on the IBM Tivoli Directory Server, replacing the previous configuration file:

       Version 5.2: LDAP_HOME/etc
       Version 6.0: IDS_instance_HOME/etc

3. Edit the ibmslapd.conf configuration file for IBM Tivoli Directory Server. The file location varies depending on the IBM Tivoli Directory Server version:

   UNIX:
       Version 5.2: LDAP_HOME/etc. For example, locate the file in the usr/ibm/ldap/etc directory.
       Version 6.0: IDS_instance_HOME/etc. For example, locate the file in the /home/instance_owner_name/etc directory.
   Windows:
       Version 5.2: LDAP_HOME\etc. For example, locate the file in the C:\IBM\LDAP\etc directory.
       Version 6.0: IDS_instance_HOME\etc. For example, locate the file in the C:\idsslapd-ldapdb2\etc directory.

4. In the configuration file, specify the referential integrity file for Tivoli Identity Manager:
   a. Locate the following line:

          ibm-slapdplugin: database path_to_rdbmfilename rdbm_backend_init

      The path_to_rdbmfilename variable is one of the following files:

          AIX:                  /lib/libback-rdbm.a
          UNIX other than AIX:  /lib/libback-rdbm.so
          Windows:              /lib/libback-rdbm.dll

      The Windows path is specified with a forward slash.
   b. Add the following line, all on one line, directly after the previous line:

      UNIX:
          Version 5.2
          ibm-slapdplugin: preoperation LDAP_HOME/lib/lib_filename DeleteReferenceInit file=LDAP_HOME/etc/timdelref.conf dn=itim_suffix
          Version 6.0
          ibm-slapdplugin: preoperation LDAP_HOME/lib/lib_filename DeleteReferenceInit file=IDS_instance_HOME/etc/timdelref.conf dn=itim_suffix
      Windows:
          Version 5.2
          ibm-slapdplugin: preoperation "LDAP_HOME/bin/lib_filename" DeleteReferenceInit file="LDAP_HOME\etc\timdelref.conf" dn=itim_suffix
          Version 6.0
          ibm-slapdplugin: preoperation "LDAP_HOME/lib/lib_filename" DeleteReferenceInit file="IDS_instance_HOME\etc\timdelref.conf" dn=itim_suffix

      Notes:
      1) The LDAP_HOME variable is the default installation directory for the IBM Tivoli Directory Server. The lib_filename variable is the name of the referential integrity plug-in file, as identified in step 1 on page 29.
      2) The itim_suffix variable is a value such as dc=com.
      3) On the Windows operating system, to specify the path to the libdelref.dll and the timdelref.conf files, ensure that you enclose the value of lib_filename in double quote marks. Additionally, specify the path to the libdelref.dll file with a forward slash.

5. Save the changes that you made to the configuration file.
6. Start the IBM Tivoli Directory Server.
7. Determine whether the referential integrity plug-in is reconfigured and loaded appropriately. Locate the IBM Tivoli Directory Server log file for the configuration.

   UNIX:
       Version 5.2: LDAP_HOME/var/ibmslapd.log. On AIX, for example, the file is in the usr/ibm/ldap/var directory.
       Version 6.0: IDS_instance_HOME/etc/ibmslapd.log. On AIX, for example, the file is in the usr/idsslapd-ldapdb2/etc directory.
   Windows:
       Version 5.2: LDAP_HOME\var\ibmslapd.log. For example, the file is in the C:\IBM\LDAP\var directory.
       Version 6.0: IDS_instance_HOME\logs\ibmslapd.log. For example, the file is in the C:\idsslapd-ldapdb2\logs directory.

   You should see a message similar to the following information:

       Plugin of type PREOPERATION is successfully loaded from /usr/ldap/lib/libdelref.a

   If you repeat this operation, more than one message occurs in the log file. Examine the timestamp on the most recent message in the file. If the operation does not succeed, ensure that the referential integrity plug-in file is in the target directory.

Preventing connection problems with multiple LDAP sessions

Each instance of the Tivoli Identity Manager Server allocates a number of LDAP sessions to form a connection pool at startup. The default minimum number of sessions is 50. In a Tivoli Identity Manager cluster that has more than one cluster member, starting the cluster can require more than 100 LDAP connections.

On the Windows operating system, the IBM Tivoli Directory Server supports a default of 64 concurrent connections. Connection attempts beyond 64 connections result in failed logons to the Tivoli Identity Manager Server and a Directory Server not available error message similar to this example:

    Connection pool exceeded: directory server not available

To prevent connection problems, define the value of SLAPD_OCHANDLERS to increase the available connections. Complete these steps:

1. Locate the following stanza in the ibmslapd.conf file:

       dn: cn=Front End, cn=Configuration

2. Add the following line to this stanza:

       ibm-slapdsetenv: SLAPD_OCHANDLERS=number-of-threads

   One thread supports 64 connections. If there are multiple instances of the Tivoli Identity Manager Server, increase this value. If there are two instances of the server, each requiring a minimum of 50 simultaneous LDAP connections, specify a value of 2 or larger. For example, add this line to the stanza:

       ibm-slapdsetenv: SLAPD_OCHANDLERS=4

3. Save the changes that you made to the configuration file.
4. Restart the IBM Tivoli Directory Server so that the changes take effect.

Avoiding port conflicts

IBM Tivoli Directory Server might install the WebSphere Application Server Express, which can cause potential port conflicts. If another WebSphere Application Server is on the same computer, resolve any port conflicts with WebSphere Application Server Express before you run the other server. For more information, see Resolving port conflicts on page 40.

Installing and configuring Sun ONE Directory Server

This section describes installing and configuring Sun ONE Directory Server.

Installing the Sun ONE Directory Server

For the instructions and more information on installing the Sun ONE Directory Server, refer to documentation available at these Web sites:

Configuring the Sun ONE Directory Server

To configure the Sun ONE Directory Server, complete these steps:

1. Start and log on to the Sun ONE Directory Server administrative console. For example, to start the directory server, enter this command:

       path/sun/mps/startconsole

   On AIX, for example, the value of path is usr.
2. Navigate to your directory server in the console tree and open the directory server.
3. Select the Configuration tab and configure a new root suffix that can be any value for the suffix that you define for Tivoli Identity Manager, such as dc=com. For example, complete these steps:
   a. On the Configuration tab, right click the Data folder.
   b. In the New Suffix window, type dc=com.
   c. Select the new item dc=com. Then, add an attribute such as o for organization.
   d. Click Save. Then, on the warning window, click Do nothing.
4. Give the new root suffix an object class of domain. In the Create New Root Suffix window, complete these steps:
   a. Select the Directory tab.
   b. Right-click the name of the directory server in the directory server tree and select the new root suffix such as dc=com that you created in step 3, located under New Root Object.
   c. In the New Object window, select domain and repeatedly click OK in subsequent windows.
5. Restart the directory server.
6. Open the Performance folder and increase the memory cache available for the Tivoli Identity Manager Server to a maximum cache size that is appropriate to the physical memory for your hardware configuration. If the Sun ONE Directory Server is installed on its own machine, set this value to 75% of the available memory.
7. Select the database object in the Tivoli Identity Manager application node, and change the memory available in the database settings to a value that is appropriate to the physical memory for your hardware configuration. If the Tivoli Identity Manager application is the only application using this directory, set this value to 60% of the maximum cache size.
8. Save the settings.
9. Restart the directory server.

Note: Sun ONE Directory Server access control instructions (ACIs) might have enabled anonymous read access. To provide more secure data, modify the default ACIs to disable anonymous read access. For more information, refer to the Sun ONE Directory Server documentation.
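An added example (not part of this guide or of the Sun ONE product) for the note above: before editing the default ACIs, list which ones grant read, search or compare to anonymous clients. It assumes the aci attributes have been exported to LDIF; the sample LDIF, its ACI names and the function names are constructed for illustration.

```python
import base64
import re

# Constructed sample: LDIF export of two entries with their aci values.
# Continuation lines start with one space, as LDIF line folding requires.
SAMPLE_LDIF = """\
dn: dc=com
objectclass: top
objectclass: domain
dc: com
aci: (targetattr != "userPassword") (version 3.0; acl "Anonymous access";
  allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr = "*") (version 3.0; acl "Directory administrators";
  allow (all) groupdn = "ldap:///cn=Directory Administrators,dc=com";)

dn: ou=people,dc=com
objectclass: organizationalUnit
ou: people
aci: (targetattr = "userPassword") (version 3.0; acl "Self password change";
  allow (write) userdn = "ldap:///self";)
aci: (targetattr = "cn || mail") (version 3.0; acl "Authenticated read";
  allow (read, search) userdn = "ldap:///all";)
"""

READ_RIGHTS = {"read", "search", "compare", "all"}
ATTR = re.compile(r"^([A-Za-z][\w;.-]*)(::?)\s*(.*)$")
ACL_NAME = re.compile(r'acl\s+"([^"]*)"')
PERMISSION = re.compile(r"\b(allow|deny)\s*\(([^)]*)\)\s*([^;]*);", re.I)
USERDN = re.compile(r'userdn\s*(!?=)\s*"([^"]*)"', re.I)


def unfold(ldif):
    """Join folded LDIF lines: a line starting with a space continues the previous one."""
    lines = []
    for line in ldif.splitlines():
        if line.startswith(" ") and lines and lines[-1]:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def entries(ldif):
    """Yield (dn, [aci, ...]) for every entry; base64 values (attr::) are decoded."""
    dn, acis = None, []
    for line in unfold(ldif) + [""]:
        if not line.strip():
            if dn is not None:
                yield dn, acis
            dn, acis = None, []
            continue
        match = ATTR.match(line)
        if not match:
            continue
        name, sep, value = match.group(1).lower(), match.group(2), match.group(3)
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        if name == "dn":
            dn = value
        elif name == "aci":
            acis.append(value)


def anonymous_read_rights(aci):
    """Return the read-type rights that this ACI allows to ldap:///anyone.

    ldap:///anyone covers unauthenticated clients; ldap:///all covers only
    authenticated users and is therefore not reported. A rule is reported even
    if its bind rule adds further conditions, so that it gets reviewed.
    """
    granted = set()
    body = ACL_NAME.sub("", aci)  # keep text inside the ACL name out of the match
    for verb, rights, bind_rule in PERMISSION.findall(body):
        if verb.lower() != "allow":
            continue
        rights = {r.strip().lower() for r in rights.split(",")}
        for operator, value in USERDN.findall(bind_rule):
            urls = {u.strip().lower() for u in value.split("||")}
            if operator == "=" and "ldap:///anyone" in urls:
                granted |= rights & READ_RIGHTS
    return granted


def audit(ldif):
    """Return [(entry dn, ACL name, sorted rights)] for anonymous-readable ACIs."""
    findings = []
    for dn, acis in entries(ldif):
        for aci in acis:
            rights = anonymous_read_rights(aci)
            if rights:
                name = ACL_NAME.search(aci)
                findings.append((dn, name.group(1) if name else "(unnamed)", sorted(rights)))
    return findings


if __name__ == "__main__":
    for dn, name, rights in audit(SAMPLE_LDIF):
        print(f"{dn}: ACI {name!r} allows {', '.join(rights)} to anonymous clients")
```

Run it again on a fresh export after the ACIs are changed; an empty result means no ACI in the export still names ldap:///anyone in an allow rule for read-type rights.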
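An added example, not IBM's code, for the IBM Tivoli Directory Server steps earlier in this chapter: it checks an ibmslapd.conf for the referential integrity plug-in line (placement, file= and dn= values) and for a SLAPD_OCHANDLERS value large enough for the Tivoli Identity Manager connection pools. The sample configuration, its paths and stanza, and the function names are constructed; treating an unset SLAPD_OCHANDLERS as one thread is an assumption based on the 64-connection default stated above.

```python
import math
import re
import shlex

CONNECTIONS_PER_THREAD = 64  # from the guide: "One thread supports 64 connections"
FRONT_END_DN = "cn=front end,cn=configuration"

RDBM_LINE = "ibm-slapdplugin: database /lib/libback-rdbm.so rdbm_backend_init"
DELREF_LINE = ("ibm-slapdplugin: preoperation /usr/ibm/ldap/lib/libdelref.so "
               "DeleteReferenceInit file=/usr/ibm/ldap/etc/timdelref.conf dn=dc=com")

# Constructed sample with two deliberate problems: the plug-in line sits before
# the database line instead of directly after it, and one handler thread is too
# few for two server instances. The second stanza's DN is illustrative only.
SAMPLE_CONF = f"""\
dn: cn=Front End, cn=Configuration
cn: Front End
ibm-slapdsetenv: SLAPD_OCHANDLERS=1

dn: cn=Directory, cn=RDBM Backends, cn=IBM Directory, cn=Schemas, cn=Configuration
cn: Directory
{DELREF_LINE}
{RDBM_LINE}
"""


def normalize_dn(dn):
    """Lower-case a DN and drop spaces around commas so DNs compare reliably."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def stanzas(conf):
    """Split the file into [(dn, [(attribute, value), ...])], keeping line order.

    Attribute names are lower-cased because LDAP attribute names are not
    case-sensitive.
    """
    result, dn, attrs = [], None, []
    for line in conf.splitlines() + [""]:
        if not line.strip():
            if dn is not None:
                result.append((dn, attrs))
            dn, attrs = None, []
        elif not line.lstrip().startswith("#"):
            name, _, value = line.partition(":")
            if name.strip().lower() == "dn":
                dn = normalize_dn(value)
            else:
                attrs.append((name.strip().lower(), value.strip()))
    return result


def check_delref(conf, suffix):
    """Check the DeleteReferenceInit plug-in line described in step 4."""
    findings, seen = [], False
    for _dn, attrs in stanzas(conf):
        for i, (name, value) in enumerate(attrs):
            # shlex handles the double-quoted paths used on Windows
            fields = shlex.split(value) if name == "ibm-slapdplugin" else []
            if len(fields) < 3 or fields[2] != "DeleteReferenceInit":
                continue
            seen = True
            prev_name, prev_value = attrs[i - 1] if i else ("", "")
            prev = prev_value.split()
            if not (prev_name == "ibm-slapdplugin" and prev[:1] == ["database"]
                    and prev[-1:] == ["rdbm_backend_init"]):
                findings.append("DeleteReferenceInit line is not directly after "
                                "the rdbm_backend_init database plug-in line")
            if fields[0] != "preoperation":
                findings.append("DeleteReferenceInit is not a preoperation plug-in")
            opts = dict(f.split("=", 1) for f in fields[3:] if "=" in f)
            if normalize_dn(opts.get("dn", "")) != normalize_dn(suffix):
                findings.append(f"plug-in dn= is {opts.get('dn')!r}, expected {suffix!r}")
            if not opts.get("file", "").endswith("timdelref.conf"):
                findings.append("plug-in file= does not point to timdelref.conf")
    if not seen:
        findings.append("no DeleteReferenceInit plug-in line found")
    return findings


def check_ochandlers(conf, instances, pool_min=50):
    """Compare SLAPD_OCHANDLERS with the LDAP sessions the servers open at startup."""
    needed = math.ceil(instances * pool_min / CONNECTIONS_PER_THREAD)
    threads = 1  # assumption: unset means the 64-connection default
    for dn, attrs in stanzas(conf):
        if dn != FRONT_END_DN:
            continue
        for name, value in attrs:
            match = re.fullmatch(r"SLAPD_OCHANDLERS=(\d+)", value)
            if name == "ibm-slapdsetenv" and match:
                threads = int(match.group(1))
    if threads < needed:
        return [f"SLAPD_OCHANDLERS={threads} allows {threads * CONNECTIONS_PER_THREAD} "
                f"connections; {instances} servers x {pool_min} sessions need "
                f"a value of at least {needed}"]
    return []


def audit(conf, suffix, instances):
    """Run both checks and return the combined list of findings."""
    return check_delref(conf, suffix) + check_ochandlers(conf, instances)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, "dc=com", instances=2):
        print("FINDING:", finding)
```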

Chapter 4. Installing and configuring WebSphere Application Server

This chapter describes generic steps to create a WebSphere Application Server environment before you install the Tivoli Identity Manager Server in either single-server or cluster configurations.

Before you install the WebSphere Application Server

Before installing the WebSphere Application Server, complete these tasks:

- Meeting installation requirements
- Solaris: Setting additional kernel parameters for WebSphere embedded messaging
- UNIX: Creating groups and users before installing WebSphere embedded messaging on page 34

Meeting installation requirements

To meet the installation requirements for the WebSphere Application Server, complete these steps:

- Read the installation guide that the WebSphere Application Server provides.
- Ensure that your system meets the product hardware and software requirements.
- Ensure that all required operating system fix packs and cumulative fixes are in place.

For more information on tuning operating systems for the WebSphere Application Server, refer to this Web site: com.ibm.websphere.nd.doc/info/ae/ae/tprf_tuneopsys.html

For more information on installing the WebSphere Application Server, refer to the following Web sites:

    Hardware and software requirements
        /prereqs/was_511.htm
    Fixes
    Documentation

Solaris: Setting additional kernel parameters for WebSphere embedded messaging

Before installing the WebSphere Application Server on Solaris operating systems, specify the additional kernel parameter values that the WebSphere Application Server requires to support WebSphere embedded messaging. Installation fails if these additional kernel parameter values are not specified.

Tivoli Identity Manager has prerequisites for WebSphere Application Server and WebSphere embedded messaging that require additional kernel settings. On Solaris 9, for files and additional processes that ensure prerequisite checking, access these Web sites: topic=/com.ibm.websphere.base.doc/info/aes/relnotes/relnotes_aes.html

To locate the list of kernel parameters for Solaris systems, take these steps in the WebSphere Application Server information center that the Web site provides:

1. In the table of contents, click Installing -> Getting started -> Installing the product -> Installing the base Application Server on Solaris platforms.
2. Scroll the target information section to the step that reads Set kernel values to support Application Server.

AIX: Validating port 9090 is available for the WebSphere Application Server administrative host

The WebSphere Application Server administrative host uses the default port 9090. On AIX systems, the AIX wsmserver process might use port 9090 for Web-based System Manager servers. To test whether the port is being used, enter this command:

    netstat -an | grep 9090

Use these parameters:

    -a   Show both listening and non-listening sockets.
    -n   Show numerical addresses rather than symbolic host, port or user names.

To make port 9090 available for the WebSphere Application Server administrative host, specify a different port for the AIX wsmserver process. At a command line prompt, type these commands:

    cd /path/websm/bin
    ./wsmserver -disable
    ./wsmserver -enable -listenport availableportnumber
    ./wsmserver -start

The path parameter has a value such as usr. The value of the availableportnumber is an available, unused port number.

UNIX: Creating groups and users before installing WebSphere embedded messaging

Before you install the WebSphere embedded messaging server and client that the WebSphere Application Server provides, create the groups and users that the WebSphere embedded messaging requires on UNIX operating systems. Complete these steps:

1. Create the groups mqm and mqbrkrs, and create the mqm user. Add the mqm user to the mqm group. Add root to both groups.
2. To make the changes effective, log off:
   UNIX: If you are running the Common Desktop Environment, you must log off completely. Closing the open consoles is insufficient.
   Linux: Log out of the desktop session or shell process.
3. Log on again as root.

For more information, refer to the installation documentation that the WebSphere product provides.

Installing the WebSphere Application Server base product, IBM HTTP Server, and WebSphere Web Server plug-in

The WebSphere installation program can also install the IBM HTTP Server and WebSphere Web Server plug-in. You can install these features either with the WebSphere Application Server or on a separate computer. Additional configuration steps are required if you install the IBM HTTP Server and WebSphere Web Server plug-in on a separate computer. For more information on installation, refer to the following Web site:

Run the WebSphere installation program to install the WebSphere Application Server, IBM HTTP Server and WebSphere Web Server plug-in. In a cluster configuration, do not install the IBM HTTP Server and the WebSphere Web Server plug-in on each cluster member. Complete these steps:

1. Install the WebSphere Application Server from the root user on UNIX systems, or from a user with administrator authority on the Windows operating system.
2. Start the WebSphere Application Server base installation program and complete the required steps.
3. Choose custom installation and do not select the WebSphere sample applications.
4. Enter the values that the WebSphere installation program requires.
5. When installation is complete, the installation wizard displays a First Steps window. Click Verify the Installation to verify that there are no installation problems.
6. If the IBM HTTP Server and the WebSphere Application Server are installed on the same computer, bring down the HTTP server before you apply fix packs and cumulative fixes for the WebSphere Application Server. Stop the WebSphere Application Server system and any related process. For example, stop the JMS server.
7. After you apply the WebSphere Application Server Fix Pack, start the WebSphere Application Server using the following command:

   Windows
       WAS_HOME\bin\startServer.bat servername
   For example, the value of servername is server1.

   UNIX
       WAS_HOME/bin/startServer.sh servername

8. After you start the WebSphere Application Server, verify that the WebSphere embedded messaging queue manager is also running. To verify the status, enter this command:

       dspmq

   A message similar to the following message indicates that the queue manager for server1 is running:

       QMNAME(WAS_wasnodename_server1) STATUS(status_string)

   The value of wasnodename is the node name that is defined when the WebSphere Application Server is installed. The value of status_string might be a string such as Running or Ended Immediately.
9. Use the following Web address to access the WebSphere administrative console:

   The value of hostname is either the fully qualified host name or the IP address of the computer on which you installed the WebSphere Application Server base product. The value 9090 is the default port number for the WebSphere administrative HTTP transport. The port number may not be 9090 if there is another instance of the WebSphere Application Server on the computer.
10. Ensure you have resolved any port problems, if you have more than one version of WebSphere Application Server installed on the computer. For more information, see Resolving port conflicts.
11. Examine the SystemOut.log and SystemErr.log files to ensure that there are no other problems. For more information, see Logs and directories on page 102.

Installing the IBM HTTP Server

Although you can install the IBM HTTP Server and the WebSphere Web Server plug-in on the same computer that has the deployment manager, you might want to install the IBM HTTP Server and the WebSphere Web Server plug-in on a separate computer for additional security. For more information, see Moving the HTTP server out of the cell for additional security on page 45.

To install the IBM HTTP Server and the WebSphere Web Server plug-in, complete these steps:

1. Start the WebSphere Application Server base installation program.
2. Navigate through the installation windows and any windows that check prerequisites, accepting the default settings.
3. Choose the Custom installation option when that installation window is displayed and then click Next.
4. On the features selection window, select only the following items and then click Next:
   - IBM HTTP Server
   - Web Server plug-ins (for IBM HTTP Server)
5. Accept the default target directories, or modify the target and then click Next.
6. On the summary window, verify the options and click Install to install the components.
7. Obtain and install the required fix pack and cumulative fixes for the WebSphere Application Server base product. The fix pack also includes the fix for IBM HTTP Server. For more information, refer to the IBM Tivoli Identity Manager Release Notes.

If you install the IBM HTTP Server on a separate computer, there are additional steps to set up the server for use with Tivoli Identity Manager on the WebSphere Application Server. For more information, see Moving the HTTP server out of the cell for additional security on page 45.

Creating a cluster configuration

The cluster installation and configuration program has the following sequence:

1. Installing the deployment manager
2. Installing the WebSphere Application Server base product on each node
3. Adding nodes to a cell
4. Verifying that the deployment manager, node agents, and JMS servers are running

53 5. Creating a cluster on page 39 Installing the deployment manager To install the deployment manager, complete these steps: 1. Start the deployment manager installation program and complete the required steps. Ensure that you do the following actions: If both the WebSphere Application Serer base product and the deployment manager are installed on the same computer, install the WebSphere Application Serer base product first. During the deployment manager installation, select the option that allows the deployment manager to co-exist with the WebSphere Application Serer base product. The deployment manager is assigned new port numbers to aoid a port conflict. 2. When installation is complete, the installation wizard displays a First Steps window. Click Verify the Installation to erify that there are no installation problems. 3. Stop the deployment manager before you apply a fix pack or cumulatie fix. 4. Install the required fix pack or cumulatie fixes. For more information, refer to the IBM Tioli Identity Manager Release Notes. 5. After you install the fix pack or cumulatie fix, start the deployment manager: a. Change to the deployment manager bin subdirectory. b. Start the deployment manager using the following command: Windows startmanager.bat UNIX startmanager.sh 6. Use the following Web address to access the administratie console: The alue of hostname is the fully qualified host name or the IP address of the computer on which you installed the deployment manager. The alue 9090 is the default port number for the WebSphere administratie HTTP transport. If you hae multiple instances of the WebSphere Application Serer on the same computer, the port number may be a different alue, such as The port number is the port number for the WebSphere irtual host (admin_host) that is assigned during installation, allowing coexistence of more than one WebSphere Application Serer. 
Installing the WebSphere Application Serer base product on each node Install the WebSphere Application Serer base product on each computer on which the Tioli Identity Manager Serer runs as a Tioli Identity Manager cluster member. Do not install the IBM HTTP Serer and the WebSphere Web Serer plug-in on each cluster member. To install the WebSphere Application Serer base product, follow the steps in Installing the WebSphere Application Serer base product, IBM HTTP Serer, and WebSphere Web Serer plug-in on page 35. Chapter 4. Installing and configuring WebSphere Application Serer 37

Adding nodes to a cell

You can add a node to a Tivoli Identity Manager cell by running the addNode.sh script on each application server that you want to add as a node to the cluster. Enter this statement on one line:

   Windows
      "WAS_HOME\bin\addNode.bat" dmgr_host portnumber
   UNIX
      WAS_HOME/bin/addNode.sh dmgr_host portnumber

The value of dmgr_host is the host name of the computer on which the deployment manager is installed. The portnumber parameter specifies the Simple Object Access Protocol (SOAP) port number that is assigned to the deployment manager. The value can be omitted if the default port number 8879 is used.

A node agent is created and started after a node is successfully added to a cell. A JMS server that is associated with the node is also created after a node is successfully added to a cell.

Verifying that the deployment manager, node agents, and JMS servers are running

You must ensure that the deployment manager, WebSphere Application Server node agents, and JMS servers are running.

If Tivoli Identity Manager will use DB2 Universal Database, and either the DB2 server or the DB2 runtime client is already installed, you must source the DB2 UDB profile on each cluster member computer on UNIX systems before the node agent is started. Sourcing the DB2 UDB profile on UNIX systems ensures that Tivoli Identity Manager can communicate with the database. For more information, see either UNIX: Sourcing the DB2 Universal Database profile on page 57 for a single-server configuration or UNIX: Sourcing the DB2 Universal Database profile on page 73 for a cluster configuration.

To ensure that the deployment manager and all WebSphere Application Server node agents are running, complete these steps using either a command line interface or the WebSphere administrative console:

Command line interface

To determine the status of the node agent and the JMS server, run the following command on the computer on which the WebSphere Application Server base product is installed:

   Windows
      WAS_HOME\bin\serverStatus.bat -all
   UNIX
      WAS_HOME/bin/serverStatus.sh -all

The status of the node agent and JMS server is displayed. If the node agent is not started, run the following command:

   Windows
      "WAS_HOME\bin\startNode.bat"
   UNIX
      WAS_HOME/bin/startNode.sh

If the JMS server is not started, run the following command on the computer on which the node agent resides:

   Windows
      "WAS_HOME\bin\startServer.bat" jmsserver
   UNIX
      WAS_HOME/bin/startServer.sh jmsserver

To determine the status of the deployment manager, run this command on the computer on which the deployment manager is installed:

   Windows
      WAS_NDM_HOME\bin\serverStatus.bat -all
   UNIX
      WAS_NDM_HOME/bin/serverStatus.sh -all

If the deployment manager is not started, run this command on the computer that has the deployment manager:

   Windows
      startManager.bat
   UNIX
      startManager.sh

Administrative console

If the deployment manager is running, you can log on to the WebSphere administrative console to verify the status of the node agents and JMS servers. Complete these steps:

1. To verify the status of the node agents, click System Administration > Node Agents. A window opens that displays the node agents and their status. If a node agent is not running, start the node agent by entering this command on the computer that has the idle node agent:
      Windows
         "WAS_HOME\bin\startNode.bat"
      UNIX
         WAS_HOME/bin/startNode.sh
2. To verify the status of the JMS servers, click Servers > JMS Servers. A window opens that displays the JMS servers and their status. If a JMS server is not running, start the JMS server by selecting the server on the WebSphere administrative console and clicking Start.

Creating a cluster

On the WebSphere administrative console of the deployment manager, complete these steps to create a cluster:

1. Click Servers > Clusters.
2. On the next window, click New.
3. Enter a name that you give to the cluster, select the appropriate server, and click Next.
4. Complete the New Clustered Servers window, specifying a cluster member, and click Apply. Repeat the specification for additional cluster members. When the list is complete, click Next.
5. Examine the cluster member summary to ensure that the list of cluster members is correct. Click Finish.
6. In the Messages window, click Save.
7. Select Synch changes with Nodes, and save the configuration to the master repository.

Resolving port conflicts

The WebSphere Application Server uses a set of default ports for different purposes. For example, the value 9090 is the default port number for the WebSphere administrative HTTP transport. Several of the ports that are associated with the Tivoli Identity Manager application are described in Table 3. If any default port numbers are already in use prior to installing either the WebSphere Application Server base product or the deployment manager, either release the port or choose a different port number when you install the WebSphere Application Server.

Table 3. Default port numbers

Description         | Port number                                                            | Used by                                          | Alternate port number example
HTTP Transport      | 9080                                                                   | WebSphere Application Server default host        |
HTTP Transport      | 9090                                                                   | WebSphere Application Server administrative host |
SOAP connector port | Deployment manager: 8879; WebSphere Application Server base: 8880      | WebSphere administrative component               | Deployment manager: 8889; WebSphere Application Server base: 8881
IBM HTTP Server     | 80                                                                     | HTTP server                                      | Value of 80 is required.

To determine whether a port is available before starting the installation program, enter this command:

   netstat -an

The command uses these parameters:

   -a   Displays both listening and non-listening sockets.
   -n   Displays addresses and port numbers in numerical form.

Optionally configuring security for Tivoli Identity Manager

When enabled, WebSphere global security ensures that authenticated users have the necessary permissions to access Tivoli Identity Manager JavaBeans (EJB) components. Configuring this security component involves configuring an authentication mechanism, a user registry, and optionally, Java 2 security. The manual steps differ, depending on whether the deployment is for one node or for multiple nodes.

The Java 2 security policy that Tivoli Identity Manager provides grants Tivoli Identity Manager all permissions on the system. Enabling Java 2 security can cause a reduction in performance of the WebSphere Application Server. For more information, refer to performance information that the WebSphere Application Server product provides.
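The netstat check described under Resolving port conflicts, turned into a script (an added example, not part of the IBM guide): it scans netstat -an output for listeners on the Table 3 default ports. The function names, the port labels and the sample netstat lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the IBM guide: find listeners on the Table 3 defaults.

# label:port pairs taken from Table 3 (the labels are made up for this script).
TIM_DEFAULT_PORTS="http_default_host:9080 http_admin_host:9090 soap_dmgr:8879 soap_base:8880 ibm_http_server:80"

# ports_in_use NETSTAT_TEXT
# Prints "label:port" for each default port that has a listening TCP socket.
# Only LISTEN/LISTENING lines count, so an outbound connection *to* port 8880
# is not reported, and UNIX domain sockets are skipped. The port is matched at
# the end of an address field after ":" (Linux, Windows) or "." (AIX, Solaris),
# so a listener on 19080 is never mistaken for 9080.
ports_in_use() {
    printf '%s\n' "$1" | awk -v ports="$TIM_DEFAULT_PORTS" '
        BEGIN { n = split(ports, p, " ") }
        /LISTEN/ && $1 != "unix" {
            for (i = 1; i <= n; i++) {
                split(p[i], kv, ":")
                for (f = 1; f <= NF; f++)
                    if ($f ~ ("[.:]" kv[2] "$")) busy[p[i]] = 1
            }
        }
        END { for (i = 1; i <= n; i++) if (p[i] in busy) print p[i] }
    '
}

# report_conflicts NETSTAT_TEXT
# Human-readable report; returns 1 when at least one default port is taken.
report_conflicts() {
    conflicts=$(ports_in_use "$1")
    if [ -z "$conflicts" ]; then
        echo "All Table 3 default ports are free."
        return 0
    fi
    for entry in $conflicts; do
        echo "Port ${entry#*:} (${entry%%:*}) already has a listener: release it or choose another port."
    done
    return 1
}

# Constructed sample mixing Linux, AIX and Windows netstat -an line formats.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:9090       0.0.0.0:*        LISTEN
tcp        0      0 0.0.0.0:19080      0.0.0.0:*        LISTEN
tcp        0      0 10.0.0.5:51544     10.0.0.9:8880    ESTABLISHED
tcp4       0      0 *.80               *.*              LISTEN
  TCP    0.0.0.0:8879       0.0.0.0:0       LISTENING
unix  2      [ ACC ]     STREAM     LISTENING     20314    /tmp/.app.9080'

report_conflicts "$SAMPLE_NETSTAT" || true
# On a real host, before starting the installer: report_conflicts "$(netstat -an)"
```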

Enabling Java 2 security for the Tivoli Identity Manager application also causes Java 2 security to be enforced on all applications that are running on the WebSphere Application Server. If you enable Java 2 security for the Tivoli Identity Manager application, you should also appropriately configure all other applications running on the WebSphere Application Server to support Java 2 security.

For more information on configuring secure sockets layer (SSL) authentication in the Tivoli Identity Manager environment, refer to the IBM Tivoli Identity Manager Information Center.

Configuring security manually for single-node deployments before installing Tivoli Identity Manager

To configure the security for single-node deployment, complete the following manual steps before installing Tivoli Identity Manager:

1. Specify an administrative user with these steps:
   a. Create or select an administrative user in the user registry of your operating system. In subsequent examples, the user is called the System User or wasadmin.
   b. Create or select another administrative user in the user registry of your operating system. In subsequent examples, the user is called the EJB user or itimadmin. Define the EJB User ID prior to starting installation. This user ID will be used when configuring security after Tivoli Identity Manager installation. For more information, see Optionally configuring security after installing Tivoli Identity Manager.
2. Specify the authentication mechanism and user registry with these steps:
   a. Start the WebSphere Application Server, and log in at the console.
   b. Click Security > Global Security.
   c. Select the following options:
      - Active Authentication Mechanism: Select SWAM (Simple WebSphere Authentication Mechanism)
      - Active User Registry: Select Local OS
   d. Save the configuration changes.
3. Configure the local OS user registry with these steps:
   a. Click Security > User Registries > Local OS.
   b. Enter the System User user ID (wasadmin) and password.
   c. Save the configuration changes.
4. Enable security with these steps:
   a. Click Security > Global Security.
   b. Click Enabled. The action also selects Enforce Java 2 Security. For performance reasons, you might consider disabling Java 2 security.
   c. Save the configuration changes.
5. On a single-node deployment, restart the WebSphere Application Server. When starting the administrative server, you might be required to specify the WebSphere administrative user ID and password. For example:
      Windows
         WAS_HOME\bin\stopServer server1 [-username wasadmin -password wasadminpwd]
         WAS_HOME\bin\startServer server1
      UNIX
         WAS_HOME/bin/stopServer.sh server1 [-username wasadmin -password wasadminpwd]
         WAS_HOME/bin/startServer.sh server1

Configuring security manually for multi-node deployments before installing Tivoli Identity Manager

To configure security for multi-node deployment, complete the following steps before installing Tivoli Identity Manager:

1. Set up LDAP for multi-node security with these steps:
   a. First, using the management tool that the directory server provides, create an organization unit (for example) ou=wassecurity,dc=com. The value of dc=com might be the suffix for your organization.
   b. Next, create the wasadmin organizationalPerson object for the WebSphere Application Server administrative user that is specified as the System User. Use the management tool that the directory server provides, or use the following examples:

      IBM Tivoli Directory Server
         Create an eperson. For example, create (cn=wasadmin,ou=wassecurity,dc=com). Set the following fields and values:
            sn=wasadmin
            cn=wasadmin
            uid=wasadmin
            userpassword=wasadminpwd
         You can also import the following LDIF file, updating the basedn with a value such as dc=com and userpassword variables for your environment. For example, the file contains these statements:
            dn:cn=wasadmin,ou=wassecurity,basedn
            userpassword:userpassword
            uid:wasadmin
            objectclass:top
            objectclass:person
            objectclass:eperson
            sn:wasadmin
            cn:wasadmin

      Sun ONE Directory Server
         Create an inetorgperson. For example, create (uid=wasadmin,ou=wassecurity,dc=com). Set the following fields and values:
            sn=wasadmin
            cn=wasadmin
            uid=wasadmin
            userpassword=wasadminpwd
            givenname=wasadminpwd
         You can also import the following LDIF file, updating the basedn with a value such as dc=com and userpassword variables for your environment. An example file contains these statements:
            dn:uid=wasadmin,ou=wassecurity,basedn
            userpassword:userpassword
            uid: wasadmin
            givenname: wasadmin
            objectclass:inetorgperson
            objectclass:organizationalperson
            objectclass:person
            objectclass:top
            sn:wasadmin
            cn:wasadmin

   c. Depending on the directory server, create the itimadmin organizationalPerson object for the WebSphere Application Server administrative user that is specified as the EJB user. For more information on setting up an unprivileged itimadmin object in the context of security planning for Tivoli Identity Manager, refer to the IBM Tivoli Identity Manager Planning for Deployment Guide.

      IBM Tivoli Directory Server
         Create an eperson. For example, create (cn=itimadmin,ou=wassecurity,dc=com). Set the following fields and values:
            sn=itimadmin
            cn=itimadmin
            uid=itimadmin
            userpassword=itimadminpwd
         You can also import the following LDIF file, updating the basedn with a value such as dc=com and userpassword variables for your environment. An example file contains these statements:
            dn:cn=itimadmin,ou=wassecurity,basedn
            userpassword:userpassword
            uid:itimadmin
            objectclass:top
            objectclass:person
            objectclass:eperson
            sn:itimadmin
            cn:itimadmin

      Sun ONE Directory Server
         Create an inetorgperson. For example, create (uid=itimadmin,ou=wassecurity,dc=com). Set the following fields and values:
            sn=itimadmin
            cn=itimadmin
            uid=itimadmin
            userpassword=itimadminpwd
            givenname=itimadminpwd
         You can also import the following LDIF file, updating the basedn with a value such as dc=com and userpassword variables for your environment. An example file contains these statements:
            dn:uid=itimadmin,ou=wassecurity,basedn
            userpassword:userpassword
            uid:itimadmin
            givenname:itimadmin
            objectclass:inetorgperson
            objectclass:organizationalperson
            objectclass:person
            objectclass:top
            sn:itimadmin
            cn:itimadmin

2. Set up the authentication mechanism and user registry with these steps:
   a. Start the deployment manager, and log in at the console.
   b. Click Security > Global Security.
   c. Select the following options:
      - Active Authentication Mechanism: LTPA (Lightweight Third Party Authentication)
      - Active User Registry: LDAP
   d. Save the configuration changes.
3. Configure the authentication mechanism with these steps:
   a. Click Security > Authentication Mechanisms > LTPA.
   b. Create and confirm a password for the LTPA authentication mechanism.
   c. Save the configuration changes.
4. Configure the LDAP user registry with these steps:
   a. Click Security > User Registries > LDAP.
   b. Set the following fields and values:
      - Server User ID=wasadmin
      - Server User Password=wasadminpwd
      - Type=directoryservertype
        The value of directoryservertype identifies the directory server such as IBM_Directory_Server.
      - Host=ITIM LDAP server hostname
      - Base Distinguished Name (DN): ou=wassecurity,dc=com
      - Bind Distinguished Name (DN): Enter the bind distinguished name such as cn=root.
      - Bind Password: Enter the password for the bind distinguished name.
      - Ignore Case: Check this option
   c. Save the configuration changes.
5. Enable security with these steps:
   a. Click Security > Global Security.
   b. Click Enabled. The action also selects Enforce Java 2 Security. For performance reasons, you might consider disabling Java 2 security.
   c. Save the configuration changes.
6. To run with security enabled, complete these steps:
   a. On the computer with the deployment manager, enter:
      Windows
         WAS_NDM_HOME\bin\stopManager [-username wasadmin -password wasadminpwd]
         WAS_NDM_HOME\bin\startManager
      UNIX
         WAS_NDM_HOME/bin/stopManager.sh [-username wasadmin -password wasadminpwd]
         WAS_NDM_HOME/bin/startManager.sh
   b. On other computers with the node agent:
      Windows
         WAS_HOME\bin\stopNode [-username wasadmin -password wasadminpwd]
         WAS_HOME\bin\startNode
      UNIX
         WAS_HOME/bin/stopNode.sh [-username wasadmin -password wasadminpwd]
         WAS_HOME/bin/startNode.sh
   c. Restart the cluster. Complete these steps:
      1) Log in to the deployment manager using the wasadmin user ID and password at the console.
      2) Click Servers > Clusters.
      3) Select the cluster.
      4) Click Stop and then click Start.

   d. Restart the JMS server. Complete these steps:
      1) Log on to the deployment manager.
      2) Click Servers > JMS Servers.
      3) Select the server.
      4) Click Stop and then click Start.

Disabling security

For testing purposes or troubleshooting, you might need to disable security. To disable security using the WebSphere administrative console, complete these steps:

1. Click Security > Global Security.
2. Clear the Enabled and Enable Java 2 Security checkboxes.
3. Stop and then start all node agents, JMS servers, and application servers.

Moving the HTTP server out of the cell for additional security

To provide additional security, configure an HTTP server, such as the IBM HTTP Server, to reside on a standalone computer that is external to any other Tivoli Identity Manager component. An example of a cluster configuration that provides additional security is similar to Figure 6. This process includes installing the IBM HTTP Server and the WebSphere Web Server plug-in, copying several files from the deployment manager, and configuring the web server to load and configure a WebSphere module when the server is started.

[Figure 6. HTTP server configuration for increased security]

Complete these steps:

1. On the external computer, install and configure the IBM HTTP Server and the WebSphere Web Server plug-in.
2. Create a directory under the HTTP_HOME/conf directory called WebSphere.
3. Copy the WAS_NDM_HOME/config/cells/plugin-cfg.xml file from the deployment manager computer to the HTTP_HOME/conf/WebSphere directory.

4. If Secure Socket Layer (SSL) communication is enabled, also copy the following files from the deployment manager computer to the HTTP_HOME/conf/WebSphere directory:
      WAS_NDM_HOME/etc/plugin-key.kdb
      WAS_NDM_HOME/etc/plugin-key.sth
   For more information on configuring SSL authentication in the Tivoli Identity Manager environment, refer to the IBM Tivoli Identity Manager Information Center.
5. The behavior of the WebSphere Web Server plug-in is governed by the plugin-cfg.xml file. On the computer that has the IBM HTTP Server, open the plugin-cfg.xml file in the text editor and make the following changes:
   - Change each instance of the WAS_NDM_HOME/etc/ directory to the HTTP_HOME/conf/WebSphere directory. That is, replace /path/websphere/deploymentmanager/etc with /path/ibmhttpserver/conf/websphere.
   - Change the directory of the http_plugin.log file to HTTP_HOME/logs. That is, replace /path/websphere/deploymentmanager/logs/http_plugin.log with /path/ibmhttpserver/logs/http_plugin.log.
   The value of path varies for these operating systems:
      Windows: drive:\Program Files
      AIX: /usr
      Other UNIX: /opt
6. Use a text editor to open the HTTP_HOME/conf/httpd.conf file and add the following WebSphere Web Server plug-in setting as one line at the bottom of the file:
      LoadModule ibm_app_server_http_module WAS_HOME/WebSphere/AppServer/bin/mod_ibm_app_server_http.operatingsystem
   The operatingsystem is one of these values:
      dll for the Windows operating system
      so for the UNIX, including the AIX operating system
   On the next line, enter the following WebSphere Web Server plug-in setting:
      WebSpherePluginConfig HTTP_HOME/conf/WebSphere/plugin-cfg.xml

Ensure that any required WebSphere Application Server Fix Pack is also installed on the computer on which the WebSphere Web Server plug-in is installed. For more information on fix packs, refer to the IBM Tivoli Identity Manager Release Notes.
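Step 5's path rewrite as a script, with a check that nothing in the copied file still points at the deployment manager tree (an added example, not part of the IBM guide). The function names, the /opt/WebSphere/DeploymentManager and /opt/IBMHttpServer paths, and the sample plugin-cfg.xml are constructed for illustration.

```shell
#!/bin/sh
# Added example, not IBM's code: apply step 5 to a copied plugin-cfg.xml.

# relocate_plugin_cfg SRC DST WAS_NDM_HOME HTTP_HOME
# Writes DST (must differ from SRC) with the two substitutions from step 5,
# using literal string replacement so "." or "\" in a path is not a pattern.
# Returns 1 if DST still names the deployment manager tree, 2 on I/O failure.
relocate_plugin_cfg() {
    WAS_NDM_HOME=$3 HTTP_HOME=$4 awk '
        function replace_all(s, from, to,    out, i) {
            out = ""
            while ((i = index(s, from)) > 0) {
                out = out substr(s, 1, i - 1) to
                s = substr(s, i + length(from))
            }
            return out s
        }
        BEGIN { dm = ENVIRON["WAS_NDM_HOME"]; hs = ENVIRON["HTTP_HOME"] }
        {
            $0 = replace_all($0, dm "/etc/", hs "/conf/WebSphere/")
            $0 = replace_all($0, dm "/logs/http_plugin.log", hs "/logs/http_plugin.log")
            print
        }
    ' "$1" > "$2" || return 2
    # Any leftover reference would make the plug-in look for files that do not
    # exist on the standalone web server; show the offending lines.
    if grep -nF -- "$3" "$2" >&2; then
        echo "plugin-cfg.xml still points into $3" >&2
        return 1
    fi
    return 0
}

# referenced_key_files CFG
# Prints the keyring and stashfile paths the plug-in will open, that is, the
# files step 4 must have copied. plugin-key.sth stashes the key database
# password, so keep both files readable only by the web server account.
referenced_key_files() {
    awk '/name="(keyring|stashfile)"/ && match($0, /value="[^"]*"/) {
        print substr($0, RSTART + 7, RLENGTH - 8)
    }' "$1"
}

# Constructed, abbreviated plugin-cfg.xml as generated on a deployment manager.
write_sample_cfg() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="ISO-8859-1"?>
<Config>
  <Log LogLevel="Error" Name="/opt/WebSphere/DeploymentManager/logs/http_plugin.log"/>
  <ServerCluster Name="itim_cluster">
    <Server Name="node1_server1">
      <Transport Hostname="node1.example.com" Port="9443" Protocol="https">
        <Property name="keyring" value="/opt/WebSphere/DeploymentManager/etc/plugin-key.kdb"/>
        <Property name="stashfile" value="/opt/WebSphere/DeploymentManager/etc/plugin-key.sth"/>
      </Transport>
    </Server>
  </ServerCluster>
</Config>
EOF
}

demo=$(mktemp -d)
write_sample_cfg "$demo/plugin-cfg.xml"
if relocate_plugin_cfg "$demo/plugin-cfg.xml" "$demo/plugin-cfg.new" \
        /opt/WebSphere/DeploymentManager /opt/IBMHttpServer; then
    echo "Files the plug-in will open on the web server:"
    referenced_key_files "$demo/plugin-cfg.new"
fi
rm -rf "$demo"
```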

Chapter 5. Installing Tivoli Identity Manager in a single-server configuration

This chapter describes tasks that install and configure the Tivoli Identity Manager Server in a single-server configuration. The installation program installs only the Tivoli Identity Manager Server.

Before you begin

Before you begin to install Tivoli Identity Manager Server in a single-server configuration, complete these tasks:

1. Determine which product CDs that you need to install Tivoli Identity Manager. For an itemization of the CD contents, refer to a text file such as itim-4.6-cd-images-operatingsystem.txt that is provided with the CD image. For a complete list of these image files, see Appendix A, Installation images and fix packs.
2. Ensure that free disk space and virtual memory requirements are met. Additionally, ensure that there is adequate free disk space in the system temp directory and in the WAS_HOME directory. The target computer must meet the machine requirements described in the IBM Tivoli Identity Manager Release Notes.
3. Ensure that you have the needed administrative authority. On Windows systems, the logon user ID must be in the Administrators Group. On UNIX systems, the logon user ID must be root.
4. Installing the Tivoli Identity Manager Server writes data to the Tivoli Identity Manager database. If DB2 UDB is used, ensure that the following conditions are met:
   - If DB2 UDB is selected, the Tivoli Identity Manager installation program pre-allocates 1 GB database table space on the computer on which the DB2 server resides. Ensure that this free disk space is available on the DB2 server. For more information on database table space, refer to the IBM Tivoli Identity Manager Performance Tuning Guide technical supplement.
   - Database configuration, such as creating table space, requires that you have authority as database administrator. On Windows systems, the authority can be the db2admin user. On UNIX operating systems, the authority can be db2inst1.
5. Ensure that the directory server has loaded the appropriate referential integrity plug-in. For more information, see Configuring the referential integrity plug-in on the IBM Tivoli Directory Server.
6. Ensure that the prerequisite applications are running that are described in Table 4:

   Table 4. Prerequisite applications

   Prerequisite     | For more information, see
   Database         | Chapter 2, Installing and configuring a database, on page 11
   Directory server | Chapter 3, Installing and configuring a directory server, on page 25

7. Ensure that the WebSphere Application Server can be stopped and started before you install the Tivoli Identity Manager Server. To be sure, stop and start the WebSphere Application Server. See Chapter 4, Installing and configuring WebSphere Application Server, on page 33 for more information on these steps.
8. If WebSphere global security is already turned on, complete the necessary manual steps after installing the Tivoli Identity Manager Server. For more information on post-installation steps, see Running Java 2 security on single-node deployments on page 89. For more information on global security, refer to the WebSphere documentation.
9. Obtain or complete the planning worksheet which captures the details of your configuration. For more information, see Appendix B, Worksheets.
10. If you are upgrading a version of Tivoli Identity Manager that is already on the computer, see Appendix C, Upgrading from Tivoli Identity Manager Version to Version 4.6, on page 115 for more information on protecting Tivoli Identity Manager customizations and data.

Overview of the installation program in a single-server configuration

The flowchart in Figure 7 on page 49 describes the basic sequence of events during installation of Tivoli Identity Manager Server in a single-server configuration:

[Figure 7. Single-server installation flowchart]

Starting the installation wizard

To install the Tivoli Identity Manager Server in a single-server configuration, complete the following steps:

1. Start the installation program. Log on to an account with system administration privileges on the computer where the Tivoli Identity Manager Server will be installed.
2. Insert the Tivoli Identity Manager product CD into the CD-ROM drive. To locate the correct CD for your environment, refer to Appendix A, Installation images and fix packs.
3. To run the installation program, complete these steps:
   Windows
      a. Click Start > Run.
      b. Enter your CD-ROM drive, and then enter the following command:
            instwin-was.exe
         The Welcome window opens.
   UNIX
      a. Open a command prompt window, and change to your CD-ROM drive.
      b. Enter one of the following commands for the Tivoli Identity Manager installation program:
            AIX      instaix-was.bin
            Solaris  instsol-was.bin
            Linux    instlinux-was.bin
         The installation program starts and displays the Welcome window.

Completing the installation wizard pages

Use the first set of installation wizard pages to set up the installation:

1. To change the language that is used for the installation wizard pages, select another language from the drop-down list. This choice only affects the installation wizard and not the language version of Tivoli Identity Manager to be installed. Then, click OK. For more information on installing a language pack, see Optionally installing a language pack.
2. In the License Agreement window, read the license agreement and decide whether to accept its terms. If you do, select Accept, and then click Next. The Tivoli Identity Manager Installation Directory window opens.
3. Accept the default ITIM_HOME installation directory, or select Choose to select another directory. Then, click Next.
4. In the Installation Type window, select Single Server. Then, click Next.
5. In the Database Type window, select one of the following database types, and then click Next:
   - DB2 Universal Database
     You are prompted for the DB_INSTANCE_HOME directory that contains the database for Tivoli Identity Manager.
   - Oracle Database
   - Microsoft SQL Server

   Caution windows open to prompt you to ensure that these conditions are true:
   - If DB2 UDB is selected, the Tivoli Identity Manager installation program pre-allocates 1 GB database table space on the computer on which the DB2 server resides. Ensure that space is available and click Next.
   - If the Oracle database is selected, a window prompts you for the location of the Oracle JDBC driver. Provide the location and click Next.
   - The directory server version is at the correct level. Ensure that the version is correct and click Next.
6. The WebSphere Application Server Installation Directory window appears and displays a value for the WAS_HOME directory. There can be multiple installations of the WebSphere Application Server on a computer. If the WAS_HOME directory is not the directory on which you intend to install the Tivoli Identity Manager Server, enter the correct directory value. Click Next.
7. A window opens to prompt you to verify the following WebSphere Application Server data:
   - Host name of the computer. Accept the displayed value unless the computer has multiple host names and the WebSphere Application Server is installed under a host name other than the displayed value.
   - WebSphere Application Server name, which defaults to server1, where you intend to deploy the Tivoli Identity Manager Server.
   Verify the WebSphere Application Server data and click Next.
8. If WebSphere global security is on, a WebSphere Application Server Administrator Credential window requires you to specify the WebSphere Application Server user ID and password. This is the wasadmin user ID described in the manual steps in Optionally configuring security for Tivoli Identity Manager on page 40.

   Figure 8. WebSphere Application Server Administrator Credential window

   Provide the user ID and password, and then click Next.
9. In the encryption key window, provide an encryption key, which can be any word or phrase. The key is used to encrypt Tivoli Identity Manager passwords and other sensitive text. Then, click Next.
10. In the Tivoli Common Directory window, accept the default directory that the Tivoli Identity Manager installation program defines, or choose a new one. Then, click Next. Ensure that the directory has at least 25 MB of free space. The Tivoli Common Directory is the central location for all serviceability-related files, such as logs and first-failure capture data.
11. In the Pre-install Summary window, review the components to be installed, the required free disk space, and the Tivoli Identity Manager installation directory. If everything is acceptable, click Install.
12. Complete the remaining automated installation program in Responding to major installation actions.

Responding to major installation actions

The Tivoli Identity Manager installation program opens a series of progress windows for additional, major installation actions. Some windows require your input. The installation program installs and configures the Tivoli Identity Manager application on the WebSphere Application Server, sets up the Tivoli Identity Manager database on the database server, and sets up the LDAP schema and a configuration of data on the directory server.

The major installation actions include these steps:

1. Copying Tivoli Identity Manager files to the target computer.
   The installation program copies Tivoli Identity Manager files to the ITIM_HOME directory.
2. Ensuring that the WebSphere Application Server is running.

   The WebSphere Application Server must be running to allow Tivoli Identity Manager deployment and configuration to occur. The Tivoli Identity Manager installation program verifies the status of the WebSphere Application Server. If the WebSphere Application Server is not running, the Tivoli Identity Manager installation program attempts to start the WebSphere Application Server. An error message appears if the Tivoli Identity Manager installation program fails to start the WebSphere Application Server. If an error occurs, you can do either of these steps:
   - Quit the installation program and complete these steps:
     a. Resolve the problem that prevents starting the WebSphere Application Server.
     b. Manually delete all files in the ITIM_HOME directory.
     c. Run the Tivoli Identity Manager installation program again.
   - Continue the installation program after you ensure that you can manually start and stop the WebSphere Application Server without error. Complete these steps:
     a. Start the WebSphere Application Server:
        Windows: "WAS_HOME\bin\startServer.bat servername"
        UNIX: WAS_HOME/bin/startServer.sh servername
     b. Stop the WebSphere Application Server:
        Windows: "WAS_HOME\bin\stopServer.bat servername"
        UNIX: WAS_HOME/bin/stopServer.sh servername
     c. Proceed to the next step in the Tivoli Identity Manager installation program.
3. Deploying the Tivoli Identity Manager Server onto the WebSphere Application Server.
   The Tivoli Identity Manager application runs within the WebSphere Application Server as an enterprise application. The Tivoli Identity Manager installation program uses the WebSphere command line interface (wsadmin) to deploy the Tivoli Identity Manager application onto the WebSphere Application Server. Deploying the Tivoli Identity Manager application also performs certain configuration steps on the WebSphere Application Server. These steps require several minutes to complete. For more information about configuration, see Deploying and configuring the Tivoli Identity Manager J2EE application on page 138.
   When the deployment completes, the Tivoli Identity Manager files are in these directories:
      WAS_HOME/installedApps/cellname/enRole.ear
      WAS_HOME/config/cells/cellname/applications/enRole.ear
   If the deployment fails, an error message provides the location of the setupenrole.stdout log file. Examine the errors in the setupenrole.stdout log file.
   - If the log data indicates failure to establish a Simple Object Access Protocol (SOAP) connection to the WebSphere Application Server configuration manager, or some type of WebSphere Application Server scripting error, complete these steps:

     a. Exit the Tivoli Identity Manager installation program.
     b. Resolve the problem that prevents connection to the WebSphere Application Server or a problem described as a scripting error. For more information, refer to the WebSphere documentation.
     c. Manually delete all files in the ITIM_HOME directory.
     d. Run the Tivoli Identity Manager installation program again.
   - If the log data indicates that failure is due to a timeout, continue the Tivoli Identity Manager installation program. If the Tivoli Identity Manager installation program has completed, delete the following directories if they exist:
        WAS_HOME/installedApps/cellname/enRole.ear
        WAS_HOME/config/cells/cellname/applications/enRole.ear
     Run one of the following commands to deploy the Tivoli Identity Manager Server onto the WebSphere Application Server:
     - If WebSphere global security is on, run this command:
          ITIM_HOME/bin/setupEnrole install server:name user:user_id password:pwd
       The value of name is the name of the WebSphere Application Server on which the Tivoli Identity Manager application is deployed. The value of user_id is the WebSphere administrator user ID, such as wasadmin. The value of pwd is the password for the WebSphere administrator user ID, such as wasadminpwd.
     - If WebSphere global security is off, enter this command:
          ITIM_HOME/bin/setupEnrole install server:name
4. Gathering database data and configuring the database.
   In this step, the Tivoli Identity Manager installation program sets up the Tivoli Identity Manager database and configures the JDBC driver provider in the WebSphere Application Server. For more information, see Configuring the Tivoli Identity Manager database on page 77.
   If an error occurs, examine the error and provide a corrective action. The error might describe a problem in configuring the Tivoli Identity Manager database or the WebSphere Application Server. There is more information in the ITIM_HOME/install_logs/dbConfig.stdout log file.
   You might need to refer to documentation that the database product or that the WebSphere product provides. Continue the Tivoli Identity Manager installation program. When the installation completes, complete these steps:
   a. Save the current log data by renaming the ITIM_HOME/install_logs/dbConfig.stdout log file.
   b. When the correction is complete, use this command to configure the Tivoli Identity Manager database:
      Windows: ITIM_HOME\bin\DBConfig
      UNIX: ITIM_HOME/bin/cmdWrapper.sh DBConfig
      New log data is recorded in the ITIM_HOME/install_logs/dbConfig.stdout log file.
   Note: The DBConfig command creates the database table definitions that Tivoli Identity Manager requires. Run this command only if the command failed to configure the database during installation. If the Tivoli Identity Manager database tables have been previously set, running the DBConfig command first drops all previously existing Tivoli Identity Manager tables.
5. Gathering directory server data and configuring the directory server.
   In this step, the Tivoli Identity Manager installation program sets up the LDAP schema and defines default settings for Tivoli Identity Manager. For more information, see Configuring the directory server on page 79.
   If an error occurs, record the error message that is displayed, which might describe a problem in setting up the LDAP schema or creating a configuration of data on the directory server. Continue the Tivoli Identity Manager installation program. When the installation completes, complete these steps:
   a. Examine the errors and provide a corrective action. There is more information in the ITIM_HOME/install_logs/ldapConfig.stdout log file. You might also need to refer to documentation that the directory server product provides.
   b. Save the current log data by renaming the ITIM_HOME/install_logs/ldapConfig.stdout log file.
   c. When the correction is complete, use this command to configure the directory server:
      ITIM_HOME/bin/ldapConfig
      New log data is recorded in the ITIM_HOME/install_logs/ldapConfig.stdout log file.
   Note: Do not run the ldapConfig command a second time, unless the LDAP configuration fails during the Tivoli Identity Manager installation process. Running the ldapConfig command will restore default values that Tivoli Identity Manager uses. If you have changed the value of any of these Tivoli Identity Manager attributes, such as the password of the user ID named itim manager, the value is overwritten.
6. Gathering Tivoli Identity Manager data and configuring the Tivoli Identity Manager Server.
   The Tivoli Identity Manager installation program copies a set of Tivoli Identity Manager property files to the ITIM_HOME/data directory. During this step, you can use the GUI to change some of the Tivoli Identity Manager properties.
   For more information, see Configuring commonly used system properties on page 80.
   The Tivoli Identity Manager installation program also configures the WebSphere environment settings that the Tivoli Identity Manager Server requires. This step takes several minutes to complete. For more information on configuring the WebSphere environment, see Appendix D, Steps that the installation program takes to configure the WebSphere environment, on page 127.
   If an error occurs, record the error message that is displayed, which might describe a problem in configuring the WebSphere environment settings that the Tivoli Identity Manager Server requires. Continue the Tivoli Identity Manager installation program. When the installation completes, complete these steps:
   a. Examine the errors and provide a corrective action. There is more information in the ITIM_HOME/install_logs/runConfigTmp.stdout log file. You might also need to refer to documentation that the WebSphere product provides.

   b. When the correction is complete, use this command:
      To update commonly-used properties and also to reset WebSphere Application Server settings for the Tivoli Identity Manager application, run this command:
      Windows: ITIM_HOME\bin\runConfig install
      UNIX:
         DB2 UDB: ITIM_HOME/bin/cmdWrapper.sh runconfig install
            The cmdWrapper.sh command automatically sources the DB2 profile.
         Other databases: ITIM_HOME/bin/runConfig install
      New log data is recorded in the ITIM_HOME/install_logs/runConfig.stdout log file.
7. Restarting the WebSphere Application Server, to make the new WebSphere Application Server configuration available after completing the Tivoli Identity Manager Server installation.
   If an error message indicates failure to restart the WebSphere Application Server, complete the installation and then attempt to restart the WebSphere Application Server. To restart the WebSphere Application Server, complete these steps:
      Windows: WAS_HOME\bin\startServer.bat servername
         For example, the value of servername is server1.
      UNIX: WAS_HOME/bin/startServer.sh servername
   For more information, see Verifying that the Tivoli Identity Manager Server is operational.

Verifying that the Tivoli Identity Manager Server is operational
To verify that the Tivoli Identity Manager Server and related processes are running, complete these steps:
1. Ensure that the WebSphere Application Server is running. Start the WebSphere administrative console. On a browser, enter this Web address:
   The value of address is the fully qualified host name or the IP address of the computer on which the WebSphere Application Server is running. The value 9090 is the default port number for the WebSphere administrative HTTP transport. If you have multiple instances of the WebSphere Application Server on the same computer, the port number may be a different value, such as
   For more information, see step
2. On the WebSphere administrative console, click Applications > Enterprise Application and verify that the Tivoli Identity Manager Server enrole is running.
   For additional steps to verify that the Tivoli Identity Manager Server and other processes are running, see Chapter 8, Troubleshooting and verifying the installation, on page
3. Log on to the Tivoli Identity Manager Server using the WebSphere embedded HTTP transport. For example, at a browser window, enter this command:

   The value of hostname is the host name of the WebSphere Application Server. Port 9080 is the default port number of the WebSphere virtual host. If you have multiple installations of the WebSphere Application Server on the same system, this port number may have a different value, such as
   The browser displays the Tivoli Identity Manager logon window. Enter the Tivoli Identity Manager Server administrator user ID (itim manager) and password (immediately after installation, the value is secret).
4. After successfully logging on to Tivoli Identity Manager Server using the WebSphere embedded HTTP transport, attempt to log on to the Tivoli Identity Manager Server using the IBM HTTP Server. Log on at this address:
   The value of http_server_hostname is the host name of the IBM HTTP Server. For more information if you cannot display the Tivoli Identity Manager logon window, or cannot log on to Tivoli Identity Manager, see Ensuring that the HTTP server is running on page
5. After a first, successful logon, the logon window immediately prompts you to change the administrator password. Ensure that your password change is successful. After you change the password, you are ready to create your organization object and a user that is termed an ITIM User.
If you cannot start and log on to Tivoli Identity Manager, see Chapter 8, Troubleshooting and verifying the installation, on page 93.

UNIX: Sourcing the DB2 Universal Database profile
On UNIX operating systems, run the DB2 UDB profile to set up the correct environment to run DB2 UDB programs. This action enables communication between the Tivoli Identity Manager Server and the DB2 server. This manual step is not necessary on Windows systems. To source the profile, complete these steps:
1. Enter the appropriate db2profile command for your default login shell. For example, if your default login shell is ksh, source the DB2 UDB profile by entering the following command:
      . DB_INSTANCE_HOME/db2profile
2. Verify that you successfully sourced the profile.
   Enter the following command:
      set | grep -i db2
   The -i parameter specifies that the search is not sensitive to case. In the following output, the existence of the value db2inst1 associated with the value of DB_INSTANCE_HOME indicates that the profile was successfully sourced:
      CLASSPATH=/home/db2inst1...
      DB2DIR=/usr/lpp/db2_08_01
      DB2INSTANCE=db2inst1
3. Include the db2profile command in your user profile to ensure that the profile is sourced every time that the database runs.
Ensure that the DB2 UDB profile is correctly sourced before doing these tasks:
   - Running DBConfig, the database configuration tool. For more information, see step 4 on page 54.
   - Running runconfig, the system configuration tool. For more information, see step 6 on page 55.
   - Starting the WebSphere Application Server. For more information, see step 7 on page 56.
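The rerun procedure for DBConfig and ldapConfig (steps 4 and 5 of Responding to major installation actions) and the DB2 profile check described above can be combined into one pre-flight routine. The following shell sketch is an added example, not part of the IBM guide: it refuses to proceed without an explicit opt-in, checks that the DB2 profile is sourced, renames the previous log, and prints the command from the guide. The function names and the CONFIRM and ITIM_DB_TYPE variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the IBM guide): pre-flight for re-running DBConfig
# or ldapConfig on UNIX after a failed installation step.
# Hypothetical names: the functions below, CONFIRM and ITIM_DB_TYPE.
# ITIM_HOME, the log paths and the printed commands follow the guide.

# Succeeds when the DB2 UDB profile looks sourced. The guide's sample output
# of `set | grep -i db2` shows DB2INSTANCE and DB2DIR defined afterwards.
db2_profile_sourced() {
    [ -n "${DB2INSTANCE:-}" ] && [ -n "${DB2DIR:-}" ]
}

# Renames an existing log so the rerun writes a fresh one.
# Prints the new name; prints nothing when there is no log to save.
save_log() {
    log_path=$1
    [ -f "$log_path" ] || return 0
    stamp=$(date +%Y%m%d%H%M%S)
    saved_path="$log_path.$stamp"
    n=0
    while [ -e "$saved_path" ]; do      # never overwrite an earlier saved log
        n=$((n + 1))
        saved_path="$log_path.$stamp.$n"
    done
    mv "$log_path" "$saved_path" && printf '%s\n' "$saved_path"
}

# prepare_rerun TOOL   (TOOL is DBConfig or ldapConfig)
# Prints the command to run when every check passes.
# Returns: 0 ready, 1 log rename failed, 2 unknown tool, 3 not confirmed,
#          4 DB2 profile not sourced, 5 ITIM_HOME unset.
prepare_rerun() {
    tool=${1:-}
    if [ -z "${ITIM_HOME:-}" ]; then
        echo "ITIM_HOME is not set" >&2
        return 5
    fi
    case "$tool" in
        DBConfig)
            log="$ITIM_HOME/install_logs/dbConfig.stdout"
            cmd="$ITIM_HOME/bin/cmdWrapper.sh DBConfig"
            effect="drops all previously existing Tivoli Identity Manager tables"
            uses_db=1 ;;
        ldapConfig)
            log="$ITIM_HOME/install_logs/ldapConfig.stdout"
            cmd="$ITIM_HOME/bin/ldapConfig"
            effect="restores default values, overwriting changes such as the itim manager password"
            uses_db=0 ;;
        *)
            echo "unknown tool: $tool" >&2
            return 2 ;;
    esac
    # Both tools are destructive on a configured system: require an opt-in.
    if [ "${CONFIRM:-}" != "$tool" ]; then
        echo "refusing: $tool $effect; set CONFIRM=$tool to proceed" >&2
        return 3
    fi
    # The guide requires a sourced DB2 profile before DBConfig with DB2 UDB.
    if [ "$uses_db" -eq 1 ] && [ "${ITIM_DB_TYPE:-db2}" = "db2" ]; then
        if ! db2_profile_sourced; then
            echo "DB2 profile not sourced; run: . DB_INSTANCE_HOME/db2profile" >&2
            return 4
        fi
    fi
    saved=$(save_log "$log") || return 1
    if [ -n "$saved" ]; then
        echo "previous log saved as $saved" >&2
    fi
    printf '%s\n' "$cmd"
}

# Stand-alone use: sh preflight.sh DBConfig
if [ $# -gt 0 ]; then
    prepare_rerun "$@"
fi
```

The routine only prints the command; running it stays a deliberate, separate action by the administrator.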

Optionally installing a language pack
After installing Tivoli Identity Manager, if the default language is not English, complete these steps:
1. Before you run the Tivoli Identity Manager language pack setup program, ensure that the version of the Java Runtime Environment that Tivoli Identity Manager requires is accessible from the command line. For more information, refer to the IBM Tivoli Identity Manager Release Notes. For example, enter this command:
      java -fullversion
2. Obtain the language pack CD for the Tivoli Identity Manager Server. On UNIX systems, mount the language pack CD.
3. Use command line mode to install the language pack. For example, enter this language pack command at a command prompt:
      java -jar itimlp_setup.jar
   The Tivoli Identity Manager language pack setup program starts. To complete the language pack installation, follow the instructions that appear in the setup program windows.
4. Verify that the language pack is installed. Complete these steps:
   a. Verify that these files are present in the WAS_HOME/installedApps/cellname/enRole.ear/app_web.war directory:
         AppletLabels_lang.properties
         AppletErrorMessages_lang.properties
         AppletMessages_lang.properties
      The value of lang is a string such as fr that indicates a language such as French.
   b. Verify that one or more of the following files are present in the ITIM_HOME/data directory:
         ErrorMessages_lang.properties
         Labels_lang.properties
         Messages_lang.properties
         adhocreporting_lang.properties

Preparing to install adapters
Use SSL production certificates to ensure secure communication between the Tivoli Identity Manager Server and the Tivoli Identity Manager adapter. For more information, see Adapters overview on page 2. The Certificate Authority issuer certificate that corresponds to the certificate of the Tivoli Identity Manager adapter must be installed into the truststore file that the Tivoli Identity Manager Server is configured to use.
Tivoli Identity Manager uses the standard Java keystore and truststore mechanisms to store certificates and issuer certificates for SSL communications. You can use any standard Java keystore tools to maintain certificates, such as the Java keytool command line utility, or the WebSphere key management utility (ikeyman). The source certificate files can be in any format that the keystore tool supports. For more information, refer to the IBM Tivoli Identity Manager Planning for Deployment Guide. Complete these steps:
1. Using the Tivoli Identity Manager import utility, install the adapter profile.

2. After installing Tivoli Identity Manager, if the default language is not English, complete these steps before you install the first Tivoli Identity Manager adapter:
   a. Before you run the Tivoli Identity Manager language pack setup program, ensure that the version of the Java Runtime Environment that Tivoli Identity Manager requires is accessible from the command line. For more information, refer to the IBM Tivoli Identity Manager Release Notes. For example, enter this command:
         java -fullversion
   b. Obtain and mount the language pack CD for the Tivoli Identity Manager adapters. Use command line mode to install the language pack for the adapters on the Tivoli Identity Manager Server. For example, enter the following command:
         java -jar itimlp_agents_setup.jar
      The Tivoli Identity Manager language pack setup program starts. To complete the language pack installation, follow the instructions that appear in the setup program panels.


Chapter 6. Installing Tivoli Identity Manager in a cluster configuration

Before you begin
This chapter describes installing and configuring the Tivoli Identity Manager in a cluster configuration. Before continuing, read Configuration options on page 4. For required application versions and fix packs, refer to the IBM Tivoli Identity Manager Release Notes.
Before you begin to install Tivoli Identity Manager Server in a cluster configuration, complete these tasks:
1. Determine which product CDs that you need to install Tivoli Identity Manager. For an itemization of the CD contents, refer to a text file such as itim-4.6-cd-images-operatingsystem.txt that is provided with the CD image. For a complete list of these image files, see Appendix A, Installation images and fix packs, on page
2. Ensure that free disk space and virtual memory requirements are met on every computer in the cluster. Additionally, ensure that there is adequate free disk space in the system temp directory and in the WAS_HOME and WAS_NDM_HOME directories. The target computers must meet the machine requirements described in the IBM Tivoli Identity Manager Release Notes.
3. Ensure that you have the needed administrative authority. On Windows systems, the logon user ID must be in the Administrators Group. On UNIX systems, the logon user ID must be root.
4. Installing the Tivoli Identity Manager Server writes data to the Tivoli Identity Manager database. If DB2 UDB is used, ensure that the following conditions are met:
   - If DB2 UDB is selected, the Tivoli Identity Manager installation program pre-allocates 1 GB database table space on the computer on which the DB2 server resides. Ensure that this free disk space is available on the DB2 server. For more information on database table space, refer to the IBM Tivoli Identity Manager Performance Tuning Guide technical supplement.
   - Database configuration, such as creating table space, requires that you have authority as database administrator.
     On Windows systems, the authority can be the db2admin user. On UNIX systems, the authority can be db2inst1.
5. In a cluster, the name of the Tivoli Identity Manager installation directory must be the same for all cluster members. Specify an identical directory to avoid later runtime difficulties in certificate recognition or in identity feed activities on different cluster member computers. For example, specify /usr/ibm/itim on the AIX operating system as the directory on all cluster member computers.
6. Ensure that the directory server has loaded the appropriate referential integrity plug-in. For more information, see Configuring the referential integrity plug-in on the IBM Tivoli Directory Server on page
7. Ensure that the prerequisite applications are running that are described in Table 5 on page 62:

Table 5. Prerequisites that must be running
   Prerequisite | For more information
   Database | Chapter 2, Installing and configuring a database, on page 11
   Directory server | Chapter 3, Installing and configuring a directory server, on page

8. Determine that the WebSphere Application Server cell and cluster are ready for Tivoli Identity Manager installation. Complete the steps to construct a WebSphere Application Server cell and a cluster, described in Creating a cluster configuration on page 36. The processes described in Table 6 must be running before and after you install the Tivoli Identity Manager Server:

Table 6. Processes that must be running before and after installing the Tivoli Identity Manager Server
   Process:
      Deployment manager
      WebSphere Application Server node agents
      WebSphere Application Server JMS servers on all nodes in the cluster
   For more information:
      UNIX: Creating groups and users before installing WebSphere embedded messaging on page

9. If DB2 UDB is used, ensure that the DB2 UDB profile is correctly sourced before starting the WebSphere node agent on each cluster member node. For more information, see UNIX: Sourcing the DB2 Universal Database profile on page
10. If WebSphere global security is already turned on, complete the necessary manual steps after installing Tivoli Identity Manager. For more information on those post-installation steps, see Running Java 2 security on multi-node deployments on page 89. For more information on global security, refer to the WebSphere documentation.
11. Obtain or complete the planning worksheet which captures the details of your configuration. For more information, see Appendix B, Worksheets, on page
12. If you are upgrading a version of Tivoli Identity Manager that is already on the computer, see Appendix C, Upgrading from Tivoli Identity Manager Version to Version 4.6, on page 115 for more information on protecting Tivoli Identity Manager customizations and data.

Overview of the installation program in a cluster configuration
The flowchart in Figure 9 on page 63 describes the basic sequence of events during installation of the Tivoli Identity Manager Server in a cluster configuration:

[Figure 9. Cluster installation flowchart]

[Figure 10. Cluster installation flowchart (continued)]

Install the Tivoli Identity Manager Server on the following computers:
- The deployment manager. Install the Tivoli Identity Manager Server on the computer that has the deployment manager before you install the Tivoli Identity Manager Server on cluster nodes. The deployment of the Tivoli Identity Manager application and also the configuration of the database and the directory server for Tivoli Identity Manager occurs during this installation. The deployment manager distributes the Tivoli Identity Manager application to all cluster member computers. The installation program expands the Tivoli Identity Manager Enterprise Application Archive (EAR) file on each cluster member.
- One or more cluster members. Repeat the steps in this chapter to install the Tivoli Identity Manager Server on each computer that is a cluster member. The installation program does these tasks:
   - Copies additional Tivoli Identity Manager files to the target computer.

   - Configures the WebSphere Application Server that hosts the cluster member.
Installing the Tivoli Identity Manager Server on clusters must be done sequentially, one computer at a time. Running the Tivoli Identity Manager installation program simultaneously on more than one computer at a time might result in synchronization problems with the WebSphere master configuration file.
Note: If the same computer has both the deployment manager and a Tivoli Identity Manager cluster member, you must select both the deployment manager and the cluster member node types when you run the Tivoli Identity Manager installation program.

Starting the installation wizard
To install Tivoli Identity Manager Server in a cluster configuration, complete the following steps:
1. Log on to an account with system administration privileges on the computer where the Tivoli Identity Manager Server will be installed.
2. Insert the Tivoli Identity Manager product CD into the CD-ROM drive. To locate the correct CD for your environment, refer to Appendix A, Installation images and fix packs, on page
3. To run the installation program, complete these steps:
   Windows
   a. Click Start > Run.
   b. Enter your CD-ROM drive, and then enter the following command:
         instwin-was.exe
      The Welcome window opens.
   UNIX
   a. Open a command prompt window, and change to your CD-ROM drive.
   b. Enter one of the following commands for the Tivoli Identity Manager installation program:
         AIX: instaix-was.bin
         Solaris: instsol-was.bin
         Linux: instlinux-was.bin
      The installation program starts and displays the Welcome window.

Completing the installation wizard pages
Use the first set of installation wizard pages to set up the installation:
1. To change the language that is used for the installation wizard pages, select another language from the drop-down list. This choice only affects the installation wizard and not the language version of Tivoli Identity Manager to be installed. Then, click OK.
   For more information on installing a language pack, see Optionally installing a language pack on page
2. In the License Agreement window, read the license agreement and decide whether to accept its terms. If you do, select Accept, and then click Next. The Tivoli Identity Manager Installation Directory window opens.

3. Accept the default ITIM_HOME installation directory, or select Choose to select another directory. Then, click Next.
4. In the Installation Type window, select Regular cluster. Then, click Next.
5. In the Installing Tivoli Identity Manager on a Cluster Environment window, read the conditions that apply to a cluster environment. Before continuing, apply any other changes that are necessary to configure the environment for these conditions. For example, verify that the deployment manager and all WebSphere node agents are running. For more information, see Verifying that the deployment manager, node agents, and JMS servers are running on page 38. Click Next. The Database Type window opens.
6. In the Database Type window, select one of the following database types, and then click Next:
   - DB2 Universal Database
     You are prompted for the DB_INSTANCE_HOME directory that contains the database for Tivoli Identity Manager.
   - Oracle Database
     If the Oracle database is selected, another window prompts you for the location of the Oracle JDBC driver. Provide the location and click Next. For more information, see Tivoli Identity Manager information for the database on page 111.
   - Microsoft SQL Server
7. In the Choose Cluster Node Type window, select one or both of these node types:
   - Deployment manager
     You must install Tivoli Identity Manager first on the computer that has the deployment manager.
   - Cluster member
     Install Tivoli Identity Manager on every cluster member that does not reside on the same computer as the deployment manager, after you install Tivoli Identity Manager on the computer that has the deployment manager.
   If you have the deployment manager and a Tivoli Identity Manager cluster member on the same computer, you must select both node types.
8. If you selected a cluster member for the Tivoli Identity Manager installation, the WebSphere Application Server Installation Directory window appears and displays a value for a WAS_HOME directory.
   There can be multiple installations of the WebSphere Application Server on a computer. If the WAS_HOME directory is not the directory on which you intend to install the Tivoli Identity Manager Server, enter the correct directory value. Click Next.
9. If you selected the deployment manager for the Tivoli Identity Manager installation, the WebSphere Application Server Installation Directory window appears and displays a value for a WAS_NDM_HOME directory. If the WAS_NDM_HOME directory is not the directory on which you intend to install the Tivoli Identity Manager Server, enter the correct directory value. Click Next.
10. If you selected the deployment manager for the Tivoli Identity Manager installation, caution windows open to prompt you to ensure that these conditions are true:

   - If DB2 UDB is selected, the Tivoli Identity Manager installation program pre-allocates 1 GB database table space on the computer on which the DB2 server resides. Ensure that space is available and click Next.
   - The directory server version is at the correct level. Ensure that the version is correct and click Next.
11. In the data window that requests the cluster name, enter an existing cluster name such as cluster1 that was defined for the Tivoli Identity Manager cluster. Then, click Next.
12. A window opens to prompt you to verify the host name and IP address of the computer. Accept the displayed value unless the computer has multiple host names and IP addresses, and either the deployment manager or the WebSphere Application Server is installed under a host name or IP address other than the displayed value. Verify the WebSphere Application Server data and click Next.
13. If you are installing Tivoli Identity Manager on a cluster member, the Directory Server Information window opens. Complete the fields shown in Figure 11. The window does not appear during Tivoli Identity Manager installation on the computer that has the deployment manager. From the information worksheet you completed in Tivoli Identity Manager information for the directory server on page 112, enter organization data in the fields in the window. For every cluster member, the information must be identical and must match the LDAP specification that was entered during Tivoli Identity Manager installation on the deployment manager. Click Next.
    Figure 11. Directory server information window
14. If WebSphere global security is on, a WebSphere Application Server Administrator Credential window that is similar to Figure 12 on page 68 requires you to specify the WebSphere Application Server user ID and password. This is the wasadmin user ID described in the manual steps in Optionally configuring security for Tivoli Identity Manager on page 40.
    Figure 12. WebSphere Application Server Administrator Credential window
15. In the encryption key window, provide an encryption key, which can be any word or phrase. The key is used to encrypt Tivoli Identity Manager passwords and other sensitive text. Then, click Next.
16. In the Tivoli Common Directory window, accept the default directory for the Tivoli Common Directory that the Tivoli Identity Manager installation program defines, or choose a new one. For more information on directory paths, see Definitions for HOME and other directory variables on page xii. Then, click Next. Ensure that the directory has at least 25 MB of free space. The Tivoli Common Directory is the central location for all serviceability-related files, such as logs and first-failure capture data.
17. In the Pre-install Summary window, review the components to be installed, the required free disk space, and the Tivoli Identity Manager installation directory. If everything is acceptable, click Install.
18. Complete the remaining automated installation program. Responding to major installation actions describes these major steps.

Responding to major installation actions
The Tivoli Identity Manager installation program opens a series of progress windows for additional, major installation actions. Some windows require your input. The installation program installs and configures the Tivoli Identity Manager application on the WebSphere Application Server, sets up the Tivoli Identity Manager database on the database server, and sets up the LDAP schema and a configuration of data on the directory server. The major installation actions include these steps:
1. Copying Tivoli Identity Manager files to the target computer.

The installation program copies Tivoli Identity Manager files to the ITIM_HOME directory.

2. Deploying Tivoli Identity Manager onto the deployment manager.

The Tivoli Identity Manager application runs within the WebSphere Application Server as an enterprise application. The Tivoli Identity Manager installation program uses the WebSphere command line interface (wsadmin) to deploy the Tivoli Identity Manager application onto the deployment manager. The Tivoli Identity Manager installation program also configures the WebSphere environment settings that the Tivoli Identity Manager Server requires. The deployment takes several minutes to complete. For more information on configuring the WebSphere environment, see Appendix D, Steps that the installation program takes to configure the WebSphere environment, on page 127.

When the deployment completes, the Tivoli Identity Manager files are in the WAS_NDM_HOME/config/cells/cellname/applications/enRole.ear directory.

If the deployment fails, an error message provides the location of the setupenrole.stdout log file. Examine the errors in the setupenrole.stdout log file. Then, complete these tasks:

If the log data indicates failure to create a SOAP connection to the deployment manager, or some type of deployment manager scripting error, complete these steps:
   a. Exit the Tivoli Identity Manager installation program.
   b. Resolve the problem that prevents connection to the WebSphere Application Server or a problem described as a scripting error. For more information, refer to the WebSphere documentation.
   c. Manually delete all files in the ITIM_HOME directory.
   d. Run the Tivoli Identity Manager installation program again.

If the log data indicates that failure is due to a timeout, continue the Tivoli Identity Manager installation program. When installation finishes, complete these steps:
   a. If the WAS_NDM_HOME/config/cells/cellname/applications/enRole.ear directory was created, delete the directory on the computer that has the deployment manager.
   b. Run one of the following commands to deploy the Tivoli Identity Manager Server onto the deployment manager:
      If WebSphere global security is on, run this command:
         ITIM_HOME/bin/setupEnrole install server:name user:user_id password:pwd
      The value of name is the name of the WebSphere Application Server on which the Tivoli Identity Manager application is deployed. The value of user_id is the WebSphere administrator user ID, such as wasadmin. The value of pwd is the password for the WebSphere administrator user ID, such as wasadminpwd.
      If WebSphere global security is off, enter this command:
         ITIM_HOME/bin/setupEnrole install server:name

3. If installation is on the deployment manager, the next step is gathering database data and configuring the database.

In this step, the Tivoli Identity Manager installation program sets up the Tivoli Identity Manager database and configures the JDBC driver provider in the WebSphere Application Server. For more information, see Configuring the Tivoli Identity Manager database on page 77.

If an error occurs, examine the error and provide a corrective action. There is more information in the ITIM_HOME/install_logs/dbConfig.stdout log file. You might need to refer to documentation that the database product or that the WebSphere product provides. Continue the Tivoli Identity Manager installation program. When the installation completes, complete these steps:
   a. Save the current log data by renaming the ITIM_HOME/install_logs/dbConfig.stdout log file.
   b. When the correction is complete, type this command to configure the Tivoli Identity Manager database:
      Windows
         ITIM_HOME\bin\DBConfig
      UNIX
         ITIM_HOME/bin/cmdWrapper.sh DBConfig
      New log data is recorded in the ITIM_HOME/install_logs/dbConfig.stdout log file.

Note: The DBConfig command creates the database table definitions that Tivoli Identity Manager requires. Run this command only if the command failed to configure the database during installation. If the Tivoli Identity Manager database tables have been previously set, running the DBConfig command first drops all previously existing Tivoli Identity Manager tables.

4. If installation is on the deployment manager, the next step is gathering directory server data and configuring the directory server.

In this step, the Tivoli Identity Manager installation program sets up the LDAP schema and defines default settings for Tivoli Identity Manager. For more information, see Configuring the directory server on page 79.

If an error occurs, record the error message that is displayed, which might describe a problem in setting up the LDAP schema or creating a configuration of data on the directory server. Continue the Tivoli Identity Manager installation program. When the installation completes, complete these steps:
   a. Examine the errors and provide a corrective action. There is more information in the ITIM_HOME/install_logs/ldapConfig.stdout log file. You might also need to refer to documentation that the directory server product provides.
   b. Save the current log data by renaming the ITIM_HOME/install_logs/ldapConfig.stdout log file.
   c. When the correction is complete, use this command to configure the directory server:
         ITIM_HOME/bin/ldapConfig
      New log data is recorded in the ITIM_HOME/install_logs/ldapConfig.stdout log file.

Note: Do not run the ldapconfig command a second time, unless the LDAP configuration fails during the Tivoli Identity Manager installation process. Running the ldapconfig command will restore default values that Tivoli Identity Manager uses. If you have changed the value of any of these Tivoli Identity Manager attributes, such as the password of the user ID named itim manager, the value is overwritten.

5. If installation is on the deployment manager or on a cluster member, the Tivoli Identity Manager installation program copies a set of Tivoli Identity Manager property files to the ITIM_HOME directory.

During this step, you can use the GUI to change some of the Tivoli Identity Manager properties. If the installation is on a cluster member, ensure that the directory and database connection information that you enter on the Directory tab and the Database tab match the information that you entered on these tabs when you configure the deployment manager. The default database user ID is enrole. The user ID password is the password that is created for the user ID enrole during the deployment manager setup. Do not change the default database user ID and password. The Tivoli Identity Manager will not function properly if any user information is incorrect. For more information, see Configuring commonly used system properties on page 80.

The Tivoli Identity Manager installation program also configures the WebSphere environment settings that the Tivoli Identity Manager Server requires. This step takes several minutes to complete. For more information on configuring the WebSphere environment, see Appendix D, Steps that the installation program takes to configure the WebSphere environment, on page 127.

If an error occurs, record the error message that is displayed, which might describe a problem in configuring the WebSphere environment settings that the Tivoli Identity Manager Server requires. Continue the Tivoli Identity Manager installation program. When the installation completes, complete these steps:
   a. Examine the errors and provide a corrective action. There is more information in the ITIM_HOME/install_logs/runConfigTmp.stdout log file. You might also need to refer to documentation that the WebSphere product provides.
   b. When the correction is complete, enter one of the following commands:
      To update commonly-used properties and also to reset WebSphere Application Server settings for the Tivoli Identity Manager application, run this command:
      Windows
         ITIM_HOME\bin\runConfig install
      UNIX:
         DB2 UDB
            ITIM_HOME/bin/cmdWrapper.sh runconfig install
            The cmdwrapper.sh command automatically sources the DB2 profile.
         Other databases
            ITIM_HOME/bin/runConfig install
      New log data is recorded in the ITIM_HOME/install_logs/runConfig.stdout log file.

6. Restart the cluster. For more information, see Starting a cluster on page

7. Verify that the Tivoli Identity Manager Server is working correctly. For more information, see Verifying that the Tivoli Identity Manager Server is operational on page 56.
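The recovery steps for DBConfig and ldapConfig in actions 3 and 4 above (save the log by renaming it, then re-run the tool) can be wrapped in a guard, because a careless re-run drops the database tables or restores default values such as the itim manager password. The shell script below is an added example, not part of the IBM guide or product; the function names and the confirmation argument are hypothetical, and only the paths and commands are taken from the guide.

```shell
#!/bin/sh
# Added example: guarded re-run of DBConfig / ldapConfig on UNIX after a failed
# installation step. Function names and the confirmation argument are hypothetical.
# Usage after sourcing this file:  rerun_config_tool "$ITIM_HOME" DBConfig DBConfig

# Map a tool name to the log it writes under ITIM_HOME/install_logs.
log_for_tool() {
    case "$1" in
        DBConfig)   echo "dbConfig.stdout" ;;
        ldapConfig) echo "ldapConfig.stdout" ;;
        *)          return 1 ;;
    esac
}

# What the guide says a re-run overwrites.
side_effect_for_tool() {
    case "$1" in
        DBConfig)   echo "drops all previously existing Tivoli Identity Manager tables" ;;
        ldapConfig) echo "restores default values, such as the itim manager password" ;;
        *)          return 1 ;;
    esac
}

# Rename the current log with a timestamp so the failure record is kept.
# A missing log means there is no recorded failure to recover from.
archive_install_log() {
    src="$1/install_logs/$2"
    [ -f "$src" ] || { echo "no log to save: $src" >&2; return 1; }
    dst="$src.$(date +%Y%m%d%H%M%S)"
    if [ -e "$dst" ]; then
        echo "refusing to overwrite $dst" >&2
        return 1
    fi
    mv "$src" "$dst" && echo "$dst"
}

# Re-run TOOL only when the caller repeats the tool name as confirmation and
# the previous log exists and was archived.
# Returns 2 unknown tool, 3 not confirmed, 4 log not archived, else the tool's status.
rerun_config_tool() {
    itim_home=$1; tool=$2; confirm=$3
    log_name=$(log_for_tool "$tool") || { echo "unknown tool: $tool" >&2; return 2; }
    if [ "$confirm" != "$tool" ]; then
        echo "refused: re-running $tool $(side_effect_for_tool "$tool")" >&2
        echo "repeat the tool name as the third argument to confirm" >&2
        return 3
    fi
    saved=$(archive_install_log "$itim_home" "$log_name") || return 4
    echo "saved previous log as $saved"
    case "$tool" in
        DBConfig)   "$itim_home/bin/cmdWrapper.sh" DBConfig ;;  # wrapper sources the DB2 profile
        ldapConfig) "$itim_home/bin/ldapConfig" ;;
    esac
}
```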

Starting a cluster

When installation completes and any required configuration and security modification is done, restart the cluster. On the WebSphere administrative console, complete these steps, which assume that the installation process automatically started the Tivoli Identity Manager:

1. Stop the Tivoli Identity Manager program and the Tivoli Identity Manager cluster.
   a. Click Servers > Clusters.
   b. Select the Tivoli Identity Manager cluster.
   c. Click Stop. The Tivoli Identity Manager application stops when the cluster stops.
2. Start the Tivoli Identity Manager application and the Tivoli Identity Manager cluster.
   a. Click Servers > Clusters.
   b. Select the Tivoli Identity Manager cluster.
   c. Click Start. The Tivoli Identity Manager application starts when the cluster starts.

Use the WebSphere administrative console to verify that all required cluster applications are started. Complete these steps:

1. Click Applications > Enterprise Applications. Examine the status of the Tivoli Identity Manager (enrole) application.
2. Click Servers > Application Servers. Examine the status of the cluster members.
3. Additionally, examine the log files for other problems. For more information, see Logs and directories on page 102.

If the status of the Tivoli Identity Manager (enrole) application indicates a partial start, complete these steps:

1. Locate the computer that has the cluster member that fails to start.
2. Examine the following log files of the computer where the cluster member resides:
      WAS_HOME/logs/member_hostname/SystemOut.log
      Tivoli_Common_Directory/logs/trace.log
3. Correct the problem. Then, use the WebSphere administrative console to start the cluster member.

Verifying that the Tivoli Identity Manager Server is operational

To verify that the Tivoli Identity Manager Server and related processes are running, complete these steps:

1. Start the Tivoli Identity Manager Server cluster. For more information, see Starting a cluster.
2. Ensure that the JMS server that is associated with each cluster member node is running.
   a. On the WebSphere administrative console, click Servers > JMS Servers.
   b. Select the target JMS server and examine the status column for the server. If the server is not active, click Start to activate it.
   For more information, see Determining if the JMS server is running on a cluster node on page

3. Log on to Tivoli Identity Manager Server using the WebSphere embedded HTTP transport. For example, at a browser window, enter this command: The value of hostname is the fully qualified name or IP address of the computer on which the Tivoli Identity Manager Server is running. The port number default is If you have multiple instances of the WebSphere Application Server on the same computer, the port number may be a different value, such as The browser displays the Tivoli Identity Manager logon window. Enter the Tivoli Identity Manager Server administrator user ID ( itim manager ) and password (immediately after installation, the value is secret ).

4. After successfully logging on to Tivoli Identity Manager Server using the WebSphere embedded HTTP transport, attempt to log on to the Tivoli Identity Manager Server using the IBM HTTP Server. Log on at this address: The value of http_server_hostname is the host name of the IBM HTTP Server. For more information if you cannot display the Tivoli Identity Manager logon window, or cannot log on to Tivoli Identity Manager, see Ensuring that the HTTP server is running on page

5. After a first, successful logon, the logon window immediately prompts you to change the administrator password. Ensure that your password change is successful. After you change the password, you are ready to create your organization object and a user that is called an ITIM User.

If you cannot start and log on to Tivoli Identity Manager, see Chapter 8, Troubleshooting and verifying the installation, on page 93.

UNIX: Sourcing the DB2 Universal Database profile

On UNIX operating systems, run the DB2 UDB profile to set up the correct environment to run DB2 UDB programs. This action enables communication between the Tivoli Identity Manager Server and the DB2 server. This manual step is not necessary on Windows systems. To source the profile, complete these steps:

1. Enter the appropriate db2profile command for your default login shell. For example, if your default login shell is ksh, source the DB2 UDB profile by entering the following command:
      . DB_INSTANCE_HOME/SQLLIB/db2profile
2. Verify that you successfully sourced the profile. Enter the following command:
      set | grep -i db2
   The -i parameter specifies that the search is not sensitive to case. In the following output, the existence of the value db2inst1 associated with the value of DB_INSTANCE_HOME indicates that the profile was successfully sourced:
      CLASSPATH=/home/db2inst1...
      DB2DIR=/usr/lpp/db2_08_01
      DB2INSTANCE=db2inst1
3. Include the db2profile command in your user profile to ensure that the profile is sourced every time that the database runs.

Ensure that the DB2 UDB profile is correctly sourced before doing these tasks:

   Running DBConfig, the database configuration tool. For more information, see step 3 on page 69.
   Running runconfig, the system configuration tool. For more information, see step 5 on page 71.
   Starting a WebSphere node agent. For more information, see Verifying that the deployment manager, node agents, and JMS servers are running on page 38.

Optionally installing a language pack

After installing Tivoli Identity Manager, if the default language is not English, complete these steps:

1. Before you run the Tivoli Identity Manager language pack setup program, ensure that the version of the Java Runtime Environment that Tivoli Identity Manager requires is accessible from the command line. For more information, refer to the IBM Tivoli Identity Manager Release Notes. For example, enter this command:
      java -fullversion
2. Obtain the language pack CD for the Tivoli Identity Manager Server. On UNIX systems, mount the language pack CD.
3. Use command line mode to install the language pack. For example, enter this language pack command at a command prompt:
      java -jar itimlp_setup.jar
   The Tivoli Identity Manager language pack setup program starts. To complete the language pack installation, follow the instructions that appear in the setup program windows.
4. Verify that the language pack is installed. Complete these steps:
   a. Verify that these files are present in the WAS_HOME/installedApps/cellname/enRole.ear/app_web.war directory:
         AppletLabels_lang.properties
         AppletErrorMessages_lang.properties
         AppletMessages_lang.properties
      The value of lang is a string such as fr that indicates a language such as French.
   b. Verify that one or more of the following files are present in the ITIM_HOME/data directory:
         ErrorMessages_lang.properties
         Labels_lang.properties
         Messages_lang.properties
         adhocreporting_lang.properties

Changing cluster configurations after Tivoli Identity Manager is installed

This section describes expanding or reducing the members in a cluster for performance reasons after Tivoli Identity Manager is installed.

Expanding a cluster using a new computer

To add a new cluster member to an existing Tivoli Identity Manager cluster, complete these steps to add a computer with a WebSphere Application Server that was not previously in the WebSphere cell.

1. Run the addnode command to federate the new node into the cell. If DB2 UDB is used, ensure that you set the DB2 environment before you run the addnode command. For more information, see Adding nodes to a cell on page
2. Create a new Tivoli Identity Manager cluster member on the new node. On the WebSphere administrative console, complete these steps:
   a. Click Servers > Cluster.
   b. On the next window, click the Tivoli Identity Manager cluster name.
   c. Click Cluster Members, then click New.
   d. Select the node name that is the node that you added to the cell. Enter the node name. Then, click Next.
   e. Verify the summary window, then click Finish.
   f. Save the changes.
3. Run the Tivoli Identity Manager installation program on the new computer, choosing cluster member installation.
4. Update the WebSphere Web Server plug-in file. Using the WebSphere administrative console, click Environment > Update Web Server Plugin > OK. If the IBM HTTP Server is located on a different computer than the computer that has the WebSphere Application Server, move the plugin-cfg.xml file to the IBM HTTP Server computer. For more information, see Moving the HTTP server out of the cell for additional security on page
5. Start the new cluster member. Click Servers > Clusters and select the cluster. In the cluster, click Cluster Members. Select the new member and click Start.

Removing cluster members

To remove cluster members, complete these steps:

1. Run the Tivoli Identity Manager uninstallation program on the computer that has the cluster member that you intend to remove. For more information, see Chapter 9, Uninstalling the Tivoli Identity Manager Server, on page
2. On the WebSphere administrative console, delete the cluster member from the cluster.
3. Update the WebSphere Web Server plug-in file. Using the WebSphere administrative console, click Environment > Update Web Server Plugin > OK. For more information, see Generating the WebSphere Web Server plug-in configuration file.

Generating the WebSphere Web Server plug-in configuration file

If you add to or reduce the number of cluster members, you must generate the plugin-cfg.xml configuration file for the WebSphere Web Server plug-in. Complete these steps:

1. Log on to the deployment manager, using the WebSphere administrative console.
2. From the left pane of the console, click Environment > Update Web Server Plugin > OK.
3. After the update completes, click Save to save your configuration to the master repository. The updated plugin-cfg.xml file should reside in the WAS_NDM_HOME/config/cells directory.
4. If the IBM HTTP Server and deployment manager are installed on different computers, you must move the plugin-cfg.xml file to the computer that has the IBM HTTP Server, and replace the existing plugin-cfg.xml file.

5. Restart the IBM HTTP Server.

Preparing to install adapters

Use SSL production certificates to ensure secure communication between the Tivoli Identity Manager Server and the Tivoli Identity Manager adapter. For more information, see Adapters overview on page 2.

The Certificate Authority issuer certificate that corresponds to the certificate of the Tivoli Identity Manager adapter must be installed into the truststore file that the Tivoli Identity Manager Server is configured to use. Tivoli Identity Manager uses the standard Java keystore and truststore mechanisms to store certificates and issuer certificates for SSL communications. You can use any standard Java keystore tools to maintain certificates, such as the Java keytool command line utility, or the WebSphere key management utility (ikeyman). The source certificate files can be in any format that the keystore tool supports. For more information, refer to the IBM Tivoli Identity Manager Planning for Deployment Guide.

A cluster configuration requires that the issuer certificate that corresponds to the certificate of the Tivoli Identity Manager adapter is installed into the truststore file of each application server on the cluster.

Complete these steps:

1. Using the Tivoli Identity Manager import utility, install the adapter profile.
2. In a cluster configuration, install the adapter profile once. For recommendations on where to install the adapter profile in a cluster configuration, refer to the adapter installation guide for your specific adapter.
3. Labels from the CustomLabels.properties file are stored in the Tivoli Identity Manager database. In a cluster configuration, import the adapter profile on the computer on which the deployment manager is installed, although the adapter profile can be imported on any server in the cluster. The profile information is pushed into the directory and becomes available to all cluster members.
4. After installing Tivoli Identity Manager, if the default language is not English, complete these steps before you install the first Tivoli Identity Manager adapter:
   a. Before you run the Tivoli Identity Manager language pack setup program, ensure that the version of the Java Runtime Environment that Tivoli Identity Manager requires is accessible from the command line. For more information, refer to the IBM Tivoli Identity Manager Release Notes. For example, enter this command:
         java -fullversion
   b. Obtain and mount the language pack CD for the Tivoli Identity Manager adapters. Use command line mode to install the language pack for the adapters on the Tivoli Identity Manager Server. For example, enter the following command:
         java -jar itimlp_agents_setup.jar
      The Tivoli Identity Manager language pack setup program starts. To complete the language pack installation, follow the instructions that appear in the setup program panels.
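One way to check the cluster requirement above, that the truststore of every application server holds the adapter's issuer certificate, using the keytool utility the guide names. This is an added example, not IBM's code; the alias, the truststore paths passed as arguments and the TRUSTSTORE_PASS variable are assumptions, and the check is by alias only, so it does not prove the stored certificate is the same one as in the file.

```shell
#!/bin/sh
# Added example: audit and repair issuer-certificate trust across cluster members.
# Assumptions (not from the guide): each member's truststore is reachable as a
# local path, all of them open with the password in $TRUSTSTORE_PASS, and the
# issuer certificate is kept under one agreed alias.
# Note: -storepass puts the password on the command line, where a process
# listing can show it; newer keytool versions also accept -storepass:env NAME.

# True if ALIAS exists in TRUSTSTORE. keytool -list exits non-zero when the
# alias is absent or the store cannot be opened.
issuer_present() {
    keytool -list -alias "$1" -keystore "$2" \
        -storepass "$TRUSTSTORE_PASS" >/dev/null 2>&1
}

# Print every truststore that lacks ALIAS, one per line.
# usage: missing_truststores ALIAS TRUSTSTORE...
missing_truststores() {
    mt_alias=$1; shift
    for mt_store in "$@"; do
        issuer_present "$mt_alias" "$mt_store" || echo "$mt_store"
    done
}

# Import CERT_FILE as a trusted CA certificate wherever ALIAS is missing, then
# re-check. Returns 0 only when every truststore holds the alias afterwards.
# usage: install_issuer ALIAS CERT_FILE TRUSTSTORE...
install_issuer() {
    ii_alias=$1; ii_cert=$2; shift 2
    [ -r "$ii_cert" ] || { echo "cannot read $ii_cert" >&2; return 2; }
    missing_truststores "$ii_alias" "$@" | while IFS= read -r ii_store; do
        # keytool -import creates a keystore that does not exist yet, so a
        # mistyped path would silently produce a new, unused truststore.
        [ -f "$ii_store" ] || { echo "no such truststore: $ii_store" >&2; continue; }
        echo "importing $ii_alias into $ii_store" >&2
        keytool -import -noprompt -trustcacerts -alias "$ii_alias" \
            -file "$ii_cert" -keystore "$ii_store" \
            -storepass "$TRUSTSTORE_PASS" </dev/null >/dev/null 2>&1 ||
            echo "import failed for $ii_store" >&2
    done
    ii_left=$(missing_truststores "$ii_alias" "$@")
    [ -z "$ii_left" ] || { echo "still missing in: $ii_left" >&2; return 1; }
}
```

After sourcing the script, run missing_truststores first to see which members need the certificate, then install_issuer with the same alias and paths.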

Chapter 7. Configuring the Tivoli Identity Manager Server

Configuring the Tivoli Identity Manager Server has these steps:
   Configuring the Tivoli Identity Manager database
   Configuring the directory server on page 79
   Configuring commonly used system properties on page 80
   Optionally configuring security after installing Tivoli Identity Manager on page 87
   Modifying system properties during normal operation on page 90

Configuring the Tivoli Identity Manager database

The Tivoli Identity Manager installation program automatically uses the DBConfig database configuration tool during a single-server installation, or during a cluster installation on the deployment manager, to set up these components:
   Tivoli Identity Manager database
   WebSphere JDBC driver provider configuration
   WebSphere data source configuration

Completing the database configuration windows

A database configuration window opens to allow you to configure the database property file and to set up tables in the Tivoli Identity Manager database. The fields that appear in the window might vary, depending on which database that you use. For more information, see Appendix B, Worksheets, on page 111.

On the database configuration window, follow these steps:

1. Complete the Identity Manager Database Information fields. The data is required to configure and connect to the Tivoli Identity Manager database. Ensure that the database administrator ID has the rights to update the database. If the database is DB2 UDB, the IP Address and Port Number fields are greyed out. These fields are required for other databases. For example, for an Oracle database, enter the IP address of your Oracle database server in the IP Address field; the default value for the Port Number field is

Figure 13. Database configuration window

2. Click Test to ensure that the connection to the database is active. When the database test is successful, the Tivoli Identity Manager User Password field becomes active and the Test button changes to Continue. The User ID field defaults to the value enrole, which cannot be changed. Before you continue, ensure that the user ID enrole exists on the computer that is the database server.
3. Enter the correct password for the existing database user ID that is named enrole and click Continue. The database configuration requires several minutes to complete.

Manually starting the DBConfig database configuration tool

The DBConfig command creates the database table definitions that Tivoli Identity Manager requires. Run this command only if the command failed to configure the database during installation. If the Tivoli Identity Manager database tables have been previously set, running the DBConfig command first drops all previously existing Tivoli Identity Manager tables.

To manually start the database configuration tool (DBConfig), complete these tasks:

1. Ensure that the WebSphere Application Server is running. For more information, see Ensuring that the WebSphere Application Server is running on page
2. Run the following command:
      Windows
         ITIM_HOME\bin\DBConfig
      UNIX
         ITIM_HOME/bin/cmdWrapper.sh DBConfig

Running the database configuration tool writes data to the ITIM_HOME/install_logs/dbConfig.stdout log file. The database configuration requires several minutes to complete.

Configuring the directory server

Do not run the ldapconfig command a second time, unless the LDAP configuration fails during the Tivoli Identity Manager installation process. Running the ldapconfig command will restore default values that Tivoli Identity Manager uses. If you have changed the value of any of these Tivoli Identity Manager attributes, such as the password of the user ID named itim manager, the value is overwritten.

Completing the directory server configuration windows

To configure the LDAP data repository with Tivoli Identity Manager values, complete these steps:

1. Enter the values for the LDAP Server Information fields to set up the connection to the directory server. For example, the value of the Host Name field is the fully qualified host name of the computer on which the directory server is running.

Figure 14. Directory configuration window

2. Click Test to ensure that the connection to the directory server can be established. When the test for a connection to the directory server is successful, the fields in the Identity Manager Directory Information section become active.
3. See Appendix B, Worksheets, on page 111 and complete the fields with the values for your site. Then, click Continue.

Manually running the ldapconfig configuration tool

To avoid the loss of existing directory server data, you must not manually run this tool unless a directory server configuration problem occurs during installation.

To manually start the ldapconfig configuration tool, run the following command:
      ITIM_HOME/bin/ldapConfig

Running the configuration tool writes data to the ITIM_HOME/install_logs/ldapConfig.stdout log file. The directory server configuration requires several minutes to complete.

Configuring commonly used system properties

The Tivoli Identity Manager installation program automatically runs the runconfig system configuration tool to edit commonly used system properties for the Tivoli Identity Manager Server and also to configure WebSphere Application Server settings for the Tivoli Identity Manager application. The Tivoli Identity Manager installation program runs the system configuration tool for both a single-server and cluster configuration, which includes the deployment manager and the cluster members.

You can run the system configuration tool manually. For more information, see Manually starting the system configuration tool. For alternative ways to configure system properties, see Modifying system properties during normal operation on page 90.

The system configuration tool provides these windows:
   General tab
   Directory tab on page 82
   Database tab on page 83
   Logging tab on page 84
   Mail tab on page 84
   UI tab on page 85
   Security tab on page 86

Manually starting the system configuration tool

To update commonly-used properties and also to reset WebSphere Application Server settings for the Tivoli Identity Manager application, run this command:
   Windows
      ITIM_HOME\bin\runConfig install
   UNIX:
      DB2 UDB
         ITIM_HOME/bin/cmdWrapper.sh runconfig install
         The cmdwrapper.sh command automatically sources the DB2 profile.
      Other databases
         ITIM_HOME/bin/runConfig install

Running the system configuration tool writes log data to the ITIM_HOME/install_logs/runConfig.stdout log file.

General tab

Click the General tab. The General tab of the system configuration tool configures the general information about the Tivoli Identity Manager Server.

Figure 15. General tab window

The following field values on the General tab are prefilled by the installation program:

Host name
   Not used with the Tivoli Identity Manager Server running on the WebSphere Application Server.
TCP/IP port number
   Not used with the Tivoli Identity Manager Server running on the WebSphere Application Server.
SSL TCP/IP port number
   Not used with the Tivoli Identity Manager Server running on the WebSphere Application Server.
Scheduling information
   Heart beat
      The Scheduling Information field displays information about how frequently a scheduling thread queries the scheduled message stores for events to process (Heart Beat). You might want to consider performance issues before you enable a more frequent beat. Only system administrators can modify the Heart Beat, which is measured in seconds.
   Recycle bin age limit (days)
      When you delete Tivoli Identity Manager objects (such as organization units, persons, or accounts), the objects are not immediately removed from the system. Instead, they are moved to a recycle bin container. Emptying the recycle bin is a separate deletion process that involves running cleanup scripts. For example, to avoid assigning an old user ID to a new user, the assignment process might check the recycle bin to determine if an old user ID exists. You might set the value of the recycle bin interval to an interval that determines the length of time to retain old user IDs.
      The Recycle Bin Age Limit field specifies the number of days that an object remains in the recycle bin of the system before it becomes available for deletion by cleanup scripts. The cleanup scripts can only remove those objects that are older than the age limit setting. For example, if the age limit setting is 62 days (the default value), only objects that have been in the recycle bin for more than 62 days can be deleted by cleanup scripts.
      You can use the following scripts to either manually remove or to schedule the periodic cleanup of recycle bin entries with expired age limits:
      - Windows
           ITIM_HOME\bin\win\ldapClean.cmd
        To schedule periodic cleanup, register the above command script with the Windows scheduler.
      - UNIX
           ITIM_HOME/bin/unix/ldapClean.sh
        To schedule periodic cleanup, create a UNIX cron job such as the following example:
           ITIM_HOME/bin/unix/schedule_garbage.cron

Directory tab

Click the Directory tab. The Directory tab of the system configuration tool displays directory connection information and LDAP connection pool information. The tab also has a Test button to test the connection to the directory server. If you update any field on this tab, click Test to ensure that the connection works.

Figure 16. Directory tab window

The information is pre-filled for the deployment manager, but not for a WebSphere Application Server. If necessary, modify the following information for the directory server:
   Principal DN and password that the Tivoli Identity Manager Server uses to log onto the directory server
   Directory server host name
   Port number for the directory server

The LDAP connection pool information defines a pool of LDAP connections accessible by the Tivoli Identity Manager Server. Once a connection is established and data is stored in the LDAP directory server, changing the host name or the port number might have detrimental effects.

- In the Maximum Pool Size field, specify the maximum number of connections that the LDAP Connection Pool can have at any time.
- In the Initial Pool Size field, specify the initial number of connections to be created for the LDAP Connection Pool.
- In the Increment Count field, specify the number of connections to be added to the LDAP Connection Pool every time a connection is requested after all connections are in use.

Database tab

Click the Database tab. The Database tab displays general database information and database pool information. The tab also has a Test button to test the connection to the database. If you update any field on this tab, click Test to ensure that the connection works. Changing the configuration after the system is set up can have detrimental effects.

Figure 17. Database tab window

Depending on the type of connection that is used, one of several windows is displayed when configuring database properties. The window in this example displays the Database tab when Tivoli Identity Manager does not use an Oracle Client to connect to the Oracle database. If this installation is on a cluster member, the information must match the database specification previously made for the deployment manager.

In the Database Type field, specify a database such as DB2 UDB.

In the Database Name or Alias field, specify the name or alias of the database. For example, the value of Database Name may be itimdb.

- DB2 Universal Database only: The Database Name or Alias field displays how Tivoli Identity Manager connects to the database. If the database is installed locally, the value represents the name of the database. If the database is installed remotely, the value represents the local alias name of the remote database.
- Oracle only: The field label is: Database IP:Port:Name
- Microsoft SQLServer only: The field label is: Database IP:Port:Service Name

In the Database User and the User Password fields, specify the database account and password that Tivoli Identity Manager uses to log onto the database. The default user ID is enrole, which is created by the Tivoli Identity Manager database configuration program (DBConfig). The account must have a valid user password.

The database pool information determines the number of JDBC connections. For more information on supported JDBC drivers, see Configuring the DB2 JDBC driver on page 16.

- In the Initial Capacity field, specify the initial number of JDBC connections.
- In the Maximum Capacity field, specify the maximum number of JDBC connections that the Tivoli Identity Manager Server can open to the database at any one time.
- In the Login Delay Seconds field, specify the time, in seconds, between connections.

Logging tab

Click the Logging tab.

Figure 18. Logging tab window

The Logging tab of the system configuration tool enables you to set the level of tracing. Choose one of these values:

MIN
Writes less information to the log file. Use this setting for best performance.

MED
Writes an increased amount of information to the log file.

MAX
Writes the maximum amount of information to the log file. The increased amount of logging activity might affect performance. This is approximately the equivalent of INFO or VERBOSE.

Mail tab

Click the Mail tab.

Figure 19. Mail tab window

The Mail tab of the system configuration tool displays mail notification and gateway parameters:

In the Identity Manager URL field, specify the login Universal Resource Locator (URL) for the Tivoli Identity Manager Server that is first presented as a hyperlink in e-mail to new Tivoli Identity Manager users. The value is the URL of the proxy server (for example, the IBM HTTP Server). Specify the host name (or IP address) and port in the base URL. Ensure that the value matches the published login URL to your Tivoli Identity Manager system.

- Single-server configuration: The base URL is the address of the Web server (for example, the IBM HTTP Server) which by default uses port 80. For more information, see Table 3 on page 40.
- Cluster configuration: The base URL is the address of the Web server which load-balances to all application server instances in the cluster (not the base URL of a specific application server instance).

In the Mail From field, specify the e-mail address of the Tivoli Identity Manager system administrator for your site. All e-mail is delivered from the Mail From parameter. You must change this address, or you will send spam to the address listed.

In the Mail Server Name field, specify the SMTP mail host that sends mail notification. SMTP mail servers are supported. The SMTP host is the mail gateway. For example, enter a host name such as swiftcreek.mycity.ibm.com.

UI tab

Click the UI tab.

Figure 20. UI tab window

The UI tab of the system configuration tool displays information to customize the Tivoli Identity Manager Server GUI.

In the Customer Logo field, specify the file name of the logo graphic. In the Customer Logo Link field, specify an optional URL link activated by clicking on the logo image. System administrators can specify these two variables to replace the IBM logo with their company logo throughout the Tivoli Identity Manager system. The default IBM logo file is the ibm_banner.gif file, which is located in the WAS_HOME/installedApps/cell_name/enRole.ear/app_web.war/images directory.

In the List Page Size field, specify how many items that require a search in the directory are displayed on lists throughout the user interface. If the total number of items exceeds the set List Page Size, the list is spread over multiple pages. For example, the value controls the size of the names list that appears when you browse the My Organization > Manage People tab in the Tivoli Identity Manager GUI.

Security tab

Click the Security tab. The Security tab of the system configuration tool displays information to manage database, LDAP, and application server user IDs and passwords that are stored in Tivoli Identity Manager properties files. The tab displays the encryption settings and application server user management preferences in the Tivoli Identity Manager Server.

Figure 21. Security tab window

By default, passwords in the Tivoli Identity Manager property files are not encrypted. In the Encryption box, check the box to encrypt the passwords used for database and LDAP connections and the password of the EJB user that is used for EJB authentication. The encryption flags are set to true. Clear the box to decrypt the passwords and set the flags to false. The flags are represented by the following properties in the enrole.properties file:

- enrole.password.database.encrypted
- enrole.password.ldap.encrypted
- enrole.password.appserver.encrypted

In the System User and System User Password fields, specify the system user and the system user password. The fields are prefilled if WebSphere global security is on, and an administrator user ID and password have been entered. The fields are blank if WebSphere global security is not on.

In the EJB User and EJB User Password fields, specify the EJB user and the EJB user password. The fields initially take the values of the System User and Password fields. The length of the EJB user ID must be fewer than 12 characters. If you define your own EJB user during installation to be different than the System User, you might need to modify the EJB User and EJB User Password fields.

If you change the value of the EJB user ID or the EJB password on this system configuration Security window, additional manual steps are required after Tivoli Identity Manager installation to map the security role to the ITIM user in order to start Tivoli Identity Manager. For more information, see Optionally configuring security after installing Tivoli Identity Manager.

Optionally configuring security after installing Tivoli Identity Manager

If you chose to enable global security on the WebSphere Application Server, map the itimadmin administrative user to the ITIM_SYSTEM role to further limit access. If you also enabled Java 2 security, verify that the was.policy file exists.

Any time that the System User or EJB User are modified outside of Tivoli Identity Manager, run the runConfig command to update the Tivoli Identity Manager configuration.

Each of the following steps applies to both single and multi-node deployments.
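The three encryption flags listed for the Security tab can be checked on a copy of the enrole.properties file. This is an added example, not code from IBM or from this guide: the flag names come from the list above and are matched case-insensitively as an assumption, the file path is supplied by the caller, and the sample content is constructed.

```python
"""Audit the password-encryption flags in an enrole.properties file."""
import sys

# Flag names as listed in this guide. Keys are compared case-insensitively
# because the exact capitalisation in a given release is an assumption.
FLAGS = (
    "enrole.password.database.encrypted",
    "enrole.password.ldap.encrypted",
    "enrole.password.appserver.encrypted",
)

# Constructed sample, not taken from a real deployment.
SAMPLE = """\
# constructed sample
enrole.password.database.encrypted=true
enrole.password.ldap.encrypted : false
! a later definition of the same key wins, as in java.util.Properties
enrole.password.ldap.encrypted = true
enrole.password.appServer.encrypted=false
"""


def logical_lines(text):
    """Yield logical lines: comments dropped, backslash continuations joined."""
    pending = ""
    for raw in text.splitlines():
        body = raw.lstrip(" \t\f")
        if not pending and (not body or body[0] in "#!"):
            continue  # blank line or comment
        line = pending + body
        pending = ""
        # An odd number of trailing backslashes continues onto the next line.
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:
            pending = line[:-1]
            continue
        yield line
    if pending:
        yield pending


def parse_properties(text):
    """Parse Java .properties text into a dict; the last definition wins."""
    props = {}
    for line in logical_lines(text):
        # The key ends at the first unescaped '=', ':' or whitespace.
        i = 0
        while i < len(line) and line[i] not in "=: \t":
            i += 2 if line[i] == "\\" else 1
        key = line[:i]
        rest = line[i:].lstrip(" \t")
        if rest[:1] in ("=", ":"):
            rest = rest[1:].lstrip(" \t")
        props[key] = rest
    return props


def audit_password_encryption(text):
    """Return {flag: 'encrypted' | 'plaintext' | 'missing'} for each flag."""
    props = {k.lower(): v.strip() for k, v in parse_properties(text).items()}
    report = {}
    for flag in FLAGS:
        value = props.get(flag)
        if value is None:
            report[flag] = "missing"
        elif value == "true":
            # Only the literal value "true" is accepted as encrypted.
            report[flag] = "encrypted"
        else:
            report[flag] = "plaintext"
    return report


def main(argv):
    if len(argv) != 2:
        print("usage: audit_flags.py /path/to/enrole.properties")
        return 2
    # Java .properties files are ISO-8859-1 encoded.
    with open(argv[1], encoding="iso-8859-1") as handle:
        report = audit_password_encryption(handle.read())
    for flag, status in report.items():
        print(f"{status:10} {flag}")
    return 0 if all(s == "encrypted" for s in report.values()) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The script exits non-zero when any flag is missing or not set to true, so it can gate a configuration review or a scheduled compliance check.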

Mapping an administrative user to a role

Map an administrative user to a Tivoli Identity Manager role with these steps:

1. On the WebSphere administrative console, click Applications > Enterprise Applications.
2. Click enrole.
3. In Additional Properties, scroll down and click Map security roles to users/groups.
4. Select the check box for ITIM_SYSTEM.
5. Click Lookup users.
6. Click Search.
7. Select the EJB User (itimadmin) from the list.
8. Click OK.
9. To prevent unauthorized access, clear the Everyone? or All Authenticated? check boxes.
10. Save the configuration changes.

Ensuring that the was.policy file exists

The Tivoli Identity Manager installation program automatically creates the was.policy policy file with all the permissions that the Tivoli Identity Manager application needs to run with Java 2 security enabled. Enabling Java 2 security for the Tivoli Identity Manager application also causes Java 2 security to be enforced on all applications that are running on the WebSphere Application Server. If you enable Java 2 security for the Tivoli Identity Manager application, you should also appropriately configure all other applications running on the WebSphere Application Server to support Java 2 security.

Ensure that the was.policy file exists. If the file does not exist, create the file in the following directory on the node:

WAS_HOME/config/cells/cellname/applications/enRole.ear/deployments/enrole/META-INF

The file contents are similar to these lines:

    grant codeBase "file:${application}" {
        permission java.security.AllPermission;
    };

Updating the system user and the EJB user

If you made changes to the System User or to the EJB User fields, you must update Tivoli Identity Manager configurations with these new values. Complete these steps:

1. Start the system configuration tool. To do so, enter the following command:
   - Windows: ITIM_HOME\bin\runConfig
   - UNIX: ITIM_HOME/bin/runConfig.sh
2. Select the Security tab.

Figure 22. Security tab window

3. Update the System User field and its password with the wasadmin user ID that you created in the local OS registry.
4. Update the EJB User field and its password with the itimadmin user ID that you created in the local operating system registry.
5. Click OK.

Running Java 2 security on single-node deployments

To run with security enabled in a single-node deployment, use the WebSphere administrative console to restart Tivoli Identity Manager and log in when prompted. Complete these steps:

1. Click Applications > Enterprise Applications.
2. Select enrole. Then, click Start.

Running Java 2 security on multi-node deployments

To run the Java 2 security component after installing Tivoli Identity Manager on multi-node deployments, synchronize the nodes in the cell, and ensure that the timeout interval is large enough to prevent accidental timeouts.

Synchronizing the nodes in the cell

Synchronize the deployment manager configuration with the nodes in the cell. Restart the Tivoli Identity Manager cluster. Restart Tivoli Identity Manager with these steps:

1. Click Server > Clusters.
2. Select the check box next to the cluster name.
3. Click Stop. Wait for the cluster to stop, and then click Start.

Increasing the timeout interval

Ensure that the token expiration value is large enough to prevent accidental timeouts. Security uses a Lightweight Third Party Authentication (LTPA) token that expires after an interval of system inactivity. The default is 120 minutes, which might not be large enough to use with Tivoli Identity Manager. On some systems, the actual

IBM Security Identity Manager Version 6.0. Installation Guide GC

IBM Security Identity Manager Version 6.0. Installation Guide GC IBM Security Identity Manager Version 6.0 Installation Guide GC14-7695-00 IBM Security Identity Manager Version 6.0 Installation Guide GC14-7695-00 Note Before using this information and the product it

More information

IBM Tivoli Monitoring for Business Integration. User s Guide. Version SC

IBM Tivoli Monitoring for Business Integration. User s Guide. Version SC IBM Tioli Monitoring for Business Integration User s Guide Version 5.1.1 SC32-1403-00 IBM Tioli Monitoring for Business Integration User s Guide Version 5.1.1 SC32-1403-00 Note Before using this information

More information

IBM Security Identity Manager Version Installation Topics IBM

IBM Security Identity Manager Version Installation Topics IBM IBM Security Identity Manager Version 6.0.0.13 Installation Topics IBM IBM Security Identity Manager Version 6.0.0.13 Installation Topics IBM ii IBM Security Identity Manager Version 6.0.0.13: Installation

More information

Tivoli Identity Manager

Tivoli Identity Manager Tivoli Identity Manager Version 4.6 Remedy AR System Server Adapter Installation and Configuration Guide SC32-1495-05 Tivoli Identity Manager Version 4.6 Remedy AR System Server Adapter Installation and

More information

Installation and Setup Guide

Installation and Setup Guide IBM Tioli Monitoring for Business Integration Installation and Setup Guide Version 5.1.1 SC32-1402-00 IBM Tioli Monitoring for Business Integration Installation and Setup Guide Version 5.1.1 SC32-1402-00

More information

Tivoli Identity Manager

Tivoli Identity Manager Tioli Identity Manager Version 4.6 UNIX and Linux adapter Installation and Configuration Guide SC32-1755-02 Tioli Identity Manager Version 4.6 UNIX and Linux adapter Installation and Configuration Guide

More information

IBM Tivoli Privacy Manager for e-business. Installation Guide. Version 1.1 SC

IBM Tivoli Privacy Manager for e-business. Installation Guide. Version 1.1 SC IBM Tioli Priacy Manager for e-business Installation Guide Version 1.1 SC23-4791-00 IBM Tioli Priacy Manager for e-business Installation Guide Version 1.1 SC23-4791-00 Note: Before using this information

More information

License Administrator s Guide

License Administrator s Guide IBM Tioli License Manager License Administrator s Guide Version 1.1.1 GC23-4833-01 Note Before using this information and the product it supports, read the information under Notices on page 115. Second

More information

Tivoli IBM Tivoli Advanced Catalog Management for z/os

Tivoli IBM Tivoli Advanced Catalog Management for z/os Tioli IBM Tioli Adanced Catalog Management for z/os Version 2.2.0 Monitoring Agent User s Guide SC23-9818-00 Tioli IBM Tioli Adanced Catalog Management for z/os Version 2.2.0 Monitoring Agent User s Guide

More information

Tivoli Identity Manager

Tivoli Identity Manager Tivoli Identity Manager Version 4.6 DB2 Universal Database Adapter Installation and Configuration Guide Tivoli Identity Manager Version 4.6 DB2 Universal Database Adapter Installation and Configuration

More information

Tivoli Tivoli Intelligent ThinkDynamic Orchestrator

Tivoli Tivoli Intelligent ThinkDynamic Orchestrator Tioli Tioli Intelligent ThinkDynamic Orchestrator Version 2.1 Installation Guide for Windows GC32-1604-00 Tioli Tioli Intelligent ThinkDynamic Orchestrator Version 2.1 Installation Guide for Windows GC32-1604-00

More information

Tivoli Tivoli Provisioning Manager

Tivoli Tivoli Provisioning Manager Tioli Tioli Proisioning Manager Version 2.1 Installation Guide for Linux on Intel and Linux on iseries GC32-1616-00 Tioli Tioli Proisioning Manager Version 2.1 Installation Guide for Linux on Intel and

More information

Tivoli Identity Manager

Tivoli Identity Manager Tivoli Identity Manager Version 4.6 HP-UX Adapter Installation and Configuration Guide SC32-1182-05 Tivoli Identity Manager Version 4.6 HP-UX Adapter Installation and Configuration Guide SC32-1182-05

More information

Road Map for the Typical Installation Option of IBM Tivoli Monitoring Products, Version 5.1.0

Road Map for the Typical Installation Option of IBM Tivoli Monitoring Products, Version 5.1.0 Road Map for the Typical Installation Option of IBM Tioli Monitoring Products, Version 5.1.0 Objectie Who should use the Typical installation method? To use the Typical installation option to deploy an

More information

IBM Tivoli Configuration Manager for Automated Teller Machines. Release Notes. Version 2.1 SC

IBM Tivoli Configuration Manager for Automated Teller Machines. Release Notes. Version 2.1 SC IBM Tioli Configuration Manager for Automated Teller Machines Release Notes Version 2.1 SC32-1254-00 IBM Tioli Configuration Manager for Automated Teller Machines Release Notes Version 2.1 SC32-1254-00

More information

IBM Tivoli Federated Identity Manager Version Installation Guide GC

IBM Tivoli Federated Identity Manager Version Installation Guide GC IBM Tivoli Federated Identity Manager Version 6.2.2 Installation Guide GC27-2718-01 IBM Tivoli Federated Identity Manager Version 6.2.2 Installation Guide GC27-2718-01 Note Before using this information

More information

IBM Tivoli Storage Manager for Windows Version Tivoli Monitoring for Tivoli Storage Manager

IBM Tivoli Storage Manager for Windows Version Tivoli Monitoring for Tivoli Storage Manager IBM Tioli Storage Manager for Windows Version 7.1.0 Tioli Monitoring for Tioli Storage Manager IBM Tioli Storage Manager for Windows Version 7.1.0 Tioli Monitoring for Tioli Storage Manager Note: Before

More information

Installing and Configuring Tivoli Enterprise Data Warehouse

Installing and Configuring Tivoli Enterprise Data Warehouse Installing and Configuring Tioli Enterprise Data Warehouse Version 1 Release 1 GC32-0744-00 Installing and Configuring Tioli Enterprise Data Warehouse Version 1 Release 1 GC32-0744-00 Installing and Configuring

More information

WebSphere MQ Configuration Agent User's Guide

WebSphere MQ Configuration Agent User's Guide IBM Tioli Composite Application Manager for Applications Version 7.1 WebSphere MQ Configuration Agent User's Guide SC14-7525-00 IBM Tioli Composite Application Manager for Applications Version 7.1 WebSphere

More information

Tivoli Tivoli Provisioning Manager

Tivoli Tivoli Provisioning Manager Tioli Tioli Proisioning Manager Version 2.1 Installation Guide for Unix GC32-1615-00 Tioli Tioli Proisioning Manager Version 2.1 Installation Guide for Unix GC32-1615-00 Note: Before using this information

More information

Tivoli Tivoli Intelligent ThinkDynamic Orchestrator

Tivoli Tivoli Intelligent ThinkDynamic Orchestrator Tioli Tioli Intelligent ThinkDynamic Orchestrator Version 2.1 Installation Guide for Unix GC32-1605-00 Tioli Tioli Intelligent ThinkDynamic Orchestrator Version 2.1 Installation Guide for Unix GC32-1605-00

More information

Monitor Developer s Guide

Monitor Developer s Guide IBM Tioli Priacy Manager for e-business Monitor Deeloper s Guide Version 1.1 SC23-4790-00 IBM Tioli Priacy Manager for e-business Monitor Deeloper s Guide Version 1.1 SC23-4790-00 Note: Before using this

More information

Web Security Developer Reference

Web Security Developer Reference IBM Tioli Access Manager for e-business Web Security Deeloper Reference Version 5.1 SC32-1358-00 IBM Tioli Access Manager for e-business Web Security Deeloper Reference Version 5.1 SC32-1358-00 Note Before

More information

Tivoli Identity Manager

Tivoli Identity Manager Tivoli Identity Manager Version 4.6 Lotus QuickPlace Adapter Installation and Configuration Guide SC32-0198-00 Tivoli Identity Manager Version 4.6 Lotus QuickPlace Adapter Installation and Configuration

More information

Managing Server Installation and Customization Guide

Managing Server Installation and Customization Guide IBM Tioli Composite Application Manager for Application Diagnostics Version 7.1.0.4 Managing Serer Installation and Customization Guide SC27-2825-00 IBM Tioli Composite Application Manager for Application

More information

Tivoli Identity Manager

Tivoli Identity Manager Tivoli Identity Manager Version 4.6 Adapter for SAP Netweaver AS Java Integration and Configuration Guide GC32-1590-05 Tivoli Identity Manager Version 4.6 Adapter for SAP Netweaver AS Java Integration

More information

Tivoli Identity Manager. End User Guide. Version SC

Tivoli Identity Manager. End User Guide. Version SC Tioli Identity Manager End User Guide Version 4.5.1 SC32-1152-02 Tioli Identity Manager End User Guide Version 4.5.1 SC32-1152-02 NOTE: Before using this information and the product it supports, read

More information

xseries Systems Management IBM Diagnostic Data Capture 1.0 Installation and User s Guide

xseries Systems Management IBM Diagnostic Data Capture 1.0 Installation and User s Guide xseries Systems Management IBM Diagnostic Data Capture 1.0 Installation and User s Guide Note Before using this information and the product it supports, read the general information in Appendix C, Notices,

More information

Installation and Configuration Guide

Installation and Configuration Guide IBM Tioli Directory Serer Installation and Configuration Guide Version 6.2 SC23-9939-00 IBM Tioli Directory Serer Installation and Configuration Guide Version 6.2 SC23-9939-00 Note Before using this information

More information

WebSphere Message Broker Monitoring Agent User's Guide

WebSphere Message Broker Monitoring Agent User's Guide IBM Tioli OMEGAMON XE for Messaging on z/os Version 7.1 WebSphere Message Broker Monitoring Agent User's Guide SC23-7954-03 IBM Tioli OMEGAMON XE for Messaging on z/os Version 7.1 WebSphere Message Broker

More information

IBM Tivoli Enterprise Console. User s Guide. Version 3.9 SC

IBM Tivoli Enterprise Console. User s Guide. Version 3.9 SC IBM Tioli Enterprise Console User s Guide Version 3.9 SC32-1235-00 IBM Tioli Enterprise Console User s Guide Version 3.9 SC32-1235-00 Note Before using this information and the product it supports, read

More information

IBM Tivoli Service Level Advisor. Getting Started. Version 2.1 SC

IBM Tivoli Service Level Advisor. Getting Started. Version 2.1 SC IBM Tioli Serice Leel Adisor Getting Started Version 2.1 SC32-0834-03 IBM Tioli Serice Leel Adisor Getting Started Version 2.1 SC32-0834-03 Fourth Edition (September 2004) This edition applies to Version

More information

Tivoli Identity Manager

Tivoli Identity Manager Tivoli Identity Manager Version 4.6 Universal Provisioning Adapter Installation and Configuration Guide SC32-1159-05 Tivoli Identity Manager Version 4.6 Universal Provisioning Adapter Installation and

More information

Tivoli IBM Tivoli Advanced Audit for DFSMShsm

Tivoli IBM Tivoli Advanced Audit for DFSMShsm Tioli IBM Tioli Adanced Audit for DFSMShsm Version 2.2.0 Monitoring Agent Planning and Configuration Guide SC27-2348-00 Tioli IBM Tioli Adanced Audit for DFSMShsm Version 2.2.0 Monitoring Agent Planning

More information

IBM Operational Decision Manager Version 8 Release 5. Installation Guide

IBM Operational Decision Manager Version 8 Release 5. Installation Guide IBM Operational Decision Manager Version 8 Release 5 Installation Guide Note Before using this information and the product it supports, read the information in Notices on page 51. This edition applies

More information

Tivoli System Automation Application Manager

Tivoli System Automation Application Manager Tioli System Automation Application Manager Version 3.1 Installation and Configuration Guide SC33-8420-01 Tioli System Automation Application Manager Version 3.1 Installation and Configuration Guide SC33-8420-01

More information

Tivoli Identity Manager

Tivoli Identity Manager Tivoli Identity Manager Version 4.6 Informix Server Adapter Installation and Configuration Guide Tivoli Identity Manager Version 4.6 Informix Server Adapter Installation and Configuration Guide Note:

More information

Tivoli IBM Tivoli Advanced Catalog Management for z/os

Tivoli IBM Tivoli Advanced Catalog Management for z/os Tioli IBM Tioli Adanced Catalog Management for z/os Version 2.2.0 Monitoring Agent Planning and Configuration Guide SC23-9820-00 Tioli IBM Tioli Adanced Catalog Management for z/os Version 2.2.0 Monitoring

More information

IBM Tivoli Storage Manager for Windows Version 7.1. Installation Guide

IBM Tivoli Storage Manager for Windows Version 7.1. Installation Guide IBM Tioli Storage Manager for Windows Version 7.1 Installation Guide IBM Tioli Storage Manager for Windows Version 7.1 Installation Guide Note: Before using this information and the product it supports,

More information

WebSEAL Installation Guide

WebSEAL Installation Guide IBM Tioli Access Manager WebSEAL Installation Guide Version 4.1 SC32-1133-01 IBM Tioli Access Manager WebSEAL Installation Guide Version 4.1 SC32-1133-01 Note Before using this information and the product

More information

Deployment Overview Guide

Deployment Overview Guide IBM Security Priileged Identity Manager Version 1.0 Deployment Oeriew Guide SC27-4382-00 IBM Security Priileged Identity Manager Version 1.0 Deployment Oeriew Guide SC27-4382-00 Note Before using this

More information

IBM Director Virtual Machine Manager 1.0 Installation and User s Guide

IBM Director Virtual Machine Manager 1.0 Installation and User s Guide IBM Director 4.20 Virtual Machine Manager 1.0 Installation and User s Guide Note Before using this information and the product it supports, read the general information in Appendix D, Notices, on page

More information

IBM Agent Builder Version User's Guide IBM SC

IBM Agent Builder Version User's Guide IBM SC IBM Agent Builder Version 6.3.5 User's Guide IBM SC32-1921-17 IBM Agent Builder Version 6.3.5 User's Guide IBM SC32-1921-17 Note Before you use this information and the product it supports, read the information

More information

Tivoli Identity Manager

Tivoli Identity Manager Tivoli Identity Manager Version 4.6 HP-UX NIS Adapter Installation and Configuration Guide SC32-1182-05 Tivoli Identity Manager Version 4.6 HP-UX NIS Adapter Installation and Configuration Guide SC32-1182-05

More information

Web Services Security Management Guide

Web Services Security Management Guide IBM Tioli Federated Identity Manager Version 6.2.2 Web Serices Security Management Guide GC32-0169-04 IBM Tioli Federated Identity Manager Version 6.2.2 Web Serices Security Management Guide GC32-0169-04

More information

IBM Tivoli Storage Manager for Windows Version Installation Guide

IBM Tivoli Storage Manager for Windows Version Installation Guide IBM Tioli Storage Manager for Windows Version 7.1.1 Installation Guide IBM Tioli Storage Manager for Windows Version 7.1.1 Installation Guide Note: Before using this information and the product it supports,

More information

Installation and Setup Guide

Installation and Setup Guide IBM Tioli Monitoring for Messaging and Collaboration Installation and Setup Guide Version 5.1.1 GC32-0839-01 IBM Tioli Monitoring for Messaging and Collaboration Installation and Setup Guide Version 5.1.1

More information

Tivoli Business Systems Manager

Tivoli Business Systems Manager Tioli Business Systems Manager Version 3.1 Problem and Change Management Integration Guide SC32-9130-00 Tioli Business Systems Manager Version 3.1 Problem and Change Management Integration Guide SC32-9130-00

More information

Version 8.2 (Revised December 2004) Plus Module User s Guide SC

Version 8.2 (Revised December 2004) Plus Module User s Guide SC Tioli IBM Tioli Workload Scheduler Version 8.2 (Reised December 2004) Plus Module User s Guide SC32-1276-02 Tioli IBM Tioli Workload Scheduler Version 8.2 (Reised December 2004) Plus Module User s Guide

More information

IBM Security Access Manager for Web Version 7.0. Installation Guide GC

IBM Security Access Manager for Web Version 7.0. Installation Guide GC IBM Security Access Manager for Web Version 7.0 Installation Guide GC23-6502-02 IBM Security Access Manager for Web Version 7.0 Installation Guide GC23-6502-02 Note Before using this information and the

More information

Installation and Configuration Guide

Installation and Configuration Guide IBM Tioli Directory Serer Installation and Configuration Guide Version 6.3 SC27-2747-00 IBM Tioli Directory Serer Installation and Configuration Guide Version 6.3 SC27-2747-00 Note Before using this information

More information

Tivoli Business Systems Manager

Tivoli Business Systems Manager Tioli Business Systems Manager Version 3.1 Introducing the Consoles SC32-9086-00 Tioli Business Systems Manager Version 3.1 Introducing the Consoles SC32-9086-00 Note Before using this information and

More information

IBM Tivoli Storage Manager for Virtual Environments Version Data Protection for VMware Installation Guide IBM

IBM Tivoli Storage Manager for Virtual Environments Version Data Protection for VMware Installation Guide IBM IBM Tioli Storage Manager for Virtual Enironments Version 7.1.6 Data Protection for VMware Installation Guide IBM IBM Tioli Storage Manager for Virtual Enironments Version 7.1.6 Data Protection for VMware

More information

Troubleshooting Guide

Troubleshooting Guide Security Policy Manager Version 7.1 Troubleshooting Guide GC27-2711-00 Security Policy Manager Version 7.1 Troubleshooting Guide GC27-2711-00 Note Before using this information and the product it supports,

More information

Product Overview Guide

Product Overview Guide IBM Security Identity Manager Version 6.0 Product Oeriew Guide GC14-7692-00 IBM Security Identity Manager Version 6.0 Product Oeriew Guide GC14-7692-00 Note Before using this information and the product

More information

IBM i Version 7.2. Connecting to IBM i IBM i Access for Web IBM

IBM i Version 7.2. Connecting to IBM i IBM i Access for Web IBM IBM i Version 7.2 Connecting to IBM i IBM i Access for Web IBM IBM i Version 7.2 Connecting to IBM i IBM i Access for Web IBM Note Before using this information and the product it supports, read the information

More information

IBM Tivoli Service Level Advisor. SLM Reports. Version 2.1 SC

IBM Tivoli Service Level Advisor. SLM Reports. Version 2.1 SC IBM Tioli Serice Leel Adisor SLM Reports Version 2.1 SC32-1248-00 IBM Tioli Serice Leel Adisor SLM Reports Version 2.1 SC32-1248-00 Fourth Edition (September 2004) This edition applies to Version 2.1

More information

IBM Tivoli Access Manager for WebSphere Application Server. User s Guide. Version 4.1 SC

IBM Tivoli Access Manager for WebSphere Application Server. User s Guide. Version 4.1 SC IBM Tioli Access Manager for WebSphere Application Serer User s Guide Version 4.1 SC32-1136-01 IBM Tioli Access Manager for WebSphere Application Serer User s Guide Version 4.1 SC32-1136-01 Note Before

More information

Tivoli Tivoli Intelligent ThinkDynamic Orchestrator

Tivoli Tivoli Intelligent ThinkDynamic Orchestrator Tioli Tioli Intelligent ThinkDynamic Orchestrator Version 2.1 Migration Guide for Windows GC32-1608-00 Tioli Tioli Intelligent ThinkDynamic Orchestrator Version 2.1 Migration Guide for Windows GC32-1608-00

More information

Tivoli Tivoli Provisioning Manager

Tivoli Tivoli Provisioning Manager Tioli Tioli Proisioning Manager Version 2.1 Migration Guide for Windows GC32-1618-00 Tioli Tioli Proisioning Manager Version 2.1 Migration Guide for Windows GC32-1618-00 Note: Before using this information

More information

IBM Tivoli Directory Server. System Requirements SC

IBM Tivoli Directory Server. System Requirements SC IBM Tioli Directory Serer System Requirements Version 6.2 SC23-9947-00 IBM Tioli Directory Serer System Requirements Version 6.2 SC23-9947-00 Note Before using this information and the product it supports,


Tivoli Business Systems Manager

Tivoli Business Systems Manager Version 3.1 Installation and Configuration Guide SC32-9089-00 Note Before using


Tivoli Tivoli Provisioning Manager

Tivoli Tivoli Provisioning Manager Version 2.1 Migration Guide for Unix GC32-1619-00 Note: Before using this information


IBM Workplace Collaboration Services Installation and Upgrade Guide

IBM Workplace Collaboration Services Installation and Upgrade Guide Version 2.5 G210-1961-00 Note Before using


IBM Security Role and Policy Modeler Version 1 Release 1. Glossary SC

IBM Security Role and Policy Modeler Version 1 Release 1 Glossary SC27-2800-00 March 2012 This edition applies to version


IBM. Installing. IBM Emptoris Suite. Version

IBM Emptoris Suite IBM Installing Version 10.1.0 Copyright Note: Before using this information and the product it supports,


Tivoli Application Dependency Discovery Manager Version 7.3. Installation Guide IBM

Tivoli Application Dependency Discovery Manager Version 7.3 Installation Guide IBM Note Before using this information and


Administration Java Classes Developer Reference

IBM Tivoli Access Manager for e-business Administration Java Classes Developer Reference Version 5.1 SC32-1356-00


Tivoli Application Dependency Discovery Manager Version 7 Release 2.1. Installation Guide

Tivoli Application Dependency Discovery Manager Version 7 Release 2.1 Installation Guide Note Before using this information


IBM. Connecting to IBM i IBM i Access for Web. IBM i 7.1

IBM IBM i Connecting to IBM i IBM i Access for Web 7.1 Note Before using this information and the product it supports, read the information in Notices,


IBM. Installing, configuring, using, and troubleshooting. IBM Operations Analytics for z Systems. Version 3 Release 1

IBM Operations Analytics for z Systems IBM Installing, configuring, using, and troubleshooting Version 3 Release 1


Internet Information Server User's Guide

IBM Tivoli Monitoring for Web Infrastructure Internet Information Server User's Guide Version 5.1.0 SH19-4573-00


Tivoli Identity Manager

Tivoli Identity Manager Version 4.6 IBM Tivoli Identity Manager CiscoSecure ACS Adapter for Windows Installation and Configuration Guide SC32-1749-01


IBM Security Identity Manager Version Product Overview Topics

IBM Security Identity Manager Version 6.0.0.4 Product Overview Topics


Tivoli Tivoli Provisioning Manager

Tivoli Tivoli Provisioning Manager Version 2.1 Migration Guide for Linux GC32-1620-00 Note: Before using this information


Authorization C API Developer Reference

IBM Security Access Manager for Web Version 7.0 Authorization C API Developer Reference SC23-6515-02


Tivoli Security Compliance Manager

Tivoli Security Compliance Manager Version 5.1 Collector Development Guide SC32-1595-00 Note Before using this information


IBM i Version 7.2. Security Service Tools IBM

IBM i Version 7.2 Security Service Tools IBM Note Before using this information and the product it supports, read the information in Notices on page 37. This


IBM Security Access Manager for Web Version 7.0. Upgrade Guide SC

IBM Security Access Manager for Web Version 7.0 Upgrade Guide SC23-6503-02 Note Before using this information and the product


Netcool Configuration Manager Version Installation and Configuration Guide R2E6 IBM

Netcool Configuration Manager Version 6.4.1 Installation and Configuration Guide R2E6 IBM Note Before using this


iPlanet Web Server User's Guide

IBM Tivoli Monitoring for Web Infrastructure iPlanet Web Server User's Guide Version 5.1.0 SH19-4574-00 Note


Contents. Index iii

Product overview. Contents: Product overview; Initial login and password information; Access management with IBM Tivoli Identity Manager and other products; Support


IBM Tivoli Monitoring for Messaging and Collaboration: Lotus Domino. User's Guide. Version SC

IBM Tivoli Monitoring for Messaging and Collaboration: Lotus Domino User's Guide Version 5.1.0 SC32-0841-00


Version 10 Release 0 February IBM Marketing Platform Installation Guide IBM

Version 10 Release 0 February 2017 IBM Marketing Platform Installation Guide IBM Note Before using this information and the product it supports, read the information in Notices on page 69. This edition


Troubleshooting Guide

Tivoli Access Manager for e-business Version 6.1.1 Troubleshooting Guide GC27-2717-00 Note Before using this information


IBM Tivoli Storage Manager for AIX Version Tivoli Monitoring for Tivoli Storage Manager

IBM Tivoli Storage Manager for AIX Version 7.1.0 Tivoli Monitoring for Tivoli Storage Manager Note: Before using


Documentation corrections for IBM Tivoli Storage Productivity Center V4.2

Documentation corrections for IBM Tivoli Storage Productivity Center V4.2 Contents Documentation corrections for IBM Tivoli Storage Productivity


Tivoli Identity Manager

Tivoli Identity Manager Version 4.6 Directory Integrator-Based PeopleTools Adapter Installation and Configuration Guide SC32-1584-00


IBM. Client Configuration Guide. IBM Explorer for z/os. Version 3 Release 1 SC

IBM Explorer for z/OS IBM Client Configuration Guide Version 3 Release 1 SC27-8435-01 Note Before using this information,


Server Troubleshooting Guide

IBM Tivoli Identity Manager Server Troubleshooting Guide Version 4.5 SC32-1151-01 Note: Before using this information and


Planning and Installation

Tivoli Workload Scheduler Version 8.5. (Revised October 200) Planning and Installation SC32-273-09 Note Before


Registration Authority Desktop Guide

IBM SecureWay Trust Authority Registration Authority Desktop Guide Version 3 Release 1.1 SH09-4530-01


IBM Unica Optimize Version 8 Release 6 May 25, Installation Guide

IBM Unica Optimize Version 8 Release 6 May 25, 2012 Installation Guide Note Before using this information and the product it supports, read the information in Notices on page 35. This edition applies to


ImageUltra Builder Version 1.1. User Guide

ImageUltra Builder Version 1.1 User Guide Note Before using this information and the product it supports, be sure to read Notices on page 83. First Edition (October


IBM Tivoli Netcool Performance Manager Wireline Component October 2015 Document Revision R2E1. Pack Upgrade Guide IBM

IBM Tivoli Netcool Performance Manager Wireline Component October 2015 Document Revision R2E1 Pack Upgrade Guide IBM Note Before using this information and the product it supports, read the information in


Data Protection for Microsoft SQL Server Installation and User's Guide

IBM Tivoli Storage Manager for Databases Version 6.4 Data Protection for Microsoft SQL Server Installation and User's Guide GC27-4010-01


IBM Tivoli Storage Manager for Linux Version Tivoli Monitoring for Tivoli Storage Manager

IBM Tivoli Storage Manager for Linux Version 7.1.0 Tivoli Monitoring for Tivoli Storage Manager Note: Before using


Problem Determination Guide

IBM Tivoli Storage Productivity Center Problem Determination Guide Version 4.1 GC27-2342-00 Note: Before using this


High Availability Guide for Distributed Systems

IBM Tivoli Monitoring Version 6.2.3 Fix Pack 1 High Availability Guide for Distributed Systems SC23-9768-03


IBM Security Role and Policy Modeler Version 1 Release 1. Planning Guide SC

IBM Security Role and Policy Modeler Version 1 Release 1 Planning Guide SC22-5407-03 October 2012 This edition applies
