Contents. Index iii

Transcription

1 Product oeriew

2 ii Product oeriew

3 Contents Product oeriew Initial login and password information Access management with IBM Tioli Identity Manager and other products Support for corporate regulatory compliance... 3 Identity goernance Release information What s new in this release Hardware and software requirements Installation images and fix packs Known limitations, problems, and workarounds 22 Technical oeriew Users, authorization, and resources Main components People oeriew Resources oeriew System security oeriew Organization tree oeriew Policies oeriew Workflow oeriew Features oeriew Improed user interface Recertification Reporting Static and dynamic roles Self-access management Proisioning features Resource proisioning About this information Intended audience Publications Tioli technical training Support information Conentions used in this information Notices Accessibility Index iii

4 i Product oeriew

5 Product oeriew These topics describe the product and its surrounding business and technology context. They include information about: The particular product release, such as new or deprecated product features and functions The open standards, technologies, and architecture on which the product is based The user model and roles underlying the product features The graphical interfaces and tools proided to support arious user roles The information center for iewing documentation Initial login and password information To get started after installing IBM Tioli Identity Manager, you need to know the login URL and the initial user ID and password. Login URL The login URL enables you to access the IBM Tioli Identity Manager web interface. The login URL for the IBM Tioli Identity Manager administratie console is: Where ip-address is the IP address or DNS address of the IBM Tioli Identity Manager serer, and port is the port number. The default port for new installations of IBM Tioli Identity Manager is The login URL for the IBM Tioli Identity Manager self-serice console is: Where ip-address is the IP address or DNS address of the IBM Tioli Identity Manager serer, and port is the port number. The default port for new installations of IBM Tioli Identity Manager is Initial user ID and password The initial user ID and password to authenticate to IBM Tioli Identity Manager is: Table 1. Initial user ID and password for IBM Tioli Identity Manager User ID Password itim manager secret 1

6 Access management with IBM Tioli Identity Manager and other products In a security lifecycle, IBM Tioli Identity Manager and seeral other products proide access management that enables you to determine who can enter your protected systems, what can they access, and how to ensure that users access only what they need for their business tasks. Access management addresses three questions from the business point of iew: Who can come into my systems? What can they do? Can I easily proe what they e done with that access? These products alidate the authenticity of all users with access to resources, and ensure that access controls are in place and consistently enforced: IBM Tioli Identity Manager Proides a secure, automated and policy-based user management solution that helps effectiely manage user identities throughout their lifecycle across both legacy and e-business enironments. IBM Tioli Identity Manager proides centralized user access to disparate resources in an organization, using policies and features that streamline operations associated with user-resource access. As a result, your organization realizes numerous benefits, including: Web self-serice and password reset and synchronization; users can self-administer their passwords using the rules of a password management policy to control access to multiple applications. Password synchronization enables a user to use one password for all accounts that IBM Tioli Identity Manager manages. Quick response to audits and regulatory mandates Automation of business processes related to changes in user identities by proiding life-cycle management Centralized control and local autonomy Enhanced integration with the use of extensie APIs Choices to manage target systems either with an agent or agentless approach Reduced help desk costs Increased access security through the reduction of orphaned accounts Reduced administratie costs through the proisioning of users using software automation Reduced costs and delays associated with approing resource access to new and changed users Tioli Access Manager Enables your organization to use centralized security policies for specified user groups to manage access authorization throughout the network, including the ulnerable, internet-facing Web serers. Tioli Access Manager can be tightly coupled with IBM Tioli Identity Manager to reconcile user groups and accounts managed by Tioli Access Manager with the identities managed by IBM Tioli Identity Manager to proide an integrated solution for resource access control. Tioli Access Manager deliers: Unified authentication and authorization access to dierse Web-based applications within the entire enterprise 2 Product oeriew

7 Flexible single sign-on to Web, Microsoft, telnet and mainframe application enironments Rapid and scalable deployment of Web applications, with standards-based support for Jaa 2 Enterprise Edition (J2EE) applications Design flexibility through a highly scalable proxy architecture and easy-to-install Web serer plug-ins, rule- and role-based access control, support for leading user registries and platforms, and adanced APIs for customized security Tioli Federated Identity Manager Handles all the configuration information for a federation across organizational boundaries, including the partner relationships, identity mapping, and identity token management. Tioli Federated Identity Manager enables your organization to share serices with business partner organizations and obtain trusted information about third-party identities such as customers, suppliers, and client employees. You can obtain user information without haing to create, enroll, or manage identity accounts with the organizations that proide access to serices that are used by your organization. Consequently, users are spared from haing to register at a partner site, and from haing to remember additional logins and passwords. The result is improed integration and communication between your organization and your suppliers, business partners, and customers. For more information how access management products fit in larger solutions for a security lifecycle, refer to the Tioli Security Management Web site: IBM Redbooks and Redpapers also describe implementing IBM Tioli Identity Manager within a portfolio of IBM security products. Support for corporate regulatory compliance IBM Tioli Identity Manager proides support for corporate regulatory compliance. Compliance areas Tioli Identity Manager addresses corporate regulatory compliance in the following key areas: Proisioning and the approal workflow process Audit trail tracking Enhanced compliance status Password policy and password compliance Account and access proisioning authorization and enforcement Recertification policy and process Reports Proisioning and the approal workflow process Tioli Identity Manager proides support for proisioning, user accounts and access to arious resources. When implemented as one of a suite of security products, Tioli Identity Manager plays a key role to ensure that resources are proisioned only to authorized persons, safeguarding the accuracy and completeness of information processing methods and granting authorized users access to information and associated assets. Tioli Identity Manager proides an Product oeriew 3

8 integrated software solution for managing the proisioning of serices, applications, and controls to employees, business partners, suppliers, and others associated with your organization across platforms, organizations, and geographies. You can use its proisioning features to control the setup and maintenance of user access to system and account creation on a managed resource. At its highest leel, an identity management solution automates and centralizes the process of proisioning resources, such as operating systems and applications, to people in, or affiliated with, an organization. Organizational structure can be altered to accommodate the proisioning policies and procedures. Howeer, the organization tree used for proisioning resources does not necessarily reflect the managerial structure of an organization. Administrators at all leels can use standardized procedures for managing user credentials. Some leels of administration can be reduced or eliminated, depending on the breadth of the proisioning management solution. Furthermore, you can securely distribute administration capabilities, manually or automatically, among arious organizations. The approal process can be associated with different types of proisioning requests, including account and access proisioning requests. Life cycle operations can also be customized to incorporate the approal process. Models for proisioning Depending on business needs, Tioli Identity Manager proides alternaties to proision resources to authorized users on request-based, role-based, or hybrid models. Approal workflows Account and access request workflows are inoked during account and access proisioning. You typically use account and access request workflows to define approal workflows for account and access proisioning. Account request workflows proide a decision-based process to determine if the entitlement proided by a proisioning policy should be granted. The entitlement proided by a proisioning policy specifies the account request workflow that applies to the set of users in the proisioning policy membership. If multiple proisioning policies apply to the same user for the same serice target, and there are different account request workflows in each proisioning policy, the account request workflow that is inoked for the user is determined based on the priority of the proisioning policy. If a proisioning policy has no associated workflow and the policy grants an account entitlement, the operations that are related to the request run immediately. For example, an operation might add an account. Howeer, if a proisioning policy has an associated workflow, that workflow runs before the policy grants the entitlement. If the workflow returns a result of Approed, the policy grants the entitlement. If the workflow has a result of Rejected, the entitlement is not granted. For example, a workflow might require a manager s approal. Until the approal is submitted and the workflow completes, the account is not proisioned. When you design a workflow, consider the intent of the proisioning policy and the purpose of the entitlement itself. 4 Product oeriew

9 Tracking Tioli Identity Manager proides audit trail information about how and why a user has access. On a request basis, Tioli Identity Manager proides a process to grant, modify, and remoe access to resources throughout a business, and to establish an effectie audit trail using automated reports. The steps inoled in the process, including approal and proisioning of accounts, are logged in the request audit trail, and corresponding audit eents are generated in the database for audit reports. User and Account lifecycle management eents, including account and access changes, recertification, and compliance iolation alerts, are also logged in the audit trail. Enhanced compliance status Tioli Identity Manager proides enhanced compliance status on items such as dormant and orphan accounts, proisioning policy compliance status, recertification status, and a ariety of reports. Dormant accounts. You can iew a list of dormant accounts using the Reports feature. Tioli Identity Manager includes a dormant account attribute to serice types that you can use to find and manage unused accounts on serices. Orphan accounts. Accounts on the managed resource whose owner in the Tioli Identity Manager Serer cannot be determined are orphan accounts, which are identified during reconciliation when the applicable adoption rule cannot successfully determine the owner of an account. Proisioning policy compliance status. The compliance status based on the specification of proisioning policy is aailable for accounts and access. An account could be either compliant, non-compliant with attribute alue iolations, or disallowed. An access is either compliant or disallowed. Recertification status. The recertification status is aailable for user, account, and access target types, which indicates whether the target type is certified, rejected, or neer certified. The timestamp of the recertification is also aailable. Password policy and password compliance Tioli Identity Manager proides the ability to create and manage password policies. password policy defines the password strength rules that are used to determine whether a new password is alid. A password strength rule is a rule to which a password must conform. For example, password strength rules might specify that the minimum number of characters of a password must be fie and the maximum number of characters must be ten. The Tioli Identity Manager administrator can also create new rules to be used in password policies. If password synchronization is enabled, the administrator must ensure that password policies do not hae any conflicting password strength rules. When password synchronization is enabled, Tioli Identity Manager combines policies for all accounts that are owned by the user to determine the password to be used. If conflicts between password policies occur, the password might not be set. Proisioning policy and policy enforcement A proisioning policy grants access to many types of managed resources, such as Tioli Identity Manager serer, Windows NT serers, Solaris serers, and so on. Product oeriew 5

10 Proisioning policy parameters help system administrators define the attribute alues that are required and the alues that are allowed. Policy enforcement is the manner in which Tioli Identity Manager allows or disallows accounts that iolate proisioning policies. You can specify one of the following policy enforcement actions to occur for an account that has a noncompliant attribute. Mark Sets a mark on an account that has a noncompliant attribute. Suspend Suspends an account that has a noncompliant attribute. Correct Replaces a noncompliant attribute on an account with the correct attribute. Alert Issues an alert for an account that has a noncompliant attribute. Recertification policy and process A recertification policy includes actiities to ensure that users proide confirmation that they hae a alid, ongoing need for the target type specified (user, account, and access). The policy defines how frequently users must alidate an ongoing need. Additionally, the policy defines the operation that occurs if the recipient declines or does not respond to the recertification request. Tioli Identity Manager supports recertification policies that use a set of notifications to initiate the workflow actiities that are inoled in the recertification process. Depending on the user response, a recertification policy can mark a user s roles, accounts, groups, or accesses as recertified, suspend or delete an account, or delete a role, group, or access. Audits that are specific to recertification are created for use by seeral reports that are related to recertification: Accounts, access, or users pending recertification Proides a list of recertifications that are not completed. Recertification history Proides a historical list of recertifications for the target type specified. Recertification policies Proides a list of all recertification policies. User recertification history Proides history of user recertification. User recertification policy Proides a list of all user recertification policies. Reports Security administrators, auditors, managers, and serice owners in your organization can use one or more of the following reports to control and support corporate regulatory compliance: Accesses Report, which lists all access definitions in the system. Approals and Rejections Report, which shows request actiities that were either approed or rejected. Dormant Accounts Report, which lists the accounts that hae not been used recently. 6 Product oeriew

11 Entitlements Granted to an Indiidual Report, which lists all users with the proisioning policies for which they are entitled. Noncompliant Accounts Report, which lists all noncompliant accounts. Orphan Accounts Report, which lists all accounts not haing an owner. Pending Recertification Report, which highlights recertification eents that can occur if the recertification person does not take action on an account or access. This report supports data filtering by a specific serice type or a specific serice instance. Recertification Change History Report, which shows a history of accesses (including accounts) and when they were last recertified. This report seres as eidence of past recertifications. Recertification Policies Report, which shows the current recertification configuration for a gien access or serice. Separation of Duty Policy Definition Report, which lists the separation of duty policy definitions. Separation of Duty Policy Violation Report, which contains the person, policy, and rules iolated, approal and justification (if any), and who requested the iolating change. Serices Report, which lists serices currently defined in the system. Summary of Accounts on a Serice Report, which lists a summary of accounts on a specified serice defined in the system. Suspended Accounts Report, which lists the suspended accounts. User Recertification History Report, which lists the history of user recertifications performed manually (by specific recertifiers), or automatically (due to time out action). User Recertification Policy Definition Report, which lists the user recertification policy definitions. All reports are aailable to all users when the appropriate access controls are configured. Howeer, certain reports are designed specifically for certain types of users. Table 2. Summary of reports Designed for Aailable reports Security administrators Dormant Accounts Orphan Accounts Pending Recertification Recertification History Recertification Policies User Recertification History User Recertification Policies Managers Pending Recertification Recertification History Recertification Policies User Recertification History User Recertification Policies Product oeriew 7

12 Table 2. Summary of reports (continued) Designed for Aailable reports Serice owners Dormant Accounts Orphan Accounts Pending Recertification Recertification History Recertification Policies User Recertification History User Recertification Policies Auditors Dormant Accounts End users, help desk, and deelopers Orphan Accounts Pending Recertification Recertification History Recertification Policies User Recertification History User Recertification Policies None Identity goernance Release information IBM Tioli Identity Manager extends the identity management goernance capabilities with a focus on operational role management. Using roles simplifies the management of access to IT resources. Identity goernance includes these Tioli Identity Manager features: Role management Manages user access to resources, but unlike user proisioning, role management does not grant or remoe user access. Instead, it sets up a role structure to do it more efficiently. Entitlement management Simplifies access control by administering and enforcing fine-grained authorizations. Access certification Proides ongoing reiew and alidation of access to resources at role or entitlement leel. Priileged user management Proides enhanced user administration and monitoring of system or administrator accounts that hae eleated priileges. Separation of duties Preents and detects business-specific conflicts at role or entitlement leel. This section describes new features and hardware and software requirements for IBM Tioli Identity Manager. 8 Product oeriew

13 What s new in this release IBM Tioli Identity Manager continues to delier new identity management capabilities in line with common standards and best practices. This release extends identity management goernance capabilities with a focus on compliance. Role management capabilities Roles manage user access to resources, but unlike user proisioning, role management does not grant or remoe user access. Instead, it sets up a role structure to do it more efficiently. IBM Tioli Identity Manager 5.1 extends identity management goernance capabilities with a focus on operational role management. Management of access to IT resources using roles is simplified and enhanced with these role management capabilities: Role hierarchies Role hierarchies allow security administrators to build and plan logical role hierarchies and to build more meaningful role relationships. Role relationships can be implemented. Immediate parent-child role relationships can be tracked and naigated. Separation of duty can be ealuated where role hierarchy is used. Role relationships Role relationships allow roles to be logically linked by allowing parent-child role relationships in the hierarchy, in which child roles inherit the entitlements of their parent roles. A parent role can hae multiple child roles. A child role can hae multiple parent roles. Role relationships can be ealuated to determine which entitlements are inherited and granted. Proisioning behaior can be changed by role hierarchy assignment; for example, by making a department role a child of an application role. Role classification Role classification is the ability to classify a role for workflow and policy customization purposes. Default role types are business and application types. Business roles encompass the kind of job that a person does. Application roles encompass the kind of access that the person requires. Role relationships and role classification can be used to define how different role types relate. Role ownership and approals Role owners can be users or other roles. Roles can hae multiple owners. Workflow participants and access control items (ACIs) are enhanced to analyze and resole role participants. Role administration Organizational roles are a method of proiding users with entitlements to managed resources by determining which resources are proisioned for a user or set of users who share similar responsibilities. A role is a job function that identifies the tasks that a person can perform and the resources to which the person has access. Product oeriew 9

14 Separation of duty capabilities Separation of duty is a policy-drien feature to manage potential or existing role conflicts. A separation of duty policy is a logical container of separation rules that define mutually exclusie relationships among roles. Separation of duty policies are defined by one or more business rules that exclude users from membership in multiple roles that might present a business conflict. The purpose of the separation of duty policy is to group the rules for ease of administration. For example, you can assign a set of administrators to a policy, making the administrators responsible for tracking the iolations of a set of rules. Separation of duty capabilities include: Violation tracking through the administratie console, which proides identity goernance and accountability Violation and exemptions auditing through reports, which helps preent or highlight inappropriate use of priileges Approal workflow for separation of duties, which helps achiee compliance goals New access control items (ACIs), which reflect new separation of duty policy targets Ealuation of the separation of duty policy when workflow is used for identity feeds Preention of inalid or inconsistent (with business policy) combinations of roles, which prohibits parent-child relationships within a separation of duty policy Workflow participant type (SoD Policy Owner) Violations entity for workflow and notification customization Approal process, which allows for exemptions when a iolation occurs; the exemptions can be reoked later Separation of duty policies A separation of duty policy is a logical container of separation rules that define mutually exclusie relationships among roles. Separation of duty policies are defined by one or more business rules that exclude users from membership in multiple roles that might present a business conflict. Separation of duty policies reports This section describes arious separation of duty policy reports. Separation of duty iolation report This section describes the separation of duty iolation report. This report contains the person, policy, and rules iolated, approal and justification (if any), and who requested the iolating change. SeparationOfDutyRuleViolation Object that proides information about a specific separation of duty rule iolation. Use this object to get specific information about a separation of duty policy iolation. This object cannot be created for use by the user. The user can work only with SeparationOfDutyRuleViolation objects that the system has generated as part of the approesodviolation workflow. ParticipantType Workflow Participant Type constants. 10 Product oeriew

15 User recertification IBM Tioli Identity Manager proides the ability to certify and alidate a user s access to IT resources on a regular interal. User recertification is a type of certification process that combines recertification of a user s accounts, group memberships of accounts, and role memberships into a single actiity. User recertification actiities are completed by a specified participant, such as a manager or application owner. Each user recertification actiity lists accounts, group memberships, and role memberships owned by a user. Groups that are enabled as access are displayed within the actiity using the access information rather than the group information. The participant can indiidually approe or reject whether the user still requires each account, group membership, and role membership. Seeral actions can be taken when a resource or membership is rejected, including suspension of the resource or remoal of the membership. The user recertification policy proides options for configuring the scope of the recertification, workflow actiities, notifications, and timeout and rejection behaiors. Recertification policies Recertification simplifies and automates the process of periodically realidating a target type (account or access) or a membership (role or resource group). The recertification process alidates whether the target type or membership is still required for a alid business purpose. The process sends recertification notification and approal eents to the participants that you specify. A recertification policy includes actiities to ensure that users proide confirmation that they hae a alid, ongoing need for a specified resource or membership. Creating a user recertification policy As an administrator, you can create a user recertification policy to recertify the accounts, group membership of accounts, and memberships of users. User recertification history report This section describes the report that lists history of user recertifications performed manually (by specific recertifiers), or automatically (due to time out action). User recertification policy definition report This section describes a report that lists information about the user recertification policies defined in the system. Group management capabilities IBM Tioli Identity Manager proides additional security administration enhancements through new group management capabilities. Group management capabilities include: Ability to create, change, delete groups on the target resource as long as the Tioli Identity Manager ersion 5.1 adapter is installed Synchronous group proisioning to the target resource for creating, modifying, and deleting groups Streamlined naigation in the administratie console for group management New ersion 5.1 adapters and profiles take adantage of group management capabilities Product oeriew 11

16 Group administration IBM Tioli Identity Manager proides predefined groups. You can also create and modify customized groups. Tioli Common Reporting IBM Tioli Identity Manager features new reporting capabilities for auditing purposes and proides reports based on a common reporting component named IBM Tioli Common Reporting. This component is based on the Eclipse Business Intelligence Reporting Tool and proides custom report authoring, report distribution, report scheduling capabilities, and the ability to run and manage reports from multiple IBM Tioli products. Tioli Common Reporting is a reporting feature that is aailable as an additional benefit to owners of Tioli products. Tioli Common Reporting offers Tioli customers a common approach to iewing and administering reports. Tioli products proide report packages based on Tioli Common Reporting, with reports that hae a common look and feel across all Tioli products. For more details about the Tioli Common Reporting component, see the documentation on the Tioli Common Reporting DVD. For more information about the aailability of Tioli Identity Manager reports, see the Tioli Identity Manager Support Site. Reports included with Tioli Common Reporting Accesses Report Approals and Rejections Report Dormant Accounts Report Entitlements Granted to an Indiidual Report Noncompliant Accounts Report Orphan Accounts Report Separation of Duty Policy Definition Report Separation of Duty Policy Violation Report Serices Report Summary of Accounts on a Serice Report Suspended Accounts Report User Recertification History Report User Recertification Policy Definition Report Configuring and administering IBM Tioli Common Reporting IBM Tioli Common Reporting (also called the reports pack) focuses on account, serice, and request information. New APIs These new application programming interfaces (APIs) are aailable to support the new features of IBM Tioli Identity Manager 5.1. Group GroupEntity GroupFactory GroupManager GroupMO GroupSearch 12 Product oeriew

17 GroupSerice New methods on the Role, RoleEntity, and RoleMO classes SeparationOfDutyPolicy SeparationOfDutyPolicyManager SeparationOfDutyPolicyMO SeparationOfDutyRule UserRecertificationCompletionImpact UserRecertificationWorkflowAssignmentMO New workflow extensions These new workflow extensions are aailable to support the new features of IBM Tioli Identity Manager 5.1. approerolesbyowner approeroleswithoperation callapproaloperation addseparationofdutypolicy callsodapproaloperation constructapproaldocument remediateaccountsandgroups remediaterolememberships updaterecertificationstatusallapproed updaterecertificationstatusemptydocument Sample workflow: sequential approal for user recertification using packaged approal node This scenario shows an organization policy that requires user recertification to be approed by two leels of approers. The first approer submits decisions that are reiewed by the second approer. The second approer can change the decisions made by the first approer and then submit the final decisions. The request in this scenario is for recertification approal of user resources (accounts, groups, or roles). Sample workflow: user recertification role membership approal by role owner This scenario shows an organization with a policy that requires that role membership recertifications are completed by indiidual role owners, while the user s accounts and groups are recertified by the manager. After all approals hae been completed, the indiidual resource decisions are combined and remediated. New JaaScript functions These new JaaScript functions are aailable to support the new features of IBM Tioli Identity Manager 5.1. PackagedApproalDocument PackagedApproalItem RecertificationWorkflow SeparationOfDutyRuleViolation PackagedApproalDocument A releant data object used in multi-item approal, used exclusiely in user recertification workflows. This object is made up of multiple Product oeriew 13

18 PackagedApproalItem objects from the user recertification approal and allows for searching and retrieing recertification items. PackagedApproalItem A releant data object used in IBM Tioli Identity Manager multi-item approal, used exclusiely in user recertification workflows. This object represents the indiidual roles, accounts, and groups that are presented to the user during the recertification process. Some items might contain a decision code indicating the choice of the approers for that item. Each item also contains a list of children that is used to represent relationships between accounts and groups. RecertificationWorkflow Proides extended capabilities to user recertification workflows, including audit support for the reporting and iew requests functions. SeparationOfDutyRuleViolation Object that proides information about a specific separation of duty rule iolation. Use this object to get specific information about a separation of duty policy iolation. This object cannot be created for use by the user. The user can work only with SeparationOfDutyRuleViolation objects that the system has generated as part of the approesodviolation workflow. Hardware and software requirements Hardware and software requirements that are stated here for IBM Tioli Identity Manager take precedence oer any other mention in other IBM Tioli Identity Manager publications. These requirements were current when this publication went to production. For possible updates to this information, contact your customer support representatie. Operating system requirements The IBM Tioli Identity Manager installation program checks to ensure that specific operating systems and leels are present before starting the installation process. Table 3 identifies the operating systems, patches, and minimum requirements for installation: Table 3. Operating system requirements for IBM Tioli Identity Manager Operating system Patch or maintenance leel requirements AIX Version 5.3 None AIX Version None Sun Serer Solaris 10 (SPARC) 2 None Windows Serer 2003 Standard None Edition and Enterprise Edition Windows Serer 2008 Standard None Edition and Enterprise Edition Red Hat Linux Enterprise 4.0 None for Intel, System p and System z Red Hat Linux Enterprise 5.0 for Intel, System p and System z None 14 Product oeriew

19 Table 3. Operating system requirements for IBM Tioli Identity Manager (continued) Operating system SUSE Linux Enterprise Serer 9.0 for Intel, System p and System z SUSE Linux Enterprise Serer 10.0 for Intel, System p and System z SUSE Linux Enterprise Serer 11.0 for Intel, System p and System z Patch or maintenance leel requirements None None None Note: 1. Support is also aailable for AIX 6.1 WPAR. 2. Support is also aailable for Sun Serer Solaris bit LDOM. Hardware requirements IBM Tioli Identity Manager has these hardware requirements: Table 4. Hardware requirements for IBM Tioli Identity Manager System components Minimum alues* Recommended alues** System memory (RAM) 2 gigabytes 4 gigabytes Processor speed Single 2.0 gigahertz Intel or pseries processor Dual 3.2 gigahertz Intel or pseries processors Disk space for product and prerequisite products 20 gigabytes 25 gigabytes * Minimum alues: These alues enable a basic use of IBM Tioli Identity Manager. ** Recommended alues: You might need to use larger alues that are appropriate for your production enironment. Software prerequisites IBM Tioli Identity Manager has these software prerequisites: Jaa Runtime Enironment (JRE) requirements: IBM Tioli Identity Manager requires JRE ersion 1.5 SR9, which is installed in the WAS_HOME/jaa directory when WebSphere Application Serer Fix pack 23 is installed. Use of an independently installed deelopment kit for Jaa, from IBM or other endors, is not supported. The JRE requirements for using a browser to create a client connection to the IBM Tioli Identity Manager serer are different than the JRE requirements for running the WebSphere Application Serer. WebSphere Application Serer requirements: The following table lists the required ersion of WebSphere Application Serer and any applicable fix pack or APAR requirements. Product oeriew 15

20 Table 5. Requirements for using WebSphere Application Serer with IBM Tioli Identity Manager Application Fix Cumulatie Additional AIX AIX Solaris Windows Windows Red serer pack, fix APARs Serer SererHat patch, and maintenance leel requirements Linux 4.0 WebSphere Fix Application pack Serer 23 Version 6.1 WebSphere Fix Application pack 5 Serer Version 7.0 None None None None Red Hat Linux 5.0 SUSE SUSE SUSE Linux Linux Linux 9.0, Database serer requirements: IBM Tioli Identity Manager has these database serer requirements: Table 6. Database serer requirements Database Fix serer AIX 5.3 pack, patch, and maintenance leel requirements AIX 6.1 SolarisWindows Windows Red 10 Serer 2003 Serer 2008 Hat Linux 4.0 Red Hat Linux 5.0 SUSE Linux 9.0 SUSE Linux 10.0 SUSE Linux 11.0 IBM Fix pack DB2 4 Enterprise Version 9.1 IBM Fix pack DB2 3B Enterprise Version IBM DB2 Enterprise Version 9.7 Microsoft SQL Serer 2005, Enterprise Edition 2 16 Product oeriew

21 Table 6. Database serer requirements (continued) Database Fix serer pack, patch, and AIX 5.3 maintenance leel requirements AIX 6.1 SolarisWindows Windows Red 10 Serer 2003 Serer 2008 Hat Linux 4.0 Red Hat Linux 5.0 SUSE Linux 9.0 SUSE Linux 10.0 SUSE Linux 11.0 Oracle 10g Release 2 (Version ) 3 Oracle 11g Release Note: 1. IBM DB2 Enterprise 9.5 is not supported on Linux 32 bit operating systems or on any Linux operating systems on pseries hardware. IBM DB2 9.5 WorkGroup Edition is bundled for Linux 32 bit operating systems. 2. IBM Tioli Identity Manager must be running on a supported Windows operating system if Microsoft SQL Serer is used for the IBM Tioli Identity Manager database. 3. The Oracle database drier is required for both Oracle 10gR2 and Oracle 11g databases. 4. Oracle 11g ersion supports Windows Serer and 64 bit operating systems. Directory serer requirements: IBM Tioli Identity Manager has these directory serer requirements: Table 7. Directory serer requirements Directory Fix serer AIX 5.3 pack, patch, and maintenance leel requirements AIX 6.1 SolarisWindows Windows Red 10 Serer 2003 Serer 2008 Hat Linux 4.0 Red Hat Linux 5.0 SUSE Linux 9.0, SUSE Linux 10.0 SUSE Linux 11.0 IBM Tioli Directory Serer Version IBM Tioli Directory Serer Version Product oeriew 17

22 Table 7. Directory serer requirements (continued) Directory Fix serer pack, patch, and AIX 5.3 maintenance leel requirements AIX 6.1 SolarisWindows Windows Red 10 Serer 2003 Serer 2008 Hat Linux 4.0 Red Hat Linux 5.0 SUSE Linux 9.0, SUSE Linux 10.0 SUSE Linux 11.0 Sun Enterprise Directory Serer Version 6.3 Note: 1. Supported with Tioli Directory Serer 6.1 Fix pack Supported with Tioli Directory Serer 6.1 Fix pack 4. Directory Integrator requirements: Tioli Identity Manager has these optional directory integrator requirements: You can optionally install IBM Tioli Directory Integrator Version 6.1.1, Version 6.1.2, or Version 7.0 for use with IBM Tioli Identity Manager. IBM Tioli Directory Integrator is used to enable communication between the installed agentless adapters and IBM Tioli Identity Manager. For more information on agentless adapters, refer to the IBM Tioli Identity Manager Installation and Configuration Guide. Table 8. Directory integrator requirements Directory Fix integrator pack, AIX 5.3 patch, and maintenance leel requirements AIX 6.1 SolarisWindows Windows Red 10 Serer 2003 Serer 2008 Hat Linux 4.0 Red Hat Linux 5.0 SUSE Linux 9.0, SUSE Linux 10.0 SUSE Linux 11.0 IBM Tioli Directory Integrator Version IBM Tioli Directory Integrator Version Product oeriew

23 Table 8. Directory integrator requirements (continued) Directory Fix integrator pack, AIX 5.3 patch, and maintenance leel requirements AIX 6.1 SolarisWindows Windows Red 10 Serer 2003 Serer 2008 Hat Linux 4.0 Red Hat Linux 5.0 SUSE Linux 9.0, SUSE Linux 10.0 SUSE Linux 11.0 IBM Tioli Directory Integrator Version 7.0 Note: For the UNIX and Linux adapter IBM Tioli Identity Manager requires: Version 6.1.1, Fix Pack FP0003 or higher Version 6.1.2, Fix Pack FP0001 or higher Version 7.0, Fix Pack FP0001 or higher Report serer requirements: The following table lists the required ersion of Tioli Common Reporting Serer and any applicable fix pack or APAR requirements. Table 9. Requirements for using Tioli Reporting Serer with IBM Tioli Identity Manager Report serer Fix pack, patch, and maintenance leel Cumulatie fix Additional APARs requirements Tioli Common Reporting Serer, Version Interim fix 02 of fix pack 2 None None You can download the latest fixes for Tioli Common Reporting Serer from the Fix Central Web site at Browser requirements for client connections: IBM Tioli Identity Manager has browser requirements for client connections. The IBM Tioli Identity Manager administratie user interface uses applets that require a Jaa plug-in proided by Sun Microsystems JRE Version 1.5 or higher. When the browser requests a page that contains an applet, it attempts to load the applet using the Jaa plug-in. If the required JRE is not present on the system, the browser prompts the user for the correct Jaa plug-in, or fails to complete the presentation of the items in the window. The Tioli Identity Manager user interface is displayed correctly for all pages that do not contain a Jaa applet, regardless of JRE installation. Cookies must be enabled in the browser to establish a session with IBM Tioli Identity Manager. Product oeriew 19

24 Note: Do not start two or more separate browser sessions from the same client computer. The two sessions are regarded as one session ID, which will cause problems with the data. The following table lists the browser and browser ersions that are supported by IBM Tioli Identity Manager. Supported browsers are not included with the product installation. Table 10. Browser requirements BrowserFix pack, patch, and Mozilla, Firefox Version 2.0 Mozilla, Firefox Version 3.0 Mozilla, Firefox Version 3.5 Microsoft Internet Explorer, Version 7.0 Microsoft Internet Explorer, Version 8.0 AIX 5.3 maintenance leel requirements AIX 6.1 Solaris Windows Windows Windows Red 10 Serer 2003 Serer 2008 clients Hat Linux 4.0 Red Hat Linux 5.0 SUSE Linux 9.0, SUSE Linux 10.0 SUSE Linux 11.0 Note: 1. Supported with Windows Serer 2003 Serice Pack 1 (SP1). Supported adapter leels IBM Tioli Identity Manager supports the use of agentless and agent-based adapters. The IBM Tioli Identity Manager installation program will always install the following adapter profiles: AIX profile (UNIX and Linux adapter) Solaris profile (UNIX and Linux adapter) HP-UX profile (UNIX and Linux adapter) Linux profile (UNIX and Linux adapter) LDAP profiles (LDAP adapter) 20 Product oeriew

25 The IBM Tioli Identity Manager installation program will optionally install the agentless adapter profiles for the IBM Tioli Identity Manager LDAP adapter and IBM Tioli Identity Manager UNIX and Linux adapter. It is recommended that you install the latest adapter profile before you start using the adapter. You must take additional steps to install adapters if you choose not to install them during the IBM Tioli Identity Manager installation or if the adapter is not installed as a serice profile with IBM Tioli Identity Manager. The LDAP adapter supports an LDAP directory that uses the RFC 2798 schema, which enables communication between the IBM Tioli Identity Manager and systems running IBM IBM Tioli Directory Serer or Sun ONE directory serer. The IBM Tioli Identity Manager LDAP Adapter Installation Guide describes how to configure the LDAP adapter. The following table lists the UNIX and Linux systems and ersions that are supported by the UNIX and Linux adapter. Table 11. Prerequisites to run the UNIX and Linux adapter Operating system Version AIX AIX 5.1, AIX 5.2, AIX 5.3 HP-UX HP-UX 11i Trusted, HP-UX 11i Non-Trusted Red Hat Linux Red Hat Enterprise Linux Adanced Serer 3.0 Red Hat Enterprise Linux Adanced Serer 4.0 Red Hat Enterprise Linux Enterprise Serer 3.0 Red Hat Enterprise Linux Enterprise Serer 4.0 Solaris Solaris 9, Solaris 10 SUSE Linux SLES 8, SLES 9 Adapters are aailable at the following IBM Passport Adantage Web site: passporthome Installation and configuration guides for adapters can be found at the following Tioli Identity Manager information center Web site: Installation images and fix packs IBM Tioli Identity Manager installation files and fix packs can be obtained using the IBM Passport Adantage Web site, or by another means, such as a CD or DVD as proided by your IBM sales representatie. The Passport Adantage Web site proides packages, referred to as eassemblies, for arious IBM products. The IBM Tioli Identity Manager Installation and Configuration Guide proides full instructions for installing and configuring IBM Tioli Identity Manager and the prerequisite middleware products. The procedure that is appropriate for your organization depends on the following conditions: Operating system used by IBM Tioli Identity Manager Product oeriew 21

26 Language requirements for using the product Type of installation you need to perform: eassembly for the product and all prerequisites The IBM Tioli Identity Manager installation program enables you to install IBM Tioli Identity Manager, prerequisite products, and required fix packs as described in the IBM Tioli Identity Manager Installation and Configuration Guide. This type of installation is recommended if your organization does not currently use one or more of the products required by IBM Tioli Identity Manager. eassembly for a manual installation You can install IBM Tioli Identity Manager separately from the prerequisites, and you can install separately any of the prerequisite products that are not installed. In addition, you must erify that each prerequisite product is operating at the required fix or patch leel. Known limitations, problems, and workarounds IBM Tioli Identity Manager has these known software limitations, problems, and workarounds. As limitations and problems are discoered and resoled, the IBM Software Support team updates the online knowledge base. By searching the knowledge base, you can find workarounds or solutions to problems that you experience. The following link launches a customized query of the lie Support knowledge base for items specific to ersion 5.0: Tioli Identity Manager Version 5.0 tech notes To create your own query, go to the Adanced search page on the IBM Software Support Web site. Product installation, upgrade, and remoal limitations, problems and workarounds You might encounter these IBM Tioli Identity Manager Serer installation, upgrade, or product remoal problems, and use these workarounds: Problem: The dollar sign ($) has special meaning in the installer frameworks used by IBM Tioli Identity Manager Serer and non-windows operating platforms. The installer framework or operating system might do ariable substitution for the alue. For example, on UNIX-like platforms, $$ will be replaced with the process ID. For installers based on ISMP (InstallShield Multiplatform), $$ are replaced with a single $. Workaround: Aoid using $ as a alue in any field in a IBM Tioli Identity Manager Serer installation or configuration page. Problem: If you uninstall and then quickly reinstall IBM Tioli Identity Manager Serer, the performance of the graphical user interface degrades significantly and might become unusable. The performance of the WebSphere Application Serer might also degrade. Although no messaging engine problem is the cause, the symptom is a message such as: CWSIT0019E: No suitable messaging engine is aailable on bus itim_bus Workaround: Remoe the WebSphere Application Serer transaction log files. In the WAS_PROFILE_HOME/tranlog/cell_name/node_name/serer_name/ transaction/tranlog/ directory, the files are named log1 and log2. Additionally, in the WAS_PROFILE_HOME/tranlog/cell_name/node_name/ serer_name/transaction/partnerlog/ directory, the files are named log1 and log2. 22 Product oeriew

27 The cause of the problem is that after reinstallation, transaction recoery may not be able to complete properly. The cause is a problem in the transaction log. The messaging engine detects this condition as identifiers in the transaction log that remain from the preious IBM Tioli Identity Manager Serer installation, and that differ from the current database. Problem: When user groups are migrated from Version 4.6 of IBM Tioli Identity Manager Express, a help desk assistant at IBM Tioli Identity Manager Version 5 is able to change the role of a group member, but not the IBM Tioli Identity Manager account. Workaround: At IBM Tioli Identity Manager Express Version 4.6, groups and roles were not separated. A help desk user could assign any user to any group by changing the user s personal profile, because groups and roles were treated as the same. At Version 4.6, howeer, a help desk user could not update or request a IBM Tioli Identity Manager account. To proide change permission, create a new access control item that targets IBM Tioli Identity Manager accounts and grants that permission. Problem: After an upgrade from IBM Tioli Identity Manager Express Version 4.6 to IBM Tioli Identity Manager Version 5, a manager who clicks Manage users to manage a specific subordinate will obsere these results: All the users in IBM Tioli Identity Manager are displayed. The details of the subordinates were read only. Workaround: Immediately after upgrading from Version 4.6 to Version 5, as system administrator, adjust the iews and access control items for managers, to produce the correct results: iews IBM Tioli Identity Manager Express Version 4.6 proided independent iew settings for manager tasks. These independent tasks no longer exist in IBM Tioli Identity Manager Version 5. Instead, managers use the same tasks as help desk assistants. In this scenario, the Change Subordinate s Profile task no longer exists. After the upgrade, you must enable Change User in the manager iew. This also applies to the other manager-specific tasks from IBM Tioli Identity Manager Express Version 4.6 such as requesting, changing, or deleting an account. access control items The *default* access control items in IBM Tioli Identity Manager Express Version 4.6 allowed managers to search for all users, but the logic in the manager-specific tasks, such as Change Subordinate s Profile, displayed only the manager s subordinates. Since those special tasks no longer exist in IBM Tioli Identity Manager Version 5, you must adjust the access control items so that managers can search only for their subordinates. Problem: After an upgrade from IBM Tioli Identity Manager Express Version 4.6 to IBM Tioli Identity Manager Version 5, for the users created preiously on Version 4.6, the Identity Manager login ID field is also displayed in a user s profile in the Personal Information page at Version 5. Howeer, for the default System Administrator which is a system generated person, the attribute Identity Manager login ID is not displayed. Creating a new person on the upgraded Version 5 does not display the Identity Manager login ID. Workaround: Upgrade disables the default identity policy for ITIM Serice, which is responsible for populating the erpersonuid (Identity Manager Login ID) attribute when a user is created. To hide the field for the users created preiously on Version 4.6, use the Form Designer to hide the TIM Account Product oeriew 23

28 userid in the Person form. To enable all preious and new end-users to see the field, enable the IBM Tioli Identity Manager Express Version 4.6 identity policy that copies the userid to that attribute. The Identity Manager login ID field was used in IBM Tioli Identity Manager Express Version 4.6 because the IBM Tioli Identity Manager Express account was hidden, and users needed a field that displayed their user ID. After upgrading to Version 5, the IBM Tioli Identity Manager accounts are no longer hidden and there is no need for the field. Users can find their user ID by looking at the IBM Tioli Identity Manager accounts. The identity policy might not function if you migrate a deployment from single-serer deployment of IBM Tioli Identity Manager Express Version 4.6 to a cluster enironment at Version 5, because a cluster enironment uses an in-memory cache to aoid ID collisions that would be unique to each cluster member. Problem: Middleware configuration errors occur if you use InstallShield MultiPlatform to install IBM Tioli Identity Manager on RedHat Enterprise Linux Version 5.0, which proides 64-bit JVM. For example, an error message might be: The installer is unable to run in graphical mode. Try running the installer with the -console or -silent flag. Additionally, some X display programs might not work. Workaround: During installation on RedHat Enterprise Linux Version 5.0, the InstallShield MultiPlatform middleware configuration tool requires 32-bit JVM, including the 32-bit ersion of libxmu.so.6, which must reside in the /usr/lib directory. These 32-bit libraries are not installed by default. Before installing IBM Tioli Identity Manager, obtain the following files and write them to the /usr/lib directory: 64-bit zlinux systems libxmu s390.rpm 64-bit X86 systems libxmu i386.rpm Problem: When you upgrade IBM Tioli Identity Manager Version 5.0, you might perform tasks similar to this scenario: 1. Create a new organization and create users in the new organization. 2. Create a hosted ITIM serice and proide at least one of the newly created users with an account on the serice. For example, the newly created user s account might hae the user ID of helpdeskuser. 3. Add helpdeskuser to the Help Desk Assistant group. 4. Log out and log in as helpdeskuser. 5. Naigate to Manage users in the portfolio and search for users. Although users exist, the search by the Help Desk member displays no users. The default search page does not automatically search the logged in user s organization. Workaround: Use the Adanced search feature to select to the new organization and perform the search. The users are then found and listed. Problem: After an upgrade from a preious ersion of Tioli Identity Manager, errors can occur when you attempt to iew requests made before the upgrade. Additionally, a similar error occurs in iewing requests if you create identically named serices and then delete them. 24 Product oeriew

29 Workaround: Pending a fix, a method in the serice search returns items from the recycle bin. To correct this, remoe all serice entries from the recycle bin. For example, to remoe a serice entry, complete these steps: 1. Use the ldap browser to connect to the directory serer. 2. Expand the entries under ou=recyclebin, ou=itim, <tenant_dn>, where the alue of <tenant_dn> is the actual DN. 3. Delete the entry matching objectclass=ersericeitem attribute under ou=recyclebin, ou=itim, <tenant_dn>. Problem: Problems might arise from an improper configuration of the JDBC drier at upgrade time for IBM Tioli Identity Manager. At upgrade time, the IBM Tioli Identity Manager installation prompts for the location of the JDBC drier for IBM Tioli Identity Manager to use in connecting to the database. If the administrator does not reference an Oracle 10.x JDBC drier (ojdbc14.jar), problems can occur when users attempt to reconcile serices following an Oracle upgrade from Version 9.x to 10.x. The error produces a message similar to this: CTGIMU552E An error occurred while communicating with the serer. Workaround: IBM Tioli Identity Manager requires the JDBC drier to be matched with the database serer leel; therefore, the drier needs to be updated with the Oracle 10.x drier. Replace the ojdbc14.jar file in ITIM_HOME/lib with the JAR file proided by the Oracle Version 10.x installation, and then restart the WebSphere Application Serer. The JDBC drier leel used by the WebSphere Application Serer is printed in the SystemOut.log at serer startup. This is an example log record in SystemOut.log for the Oracle 9.x JDBC drier, which is the wrong drier: [12/6/07 10:32:02:369 EST] DSConfigurati I DSRA8205I: JDBC drier name : Oracle JDBC drier [12/6/07 10:32:02:372 EST] DSConfigurati I DSRA8206I: JDBC drier ersion : This is an example log record in SystemOut.log for the Oracle 10.x JDBC drier, which is the correct drier: [12/6/07 10:54:41:913 EST] InternalOracl I DSRA8205I: JDBC drier name : Oracle JDBC drier [12/6/07 10:54:41:918 EST] InternalOracl I DSRA8206I: JDBC drier ersion : Problem: If there are two or more nodes that contain node.xml files on the WebSphere Application Serer, errors can occur when the IBM Tioli Identity Manager installation program checks in alphabetic order for the existence of the NODE_NAME directory as the node that the WebSphere Application Serer should use as the target serer to deploy IBM Tioli Identity Manager to. For example, you might see an error message similar to this one: Serer name is not alid This is a critical failure. Although the installation process will continue, the installation will later fail. On the WebSphere Application Serer, the node.xml file is in this directory: WAS_HOME/config/cells/CELL_NAME/nodes/ NODE_NAME/serers/SERVER_NAME/ where: WAS_HOME The installation directory, such as /opt/ibm/websphere/appserer/ profiles/appsr01. Product oeriew 25

30 CELL_NAME The cell name, such as tims12node01cell. NODE_NAME The node name, such as tims12node01. SERVER_NAME The serer name, such as serer1. Workaround: To work around the error, complete these tasks: 1. Back up in your sequence of completing the installation panels to the preious panel. 2. Temporarily rename the node.xml files that exist in the wrong nodes, to allow the installation program to find the correct node.xml file. 3. Continue forward in the installation panels, passing the Serer Name is not alid error message to continue the installation. 4. Rename the files back to their original names when installation is complete. To rename a node.xml file, for example, type: Windows systems: rename node.xml node.xml.original UNIX/Linux systems: m node.xml node.xml.original Problem: When running the manual uninstallation of IBM Tioli Identity Manager Version 5.0 from the ITIM_HOME\itim\itimUninstallerData directory, the messages Preparing SILENT Mode Installation... and Installation Complete appear. These messages are not indicatie of the proper function of the uninstaller. Limitation: This is a known limitation of the InstallAnywhere platform that is used to customize the manual uninstallation of IBM Tioli Identity Manager. Problem: After upgrading from IBM Tioli Identity Manager ersion 4.6 and iewing requests in the Identity Manager console, the following warning is issued in the trace log: Unable to parse erworkflow attribute alue for iew requests -- using default query. This message occurs because the formatting of the user s iew requests preferences was changed between releases. This trace entry indicates that the preferences cannot be parsed, and is replaced with the default query. Limitation: This is a onetime occurrence for each user as they use the iew requests function after the upgrade. The message can safely be ignored. The user preferences are updated, using the default query as a starting point. Problem: Passwords might be displayed in the clear in the itim_install.stderr installation log file. Limitation: This is a onetime installation log file. After a successful installation the log can be deleted. Problem: The script files changecipher and startincrementalsynchronizercmd_was are not working correctly. Workaround: To use the scripts changecipher.sh, changecipher.bat, startincrementalsynchronizercmd_was.sh and startincrementalsynchronizercmd_was.bat, you must first set the ITIM_HOME and WAS_HOME ariables in the scripts. 26 Product oeriew

31 IBM Tioli Identity Manager Serer limitations, problems, and workarounds These are IBM Tioli Identity Manager Serer problems, workarounds, and limitations: Problem: APARS that were fixed in IBM Tioli Identity Manager Version 4.6 and in IBM Tioli Identity Manager Express Version 4.6 are still pending resolution for IBM Tioli Identity Manager Version 5.0. Limitation: APARS pending resolution at Version 5.0 include: IY86885, IY86991, IY88093, IY91022, IY91040, IY91106, IY91896, IY92097, IY92176, IY92227, IY92688, IY92841, IY92851, IY93514, IY94096, IY94415, IY94425, IY94471, IY94616, IY94708, IY94774, IY94978, IY94980, IY94986, IY95478, IY95684, IY95834, IY96118, IY96257, IY96616, IY96967, IY97292, IY97340, IY97662, IY97665, IY97769, IY98312, IY98464, IY98612, IY99084, IY99175, IY99208, IY99295, IY99300, IY99416, IY99624, IY99659, IY99660, IY99813, IY99826, IZ00148, IZ00153, IZ00195, IZ00197, IZ00311, IZ00318, IZ00812, IZ00815, IZ01021, IZ01059, IZ01074, IZ01107, IZ01112, IZ01125, IZ01187, IZ01588, IZ01602, IZ01654, IZ01763, IZ01768, IZ01799, IZ01890, IZ01953, IZ02057, IZ02355, IZ02621, IZ02744, IZ03822, IZ03983, IZ04263, IZ04631, IZ47646, IZ04801, IZ05063, IZ05103, IZ05313, IZ05732, IZ05951, IZ06712, IZ07364, IZ07571, IZ08011, IZ08157, IZ08190, IZ08287, IZ08459 Problem: When you apply the IBM Tioli Identity Manager Serer Fix Pack for LdapUpgrade, the Fix Pack application fails with error 80 if the TAM-ESSO Tioli Access Manager for Enterprise Single Sign-On Proisioning Adapter has been integrated into IBM Tioli Identity Manager Serer. The process of TAM-ESSO integration introduces new attributes into the IBM Tioli Identity Manager Serer system object classes eraccountitem and ersericeitem. LdapUpgrade will fail with the message Error in loading schema - LDAP: error code 80-Other. The NamingException should be logged in ITIM_HOME/install_logs/ldapUpgrade.stdout file. Limitation: To resole the error, complete these manual steps: 1. Click OK when the Error in loading schema message occurs. 2. After the Fix Pack application is done, update the ITIM_HOME/config/ ldap/er-schema.dsml file by modifying IBM Tioli Identity Manager Serer object classes, eraccountitem and ersericeitem. a. After the object-identifier object-identifier of eraccountitem, add the entries below: <attribute ref="goadminid" required="false" /> <attribute ref="goadminpwd" required="false" /> <attribute ref="goapplicationdescription" required="false" /> <attribute ref="goapplicationid" required="false" /> <attribute ref="goapplicationpwd" required="false" /> <attribute ref="gocredattribute1" required="false" /> <attribute ref="gocredattribute2" required="false" /> <attribute ref="gossouserid" required="false" /> b. After the object-identifier object-identifier of ersericeitem, add the entries below: <attribute ref="goapplicationidmeta" required="false" /> <attribute ref="gossouseridmeta" required="false" /> <attribute ref="goapplicationdescriptionmeta" required="false"/> <attribute ref="gocredattribute1meta" required="false" /> <attribute ref="gocredattribute2meta" required="false" /> <attribute ref="goapplicationuseridmeta" required="false" /> c. Run ITIM_HOME/bin/ldapUpgrade. Problem: The forms designer proides the ability to edit the Person form template. During an editing session, under the personal tab, you can replace the Product oeriew 27

32 initials text field with the password pop-up widget. The field will then contain initials of a person which are encrypted because of change in widget. Howeer, a correct error message does not appear after you create the Person instance, and then put incorrect initials in the text field. Limitation: To aoid issues with popup blocking software, the password pop-up widget does not launch a new window. Problem: During a change or modify operation, the password widget used in custom form pages can cause display of a blank password field, rather than a sequence of asterisks (***). Howeer, if the widget is part of the first tab in a notebook or first step in a wizard, the field will be blank. Limitation: Use of a blank alue preents a user from discoering the alue of a password by iewing the page source file. Problem: How to define default alues for attributes not shown on an account form using a form widget is not described. Workaround: To use a form widget to define an account default when the attribute is not on the form, complete the following steps: 1. Select Configure System > Design Forms task to add the attribute to the account form. 2. Select a widget for the attribute and sae the form. 3. Select Manage Serices > Manage Default task to define the default alue. You can use the widget configured for the attribute on the form to define the default alue. 4. Remoe the attribute from the account form, using the Configure System > Design Forms task and sae the form. Problem: Errors occur if a semicolon is used within a password on the Windows operating system. Workaround: When you define a password, do not use a semicolon. Problem: If you start an actiity as a user, and while the actiity is pending, delete the serice to which the actiity applies, the actiity remains in the actiity list for the user, and an error message occurs if you attempt to iew the target actiity. Limitation: Cleanup of pending actiities does not immediately occur for running workflows that reference a serice, when the serice is deleted. The information is not easily aailable (if at all) to the running workflows. The workflow runs to completion, or until an error occurs. For example, if a workflow is assigned to account creation for a gien serice and an account on that serice is requested, the workflow starts. If the serice is deleted during the run, the account request workflow continues to run, including any required approals, and other operations. When the workflow attempts to create the account on the deleted serice, the workflow fails because the serice no longer exists. Problem: In a key=alue pair in a property file such as CustomLabels.properties file, you must specify a key name that is entirely lowercase. Otherwise, an error occurs. Limitation: Because the method that fetches the schema class for an attribute will return only lowercase characters, you must specify in any properties file, a key name that is entirely lowercase. Problem: If you suspend and then restore an account, the notification of account restoration does not contain the account password. This occurs if the 28 Product oeriew

33 person initiating the restore is the owner of the account, or if the password was not changed as part of the restore operation (the account is restored with the same password as before). Limitation: This notification behaior is working as designed. The person who owns the restored account, and did not change the password, still knows the existing password. Problem: Using LDAP Data Interchange Format (LDIF) files to import backed-up directory information can cause problems if the system is not stopped, or workflows are incomplete. Workaround: When you use LDIF files to import backed-up directory information, ensure that the application serers hae been stopped. If the LDIF import modifies workflows or operations, ensure that all workflows are complete before you perform the import operation. For more information about importing LDIF files, refer to your directory serer documentation. Problem: When you create a serice and add an attribute, there might be attribute with the same name that already exists, but does not yet hae any user data stored. If you add a duplicate attribute with same name in other serice type, the change to attribute with the duplicate name will affect data in other serice profiles. For example, adding a single-alued attribute in the case where a preiously existing attribute is multi-alued, will change the attribute type to single-alued in all serice profiles in which this attribute exists. If no data exists, there is no warning message. Workaround: Before you create an attribute for a serice, ensure that the new attribute does not already exist in other serice profiles. Problem: When configuring an entitlement parameter for a proisioning policy, if the attribute alue is defined to be of type JaaScript, but only a single string is entered, such as my password, the string is automatically conerted to type Constant. Limitation: A single string of type JaaScript is automatically conerted to type Constant, for an attribute of an entitlement parameter of a proisioning policy. Problem: When selecting objects for a partial export, other objects that the selected objects depend on are automatically added to the export list by the system. If you then remoe a selected object, the objects that the selected object depends on are not also automatically remoed from the export list, nor can they be remoed manually. Workaround: Either continue to export the list and ignore the extraneous objects, or sae the list, and then delete it and make a new partial export list without the object that you wanted to remoe. Then, perform the export. Problem: If a user has a IBM Tioli Identity Manager account in multiple IBM Tioli Identity Manager groups, an notification that the user receies might contain links to both the administrator and self-care user interfaces. Workaround: Use either link. This is working as designed. Two links are generated because of user s membership in two different types of IBM Tioli Identity Manager groups (end user and non-end user) through the user s IBM Tioli Identity Manager accounts. Problem: In some circumstances, when you click Test Connection for an AD OrganizationalPerson identity feed serice, and you hae proided incorrect information, an error message is displayed without the remaining content of the page. Workaround: Refresh your browser page, or exit the task and perform it again using correct information. Product oeriew 29

34 Problem: To configure SSL connections between the IBM Tioli Identity Manager Serer and adapters, the following two parameters are required to be defined in the WebSphere Application Serer as parameters to JVM. jaax.net.ssl.truststore jaax.net.ssl.truststorepassword When you inquire for a process list by typing the ps -ef command, the password of the Jaa Key Store is listed in the result output. Workaround: Describe these parameters in a file, then specify the file with the -Xoptionsfile option. Complete these tasks: 1. Create a file, then describe these parameters on the same line as follows: -Djaax.net.ssl.trustStore=/usr/IBM/itim/itim50.jks -Djaax.net.ssl.trustStorePassword=password 2. Specify the file name with the -Xoptionsfile option as a parameter to JVM. a. Open the WebSphere Application Serer Administratie Console. b. Select Serer Application Serer serername Process Definition Jaa Virtual Machine. c. Add the-xoptionsfile option as follows: -Xoptionsfile=/usr/IBM/itim/jksProps.txt d. Restart the WebSphere Application Serer. Problem: A filter change to a lifecycle rule does not take effect immediately when running it manually. Lifecycle rule operations can take an extended period of time to finish for the entire result set returned from the ealuation of the lifecycle rule filter, primarily due to the manual workflow actiities associated with the operation. Additional information: For lifecycle rules that are associated with profiles or categories, execution is dependent on the enrole.profile.timeout property, defined in minutes, in the enrole.properties file. Een if the filter that is present in the lifecycle rule is modified and run manually, it takes the preious filter the maximum time of the refresh interal to elapse, specified in minutes for the enrole.profile.timeout property. Once this period is oer, the modified alue for the filter is then used during lifecycle execution. Problem: Owners of disabled IBM Tioli Identity Manager accounts still receie notification s targeted to them as the participant of a request for information or approal request. Limitation: This is a current limitation. Problem: When you hae access control items for default Person and custom Person (deried from inetorgperson) entities in IBM Tioli Identity Manager, the access control item for the default Person entity also affects the custom Person entity. For example, a custom Person entity that is defined as customperson inherits from inetorgperson. Any access control item that applies to the inetorgperson entity also applies to the customperson entity, in addition to access control items defined for the customperson entity. Note: The behaior of the access control items was changed in IBM Tioli Identity Manager at Version 4.6 to enforce the inheritance. An access control item defined for an objectclass not only applies to entities of the objectclass, but also to entities belonging to objectclasses that inherit this objectclass directly or indirectly. Workaround: Define an access control item exclusiely for inetorgperson to allow for the access control item to apply only to the default person entity. Set the following access control item target filter: (!(objectclass=customperson)) 30 Product oeriew

35 Problem: To allow some users to change a user s role, you might configure access control items for both Person and custom Person objects with Read and Write access on erroles (as well as Search/Modify operations). An additional access control item would allow users to search for organizational roles. Howeer, when a user then attempts to modify the errole attribute, you might find that IBM Tioli Identity Manager does not allow the modification. Workaround: For an organizational role, create an additional access control item that grants Modify rights to users. To assign an organizational role to a person or remoe the person from an organizational role, define appropriate access control items that gie a user all of the following permissions and operations: Write attribute permission for the erroles attribute of the Person to be modified. Modify operation on the Person to be modified. Modify operation for the organizational role that is to be remoed from or added to the Person. Problem: To proide a role for a serice owner, you must change the Category owner field on the serice form to Static Organizational Role. Howeer, it is not recommended to change the owner type (from Person to Static Organizational Role and ice ersa) for a serice profile when one or more serice instances hae been defined for that profile. Workaround: If you want to specify Static Organizational Role on the serice form for a profile that already has existing serices, remoe the serice owner of all serices of the profile. For example, if you want to specify Static Organizational Role for a WinLocal serice, you must remoe all serice owners of all Winlocal serices. Problem: If you use the Form Designer to configure a date on a form, you can configure the attribute and see the alue correctly displayed, as long as it is not set to null in LDAP. Workaround: The DateInput Type allows users to select a default or an alternatie date. The Default date input type allows the user to specify that the attribute alue neer expires, by selecting Neer in the administratie console, or No date selected in the self-serice console. The Alternatie Date date input type does not allow the user to specify that the attribute alue neer expires, and should be used if the attribute alue must expire at some point in time. For a default date, a null or empty alue for the attribute is interpreted as the attribute neer expires, and is displayed on the administratie console with Neer selected, and on the self-serice console with No date selected selected. Problem: When you preiew a change to a proisioning policy, the list size of the display of the affected accounts is limited by the combination of two properties in ui.properties file: enrole.ui.pagesize and enrole.ui.pagelinkmax. The account list size limit is determined by the alue of enrole.ui.pagesize property multiplied by the alue of enrole.ui.pagelinkmax property plus 1 (one). For example, by default, if enrole.ui.pagesize=50 and enrole.ui.pagelinkmax=10, the maximum affected account list size would be calculated as: 50x10+1=501 Workaround: If you hae a large number of affected accounts to preiew for a change in a proisioning policy, increase these two properties appropriately. Product oeriew 31

36 Start by increasing only the enrole.ui.pagelinkmax alue, because increasing the alue of enrole.ui.pagesize will affect other parts of the IBM Tioli Identity Manager user interface. Problem: A proisioning policy preiew will time out if the preiew summary page is idled for more than 10 minutes after ealuation completion, or if you naigate away from the preiew summary page for more than 10 minutes. When the preiew times out, naigating to obtain detail from the summary page is not possible. If timeout occurs, you can only click Close on the summary page. Workaround: To preent timeout, aoid idling or naigating away from the preiew summary page for more than 10 minutes. To correct the problem after it occurs, resubmit the preiew request. Problem: If an access definition for a group on a serice is referenced by a recertification policy and the access definition is undefined for the group, the recertification policy is not fully updated with the remoal of the access definition. The target of the recertification policy will be listed in the user interface as null or None, due to an improper update of the recertification policy for the access remoal. Although the recertification policy user interface will show the target as None, running the recertification policy will continue to recertify accounts which make use of the group for which the access was defined. Workaround: Edit the recertification policy by using the user interface for the policy which referenced the access definition to be deleted: 1. First, remoe the access to be deleted from the recertification policy with which it is associated. If the access definition is remoed before remoing the target from the recertification policy, the recertification policy pages can be used to work around the issue. 2. Once the recertification policy is opened in edit mode, naigate to the Access Target tab and remoe the target listed as None. 3. Sae the recertification policy to properly update the policy. If None is the only target for the recertification policy, you might want to delete the recertification policy entirely, because it is not used for other access definitions. A similar issue can occur when you modify an access definition to deselect Display in an Access list. If this option is not selected in the access definition, the recertification policy that references that access definition will not be searchable by access name. Problem: When you manage identities, no default operations appear for a Person object at the Entity Leel. Operations do appear at the Entity Type leel. Howeer, when they are changed, the operations still indicate they are system-defined operations. Limitation: This is an existing limitation. By design, operations that are defined at the Entity Type Leel are not shown, when the Entity Leel is selected. A system-defined entity operation indicates it is system-defined, een after a user has modified the operation. Problem: When you configure IBM Tioli Identity Manager Integration for Maximo Serice Request Manager Version 7.1, the Maximo Web serice issues call failures when IBM Tioli Identity Manager attempts to proision more than 10,000 users. One to two dozen Maximo users do not get created due to the call failures. Howeer, the users are created when the requests for them are resubmitted. Limitation: This is an existing limitation. For more information, refer to APAR IZ Product oeriew

37 Problem: If you remoe a cluster node from a cluster and then add the cluster node back to the cluster, the Tioli Identity Manager administratie console does not start. Workaround: Add the ITIM_Home/data directory again to the classpath on the serer associated with the node. Problem: When using the GUI to submit an attribute with leading or trailing spaces, the IBM Tioli Identity Manager serer deletes the leading or trailing spaces for that attribute alue. This occurs for all attributes except for the password attribute. Limitation: This is an existing limitation. WebSphere Application Serer limitations, problems, and workarounds You might encounter these WebSphere Application Serer problems, and use these workarounds: Problem: The WebSphere Application Serer and the DB2 Uniersal Database are installed on the same Windows machine. The WebSphere Application Serer and the DB2 Uniersal Database serices are set up to start automatically. After rebooting the machine, the WebSphere Application Serer and DB2 Uniersal Database are successfully started, but a user or account cannot be created or modified. Workaround: The messaging engine did not start because the WebSphere Application Serer started before the DB2 Uniersal Database started. When the WebSphere Application Serer starts, the messaging engine for IBM Tioli Identity Manager is started, if the DB2 Uniersal Database is aailable at that time. After rebooting the machine, manually ensure that the messaging engine for IBM Tioli Identity Manager started successfully. On the WebSphere Application Serer Administratie Console, select Serice Integration > Buses > itim_bus > Messaging engines from the Topology section. If the messaging engine is not started, start it from this page. Problem: On the Sun Solaris 10 operating system, the WebSphere Application Serer JVM produces a core error while attempting to resize the JVM heap during a garbage collection. Workaround: Set both the minimum and maximum JVM heap sizes (Xms and Xmx) to the same alue. Database serer limitations, problems, and workarounds You might encounter these IBM Tioli Identity Manager database serer problems, and use these workarounds: Problem: IBM Tioli Identity Manager does not install on a Windows system configured in the Russian language. Specifically, DB2 Uniersal Database cannot determine the Windows Administrator user if the user ID is spelled in Russian. Workaround: Before you attempt to start the IBM Tioli Identity Manager installation program or the middleware configuration utility, open the operating system user management utility and change the Russian spelling of the user Administrator and the group Administrators to the English spelling. Try the installation again. Problem: IBM Tioli Identity Manager does not work with SQL Serer JDBC Drier 1.2 when FIPS is enabled. Workaround: disable FIPS. IBM Tioli Identity Manager works with SQL Serer JDBC Drier 1.2 when FIPS is disabled. Microsoft has accepted this problem as a defect in the SQL Serer 2005 JDBC drier 1.2. Product oeriew 33

38 Problem: IBM Tioli Identity Manager does not work with SQL Serer if the database is case sensitie (CS). Workaround: Ensure that Microsoft SQL Serer 2005 or at least the database is installed with the codepage set to case insensitie (CI). Directory serer limitations, problems, and workarounds You might encounter these IBM Tioli Identity Manager directory serer problems, and use these workarounds: Problem: In some Linux enironments, a potentially ignorable error message might occur during a serice profile import operation. You might obsere the following socket failure error message in the ibmslapd.log file on the IBM Tioli Directory Serer: 07/22/07 16:06:11 GLPCOM001E Creation of socket failed; errno 4 (Interrupted system call). 07/22/07 16:06:11 GLPCOM001E Creation of socket failed; errno 4 (Interrupted system call). 07/22/07 16:06:11 GLPCOM001E Creation of socket failed; errno 4 (Interrupted system call). Workaround: If either the Tioli Identity Manager or the LDAP operation succeeded, ignore these messages, which are written to the ibmslapd.log file, but do not affect the requested operation. If the operation failed, contact Tioli Identity Manager leel 2 support for assistance. Problem: The LDAP serer can hang after seeral days of continuous actiity, or during interals with large numbers of concurrent users. Workaround: On the directory serer, set the enironment ariable LDAP_WAITQ=NO before you start the LDAP serer. Setting the alue of LDAP_WAITQ to NO changes the behaior of the LDAP serer to use the ersion 6.0 method of handling requests. For more information, refer to APAR IO Directory Integrator limitations, problems, and workarounds You might encounter these IBM Tioli Directory Integrator problems, and use these workarounds: Problem: IBM Tioli Directory Integrator Version 6.1 is known to stop under heay load from a high number of user deletion requests. For example, attempting to delete 1,000 or more users at a time can cause IBM Tioli Directory Integrator to stop. Workaround: Try deleting fewer users at a time to aoid the problem. For more information, refer to APAR IO Browser limitations, problems, and workarounds You might encounter these browser limitation, or browser problems, and use these workarounds: Problem: When you click Manage Serices > Select a Serice, and then search for a serice, the Serices table returns a list of serices. If the hyperlinked name of a serice in the table is ery long, the rightmost characters in the name might oerrun the right column boundary in the table. Limitation: This is a browser limitation, in which a long serice name will fail to wrap within the column boundary. Problem: If you are using the Mozilla Version 1.7 browser, you can create a subordinate node, such as a Location, from the menu on the main Organization node. The new node appears under the main Organization node. Howeer, if you collapse the main Organization, and then create a second node, such as an additional Location, the Organization subtree expands in the display, but the second node does not appear in the tree. Workaround: Collapse the node for the Organization subtree, and then expand it again. The additional node appears. 34 Product oeriew

39 Problem: Using the Mozilla Version 1.7 browser, the last row of the Users table might oerlap with the summary line after you reconcile a serice and then list all the users of the serice. For example, complete these tasks: 1. Click Manage Serices > Select a Serice, and then click Search for aailable serices. In the Serices table, select a serice. Then, click Reconcile Now in the popup menu. 2. After the reconciliation completes successfully, click Manage Users > Select a User. Then, click Search for aailable users. Assuming there are sufficient users to fill the table, the last row of the Users table oerlaps the summary line. Limitation: This is a known limitation of the browser. Problem: Using the Internet Explorer browser, when you intend to select the Browse button in some actiities, pressing the Enter key does not cause the next action to occur. For example, pressing Enter does not cause the Browse key to display a Choose File page during the reconciliation step of serice creation. Workaround: Press the space bar instead the Enter key to select the Browse button. This is a known limitation of the browser. Problem: Display is blocked for security reasons if you attempt to open the About information page for IBM Tioli Identity Manager using the Internet Explorer browser with Enhanced Security Configuration (ESC) enabled. The About page proides the serer name, product build number and date, and other product information. Workaround: To iew the page, add the about:blank site to the browser s list of trusted sites. Howeer, this is not recommended because adding about:blank as a trusted site will reduce the security of the system. Problem: When you are managing actiities, and want to iew and lock your actiities, a graphic image of a lock does not consistently appear adjacent to the actiity that you lock for IBM Tioli Identity Manager, iewed with the Mozilla browser at Version 1.7.x. Workaround: To iew the lock symbol, open the browser to another tab, and then return to the page on which you iew locked actiities. Problem: Clicking the Back button on the browser during data entry in the user interface might cause a loss of the data that you enter. For example, clicking Back and then Forward causes data that you entered in fields to be lost. Limitation: Do not use the Back and Forward selections proided by the browser; use only the selections proided in the application window to naigate from one window to another. Problem: A user cannot open multiple browser sessions with the IBM Tioli Identity Manager Serer on the same system. Limitation: IBM Tioli Identity Manager does not support using the same browser on the same machine to start multiple sessions with the serer. Problem: The tab sequence for pages containing radio buttons is not always correct in Internet Explorer. Limitation: When tabbing to a group of radio buttons, focus should moe to the currently selected radio button. Howeer, in some cases, focus will incorrectly moe to the closest radio button in the group, rather than the currently selected radio button. Problem: Using the Firefox browser, you might hae difficulty selecting multiple items in some selection boxes using the shift-down key combination. One example is the Organizational Roles field located in the person form. This problem does not occur on Internet Explorer. Product oeriew 35

40 Workaround: Select multiple items by clicking items while holding down the control (Ctrl) key, or by clicking shift-down quickly and repeatedly, or by selecting the first item and shift-clicking another item, which will select both items and all items in between. Problem: Using the Internet Explorer browser at ersion 6 with SP2, the Submit and Cancel buttons might become disabled when you enter an incorrect file name during data import and then attempt to import the file. For example, this might occur when you click Configure System > Import Data and then attempt to upload a file that is not correctly specified. This problem does not occur with a Mozilla browser, or with a later ersion of Internet Explorer. Workaround: Repeat the operation, entering a alid name for the file that you want to import. Problem: The title of the JaaScript dialog box appears as [JaaScript Application] instead of IBM IBM Tioli Identity Manager 5.0 when exiting out of the launchpad installer. Limitation: This is a known limitation with titles of JaaScript dialog boxes when using the Mozilla or Firefox browser. This issue does not occur on Windows operating systems. Problem: Internet Explorer 7, running on a non English Windows operating system can render drop down list with truncated contents. Limitation: This is a known limitation that does not occur with the FireFox browser or Internet Explorer running on English ersion operating systems. Accessibility limitations, problems, and workarounds You might encounter these IBM Tioli Identity Manager accessibility limitations, or accessibility problems. If so, use these workarounds: Problem: A separating symbol used as part of a breadcrumb between the trail of tasks, which is the > character, is read as greater than by screen reader such as JAWS. The screen reader encounters the symbol when it reads a task title on a window that IBM Tioli Identity Manager proides. For example, the screen reader might read Home > View or Change Profile as the words Home greater than View or Change Profile. Limitation: The use of the separator symbol > is coded as the greater than character. An equialent isual character that aoids causing a screen reader to read the symbol is not aailable in this release. Problem: No logout occurs when you tab to and then press ENTER on the logout button, at the top right corner of the main IBM Tioli Identity Manager console page. Additionally, a screen reader such as JAWS does not read the logout button as a link. Workaround: Press the Tab one additional time, before you press ENTER. Otherwise, the cell in which the logout button exists is selected, not the button itself. There is no workaround for a screen reader such as JAWS. Howeer, a isually impaired person is unlikely to tab through all the frames. It is more likely that the person will inoke a list of links (click Ins-F7) and select Log out. Problem: A screen reader such as JAWS reads read-only buttons as aailable on the Mozilla Firefox browser. For example, the screen reader reads greyed out Change or Delete buttons as aailable. Howeer, using Internet Explorer at Version 6.0, serice pack 2 or aboe, the screen reader correctly determines that read-only buttons are unaailable. Limitation: For purposes of correctly reading unaailable buttons, the Internet Explorer browser reads correctly for isually-impaired users. 36 Product oeriew

41 Problem: JAWS does not read file input fields correctly, using Internet Explorer. A file input consists of a text field and a browse button. Using Internet Explorer, JAWs reads both widgets when the focus is on the text field, but says nothing when the focus is on the Browse button. For example, the screen reader fails to read a Browse button, when it should read the button as Browse button, to actiate press spacebar. These problems are not obsered using the Mozilla FireFox browser. Limitation: For purposes of correctly reading empty fields and Browse buttons, the Mozilla FireFox browser reads correctly for isually-impaired users. Howeer, other reading problems might exist, which are soled by a different browser. Problem: A screen reader such as JAWS reads some fields such as scheduling start and end date entry fields as though they were read-only, rather than fields that allow selecting a new date from the calendar control. Additionally, a screen reader will read fields that are populated by a Search or a Browse button as read-only, rather than fields that can be changed by clicking Search or Browse. For example, if you select a person in the search results and then click OK, the program returns to the page that has the target field, and the name of the selected person now appears in the read-only text field. A similar problem is clicking Clear to clear the alue in the read-only text field. Limitation: There is no workaround. The user must understand when to click the appropriate button from the additional information in page text or help that is proided. Problem: Using the middle pane of the Form Designer applet, it is not possible to use the keyboard to switch between the property dialog page and the attributes. For example, using Enter and Tab keys does not switch the focus. Workaround: Start your edit actiity by clicking the launch in new page link. Because there are no leel one (that is, main) headings on IBM Tioli Identity Manager console pages, you cannot use the reading function that the Freedom Scientific JAWS application proides. Users using screen readers should read the screen using the paragraph, line, or full page reading functions of JAWS. The most important frames that readers use include: Task Switcher to switch between actie tasks in the console. Portfolio area to access the list of tasks to perform. Work area, which is the current, actie page. Problem: Occasionally, certain browser readers that are used by sight-impaired users may read a control twice on a IBM Tioli Identity Manager Version 5 page in the graphical user interface. This occurs, for example, using the JAWS browser reader. Workaround: Ignore the second reading. The IBM Tioli Identity Manager Version 5 graphical user interface does not hae more than one control with the same name on the same page. Report limitations, problems, and workarounds You might encounter these IBM Tioli Identity Manager report problems, and use these workarounds. Problem: After you perform a data synchronization and then run a report for account operations with a status of Pending, the report does not show pending requests to create accounts. When the report runs, the actual serice proisioning process is in a pending/scheduled state and no account create process exists in workflow tables. The account create process is inoked when a scheduled serice proision Product oeriew 37

42 process runs. Howeer, because there is no pending create account process in the case of a scheduled account creation, the report is not able to capture that process as a pending request in the report. Workaround: A partial workaround exists. To iew account create requests for serice types other than Tioli Identity Manager accounts, select Create account as the request type and then select the root process type as ANY or serice proision process. Selecting ANY as root process type will show all account creation requests where root processes may be different from one another. Problem: After you install Japanese from the language pack, iewing a report shows erroneous characters after selecting English at the Tioli Identity Manager logon. Howeer, if you select Japanese as the language at the logon, the report is correctly displayed. Workaround: This problem occurs if you run a Japanese language report and hae set the locale to English, because the default English font does not support DBCS characters. To iew reports generated in a double-byte character set (DBCS) language, specify a font that is capable of displaying DBCS characters. This workaround applies for locales other than English when DBCS characters are not supported by the respectie font. Complete these tasks: 1. Open the ITIM_HOME/data/enRoleFonts.properties file. 2. Comment out the $LOCALE=$font_name line for the English font. For example, if characters in the report are Japanese, and $LOCALE = en, comment out en=sans-serif. 3. Add a new line for the $LOCALE=$DBCS_character_support_font_name. The following fonts are supported: Japanese Simplified_Chinese Traditional_Chinese Korean Problem: For languages such as Arabic or Korean, the date and time data remains in English, in reports formatted in Portable Document Format (PDF). Limitation: This is a Jaa limitation. The date and time format for Arabic and Korean languages are displayed incorrectly, based on their locale. Problem: Life cycle rule reports do not generate correctly. The life cycle rule operation appears to hae root process of LC. In an account operation report, all account operations which are performed for the life cycle rule are displayed with the root process as LC. Workaround: Change a statement and add a statement in the ITIM_HOME/data/reportingLabels.properties file. Complete these steps: 1. Open the ITIM_HOME/data/reportingLabels.properties file in any text editor. If you hae a language pack installed, the file that you edit is the ITIM_HOME/data/reportingLabels_languagecode.properties file, where languagecode is a locale-specific code, such as en for English. 2. Edit the following statement, replacing ls with lc. rootprocessiew.type.ls=life Cycle Rule Execution After the change, the line reads: rootprocessiew.type.lc=life Cycle Rule Execution For languages other than English, the language of the text following the equal sign will ary. 3. Add a new label by adding the following line: 38 Product oeriew

43 process.type.lc=life Cycle Rule Execution For languages other than English, the language of the text following the equal sign will ary. 4. Sae the file and quit the text editor. 5. Run the report again. Problem: The CrystalTestWAS script indicates a connectiity problem between the IBM Tioli Identity Manager Serer machine and the Crystal Enterprise machine. More specifically, the CrystalTestWAS.sh script runs from a UNIX setup that hosts the Tioli Identity Manager Serer fails to connect to the Crystal Management serer installed on a Windows machine. The error is similar to this message: com.crystaldecisions.enterprise.ocaframework.ocaframeworkexception$allserersdown: All the serers with CMS, cluster and kind cms are down or disabled As a result of this error, Crystal Reports can not be executed from Tioli Identity Manager, and Tioli Identity Manager also cannot import new Crystal Report templates. Workaround: If the connection type of the Crystal Enterprise user (crystalenterpriseuser property in the ITIM_HOME/data/crystal.properties file) is chosen as Concurrent User, the access to the Crystal Enterprise system for the concurrent user will depend on the number of other users that are currently connected to the Crystal system. This sometimes leads to a situation in which the Crystal Enterprise user used by Tioli Identity Manager is unable to connect to the Crystal system because of a connection limit being reached at the Crystal serer. As a result, this type of error may appear while running the CrystalTestWAS script. Complete these steps: 1. Log on to the Windows system where Crystal Enterprise 10 system is installed. Click Start Programs Crystal Enterprise 10 Crystal Configuration Manager. A page listing all the Crystal Report serices is opened. Select all the serices that are currently running, and restart them. 2. Log on to the UNIX system that hosts Tioli Identity Manager as the non-root Crystal user that was used to install Crystal Enterprise client components on the UNIX system. Go to the directory of client components (crystalhome property in the ITIM_HOME/data/crystal.properties file), and run en.sh. 3. Make sure that all the properties specified in the ITIM_HOME/data/ crystal.properties file are correct. 4. Run the ITIM_HOME/bin/unix/CrystalTestWAS.sh script again. Problem: Generating a Tioli Common Reporting Serer Approal and Rejections report might hae performance problems when large amounts of data are inoled. Limitation: This is a know limitation when using like in the query. Other limitations, problems, and workarounds You might encounter these additional problems, and use these workarounds: Problem: When high contrast is enabled on Windows XP, the display of the IBM Tioli Identity Manager workflow designer applet is not reformatted to the high contrast scheme. When you turn on High Contrast, the applet window outline is conerted to high contrast. Howeer, the interior fields of the applet display do not match the high contrast changes. Workaround: Refresh the browser to reload the workflow designer, which will update the applet with the high contrast settings. Product oeriew 39

44 Problem: Actie users experience unexpected results when the date and time is changed on the operating system on which IBM Tioli Identity Manager is installed. Workaround: As an administrator, if you change the date and time on the operating system on which IBM Tioli Identity Manager is installed, always ensure that no users are currently logged into the IBM Tioli Identity Manager Serer. Users that are logged on can experience unpredictable results if the change is significant. Problem: The help panel for the user adanced search displays additional fields. Limitation: The help panel displays information about additional fields that are not displayed on the search page. These fields are specific to an LDAP account and can be added using the Add another search filed link. Note: The Account type information incorrectly states that the type cannot be changed. The account type can be changed. Problem: The help panel for the Form designer interface page lists Tungsten Theme as the default menu theme. Limitation: The correct name is Default Theme. Problem: The contextual help for the Separation of Duty Policy Violations page indicates that there is a Person Name column in the policy table. Howeer, the table does not include that column. Limitation: This is a known limitation in the contextual help content. Technical oeriew You can use IBM Tioli Identity Manager to manage the identity records that represent people in a business organization. This section introduces the product architecture and main components. Tioli Identity Manager is an identity management solution that centralizes the process of proisioning resources, such as proisioning accounts on operating systems and applications to users. Tioli Identity Manager gies you the ability to add business processes and security policies to basic user management, including approals for user requests to access resources. In addition, Tioli Identity Manager proides a uniform way to manage user accounts and to delegate administration, including self-serice and a help desk user interface. Users, authorization, and resources An administrator uses the entities that IBM Tioli Identity Manager proides for users, authorization, and resources to proide both initial and ongoing access in a changing organization. 40 Product oeriew

45 Accounts Access control item Identity policy Adapter Identities Password policy Serice Users Other policies Group Workflow People Authorization Workflows/policies Resources Figure 1. Users, authorization, and resources Identities An identity is the subset of profile data that uniquely represents a person in one or more repositories, and includes additional information related to the person. Accounts An account is the set of parameters for a managed resource that defines your identity, user profile, and credentials. Users A user is an indiidual who uses IBM Tioli Identity Manager to manage their accounts. Access control items An access control item is data that identifies the permissions that users hae for a gien type of resource. You create an access control item that allows you to specify a set of operations and permissions, and then identify which groups use the access control item. Groups A group is used to control user access to functions and data in IBM Tioli Identity Manager. Membership in a IBM Tioli Identity Manager group proides a set of default permissions and operations, as well as iews, that group members need. Policies A policy is a set of considerations that influence the behaior of a managed resource (called a serice in IBM Tioli Identity Manager) or a user. A policy represents a set of organizational rules and the logic that IBM Tioli Identity Manager uses to manage other entities, such as user IDs, and applies to a specific managed resource as a serice-specific policy. Adapters An adapter is a software component that proides an interface between a managed resource and the IBM Tioli Identity Manager Serer. Serices A serice represents a managed resource, such as an operating system, a database application, or another application that IBM Tioli Identity Manager manages. For example, a managed resource might be a Lotus Notes application. Users access these serices by using an account on the serice. Product oeriew 41