Deployment Overview Guide


IBM Security Privileged Identity Manager Version 1.0 Deployment Overview Guide SC


Note

Before using this information and the product it supports, read the information in Notices.

Edition notice

Note: This edition applies to version 1.0 of IBM Security Privileged Identity Manager (product number 5725-H30) and to all subsequent releases and modifications until otherwise indicated in new editions.

Copyright IBM Corporation
US Government Users Restricted Rights Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Figures
Tables
About this publication
    Access to publications and terminology
    Accessibility
    Technical training
    Support information
Chapter 1. Privileged identity management
Chapter 2. Planning
    What you must prepare
    Downloading IBM Security Privileged Identity Manager
    Hardware and software requirements
    AccessProfile language support
    Workstation configuration support
    Managed resources support
    Planning for high availability
    Roadmap for configuring shared access for a managed resource
Chapter 3. Installation
    Installing IBM Security Identity Manager, Version
    Installing IBM Security Access Manager for Enterprise Single Sign-On, Version
    Preparing the IMS Server
    Preparing the AccessAgent
    Verifying the installation and configuration
    Installing IBM Security Access Manager for Enterprise Single Sign-on Adapter, Version
    Upgrade to IBM Security Privileged Identity Manager
    Upgrading IBM Tivoli Identity Manager, Version
    Upgrading IBM Security Access Manager for Enterprise Single Sign-On
    Upgrading IBM Tivoli Identity Manager and IBM Tivoli Access Manager for Enterprise Single Sign-on
Chapter 4. Configuration for IBM Security Privileged Identity Manager
    Shared access configuration
    Setting the minimum AccessAgent version on the Privileged Identity Management AccessProfile
    Uploading AccessProfiles to the IMS Server
    Adding a policy in the User Policy template for Privileged Identity Manager on the IMS Server
    Creating a user policy template only for privileged identity management users
    Mapping the authentication service
    Configuring a group policy to prompt the client for passwords (RDP)
    Adding privileged identity management policies in AccessAdmin
    Uploading policy definitions and objects
Chapter 5. Automating the credential check-out and check-in process
    Automation overview
    Shared access credential check-out process
    Configuring the shared access credential usage prompt
    Configuring the re-authentication prompt
    Shared access credential check-in process
    IBM Security Identity Manager password change process
    Additional examples that can trigger check-out and check-in automation
    Automatic check out and check in with client application logon
    Logging on with PuTTY
    Logging on with the Microsoft Remote Desktop Connection (RDP) client
    Logging on with IBM Personal Communications
    Logging on with the VMware vSphere Client
    Manual check-out
Chapter 6. Administering
    Administering shared access
    Privileged administrator view
    Privileged user view
    Manual checkout and check in of shared credentials
    Managing multiple AccessProfiles for the same client application
    Identifying AccessProfile collision
    Merging AccessProfiles
    Accessing administrative consoles
Chapter 7. Modifying AccessProfiles
    Modifying AccessProfiles for the IBM Personal Communications application
    Modifying AccessProfiles for the PuTTY application
Chapter 8. Reports and audit logs
    Types of available reports
    Configuring the audit logs to include privileged identity events
    Configuring or administering IBM Tivoli Common Reporting
    Importing the reports into Tivoli Common Reporting
    Viewing reports with Tivoli Common Reporting
    Update IMS view to show Privileged Identity Management events
    Shared access objects for custom reports
    Viewing audit logs with the AccessAdmin utility
Chapter 9. Troubleshooting
    Troubleshooting server connectivity and availability
    Troubleshooting the audit log
    Troubleshooting checklist
    Information center resources for troubleshooting shared access
Appendix A. Optional configuration tasks
    Optional configuration for shared access
    Creating your own privileged identity management AccessProfiles
    Modifying lease time
Appendix B. Requirements for component products
    IBM Security Access Manager for Enterprise Single Sign-On, Version
    Hardware and software requirements
    IBM Security Identity Manager, Version
    Hardware requirements
    Operating system support
    Virtualization support
    Java Runtime Environment support
    WebSphere Application Server support
    Database server support
    Directory server support
    Directory Integrator support
    Report server support
    Browser requirements for client connections
    Adapter level support
Appendix C. References
    Report examples
    Example: User information
    Example: Application usage
    Example: Shared access audit history
    Example: Shared access entitlements by owner
    Example: Shared access entitlements by role
    AccessAgent PIM API reference
    CheckOut
    CheckIn
    Message reference
Appendix D. Accessibility features for IBM Security Privileged Identity Manager
Glossary
Index
Notices

Figures

1. IBM Security Privileged Identity Manager users and components
2. Flowchart for configuring shared access for a managed resource
3. User information audit report
4. Application usage audit report
5. Shared access audit history report
6. Shared access entitlements by owner report
7. Shared access entitlements by role report

Copyright IBM Corp. 2012


Tables

1. Privileged identity management users and tasks
2. Supported prerequisite software and versions
3. Types of supported managed resources and the client application
4. Supported managed resource types with the bundled AccessProfiles
5. Configuring managed resources that are supported by the IBM Security Identity Manager adapter
6. Configuring managed resources that are not supported by the IBM Security Identity Manager adapter
7. Defining roles and provisioning policies to grant ownership of sponsored accounts
8. Configuring shared access for the new managed resource
9. Upgrade matrix
10. Shared access configuration tasks
11. Password entry options
12. Additional events that can trigger automated check-out or check-in behavior
13. Shared access administration tasks
14. Data reference for shared access
15. Common administrative consoles for IBM Security Privileged Identity Manager
16. Audit logs and reports for the IBM Security Privileged Identity Manager solution
17. Troubleshooting audit log problems and solutions
18. Lists some of the common problems and possible solutions
19. Hardware requirements for IMS Server
20. Hardware requirements for IMS Server (virtualization)
21. Supported software
22. Hardware requirements for AccessAgent and AccessStudio
23. Supported operating systems
24. Supported web browsers
25. Supported web browsers
26. Supported software for authentication devices
27. Version compatibility for the IBM Security Access Manager for Enterprise Single Sign-On components
28. Hardware requirements for IBM Security Identity Manager
29. Operating system support
30. Virtualization support
31. Database server support
32. Directory server support
33. Supported versions of IBM Tivoli Directory Integrator
34. Prerequisites to run the UNIX and Linux adapter
35. List of message identifiers


About this publication

IBM Security Privileged Identity Manager Deployment Overview Guide describes the process of setting up and logging on to managed resources with privileged identities.

Access to publications and terminology

This section provides:
- A list of publications in the IBM Security Privileged Identity Manager library.
- Links to Online publications.
- A link to the IBM Terminology website.

IBM Security Privileged Identity Manager library

The IBM Security Privileged Identity Manager Deployment Overview Guide, SC , is available in the IBM Security Privileged Identity Manager library.

Online publications

IBM posts product publications when the product is released and when the publications are updated at the following locations:

IBM Security Privileged Identity Manager Information Center
    The com.ibm.ispim.doc_10/ic-homepage.html site displays the information center welcome page for this product.

IBM Security Identity Manager Information Center
    The com.ibm.isim.doc_6.0/ic-homepage.htm site displays the information center welcome page for the IBM Security Identity Manager product.

IBM Security Access Manager for Enterprise Single Sign-On Information Center
    The com.ibm.itamesso.doc/ic-homepage.html site displays the information center welcome page for the IBM Security Access Manager for Enterprise Single Sign-On product.

IBM Security Information Center
    The site displays an alphabetical list of and general information about all IBM Security product documentation.

IBM Publications Center
    The pbi.wss site offers customized search functions to help you find all the IBM publications you need.

IBM Terminology website

The IBM Terminology website consolidates terminology for product libraries in one location. You can access the Terminology website at software/globalization/terminology.

Accessibility

Accessibility features help users with a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface.

For additional information, see Appendix D, Accessibility features for IBM Security Privileged Identity Manager, on page 81.

Technical training

For technical training information, see the following IBM Education website at

Support information

IBM Support provides assistance with code-related problems and routine, short duration installation or usage questions. You can directly access the IBM Software Support site at

The IBM Security Identity Manager Troubleshooting Guide and IBM Security Access Manager for Enterprise Single Sign-On Troubleshooting Guide provide details about:
- What information to collect before contacting IBM Support.
- The various methods for contacting IBM Support.
- How to use IBM Support Assistant.
- Instructions and problem-determination resources to isolate and fix the problem yourself.

See Chapter 9, Troubleshooting, on page 55 for instructions and problem-determination resources for IBM Security Privileged Identity Manager.

Note: The Community and Support tab on the product information center can provide additional support resources.

Chapter 1. Privileged identity management

IBM Security Privileged Identity Manager helps organizations manage, automate, and track the use of shared privileged identities.

Overview of Privileged Identity Management (PIM)

IBM Security Privileged Identity Manager is a software solution based on IBM Security Identity Manager and IBM Security Access Manager for Enterprise Single Sign-On. The solution provides:
- Centralized administration, secure access, and storage of privileged shared account credentials
- Role-based access control for shared accounts
- Lifecycle management of shared accounts ownership
- Single sign-on through automated check-out and check-in of shared credentials
- Auditing of shared credentials access activities
- Integration with the broader Identity and Access Management Governance portfolio

Figure 1. IBM Security Privileged Identity Manager users and components
(Diagram labels: Privileged Administrator; Reporting Console; Identity Manager Admin Console Web Application; Privileged User; IBM Security Identity Manager Server with Shared Access Module; Identity Manager Self Service Web Application; Applications, for example: PuTTY, SSH, IBM Personal Communications; IBM Security Access Manager for Enterprise Single Sign-On IMS Server; IBM Security Access Manager for Enterprise Single Sign-On Privileged Identity Manager agent; Managed resources or endpoints: OS400, Windows, Linux/UNIX, MVS/RACF.)

Privileged identity refers to the pre-built accounts in nearly every operating system and application. Privileged accounts are general user identities distinguished by the assignment of security, administrative, or system authorities.

Privileged identities are typically distinguished by the names they use. For example, administrator, sa, root, db2admin. Unlike a personal identity like jdoe, you can access privileged accounts only with a privileged password, and account access is hard to disable.

In an enterprise environment, multiple administrators might share access to a single user ID for easier administration. When multiple administrators share accounts, you can no longer definitively prove that an account was used by one administrator as opposed to another. You lose personal accountability and audit compliance.

To better manage privileged identities, a user receives an individual identity to a system:
- If they need it.
- When they need it.
- On the condition that they need it.
- If they have access to it.

With a reusable or shared access user ID, you can log on to a system without any knowledge of the password for the privileged identity. Instead, a user can check out or lease a reusable ID from a shared access repository for a limited time.

How the solution works

You reestablish accountability and traceability when you can map check-out and check-in actions of shared privileged accounts to. For example:

1. An organization defines privileged roles, for example SystemAdmin_Staff or Operations_Database_Admin in IBM Security Identity Manager. These roles are tied to appropriate system and account entitlements. You can also tie the roles to pools of accounts. For example, if multiple users might use a privilege simultaneously, you might tie a pool of 15 database administrator accounts to the Operations_Database_Admin.
2. When a user, for example jdoe, accesses a system where a privileged ID is required, the IBM Security Access Manager for Enterprise Single Sign-On client automatically checks out the required account.
3. The IBM Security Access Manager for Enterprise Single Sign-On client then automatically injects the credentials into the user's session. You can configure the credential check-out automation to work for desktop applications, terminal applications, and mainframe applications.
4. After finishing the tasks that require the privileged account, the automatic check-in process returns the privileged user ID to the credential vault.

Primary user types

Each privileged identity management user type has a different role and objective to achieve with the solution.

Table 1. Privileged identity management users and tasks

User type: Privileged administrator
Tasks:
- Uses the IBM Security Identity Manager console to:
    - Manage shared accounts, credentials, and credential pools.
    - Configure roles and policies for shared account and shared access.
- Uses the IBM Tivoli Common Reporting console to access shared access reports.

User type: Privileged User
Tasks:
- Uses the IBM Security Identity Manager self-service user interface to manually check out and check in shared credentials.
- Uses the IBM Security Access Manager for Enterprise Single Sign-On shared access agent to access systems and applications with shared credentials.

Component software

IBM Security Privileged Identity Manager has several components, which are described in this section.

IBM Security Identity Manager shared access module

IBM Security Identity Manager includes shared access management, which extends its core features. This module is the centerpiece of the IBM Security Privileged Identity Manager solution. The core features include user account provisioning and identity and access governance framework. Installing this module is optional during the IBM Security Identity Manager installation.

Highlights:
- Account provisioning framework provides centralized account and password management for privileged users.
- Shared access uses secure check-in, check-out, and logging of account credentials from a credential vault server.
- Administrative control of shared credential access ensures individual accountability.
- Java APIs and Web Services APIs make it possible for application clients to programmatically access shared credentials.
- There is role-based access control for shared credential access and shared account ownership.
- There is lifecycle management of privileged identities. These tasks include management of access requests; approval and revalidation of account ownership, role-based access requests; and shared credential access.
- There is end-to-end auditing for administration and shared credential access activities.
- There are web applications for shared credential administration and manual check-out and check-in.

IBM Security Access Manager for Enterprise Single Sign-On

IBM Security Access Manager for Enterprise Single Sign-On provides automated check-out and check-in of shared access credentials from the IBM Security Identity Manager Server.

The AccessAgent client software connects to the Integrated Management System (IMS) Server. It provides the privileged identity management logon automation on clients from AccessProfiles on the IMS Server.

Administrators use AccessStudio to create and maintain AccessProfiles. An AccessProfile contains a definition of the logon and change password screen characteristics of an application. It also contains the workflow instructions on how to automate application logons.

Architecture overview

The privileged identity management solution consists of AccessProfiles on a client computer with AccessAgent. The AccessAgent communicates through web services with the IBM Security Identity Manager Server.

The main components of the solution involve communication between:
- IBM Security Identity Manager Server
- IBM Security Access Manager for Enterprise Single Sign-On Adapter
- IBM Security Access Manager for Enterprise Single Sign-On IMS Server
- IBM Security Access Manager for Enterprise Single Sign-On AccessAgent client
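The check-out and check-in flow from "How the solution works", modeled as an added example (not IBM code and not the product's API) to show how role-based policy, pooled accounts, lease time and the audit trail together attribute each use of a shared account to one person. All class and method names, the one-hour lease, the account names, asmith, tlee and the Help_Desk role are assumptions; Operations_Database_Admin, jdoe and the pool of 15 come from the text.

```python
# Added example: toy model of shared-credential check-out and check-in.
# Not IBM code or the product API; all names here are hypothetical.
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """User holds no role that a shared access policy ties to the pool."""


class PoolExhausted(Exception):
    """Every account in the pool is currently leased."""


class LeaseError(Exception):
    """Lease is unknown, already checked in, or expired."""


@dataclass(frozen=True)
class Lease:
    user: str
    account: str
    expires_at: float


@dataclass
class CredentialVault:
    lease_seconds: float = 3600.0                 # assumed lease time
    pools: dict = field(default_factory=dict)     # pool -> {account: password}
    policies: dict = field(default_factory=dict)  # role -> {pool, ...}
    members: dict = field(default_factory=dict)   # user -> {role, ...}
    active: dict = field(default_factory=dict)    # account -> Lease
    audit: list = field(default_factory=list)     # (time, user, action, target)

    def _expire(self, now):
        # Return overdue accounts to the pool; log the moment the lease ended.
        for account, lease in list(self.active.items()):
            if lease.expires_at <= now:
                del self.active[account]
                self.audit.append(
                    (lease.expires_at, lease.user, "lease-expired", account))

    def check_out(self, user, pool, now):
        self._expire(now)
        roles = self.members.get(user, set())
        if not any(pool in self.policies.get(role, set()) for role in roles):
            self.audit.append((now, user, "denied", pool))
            raise AccessDenied(f"{user} has no role with access to {pool}")
        for account, password in self.pools[pool].items():
            if account not in self.active:
                lease = Lease(user, account, now + self.lease_seconds)
                self.active[account] = lease
                self.audit.append((now, user, "check-out", account))
                return lease, password
        raise PoolExhausted(pool)

    def check_in(self, lease, now):
        self._expire(now)
        if self.active.get(lease.account) != lease:
            raise LeaseError(f"no active lease on {lease.account}")
        del self.active[lease.account]
        self.audit.append((now, lease.user, "check-in", lease.account))

    def who_held(self, account, at):
        """Name the one person who held a shared account at time `at`."""
        holder = None
        for when, user, action, target in self.audit:
            if target == account and when <= at:
                holder = user if action == "check-out" else None
        return holder


def build_example_vault():
    # Constructed data: 15 pooled DBA accounts tied to one privileged role.
    vault = CredentialVault()
    vault.pools["db-admins"] = {
        f"dba{n:02d}": f"placeholder-{n:02d}" for n in range(1, 16)}
    vault.policies["Operations_Database_Admin"] = {"db-admins"}
    vault.members["jdoe"] = {"Operations_Database_Admin"}
    vault.members["asmith"] = {"Operations_Database_Admin"}
    vault.members["tlee"] = {"Help_Desk"}         # role with no shared access
    return vault


def demo():
    vault = build_example_vault()
    first, _ = vault.check_out("jdoe", "db-admins", now=0)
    vault.check_out("asmith", "db-admins", now=10)
    vault.check_in(first, now=200)
    try:
        vault.check_out("tlee", "db-admins", now=300)
    except AccessDenied:
        pass                                      # refusal is still audited
    vault.check_out("jdoe", "db-admins", now=4000)  # asmith's lease ended at 3610
    return vault


if __name__ == "__main__":
    for event in demo().audit:
        print(event)
```

The audit list is the part that restores accountability: who_held answers "who was using dba02 at 3000?" even though several people share the account.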

Chapter 2. Planning

Installing and configuring IBM Security Privileged Identity Manager involves several steps. Review the prerequisites and roadmap before you begin the installation process.

What you must prepare

Follow this process to prepare for the IBM Security Privileged Identity Manager solution.

1. Review the hardware and software requirements. See Hardware and software requirements.
2. Install and configure IBM Security Identity Manager, Version 6.0, if you did not yet do so. For installation instructions, see the IBM Security Identity Manager Information Center.
   Note: Install the Shared Access module.
3. Install and configure IBM Security Access Manager for Enterprise Single Sign-On, Version 8.2, if you did not yet do so.
   - Install IMS Server, Version
   - Install AccessAgent, Version , on Windows client computers that require automated check-out and check-in of credentials.
   - Install AccessStudio, Version
   For installation instructions, see the IBM Security Access Manager for Enterprise Single Sign-On Information Center.
   If IBM Security Access Manager for Enterprise Single Sign-On, Version 8.2, is already installed:
   - Install the required fix packs, ISS-SAMESSO-IMS-FP0003 and ISS-SAMESSO-AA-FP0011. See the Fix Pack readme file for installation and configuration instructions.
   - Ensure that the version of AccessStudio is
4. Install and configure IBM Security Access Manager for Enterprise Single Sign-On Adapter for IBM Security Identity Manager if you did not yet do so. See the IBM Security Access Manager for Enterprise Single Sign-On Adapter Installation and Configuration Guide at com.ibm.itim_pim.doc/tamesso/install_config/tamesso_html_mstr.htm.

Downloading IBM Security Privileged Identity Manager

You can download the IBM Security Privileged Identity Manager solution from the IBM Passport Advantage website.

Before you begin

You must have a customer account number and password for IBM Passport Advantage Online. To learn more, go to the IBM Passport Advantage Online website at

Review the Hardware and Software requirements for any required fix packs. See Hardware and software requirements.

Note: If you previously installed IBM Security Access Manager for Enterprise Single Sign-On, Version 8.2:
- Install the fix packs ISS-SAMESSO-IMS-FP0003 and ISS-SAMESSO-AA-FP0011 or later versions. See the Fix Pack readme file for the installation and configuration instructions.
- Install the new AccessStudio build. See the IBM Security Access Manager for Enterprise Single Sign-On Installation Guide for the instructions.

About this task

The IBM Security Privileged Identity Manager solution includes:
- IBM Security Identity Manager
- IBM Security Access Manager for Enterprise Single Sign-On Adapter
- IBM Security Access Manager for Enterprise Single Sign-On

Procedure

1. Go to the IBM Security Privileged Identity Manager, Version 1.0, download page.
2. Go to the AccessProfiles Library.

Hardware and software requirements

Check the hardware and software requirements before you install the IBM Security Privileged Identity Manager solution.

Software requirements

The IBM Security Privileged Identity Manager solution supports the following software:

Table 2. Supported prerequisite software and versions

Columns: Required software and components; Version
- IBM Security Identity Manager Shared Access module
- IBM Security Access Manager for Enterprise Single Sign-On Adapter
- IBM Security Access Manager for Enterprise Single Sign-On
    - IMS Server, Version
    - AccessAgent, Version
    - AccessStudio, Version

See Appendix B, Requirements for component products, on page 59 for the detailed requirements for each product component.

To view the latest hardware and software requirements:
- For IBM Security Identity Manager, see docview.wss?uid=swg
- For IBM Security Access Manager for Enterprise Single Sign-On, see

Software considerations

There are additional software support considerations for IBM Security Privileged Identity Manager.

Language support
    AccessAgent supports shared credential check-out and check-in automation only on English versions of Microsoft Windows.

PuTTY
    AccessAgent supports access to 32-bit PuTTY, Version 0.58, on:
    - 32-bit Windows XP
    - 32-bit and 64-bit Windows 7

Remote Desktop Protocol (RDP) client
    AccessAgent supports access to 64-bit Remote Desktop Protocol (RDP) client on 64-bit Windows 7.
    AccessAgent supports access to 32-bit Remote Desktop Protocol (RDP) client on 32-bit Windows XP and 32-bit Windows 7.

IBM Personal Communications client
    AccessAgent supports access to 32-bit IBM Personal Communications client, Version 5.9, on:
    - 32-bit Windows XP
    - 32-bit and 64-bit Windows 7

VMware vSphere client
    AccessAgent supports access to 32-bit VMware vSphere client, Version 5.0.0, on:
    - 32-bit Windows XP
    - 32-bit and 64-bit Windows 7

Important: If your IMS Server deployment has customized AccessProfiles for any of the provided logon applications, consider taking steps to ensure that earlier versions are not overwritten by the bundled AccessProfiles. For example, back up the AccessProfiles. You cannot single sign-on to the same client application with multiple AccessProfiles that have the same signature.

Managed resources and client application requirements

IBM Security Privileged Identity Manager provides privileged identity management access to several managed resources.

Table 3. Types of supported managed resources and the client application

If you log on to: Remote desktops
Access the managed resource with the following client application: Microsoft Remote Desktop Connection client

If you log on to: Terminal services
Access the managed resource with the following client application: PuTTY / SSH client

If you log on to: Mainframes
Access the managed resource with the following client application: IBM Personal Communications client

If you log on to: Virtual machines
Access the managed resource with the following client application: VMware vSphere Client

Hardware requirements

There are no additional hardware requirements for IBM Security Privileged Identity Manager, apart from the requirements for the following products.

IBM Security Identity Manager
    See the IBM Security Identity Manager, Version 6.0, information center.

IBM Security Access Manager for Enterprise Single Sign-On
    See the IBM Security Access Manager for Enterprise Single Sign-On, Version 8.2, information center.

Accounts and privileges

To deploy the IBM Security Privileged Identity Manager, you must have administrator privileges. To check out shared access credentials from the credential vault, you must have IBM Security Identity Manager credentials.

AccessProfile language support

IBM Security Privileged Identity Manager, Version 1.0, includes Privileged Identity Management AccessProfiles that support English versions of the client application.

Privileged identity management automation with AccessProfiles is supported only on the English language versions of the PuTTY Client, Microsoft RDP Client, IBM Personal Communications, and the VMware vSphere Client.

Table 4. Supported managed resource types with the bundled AccessProfiles

Resource type: UNIX; English: Yes
Resource type: Windows; English: Yes
Resource type: Mainframes; English: Yes
Resource type: VMware ESXi; English: Yes

Note: You access managed resources from Windows client computers.

Workstation configuration support

The IBM Security Privileged Identity Manager automates the credential check-out and check-in to mainframes, terminal, and Windows applications. It also supports deployments on personal workstations.

The IBM Security Privileged Identity Manager does not support deployment on:
- Private desktops
- Shared desktops

Managed resources support

The IBM Security Privileged Identity Manager supports automated check-out and check-in for managed resources.
- Linux/UNIX
- Windows
- Mainframes

Note: The AccessAgent client component provides automated check-in and check-out from Windows client computers.

Planning for high availability

High availability ensures that services are always available. If you require a high availability deployment, allocate additional resources for recovery processes, software, and hardware.

Privileged identity management has no additional high availability dependencies apart from the requirements for IBM Security Identity Manager and IBM Security Access Manager for Enterprise Single Sign-On.

There are no additional planning considerations apart from the high availability considerations for the following products:

IBM Security Identity Manager, Version 6.0
    See the IBM Security Identity Manager Information Center.

IBM Security Access Manager for Enterprise Single Sign-On, Version 8.2
    See the IBM Security Access Manager for Enterprise Single Sign-On Information Center.

Roadmap for configuring shared access for a managed resource

This roadmap provides high-level steps for configuring shared access for a new managed resource in IBM Security Identity Manager.

Flowchart for configuring shared access for a managed resource

Configure shared access for a managed resource for one of the following reasons:
- Setting up the privileged identity management solution for the first time.
- Adding a service type or application.
- Adding a managed resource.

Figure 2. Flowchart for configuring shared access for a managed resource

Step 1: Ensure that all prerequisites are met

Verify the prerequisites for IBM Security Identity Manager.

Requirement: Install the Shared Access Module on the IBM Security Identity Manager Server.
See: Installing IBM Security Identity Manager, Version 6.0

Requirement: Install the AccessAgent client on computers that require automated check-in and check-out.
Note: You can skip this step if you do not want to deploy automated single sign-on.
See: Installing IBM Security Access Manager for Enterprise Single Sign-On, Version 8.2 on page 15

Step 2: Import or configure service types in IBM Security Identity Manager for the managed resource

For each resource type, configure the profile information in IBM Security Identity Manager either by importing the service type or by creating the service type for a manual service. See Importing service types and Creating service types in the Configuration Guide in the IBM Security Identity Manager Information Center.

Step 3: Import or configure the client application for IBM Security Access Manager for Enterprise Single Sign-On

Identify the client application used to access the managed resource. Complete the installation and configuration of the client application on client computers according to the vendor provided instructions. For the list of supported client applications, see Hardware and software requirements on page 6.

Remember: If you have not uploaded the AccessProfiles for IBM Security Privileged Identity Manager, see Uploading AccessProfiles to the IMS Server on page 24.

Note: You can skip this step if you do not want to deploy automated single sign-on.

Step 4: Customize the service form template to include the unique identifier (eruri) field

Add the unique identifier (eruri) field to the service form template. For more information, see Customizing the service form template to include the unique identifier (eruri) field in the Administration Guide in the IBM Security Identity Manager Information Center.

Step 5: Configure the new managed resource in IBM Security Identity Manager

You must follow these steps every time there is a new managed resource on your system.

Is the new managed resource supported by the IBM Security Identity Manager adapter?
- Yes: See Table 5 on page 12.
- No: See Table 6 on page 12.

Table 5. Configuring managed resources that are supported by the IBM Security Identity Manager adapter

Step: Install and configure the IBM Security Identity Manager adapter for the managed resource.
Note: This step does not apply to agentless adapters.
See the following topics in the IBM Security Identity Manager Information Center: Adapter documentation in the IBM Security Identity Manager Information Center

Step: Create the IBM Security Identity Manager service instance for the managed resource.
See the following topics in the IBM Security Identity Manager Information Center: Creating services in the Administration Guide.

Step: Set the service unique identifier in the managed resource service definition in IBM Security Identity Manager.
Note: You can skip this step if you do not want to deploy automated single sign-on.
Use the administrative console to set the unique identifier for connecting to the managed resource on the AccessAgent. For example, the unique identifier might be an IP address or host name of the server. Since the unique identifier field is case-sensitive on IBM Security Identity Manager, enter the unique identifier in lowercase. By default, IBM Security Access Manager for Enterprise Single Sign-On processes the value in lowercase.
Note: Unique identifiers for computer names that are in the form of domain\name or must be as it is.
See the following topics in the IBM Security Identity Manager Information Center: Setting the service unique identifier in the Administration Guide.

Table 6. Configuring managed resources that are not supported by the IBM Security Identity Manager adapter

Step: Create the IBM Security Identity Manager service instance with the manual service type.
See the following topics in the IBM Security Identity Manager Information Center:
- Manual services and service types in the Configuration Guide.
- Creating manual services in the Administration Guide.

Step: Set the service unique identifier in the managed resource service definition in IBM Security Identity Manager.
Note: You can skip this step if you do not want to deploy automated single sign-on.
Use the administrative console to set the unique identifier for connecting to the managed resource on the AccessAgent. For example, the unique identifier might be an IP address or host name of the server. Since the unique identifier field is case-sensitive on IBM Security Identity Manager, enter the unique identifier in lowercase. By default, IBM Security Access Manager for Enterprise Single Sign-On processes the value in lowercase.
See the following topics in the IBM Security Identity Manager Information Center: Setting the service unique identifier in the Administration Guide.

Step 6: Define roles and provisioning policies to grant ownership of sponsored accounts

Perform these tasks in IBM Security Identity Manager.

Table 7. Defining roles and provisioning policies to grant ownership of sponsored accounts

Step: Reconcile groups and accounts.
See the following topics in the IBM Security Identity Manager Information Center: Managing reconciliation schedules in the Administration Guide.

Step: Define roles and provisioning policies to grant ownership of sponsored accounts.
See the following topics in the IBM Security Identity Manager Information Center:
- Creating a provisioning policy in the Administration Guide.
- Creating roles in the Administration Guide.
- Specifying owners of a role in the Administration Guide.

Step: Identify or create groups for privileged access to managed resources.
See the following topics in the IBM Security Identity Manager Information Center:
- Creating groups in the Administration Guide.
- Defining access on a group in the Administration Guide.

Table 7. Defining roles and provisioning policies to grant ownership of sponsored accounts (continued)
Steps | See the following topics in the IBM Security Identity Manager Information Center

Step: Provision or adopt privileged accounts to authorized owners. The account that is used for shared access must be a sponsored account. The ownership type for the account can be anything other than Individual.
See: If an account does not exist on the service, see Requesting accounts on a service in the Administration Guide. If an account exists on the service, see Assigning an account to a user in the Administration Guide. For general information about sponsored accounts, see Managing accounts in the Administration Guide.

Step 7: Configure shared access for the new managed resource
Perform these tasks in IBM Security Identity Manager.

Table 8. Configuring shared access for the new managed resource
Steps | See the following topics in the IBM Security Identity Manager Information Center

Step: Add the privileged accounts to be shared to the credential vault. Designate a sponsored account to be shared by storing its credentials (user ID and password) in a credential vault. Access to these credentials is governed by a role-based shared access policy.
See: Adding credentials to the vault in the Administration Guide.

Step: Create the credential pools, typically based on groups of the service. Use the credential pools to organize shared credentials that have the same privileged access.
See: Creating a credential pool in the Administration Guide.

Step: Define roles and shared access policies to grant access to shared credentials. Shared access policies authorize role members to share credentials or credential pools.
See: Creating a shared access policy in the Administration Guide.

For an overview of shared access, see the "Shared access" topic in the IBM Security Identity Manager Information Center.

Related information: For additional information about the Privileged Identity Manager deployment, see the IBM Security Identity Manager wiki.

Chapter 3. Installation

Install the IBM Security Privileged Identity Manager components that are required in your environment.

Note: To upgrade from earlier versions of installed product components, see Upgrade to IBM Security Privileged Identity Manager on page 18.

Install IBM Security Identity Manager and IBM Security Access Manager for Enterprise Single Sign-On on separate systems.

Complete the following tasks:
- Installing IBM Security Identity Manager, Version 6.0
- Installing IBM Security Access Manager for Enterprise Single Sign-On, Version 8.2
- Installing IBM Security Access Manager for Enterprise Single Sign-on Adapter, Version 6.0 on page 17

Related information: For additional information about the Privileged Identity Manager deployment, see the IBM Security Identity Manager wiki.

Installing IBM Security Identity Manager, Version 6.0

Install IBM Security Identity Manager with the shared access module.

To install IBM Security Identity Manager, follow the directions in the IBM Security Identity Manager Installation Guide. You can access the guide in the IBM Security Identity Manager Information Center.

The IBM Security Identity Manager installation wizard asks if you want to install the shared access module. To deploy IBM Security Privileged Identity Manager, you must install the shared access module.

If you install the shared access module into a WebSphere cluster environment, you must complete configuration steps after the installation finishes. See the topic "Shared access module configuration" in the IBM Security Identity Manager Installation Guide.

Before you begin installation, review the hardware and software requirements in IBM Security Identity Manager, Version 6.0 on page 64.

Installing IBM Security Access Manager for Enterprise Single Sign-On, Version 8.2

Install IBM Security Access Manager for Enterprise Single Sign-On with the AccessAgent client to provide automated shared access credential check-in and check-out for IBM Security Privileged Identity Manager.

To install IBM Security Access Manager for Enterprise Single Sign-On, follow the directions in the IBM Security Access Manager for Enterprise Single Sign-On Installation Guide in the IBM Security Access Manager for Enterprise Single Sign-On Information Center.

Use the instructions to install:
- IMS Server, Version
- AccessAgent, Version
  Note: To verify the installation, configure AccessAgent to communicate with the IMS Server.
- Optional: AccessStudio, Version
  To modify the bundled AccessProfiles, install AccessStudio on an administrative computer to develop custom AccessProfiles.

Note: If you have an earlier version of the components, see Upgrading IBM Security Access Manager for Enterprise Single Sign-On on page 19.

Complete the following tasks:
1. Prepare the IMS Server.
2. Prepare the AccessAgent.
3. Verify the configuration.

Preparing the IMS Server

Configure the IMS Server to support the management of privileged identities.

Note: The virtual appliance server deployment mode for the IMS Server is not supported in IBM Security Privileged Identity Manager.

Install IMS Server, Version , using the IMS Server installer from Passport Advantage. Then, upload the AccessProfiles to the IMS Server. See Uploading AccessProfiles to the IMS Server on page 24.

Note: If the installed IMS Server is a version earlier than , for example, , you must upgrade the IMS Server. See Upgrading the IMS Server from to on page 20.

Preparing the AccessAgent

You must prepare the AccessAgent client computers.

Before you begin
Ensure that the client computer meets the hardware and software prerequisites. See Hardware and software requirements on page 6.

Note: If you have a version of AccessAgent that is earlier than version , you must upgrade the AccessAgent component. See Upgrading IBM Security Access Manager for Enterprise Single Sign-On on page 19.

About this task
Before you deploy the AccessAgent in a production environment with many computers, you can install the AccessAgent client on one computer. Then, complete and verify the rest of the IBM Security Privileged Identity Manager configuration tasks. If the verification is successful, continue with the AccessAgent deployment.

Procedure
1. Open the AccessAgent installer folder.
2. Navigate to the Config folder.
3. Open the DeploymentScript.vbs file with a text editor.
4. Search for the following text:
    Add your own ISIM host name here. Examples: trusty.server.com:
    Dim HOSTS: HOSTS = Array()
5. Specify the IBM Security Identity Manager IP address inside the Array(). For example:
    Dim HOSTS: HOSTS = Array(" ")
6. Install AccessAgent. See the IBM Security Access Manager for Enterprise Single Sign-On Installation Guide.

Verifying the installation and configuration

Verify that you have successfully installed and configured the IMS Server and AccessAgent to support privileged identity management.

Before you begin
Ensure that:
- The required components are installed and configured.
- The Privileged Identity Management AccessProfiles are uploaded in the IMS Server. See Uploading AccessProfiles to the IMS Server on page 24.

About this task
Before deploying AccessAgent to actual users for check-out and check-in automation, validate all the server configurations by using a single installation of AccessAgent.

Procedure
1. Start the managed resource client application.
2. Test the credential check-out and check-in automation. See the following scenarios:
   - Logging on with PuTTY on page 34
   - Logging on with the Microsoft Remote Desktop Connection (RDP) client on page 35
   - Logging on with IBM Personal Communications on page 36
   - Logging on with the VMware vSphere Client
3. Ensure that the privileged identity management scenarios work according to your requirements. If the test fails, see Chapter 9, Troubleshooting, on page 55.

Installing IBM Security Access Manager for Enterprise Single Sign-on Adapter, Version 6.0

Install the IBM Security Access Manager for Enterprise Single Sign-On Adapter to manage provisioning of users to the IMS Server.

To install IBM Security Access Manager for Enterprise Single Sign-On Adapter, follow the instructions in the IBM Security Access Manager for Enterprise Single Sign-On Adapter Installation and Configuration Guide in the IBM Security Identity Manager Information Center.

After you install the IBM Security Access Manager for Enterprise Single Sign-On Adapter files, you must integrate the adapter into the IBM Security Privileged Identity Manager environment by completing the required configuration tasks. Follow the instructions in the IBM Security Access Manager for Enterprise Single Sign-On Adapter Installation and Configuration Guide.

Upgrade to IBM Security Privileged Identity Manager

You can upgrade to IBM Security Privileged Identity Manager from existing deployments of the component software.

You can upgrade from any of these existing deployments:
- IBM Tivoli Identity Manager, Version 5.0 or 5.1. See Upgrading IBM Tivoli Identity Manager, Version 5.1 on page 19.
- IBM Tivoli Access Manager for Enterprise Single Sign-On, Version 8.1 or earlier. See Upgrading IBM Security Access Manager for Enterprise Single Sign-On on page 19.
- A deployment that consists of all of the following products:
  - IBM Tivoli Identity Manager, Version 5.1 or 5.0
  - IBM Tivoli Access Manager for Enterprise Single Sign-On, Version 8.1 or earlier
  - IBM Tivoli Access Manager for Enterprise Single Sign-On Adapter, Version 5.1
  See Upgrading IBM Tivoli Identity Manager and IBM Tivoli Access Manager for Enterprise Single Sign-on on page 21.

Upgrade considerations

What is available by default after the upgrade:
- IBM Security Identity Manager provisioning and governance for users and managed resources.
- Bundled adapters to manage various types of LDAP servers and UNIX servers, such as AIX, HP-UX, Linux, and Solaris.
- IBM Security Role and Policy Modeler and Role loaders.
- Automated check-out, check-in, and single sign-on for target resources that are accessed directly through the following applications:
  - PuTTY
  - RDP
  - IBM Personal Communications
  - VMware vSphere
- Separate reports for IBM Security Identity Manager shared access events and AccessAgent check-in, check-out, or single sign-on events.

Types of common customizations that might require more effort:

- Customization of default AccessProfiles to meet local needs. For example, support for different languages, differing prompts, different commands in a command prompt or shell.
- Development of new AccessProfiles for additional IBM Security Privileged Identity Manager applications.
- Consolidation of audit logs from IBM Security Identity Manager, IBM Security Access Manager for Enterprise Single Sign-On, and target resources into Security Information and Event Management (SIEM) solutions.

Upgrading IBM Tivoli Identity Manager, Version 5.1

Upgrade IBM Tivoli Identity Manager to IBM Security Identity Manager.

In this scenario, you previously deployed IBM Tivoli Identity Manager, Version 5.1. Now, you want to upgrade to IBM Security Privileged Identity Manager.

If your IBM Security Privileged Identity Manager deployment does not require automated checkout and checkin, your only task is to upgrade IBM Tivoli Identity Manager, Version 5.1 to IBM Security Identity Manager, Version 6.0.

If your IBM Security Privileged Identity Manager deployment requires automated checkout and checkin, you must first upgrade IBM Tivoli Identity Manager, Version 5.1, and then do a new install of the other IBM Security Privileged Identity Manager components:
- IBM Security Access Manager for Enterprise Single Sign-On, Version 8.2
- IBM Security Access Manager for Enterprise Single Sign-On Adapter, Version 6.0

For IBM Tivoli Identity Manager upgrade, you can complete either an in-place system upgrade or a separate system upgrade with data migration. Most deployments use a separate system upgrade with data migration.

The IBM Security Identity Manager installation wizard runs as part of the upgrade. When prompted by the wizard, be sure to select the Shared Access Module.

Follow the instructions for your upgrade type in the IBM Security Identity Manager Installation Guide in the IBM Security Identity Manager Information Center:
- IBM Security Identity Manager upgrade
- Separate system upgrade and data migration

Note: In the separate system upgrade, you do not immediately replace the IBM Tivoli Identity Manager Server. Instead, you create a separate deployment of IBM Security Identity Manager and migrate data from the old IBM Tivoli Identity Manager Server to the new IBM Security Identity Manager Server.

Upgrading IBM Security Access Manager for Enterprise Single Sign-On

In this case, you previously installed IBM Security Access Manager for Enterprise Single Sign-On. Now, you want to deploy IBM Security Privileged Identity Manager.

Install IBM Security Identity Manager, Version 6.0, with the shared access module. See Installing IBM Security Identity Manager, Version 6.0 on page 15.

Upgrade IBM Security Access Manager for Enterprise Single Sign-On.

Table 9. Upgrade matrix

If you have: IBM Security Access Manager for Enterprise Single Sign-On, Version 8.1 or earlier
Action for the IMS Server: Install IMS Server, Version . See the IBM Security Access Manager for Enterprise Single Sign-On Installation Guide.
Action for AccessAgent: Install AccessAgent, Version . See the IBM Security Access Manager for Enterprise Single Sign-On Installation Guide.
Action for AccessStudio: Install AccessStudio, Version . See the IBM Security Access Manager for Enterprise Single Sign-On Installation Guide.

If you have: IMS Server, Version with or without fix packs or interim fixes; AccessAgent, Version with or without fix packs or interim fixes; AccessStudio, Version with or without fix packs or interim fixes
Action for the IMS Server: Upgrade to IMS Server, Version , using ISS-SAMESSO-IMS-FP0003. See Upgrading the IMS Server from to
Action for AccessAgent: Upgrade to AccessAgent, Version , using ISS-SAMESSO-AA-FP0011. See Upgrading AccessAgent from to on page 21.
Action for AccessStudio: Install AccessStudio, Version . See the IBM Security Access Manager for Enterprise Single Sign-On Installation Guide.

Install IBM Security Access Manager for Enterprise Single Sign-On Adapter, Version 6.0. See Installing IBM Security Access Manager for Enterprise Single Sign-on Adapter, Version 6.0 on page 17.

Upgrading the IMS Server from to

If you have installed IMS Server, Version , with or without fix packs or interim fixes, you must install ISS-SAMESSO-IMS-FP0003 and configure the IMS Server to support privileged identity management.

Procedure
1. Install the IMS Server fix pack ISS-SAMESSO-IMS-FP0003. See the fix pack readme file. Download the file from IBM Support & downloads.
2. Upload the AccessProfiles in the IMS Server.
3. Add a policy in the User Policy template for Privileged Identity Manager on the IMS Server.
4. Configure the audit logs to include privileged identity events.
5. Create a user policy template only for privileged identity management users.
6. Map the authentication service.
7. Update IMS view to show Privileged Identity Management events.
8. Optional: Add privileged identity management policies in AccessAdmin.
9. Optional: Upload policy definitions and objects.

Upgrading AccessAgent from to

If you have installed AccessAgent, Version , with or without fix packs or interim fixes, you must install ISS-SAMESSO-AA-FP0011 and install the IBM Security Identity Manager certificates on the computer where AccessAgent is installed.

Before you begin
Ensure that the client computer meets the hardware and software prerequisites. See Hardware and software requirements on page 6.

About this task
Before you deploy the AccessAgent in a production environment with many computers, you can install the AccessAgent client on one computer. Then, complete and verify the rest of the IBM Security Privileged Identity Manager configuration tasks. If the verification is successful, continue with the AccessAgent deployment.

When you install AccessAgent, deploy the IBM Security Identity Manager SSL certificates on each AccessAgent client computer. If you are deploying the AccessAgent on multiple computers, use a wrapping installation package that installs the AccessAgent fix pack and the IBM Security Identity Manager certificates.

Procedure
1. Install the AccessAgent fix pack ISS-SAMESSO-AA-FP0011. See the fix pack readme file.
2. Run the following command to install or import the IBM Security Identity Manager certificates on the computer where you installed the AccessAgent. If you have an:
   x86 architecture
       rundll32.exe aa_installpath\AA\ECSS\PIMSlnHelper.dll,Believe isim_ip_host
   x64 architecture
       rundll32.exe aa_installpath\AA\ECSS\PIMSlnHelper64.dll,Believe isim_ip_host
   For example:
       rundll32.exe c:\program Files\IBM\ISAM ESSO\AA\ECSS\PIMSlnHelper.dll,Believe " "
3. If the computer requires a client application to access a specific managed resource, install the client application.

Upgrading IBM Tivoli Identity Manager and IBM Tivoli Access Manager for Enterprise Single Sign-on

Upgrade an existing deployment of Tivoli Identity Manager plus Tivoli Access Manager for Enterprise Single Sign-on to an IBM Security Privileged Identity Manager deployment.

In this scenario, you previously deployed all of the following products:
- IBM Tivoli Identity Manager, Version 5.1
- IBM Tivoli Access Manager for Enterprise Single Sign-On, Version 8.1

- IBM Tivoli Access Manager for Enterprise Single Sign-On Adapter, Version 5.1

Now, you want to upgrade to use IBM Security Privileged Identity Manager. The tasks are:

1. Upgrade IBM Tivoli Identity Manager, Version 5.1, to IBM Security Identity Manager, Version 6.0, with the shared access module. Complete the instructions in Upgrading IBM Tivoli Identity Manager, Version 5.1.
2. Upgrade IBM Tivoli Access Manager for Enterprise Single Sign-On, Version 8.1, to IBM Security Access Manager for Enterprise Single Sign-On, Version 8.2.
   - If IBM Tivoli Access Manager for Enterprise Single Sign-On, Version 8.1, or earlier is installed, upgrade to version 8.2. See the IBM Security Access Manager for Enterprise Single Sign-On Installation Guide.
   - If IBM Security Access Manager for Enterprise Single Sign-On, Version 8.2 is installed:
     - Upgrade to IMS Server, Version , using ISS-SAMESSO-IMS-FP0003. See Upgrading the IMS Server from to on page 20.
     - Upgrade to AccessAgent, Version , using ISS-SAMESSO-AA-FP0011. See Upgrading AccessAgent from to on page 21.
     - Install AccessStudio, Version . See the IBM Security Access Manager for Enterprise Single Sign-On Installation Guide.
3. Upgrade IBM Tivoli Access Manager for Enterprise Single Sign-On Adapter, Version 5.1, to IBM Security Identity Manager, Version 6.0. Upgrade the adapter to IBM Security Access Manager for Enterprise Single Sign-On Adapter, Version 6.0. Follow the instructions in the IBM Security Access Manager Enterprise Single Sign-On Adapter Installation and Configuration Guide. See the following sections:
   - Before you begin the upgrade, determine whether you must migrate existing group shared accounts. See Migrating Group Sharing Account to Privileged Identity Management.
   - If you must remove group shared accounts, see Removing the Group Sharing Account feature.
   - Upgrading the IBM Security Access Manager Enterprise Single Sign-On Adapter.

Chapter 4. Configuration for IBM Security Privileged Identity Manager

There are several required configuration tasks that you must perform so that IBM Security Privileged Identity Manager operates properly. This chapter covers those tasks. There are also several optional configuration tasks that are covered in the Appendix.

Shared access configuration

You can complete configuration tasks for shared access as needed for your deployment.

Table 10 describes configuration tasks that you might want to complete, depending on the requirements of your deployment.

Table 10. Shared access configuration tasks
Configuration task | Description

Configuration task: Configuring the credential default settings
Description: Specifies the default settings for each credential that is added to the credential vault.

Configuration task: Customizing the service form template to include the unique identifier (eruri) attribute
Description: Updates the managed resource service form template to include a field for the unique identifier that you use to connect to the managed resource.

Configuration task: Configuring an external credential vault server
Description: Specifies the required properties to configure an external credential vault server.

Configuration task: Customization of the checkout operation
Description: The shared access module supports both synchronous and asynchronous checkout of shared accounts. Synchronous checkout is enabled by default. If you want to use asynchronous checkout, you must enable and configure it.

Configuration task: Shared access approval and recertification
Description: You can add an approval process to the default operation for adding credentials to the vault. You can also define a custom workflow to recertify credentials in the vault.

Configuration task: Customizing the checkout form
Description: You can customize the form that is used for checkout of shared accounts. You can add more attributes to be filled out during checkout. This customization increases individual accountability when credentials are shared.

Configuration task: Shared access Tivoli Common Reporting reports
Description: You can configure reports that show:
- Shared access audit history
- Shared access entitlements for a specified owner
- Shared access entitlements for a specified role

Consult the IBM Security Identity Manager documentation to understand which configuration tasks apply to your deployment:

Shared access documentation
    On this page in the IBM Security Identity Manager Information Center, see the "System configuration" section to find links to the documentation for shared access configuration tasks.

IBM Security Identity Manager Information Center
    To find information about a task in Table 10 on page 23, go to this information center. On the home page, locate the information center search field, and enter the configuration task name as shown in the Configuration task column of the table. For example, to use an external credential vault server, enter "Configuring an external credential vault server".

Setting the minimum AccessAgent version on the Privileged Identity Management AccessProfile

Set the minimum AccessAgent version for each of the Privileged Identity Management AccessProfiles if you have a mixed deployment of computers running on different AccessAgent versions. For example, one computer is running on AccessAgent, Version 8.1 and another computer is running on AccessAgent, Version 8.2.

About this task
Complete this task for Concurrent_profiles_bgMonitor_Wnd_Explorer.eas AND PIM_Profiles_With_General_RDP_Flow.eas OR PIM_Profiles.eas.

Procedure
1. Open the EAS file in the AccessStudio.
2. Set the minimum AccessAgent version for each AccessProfile from the AccessProfile pane.
   a. Select the AccessProfile.
   b. Click the General properties pane.
   c. Enter in the Minimum AccessAgent version field.
   d. Repeat these steps for each AccessProfile included in the EAS file.
3. Save the EAS file.
4. Repeat these steps for each EAS file.

Uploading AccessProfiles to the IMS Server

To activate and use the Privileged Identity Management AccessProfiles, upload the AccessProfiles to the IMS Server.

Before you begin
- If you have multiple AccessProfiles, see Managing multiple AccessProfiles for the same client application on page 42 for a better understanding before you upload AccessProfiles to the IMS Server.
- If you have a mixed deployment of computers running on different AccessAgent versions, see Setting the minimum AccessAgent version on the Privileged Identity Management AccessProfile.

About this task
There are four Privileged Identity Management AccessProfiles available for upload to the IMS Server. You must upload the following Privileged Identity Management AccessProfiles:

- Use_Shared_Credentials_Authentication_Service.eas
- Concurrent_profiles_bgMonitor_Wnd_Explorer.eas

Then, upload either of these Privileged Identity Management AccessProfiles:

PIM_Profiles_With_General_RDP_Flow.eas
    This AccessProfile contains both PIM workflows and non PIM workflows. Use this AccessProfile if the non PIM workflows for RDP are required for non PIM users. The non PIM workflows are provided in the IBM Security Access Manager for Enterprise Single Sign-On bundled AccessProfiles. The non PIM workflows that are included in this AccessProfile might be outdated. See the AccessProfiles Library for the latest version.
    Note: This AccessProfile is just an example of a merged AccessProfile. If the non PIM workflows included in this AccessProfile are outdated, download the latest version of the AccessProfile from the AccessProfiles Library and merge it with the RDP AccessProfile for the PIM workflow. The RDP Profile ID is profile_rdp_main.

PIM_Profiles.eas
    This AccessProfile contains the PIM workflows only. Use this AccessProfile if you want to use the PIM workflows only.

You can get these AccessProfiles from the AccessProfiles Library. If you cannot find or download these AccessProfiles from the AccessProfiles Library, you can get the files from this location:
    <IMS Server installation folder>\com.ibm.tamesso.ims-delhi.build.boot\src\config\data\config\pim\profiles
For example:
    C:\Program Files\IBM\ISAM ESSO\IMS Server\com.ibm.tamesso.ims-delhi.build.boot\src\config\data\config\pim\Profiles

Procedure
1. Open the command prompt.
2. Navigate to <IMS Server installation folder>\bin.
3. Run the following command:
    uploadsync.bat <was_admin> <was_admin_password> --datafile "<accessprofile_absolute_path>"
   For example:
    C:\Program Files\IBM\ISAM ESSO\IMS Server\bin>uploadSync.bat wasadmin p@ssw0rd --datafile "C:\Program Files\IBM\ISAM ESSO\IMS Server\com.ibm.tamesso.ims-delhi.build.boot\src\config\data\config\pim\Profiles\Concurrent_profiles_bgMonitor_Wnd_Explorer.eas"

Related information: AccessProfiles Library

Adding a policy in the User Policy template for Privileged Identity Manager on the IMS Server

Use this topic to configure the shared access credential usage policy, through the user policy template, for all users.

Before you begin
Upload the IBM Security Privileged Identity Manager AccessProfiles in the IMS Server.

About this task
Complete this task only if you upgraded the IMS Server using the ISS-SAMESSO-IMS-FP0003 fix pack.

Procedure
1. Log on to the IBM Integrated Solutions Console with the WebSphere administrator credentials. For example: wasadmin.
2. On the Integrated Solutions Console navigation pane, select Applications > Application Types > WebSphere Enterprise Applications.
3. Stop the ISAMESSOConfig and ISAMESSOIMS applications.
4. Modify the ims.xml configuration file.
   - For WebSphere Application Server Stand-alone Deployment: <WAS_profile>/config/tamesso/config/
   - For WebSphere Application Server Network Deployment: <Dmgr_profile>/config/tamesso/config/
5. Add the following lines under the <main> element:
    <encentuate.ims.pim.enabled.service.list>
      <value xml:lang="en">use_shared_credentials</value>
    </encentuate.ims.pim.enabled.service.list>
6. Start the ISAMESSOConfig application.
7. For WebSphere Application Server Stand-alone Deployment, start the ISAMESSOIMS application. For WebSphere Application Server Network Deployment, resynchronize the nodes and restart the cluster.

Creating a user policy template only for privileged identity management users

Configure a user policy template in AccessAdmin to segregate PIM and non-PIM users. Segregation lets you configure prompts that display for selected groups of users and hide the prompt from the rest of the users. If there is no segregation, the dialog box prompt displays for every user when the privileged identity management client applications are used.
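For step 5 of "Adding a policy in the User Policy template for Privileged Identity Manager on the IMS Server" above, the following Python script is an added example, not IBM tooling: it adds the service list under <main> only when it is missing, preserves existing comments, and keeps a .bak copy of ims.xml. The sample file layout and the function names are assumptions; stop the ISAMESSOConfig and ISAMESSOIMS applications first, as the procedure requires.

```python
"""Idempotently add the PIM service list to ims.xml (added example, not IBM code)."""
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path

XML_NS = "http://www.w3.org/XML/1998/namespace"
LIST_TAG = "encentuate.ims.pim.enabled.service.list"  # element name from step 5
SERVICE_ID = "use_shared_credentials"                 # value from step 5

# Constructed sample; the layout of a real ims.xml around <main> is an assumption.
SAMPLE_IMS_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<config>
  <main>
    <!-- existing settings must survive the edit -->
    <example.existing.setting>
      <value xml:lang="en">demo</value>
    </example.existing.setting>
  </main>
</config>
"""


def parse_ims(source: bytes) -> ET.Element:
    """Parse ims.xml bytes, keeping comments that the default parser would drop."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(source, parser=parser)


def enable_pim_service(root: ET.Element) -> bool:
    """Ensure <main> lists SERVICE_ID. Return True if the tree was changed."""
    main = next(root.iter("main"), None)  # works whether <main> is the root or nested
    if main is None:
        raise ValueError("no <main> element found in ims.xml")
    service_list = next((child for child in main if child.tag == LIST_TAG), None)
    if service_list is None:
        service_list = ET.SubElement(main, LIST_TAG)
    present = {(v.text or "").strip() for v in service_list.iter("value")}
    if SERVICE_ID in present:
        return False
    value = ET.SubElement(service_list, "value", {f"{{{XML_NS}}}lang": "en"})
    value.text = SERVICE_ID
    return True


def patch_ims_xml(path) -> bool:
    """Patch the file in place; the untouched original is kept as <name>.bak."""
    path = Path(path)
    root = parse_ims(path.read_bytes())
    if not enable_pim_service(root):
        return False  # already configured: leave the file alone
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    ET.indent(root)  # Python 3.9+
    path.write_bytes(ET.tostring(root, encoding="utf-8", xml_declaration=True))
    return True


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "ims.xml"
        target.write_bytes(SAMPLE_IMS_XML)
        print("changed:", patch_ims_xml(target))
        print("changed on second run:", patch_ims_xml(target))
        print(target.read_text(encoding="utf-8"))
```

Running it a second time changes nothing, so it is safe to include in a repeatable upgrade runbook.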
Before you begin
See Configuring the shared access credential usage prompt.

Procedure
1. Log on to AccessAdmin.
2. Create or modify an existing user policy template for privileged identity management users.
   a. Under User Policy Templates, click New template.
   b. Type a name for the template. For example: PIM admins only.
   c. Expand the Authentication Service Policies group.
   d. Expand Use Shared Credentials.
   e. For Password entry of injection policy per authentication service, choose Ask.
   f. Click Update.
   g. Apply the user policy template to privileged identity management users. See the topic Applying a User Policy Template in the IBM Security Access Manager for Enterprise Single Sign-On Information Center.
3. Create or modify an existing user policy template for non-privileged identity management users. For example: Non-PIM users only.
   a. For the policy template, expand Authentication Service Policies.
   b. Expand Use Shared Credentials.
   c. For Password entry of injection policy per authentication service, choose Never.
   d. Click Update.
   e. Apply the user policy template to users not using privileged identity management. See the topic Applying a User Policy Template in the IBM Security Access Manager for Enterprise Single Sign-On Information Center.

Mapping the authentication service

Define an IBM Security Identity Manager authentication service. The credentials stored against the authentication service in the user's Wallet are authenticated with IBM Security Identity Manager during check-out and check-in.

Before you begin
If you did not already do so: Obtain details about the authentication service ID that are required for this configuration.
1. Log on to the IMS Configuration Utility.
2. From the Basic Settings menu, select Authentication Services. A list of available authentication services is displayed.
3. Select the appropriate authentication service to view the authentication service ID and the account data template.

About this task
For more information about authentication services, see the topic Managing authentication services in the IBM Security Access Manager for Enterprise Single Sign-On AccessStudio Guide.

You can choose to create an authentication service or use an existing authentication service. To create an authentication service, see the topic Creating authentication services in the IBM Security Access Manager for Enterprise Single Sign-On AccessStudio Guide.

If the IBM Security Access Manager for Enterprise Single Sign-On Adapter is used, then map the provisioned IBM Security Identity Manager credentials with the IBM Security Identity Manager authentication service as defined in the PIM configuration policy.

Procedure
1. Log on to AccessAdmin. For example: admin
2. In the System group, click System policies.
3. In the System policies page, expand PIM Configuration Policies.
4. Specify the following values:
   ISIM URL
       Specify the IBM Security Identity Manager URL. For example:
   ISIM Authentication Service ID
       Specify the configured IBM Security Identity Manager authentication service ID. For example: pim_auth_service.
5. Click Update.

Configuring a group policy to prompt the client for passwords (RDP)

If you use a Remote Desktop Connection client for privileged access to a Windows host, configure the RDP policy to prompt for, not store, passwords.

Before you begin
You must have administrator privileges to configure the Windows group policy.

About this task
The procedure documented here is an example only. For more information about configuring a group policy for the RDP client in Windows, go to the Microsoft website at Search for RDP Always prompt client for password upon connection.

Procedure
1. Log on as an administrator.
2. Start the Group Policy tool.
   a. Click Start > Run.
   b. Type gpedit.msc.
   c. Press Enter.
3. Browse for the policy:
   Windows XP: Click Computer Configuration > Administrative Templates > Windows Components > Terminal Services > Encryption and Security > Always prompt client for password upon connection.

   - Windows 7: Click Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Connection Client > Do not allow passwords to be saved.
4. From the Action menu, click Edit.
5. Choose Enabled.
6. Click OK.

Adding privileged identity management policies in AccessAdmin

The policyconfig.xml file controls the policies that are displayed in the AccessAdmin user interface. To display the privileged identity management policies in AccessAdmin, the existing policyconfig.xml file must be replaced with the updated version.

About this task

Do this task only if you have already configured the IMS Server using the IMS Configuration Wizard, before you installed IMS Server fix pack ISS-SAMESSO-IMS-FP0003.

Procedure

1. Back up the policyconfig.xml file from the following locations:
   - For WebSphere Application Server Stand-alone Deployment: <WAS_profile>/config/tamesso/config/
   - For WebSphere Application Server Network Deployment: <Dmgr_profile>/config/tamesso/config/
2. Copy the policyconfig.xml from the <IMS_Server_installation_directory>\com.ibm.tamesso.ims-delhi.build.boot\build\config. For example:
   C:\Program Files\IBM\ISAM ESSO\IMS Server\com.ibm.tamesso.ims-delhi.build.boot\BUILD\config
3. Paste the copied policyconfig.xml in the following locations:
   - For WebSphere Application Server Stand-alone Deployment: <WAS_profile>/config/tamesso/config/
   - For WebSphere Application Server Network Deployment: <Dmgr_profile>/config/tamesso/config/

What to do next

Upload policy definitions and objects.

Uploading policy definitions and objects

To support privileged identity management, upload the pim_policy_definitions.xml and pim_policy_mgmnt_objects.xml files in the IMS Server.

About this task

Do this task only if you have already configured the IMS Server using the IMS Configuration Wizard before you installed IMS Server fix pack ISS-SAMESSO-IMS-FP0003.

The pim_policy_definitions.xml and pim_policy_mgmnt_objects.xml files are located in <IMS_Server_folder>\com.ibm.tamesso.ims-delhi.build.boot\src\config\data\config\pim\. For example:
C:\Program Files\IBM\ISAM ESSO\IMS Server\com.ibm.tamesso.ims-delhi.build.boot\src\config\data\config\pim\

Procedure

1. Open the command prompt.
2. Navigate to <IMS Server installation folder>\bin.
3. Run the following command:
   uploadsync.bat <was_admin> <was_admin_password> --datafile "<pim_policy_xml_absolute_path>"
   For example:
   C:\Program Files\IBM\ISAM ESSO\IMS Server\bin>uploadSync.bat wasadmin --datafile "C:\Program Files\IBM\ISAM ESSO\IMS Server\com.ibm.tamesso.ims-delhi.build.boot\src\config\data\config\pim\pim_policy_definitions.xml"
   C:\Program Files\IBM\ISAM ESSO\IMS Server\bin>uploadSync.bat wasadmin --datafile "C:\Program Files\IBM\ISAM ESSO\IMS Server\com.ibm.tamesso.ims-delhi.build.boot\src\config\data\config\pim\pim_policy_mgmt_objects.xml"
4. For WebSphere Application Server Stand-alone Deployment, restart the ISAMESSOIMS application. For WebSphere Application Server Network Deployment, resynchronize the nodes and restart the cluster.

Chapter 5. Automating the credential check-out and check-in process

Automation overview

You can automate the check out and check in of shared access credentials from the IBM Security Identity Manager Server for convenience. In some cases, you need to customize the AccessProfiles that automate the check-out and check-in process. This topic covers when to customize the AccessProfiles.

A sequence of steps takes place when a user initiates check-out and check-in. This topic describes the details of these associated processes.

Shared access credential check-out process

In a privileged identity management workflow, you can check out shared access credentials for a managed resource automatically. You can log on to a managed resource with a shared access credential without knowing the shared access credential.

1. Choose the supported application for the managed resource. For example: PuTTY. See Software requirements.
2. Specify the target managed resource.
3. When prompted, log on with shared credentials.
   Note: You can also choose not to log on to a managed resource with a shared access credential. See Configuring the shared access credential usage prompt.
4. When prompted with the AccessAgent reauthentication prompt, specify your IBM Security Access Manager for Enterprise Single Sign-On password. See Configuring the re-authentication prompt on page 32.
   IBM Security Access Manager for Enterprise Single Sign-On authenticates and retrieves your credentials from your single sign-on Wallet.
   If your Wallet contains valid IBM Security Identity Manager credentials, IBM Security Access Manager for Enterprise Single Sign-On retrieves the list of credential pools from the IBM Security Identity Manager Server.
   If your Wallet does not contain any IBM Security Identity Manager credentials, you are prompted to provide them.
5. When prompted, choose a credential pool to check out shared access credentials. After you choose the credential pool, IBM Security Privileged Identity Manager:
   a. Checks out the shared access credential from the IBM Security Identity Manager.
   b. Enters the shared access credential into the client application.

You are logged on to the managed resource with a shared access credential.

When you check out a credential through the automated check-out process, there is no option to enter the check-out justification comment.

Configuring the shared access credential usage prompt

The prompt asking the user whether to use shared credentials to log on to a managed resource, when using any of the client logon applications, can be configured using the injection policy.

Procedure

1. Open the Wallet Manager.
2. On the Authentication Service column, search for Use shared credentials and select any of the Password Entry options.

Table 11. Password entry options

Password entry: Description
Automatic logon: Use only shared credentials to log on to the managed resources.
Always: Always prompt the user to use shared credentials to log on or not to the managed resources.
Ask: Prompt the user to use shared credentials to log on or not to the managed resources.
Never: Do not use shared credentials to log on to the managed resources.

Configuring the re-authentication prompt

For additional security, IBM Security Access Manager for Enterprise Single Sign-On users can be asked to re-authenticate when they access managed resources.

See this topic to configure whether to require the users to re-authenticate every time a user accesses a client logon application and commands the use of shared credentials.

Procedure

1. Open AccessAdmin.
2. Click Authentication service policies.
3. Select the authentication service Use Shared Credentials.
4. Under Password Policies, specify whether to require re-authentication before performing single sign-on using the automatic sign-on mode.

Shared access credential check-in process

The software automatically checks in shared access credentials when you log out, exit, or close the client application.

If the credential check-in process is not triggered automatically, the credential remains checked out to the user until the lease time expires. You can check out a shared access credential only for a limited amount of time. The specific amount of time is the lease time. See the IBM Security Identity Manager Information Center for more information about shared access credential lease.
IBM Security Identity Manager password change process

If there is a change in the IBM Security Identity Manager password, the IBM Security Access Manager for Enterprise Single Sign-On Adapter automatically captures the password change.

To ensure that any password changes that you initiate for IBM Security Identity Manager are applied successfully for IBM Security Identity Manager, install the IBM Security Access Manager for Enterprise Single Sign-On Adapter for IBM Security Identity Manager. For more information, see the IBM Security Access Manager for Enterprise Single Sign-On Adapter Installation and Configuration Guide.

Additional examples that can trigger check-out and check-in automation

Different events can determine the automation behavior. For example, when you start multiple sessions or when sessions are terminated abnormally.

Table 12. Additional events that can trigger automated check-out or check-in behavior.

When: You
- Start a second client application session.
- Connect to the same resource as your client application session.
- Choose the same credential pool.
Automated check-out or check-in behavior: No check-out is necessary. Check-out does not affect initial client application session credentials. AccessAgent reuses the checked out credential from the previous session. The user is prompted whether to use an already checked out credential. The user can choose to reuse or check out a new credential.
Note: If you choose a different credential pool, a separate check-out occurs.

You use a client application. A session is terminated abnormally because of a system crash or deliberate termination. There is no connection to the IBM Security Identity Manager Server. AccessAgent checks in all credentials for a user. After the client application closes properly or terminates, AccessAgent continuously attempts to check in all credentials that a user checked out.

You restart a client computer, and there are still credentials that are pending for check-in. This process prevents any checked out credentials from being used outside the IBM Security Access Manager for Enterprise Single Sign-On domain. AccessAgent retries the check-in when a corresponding user logs on to IBM Security Access Manager for Enterprise Single Sign-On. This approach avoids locking credentials so that they can be checked out by users.

Table 12. Additional events that can trigger automated check-out or check-in behavior. (continued)

You use the managed resource using a checked out credential, from the client logon application, and after the lease expires on the checked out credential. For example:
- You are done using the client logon application and the managed resource but forgot to close the client logon application.
- You are away from the computer for a long time.

When you use the managed resource using a checked out credential, from the client logon application, and after the lease expires on the checked out credential. For example: The computer goes into hibernate mode, and the credential is not checked in.

AccessAgent checks in credentials when the IBM Security Identity Manager administrator configured lease time expires.
Note: One hour before the lease time expiration, a notification tells you when the lease time is almost expired. You must stop using the credentials or have AccessAgent terminate the application when the lease expires. If you do not respond to the notification, the application is terminated.
See the IBM Security Identity Manager Information Center for more information about lease expiry configurations.

IBM Security Identity Manager performs lease expiry handling based on how the lease expiry handling is configured. For example:
- The credentials can be checked in or
- Notifications can be sent
See the IBM Security Identity Manager Information Center for more information.

Automatic check out and check in with client application logon

To log on with a client application, you can use the shared access credentials that you checked out and checked in automatically or manually.

With single sign-on automation
   Use the IBM Security Access Manager for Enterprise Single Sign-On AccessAgent client to provide check-out and check-in automation of shared access credentials. You must install and configure the AccessAgent client on computers from where the client application is accessed.

Without single sign-on automation
   Use the IBM Security Identity Manager self-service user interface console to check out and check in shared access credentials for a resource. After you check out a credential, provide the shared access credentials when the client application prompts you.

Logging on with PuTTY

You can use PuTTY to log on to a remote terminal host from Windows with shared privileged identities.

Before you begin

If you did not already do so:

- Configure the managed resource that you are going to access from PuTTY for shared access.
- Upload the Privileged Identity Management AccessProfile for PuTTY to the IMS Server. See Uploading AccessProfiles to the IMS Server on page 24.
- Ensure that there are IBM Security Identity Manager credentials in the Wallet.

About this task

You can configure the PuTTY AccessProfile for different log on prompts. See Modifying AccessProfiles for the PuTTY application on page 47.

Procedure

1. Start PuTTY.
2. Specify the target host name or IP address.
3. When prompted to log on with shared access credentials, choose Yes.
4. When prompted with the Shared Access Selection window, select one of the credential pools.

Results

The AccessProfile checks out the credentials from IBM Security Identity Manager and injects the logon credential in the terminal server logon prompt.

Logging on with the Microsoft Remote Desktop Connection (RDP) client

You can log on to a remote desktop with shared privileged identities with Remote Desktop Connection.

Before you begin

If you did not already do so:
- Configure the managed resource that you are going to access from the RDP client for shared access.
- Upload the AccessProfile for the Microsoft Remote Desktop Connection RDP client to the IMS Server. See Uploading AccessProfiles to the IMS Server on page 24.
- Configure a group policy to always prompt RDP clients for a password before making a connection.

About this task

The IBM Security Privileged Identity Manager AccessProfile for Microsoft Remote Desktop Connection RDP client does not support the injection of shared credentials at the RDP lock screen on the computer to where the user did a remote desktop connection.

Procedure

1. Start the Microsoft Remote Desktop Connection client by clicking Start > All Programs > Accessories > Remote Desktop Connection.
2. Specify the target host name or IP address.
3. Click Connect.
4. When prompted to log on with shared access credentials, choose Yes.

5. When prompted with the Shared Access Selection window, select one of the credential pools.
6. Enter the AccessAgent authentication credentials.

Results

The AccessProfile checks out the credentials from IBM Security Identity Manager, and injects the logon credential in the remote desktop logon prompt.

Logging on with IBM Personal Communications

Use the IBM Personal Communications application to log on to a mainframe application with shared access identity. You must configure the bundled privileged identity management AccessProfile for your mainframe application before check-out and check-in automation can work.

Before you begin

Configure the AccessProfile for your mainframe application. See Modifying AccessProfiles for the IBM Personal Communications application on page 45.

About this task

For check-out and check-in automation to work with your custom mainframe applications, you must apply specific changes to the bundled IBM Security Privileged Identity Manager AccessProfile.

Customization is necessary because:
- Each mainframe or terminal application might contain different output phrases.
- The AccessProfile or application signature must contain a similar phrase as the one displayed by the mainframe application. So, when the application displays the phrase, the logon automation by the AccessProfile can proceed.

The following steps describe an outline of one of the ways that the shared credential check-out automation might work.

Procedure

1. Start IBM Personal Communications.
2. Specify the target host name or IP address.
   Note: The window title of IBM Personal Communications must match the session name.
3. Select the application.
4. When prompted to log on with shared access credentials, choose Yes.
5. When prompted with the Shared Access Selection window, select one of the credential pools.

Results

The AccessProfile checks out the credentials from IBM Security Identity Manager and injects the logon credential in the mainframe logon prompt.

Logging on with the VMware vSphere Client

Use the VMware vSphere Client to log on to a virtual machine with shared access credentials.

Before you begin

If you did not already do so:
- Configure the managed resource for shared access.
- Upload the shared access AccessProfile for VMware vSphere Client to the IMS Server. See Uploading AccessProfiles to the IMS Server on page 24.

Procedure

1. Start the VMware vSphere Client.
2. When the ISAMESSO AccessAgent dialog box is displayed:
   a. Specify the target host name or IP address.
   b. Click OK.
   If you successfully checked out the shared access credentials, the credentials are injected into the VMware vSphere logon prompt. If the check-out failed, there are no credentials injected.
3. Click Login.
4. When prompted to log on with shared access credentials, choose Yes.
5. When AccessAgent prompts for re-authentication, enter the AccessAgent credentials.
6. When prompted with the Shared Access Selection window, select one of the credential pools.

Results

The AccessProfile checks out the credentials from IBM Security Identity Manager, and injects the logon credentials in the VMware vSphere Client logon prompt.

Manual check-out

For workflows and applications not supported by the bundled privileged identity management AccessProfiles, you can check out credentials manually through the IBM Security Identity Manager self-service user interface.

The privileged identity management authentication service policy configuration in the IMS Configuration Utility determines whether a prompt is displayed for an IBM Security Identity Manager managed resource.

For supported client applications, if you do not want AccessAgent to check out and inject credentials automatically, select No. See Shared access credential check-out process on page 31.


Chapter 6. Administering

Administering shared access

When your IBM Security Privileged Identity Manager deployment is configured, you can administer shared access features.

The IBM Security Identity Manager shared access module provides centralized management of shared and privileged accounts.

Table 13 describes administration tasks that you might want to complete, depending on the requirements of your deployment.

Table 13. Shared access administration tasks

Administration Task: Description
Setting the service unique identifier: In the managed resource service definition, set the unique identifier for connecting to the managed resource. For example, the unique identifier might be an IP address or the host name of the server.
Managing the credential vault: As an administrator, you can manage the credentials for shared accounts through the credential vault.
Managing the credential pool: As an administrator, you can use IBM Security Identity Manager to manage credential pools. A credential pool provides a way to group credentials that have similar access privileges. This grouping can be defined as a service group or a set of service groups.
Managing shared access policies: Shared access policies authorize role members to share credentials or credential pools.
Shared access bulk load: As an administrator, you can use the shared access comma-separated value (CSV) file to add accounts to the credential vault or add and update the credential pools in bulk. You can also modify credential settings for the accounts that are in the credential vault.
Shared access objects for custom reports: You can generate custom reports by using the Shared Access objects. Use the shared access entities, such as Credential, Credential Pool, Credential Lease, and Shared Access Policy to generate the custom reports.

Table 14 describes data references you can use during administration tasks.

Table 14. Data reference for shared access

Data Reference: Description
Default access control items: Use the default access control items for shared access to manage access security.
Shared access tables: Database tables that IBM Security Identity Manager creates and uses to store information related to Shared Access Module.
Shared access classes: For Directory Server schema, shared access module has several types of object classes, such as credential component, credential, credential pool, credential lease, and shared access policy.
Auditing schema: You can use auditing schema to track shared access policy management, credential lease management, credential pool management, and credential management.

For more information:

Roadmap for configuring shared access for a managed resource on page 9

Shared access documentation
   On this page in the IBM Security Identity Manager Information Center, see the "Administration" section to find links to the documentation for administering shared access.

IBM Security Identity Manager Information Center
   To find information about a task in either Table 13 on page 39 or Table 14 on page 39, go to this information center. On the home page, locate the information center search window, and enter the administration task name or data reference name, as listed in the table. For example, to administer shared access policies, enter "Managing shared access policies".

Privileged administrator view

In IBM Security Identity Manager, the shared access feature includes a default group and a default view for privileged administrators. The default view shows the administrative tasks that can be accessed by users who have the group membership.

The scope of activities for members of the Privileged Administrator group is:
- Manage a service, including the user accounts and requests for that service
- Manage and load privileged accounts from the managed service into the credential vault

A privileged administrator can manage and delegate the activities that are shown in administration console view for the Privileged Administrator group. The Privileged Administrator group can also view nearly all tasks on the self service console.

For more information:

Shared access documentation
   On this page in the IBM Security Identity Manager Information Center, see the section "Features" for links to topics on privileged administrators.

IBM Security Identity Manager Information Center
   To find more information about privileged administrators, go to this information center. On the home page, locate the information center search window, and enter "Scope of the Privileged Administrator group".

Privileged user view

In IBM Security Identity Manager, the shared access feature includes a default group and a default view for privileged users. The default view shows the tasks that can be accessed by users who have the group membership.

The scope of activities for members of the Privileged User group is:
- Manage their own profile
- Change their password
- Check in and check out shared accounts from the credential vault

The Privileged User group has no default view on the administration console, and no default access control items.

For more information:

Shared access documentation
   On this page in the IBM Security Identity Manager Information Center, see the section "Features" for links to topics on privileged users.

IBM Security Identity Manager Information Center
   To find more information about privileged users, go to this information center. On the home page, locate the information center search window, and enter "Scope of the Privileged User group".

Manual checkout and check in of shared credentials

Use the IBM Security Identity Manager self-service user interface console to access shared credentials.

Some IBM Security Privileged Identity Manager deployments do not require automated access to shared credentials. These deployments use only the IBM Security Identity Manager component. In these deployments, users who have sufficient privileges, such as membership in the Privileged Users group, can manually access shared credentials.

For initial access to the self service user interface console, see the topic Initial login and password information in the IBM Security Identity Manager Product Overview Guide in the IBM Security Identity Manager Information Center.

When you log in to the self-service interface, go to the My Shared Access section of the entry panel. From this section, you can select wizards to assist you with the following tasks:

Checking out a credential
   Check out the credential of your authorized shared accesses.
Checking in a credential
   Check in the credential that you checked out previously.
Viewing a password
   View the password for the credentials.

From anywhere in the self-service user interface, you can start the Help system to view help topics. In the Shared access section of the Help system, see:
- Checking out a credential or credential pool
- Viewing the password for a shared credential
- Checking in credentials

For more information:

Shared access documentation
   On this page in the IBM Security Identity Manager Information Center, see the section "User scenarios for shared access" to view links to topics on user access.

IBM Security Identity Manager Information Center
   To find more information about manual access to shared credentials, go to this information center. On the home page, locate the information center search window, and enter "Checking out a credential or credential pool".

Managing multiple AccessProfiles for the same client application

Each application signature for an AccessProfile must be unique. Single sign-on cannot occur if there are multiple AccessProfiles with the same application signature on the IMS Server.

If you have more than one AccessProfile for the same application, consider deleting or modifying copies of the AccessProfile.

Note: Duplicate AccessProfiles with signature detection conflicts are also logged in the AccessAgent logs as errors.

For example, a Remote Desktop Connection (RDP) AccessProfile is already on the IMS Server. You might already have a custom Remote Desktop Connection (RDP) AccessProfile for logging on to remote desktops. If you upload a new privileged identity management AccessProfile with the same application signature, single sign-on does not trigger.

Consider the actions you can take to resolve the issue.
- Delete the existing AccessProfile for the RDP application from the IMS Server if the AccessProfile is not in use.
- Merge the AccessProfiles.

Important: Privileged identity management AccessProfiles work only with AccessAgent, Version 8.2.

Identifying AccessProfile collision

You can use the AccessStudio message pane logs to determine whether there are multiple AccessProfiles for the same client application on the IMS Server.

Before deployment, complete these steps on a test computer with the AccessAgent installed:
1. Ensure that you are logged on to AccessAgent.
2. Import data from the IMS Server with AccessStudio.
3. Start the client application you are testing for AccessProfile collision.
4. From the AccessStudio real-time logs, look for the phrase: ...multiple AccessProfiles were found.

Merging AccessProfiles

If you want both the privileged identity management AccessProfiles and the AccessProfiles you already have, then you must consider advanced AccessProfile merging. For help with advanced AccessProfile merging, contact IBM Services.

Accessing administrative consoles

Table 15. Common administrative consoles for IBM Security Privileged Identity Manager.

Consoles: Example URL
IBM Security Access Manager for Enterprise Single Sign-On AccessAdmin
IBM Security Access Manager for Enterprise Single Sign-On IMS Configuration Utility
IBM Security Identity Manager administrative console
IBM Security Identity Manager self-service console console self


Chapter 7. Modifying AccessProfiles

Modify the AccessProfile to customize its functions for the application.

Some custom mainframe applications have additional logon requirements. For example:
- Specifying additional logon credential fields for credential injection.
- Simulating different keyboard keys to shift the terminal entry focus.

To customize advanced AccessProfiles that are not covered in this section, see the IBM Security Access Manager for Enterprise Single Sign-On AccessStudio Guide. Alternatively, search the IBM website for Advanced AccessProfile Redbooks for guidance.

Use the privileged identity management AccessProfiles for IBM Personal Communications as a template.

For more information, see
- Modifying AccessProfiles for the IBM Personal Communications application
- Modifying AccessProfiles for the PuTTY application on page 47

Modifying AccessProfiles for the IBM Personal Communications application

Modify the Personal Communications AccessProfile to customize its behavior.

Before you begin

If you did not already do so:
- Install AccessStudio.
- Install the IBM Personal Communications client.
- Open the Personal Communications application.
- Upload the AccessProfile to the IMS Server.

Tip: Before you apply any modifications, you can take a local backup of the AccessProfile. To back up the AccessProfile to file, you can save the AccessProfile to a location on your computer.

About this task

The window title of the Personal Communications application must match the session name.

Procedure

1. Start AccessStudio.
2. Import the Privileged Identity Management AccessProfile package into the AccessStudio workspace by clicking File > Import data from IMS.
3. In the AccessProfile pane, open profile_pcomm_main.

4. Select the States tab.
5. In the AccessProfile state diagram canvas, select the Run a VBScript or JScript action under the second state.
6. In the Properties pane, select the Form Editor tab.
7. Click Open Script Editor.
8. Edit the script.
   a. Select a unique text from the mainframe application screen.
   b. Remove the variable portion of the text.
   c. Retain the non-variable portion of the text in the form of a regular expression. For example:
      Unique text: Welcome UserA
      Variable: UserA
      Non-variable: Welcome
      Regular expression of the non-variable text: Welcome.*
      This regular expression matches any instances of text that might be displayed as: WELCOME -WELCOME- EXAMPLE APPLICATION WELCOME
      This regular expression does not match the following instances: welcome Welcome Example Welcome W.E.L.C.O.M.E
   d. Modify the second argument for each pc.setpropvalue entry. You can add the regular expression or replace the existing regular expression.

      pc.setpropvalue "text_to_identify_the_welcome_screen", "^.*WELCOME.*$.*User\sID\s:.*"
      pc.setpropvalue "text_to_identify_and_initiate_pim_workflow", ".*WELCOME\sTO\sCICS.*.*User\sID\s:.*"
      pc.setpropvalue "text_is_found_for_injecting_username", ".*[Ll]ogin.*:.*.*LOGIN.*:.*.*WELCOME\sTO\sCICS.*.*Userid.*.*User\sID.*"
      pc.setpropvalue "text_is_found_for_injecting_password", ".*(?i)(please type your password missing password).*"
      pc.setpropvalue "text_is_found_for_not_injecting_password", ".*(?i)(your userid is invalid).*"
      pc.setpropvalue "text_is_first_displayed_for_access_denied_or_failure", ".*[Dd]enied.*.*DENIED.*.*[Ii]nvalid.*.*not\sdefined\.*"
      pc.setpropvalue "text_is_found_for_successful_logon", ".*[Ll]ast login.*:.*.*last LOGIN.*:.*.*Microsoft\sWindows.*.*Sign-on\sis\scomplete.*.*Enterprise\sSummary.*"
      pc.setpropvalue "Wnd_sig_Username", "/child::wnd[@class_name=""pcsws:main: ""]"
      pc.setpropvalue "wnd_for_text_identication_on_mainframe_screen", "/child::wnd[@class_name=""pcsws:main: ""]/ child::wnd[@class_name=""pcsws:pres: ""

59 pc.setpropvalue "Parent_Wnd_Signature", 9. Test the AccessProfile. a. Start Test Mode. b. Start IBM Personal Communications. 10. After the test is completed, sae the AccessProfile. The AccessProfile on the IMS Serer is updated. Note: If you are working from a local copy of the AccessProfile, remember to publish the completed AccessProfile to the IMS Serer. Modifying AccessProfiles for the PuTTY application Modify the PuTTY application AccessProfile to customize its behaior. Before you begin If you did not already do so: Install AccessStudio. Install the PuTTY client. Open the PuTTY application. Upload the AccessProfile to the IMS Serer. Tip: Before you apply any modifications, you can take a local backup of the AccessProfile. To back up the AccessProfile to file, you can sae the AccessProfile to a location on your computer. Procedure 1. Start AccessStudio. 2. Import the Priileged Identity Management AccessProfile package into the AccessStudio workspace by clicking File > Import data from IMS. 3. In the AccessProfile pane, open profile_putty_main. 4. Select the States tab. 5. In the AccessProfile state diagram canass, select the Run a VBScript or JScript action under the second state. 6. In the Properties pane, select the Form Editor tab. 7. Click Open Script Editor. 8. Edit the script. a. Select a unique text from the mainframe application screen. b. Remoe the ariable portion of the text. c. Retain the non-ariable portion of the text in the form of a regular expression. For example: Unique text: Welcome UserA Variable: UserA Non-ariable: Welcome Regular expression of the non-ariable text: Welcome.* This regular expression matches any instances of text that might be displayed as: Chapter 7. Modifying AccessProfiles 47

        WELCOME
        -WELCOME-
        EXAMPLE APPLICATION WELCOME
      This regular expression does not match the following instances:
        welcome
        Welcome
        Example Welcome
        W.E.L.C.O.M.E
   d. Modify the second argument for each pc.setpropvalue entry. You can add the regular expression or replace the existing regular expression.
        pc.setpropvalue "text_is_found_for_injecting_password", ".*[Pp]assword.*.*PASSWORD.*"
        pc.setpropvalue "text_is_found_for_not_injecting_password", ".*[Dd]enied.*.*DENIED.*"
        pc.setpropvalue "text_is_first_displayed_for_access_denied_or_failure", ".*[Dd]enied.*.*DENIED.*.*[Ii]nvalid.*.*not\sdefined\.*"
        pc.setpropvalue "text_is_found_for_successful_logon", ".*[Ll]ast login.*:.*.*last LOGIN.*:.*.*$.*.*>.*.*#.*.*Microsoft\sWindows.*.*Sign-on\sis\scomplete.*.*Enterprise\sSummary.*"
        pc.setpropvalue "Parent_Wnd_Signature", PuTTY""
        pc.setpropvalue "wnd_for_text_identication_on_mainframe_screen", PuTTY""
9. Test the AccessProfile.
   a. Start Test Mode.
   b. Start IBM Personal Communications.
10. After the test is completed, save the AccessProfile. The AccessProfile on the IMS Server is updated.
Note: If you are working from a local copy of the AccessProfile, remember to publish the completed AccessProfile to the IMS Server.
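Because these patterns decide when a privileged password is typed into a terminal, it is worth checking candidate values against captured screens before Test Mode. The following is an added example, not part of the IBM guide or the product script: it audits the two password-injection properties from the PuTTY profile against screen text. Assumptions: Python's re module stands in for the AccessProfile regular expression engine, alternatives are written with an explicit "|", a pattern counts as matched when it is found anywhere in the screen text, and the screens and the tightened pattern are constructed for illustration.

```python
import re

# Property names as set with pc.setpropvalue in the PuTTY profile on this page.
INJECT = "text_is_found_for_injecting_password"
NO_INJECT = "text_is_found_for_not_injecting_password"

# Broad patterns modelled on the page's values.
# Assumption: alternatives inside one value are separated by "|".
BROAD = {
    INJECT: r".*[Pp]assword.*|.*PASSWORD.*",
    NO_INJECT: r".*[Dd]enied.*|.*DENIED.*",
}

# Hypothetical tightened value: only a line that ends in "password:" is
# treated as a prompt, so prose that merely mentions a password is ignored.
TIGHTENED = dict(BROAD)
TIGHTENED[INJECT] = r"(?m)^.*[Pp]assword:\s*$"

# Constructed screen captures: (label, screen text, should the password be injected?)
SCREENS = [
    ("login prompt",
     "login as: root\nroot@host's password: ", True),
    ("denied then reprompt",
     "Access denied\nroot@host's password: ", False),
    ("expiry banner",
     "Last login: Mon Jan 1\nYour password will expire in 3 days\n$ ", False),
]


def matching_properties(patterns, screen_text):
    """Return the property names whose pattern is found in the screen text."""
    return {name for name, rx in patterns.items() if re.search(rx, screen_text)}


def audit(patterns, screens):
    """Return (label, finding) pairs for screens where injection could go wrong.

    conflict          - inject and do-not-inject patterns both match, so the
                        outcome depends on which property the profile checks first
    unexpected-inject - only the inject pattern matches a screen that is not a
                        password prompt
    missed-prompt     - a real prompt that the inject pattern does not match
    """
    findings = []
    for label, text, expect_inject in screens:
        hit = matching_properties(patterns, text)
        if INJECT in hit and NO_INJECT in hit:
            findings.append((label, "conflict"))
        elif INJECT in hit and not expect_inject:
            findings.append((label, "unexpected-inject"))
        elif INJECT not in hit and expect_inject:
            findings.append((label, "missed-prompt"))
    return findings


if __name__ == "__main__":
    for name, patterns in (("broad", BROAD), ("tightened", TIGHTENED)):
        print(name, audit(patterns, SCREENS))
```

A conflict finding is a prompt to confirm in Test Mode which property the profile evaluates first, because re-injecting a rejected password can lock the shared account.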

Chapter 8. Reports and audit logs

Types of available reports

Use the reports or audit logs to investigate security events or collect metrics about how you are using privileged identities.

To view reports about privileged identity management activities, install IBM Tivoli Common Reporting. Use IBM Tivoli Common Reporting to view and customize available shared access reports from IBM Security Access Manager for Enterprise Single Sign-On and IBM Security Identity Manager.

IBM Security Privileged Identity Manager records some audit logs for all shared access events. Audit logs and reports are available as:
- IMS Server audit log entries.
- IBM Tivoli Common Reporting BIRT-based reports.

The privileged identity AccessProfile includes actions that generate an audit log entry. You can configure additional audit log entries for either successful or unsuccessful logon attempts.

To view the IBM Security Privileged Identity Manager reports, you must import and deploy the reports into IBM Tivoli Common Reporting.

Table 16. Audit logs and reports for the IBM Security Privileged Identity Manager solution.

Report or audit log: Privileged ID Check-out
Description: Audit log report viewed in AccessAdmin.
Parameters or examples:
- ApplicationName: Name of the application. For example: PuTTY.
- ServiceURI: Endpoint host name or IP address of the managed resource you are logging on to.
- Shared Access ID: Shared Access ID of the privileged account.
- Privileged User ID: User ID of the privileged account.
- Return code: Return code of the checkout function. See Message reference on page 77 for the example codes.

Table 16. Audit logs and reports for the IBM Security Privileged Identity Manager solution. (continued)

Report or audit log: Privileged ID Check-in
Description: Audit log report viewed in AccessAdmin.
Parameters or examples:
- ApplicationName: Name of the application. For example: PuTTY.
- ServiceURI: Endpoint host name or IP address of the managed resource you are logging on to.
- Shared Access ID: Shared Access ID of the privileged account.
- Privileged User Id: User ID of the privileged account.
- Return code: Return code of the checkout function. See Message reference on page 77 for the example codes.

Report or audit log: Shared access audit history report
Description: BIRT-based report viewed on a reporting workstation with IBM Tivoli Common Reporting.
Parameters or examples: See Example: Shared access audit history on page 73.

Report or audit log: Shared access entitlements by owner
Description: BIRT-based report viewed on a reporting workstation with IBM Tivoli Common Reporting.
Parameters or examples: See Example: Shared access entitlements by owner on page 74.

Report or audit log: Shared access entitlements by role
Description: BIRT-based report viewed on a reporting workstation with IBM Tivoli Common Reporting.
Parameters or examples: See Example: Shared access entitlements by role on page 75.

Report or audit log: User Information Report
Description: BIRT-based report viewed on a reporting workstation with IBM Tivoli Common Reporting.
Parameters or examples: See Example: User information on page 71.

Report or audit log: Application Usage Report
Description: BIRT-based report viewed on a reporting workstation with IBM Tivoli Common Reporting.
Parameters or examples: See Example: Application usage on page 72.

Configuring the audit logs to include privileged identity events

Configure the ims.xml file to include IBM Security Privileged Identity Manager event codes in the IMS Server audit log tables. Use these event codes to track and log the check-out and check-in of shared access credentials.

About this task
Complete this task only if you upgraded the IMS Server using the ISS-SAMESSO-IMS-FP0003 fix pack. The IMS Server does not display the full content of the audit log. View the full content using IBM Tivoli Common Reporting.

Procedure
1. Log on to the IBM Integrated Solutions Console with the WebSphere administrator credentials. For example: wasadmin.
2. On the Integrated Solutions Console navigation pane, select Applications > Application Types > WebSphere Enterprise Applications.
3. Stop the ISAMESSOConfig and ISAMESSOIMS applications.
4. Access the ims.xml file with a text editor.
   For WebSphere Application Server Stand-alone Deployment: <WAS_profile>/config/tamesso/config/
   For WebSphere Application Server Network Deployment: <Dmgr_profile>/config/tamesso/config/
5. Add the following event codes at the end of the list of values specified under the <encentuate.ims.log.useradminlog.searchableeventcodes> tag
   Note: Put all values in a single line, with no extra spaces, and separated by a comma. You are not required to copy the values that are already in the ims.xml file. Append the new event codes specified in this step.
   For example:
   <encentuate.ims.log.useradminlog.searchableeventcodes>
   <value xml:lang="en"> , , , c, F, D, E, F, , , , , , , , , , , , , ,4300A101, 4300A108,4300A10A,4300A10E,4300A10D,4300A001, , , , ,4300B037,4300B038,4300A120, ,4300F004,4300F001, , , , , ,4300F006,4300F005, , </value>
   </encentuate.ims.log.useradminlog.searchableeventcodes>
6. Start the ISAMESSOConfig application.
7. Take one of the following actions:
   - For WebSphere Application Server Stand-alone Deployment, start the ISAMESSOIMS application.
   - For WebSphere Application Server Network Deployment, resynchronize the nodes and restart the cluster.

Configuring or administering IBM Tivoli Common Reporting

An administrator can use IBM Tivoli Common Reporting to view the shared access reports that are available from IBM Security Access Manager for Enterprise Single Sign-On and IBM Security Identity Manager.

You can view, administer, and run the available reports with the IBM Tivoli Common Reporting software.

Note: For more information about customizing the default shared access report layouts, see the IBM Security Identity Manager Information Center.

Importing the reports into Tivoli Common Reporting

Importing the report packages places the reports in an IBM Tivoli Common Reporting instance that you can access.

Before you begin
- Install IBM Security Identity Manager, Version 6.0. For more information, see the IBM Security Identity Manager Installation Guide.
- Install IBM Security Access Manager for Enterprise Single Sign-On, Version 8.2. For more information, see the IBM Security Access Manager for Enterprise Single Sign-On Installation Guide.
- Install or upgrade to IBM Tivoli Common Reporting, Version

About this task
Install the reports into Tivoli Common Reporting to run IBM Security Identity Manager, Version 6.0, and IBM Security Access Manager for Enterprise Single Sign-On, Version 8.2, reports from IBM Tivoli Common Reporting.

Both IBM Security Access Manager for Enterprise Single Sign-On and IBM Security Identity Manager include a subset of reports that you can install into IBM Tivoli Common Reporting.

Procedure
1. Import the IBM Security Identity Manager, Version 6.0, report package into IBM Tivoli Common Reporting.
2. Import the IBM Security Access Manager for Enterprise Single Sign-On, Version 8.2, report package into IBM Tivoli Common Reporting.
3. Configure the data source in IBM Tivoli Common Reporting to work with each report package.

Results
Importing the reports places them in Common Reporting > Public Folders > Tivoli Products.

Viewing reports with Tivoli Common Reporting

You can use the report console to view a larger collection of shared access and privileged identity reports from a single console.

Before you begin
- Install and configure IBM Tivoli Common Reporting.
- Install the Business Intelligence Reporting Tool (BIRT) reports for both IBM Security Identity Manager Server and IBM Security Access Manager for Enterprise Single Sign-On.

Procedure
1. Log on to the Tivoli Common Reporting instance.
2. Expand Reporting > Common Reporting.
3. Click IBM Security Products.
4. Expand the following options to see related privileged identity reports:
   SAM Enterprise Single Sign-On 8.2
   - User Information
   - Application Usage
   Security Identity Manager 6.0
   - Shared access audit history
   - Shared access entitlements by owner
   - Shared access entitlements by role

Update IMS view to show Privileged Identity Management events

To use Tivoli Common Reporting to view the Privileged Identity Manager reports, delete view ImsAppUsageInfoR from the database schema. Recreate the view using the script that is applicable to your database.

Note: Complete this task only if you upgraded the IMS Server using the ISS-SAMESSO-IMS-FP0003 fix pack.

The CREATE VIEW script varies for each database.

Note: Remove the line breaks when you copy the script.

IBM DB2
CREATE VIEW <schema_name>.imsappusageinfor AS
SELECT ua.enterpriseid AS entid, ua.sociid AS sociid, ua.appid AS authservice, ua.appuid AS appuid, ua.eventcode AS event, ua.resultcode AS result, ua.clientipaddr AS client, ua.logimsserverid AS server, ua.logtime AS time, ua.description AS description
FROM IMSLOGUserActivity ua
WHERE (ua.eventcode = OR ua.eventcode = OR ua.eventcode = OR ua.eventcode = OR ua.eventcode = OR ua.eventcode = OR ua.eventcode = OR ua.eventcode = OR ua.eventcode = OR ua.eventcode = OR ua.eventcode = );

Microsoft SQL Server
CREATE VIEW <schema_name>.imsappusageinfor AS
SELECT ua.enterpriseid as entid, ua.sociid as sociid, ua.appid as authservice, ua.appuid as appuid, ua.eventcode as event, ua.resultcode as result, ua.clientipaddr as client, ua.logimsserverid as server, ua.logtime as time, ua.description as description
FROM IMSLOGUserActivity ua
WHERE (ua.eventcode= OR ua.eventcode = OR ua.eventcode= OR ua.eventcode = OR ua.eventcode= OR ua.eventcode= OR ua.eventcode= OR ua.eventcode= OR ua.eventcode= OR ua.eventcode= OR ua.eventcode= )

Oracle
CREATE VIEW <schema_name>.imsappusageinfor AS
SELECT ua.enterpriseid as entid, ua.sociid as sociid, ua.appid as authservice, ua.appuid as appuid, ua.eventcode as event, ua.resultcode as result, ua.clientipaddr as client, ua.logimsserverid as server, ua.logtime as time, ua.description as description
FROM IMSLOGUserActivity ua
WHERE (ua.eventcode= OR ua.eventcode = OR ua.eventcode= OR ua.eventcode = OR ua.eventcode= OR ua.eventcode= OR ua.eventcode= OR ua.eventcode= OR ua.eventcode= OR ua.eventcode= OR ua.eventcode= )

Shared access objects for custom reports

You can generate custom reports by using the Shared Access objects in IBM Security Identity Manager. Use the Shared Access entities, such as Credential, Credential Pool, Credential Lease, and Shared Access Policy to generate the custom reports.

For more information, see Shared access objects for custom reports in the IBM Security Identity Manager Administration Guide in the IBM Security Identity Manager Information Center.

Viewing audit logs with the AccessAdmin utility

When you automatically log on with shared access credentials, an audit log entry is created. You can use the AccessAdmin utility to view audit log entries.

About this task
For more information about viewing:
- IMS Server audit logs, see the IBM Security Access Manager for Enterprise Single Sign-On Administrator Guide.
- IBM Security Identity Manager audit logs, see the IBM Security Identity Manager information center.

Procedure
1. Log on to the managed resource with shared access credentials to generate valid audit entries.
2. Log on to AccessAdmin.
3. Under System, click Audit logs.
4. Under Choose search criterion, choose the event name. For example: Privileged ID Check Out.

Chapter 9. Troubleshooting

You can diagnose and troubleshoot errors that occur during the IBM Security Privileged Identity Manager installation.

Troubleshooting server connectivity and availability

A network connection problem or an unconfigured managed resource are common installation problems.

Problems
The IBM Security Identity Manager Server is not available or cannot be contacted.

Causes
Some possible causes:
- The network connection is disconnected.
- The managed resource is not configured for shared access.

Solutions
- Check the network connection.
- If you are the administrator, ensure that the IBM Security Identity Manager Server is started.
- Ensure that the managed resource is already configured for shared access.
- Check out the credentials manually from the IBM Security Identity Manager Server and choose not to log on with shared credentials. Specify the logon credentials manually.

Troubleshooting the audit log

This section describes audit log problems and solutions.

Table 17. Troubleshooting audit log problems and solutions.

Problem: Event number mismatch.
Solution: Update the AccessProfile custom audit log action if you are defining custom audit codes.

Problem: The event code changes are not reflected on the client.
Solution: Synchronize the AccessAgent computer with the IMS Server.

Troubleshooting checklist

This section describes some of the common problems and possible solutions.

Table 18. Lists some of the common problems and possible solutions.

Problem: When the IBM Security Identity Manager Server is not available.
Solutions:
- Check the network connection.
- Ensure that the managed resource is configured for shared access.

Problem: The managed resource is not configured for shared access for IBM Security Identity Manager.
Solutions:
- Configure the managed resource for shared access with IBM Security Identity Manager.
- Avoid logging with shared access credentials.

Problem: All the available shared access credentials are checked out.
Solutions:
- Wait for a few minutes until there are available shared credentials.
- Find out the identity of checked out credentials from the IBM Security Identity Manager.
- Ask the credential owner to check in their credentials.

Problem: There are no IBM Security Identity Manager Server credentials in the Wallet.
Solutions:
- Follow the instructions on the screen to enter the credentials. The credentials must have privileges to check out shared access credentials.

Problem: The account used to log on to the managed resource does not have correct entitlements on IBM Security Identity Manager.
Solutions:
- Use IBM Security Identity Manager to ensure that the account used to log on has correct permissions for the available shared access accounts.

Information center resources for troubleshooting shared access

The IBM Security Identity Manager Information Center provides additional information about troubleshooting issues with shared access.

To troubleshoot the shared access module, see:
- Fixing data replication errors for invalid object names in the IBM Security Identity Manager Installation Guide.
  You might see a data replication error during installation, if you:
  - Run DBConfig to drop all database tables.
  - Do not run SAConfig to repopulate the tables that are specific to the shared access module.
  Complete the steps in this topic to reconfigure the shared access module.
- Troubleshooting shared access module problems in the IBM Security Identity Manager Troubleshooting Guide.
  This section describes how to fix configuration problems that can prevent a credential from displaying in the Self Service user interface. It also describes how to reconfigure the shared access module when LDAP is configured.

Appendix A. Optional configuration tasks

There are several optional configuration tasks for IBM Security Privileged Identity Manager.

Optional configuration for shared access

Complete the optional tasks to configure shared access if needed for your deployment.

Manual configuration of the shared access module

After the initial installation of IBM Security Identity Manager, you might need to reconfigure your directory server or your database. You can use the ldapconfig and the DBConfig tools provided by the IBM Security Identity Manager. If you use those tools to modify the IBM Security Identity Manager configuration, you must also reconfigure the shared access module.

You can use the SAConfig tool to populate the default data for the shared access module and regenerate key files for the credential vault server. See the topic Shared access module configuration in the IBM Security Identity Manager Installation Guide.

Configuration of an external credential vault server

The IBM Security Identity Manager installation automatically installs and configures a credential vault server. This server does the check-out and check-in of shared access credentials. A typical installation does not require any manual configuration of the credential vault server.

Optionally, you can deploy multiple IBM Security Identity Manager servers that all use one credential vault server. This configuration reduces the management activities required to update the credential vault servers when you change the credentials. For example, this configuration is useful in a WebSphere cluster. You can configure each of the IBM Security Identity Manager servers to use an external credential vault server. See Configuring an external credential vault server in the IBM Security Identity Manager Information Center.

Creating your own privileged identity management AccessProfiles

Use the IBM Security Privileged Identity Manager AccessProfile to start developing or enhancing your own privileged identity management scenarios.

Before you begin
If you did not already do so:
- Install AccessStudio, Version
- Ensure that you have the Privileged Identity Management AccessProfiles. You can download the AccessProfiles from the AccessProfiles Library.

Procedure
1. In AccessStudio, open the sample AccessProfile.
2. Build or enhance the Privileged Identity Management AccessProfile. For more information, see Chapter 7, Modifying AccessProfiles.
3. Debug and start your AccessProfile.
4. Upload your AccessProfile to the IMS Server.

Modifying lease time

If you manually check out shared access credentials from IBM Security Identity Manager Server, you can modify the lease expiry time for shared access credentials.

To modify the lease time expiry for a credential, see the IBM Security Identity Manager information center and search for "lease time expiry".

You cannot modify the lease expiry time when you check out or check in credentials automatically.

Appendix B. Requirements for component products

IBM Security Privileged Identity Manager is a solution based on IBM Security Identity Manager and IBM Security Access Manager for Enterprise Single Sign-On.

IBM Security Access Manager for Enterprise Single Sign-On, Version 8.2

View the hardware and software requirements for IBM Security Access Manager for Enterprise Single Sign-On at the time the product was released.

To view the latest hardware and software requirements for IBM Security Access Manager for Enterprise Single Sign-On, see docview.wss?uid=swg

Hardware and software requirements

Verify the different requirements and compatible versions for each of the IBM Security Access Manager for Enterprise Single Sign-On components. You must have administrator privileges to install the required software.

Requirements for the IMS Server

Hardware requirements depend on usage. For the hardware requirements of software that is not listed in this section, see the documentation provided with that product.

Note: The IMS Server runs on the WebSphere Application Server on Windows server platform only. With, the IMS Server hardware requirements are already accommodated when you comply to the WebSphere Application Server hardware requirements.

Hardware requirements

Table 19. Hardware requirements for IMS Server
Software | Hardware
IBM DB2 | 2 GB RAM; 20 GB disk space
IBM WebSphere Application Server Network Deployment | 2 GHz processor; 8 GB disk space; 3 GB RAM
IBM HTTP Server | 1 GB RAM; 1 GB disk space

Hardware requirements (virtualization)

Table 20. Hardware requirements for IMS Server (virtualization)
Software | Virtual hardware requirements (minimum)
VMware ESX and ESXi 3.5 or | Virtual processors; 4 GB Virtual RAM

Supported operating systems
- Microsoft Windows Server 2003 (x86), Standard, Datacenter, and Enterprise Editions
- Microsoft Windows Server 2008 Service Pack 2 (x86 and x64), Standard, Datacenter, and Enterprise Editions
- Microsoft Windows Server 2008 R2 Service Pack 1 (x64) Standard, Datacenter, and Enterprise Editions

Supported software

Install and configure the following software to successfully install and run the IMS Server:

Note:
- Sample instructions and guidelines on installing the supported software are provided. For the detailed and up-to-date procedures, see the relevant product documentation.
- IBM WebSphere Application Server (Base and Network Deployment Edition) x86 works only with IBM HTTP Server x86 and vice versa.
- IBM WebSphere Application Server (Base and Network Deployment Edition) x64 works only with IBM HTTP Server x64 and vice versa.
- Do not combine x86 and x64 middleware versions. If you use a middleware for x64, use the x64 version of the other middleware and operating systems.

Table 21. Supported software
Middleware | Supported software | Supported version
Application server | IBM WebSphere Application Server (Base and Network Deployment Edition) | 7.0 (x86 and x64) with the latest fix pack
Web server | IBM HTTP Server | 7.0 (x86 and x64) with the latest fix pack
Database server | IBM DB2 (Workgroup and Enterprise Server Edition) with DB2 JDBC driver | (x86 and x64); 9.7 (x86 and x64)
Database server | Oracle database | 10g R2 (x86 and x64); 11g R1 (x86 and x64); 11g R2 (x86 and x64)
Database server | Microsoft SQL Server (Standard and Enterprise Editions) with SQL JDBC driver 3.0 | 2005 Service Pack 4 (x86 and x64); 2008 Service Pack 2 (x86 and x64); 2008 R2 (x86 and x64)
Directory server | Microsoft Windows Active Directory | 2003 Service Pack 2 (x86); 2008 Service Pack 2 (x86 and x64); 2008 R2 Service Pack 1 (x64)
Directory server | IBM Tivoli Directory Server | (x86 and x64); (x86 and x64)
Directory server | LDAP compatible directory server |

Table 21. Supported software (continued)
Middleware | Supported software | Supported version
Reporting tool | IBM Tivoli Common Reporting |

Required fix packs

Download the latest fix packs for the following products:
- For IBM DB2, go to www-01.ibm.com/support/docview.wss?uid=swg
  Note: For Oracle or Microsoft SQL Server, download the latest service packs and patches from the product website.
- For IBM WebSphere Application Server 7.0 and related subcomponents, go to www-01.ibm.com/support/docview.wss?uid=swg
  - IBM WebSphere Application Server 7.0
  - IBM HTTP Server 7.0
  - IBM HTTP Server 7.0 plug-in for WebSphere
  - IBM Update Installer 7.0
  Note: For WebSphere Application Server 7.0, use fix pack 17 or later.

Requirements for AccessAgent and AccessStudio

The following are the hardware, network, and software requirements for AccessAgent and AccessStudio.

AccessAgent and AccessStudio work only on Windows platforms.

The following table lists the hardware requirements for AccessAgent and AccessStudio:

Table 22. Hardware requirements for AccessAgent and AccessStudio
Platform | AccessAgent minimum requirements | AccessStudio minimum requirements
Windows XP memory | 512 MB | 512 MB
Windows Vista memory | 1 GB | 1 GB
Windows 7 memory | 1 GB | 1 GB
Hard disk space | 200 MB | 300 MB

Supported operating systems

Table 23. Supported operating systems
Platform | x86 | x64
Microsoft Windows XP Professional | Service Pack 3 | Service Pack 2
Microsoft Windows Vista | Service Pack 2 | Service Pack 2
Microsoft Windows 7 | Service Pack 1 | Service Pack 1
Microsoft Windows Server 2003 | Service Pack 2 | Service Pack 2
Microsoft Windows Server 2008 | Service Pack 2 | Service Pack 1

Note:
- Use a 32-bit AccessAgent installer on a Windows 32-bit operating system. A 32-bit AccessAgent is not supported on a 64-bit Windows operating system.
- Use a 64-bit AccessAgent installer on a 64-bit Windows operating system.
- AccessAgent is not supported on Microsoft Windows XP, Windows Vista, and Windows 7 WOW64 mode.
- AccessAgent is not supported on Microsoft Windows 7 XP mode.
- A 32-bit AccessStudio can be installed on a 32-bit or 64-bit Windows operating system.

Supported software

Install the following components before you install AccessStudio 8.2:
- AccessAgent version 8.2
- Microsoft .NET Framework 2.0 for Windows XP Professional only
- Microsoft .NET Framework 2.0 Language Pack for Windows XP Professional only

To support languages other than English, download the Microsoft .NET Framework 2.0 Redistributable Package (x86) Language Pack for translation of messages. Go to the Microsoft website and search for .NET Framework Version 2.0 Redistributable Language Pack.

The following software is supported for virtualization:
- Citrix XenApp version 5.0 and 6.0
- Citrix ICA Client and Web plug-in version 12.x
- Microsoft App-V version 4.6 (x86 and x64)
- Microsoft Hyper-V Server

The AccessAgent installation automatically installs the following software:
- Microsoft C Runtime Library
- MSXML version 4.0 and 6.0

Supported web browsers

Table 24. Supported web browsers
Web browsers | Supported Versions
Microsoft Windows Internet Explorer |
Mozilla Firefox |

Requirements for IMS Configuration Utility, AccessAdmin, AccessAssistant, and Web Workplace

This section lists the supported web browsers for IMS Configuration Utility, AccessAdmin, AccessAssistant, and Web Workplace.

Supported web browsers

Table 25. Supported web browsers
Web browsers | Supported Versions
Microsoft Windows Internet Explorer |
Mozilla Firefox |

Requirements for authentication devices

This section lists the supported software for biometrics, smart cards, or RFIDs for authentication.

Table 26. Supported software for authentication devices
Category | Supported software | Supported version
Biometric | BIO-key Biometric Service Provider | 1.9.x (x86); 1.10.x (x86)
Biometric | UPEK BioAPI SDK | 3.0 (x86); 3.5 (x86)
Biometric | Digital Persona Gold Fingerprint Recognition Software | 3.2 (x86)
Smart Card | Gemalto Classic Client | 6.0 (x86)
Smart Card | Gemalto Access Client | 5.5 (x86)
Smart Card | SafeSign Identity Client | 3.0 (x86)
Smart Card | Charismatics Smart Security Interface | 4.8 (x86)
Smart Card | Spanish DNIe | (x86)
Hybrid Smart Card | Gemalto Classic Client 6; Gemalto Prox-DU; OMNIKEY 5x21 |
Passive RFID | RFIdeas pcproxapi SDK | 6.5 (x86) and (x64)
Active RFID | Ensure Tech ETSecure SDK | 4.0 (x86)

Compatibility Matrix

The following matrix summarizes the version compatibility for the IBM Security Access Manager for Enterprise Single Sign-On components.

Table 27. Version compatibility for the IBM Security Access Manager for Enterprise Single Sign-On components
IMS Server version | AccessAgent version | AccessStudio version

IBM Security Identity Manager, Version 6.0

View the hardware and software requirements for IBM Security Identity Manager at the time the product was released.

To view the latest hardware and software requirements for IBM Security Identity Manager, see

Hardware requirements

IBM Security Identity Manager has these hardware requirements:

Table 28. Hardware requirements for IBM Security Identity Manager
System components | Minimum values* | Suggested values**
System memory (RAM) | 2 gigabytes | 4 gigabytes
Processor speed | Single 2.0-gigahertz Intel or pseries processor | Dual 3.2-gigahertz Intel or pseries processors
Disk space for product and prerequisite products | 20 gigabytes | 25 gigabytes
* Minimum values: These values enable a basic use of IBM Security Identity Manager.
** Suggested values: You might need to use larger values that are appropriate for your production environment.

Operating system support

IBM Security Identity Manager supports multiple operating systems. The IBM Security Identity Manager installation program checks to ensure that specific operating systems and levels are present before starting the installation process.

Table 29. Operating system support
Operating system | Platform | Patch or maintenance level
AIX Version 6.1 and AIX Version 7.1 | System p | None
Oracle Solaris 10 | SPARC | None
Windows Server 2008 Standard Edition and Enterprise Edition | x86-32, x86-64 | None
Windows Server 2008 Release 2 Standard Edition and Enterprise Edition | x86-64 | None

Table 29. Operating system support (continued)
Operating system | Platform | Patch or maintenance level
Red Hat Linux Enterprise 5.0, Red Hat Linux Enterprise 6.0 | System z, System p, x86-32, x86-64 | For 5.0, Update 1 through Update 5. For both 5.0 and 6.0, Security Enhanced Linux must be disabled. See the topic "Red Hat Linux Server Configuration" in the IBM Security Identity Manager Installation Guide.
SUSE Linux Enterprise Server 10.0, SUSE Linux Enterprise Server 11.0 | System z, System p, x86-32, x86-64 | None

Virtualization support

IBM Security Identity Manager supports virtualization environments.

See Table 30 for a list of the virtualization products that IBM Security Identity Manager supports at the time of product release.

Table 30. Virtualization support

Product:
- IBM AIX Workload Partitioning (WPAR) and Logical Partitioning (LPAR) 6.1 and 7.1 and future fix packs
- IBM PowerVM Hypervisor (LPAR, DPAR, Micro-Partition), any supported version and future fix packs
- IBM PR/SM, any version, and future fix packs
- IBM z/vm Hypervisor 5.4 and any future fix packs
- IBM z/vm Hypervisor 6.1 and any future fix packs
- KVM in SUSE Linux Enterprise Server (SLES) 11
- Red Hat KVM as delivered with Red Hat Enterprise Linux (RHEL) 5.4 and future fix packs
- Red Hat KVM as delivered with Red Hat Enterprise Linux (RHEL) 6.0 and future fix packs
- Sun Solaris 10 Global/Local Zones (SPARC) 10 and future fix packs
- Sun/Oracle Logical Domains (LDoms) any version and future fix packs
- VMware ESXi 4.0 and future fix packs
- VMware ESXi 5.0 and future fix packs

Applicable operating systems: All supported operating system versions automatically applied AIX All supported operating system versions automatically applied All supported operating system versions automatically applied Linux All supported operating system versions automatically applied Linux, Windows All supported operating system versions automatically applied All supported operating system versions automatically applied Solaris All supported operating system versions automatically applied All supported operating system versions automatically applied

Java Runtime Environment support

IBM Security Identity Manager requires Java Runtime Environment (JRE), version 1.6, SR10 Fix Pack 1. This version is installed in the WAS_HOME/java directory when WebSphere Application Server, Version 7.0, Fix Pack 23 is installed. Use of an independently installed development kit for Java, from IBM or other vendors, is not supported.

The Java Runtime Environment requirements for using a browser to create a client connection to the IBM Security Identity Manager server are different from the JRE requirements for running the WebSphere Application Server.

WebSphere Application Server support

IBM Security Identity Manager runs as an enterprise application in a WebSphere Application Server environment. IBM Security Identity Manager requires:

- WebSphere Application Server, Version 7.0
- WebSphere Fix Pack 23 for WebSphere Application Server, Version 7.0, and SDK
- WebSphere interim fix PM64800
- WebSphere interim fix PM66514
- WebSphere interim fix WS-WAS-IFPM71296

Note: You must apply Fix Pack 23 before applying the interim fixes.

WebSphere supports each of the operating systems that IBM Security Identity Manager supports. Review the WebSphere website for WebSphere requirements for each operating system: &uid=swg

Database server support

IBM Security Identity Manager supports multiple database server products.

Table 31. Database server support

| Database server | Fix pack | Notes |
|---|---|---|
| IBM DB2 Enterprise Version 9.5 | Fix Pack 3b | IBM DB2 Enterprise 9.5 is not supported on Linux 32-bit operating systems or on any Linux operating systems on pSeries hardware. IBM DB2 9.5 WorkGroup Edition is bundled for Linux 32-bit operating systems. |
| IBM DB2 Enterprise Version 9.7 | Fix Pack 4 | On Linux, DB2 9.7 Enterprise Server Edition is only supported on 64-bit architectures. See support/docview.wss?uid=swg IBM DB2 9.7 Workgroup Edition is required on Linux 32-bit operating systems. IBM Tivoli Directory Server requires Fix Pack 2. Red Hat Linux 6.0 requires Fix Pack |

Table 31. Database server support (continued)

| Database server | Fix pack | Notes |
|---|---|---|
| Microsoft SQL Server 2008, Enterprise Edition; Microsoft SQL Server 2008, R2 | none | WebSphere Application Server supports Microsoft SQL Server 2008, Enterprise Edition. IBM Security Identity Manager must be running on a supported Windows operating system if Microsoft SQL Server is used for the IBM Security Identity Manager database. For information about JDBC driver support with Microsoft SQL Server 2008, see support/docview.wss?uid=swg |
| Oracle 10g Release 2 (Version ) and Oracle 11g Release 2 | none | The Oracle database driver is required for both Oracle 10gR2 and Oracle 11g databases. Oracle 11g version supports Windows Server and 64-bit operating systems. Support is available for Oracle11gR2 with Oracle11gR1 ojdbc5 driver only. |

Directory server support

IBM Security Identity Manager supports multiple directory servers.

Table 32. Directory server support

| Directory server | Fix packs |
|---|---|
| IBM Tivoli Directory Server, Version 6.2 | FP1 |
| IBM Tivoli Directory Server, Version 6.3 | none |
| Sun Directory Server Enterprise Edition | none |
| Oracle Directory Server Enterprise Edition | none |

Notes:
- IBM Tivoli Directory Server supports the operating system releases that IBM Security Identity Manager supports.
- See Oracle documentation to verify operating system support.

Directory Integrator support

IBM Security Identity Manager supports IBM Tivoli Directory Integrator. You can optionally install IBM Tivoli Directory Integrator for use with IBM Security Identity Manager. IBM Tivoli Directory Integrator enables communication between the installed agentless adapters and IBM Security Identity Manager. See the IBM Security Identity Manager Installation Guide.

Table 33. Supported versions of IBM Tivoli Directory Integrator

| Release | Fix pack |
|---|---|
| IBM Tivoli Directory Integrator, Version 7.1 | Fix Pack 5 |
| IBM Tivoli Directory Integrator, Version | Fix Pack 1 and Limited Availability Fix TIV-TDI-LA0001 |

IBM Tivoli Directory Integrator supports each of the operating system versions that IBM Security Identity Manager supports.

Report server support

IBM Security Identity Manager supports IBM Tivoli Common Reporting, Version

The following fix packs and ifixes are required. Install the fixes in the following order:

1. IBM Tivoli Common Reporting, Version 2.1.1, interim fix 2
2. IBM Tivoli Common Reporting, Version 2.1.1, interim fix 5
3. IBM Tivoli Integrated Portal Fix Pack
4. IBM Tivoli Common Reporting, Version 2.1.1, interim fix 6

To obtain fixes:

- Download the latest fixes for IBM Tivoli Common Reporting Server from the Fix Central website at
- Obtain and install the IBM Tivoli Integrated Portal Fix Pack before installing IBM Tivoli Common Reporting, Version 2.1.1, interim fix 6. For instructions on how to obtain IBM Tivoli Integrated Portal Fix Pack , see the IBM developerWorks topic: Tivoli Common Reporting Interim Fix 6.

Browser requirements for client connections

IBM Security Identity Manager has browser requirements for client connections. IBM Security Identity Manager supports the following browser versions:

- Microsoft Internet Explorer 8.0
- Microsoft Internet Explorer 9.0
- Mozilla Firefox 3.6 (on AIX only)
  Note: Firefox 3.6 requires the Next-Generation Java plug-in, which is included in Java 6 Update 10 and newer.
- Mozilla Firefox 10 Extended Support Release (not supported on AIX)

IBM Security Identity Manager software distribution does not include the supported browsers.

The IBM Security Identity Manager administrative user interface uses applets that require a Java plug-in provided by Sun Microsystems JRE Version 1.6 or later. When the browser requests a page that contains an applet, it attempts to load the applet with the Java plug-in. If the required JRE is not on the system, the browser either prompts the user for the correct Java plug-in, or fails to complete the presentation of the items in the window.

The IBM Security Identity Manager user interface is displayed correctly for all pages that do not contain a Java applet, regardless of JRE installation.

You must enable cookies in the browser to establish a session with IBM Security Identity Manager.

Do not start two or more separate browser sessions from the same client computer. The two sessions are regarded as one session ID, which causes problems with the data.

Adapter level support

The IBM Security Identity Manager installation program always installs a number of adapter profiles. The installation program installs these profiles:

- AIX profile (UNIX and Linux adapter)
- Solaris profile (UNIX and Linux adapter)
- HP-UX profile (UNIX and Linux adapter)
- Linux profile (UNIX and Linux adapter)
- LDAP profiles (LDAP adapter)

The IBM Security Identity Manager installation program optionally installs the IBM Security Identity Manager LDAP adapter and IBM Security Identity Manager UNIX and Linux adapter. Newer versions of the adapters might be available as a separate download. Install the latest versions before you use the adapters.

You must take additional steps to install adapters if you do not install them during the IBM Security Identity Manager installation.

The following table lists the UNIX and Linux systems and versions that are supported by the UNIX and Linux adapter.

Table 34. Prerequisites to run the UNIX and Linux adapter

| Operating system | Version |
|---|---|
| AIX | AIX 6.1, AIX 7.1 |
| HP-UX | HP-UX 11i v1, HP-UX 11i v1 trusted, HP-UX 11i v2, HP-UX 11i v2 trusted, HP-UX 11i v3, HP-UX 11i v3 trusted |
| Red Hat Linux | Red Hat Enterprise Linux Enterprise Server 6.0, Red Hat Enterprise Linux Enterprise Server 6.1, Red Hat Enterprise Linux Enterprise Server 6.2 |
| Oracle Solaris | Oracle Solaris 10 |
| SUSE Linux | SLES 10.0, SLES 11.0 |

The following directory server versions are supported by the LDAP adapter:

- IBM Tivoli Directory Server 6.1, IBM Tivoli Directory Server 6.2, IBM Tivoli Directory Server 6.3
- Sun Directory Server Enterprise Edition 6.3, Sun Directory Server Enterprise Edition

The LDAP adapter supports an LDAP directory that uses the RFC 2798 scheme. This scheme supports communication between the IBM Security Identity Manager and systems that run IBM Tivoli Directory Server or Sun Directory Server Enterprise Edition. The IBM Security Identity Manager LDAP Adapter Installation Guide describes how to configure the LDAP adapter.

Adapters are available at the following IBM Passport Advantage website: passporthome

Installation and configuration guides for adapters are available in the IBM Security Identity Manager Information Center.

Appendix C. References

Report examples

IBM Security Privileged Identity Manager involves shared access-related reports and APIs. This appendix provides examples of the shared access-related reports that you deploy on the Tivoli Common Reporting instance. Use the included reports to track how shared access privileged identities are used.

Example: User information

The user information report contains the activity of one or more users, sorted by event, result, and time. The report also displays the computer IP address of the user and the full name of the user.

Figure 3. User information audit report

Example: Application usage

An application usage report contains the authentication service activity of one or more users, sorted by event and time. The report also displays the IP address of the computer and the full name of each user.

To view related shared access events, select one of the following events as report parameters:

- Privileged ID Check In
- Privileged ID Check Out

Figure 4. Application usage audit report


More information

Managing Server Installation and Customization Guide

Managing Server Installation and Customization Guide IBM Tioli Composite Application Manager for Application Diagnostics Version 7.1.0.4 Managing Serer Installation and Customization Guide SC27-2825-00 IBM Tioli Composite Application Manager for Application

More information

Connectivity Guide for Oracle Databases

Connectivity Guide for Oracle Databases IBM InfoSphere DataStage and QualityStage Version 9 Release 1 Connectiity Guide for Oracle Databases SC19-3842-01 IBM InfoSphere DataStage and QualityStage Version 9 Release 1 Connectiity Guide for Oracle

More information

Tivoli Tivoli Provisioning Manager

Tivoli Tivoli Provisioning Manager Tioli Tioli Proisioning Manager Version 2.1 Migration Guide for Unix GC32-1619-00 Tioli Tioli Proisioning Manager Version 2.1 Migration Guide for Unix GC32-1619-00 Note: Before using this information

More information

Tivoli Tivoli Provisioning Manager

Tivoli Tivoli Provisioning Manager Tioli Tioli Proisioning Manager Version 2.1 Migration Guide for Windows GC32-1618-00 Tioli Tioli Proisioning Manager Version 2.1 Migration Guide for Windows GC32-1618-00 Note: Before using this information

More information

Tivoli Application Dependency Discovery Manager Version 7.3. Installation Guide IBM

Tivoli Application Dependency Discovery Manager Version 7.3. Installation Guide IBM Tioli Application Dependency Discoery Manager Version 7.3 Installation Guide IBM Tioli Application Dependency Discoery Manager Version 7.3 Installation Guide IBM Note Before using this information and

More information

Tivoli Tivoli Intelligent ThinkDynamic Orchestrator

Tivoli Tivoli Intelligent ThinkDynamic Orchestrator Tioli Tioli Intelligent ThinkDynamic Orchestrator Version 2.1 Migration Guide for Windows GC32-1608-00 Tioli Tioli Intelligent ThinkDynamic Orchestrator Version 2.1 Migration Guide for Windows GC32-1608-00

More information

IBM Tivoli Storage Manager for Linux Version Tivoli Monitoring for Tivoli Storage Manager

IBM Tivoli Storage Manager for Linux Version Tivoli Monitoring for Tivoli Storage Manager IBM Tioli Storage Manager for Linux Version 7.1.0 Tioli Monitoring for Tioli Storage Manager IBM Tioli Storage Manager for Linux Version 7.1.0 Tioli Monitoring for Tioli Storage Manager Note: Before using

More information

Installation and Configuration Guide

Installation and Configuration Guide IBM Tioli Directory Serer Installation and Configuration Guide Version 6.3 SC27-2747-00 IBM Tioli Directory Serer Installation and Configuration Guide Version 6.3 SC27-2747-00 Note Before using this information

More information

IBM IBM Security Access Manager for Enterprise Single Sign-On V8.2 Implementation.

IBM IBM Security Access Manager for Enterprise Single Sign-On V8.2 Implementation. IBM 000-596 IBM Security Access Manager for Enterprise Single Sign-On V8.2 Implementation http://killexams.com/exam-detail/000-596 D. Smart Cards QUESTION: 130 The MS Server is configured to use Active

More information

IBM Cloud Orchestrator Version Content Development Guide IBM

IBM Cloud Orchestrator Version Content Development Guide IBM IBM Cloud Orchestrator Version 2.5.0.8 Content Deelopment Guide IBM Note Before using this information and the product it supports, read the information in Notices. This edition applies to ersion 2, release

More information

IBM Systems Director for Windows Planning, Installation, and Configuration Guide

IBM Systems Director for Windows Planning, Installation, and Configuration Guide IBM Systems Director IBM Systems Director for Windows Planning, Installation, and Configuration Guide Version 6.2.1 GI11-8711-06 IBM Systems Director IBM Systems Director for Windows Planning, Installation,

More information

High Availability Policies Guide

High Availability Policies Guide Tioli System Automation for Multiplatforms High Aailability Policies Guide Version 4 Release 1 SC34-2660-03 Tioli System Automation for Multiplatforms High Aailability Policies Guide Version 4 Release

More information

Installing and Configuring IBM Case Manager with FileNet P8 Platform on a Single Server

Installing and Configuring IBM Case Manager with FileNet P8 Platform on a Single Server Installing and Configuring IBM Case Manager with FileNet P8 Platform on a Single Serer ii Installing and Configuring IBM Case Manager with FileNet P8 Platform on a Single Serer Contents Installing with

More information

IBM Spectrum Control Version User's Guide IBM SC

IBM Spectrum Control Version User's Guide IBM SC IBM Spectrum Control Version 5.2.9 User's Guide IBM SC27-6588-01 Note: Before using this information and the product it supports, read the information in Notices on page 359. This edition applies to ersion

More information

Live Partition Mobility ESCALA REFERENCE 86 A1 85FA 01

Live Partition Mobility ESCALA REFERENCE 86 A1 85FA 01 Lie Partition Mobility ESCALA REFERENCE 86 A1 85FA 01 ESCALA Lie Partition Mobility Hardware May 2009 BULL CEDOC 357 AVENUE PATTON B.P.20845 49008 ANGERS CEDE 01 FRANCE REFERENCE 86 A1 85FA 01 The following

More information

IBM Campaign Version 9 Release 1 October 25, User's Guide

IBM Campaign Version 9 Release 1 October 25, User's Guide IBM Campaign Version 9 Release 1 October 25, 2013 User's Guide Note Before using this information and the product it supports, read the information in Notices on page 229. This edition applies to ersion

More information

Planning and Installation

Planning and Installation Tioli Workload Scheduler Version 8.5. (Reised October 200) Planning and Installation SC32-273-09 Tioli Workload Scheduler Version 8.5. (Reised October 200) Planning and Installation SC32-273-09 Note Before

More information

Problem Determination Guide

Problem Determination Guide IBM Tioli Storage Productiity Center Problem Determination Guide Version 4.1 GC27-2342-00 IBM Tioli Storage Productiity Center Problem Determination Guide Version 4.1 GC27-2342-00 Note: Before using this

More information

Version 10 Release 0 February IBM Marketing Platform Installation Guide IBM

Version 10 Release 0 February IBM Marketing Platform Installation Guide IBM Version 10 Release 0 February 2017 IBM Marketing Platform Installation Guide IBM Note Before using this information and the product it supports, read the information in Notices on page 69. This edition

More information

IBM Spectrum Protect Snapshot for Oracle Version What's new Supporting multiple Oracle databases with a single instance IBM

IBM Spectrum Protect Snapshot for Oracle Version What's new Supporting multiple Oracle databases with a single instance IBM IBM Spectrum Protect Snapshot for Oracle Version 8.1.4 What's new Supporting multiple Oracle databases with a single instance IBM IBM Spectrum Protect Snapshot for Oracle Version 8.1.4 What's new Supporting

More information

Tivoli Tivoli Provisioning Manager

Tivoli Tivoli Provisioning Manager Tioli Tioli Proisioning Manager Version 2.1 Migration Guide for Linux GC32-1620-00 Tioli Tioli Proisioning Manager Version 2.1 Migration Guide for Linux GC32-1620-00 Note: Before using this information

More information

Tivoli Storage Manager FastBack Installation and User's Guide

Tivoli Storage Manager FastBack Installation and User's Guide Tioli Storage Manager FastBack Version 6.1.1.0 Tioli Storage Manager FastBack Installation and User's Guide SC23-8562-05 Tioli Storage Manager FastBack Version 6.1.1.0 Tioli Storage Manager FastBack Installation

More information

Installation and User's Guide

Installation and User's Guide IBM Systems Director VMControl Installation and User's Guide Version 2 Release 3 IBM Systems Director VMControl Installation and User's Guide Version 2 Release 3 ii IBM Systems Director VMControl: Installation

More information

IBM Tivoli Monitoring for Messaging and Collaboration: Lotus Domino. User s Guide. Version SC

IBM Tivoli Monitoring for Messaging and Collaboration: Lotus Domino. User s Guide. Version SC IBM Tioli Monitoring for Messaging and Collaboration: Lotus Domino User s Guide Version 5.1.0 SC32-0841-00 IBM Tioli Monitoring for Messaging and Collaboration: Lotus Domino User s Guide Version 5.1.0

More information

Monitoring: Windows OS Agent Version Fix Pack 2 (Revised May 2010) User s Guide SC

Monitoring: Windows OS Agent Version Fix Pack 2 (Revised May 2010) User s Guide SC Tioli Monitoring: Windows OS Agent Version 6.2.2 Fix Pack 2 (Reised May 2010) User s Guide SC32-9445-03 Tioli Monitoring: Windows OS Agent Version 6.2.2 Fix Pack 2 (Reised May 2010) User s Guide SC32-9445-03

More information

IBM Tivoli Composite Application Manager for Microsoft Applications: Microsoft Exchange Server Agent Fix Pack 13.

IBM Tivoli Composite Application Manager for Microsoft Applications: Microsoft Exchange Server Agent Fix Pack 13. IBM Tioli Composite Application Manager for Microsoft Applications: Microsoft Exchange Serer Agent 6.3.1 Fix Pack 13 Reference IBM IBM Tioli Composite Application Manager for Microsoft Applications: Microsoft

More information

IBM XIV Storage System Management Tools Version 4.6. Operations Guide SC

IBM XIV Storage System Management Tools Version 4.6. Operations Guide SC IBM XIV Storage System Management Tools Version 4.6 Operations Guide SC27-5986-04 Note Before using this information and the product it supports, read the information in Notices on page 77. Edition Notice

More information

IBM Tivoli Access Manager forweblogicserver. User s Guide. Version 3.9 GC

IBM Tivoli Access Manager forweblogicserver. User s Guide. Version 3.9 GC IBM Tioli Access Manager forweblogicserer User s Guide Version 3.9 GC32-0851-00 IBM Tioli Access Manager forweblogicserer User s Guide Version 3.9 GC32-0851-00 Note Before using this information and the

More information

Troubleshooting Guide

Troubleshooting Guide Security Policy Manager Version 7.1 Troubleshooting Guide GC27-2711-00 Security Policy Manager Version 7.1 Troubleshooting Guide GC27-2711-00 Note Before using this information and the product it supports,

More information

IBM Security Access Manager for Enterprise Single Sign-On Version 8.2. Administrator Guide SC

IBM Security Access Manager for Enterprise Single Sign-On Version 8.2. Administrator Guide SC IBM Security Access Manager for Enterprise Single Sign-On Version 8.2 Administrator Guide SC23-9951-03 IBM Security Access Manager for Enterprise Single Sign-On Version 8.2 Administrator Guide SC23-9951-03

More information

IBM Tivoli Enterprise Console. User s Guide. Version 3.9 SC

IBM Tivoli Enterprise Console. User s Guide. Version 3.9 SC IBM Tioli Enterprise Console User s Guide Version 3.9 SC32-1235-00 IBM Tioli Enterprise Console User s Guide Version 3.9 SC32-1235-00 Note Before using this information and the product it supports, read

More information