IBM Tivoli Access Manager for Linux on zSeries. Installation Guide. Version 3.9 GC


Note: Before using this information and the product it supports, read the information in Notices on page 49.

First Edition (April 2002)

Copyright Sun Microsystems, Inc
Copyright International Business Machines Corporation 2001, All rights reserved. US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Preface
  Who should read this book
  What this book contains
  Publications
  IBM Tivoli Access Manager
  Release information
  Base information
  WebSEAL information
  Developer references
  Technical supplements
  Related publications
  IBM DB2 Universal Database
  IBM Global Security Toolkit
  IBM SecureWay Directory
  Accessing publications online
  Ordering publications
  Providing feedback about publications
  Accessibility
  Contacting customer support
  Conventions used in this book
  Typeface conventions

Chapter 1. Installation overview
  Planning for deployment
  Secure domain overview
  Installation components
  Access Manager runtime
  Application development kit
  Authorization server
  IBM Global Security Toolkit
  IBM SecureWay Directory client
  Policy server
  System requirements
  Supported operating system
  Supported user registry
  IBM SecureWay Directory server
  OS/390 Security Server
  z/OS Security Server
  IBM Global Security Toolkit
  IBM SecureWay Directory client
  Release Limitations

Chapter 2. Installing Access Manager components
  Installation considerations
  Installation process
  Installing the IBM Global Security Toolkit
  Installing the IBM SecureWay Directory client
  Installing and configuring Access Manager
  Configuration options
  Access Manager runtime (PDRTE-PD )
  LDAP registry
  Policy server (PDMgr-PD )
  Authorization server (PDAcld-PD )
  Default ports
  Uninstalling Access Manager for Linux on zSeries
  Uninstallation considerations
  Unconfiguring Access Manager for Linux on zSeries Components
  Removing Access Manager for Linux on zSeries Packages

Chapter 3. Configuring supported LDAP servers
  LDAP server configuration overview
  Configuring the IBM SecureWay Directory server
  Configuring z/OS or OS/390 LDAP servers
  Create a DB2 database for the TDBM backend
  Create an LDAP configuration file for a TDBM backend
  Start the server
  Update and load schema files
  Enabling LDAP replication
  Add a stanza to the replica LDAP server's configuration file
  Add an object to the master LDAP server's backend
  Configuring Access Manager for LDAP
  Native authentication user administration
  Sample LDAP configuration
  Sample DB2 database and tablespace script for SPUFI
  Sample DB2 index script for SPUFI
  Sample CLI bind batch job
  Sample CLI initialization file

Chapter 4. Enabling SSL for LDAP servers
  Configuring the IBM SecureWay Directory server for SSL access
  Creating the key database file and the certificate
  Obtaining a personal certificate from a certificate authority
  Creating and extracting a self-signed certificate
  Enabling SSL access
  Configuring OS/390 or z/OS SecureWay LDAP servers for SSL access
  Create a key database file for the server
  Create a self-signed certificate
  Store the server certificate
  Add a security stanza to the LDAP configuration file
  Restart the LDAP server
  Configuring the IBM SecureWay Directory client for SSL access
  Creating a key database file
  Adding a signer certificate
  Testing SSL access
  Configuring LDAP server and client authentication
  Creating a key database file
  Obtaining a personal certificate from a certificate authority
  Creating and extracting a self-signed certificate
  Adding a signer certificate
  Testing the SSL access

Appendix. Notices
  Trademarks

Glossary

Copyright IBM Corp. 2001, 2002

Preface

IBM Tivoli Access Manager (Access Manager) is the base software that is required to run applications in the Access Manager product suite. It enables the integration of Access Manager applications that provide a wide range of authorization and management solutions. Sold as an integrated solution, these products provide an access control management solution that centralizes network and application security policy for e-business applications.

Note: IBM Tivoli Access Manager is the new name of the previously released software entitled Tivoli SecureWay Policy Director. Also, for users familiar with the Tivoli SecureWay Policy Director software and documentation, the term management server is now referred to as policy server.

The IBM Tivoli Access Manager Base for Linux on zSeries Installation Guide explains how to install and configure Access Manager Base for Linux on the zSeries platform.

Who should read this book

This guide is for system administrators responsible for the installation and deployment of Access Manager. Readers should be familiar with the following:
- IBM zSeries platform
- Database architecture and concepts
- Security management
- Internet protocols, including HTTP, TCP/IP, File Transfer Protocol (FTP), and Telnet
- A supported Lightweight Directory Access Protocol (LDAP) user registry and directory services
- Authentication and authorization

If you are enabling Secure Sockets Layer (SSL) communication, you also should be familiar with SSL protocol, key exchange (public and private), digital signatures, cryptographic algorithms, and certificate authorities.

What this book contains

This guide contains the following sections:
- Chapter 1, Installation overview on page 1
- Chapter 2, Installing Access Manager components on page 7
- Chapter 3, Configuring supported LDAP servers on page 15
- Chapter 4, Enabling SSL for LDAP servers on page 35

Publications

This section lists publications in the Access Manager library and any other related documents. It also describes how to access Tivoli publications online, how to order Tivoli publications, and how to make comments on Tivoli publications.

IBM Tivoli Access Manager

The Access Manager library is organized into the following categories:
- Release information
- Base information
- WebSEAL information
- Developer reference information
- Supplemental technical information

For additional sources of information about Access Manager and related topics, see the following Web sites:

Release information

- IBM Tivoli Access Manager for e-business Read Me First, GI (am39_readme.pdf)
  Provides information for installing and getting started using Access Manager.
- IBM Tivoli Access Manager for e-business Release Notes, GI (am39_relnotes.pdf)
  Provides late-breaking information, such as software limitations, workarounds, and documentation updates.

Base information

- IBM Tivoli Access Manager Base for Linux on zSeries Installation Guide, GC (am39_zinstall.pdf)
  Explains how to install and configure Access Manager Base for Linux on the zSeries platform.
- IBM Tivoli Access Manager Base Installation Guide, GC (am39_install.pdf)
  Explains how to install, configure, and upgrade Access Manager software, including the Web portal manager interface.
- IBM Tivoli Access Manager Base Administrator's Guide, GC (am39_admin.pdf)
  Describes the concepts and procedures for using Access Manager services. Provides instructions for performing tasks from the Web portal manager interface and by using the pdadmin command.

WebSEAL information

- IBM Tivoli Access Manager WebSEAL for Linux on zSeries Installation Guide, GC (amweb39_zinstall.pdf)
  Provides installation, configuration, and removal instructions for WebSEAL server and the WebSEAL application development kit for Linux on the zSeries platform.
- IBM Tivoli Access Manager WebSEAL Installation Guide, GC (amweb39_install.pdf)
  Provides installation, configuration, and removal instructions for the WebSEAL server and the WebSEAL application development kit.
- IBM Tivoli Access Manager WebSEAL Administrator's Guide, GC (amweb39_admin.pdf)
  Provides background material, administrative procedures, and technical reference information for using WebSEAL to manage the resources of your secure Web domain.
- IBM Tivoli Access Manager WebSEAL Developer's Reference, GC (amweb39_devref.pdf)
  Provides administration and programming information for the Cross Domain Authentication Service (CDAS), the Cross Domain Mapping Framework (CDMF), and the Password Strength Module.

Developer references

- IBM Tivoli Access Manager Authorization C API Developer's Reference, GC (am39_authc_devref.pdf)
  Provides reference material that describes how to use the Access Manager authorization C API and the Access Manager service plug-in interface to add Access Manager security to applications.
- IBM Tivoli Access Manager Authorization Java Classes Developer's Reference, GC (am39_authj_devref.pdf)
  Provides reference information for using the Java language implementation of the authorization API to enable an application to use Access Manager security.
- IBM Tivoli Access Manager Administration C API Developer's Reference, GC (am39_adminc_devref.pdf)
  Provides reference information about using the administration API to enable an application to perform Access Manager administration tasks. This document describes the C implementation of the administration API.
- IBM Tivoli Access Manager Administration Java Classes Developer's Reference, SC (am39_adminj_devref.pdf)
  Provides reference information for using the Java language implementation of the administration API to enable an application to perform Access Manager administration tasks.
- IBM Tivoli Access Manager WebSEAL Developer's Reference, GC (amweb39_devref.pdf)
  Provides administration and programming information for the Cross Domain Authentication Service (CDAS), the Cross Domain Mapping Framework (CDMF), and the Password Strength Module.

Technical supplements

- IBM Tivoli Access Manager Capacity Planning Guide, GC (am39_capplan.pdf)
  Assists planners in determining the number of WebSEAL, LDAP, and backend Web servers needed to achieve a required workload.
- IBM Tivoli Access Manager Error Message Reference, SC (am39_error_ref.pdf)
  Provides explanations and recommended actions for the messages produced by Access Manager.

The Tivoli Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Glossary is available, in English only, at the following Web site:

Related publications

This section lists publications related to the Access Manager library.

IBM DB2 Universal Database

IBM DB2 Universal Database is required when installing IBM SecureWay Directory, z/OS, and OS/390 SecureWay LDAP servers. DB2 information is available at the following Web site:

IBM Global Security Toolkit

Access Manager provides data encryption through the use of IBM Global Security Toolkit (GSKit). GSKit is shipped on the IBM Tivoli Access Manager Base CD for your particular platform. The GSKit package installs the ikeyman key management utility (gsk5ikm), which enables you to create key databases, public-private key pairs, and certificate requests. The following document is available in the /doc/gskit directory:

- Secure Sockets Layer Introduction and ikeyman User's Guide (gskikm5c.pdf)
  Provides information for network or system security administrators who plan to enable SSL communication in their Access Manager secure domain.

IBM SecureWay Directory

The following documents are available in the /doc/directory path on the IBM Tivoli Access Manager Base CD for your particular platform:

- IBM SecureWay Directory for Linux: Installation, Configuration, and Administration Guide (lparent.pdf)
  Provides installation, configuration, and migration information for IBM SecureWay Directory components on AIX, Linux, Solaris, and Microsoft Windows operating systems.
- IBM SecureWay Directory Release Notes (relnote.pdf)
  Supplements IBM SecureWay Directory, Version 3.2.2, product documentation and describes features and functions made available to you in this release.
- IBM SecureWay Directory Readme Addendum (addendum322.pdf)
  Provides information about changes and fixes that occurred after the IBM SecureWay Directory documentation had been translated. This file is in English only.
- IBM SecureWay Directory Client Readme (client.pdf)
  Provides a description of the IBM SecureWay Directory Client SDK, Version This software development kit (SDK) provides LDAP application development support.
- IBM SecureWay Directory Configuration Schema (scparent.pdf)
  Describes the directory information tree (DIT) and the attributes that are used to configure the slapd32.conf file. In IBM SecureWay Directory Version 3.2, the directory settings are stored using the LDAP Directory Interchange Format (LDIF) in the slapd32.conf file.

For information about IBM SecureWay Directory, see the following Web site:

Accessing publications online

Publications in the product libraries are included in Portable Document Format (PDF) on the product CD. To access these publications using a Web browser, open the infocenter.html file, which is located in the /doc directory on the product CD.

When IBM publishes an updated version of one or more online or hardcopy publications, they are posted to the Tivoli Information Center. The Tivoli Information Center contains the most recent version of the publications in the product library in PDF or HTML format, or both. Translated documents are also available for some products.

You can access the Tivoli Information Center and other sources of technical information from the following Web site:

Information is organized by product, including release notes, installation guides, user's guides, administrator's guides, and developer's references.

Note: If you print PDF documents on other than letter-sized paper, select the Fit to page check box in the Adobe Acrobat Print dialog (which is available when you click File > Print) to ensure that the full dimensions of a letter-sized page are printed on the paper that you are using.

Ordering publications

You can order many Tivoli publications online at the following Web site: cgibin/pbi.cgi

You can also order by telephone by calling one of these numbers:
- In the United States:
- In Canada:
- In other countries, for a list of telephone numbers, see the following Web site:

Providing feedback about publications

We are very interested in hearing about your experience with Tivoli products and documentation, and we welcome your suggestions for improvements. If you have comments or suggestions about our products and documentation, contact us in one of the following ways:
- Send an e-mail to pubs@tivoli.com.
- Complete our customer feedback survey at the following Web site:

Accessibility

Accessibility features help a user who has a physical disability, such as restricted mobility or limited vision, to use software products successfully.

Contacting customer support

If you have a problem with any Tivoli product, you can contact Tivoli Customer Support. See the Tivoli Customer Support Handbook at the following Web site:

The handbook provides information about how to contact Tivoli Customer Support, depending on the severity of your problem, and the following information:
- Registration and eligibility
- Telephone numbers and addresses, depending on the country in which you are located
- What information to gather before contacting support

Conventions used in this book

This guide uses several conventions for special terms and actions, operating system-dependent commands and paths, and margin graphics.

Typeface conventions

The following typeface conventions are used in this book:

Bold: Command names and options, keywords, and other information that you must use literally appear in bold.
Italic: Variables, command options, and values you must provide appear in italics. Titles of publications and special words or phrases that are emphasized also appear in italics.
Monospace: Code examples, command lines, screen output, file and directory names, and system messages appear in monospace font.

Chapter 1. Installation overview

Before you begin installing IBM Tivoli Access Manager (Access Manager), Version 3.9, you must become familiar with its components, installation options, and system requirements. This chapter includes the following sections:
- Planning for deployment
- Secure domain overview on page 2
- Installation components on page 3
- System requirements on page 4

Planning for deployment

Before you implement a particular Access Manager solution, you must determine the specific security and management capabilities that are required of your network.

The first step in planning the deployment of an Access Manager security environment is to define the security requirements for your computing environment. Defining security requirements means determining the business policies that must apply to users, programs, and data. This includes defining the following:
- Objects to be secured
- Actions permitted on each object
- Users that are permitted to perform the actions

Enforcing a security policy requires an understanding of the flow of access requests through your network topology. This includes identifying proper roles and locations for firewalls, routers, and subnets. Deploying an Access Manager security environment (called a secure domain) also requires identifying the optimal points within the network for installing software that evaluates user access requests, and grants or denies the requested access.

Implementation of a security policy requires understanding the quantity of users, data, and throughput that your network must accommodate. You also must evaluate performance characteristics, scalability, and the need for failover capabilities. Integration of legacy software, databases, and applications with Access Manager software must also be considered.

After you have an understanding of the features that you want to deploy, you can decide which Access Manager components and applications can be combined to best implement your security policy.

Note: For useful planning documents, see the IBM Tivoli Access Manager Capacity Planning Guide and applicable field guides located at the following Web address:

Secure domain overview

The Access Manager product family is based on a model that combines a set of servers and runtime libraries with one or more applications, such as Access Manager for Operating Systems. The servers and runtime libraries provide a security framework that includes authentication and authorization libraries.

The Access Manager secure domain is a secure computing environment in which Access Manager enforces your security policies for authentication, authorization, and access control. The following graphic represents the systems in a typical secure domain and their associated components. For descriptions of these components, see Installation components on page 3.

Table 1 lists required components for the Access Manager systems illustrated above. For descriptions of these components, see Installation components on page 3.

Table 1. Types of Access Manager systems

Type of Access Manager system | Required components
Policy server | IBM Global Security Toolkit; Access Manager runtime; IBM SecureWay Directory client; Policy server
Runtime system | IBM Global Security Toolkit; Access Manager runtime; IBM SecureWay Directory client
Development system | IBM Global Security Toolkit; Access Manager runtime; IBM SecureWay Directory client; Application Development Kit
Authorization server | Global Security Toolkit; Access Manager runtime; IBM SecureWay Directory client; Authorization server

Installation components

This section provides an overview of the installation components that constitute a secure domain. For more information, see System requirements on page 4.

Access Manager runtime

The Access Manager runtime component contains runtime libraries and supporting files that applications can use to access Access Manager servers. You must install the runtime on every system that is part of your secure domain.

Application development kit

The application development kit (ADK) provides a development environment that enables you to code third-party applications to query the authorization server for authorization decisions. The ADK contains support for using both C APIs and Java classes for authorization and administration functions. This component is optional.

Authorization server

The authorization server offloads access control and authorization decisions from the policy server. It maintains a replica of the authorization policy database and functions as the authorization decision-making evaluator. A separate authorization server also provides access to the authorization service for third-party applications that use the Access Manager authorization API in remote cache mode. This component is optional.

IBM Global Security Toolkit

Access Manager provides data encryption through the use of IBM Global Security Toolkit (GSKit). The GSKit package installs the ikeyman key management utility (gsk5ikm), which enables you to create key databases, public-private key pairs, and certificate requests. For more information about this utility and enabling SSL, see Chapter 4, Enabling SSL for LDAP servers on page 35.

IBM SecureWay Directory client

Access Manager supports the IBM SecureWay Directory client. This client is shipped with IBM SecureWay Directory product on the IBM Tivoli Access Manager Base for Linux on zSeries CD. The IBM SecureWay Directory client fully supports any of the supported user registries. You must install and configure this client on each system that runs Access Manager.

The IBM SecureWay Directory client installation package includes a graphical user interface (GUI). The Directory Management Tool (DMT) enables you to browse and edit information in your directory, such as schema definitions, the directory tree, and data entries. In-depth documentation for this interface is available through the online help system.

Policy server

The policy server, previously referred to as the management server, maintains the master authorization policy database for the secure domain. This server is key to the processing of access control, authentication, and authorization requests. It also updates authorization database replicas and maintains location information about other Access Manager servers in the secure domain.

There can be only one instance of the policy server and its master authorization database in any secure domain at one time. However, you can have a second server in standby mode to provide cold failover capabilities. The policy server replicates its access control list (ACL) database to all other Access Manager servers in the secure domain.

System requirements

Access Manager Base for Linux on zSeries has specific system prerequisites that must be met before it can be installed and deemed fully functional. The requirements listed in the following sections constitute the recommended environment for Access Manager components at the time of publication. For the most current information, see the IBM Tivoli Access Manager Release Notes for e-business, Version 3.9 on the Tivoli Customer Support Web site.

Supported operating system

Access Manager Base for Linux on zSeries is supported on the following platform:
- SuSE Linux Enterprise Server 7 for S/390 and zSeries (SLES-7)

This is SuSE Linux 7.2 for zSeries, kernel 2.4.7, 31-bit. You must install the compat-libstdc++ package to provide the legacy C++ support required by GSKit. This file, named compat.rpm, is located on the SuSE SLES-7 developer CD 1 in the /suse/a1 directory. This is the only configuration currently supported by IBM.

Supported user registry

Access Manager Base for Linux on zSeries supports the following user registries. The following sections list their supported operating systems and necessary prerequisites.

IBM SecureWay Directory server

Access Manager Base for Linux on zSeries supports the use of IBM SecureWay Directory, Version 3.2.2, as the user registry.
This LDAP server is supported on the following operating systems:
- AIX and with the bos.rte.libpthreads patch at level or greater
  Note: You can download this patch from the following Web address:
- Linux 2.2 kernel distributions
- Solaris 2.7 and 2.8
- Windows NT 4.0 with Service Pack 6a
- Windows 2000 Advanced Server with Service Pack 2

Prerequisite software for the IBM SecureWay Directory server is as follows:
- IBM DB2 Universal Database Edition, Version 7.2, with Fixpack 5, which currently is only supported on a Linux 2.2 kernel distribution. You can also install IBM DB2 Universal Database Edition, Version 7.2, and IBM SecureWay Directory, Version 3.2.2, server on a Linux 2.2 kernel distribution in a zSeries Linux image, separate from the 2.4 kernel images running the Access Manager components.

Note: To register and download IBM SecureWay Directory, Version 3.2.2, for S/390 Linux, see the following Web address:

Attention: If you have a preexisting version of LDAP from a vendor other than IBM, you must remove it before installing IBM SecureWay Directory. If you attempt to install IBM SecureWay Directory without removing the other vendor's version, the resulting file name conflicts might prevent either version from working.

SLES-7 systems are installed with OpenLDAP. Ensure that OpenLDAP is removed before installing IBM SecureWay Directory. To query if there are installed LDAP packages, enter the following command:

    rpm -qa | grep -i ldap

OS/390 Security Server

Access Manager Base for Linux on zSeries supports the use of IBM OS/390 Server, Version 2, Release 10, as a user registry. In addition, the following PTFs are required:
- APAR OW46344, which provides the configuration files and libraries to support the Access Manager schema
- APAR OW53402, which provides support for empty attribute replace operations

z/OS Security Server

Access Manager Base for Linux on zSeries supports the use of IBM z/OS, Version 1, Release 2 and higher, as a user registry. In addition, the following PTFs are required:
- APAR OW46344, which provides the configuration files and libraries to support the Access Manager schema
- APAR OW53402, which provides support for empty attribute replace operations

IBM Global Security Toolkit

Access Manager Base for Linux on zSeries supports IBM Global Security Toolkit (GSKit), Version , which is shipped on the IBM Tivoli Access Manager Base for Linux on zSeries CD. Version 5 is not compatible with GSKit, Version 4.x, but these versions can coexist on the same system. It is recommended that you also install the newly-released GSKit download available at the following Web site: downloads.html

The IBM Global Security Toolkit contains a utility called gsk5ikm. This utility has dependencies on two additional pieces of software:
- Java Runtime Environment (JRE) Version
  You can obtain this product from the IBM Java Developer Kit for Linux download site at:

  Note: The gsk5ikm utility shipped with GSKit does not support JRE Version 1.3. This utility requires JRE Version
- The SuSE Linux Enterprise Server Version 7 compat-libstdc++ software installation package. This package is required to provide the legacy C++ support required by GSKit on SuSE Linux Enterprise Server Version 7. You can obtain the package from the following location on the SuSE Linux Enterprise Server Version 7 developer CD 1: /suse/a1/compat.rpm

To use GSKit services on SuSE Linux Enterprise Server Version 7, you must set the LD_PRELOAD environment variable to /usr/lib/libstdc++-libc6.1-2.so.3 by entering the following:

    export LD_PRELOAD=/usr/lib/libstdc++-libc6.1-2.so.3

IBM SecureWay Directory client

Access Manager Base for Linux on zSeries supports the IBM SecureWay Directory, Version 3.2.2, client with e-fix1. This client is shipped on the IBM Tivoli Access Manager Base for Linux on zSeries CD.

Note: It is recommended that you also install the newly-released e-fix 2 patch available at the following Web site:

Attention: The Directory Management Tool (DMT) is a Java-based application installed with the IBM SecureWay Directory client. Because the supported Java level on a SuSE SLES-7 distribution is 1.3.1, Java must be installed to use this tool. In addition, the DMT tool is an X-windows application. Therefore, it must be started using an X-windows session.

Release Limitations

Access Manager Base for Linux on zSeries, Version 3.9, limitations are as follows:
- The only supported directories for this release are IBM SecureWay Directory, OS/390 Security Server, and z/OS Security Server.
- Operation on Linux distributions other than 31-bit SuSE SLES-7 is not supported by IBM.
- Localization support is not available. Software and documentation is provided in the English language only.
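The SLES-7 prerequisites listed above (no OpenLDAP packages left installed, the compat-libstdc++ package present, LD_PRELOAD set to /usr/lib/libstdc++-libc6.1-2.so.3) can be checked in one pass before installation. The script below is an added example and is not part of the IBM guide; the package-name prefixes it matches and the sample listing are assumptions, and it also flags nss_ldap, which the client installation steps in Chapter 2 say must be removed.

```shell
#!/bin/sh
# Added example: pre-installation check for the prerequisites this guide lists.
# Assumption: `rpm -qa` reports package names that begin with "openldap",
# "nss_ldap" and "compat" (or "compat-libstdc++") for the packages in question.

REQUIRED_PRELOAD=/usr/lib/libstdc++-libc6.1-2.so.3   # value given in this guide

# Constructed sample of `rpm -qa` output; the versions are placeholders.
SAMPLE_LISTING='glibc-0.0-0
openldap-0.0-0
nss_ldap-0.0-0
ldap-clientd-0.0-0'

# Reads an `rpm -qa` listing on stdin and prints every package that must be
# removed first. IBM's own ldap-clientd package is deliberately not matched,
# which a plain `grep -i ldap` would not distinguish.
conflicting_ldap_packages() {
    grep -i -E '^(openldap|nss_ldap)' || true
}

# Succeeds if the listing on stdin contains the legacy C++ compat package.
has_compat_package() {
    grep -q -i -E '^compat(-libstdc\+\+)?-[0-9]'
}

# preflight LISTING PRELOAD
# Prints one finding per line and returns the number of findings (0 = ready).
preflight() {
    listing=$1
    preload=$2
    findings=0

    conflicts=$(printf '%s\n' "$listing" | conflicting_ldap_packages)
    for pkg in $conflicts; do
        echo "REMOVE   $pkg (conflicts with IBM SecureWay Directory)"
        findings=$((findings + 1))
    done

    if ! printf '%s\n' "$listing" | has_compat_package; then
        echo "MISSING  compat-libstdc++ (compat.rpm on the SLES-7 developer CD 1)"
        findings=$((findings + 1))
    fi

    # LD_PRELOAD may list several libraries separated by spaces or colons,
    # so compare whole entries rather than substrings.
    case " $(printf '%s' "$preload" | tr ':' ' ') " in
        *" $REQUIRED_PRELOAD "*) ;;
        *) echo "UNSET    LD_PRELOAD does not include $REQUIRED_PRELOAD"
           findings=$((findings + 1)) ;;
    esac

    return "$findings"
}

# Demonstration on the constructed listing with LD_PRELOAD unset.
# On a live system: preflight "$(rpm -qa)" "$LD_PRELOAD"
preflight "$SAMPLE_LISTING" "" || echo "$? finding(s): resolve before installing"
```
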

Chapter 2. Installing Access Manager components

This chapter provides information about installing and configuring Access Manager components on Linux for zSeries systems. Before you begin, make sure that you review Installation process and are familiar with Configuration options on page 10.

This chapter contains the following main sections:
- Installation considerations
- Installation process
- Installing the IBM Global Security Toolkit on page 8
- Installing the IBM SecureWay Directory client on page 9
- Installing and configuring Access Manager on page 9
- Configuration options on page 10
- Uninstalling Access Manager for Linux on zSeries on page 13

Installation considerations

Before you begin using the installation process, ensure that the following conditions are met:
- You must install and configure only one policy server for each secure domain.
- If you are installing the policy server, you must install the runtime environment first. However, you must not configure the runtime environment until the policy server is installed.
- After configuring the policy server, you can install and configure the authorization server, ADK, or both, to any system in the secure domain, including the system that hosts the policy server.
- If you are installing the runtime on a different host system than the policy server and download certificate is not enabled for this policy server, you must obtain the SSL certificate file from the policy server system. To do this, use a file transfer program, such as ftp, to place a copy of the file in a location of your choice. On the policy server, the certificate file is located in the following directory:

      /var/policydirector/keytab/pdcacert.b64

  Note that you should copy this file after installing the runtime component but before configuring it. In addition, you must have user and group ownership of ivmgr.

Installation process

The following procedure shows you how to install all Access Manager components in the appropriate order. Depending on your system requirements, select only the components that you need to install. For example, if you plan to set up a development system, required components include GSKit, the Access Manager runtime, the IBM SecureWay Directory client, and the ADK.

To install Access Manager components, follow these basic steps:

Note: For descriptions of the configuration values that you are prompted for during installation, see Configuration options on page 10.

20 1. Plan your Access Manager deployment. Ensure that you understand the business security requirements for which Access Manager is being deployed. For information, see Planning for deployment on page Decide which combination of Access Manager components that you want to install and ensure that you met all system requirements listed on page Install the IBM Global Security Toolkit (GSKit) before installing any other Access Manager component. As part of the GSKit installation, install the compat.rpm utility. GSKit is a prerequisite to the runtime enironment, which is required on all systems in the secure domain. For GSKit installation instructions, see Installing the IBM Global Security Toolkit. 4. Install a supported user registry and perform basic configuration. If you hae an existing LDAP serer that you want to use for Access Manager, see Supported user registry on page 4 for more information. For installation instructions, do one of the following: To install and configure OS/390 or z/os security serers, consult your product documentation. To install and configure the IBM SecureWay Directory serer, see the IBM SecureWay Installation and Configuration Guide for Linux, located in /doc/directory on the IBM Tioli Access Manager Base CD for your particular platform. 5. Install the IBM SecureWay Directory client. This client is required on each system that runs Access Manager. For client installation instructions, see Installing the IBM SecureWay Directory client on page Configure a supported user registry for use with Access Manager. For instructions, see Chapter 3, Configuring supported LDAP serers on page Depending on the type of Access Manager system that you are setting up, install one or more of the following components in this order: IBM Global Security Toolkit (GSKit) IBM SecureWay Directory client Access Manager runtime Policy serer Authorization serer ADK For instructions, see Installing and configuring Access Manager on page 9 8. 
Optional: To enable SSL communication between your LDAP serer and IBM SecureWay Directory clients, see Chapter 4, Enabling SSL for LDAP serers on page 35. Installing the IBM Global Security Toolkit To install GSKit on a Linux system, follow these steps: 1. Log in to the system as root. 2. Insert the IBM Tioli Access Manager for Linux on zseries, Version 3.9 CD. 3. Change to the directory /mnt/cdrom/zseries where /mnt/cdrom is the mount point for your CD. 4. To install GSKit in the default location, enter the following: rpm i gsk5bas s390.rpm After you install GSKit, no configuration is necessary. 8 IBM Tioli Access Manager for Linux on zseries: Installation Guide

Notes:
- The ikeyman key management utility (gsk5ikm) is installed with the GSKit package. This enables you to create key databases, public-private key pairs, and certificate requests.
- To use GSKit services on SuSE SLES-7 systems, you need to set the LD_PRELOAD environment variable to the following:

    export LD_PRELOAD=/usr/lib/libstdc++-libc6.1-2.so.3

  Set the LD_PRELOAD environment variable before starting an LDAP client application which uses SSL or before starting the gsk5ikm utility.

Installing the IBM SecureWay Directory client

To install the IBM SecureWay Directory client on a Linux system, follow these steps.

Note: Before installing the IBM SecureWay Directory client on your Linux system, remove the nss_ldap package, if it is installed. Otherwise, an installation failure occurs.

1. Ensure that you have installed GSKit. For instructions, see Installing the IBM Global Security Toolkit on page 8. As part of the GSKit installation, make sure you install the compat.rpm utility as follows:

    rpm -i compat.rpm

2. Log in to the system as root.
3. Obtain access to the Access Manager for Linux on zSeries rpm files. This can be done by using ftp to transfer the files to Linux on zSeries from a system, or by mounting the CD on a system, and accessing it from Linux on zSeries using NFS.
4. Change to the directory /mnt/cdrom/zseries where /mnt/cdrom is the mount point for your CD.
5. To install the IBM SecureWay Directory client in the default location, enter the following:

    rpm -i ldap-clientd s390.rpm

After you install the IBM SecureWay Directory client, no configuration is necessary.

Installing and configuring Access Manager

You must configure the runtime environment before configuring any other package. For descriptions of configuration options you are prompted for, see Configuration options on page 10.

To install Access Manager components on Linux, follow these steps:

1. Log in to the system as root.
2. Obtain access to the Access Manager for Linux on zSeries rpm files. This can be done by using ftp to transfer the files to Linux on zSeries from a system, or by mounting the CD on a system, and accessing it from Linux on zSeries using NFS.
3. Change to the directory /mnt/cdrom/zseries where /mnt/cdrom is the mount point for your CD.
4. To install components in the default location, enter the following:

    rpm -i package

   where package is one of the following:

   PDRTE-PD s390.rpm
      Indicates the Access Manager runtime.
   PDMgr-PD s390.rpm
      Indicates the policy server.
   PDAcld-PD s390.rpm
      Indicates the authorization server.
   PDAuthADK-PD s390.rpm
      Indicates the ADK.

5. Change to the following directory:

    cd /opt/policydirector/bin

6. To ensure that the correct C++ libraries are used by the pdconfig utility or LDAP / GSKit command line programs, enter the following:

    export LD_PRELOAD=/usr/lib/libstdc++-libc6.1-2.so.3

   Note: This command is not required to run Access Manager programs.
7. To start the Access Manager configuration utility, enter the following command:

    pdconfig

   The Access Manager Setup Menu is displayed.
8. Type the menu number for Configure Package. The Access Manager Configuration Menu is displayed. The list of installed Access Manager packages is displayed.
9. Select the component that you want to configure, one at a time. Depending on the component that you selected, you are prompted for configuration options. For assistance with these configuration options, see Configuration options.
10. When a message appears indicating that the package has been successfully configured, press Enter to configure another component or select the x option twice to close the configuration utility.

Configuration options

This section lists configuration information that is required during the native installation process. It is recommended that you identify these values before you are prompted during installation. If you are planning to enable Secure Sockets Layer (SSL), configuration options also are provided.

Note that the configuration information for the policy server is used for configuring every Access Manager component except for GSKit, the IBM SecureWay Directory client, and the application development kit (ADK), where configuration is not required.

Access Manager runtime (PDRTE-PD )

During the configuration of the Access Manager runtime component, you are prompted for the following information:

User Registry Selection
   Click to select the type of registry you configured for Access Manager. Note that LDAP registry is the only supported choice for Access Manager for Linux on zSeries.

LDAP registry

During the configuration of the Access Manager runtime environment, you are prompted for the following information:

LDAP server hostname
   Specifies the fully qualified host name of the LDAP server. For example: ldapserver.tivoli.com
LDAP server port number
   Specifies the port number on which the LDAP server listens. The default port number is 389.

If the Access Manager policy server is not installed on the same system as the Access Manager runtime environment, then you are also prompted for the following information:

Hostname of the Policy Server machine
   Specifies the fully qualified host name of the policy server. For example: pdmgr.tivoli.com
SSL listening port used by Policy Server
   Specifies the port number on which the policy server listens for SSL requests. The default port number is

Policy server (PDMgr-PD )

During the configuration of the policy server, you are prompted for the following information:

LDAP administrative user DN
   Specifies the distinguished name of the LDAP administrator. The default name is cn=root.
LDAP administrative user password
   Specifies the password associated with the LDAP administrator ID.
Enable SSL communication between the Access Manager Policy Server and the LDAP server
   Specifies whether SSL should be enabled (yes or no). If yes is specified, the following information is requested.
Location of the LDAP SSL client key file
   Specifies the fully qualified path name where the client GSKit key database file is located on the policy server. To enable SSL support between your policy server and LDAP server, the Access Manager Base CD provides the following sample key file for evaluation use only:

    /common/pd_ldapkey.kdb

   This file is not intended for use in a production environment. To acquire your own certificate, see information about creating a key database file and certificate in Chapter 4, Enabling SSL for LDAP servers on page 35.
SSL client certificate label (if required)
   Specifies the label in the client GSKit key database file of the client certificate to be sent to the server. This label is required if the server is configured to require client authentication during SSL establishment. If you use the ezinstall_ldap_server script and the default key file (pd_ldapkey.kdb), then the label should be left blank. Typically, the LDAP server requires only server-side certificates that were specified during creation of the client.kbd file. In addition, if the SSL client key file label is not required, leave this field blank when configuring the policy server.
LDAP SSL client key file password
   Specifies the password of the client GSKit key database file. The pd_ldapkey.kdb file shipped with easy installation has a default password of gsk4ikm. These defaults are usable if you install and configure the IBM SecureWay Directory server using the ezinstall_ldap_server script. If you decide to change this password using the gsk5ikm utility, you must recall this default password.
LDAP server SSL port number
   Specifies the port number on which the LDAP server listens for SSL requests. The default port number is 636.
LDAP DN for GSO database
   Specifies the distinguished name of the location in the LDAP server directory information tree (DIT) where the Tivoli Global Sign-On (GSO) database is located. For example: o=tivoli,c=us
   For more information about the GSO suffix, see LDAP server configuration overview on page 15.
Access Manager Administrator Password
   Specifies the password associated with the sec_master primary administrator ID. You are prompted to confirm this password.
SSL server port for Access Manager Policy Server
   Specifies the port number on which the policy server listens for SSL requests. The default port number is
Policy server SSL certificate lifetime
   Specifies the number of days that the SSL certificate file is valid. The default number of days is 365.
Enable root CA Certificate download
   Specify yes to enable automatic downloading of the SSL certificate authority file. Regardless of whether you specify yes or no, the SSL certificate authority file is placed in the following directory:

    /var/policydirector/keytab/pdcacert.b64

   If this option is set to no, you must copy the pdcacert.b64 file to each Access Manager runtime system in your secure domain.

Authorization server (PDAcld-PD )

During the configuration of the authorization server system, you are prompted for the following information:

LDAP administrative user DN
   Specifies the distinguished name of the LDAP administrator. The default name is cn=root.
LDAP administrator user password
   Specifies the password associated with the LDAP administrator ID.
Enable SSL communication between the Access Manager Policy Server and the LDAP server
   Specifies whether SSL should be enabled (yes or no). If yes is specified, the following information is requested.
Location of the LDAP SSL client key file
   Specifies the fully qualified path name where the client GSKit key database file is located on the policy server. To enable SSL support between your policy server and LDAP server, the Access Manager Base CD provides the following sample key file for evaluation use only:

    /common/pd_ldapkey.kdb

   This file is not intended for use in a production environment. To acquire your own certificate, see information about creating a key database file and certificate in Chapter 4, Enabling SSL for LDAP servers on page 35.
SSL client certificate label (if required)
   Specifies the label in the client GSKit key database file of the client certificate to be sent to the server. This label is required if the server is configured to require client authentication during SSL establishment. If you use the ezinstall_ldap_server script and the default key file (pd_ldapkey.kdb), then the label for configuring the LDAP server should be PDLDAP. Typically, the LDAP server requires only server-side certificates that were specified during creation of the client.kbd file.
   Note: If the SSL client key file label is not required, leave this field blank when configuring the authorization server.
LDAP SSL client key file password
   Specifies the password of the client GSKit key database file. The pd_ldapkey.kdb file shipped with easy installation has a default password of gsk4ikm. These defaults are usable if you install and configure the IBM SecureWay Directory server using the ezinstall_ldap_server script. If you decide to change this password using the gsk5ikm utility, you must recall this default password.
LDAP server SSL port number
   Specifies the port number on which the LDAP server listens for SSL requests. The default port number is 636.
Password for the Access Manager Administrator
   Specifies the password associated with the sec_master primary administrator ID.

Default ports

Default port numbers are as follows:

- LDAP server non-SSL port: 389
- LDAP server SSL port: 636
- Policy server SSL port: 7135
- LDAP server SSL client port: 636

Uninstalling Access Manager for Linux on zSeries

Uninstalling Access Manager, Version 3.9 is a two-part process. You must unconfigure components and then remove Access Manager packages.

Uninstallation considerations

Before you begin the uninstall process, ensure that the following conditions are met:

- Stop all Access Manager services and applications before uninstalling components.
- Unconfigure and remove the policy server system last.
- Unconfigure any other Access Manager applications, such as WebSEAL, before unconfiguring the policy server and runtime environment.
- You do not have to unconfigure the ADK before removing it.

Unconfiguring Access Manager for Linux on zSeries Components

Before you remove Access Manager packages from a Linux system, you must unconfigure components. To do so, follow these steps:

1. Log in as root.
2. Change to the following directory:

    cd /opt/policydirector/bin

3. Start the Access Manager configuration utility:

    pdconfig

   The Access Manager Setup Menu is displayed.

4. Type the number of the menu item for the Access Manager component that you want to unconfigure.
5. Repeat this procedure for each package that you want to unconfigure.

Removing Access Manager for Linux on zSeries Packages

To remove components from a Linux system, follow these steps:

1. Ensure that you have unconfigured components. Follow instructions in Unconfiguring Access Manager for Linux on zSeries Components.
2. To remove one or more packages, enter the following:

    rpm -e package

   where package is one or more of the following:

   PDMgr-PD
      Indicates the policy server.
   PDAcld-PD
      Indicates the authorization server.
   PDAuthADK-PD
      Indicates the ADK.
   PDRTE-PD
      Indicates the runtime environment.
   ldap_clientd
      Indicates the IBM SecureWay Directory client.
   gsk5bas
      Indicates GSKit.

Package removal completes silently. The Linux command prompt returns upon successful completion. A message is displayed indicating that the removal of the software package was successful.

Chapter 3. Configuring supported LDAP servers

The following chapter shows you how to configure Access Manager data for use with your particular LDAP server. Main sections are as follows:

- LDAP server configuration overview
- Configuring the IBM SecureWay Directory server on page 16
- Configuring z/OS or OS/390 LDAP servers on page 19

LDAP server configuration overview

Data is stored within the LDAP server in a hierarchical tree structure called the directory information tree (DIT). The top of the tree is called a suffix (also referred to as a naming context or root). An LDAP server can contain multiple suffixes to organize the data tree into logical branches or organizational units. The following sections show you how to create Access Manager suffixes for your particular LDAP server.

During the configuration process, Access Manager automatically attempts to add appropriate access control lists (ACLs) to every suffix that currently exists in the LDAP server. This is necessary to give Access Manager needed permission to manage users and groups defined within those suffixes. If you add suffixes after the initial configuration of Access Manager, you must add the appropriate ACLs manually. For more information, see the IBM Tivoli Access Manager Base Administrator's Guide.

Access Manager requires that you create a suffix named secauthority=default, which maintains Access Manager metadata. You must add this suffix only once when you first configure the LDAP server. This suffix enables Access Manager to easily locate and manage the data. It also secures access to the data, thus avoiding integrity or corruption problems.

Additionally, you are prompted for a Global Sign-On (GSO) distinguished name (DN) during configuration of the policy server. To store GSO metadata, you can either create a suffix or specify the distinguished name of an existing LDAP DIT location. You can store the GSO metadata anywhere you choose within the LDAP DIT, but the location must already exist.

If you decide to create a suffix, you might consider storing both GSO metadata and your user definitions in a single suffix. For instance, the following sections use o=tivoli,c=us as an example to store both GSO metadata and user definitions. Note that you also can create additional suffixes to maintain user and group definitions.

After you create suffixes, you also must create directory entries for each suffix. This is necessary to instantiate the suffix. Otherwise, Access Manager is unable to attach ACLs when it is being configured. ACLs give Access Manager needed permission to manage users and groups defined within those suffixes.

Note: For complete instructions about creating suffixes, see the product documentation shipped with your particular LDAP server. The following instructions serve as a general guide to creating suffixes. It is recommended that you create suffixes that mirror your organizational structure.

Configuring the IBM SecureWay Directory server

1. To configure the IBM SecureWay server, you must manually modify the slapd32.conf file to add required suffixes. In the following example, the dn: cn=directory section of the slapd32.conf file is modified to add the required Access Manager suffix and use the suffix o=ibm,c=us for GSO metadata and user definitions.

    dn: cn=directory,cn=rdbm Backends,cn=IBM SecureWay,cn=Schemas,cn=Configuration
    objectclass: top
    objectclass: ibm-slapdrdbmbackend
    cn: Directory
    # The following attributes must match the database being used
    ibm-slapddbinstance: ldapdb2
    ibm-slapddbname: ldapdb2
    ibm-slapddbuserid: ldapdb2
    # You MUST set the DB2 user password
    ibm-slapddbuserpw: pass4db2
    # The following suffix is used by /usr/ldap/examples/sample.ldif
    ibm-slapdsuffix: o=ibm,c=us
    ibm-slapdsuffix: secauthority=default
    ibm-slapdplugin: database /lib/libback-rdbm.so rdbm_backend_init
    ibm-slapddbconnections: 30
    ibm-slapdsuffix: cn=localhost
    ibm-slapdreadonly: FALSE

2. To create directory entries for suffixes added to the slapd32.conf file, enter dmt from a command prompt to start the directory management tool (DMT). The following window is displayed:

3. Click Add server in the bottom portion of the frame. A window similar to the following is displayed:
4. Do one of the following:
   - If you want to use Secure Sockets Layer (SSL) between the DMT and the LDAP server, follow these steps:
     a. Select Simple in the Authentication type field.
     b. In the Server name field, type your LDAP server name, for example, dliburd2.tivoli.com. You can use either the IP address or the domain name.
     c. In the User DN field, type the LDAP administrator ID used to connect to the server, for example: cn=root
     d. In the User password field, type the LDAP administrator password.
     e. Select the Use SSL check box.
     f. In the Port field, enter the SSL port number.
     g. Complete the Keyclass file name and the Keyclass file password fields. The certificate name is optional based on how you set up the LDAP server and the kdb file.
     h. Click OK.
   - If you do not want to use SSL between the DMT and the LDAP server, follow these steps:
     a. Select Simple in the Authentication type field.
     b. In the Server name field, type your LDAP server name, for example, dliburd2.tivoli.com. You can use either the IP address or the domain name.
     c. In the User DN field, type the LDAP administrator ID used to connect to the server, for example: cn=root
     d. In the User password field, type the LDAP administrator password.
     e. Click OK.
5. Select Browse Tree from the left frame. Warning messages are displayed indicating that the suffixes that you created do not contain data. Click OK to dismiss these messages. A window similar to the following is displayed:
6. Select the host name in the list on the right and click Add. For example, the host name is ldap://dliburd2.tivoli.com:389 in the previous example.
7. In the Add an LDAP Entry window, complete the fields and click OK. For example, if you are adding a directory entry for the GSO suffix, a window similar to the following is displayed:
8. Enter values for the attributes and then click Add. For example, the GSO suffix example appears as shown:
9. When you have completed adding directory entries for the suffixes you created, click Exit to close the IBM SecureWay Directory Management Tool window.

Configuring z/OS or OS/390 LDAP servers

This section describes the configuration steps necessary to prepare the LDAP server on z/OS or OS/390 for Access Manager. Particular emphasis is given to configuring Access Manager against a native security authorization facility (SAF) user registry. These guidelines assume a new LDAP server instance dedicated to the Access Manager user registry. For more information, consult the OS/390 SecureWay Security Server LDAP and z/OS SecureWay Security Server LDAP product documentation. For system requirements and applicable program temporary fixes (PTFs), see Supported user registry on page 4.

Note: If you are using an existing LDAP server, some of these guidelines might already be met. However, you must add the Access Manager schema to the z/OS LDAP directory.

This chapter includes the following sections. Sample configuration files are also provided.

- Create a DB2 database for the TDBM backend
- Create an LDAP configuration file for a TDBM backend
- Start the server
- Update and load schema files
- Enabling LDAP replication
- Configuring Access Manager for LDAP

Create a DB2 database for the TDBM backend

Create a DB2 database for the TDBM backend. To do this, follow instructions in the README file located in the following directory of your LDAP installation:

    /usr/lpp/ldap/examples/sample_server

Steps are as follows:

1. Bind the Call Level Interface (CLI). The CLI provides an abstraction layer to SQL commands. This step establishes the environment needed for the LDAP server to use the CLI. The sample server provides a job file to bind the CLI. An administrator must move the file to an MVS partition before it is possible to execute the job. See Sample CLI bind batch job on page 32 for a copy of this file.
2. Create a CLI initialization file. The initialization file provides the LDAP server a facility and the data source for the CLI. An example of this file is found with the sample server. It is referred to in the LDAP configuration file. See Sample CLI initialization file on page 34 for a copy of this file.
3. Create a new database. Use SQL Processor Using File Input (SPUFI) scripts to run with DB2 Interactive (DB2I) on OS/390 to perform SQL commands. To create a new database and associated tablespaces, run the SPUFI file located in Sample DB2 database and tablespace script for SPUFI on page 24. To create the indexes for the new database, run the SPUFI located in Sample DB2 index script for SPUFI on page 30. Note that to execute a SPUFI script, you must invoke DB2I and select SPUFI from the Primary Option Menu.

Create an LDAP configuration file for a TDBM backend

A sample configuration file can be found in Sample LDAP configuration on page 23. The following entries are required for a TDBM:

database TDBM GLDBTDBM
   Specifies the database type and library name. This entry marks the beginning of the TDBM section for the configuration file.
databasename dbname
   Specifies the name of the DB2 database used for the backend. It is specified in the CREATE DATABASE option of the SPUFI used to create the database and tablespaces. See Step 3 on page 19.
dsnaoini dataset
   Specifies the DB2 initialization file. See Step 2 on page 19 for details about creating this file. The value of this option is of the form USERID.FILENAME.
dbuserid userid
   Specifies the OS/390 user that owns the DB2 tables. The userid is the same as the administrator who ran the SPUFI scripts (per Step 2 on page 19).
servername string
   Specifies the name of the DB2 server location that manages the tables for the LDAP server. The string is the value specified in the DATA SOURCE stanza of the CLI initialization file.
attroverflowsize num-of-bytes
   Specifies the size at which the entries of attributes are loaded in separate DB2 tables. Choose a value such that large binary data is stored in the separate table space.
suffix dn_suffix
   Specifies the root of a subtree in the namespace managed by this server within this backend. Include both the organization suffix DN for your user registry and the secauthority=default, which specifies the DN for the Access Manager security registry.

The following additional entries are required to make use of native authentication. For detailed explanations about these entries, see the OS/390 LDAP Server Administration and Usage publication.

UseNativeAuth [SELECTED | ALL | OFF]
   The SELECTED option specifies that user entries with a value for the ibm-nativeid attribute are authenticated against SAF. Choosing SELECTED provides the most flexibility and minimizes additional administrative duties. The ALL option specifies that the SAF authentication is made against the user name found in an entry's UID attribute (if no ibm-nativeid attribute is specified).
NativeAuthSubTree dn_suffix
   Specifies the root of a subtree or trees in the namespace for which native authentication applies.
nativeauthupdateallowed YES
   Enables Access Manager users to update their SAF passwords through the pkmspasswd utility.
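A pre-start check for the TDBM section described above can catch a missing entry before the server is brought up. The following is an added example, not code from the IBM guide: the function names and the sample configuration are constructed for illustration, keywords are assumed to be matched without regard to case, and the test that each native authentication subtree sits under a configured suffix is a consistency check assumed here rather than a rule stated in the guide.

```python
import shlex

# Entries the section above lists as required for a TDBM backend.
REQUIRED_TDBM = ("databasename", "dsnaoini", "dbuserid", "servername",
                 "attroverflowsize", "suffix")
ACCESS_MANAGER_SUFFIX = "secauthority=default"

# Constructed sample configuration (not taken from a real server).
SAMPLE_CONF = """\
# constructed example
database tdbm GLDBTDBM
servername LOC1
dbuserid LDAPSRV
databasename LDAPR10
dsnaoini SUADMIN.DSNAOINI.DB2INI
suffix "o=ibm,c=us"
AttrOverflowSize 80
useNativeAuth SELECTED
nativeAuthSubtree "ou=people, o=example, c=us"
"""


def normalize_dn(dn):
    """Lower-case a DN and drop whitespace around the RDN separators.
    Escaped commas inside RDN values are not handled."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_tdbm_section(text):
    """Return {keyword: [values]} for the first 'database tdbm' section,
    or None when the file has no such section."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:      # unbalanced quote: fall back to a plain split
            tokens = line.split()
        key, values = tokens[0].lower(), tokens[1:]
        if key == "database":
            if section is not None:
                break           # the next backend section starts here
            if values and values[0].lower() == "tdbm":
                section = {}
            continue
        if section is not None:
            section.setdefault(key, []).append(" ".join(values))
    return section


def is_under(dn, suffix):
    """True when dn equals suffix or is located below it."""
    return dn == suffix or dn.endswith("," + suffix)


def audit_tdbm(text):
    """Return a list of findings; an empty list means every check passed."""
    section = parse_tdbm_section(text)
    if section is None:
        return ["no 'database tdbm' section found"]
    findings = ["missing required entry: " + key
                for key in REQUIRED_TDBM if key not in section]
    suffixes = [normalize_dn(s) for s in section.get("suffix", [])]
    if ACCESS_MANAGER_SUFFIX not in suffixes:
        findings.append("suffix secauthority=default is not defined")
    mode = section.get("usenativeauth", ["off"])[-1].lower()
    if mode in ("selected", "all"):
        subtrees = [normalize_dn(s)
                    for s in section.get("nativeauthsubtree", [])]
        if not subtrees:
            findings.append("native authentication is on but "
                            "nativeAuthSubtree is missing")
        for subtree in subtrees:
            if not any(is_under(subtree, suffix) for suffix in suffixes):
                findings.append("nativeAuthSubtree %s is outside every "
                                "configured suffix" % subtree)
    return findings


if __name__ == "__main__":
    for finding in audit_tdbm(SAMPLE_CONF):
        print(finding)
```
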

Start the server

Provide the location of the configuration file created in Configuring Access Manager for LDAP on page 22.

The LDAP server searches for and loads a number of dynamic load libraries (DLLs) during its startup processing. The DLLs are located in a PDS file system. When starting slapd from the z/OS shell, the correct PDS must be referenced in the STEPLIB environment variable as follows:

    export STEPLIB=GLD.SGLDLNK
    export PATH=$PATH:/usr/lpp/ldap/sbin
    GLDSLAPD -f slapd.conf

Update and load schema files

Copy the following schema files to your working directory:

- schema.user.ldif
- upgrade3.7_ibm_schema390.def

The schema files contain the objects and attributes used to organize data for the Access Manager services, as well as the SAF native authentication objectclass.

Note: The following required schema files are automatically added in the /usr/lpp/etc/ldap directory.

- schema.ibm.ldif
- PolicyDirector.ldif

Modify each schema file to match the organization DN suffix in the LDAP configuration file. There is a single line describing the DN of the schema to be updated. Edit each file and change the following:

    dn: cn=schema, suffix

to (for example):

    dn: cn=schema,o=ibm,c=us

Load the files using the ldapmodify command as follows:

    ldapmodify -h hostname -p port -D bind_dn -w bind_pwd -f schema_file

Attention: The fix for APAR OW46344 adds the Access Manager required schema for a TDBM database to the schema.ibm.ldif file in the /usr/lpp/etc/ldap directory. The fix also adds the file PolicyDirector.ldif to the /usr/lpp/etc/ldap directory. This file contains only the Access Manager required schema for a TDBM database and cannot be used on a pre-existing LDAP directory. To load the PolicyDirector.ldif file, modify the suffix value at the top of the file to a valid suffix, and run the ldapmodify command using the ldif file as input. The changes provided in the fix for APAR OW46344 are included in z/OS 1.3.

Enabling LDAP replication

This section describes how to enable LDAP replication. LDAP servers behave in the master-slave model for replication tasks. The master server forwards directory updates to the slave. The slave, or replica server, can share the load for read requests and act as a backup server.

By default, an LDAP server is configured to run as a master server. Providing the master with an object detailing the location of one or more replica servers enables replication.

Add a stanza to the replica LDAP server's configuration file

To add a stanza to the replica LDAP server's configuration file, see the stanza example in Sample LDAP configuration on page 23. Required entries for a replica LDAP server are as follows:

masterserver ldapurl
   Specifies the LDAP URL in the form ldap://servername:port. This option refers to the FQDN and port of the master server.
masterserverdn DN
   Specifies the DN that you provide as the replicabinddn in Add an object to the master LDAP server's backend.
masterserverpw string
   Specifies the password that you provide as the replicacredentials in Add an object to the master LDAP server's backend.

Add an object to the master LDAP server's backend

An example of an ldif file representing such an object is as follows:

    dn: cn=replicas
    objectclass: replicaobject
    cn: replicas
    replicahost: hostname
    replicaport: port
    replicabinddn: any_unique_dn_to_bind_with
    replicacredentials: password_to_bind_with
    description:"description Here"

This object can be loaded with an ldapmodify command as follows:

    ldapmodify -h hostname -p port -D bind_dn -w bind_pwd -f schema_file

Configuring Access Manager for LDAP

The procedure to configure Access Manager servers for LDAP on OS/390 is the same as the directory on any other platform. To use native authentication, you must turn off auth-using-compare. To do so, edit the [ldap] stanza of the ivmgrd.conf file and change the line as follows:

    auth-using-compare = no

By default, authentications to LDAP are made with a compare operation, rather than a bind.

Access Manager supports LDAP failover and load-balancing for read operations. Access Manager read operations include authentication requests and queries for GSO data. If you configured a replica server (see Enabling LDAP replication on page 21), you may provide the replica hostname to Access Manager in the ldap.conf file.

Native authentication user administration

The majority of administrative tasks remain unchanged with the addition of native authentication. Operations such as user create, user show, adding a user to an ACL entry or group, and all user modify commands (except password) work the same as Access Manager configured against a standard LDAP registry. Users can change their own SAF passwords with the pkmspasswd utility.

Native authentication provides the added feature of many-to-one mapping of Access Manager users to SAF user IDs. Multiple users may have the same ibm-nativeid, and all bind with the same password. For this reason, it may be prudent to prevent many-to-one mapped users from changing the SAF password (lest users inadvertently lock their peers out of their accounts).

    pdadmin> group modify SAFusers add user1
    pdadmin> acl create deny_pkms
    pdadmin> acl modify deny_pkms set group user1 T
    pdadmin> acl attach /Webseal/<server name>/pkmspasswd deny_pkms

OS/390 LDAP native authentication bind does not provide the authority to perform a password reset. For example, with native authentication enabled, the following Access Manager administration command does not work:

    pdadmin> user modify user1 password ChangeMe1

Furthermore, there is no out-of-the-box administration command to set the ibm-nativeid entry for a user. To that end, the following instructions assist the management of Access Manager users with an associated nativeid.

The user create command does not change:

    pdadmin> user create user1 cn=user1,o=ibm,c=us user1 user1 ChangeMe1
    pdadmin> user modify user1 account-valid yes

The password (ChangeMe1, in this example) is set to the user's userpassword entry in LDAP, which has no effect with native authentication enabled. In production, it might be a good idea to make this password something long and difficult to guess, in case native authentication is ever inadvertently disabled.
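To find which users are many-to-one mapped, and are therefore candidates for the group that is denied access to pkmspasswd, the user entries can be grouped by their ibm-nativeid value. The following is an added example, not part of the IBM guide: it assumes an LDIF export of the user subtree in the standard "attribute: value" form, compares SAF user IDs without regard to case (an assumption), and uses constructed sample entries and hypothetical function names.

```python
import base64
from collections import defaultdict

NATIVE_ID_ATTR = "ibm-nativeid"   # attribute name as printed in this guide

# Constructed LDIF export; the third entry has a folded DN and a
# base64-encoded value ("SAFUSR1") to exercise both LDIF features.
SAMPLE_LDIF = """\
dn: cn=user1,o=ibm,c=us
objectclass: inetorgperson
objectclass: ibm-nativeauthentication
ibm-nativeid: SAFUSR1

dn: cn=user2,o=ibm,c=us
objectclass: inetorgperson
objectclass: ibm-nativeauthentication
ibm-nativeid: safusr1

dn: cn=a user with a long common name,ou=contractors,
 o=ibm,c=us
objectclass: inetorgperson
objectclass: ibm-nativeauthentication
ibm-nativeid:: U0FGVVNSMQ==

dn: cn=user4,o=ibm,c=us
objectclass: inetorgperson
objectclass: ibm-nativeauthentication
ibm-nativeid: SAFUSR2

dn: cn=user5,o=ibm,c=us
objectclass: inetorgperson
"""


def unfold(text):
    """Join LDIF continuation lines (a line that starts with one space)."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def parse_entries(text):
    """Yield (dn, {attribute: [values]}) for each entry in an LDIF export."""
    dn, attrs = None, defaultdict(list)
    for line in unfold(text) + [""]:        # "" flushes the last entry
        if not line.strip():
            if dn is not None:
                yield dn, dict(attrs)
            dn, attrs = None, defaultdict(list)
            continue
        if line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):            # "attr:: value" is base64
            raw = base64.b64decode(rest[1:].strip())
            value = raw.decode("utf-8", "replace")
        else:
            value = rest.strip()
        name = name.strip().lower()
        if name == "dn":
            dn = value
        else:
            attrs[name].append(value)


def shared_native_ids(text):
    """Map each SAF user ID used by more than one entry to those DNs."""
    by_id = defaultdict(list)
    for dn, attrs in parse_entries(text):
        for saf_id in attrs.get(NATIVE_ID_ATTR, []):
            by_id[saf_id.upper()].append(dn)
    return {saf_id: sorted(dns)
            for saf_id, dns in by_id.items() if len(dns) > 1}


if __name__ == "__main__":
    for saf_id, dns in shared_native_ids(SAMPLE_LDIF).items():
        print(saf_id, "is shared by:")
        for dn in dns:
            print("   ", dn)
```
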
To set the ibm-nativeid entry for a user, create an ldif file similar to the following:

cn=user1,o=ibm,c=us
objectclass=inetorgperson
objectclass=ibm-nativeauthentication
ibm-nativeid=saf_username

You can load the ldif file using the ldapmodify command as follows:

ldapmodify -h hostname -p port -D bind_dn -w bind_pwd -f schema_file

The SAF command to reset a user's password is as follows:

subsystem_prefix ALTUSER userid PASSWORD password

Sample LDAP configuration

########################################################################
## The values provided in this configuration file may reflect the
## generic values given in the example DB2 setup files. Make sure you
## use values appropriate for a production installation.
########################################################################
########################################################################
## Global definitions
########################################################################
port 3389
admindn "cn=root"
adminpw password1
########################################################################
## tdbm database definitions
########################################################################
database tdbm GLDBTDBM
servername LOC1
dbuserid LDAPSRV
databasename LDAPR10
dsnaoini SUADMIN.DSNAOINI.DB2INI
suffix "o=ibm,c=us"
suffix "secauthority=default"
AttrOverflowSize 80
########################################################################
## Native (SAF) Authentication for TDBM
########################################################################
usenativeauth SELECTED
nativeauthsubtree "o=ibm,c=us"
nativeupdateallowed YES
########################################################################
## SSL definitions
########################################################################
secureport 6636
security SSL
sslkeyringfile "/usr/lpp/ldap/etc/ldapserver.kdb"
sslkeyringfilepw password1
sslcipherspecs
########################################################################
## Replica definitions
########################################################################
masterserver "ldap://jeff.endicott.ibm.com:3389"
masterserverdn cn=master
masterserverpw password1

Sample DB2 database and tablespace script for SPUFI

*********************************************************************/
* This file contains sample code. IBM PROVIDES THIS CODE ON AN */
* AS IS BASIS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS */
* OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES */
* OF MERCHANT ABILITY OR FITNESS FOR A PARTICULAR PURPOSE. */
*********************************************************************/

Use the following statements to create your LDAP Server DB2 database and tablespaces in SPUFI. The database and tablespace names you create will be used to update the database section of the LDAP Server configuration file. You also need to make DB2 decisions, in terms of buffer pool size selection for tablespaces and column size selection, all of which will be directly related to the data that will be stored in the database. See the instructions below for more information.
*************************
Database Name Information
*************************
Change LDAPR10 to the name of the LDAP database name you want to create. Be sure this name is updated to match what is defined for databasename in the server configuration file.

**************************
DataBase Owner Information
**************************
Change the LDAPSRV to the MVS database owner id. This ID will be the high-level qualifier for the tables.

**********************
Tablespace Information
**********************
*********************************************************************
NOTE: Refer to the DB2 manuals for a complete listing of valid buffer pool names.
*********************************************************************

Change the ENTRYTS to the LDAP entry tablespace name you want to create. Change the BP0 to the buffer pool name for the LDAP entry tablespace. The size of the buffer pool can be determined with the formula:

result = 62 bytes + <dn column trunc size (from below)>
         + <maximum full size of a DN (from below)>
         + <size of entry data (which includes creator's DN and modifier's DN)>

There is also a concept of a "spill over" table, where if the entry data does not fit into the row size, it will be broken up in order to fit into a row. Entry data may be spread across multiple rows if needed. So in the above formula, the <size of entry data> does not need to be the maximum size of the data; the median size of the data may be a better choice. See the long entry tablespace description below. The default suggested size is 4K.

Change the LENTRYTS to the LDAP long entry tablespace name you want to create. Change the BP0 to the buffer pool name for the LDAP long entry tablespace. The long entry table space will hold "spill over" rows for entry data that does not fit into the entry table tablespace. To minimize the number of spill over rows, choose a large buffer pool size. The default suggested size is 4K.

Change the LATTRTS to the LDAP long attribute tablespace name you want to create. Change the BP0 to the buffer pool name for the LDAP long attribute tablespace. The long attribute table space will hold "spill over" rows for attribute data that does not fit into the entry table tablespace. To minimize the number of spill over rows, choose a large buffer pool size. The default suggested size is 4K.

Change the MISCTS to the LDAP miscellaneous tablespace name you want to create.

Change the DESCTS to the LDAP descendants tablespace name you want to create.

Change the SEARCHTS to the LDAP search tablespace name you want to create. Change the BP0 to the buffer pool name for the LDAP search tablespace. The size of the buffer pool can be determined with the simple formula:

result = 16 bytes + <search column trunc size (from below)>
         + <maximum size of attribute value you would like to search for>

The result value is the maximum number of bytes a row in the search table containing an attribute value will occupy. Choose a buffer pool size which will accommodate this size. The default suggested size is 4K.

Change the REPTS to the LDAP replica tablespace name you want to create.

*********************************
Column Size Selection Information
*********************************

All searchable attributes of a given entry will be stored in two forms. The first will be a truncated version, which will be used as part of a DB2 index. The second version will be the entire attribute value, potentially truncated by the buffer pool size you choose. The reason two versions are stored is so that LDAP/DB2 can use indexes to increase search performance. The reason we do not index the entire searchable attribute value is the cost (in terms of DASD) associated with having indexes on a large column where there is a large amount of data.

The choice of the search column trunc size should take into account system limits you may have (as described above), and should account for the typical size of the attribute values that are stored in LDAP. For example, if most of your data is only 20 bytes long, choosing 20 for this trunc size would be wise.

Change 32 to the search column trunc size you determine best fits your attribute data. The default suggested size is 32.

Another search performance enhancement is related to the DN attribute. The DN attribute value is stored separately from the entry data to allow a fast path lookup. It is also stored in two versions. The reasons are similar to those mentioned above for the attribute column. Since the DN data is stored in its own column, you need to define the maximum DN attribute value size here. You also need to choose a dn column trunc size that best fits your data.

Change 32 to the dn trunc size you determine best fits your dn data. The default suggested size is 32.

Change 512 to the maximum size of a DN. This value includes the null terminator, so the actual maximum length of a DN will be one less than this value. The default suggested size is 512.

*************************
Storage Group Information
*************************
Change the SYSDEFLT to the storage group you want to contain the LDAP DB2 tablespaces. Use SYSDEFLT to choose the default storage group.

NOTE: The values provided below for PRIQTY and SECQTY probably need to be modified depending on the projected size of the Directory information to be stored.

***************************************************************************
Use the following statements if you need to delete your LDAP Server DB2 database and tablespaces in SPUFI. You need to remove the '--' from each line before you can run these statements.

Change the ENTRYTS to the LDAP entry tablespace name you want to delete.
Change the LENTRYTS to the LDAP long entry tablespace name you want to delete.
Change the LATTRTS to the LDAP long attr tablespace name you want to delete.
Change the MISCTS to the LDAP miscellaneous tablespace name you want to delete.
Change the SEARCHTS to the LDAP search tablespace name you want to delete.
Change the REPTS to the LDAP replica tablespace name you want to delete.
Change the DESCTS to the LDAP descendants tablespace name you want to delete.
Change the LDAPR10 to the LDAP database name you want to delete.
***************************************************************************

-- DROP TABLESPACE LDAPR10.ENTRYTS;
-- DROP TABLESPACE LDAPR10.LENTRYTS;
-- DROP TABLESPACE LDAPR10.LATTRTS;
-- DROP TABLESPACE LDAPR10.MISCTS;
-- DROP TABLESPACE LDAPR10.SEARCHTS;
-- DROP TABLESPACE LDAPR10.REPTS;
-- DROP TABLESPACE LDAPR10.DESCTS;
-- DROP DATABASE LDAPR10;
-- COMMIT;

-- ************************
-- Create the LDAP database
-- ************************
CREATE DATABASE LDAPR10 STOGROUP SYSDEFLT;

-- ********************************
-- Create the LDAP entry tablespace
-- ********************************
CREATE TABLESPACE ENTRYTS IN LDAPR10
  USING STOGROUP SYSDEFLT
  BUFFERPOOL BP0;

-- *************************************
-- Create the LDAP long entry tablespace
-- *************************************
CREATE TABLESPACE LENTRYTS IN LDAPR10
  USING STOGROUP SYSDEFLT
  BUFFERPOOL BP0;

-- ************************************
-- Create the LDAP long attr tablespace
-- ************************************
CREATE TABLESPACE LATTRTS IN LDAPR10
  USING STOGROUP SYSDEFLT
  BUFFERPOOL BP0;

-- *****************************
-- Create the LDAP 4K tablespace
-- *****************************
CREATE TABLESPACE MISCTS IN LDAPR10
  SEGSIZE 4
  USING STOGROUP SYSDEFLT
  BUFFERPOOL BP0;

-- *********************************
-- Create the LDAP search tablespace
-- *********************************
CREATE TABLESPACE SEARCHTS IN LDAPR10
  USING STOGROUP SYSDEFLT
  BUFFERPOOL BP0;

-- *********************************
-- Create the LDAP replica tablespace
-- *********************************
CREATE TABLESPACE REPTS IN LDAPR10
  USING STOGROUP SYSDEFLT
  BUFFERPOOL BP0;

-- *****************************
-- Create the LDAP descendants tablespace
-- *****************************
CREATE TABLESPACE DESCTS IN LDAPR10
  USING STOGROUP SYSDEFLT
  BUFFERPOOL BP0;

-- *********************
-- Create the DB2 tables
-- *********************

-- **************************
-- Create the DIR_ENTRY table
-- **************************
CREATE TABLE LDAPSRV.DIR_ENTRY (
  EID DECIMAL(15, 0) NOT NULL,
  PEID DECIMAL(15, 0),
  ENTRY_SIZE INTEGER,
  LEVEL INTEGER,
  ACLSRC DECIMAL(15, 0),
  ACLPROP CHAR(1),
  OWNSRC DECIMAL(15, 0),
  OWNPROP CHAR(1),
  CREATE_TIMESTAMP TIMESTAMP,
  MODIFY_TIMESTAMP TIMESTAMP,
  DN_TRUNC CHAR(32) FOR BIT DATA,
  DN VARCHAR(512) FOR BIT DATA,
  ENTRYDATA LONG VARCHAR FOR BIT DATA,
  PRIMARY KEY( EID )
) IN LDAPR10.ENTRYTS;

-- ******************************
-- Create the DIR_LONGENTRY table
-- ******************************
CREATE TABLE LDAPSRV.DIR_LONGENTRY (
  EID DECIMAL(15, 0) NOT NULL,
  SEQ INTEGER NOT NULL,
  ENTRYDATA LONG VARCHAR FOR BIT DATA,
  PRIMARY KEY( EID, SEQ )
) IN LDAPR10.LENTRYTS;

-- *****************************
-- Create the DIR_LONGATTR table
-- *****************************
CREATE TABLE LDAPSRV.DIR_LONGATTR (
  EID DECIMAL(15, 0) NOT NULL,
  ATTR_ID INTEGER NOT NULL,
  VALUENUM INTEGER NOT NULL,
  SEQ INTEGER NOT NULL,
  ATTRDATA LONG VARCHAR FOR BIT DATA,
  PRIMARY KEY( EID, ATTR_ID, VALUENUM, SEQ )
) IN LDAPR10.LATTRTS;

-- *****************************
-- Create the DIR_MISC table
-- *****************************
CREATE TABLE LDAPSRV.DIR_MISC (
  NEXT_EID DECIMAL(15, 0),
  NEXT_ATTR_ID INTEGER,
  DB_VERSION CHAR(10),
  DB_CREATE_VERSION CHAR(10)
) IN LDAPR10.MISCTS;

-- **************************
-- Create the DIR_CACHE table
-- **************************
CREATE TABLE LDAPSRV.DIR_CACHE (
  CACHE_NAME CHAR(25) NOT NULL,
  MODIFY_TIMESTAMP TIMESTAMP NOT NULL,
  PRIMARY KEY( CACHE_NAME, MODIFY_TIMESTAMP )
) IN LDAPR10.MISCTS;

-- ***************************
-- Create the DIR_ATTRID table
-- ***************************
CREATE TABLE LDAPSRV.DIR_ATTRID (
  ATTR_ID INTEGER,
  ATTR_NOID VARCHAR(200) NOT NULL,
  PRIMARY KEY( ATTR_NOID )
) IN LDAPR10.MISCTS;

-- *************************
-- Create the DIR_DESC table
-- *************************
CREATE TABLE LDAPSRV.DIR_DESC (
  DEID DECIMAL(15, 0) NOT NULL,
  AEID DECIMAL(15, 0) NOT NULL,
  PRIMARY KEY( DEID, AEID )
) IN LDAPR10.DESCTS;

-- ***************************
-- Create the DIR_SEARCH table
-- ***************************
CREATE TABLE LDAPSRV.DIR_SEARCH (
  EID DECIMAL(15, 0) NOT NULL,
  ATTR_ID INTEGER NOT NULL,
  VALUE CHAR(32) FOR BIT DATA,
  LVALUE LONG VARCHAR FOR BIT DATA
) IN LDAPR10.SEARCHTS;

-- *****************************
-- Create the DIR_REGISTER table
-- *****************************
CREATE TABLE LDAPSRV.DIR_REGISTER (
  ID INTEGER NOT NULL,
  SRV VARCHAR(125) NOT NULL,
  PRIMARY KEY( ID, SRV )
) IN LDAPR10.MISCTS;

-- *****************************
-- Create the DIR_PROGRESS table
-- *****************************
CREATE TABLE LDAPSRV.DIR_PROGRESS (
  ID INTEGER NOT NULL,
  PRG VARCHAR(125) NOT NULL,
  SRV VARCHAR(125) NOT NULL,
  PRIMARY KEY( ID, PRG, SRV )
) IN LDAPR10.MISCTS;

-- ***************************
-- Create the DIR_CHANGE table
-- ***************************
CREATE TABLE LDAPSRV.DIR_CHANGE (
  ID INTEGER NOT NULL,
  TYPE INTEGER NOT NULL,
  LONGENTRY_SIZE INTEGER,
  DIN VARCHAR(512) NOT NULL,
  LDIF LONG VARCHAR NOT NULL,
  PRIMARY KEY( ID )
) IN LDAPR10.REPTS;

-- *******************************
-- Create the DIR_LONGCHANGE table
-- *******************************
CREATE TABLE LDAPSRV.DIR_LONGCHANGE (
  ID INTEGER NOT NULL,
  SEQ INTEGER NOT NULL,
  LDIF LONG VARCHAR,
  PRIMARY KEY( ID, SEQ )
) IN LDAPR10.REPTS;

***********************************
Commit all the above SQL statements
***********************************
COMMIT;

Sample DB2 index script for SPUFI

*********************************************************************/
* This file contains sample code. IBM PROVIDES THIS CODE ON AN */
* AS IS BASIS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS */
* OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES */
* OF MERCHANT ABILITY OR FITNESS FOR A PARTICULAR PURPOSE. */
*********************************************************************/

Use the following statements to create your LDAP Server DB2 indexes in SPUFI. See the instructions below for more information.

**************************
DataBase Owner Information
**************************
Change the LDAPSRV to the MVS database owner id. This ID will be the high-level qualifier for the tables. This value should correspond with the value chosen in the LDAP Server DB2 database and tablespace SPUFI script.

*************************
Storage Group Information
*************************
Change the SYSDEFLT to the storage group you want to contain the LDAP DB2 indexes. Use SYSDEFLT to choose the default storage group.

NOTE: The values provided below for PRIQTY and SECQTY probably need to be modified depending on the projected size of the Directory information to be stored.

*************************
Miscellaneous Information
*************************
All indexes have been defined DEFER YES, which means they need to be recovered at some point. It is suggested to do the recovery after the database has been populated for databases with large amounts of data. Use of this option is strictly optional though. To NOT use the DEFER YES option, simply remove DEFER YES globally.
****************************
Create the DIR_ENTRY indexes
****************************
CREATE UNIQUE INDEX LDAPSRV.DIR_ENTRYX0
  ON LDAPSRV.DIR_ENTRY( EID )
  USING STOGROUP SYSDEFLT
  DEFER YES;
CREATE INDEX LDAPSRV.DIR_ENTRYX1
  ON LDAPSRV.DIR_ENTRY( PEID, EID )
  USING STOGROUP SYSDEFLT
  DEFER YES;
CREATE INDEX LDAPSRV.DIR_ENTRYX2
  ON LDAPSRV.DIR_ENTRY( EID, DN_TRUNC )
  USING STOGROUP SYSDEFLT
  DEFER YES;
CREATE INDEX LDAPSRV.DIR_ENTRYX3
  ON LDAPSRV.DIR_ENTRY( DN_TRUNC, EID )
  USING STOGROUP SYSDEFLT
  DEFER YES;

********************************
Create the DIR_LONGENTRY indexes
********************************
CREATE UNIQUE INDEX LDAPSRV.DIR_LONGENTRYX1
  ON LDAPSRV.DIR_LONGENTRY( EID, SEQ )
  USING STOGROUP SYSDEFLT
  DEFER YES;

*******************************
Create the DIR_LONGATTR indexes
*******************************
CREATE UNIQUE INDEX LDAPSRV.DIR_LONGATTRX1
  ON LDAPSRV.DIR_LONGATTR( EID, ATTR_ID, VALUENUM, SEQ )
  USING STOGROUP SYSDEFLT
  DEFER YES;

****************************
Create the DIR_CACHE indexes
****************************
CREATE UNIQUE INDEX LDAPSRV.DIR_CACHEX1
  ON LDAPSRV.DIR_CACHE( CACHE_NAME, MODIFY_TIMESTAMP )
  USING STOGROUP SYSDEFLT
  DEFER YES;

*****************************
Create the DIR_ATTRID indexes
*****************************
CREATE UNIQUE INDEX LDAPSRV.DIR_ATTRIDX1
  ON LDAPSRV.DIR_ATTRID( ATTR_NOID )
  USING STOGROUP SYSDEFLT
  DEFER YES;

***************************
Create the DIR_DESC indexes
***************************
CREATE UNIQUE INDEX LDAPSRV.DIR_DESCX1
  ON LDAPSRV.DIR_DESC( DEID, AEID )
  USING STOGROUP SYSDEFLT
  DEFER YES;

*****************************
Create the DIR_SEARCH indexes
*****************************
CREATE INDEX LDAPSRV.DIR_SEARCHX1
  ON LDAPSRV.DIR_SEARCH( ATTR_ID, VALUE, EID )
  USING STOGROUP SYSDEFLT
  DEFER YES;
CREATE INDEX LDAPSRV.DIR_SEARCHX2
  ON LDAPSRV.DIR_SEARCH( EID, ATTR_ID )
  USING STOGROUP SYSDEFLT
  CLUSTER
  DEFER YES;

*******************************
Create the DIR_REGISTER indexes
*******************************
CREATE UNIQUE INDEX LDAPSRV.DIR_REGISTERX1
  ON LDAPSRV.DIR_REGISTER( ID, SRV )
  USING STOGROUP SYSDEFLT
  DEFER YES;

*******************************
Create the DIR_PROGRESS indexes
*******************************
CREATE UNIQUE INDEX LDAPSRV.DIR_PROGRESSX1
  ON LDAPSRV.DIR_PROGRESS( ID, PRG, SRV )
  USING STOGROUP SYSDEFLT
  DEFER YES;

*****************************
Create the DIR_CHANGE indexes

*****************************
CREATE UNIQUE INDEX LDAPSRV.DIR_CHANGEX1
  ON LDAPSRV.DIR_CHANGE( ID )
  USING STOGROUP SYSDEFLT
  DEFER YES;

*********************************
Create the DIR_LONGCHANGE indexes
*********************************
CREATE UNIQUE INDEX LDAPSRV.DIR_LONGCHANGEX1
  ON LDAPSRV.DIR_LONGCHANGE( ID, SEQ )
  USING STOGROUP SYSDEFLT
  DEFER YES;

***********************************
Commit all the above SQL statements
***********************************
COMMIT;

Sample CLI bind batch job

//DSNTIJCL JOB (DB2),
// PGMRNAME,
// CLASS=A,MSGCLASS=H,MSGLEVEL=(1,1),
// REGION=4M
//*
//*********************************************************************/
//* This file contains sample code. IBM PROVIDES THIS CODE ON AN */
//* AS IS BASIS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS */
//* OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES */
//* OF MERCHANT ABILITY OR FITNESS FOR A PARTICULAR PURPOSE. */
//*********************************************************************/
//*********************************************************************/
//* JOB NAME = DSNTIJCL */
//* DESCRIPTIVE NAME = INSTALLATION JOB STREAM */
//* LICENSED MATERIALS - PROPERTY OF IBM */
//* 5655-DB2 */
//* (C) COPYRIGHT 1982, 1997 IBM CORP. ALL RIGHTS RESERVED. */
//* STATUS = VERSION 5 */
//* FUNCTION = SAMPLE CLI BIND */
//* PSEUDOCODE = BINDCLI STEP BIND CLI DEFAULT PACKAGES AND PLAN */
//* DEPENDENCIES = CLI MUST BE INSTALLED */
//* MEMBER DSNCLIQR CAN ONLY BE BOUND SUCCESSFULLY TO DRDA SERVERS */
//* THAT SUPPORT QUERY RESULT SET SQL (I.E. DESCRIBE PROCEDURE). */
//* CURRENTLY THAT IS DB2 FOR OS/390 V5. */
//* */
//* NOTES = */
//* BEFORE RUNNING THIS JOB: */
//* - CHANGE ALL OCCURRENCES OF DSN5 TO THE PREFIX OF YOUR DB2 V5.1 */
//* SDSNLOAD AND SDSNDBRM DATA SETS */
//* - CHANGE THE SYSTEM(DSN5) STATEMENT TO MATCH YOUR DB2 V5.1 SSID */
//* */
//* CLI CAN BE BOUND TO REMOTE SERVERS BY INCLUDING THE LOCATION NAME.*/
//* */
//* FOR REMOTE SERVERS OTHER THAN DB2 FOR OS/390, ALSO ADD THE */
//* APPROPRIATE BIND PACKAGE MEMBER STATEMENTS, LISTED BELOW, */
//* BASED ON THE SERVER TYPE: */
//* BIND PACKAGE (<COMMON SERVER V1 LOCATION NAME>.DSNAOCLI) - */
//* MEMBER(DSNCLIV1) */
//* BIND PACKAGE (<COMMON SERVER V2 LOCATION NAME>.DSNAOCLI) - */
//* MEMBER(DSNCLIV2) */
//* BIND PACKAGE (<AS400 LOCATION NAME>.DSNAOCLI) - */
//* MEMBER(DSNCLIAS) */
//* BIND PACKAGE (<SQLDS LOCATION NAME>.DSNAOCLI) - */
//* MEMBER(DSNCLIVM) */
//* ALSO INCLUDE ANY ADDED PACKAGE NAMES TO THE PKLIST KEYWORD OF */
//* BIND PLAN STATEMENT FOLLOWING THE BIND PACKAGE STATEMENTS. */
//* */
//*********************************************************************/
//JOBLIB DD DISP=SHR,
// DSN=DSN510.SDSNLOAD
//BINDCLI EXEC PGM=IKJEFT01,DYNAMNBR=20
//DBRMLIB DD DISP=SHR,
// DSN=DSN510.SDSNDBRM
//SYSTSPRT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//SYSTSIN DD *
DSN SYSTEM(DSN5)
BIND PACKAGE (DSNAOCLI) MEMBER(DSNCLICS) ISOLATION(CS)
BIND PACKAGE (DSNAOCLI) MEMBER(DSNCLINC) ISOLATION(NC)
BIND PACKAGE (DSNAOCLI) MEMBER(DSNCLIRR) ISOLATION(RR)
BIND PACKAGE (DSNAOCLI) MEMBER(DSNCLIRS) ISOLATION(RS)
BIND PACKAGE (DSNAOCLI) MEMBER(DSNCLIUR) ISOLATION(UR)
BIND PACKAGE (DSNAOCLI) MEMBER(DSNCLIC1)
BIND PACKAGE (DSNAOCLI) MEMBER(DSNCLIC2)
BIND PACKAGE (DSNAOCLI) MEMBER(DSNCLIF4)
BIND PACKAGE (DSNAOCLI) MEMBER(DSNCLIMS)
BIND PACKAGE (DSNAOCLI) MEMBER(DSNCLIQR)
BIND PLAN(DSNACLI) -
PKLIST(DSNAOCLI.DSNCLICS -
DSNAOCLI.DSNCLINC -
DSNAOCLI.DSNCLIRR -
DSNAOCLI.DSNCLIRS -
DSNAOCLI.DSNCLIUR -
DSNAOCLI.DSNCLIC1 -
DSNAOCLI.DSNCLIC2 -
DSNAOCLI.DSNCLIF4 -
DSNAOCLI.DSNCLIMS -
DSNAOCLI.DSNCLIQR )
END
/*

ECLI Initialization File

; This is a comment line...
;/*********************************************************************/
;/* This file contains sample code. IBM PROVIDES THIS CODE ON AN */
;/* AS IS BASIS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS */
;/* OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES */
;/* OF MERCHANT ABILITY OR FITNESS FOR A PARTICULAR PURPOSE. */
;/*********************************************************************/
; Example COMMON stanza
;
; The MVSDEFAULTSSID option indicates what DB2
; subsystem should be used for interacting with
; DB2 tables. This value is installation dependent.
; It is assumed to be DSN5 for this example.
[COMMON]
MVSDEFAULTSSID=DSN5
; Example SUBSYSTEM stanza for DSN5 subsystem
;
; NOTE: the PLANNAME option below must match the
; plan name that was specified when running the
; DSNTIJCL batch job to create the plan. It is
; assumed to be DSNACLI for this example.
[DSN5]
;MVSATTACHTYPE=CAF
MVSATTACHTYPE=RRSAF
PLANNAME=DSNACLI
; Example DATA SOURCE stanza
;
; The DATA SOURCE name is installation dependent.
; It is assumed to be LOC1 for this example.
[LOC1]
AUTOCOMMIT=0
CONNECTTYPE=1

Sample CLI initialization file

; This is a comment line...
;/*********************************************************************/
;/* This file contains sample code. IBM PROVIDES THIS CODE ON AN */
;/* AS IS BASIS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS */
;/* OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES */
;/* OF MERCHANT ABILITY OR FITNESS FOR A PARTICULAR PURPOSE. */
;/*********************************************************************/
; Example COMMON stanza
;
; The MVSDEFAULTSSID option indicates what DB2
; subsystem should be used for interacting with
; DB2 tables. This value is installation dependent.
; It is assumed to be DSN5 for this example.
[COMMON]
MVSDEFAULTSSID=DSN5
; Example SUBSYSTEM stanza for DSN5 subsystem
;
; NOTE: the PLANNAME option below must match the
; plan name that was specified when running the
; DSNTIJCL batch job to create the plan. It is
; assumed to be DSNACLI for this example.
[DSN5]
;MVSATTACHTYPE=CAF
MVSATTACHTYPE=RRSAF
PLANNAME=DSNACLI
; Example DATA SOURCE stanza
;
; The DATA SOURCE name is installation dependent.
; It is assumed to be LOC1 for this example.
[LOC1]
AUTOCOMMIT=0
CONNECTTYPE=1

Chapter 4. Enabling SSL for LDAP servers

It is recommended that you enable Secure Sockets Layer (SSL) communication between your LDAP server and IBM SecureWay Directory clients that support Access Manager software. To enable SSL communication, you must first configure SSL on the LDAP server, and then configure SSL on the IBM SecureWay Directory client. During SSL configuration, you are prompted to choose one of the following authentication types:

Server authentication
    The server sends its certificate to the client and the client authenticates the server.

Server and client authentication
    After the server has sent its certificate to the client and has been authenticated by the client, the server requests the client's certificate. In this case, a certificate needs to be established for the client system as well as the server.

If you choose to implement server authentication only, you must configure your LDAP server and IBM SecureWay Directory clients for SSL access. However, if you choose to implement server and client authentication, you must configure SSL on the server, configure SSL on the client, and then follow instructions in Configuring LDAP server and client authentication on page 44.

This chapter contains the following main sections:
- Configuring the IBM SecureWay Directory server for SSL access
- Configuring OS/390 or z/OS SecureWay LDAP servers for SSL access on page 38
- Configuring the IBM SecureWay Directory client for SSL access on page 41
- Configuring LDAP server and client authentication on page 44

Configuring the IBM SecureWay Directory server for SSL access

You can enable the use of SSL to protect communication between the Tivoli SecureWay Access Manager servers and the LDAP server. This step needs to be done only the first time SSL communication is set up between the LDAP server and the IBM SecureWay Directory client.

If you previously enabled SSL access to the LDAP server during the LDAP server configuration, you must copy a client and server key ring pair to each additional Tivoli SecureWay Access Manager system that uses SSL access.

If SSL access is required by your LDAP server, use GSKit to perform SSL key management. GSKit provides a graphical key management utility named gsk5ikm.

Note: For complete instructions on how to use the gsk5ikm utility to enable SSL, see the IBM SecureWay Installation and Configuration Guide.

To enable SSL access on the IBM SecureWay Directory server, complete the instructions in the following sections:

- Creating the key database file and the certificate on page 36
- Obtaining a personal certificate from a certificate authority on page 37 or Creating and extracting a self-signed certificate on page 37
- Enabling SSL access on page 38

Creating the key database file and the certificate

To enable SSL support on the LDAP server, the server must have a certificate that identifies it and that it can use as a personal certificate. This personal certificate is the certificate that the server sends to the client to allow the client to authenticate the server. The certificates and the public and private key pair are stored in a key database file. A user typically acquires a signed certificate from a certificate authority, such as VeriSign. Alternatively, a user can use a self-signed certificate. If the user is using a self-signed certificate, the system on which the certificate is generated becomes the certificate authority.

Use the gsk5ikm utility to create the key database file and the certificate. To create the key database file and certificate (self-signed or signed), follow these steps:

1. Ensure that GSKit, Version , and gsk5ikm are installed on both the LDAP server and any IBM SecureWay Directory clients that will be using SSL.

2. On a SuSE SLES kernel system, ensure that the correct C++ library is used by the GSKit command line programs by entering the following:

   export LD_PRELOAD=/usr/lib/libstdc++-libc6.1-2.so.3

   Note: This environment variable is not required if you are running gsk5ikm on a 2.2 kernel system.

3. Start the gsk5ikm utility, which is located in the following directory:

   /usr/local/ibm/gsk5/bin/gsk5ikm

   Note: In order to run gsk5ikm, an X-windows session is required and IBM Java, Version 1.3.1, must be accessible through the PATH environment variable as follows:

   export PATH=/usr/java/IBMJava2-s /jre/bin:/usr/ \
   java/ibmjava2-s /bin:$PATH

   IBM Java, Version 1.3.1, can be downloaded at the following Web address:

4. To create a new key database file, select Key Database File → New.

5. Verify that the CMS key database file is the selected key database type.

6. Type the information in the File Name and Location fields where you want the key database file to be located. A key database file's extension is .kdb.

7. Click OK.

8. Enter the key database file password, and confirm it. Remember this password because it is required when the key database file is edited.

9. Accept the default expiration time, or change it to your organization's requirements.

10. If you want the password to be masked and stored into a stash file, select Stash the password to a file.

A stash file can be used by some applications so that the application does not have to know the password to use the key database file. The stash file has the same location and name as the key database file and has an extension of .sth.
11. Click OK.

This completes the creation of the key database file. There is a set of default signer certificates. These signer certificates are the default certificate authorities that are recognized.

Obtaining a personal certificate from a certificate authority

If you plan to use a certificate from a certificate authority instead of a self-signed certificate, you must request the certificate from the certificate authority and then receive it after it has been completed. If you plan to use a self-signed certificate, skip this section and go to Creating and extracting a self-signed certificate.

To request and receive a certificate, follow these steps:
1. Use gsk5ikm to request a certificate from a certificate authority and then receive the new certificate into your key database file.
2. Click the Personal Certificate Requests section of the key database file.
3. Click New.
4. To produce a request that can be sent to the certificate authority, complete the information and then click OK.
5. To install the certificate to your key database file after the certificate authority returns it, click the Personal Certificates section and then click Receive.
6. After you have the LDAP server's certificate in the key database file, configure the LDAP server to enable SSL. Continue to Enabling SSL access on page 38.

Creating and extracting a self-signed certificate

If you obtained a certificate from a known certificate authority, as described in the previous section Obtaining a personal certificate from a certificate authority, skip this section and go to Enabling SSL access on page 38.

To create a new self-signed certificate and store it into the key database file, follow these steps:
1. Select Create > New Self-Signed Certificate.
2. Type a name in the Key Label field that GSKit can use to identify this new certificate in the key database. For example, the label can be the system name of the LDAP server.
3. Accept the defaults for the Version field (X509 V3) and for the Key Size field.
4. Either accept the default system name or enter a different distinguished name in the Common Name field for this certificate.
5. Enter a company name in the Organization field.
6. Complete any optional fields or leave them blank.
7. Either accept the defaults for the Country field and 365 for the Validity Period field or change them to suit your organization's requirements.
8. Click OK. GSKit generates a new public and private key pair and creates the certificate. If you have more than one personal certificate in the key database file, GSKit queries if you want this key to be the default key in the database. You can accept one of them as the default. The default certificate is used at runtime when a label is not provided to select which certificate to use.

This completes the creation of the LDAP server's personal certificate. It is displayed in the Personal Certificates section of the key database file. Use the middle bar of the key management utility to select between the types of certificates kept in the key database file. Next, you must extract your LDAP server's certificate to a Base64-encoded ASCII data file.

9. Use gsk5ikm to extract your LDAP server's certificate to a Base64-encoded ASCII data file. This file is used in the section Adding a signer certificate.
10. Highlight the self-signed certificate that you just created.
11. Click Extract Certificate.
12. Click Base64-encoded ASCII data as the data type.
13. Type a certificate file name for the newly extracted certificate. The certificate file's extension is usually .arm.
14. Type the location where you want to store the extracted certificate.
15. Click OK.
16. Copy this extracted certificate to the IBM SecureWay Directory client system.

You can now configure the LDAP server to enable SSL. Continue to Enabling SSL access.

Enabling SSL access

To configure the LDAP server to enable SSL, you must manually update the slapd32.conf file.
To do so, insert the following lines at the end of the slapd.conf file, leaving a blank line separating these entries from other configuration entries as follows:

dn: cn=ssl,cn=configuration
cn: SSL
objectclass: top
objectclass: ibm-slapdssl
ibm-slapdsecureport: 636 (default port LDAP uses for SSL requests)
ibm-slapdsecurity: SSL (choices are none, SSL, or SSLOnly)
ibm-slapdsslauth: serverauth (choices are serverauth, or serverclientauth)
ibm-slapdsslcipherspecs:
ibm-slapdsslkeydatabase: /usr/ldap/etc/key.kdb (location of the key file database)
ibm-slapdsslkeydatabasepw: pass4key (password assigned to the key file database)

Note: For additional information on configuring the LDAP server for SSL, see the IBM SecureWay Directory for Linux: Installation, Configuration, and Administration Guide (lparent.pdf).

Configuring OS/390 or z/OS SecureWay LDAP servers for SSL access

When Access Manager and LDAP services are not on the same protected network, it is recommended that you enable SSL communication between the LDAP server and the clients that support Access Manager software. This protocol provides secure, encrypted communications between each server and client. Access Manager uses these communications channels as part of the process for making authentication and authorization decisions.
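A configuration check for the cn=ssl,cn=configuration stanza shown under Enabling SSL access, as an added example that is not part of the IBM guide: it validates the values against the choices the guide lists and flags the guide's sample password and a configuration file that group or other can access. The function names, the findings format and the assumption that the file is read as LDIF (so a parenthetical note copied from the guide becomes part of the value) are this example's own.

```python
import re

# Choices the guide lists for each attribute (compared case-insensitively).
SECURITY_CHOICES = {"none", "ssl", "sslonly"}
AUTH_CHOICES = {"serverauth", "serverclientauth"}
SAMPLE_PASSWORD = "pass4key"  # sample value printed in the guide

# Constructed sample input: the stanza as printed in the guide, annotations included.
SAMPLE_STANZA = """\
dn: cn=ssl,cn=configuration
cn: SSL
objectclass: top
objectclass: ibm-slapdssl
ibm-slapdsecureport: 636 (default port LDAP uses for SSL requests)
ibm-slapdsecurity: SSL (choices are none, SSL, or SSLOnly)
ibm-slapdsslauth: serverauth (choices are serverauth, or serverclientauth)
ibm-slapdsslcipherspecs:
ibm-slapdsslkeydatabase: /usr/ldap/etc/key.kdb (location of the key file database)
ibm-slapdsslkeydatabasepw: pass4key (password assigned to the key file database)
"""


def parse_stanza(text):
    """Return (attrs, annotated).

    attrs maps lower-cased attribute names to a list of values with any
    trailing "(...)" note removed; annotated lists the attributes whose
    line still carried such a note.
    """
    attrs, annotated = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        # Assumption: the file is LDIF, where the rest of the line is the value,
        # so a note in parentheses would be read as part of the value.
        stripped = re.sub(r"\s+\(.*\)\s*$", "", value)
        if stripped != value:
            annotated.append(name)
        attrs.setdefault(name, []).append(stripped)
    return attrs, annotated


def audit_ssl_stanza(text, config_mode=None):
    """Return a list of (severity, message) findings for a cn=ssl stanza.

    config_mode is the permission bits of the configuration file
    (for example 0o644), or None when they are not known.
    """
    attrs, annotated = parse_stanza(text)

    def first(name):
        values = attrs.get(name)
        return values[0] if values else ""

    findings = []
    for name in annotated:
        findings.append(("error", f"{name}: explanatory note left in the value"))

    security = first("ibm-slapdsecurity").lower()
    if security not in SECURITY_CHOICES:
        findings.append(("error", f"ibm-slapdsecurity: {security!r} is not none, SSL, or SSLOnly"))
    elif security == "none":
        findings.append(("warn", "ibm-slapdsecurity: none leaves SSL disabled"))

    auth = first("ibm-slapdsslauth").lower()
    if auth not in AUTH_CHOICES:
        findings.append(("error", f"ibm-slapdsslauth: {auth!r} is not serverauth or serverclientauth"))

    port = first("ibm-slapdsecureport")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        findings.append(("error", f"ibm-slapdsecureport: {port!r} is not a valid port"))

    kdb = first("ibm-slapdsslkeydatabase")
    if not kdb.endswith(".kdb"):
        findings.append(("error", f"ibm-slapdsslkeydatabase: {kdb!r} is not a .kdb file"))

    password = first("ibm-slapdsslkeydatabasepw")
    if password == SAMPLE_PASSWORD:
        findings.append(("warn", "ibm-slapdsslkeydatabasepw: the guide's sample password is in use"))
    if password and config_mode is not None and config_mode & 0o077:
        findings.append(("warn", "key database password is in clear text and the "
                                 "configuration file is accessible to group or other"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_ssl_stanza(SAMPLE_STANZA, config_mode=0o644):
        print(f"{severity}: {message}")
```

To check a live file, pass its contents and `os.stat(path).st_mode & 0o777` as `config_mode`.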

This section provides an example of how to set up server and client authentication on a Windows NT platform using a self-signed certificate. This procedure requires the use of gsk5ikm, a graphical key management tool provided with IBM Global Security Toolkit (GSKit). Before you begin enabling SSL, ensure that supported versions of GSKit and gsk5ikm are installed on both the LDAP server and any LDAP client systems that will be using SSL. In addition, keep in mind that you can create both the client and server certificates on your system and then copy the files to the requisite servers. For detailed information about enabling SSL, see the product documentation that came with your LDAP server.

Create a key database file for the server

Start the key management tool (gsk5ikm). Then select Key Database File > New and complete fields as shown:

Provide a database password when prompted. Note that it is not necessary to stash the password or set a password expiration time.

Create a self-signed certificate

To create a new self-signed certificate and store it in the key database file, select Create > New Self-Signed Certificate and complete fields for your installation as shown:

Note that this certificate is displayed in both the Personal Certificates section and Signer Certificates section of the key database file.

Store the server certificate

The next step is to extract your LDAP server's certificate to a Base64-encoded ASCII data file. Do this by highlighting the self-signed certificate that you created and click Extract Certificate as shown:

Click Base64-encoded ASCII data as the data type and then type a certificate file name for the newly extracted certificate. Note that the certificate file's extension is .arm. Type the location where you want to store the extracted certificate and click OK. Next, copy this extracted certificate to the LDAP client system. This is needed when you add a signer certificate to the client key database file (as described on page 7).

Add a security stanza to the LDAP configuration file

To add a stanza to the LDAP configuration file, see Sample LDAP configuration on page 23 for example definitions for the stanza. Required entries to enable SSL are as follows:


IBM Security Identity Manager Version Installation Topics IBM IBM Security Identity Manager Version 6.0.0.13 Installation Topics IBM IBM Security Identity Manager Version 6.0.0.13 Installation Topics IBM ii IBM Security Identity Manager Version 6.0.0.13: Installation

More information

Tivoli Tivoli Provisioning Manager

Tivoli Tivoli Provisioning Manager Tioli Tioli Proisioning Manager Version 2.1 Migration Guide for Windows GC32-1618-00 Tioli Tioli Proisioning Manager Version 2.1 Migration Guide for Windows GC32-1618-00 Note: Before using this information

More information

IBM Tivoli Directory Server

IBM Tivoli Directory Server IBM Tivoli Directory Server White Pages Version 6.1 SC23-7837-00 IBM Tivoli Directory Server White Pages Version 6.1 SC23-7837-00 Note Before using this information and the product it supports, read the

More information

Product Overview Guide

Product Overview Guide IBM Security Identity Manager Version 6.0 Product Oeriew Guide GC14-7692-00 IBM Security Identity Manager Version 6.0 Product Oeriew Guide GC14-7692-00 Note Before using this information and the product

More information

IBM Tivoli Service Level Advisor. Getting Started. Version 2.1 SC

IBM Tivoli Service Level Advisor. Getting Started. Version 2.1 SC IBM Tioli Serice Leel Adisor Getting Started Version 2.1 SC32-0834-03 IBM Tioli Serice Leel Adisor Getting Started Version 2.1 SC32-0834-03 Fourth Edition (September 2004) This edition applies to Version

More information

User s Guide for Software Distribution

User s Guide for Software Distribution IBM Tivoli Configuration Manager User s Guide for Software Distribution Version 4.2.1 SC23-4711-01 IBM Tivoli Configuration Manager User s Guide for Software Distribution Version 4.2.1 SC23-4711-01 Note

More information

IBM Sterling Gentran:Server for Windows. Installation Guide. Version 5.3.1

IBM Sterling Gentran:Server for Windows. Installation Guide. Version 5.3.1 IBM Sterling Gentran:Serer for Windows Installation Guide Version 5.3.1 IBM Sterling Gentran:Serer for Windows Installation Guide Version 5.3.1 Note Before using this information and the product it supports,

More information

User s Guide for PeopleSoft Access Method

User s Guide for PeopleSoft Access Method IBM Tioli Workload Scheduler for Applications User s Guide for PeopleSoft Access Method Version 8.1.1 (Maintenance Release Noember 2003) SH19-8502-01 IBM Tioli Workload Scheduler for Applications User

More information

IMSConnectorforJava User s Guide and Reference

IMSConnectorforJava User s Guide and Reference IMS Connect IMSConnectorforJaa User s Guide and Reference Version1Release2Modification2 IMS Connect IMSConnectorforJaa User s Guide and Reference Version1Release2Modification2 Note! Before using this

More information

Exchange 2000 Agent Installation Guide

Exchange 2000 Agent Installation Guide IBM Tivoli Identity Manager Exchange 2000 Agent Installation Guide Version 4.5.0 SC32-1156-03 IBM Tivoli Identity Manager Exchange 2000 Agent Installation Guide Version 4.5.0 SC32-1156-03 Note: Before

More information

IBM. Installing. IBM Emptoris Suite. Version

IBM. Installing. IBM Emptoris Suite. Version IBM Emptoris Suite IBM Installing Version 10.1.0 IBM Emptoris Suite IBM Installing Version 10.1.0 ii IBM Emptoris Suite: Installing Copyright Note: Before using this information and the product it supports,

More information

WebSphere MQ. Clients GC

WebSphere MQ. Clients GC WebSphere MQ Clients GC34-6058-01 Note! Before using this information and the product it supports, be sure to read the general information under Notices on page 179. Second edition (October 2002) This

More information

IBM. Installing, configuring, using, and troubleshooting. IBM Operations Analytics for z Systems. Version 3 Release 1

IBM. Installing, configuring, using, and troubleshooting. IBM Operations Analytics for z Systems. Version 3 Release 1 IBM Operations Analytics for z Systems IBM Installing, configuring, using, and troubleshooting Version 3 Release 1 IBM Operations Analytics for z Systems IBM Installing, configuring, using, and troubleshooting

More information

Planning, Installing, and Configuring Host On-Demand

Planning, Installing, and Configuring Host On-Demand IBM WebSphere Host On-Demand Version 7.0 Planning, Installing, and Configuring Host On-Demand SC31-6301-01 IBM WebSphere Host On-Demand Version 7.0 Planning, Installing, and Configuring Host On-Demand

More information

Tivoli Identity Manager. End User Guide. Version SC

Tivoli Identity Manager. End User Guide. Version SC Tioli Identity Manager End User Guide Version 4.5.1 SC32-1152-02 Tioli Identity Manager End User Guide Version 4.5.1 SC32-1152-02 NOTE: Before using this information and the product it supports, read

More information

Tivoli SecureWay Policy Director Management Console for Windows Administration Guide Version 3.7

Tivoli SecureWay Policy Director Management Console for Windows Administration Guide Version 3.7 Tivoli SecureWay Policy Director Management Console for Windows Administration Guide Version 3.7 January 2001 Tivoli SecureWay Policy Director Management Console for Windows Administration Guide Copyright

More information