IBM Security Access Manager for Web Version 7.0. Installation Guide GC

Similar documents
IBM Security Access Manager for Web Version 7.0. Upgrade Guide SC

Authorization C API Developer Reference

Shared Session Management Administration Guide

Performance Tuning Guide

IBM Security Access Manager for Web Version 7.0. Command Reference SC

Deployment Overview Guide

Web Security Developer Reference

WebSEAL Installation Guide

Troubleshooting Guide

IBM Tivoli Access Manager for WebSphere Application Server. User s Guide. Version 4.1 SC

IBM i Version 7.2. Connecting to IBM i IBM i Access for Web IBM

IBM Tivoli Storage Manager for Windows Version Tivoli Monitoring for Tivoli Storage Manager

Tivoli Tivoli Intelligent ThinkDynamic Orchestrator

License Administrator s Guide

IBM Operational Decision Manager Version 8 Release 5. Installation Guide

IBM Tivoli Access Manager for Linux on zseries. Installation Guide. Version 3.9 GC

Tivoli Tivoli Provisioning Manager

Web Services Security Management Guide

IBM Security Identity Manager Version 6.0. Installation Guide GC

Tivoli Tivoli Provisioning Manager

Error Message Reference

Tivoli Tivoli Intelligent ThinkDynamic Orchestrator

IBM. Installing. IBM Emptoris Suite. Version

Installation and Configuration Guide

Administration Java Classes Developer Reference

IBM. Connecting to IBM i IBM i Access for Web. IBM i 7.1

IBM Security Access Manager for Web Version Application Development Kit Installation Topics

IBM Tivoli Access Manager forweblogicserver. User s Guide. Version 3.9 GC

BEA WebLogic Server Integration Guide

Installation and Configuration Guide

IBM Tivoli Access Manager Plug-in for Edge Server. User s Guide. Version 3.9 GC

Extended Search Administration

Administration Java Classes Developer Reference

Managing Server Installation and Customization Guide

IBM. Installing and configuring. Version 6.4

Installation and Setup Guide

WebSphere MQ Configuration Agent User's Guide

IBM Tivoli Monitoring for Business Integration. User s Guide. Version SC

IBM Tivoli Access Manager WebSEAL for Linux on zseries. Installation Guide. Version 3.9 GC

IBM Tivoli Federated Identity Manager Version Installation Guide GC

IBM Tivoli Storage Manager for Windows Version Installation Guide

Product Overview Guide

Tivoli System Automation Application Manager

Planning and Installation

Registration Authority Desktop Guide

IBM Agent Builder Version User's Guide IBM SC

Tivoli IBM Tivoli Advanced Catalog Management for z/os

IBM Security Role and Policy Modeler Version 1 Release 1. Planning Guide SC

Jazz for Service Management Version 1.1 FIx Pack 3 Beta. Configuration Guide Draft

IBM Cognos Dynamic Query Analyzer Version Installation and Configuration Guide IBM

IBM Tivoli Storage Manager for Windows Version 7.1. Installation Guide

IBM Director Virtual Machine Manager 1.0 Installation and User s Guide

WebSphere Message Broker Monitoring Agent User's Guide

Tivoli Application Dependency Discovery Manager Version 7.3. Installation Guide IBM

IBM Tivoli Storage Manager for Virtual Environments Version Data Protection for VMware Installation Guide IBM

Troubleshooting Guide

Installing and Configuring Tivoli Enterprise Data Warehouse

IBM Tivoli Netcool Performance Manager Wireline Component October 2015 Document Revision R2E1. Pack Upgrade Guide IBM

IBM Workplace Collaboration Services Installation and Upgrade Guide

Installation and Setup Guide

IBM. Installing, configuring, using, and troubleshooting. IBM Operations Analytics for z Systems. Version 3 Release 1

Installing and Configuring IBM Case Manager with FileNet P8 Platform on a Single Server

IBM Tivoli Privacy Manager for e-business. Installation Guide. Version 1.1 SC

IBM Security Identity Manager Version Installation Topics IBM

Tivoli Monitoring: Windows OS Agent

IBM Workplace Collaboration Services Installation and Upgrade Guide

IBM Security Access Manager for Web Version 7.0. Administration Guide SC

Installation and Configuration Guide

Tivoli Access Manager for e-business

Road Map for the Typical Installation Option of IBM Tivoli Monitoring Products, Version 5.1.0

Federated Identity Manager Business Gateway Version Configuration Guide GC

IBM i Version 7.2. Security Service Tools IBM

High Availability Guide for Distributed Systems

Tivoli IBM Tivoli Advanced Catalog Management for z/os

IBM Tivoli Storage Manager for AIX Version Tivoli Monitoring for Tivoli Storage Manager

High Availability Guide for Distributed Systems

Tivoli Identity Manager

Tivoli IBM Tivoli Advanced Audit for DFSMShsm

IBM Tivoli Storage Manager for Linux Version Tivoli Monitoring for Tivoli Storage Manager

IBM. Planning and Installation. IBM Tivoli Workload Scheduler. Version 9 Release 1 SC

IBM Security Identity Manager Version Product Overview Topics

Solutions for BSM Version 1.1. Solutions for BSM Guide

IBM Interact Version 9 Release 1 October 25, Installation Guide

Problem Determination Guide

IBM Tivoli Directory Server. System Requirements SC

IBM Tivoli Monitoring: AIX Premium Agent Version User's Guide SA

Monitor Developer s Guide

Tivoli Storage Manager for Enterprise Resource Planning

IBM Tivoli Composite Application Manager for Microsoft Applications: Microsoft Exchange Server Agent Fix Pack 13.

Tivoli Application Dependency Discovery Manager Version 7 Release 2.1. Installation Guide

Version 10 Release 0 February IBM Marketing Platform Installation Guide IBM

IBM Sterling Gentran:Server for Windows. Installation Guide. Version 5.3.1

Monitoring: Windows OS Agent Version Fix Pack 2 (Revised May 2010) User s Guide SC

IBM Tivoli Enterprise Console. User s Guide. Version 3.9 SC

Netcool Configuration Manager Version Installation and Configuration Guide R2E6 IBM

Connectivity Guide for Oracle Databases

IBM Tivoli Monitoring for Messaging and Collaboration: Lotus Domino. User s Guide. Version SC

IBM Security Identity Governance and Intelligence Version Product Overview Topics IBM

IBM Security Access Manager Version December Release information

Workload Automation Version 8.6. Overview SC

Transcription:

IBM Security Access Manager for Web Version 7.0 Installation Guide GC23-6502-02

IBM Security Access Manager for Web Version 7.0 Installation Guide GC23-6502-02

Note Before using this information and the product it supports, read the information in Notices on page 417. Edition notice Note: This edition applies to ersion 7, release 0, modification 0 of IBM Security Access Manager (product number 5724-C87) and to all subsequent releases and modifications until otherwise indicated in new editions. Copyright IBM Corporation 2001, 2012. US Goernment Users Restricted Rights Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents Figures............... ix Tables............... xi About this publication........ xiii Intended audience............ xiii Access to publications and terminology..... xiii Related publications.......... xi Accessibility............. xii Technical training............ xii Support information........... xiii Part 1. Planning for installation... 1 Chapter 1. Installation oeriew.... 3 Planning for deployment.......... 3 Secure domain oeriew.......... 4 Security Access Manager installation components.. 4 Security Access Manager base components... 4 Security Access Manager Web security components.............. 7 Security Access Manager distributed sessions management components......... 7 Prerequisite products.......... 8 Supported registries........... 11 IBM Tioli Directory Serer........ 11 IBM Tioli Directory Serer for z/os..... 12 Microsoft Actie Directory........ 12 Microsoft Actie Directory Lightweight Directory Serice (ADLDS)........... 12 Sun Jaa System Directory Serer...... 12 Noell edirectory........... 12 Components and prerequisites for Security Access Manager systems............ 13 Security Access Manager base systems.... 13 Security Access Manager Web security systems 15 Security Access Manager distributed sessions management systems.......... 16 Chapter 2. Installation methods.... 19 Chapter 3. Installation roadmap.... 21 Part 2. Installing prerequisite software............. 25 Chapter 4. Installing and configuring component prerequisites....... 27 Preparing your operating system for installation.. 28 Preparing an AIX system......... 28 Preparing a Linux system......... 30 Preparing a Windows system....... 31 Preparing a Solaris system........ 31 Installing IBM Jaa Runtime......... 31 AIX: Installing IBM Jaa Runtime...... 32 Linux: Installing IBM Jaa Runtime..... 32 Solaris: Installing IBM Jaa Runtime..... 33 Windows: Installing IBM Jaa Runtime.... 34 Installing the IBM Global Security Kit (GSKit)... 34 AIX: Installing the IBM Global Security Kit (GSKit)............... 35 Linux: Installing the IBM Global Security Kit (GSKit)............... 35 Solaris: Installing the IBM Global Security Kit (GSKit)............... 36 Windows: Installing the IBM Global Security Kit (GSKit)............... 37 Installing the IBM Security Access Manager License 37 AIX, Linux, Solaris: Installing the IBM Security Access Manager License......... 37 Windows: Installing the IBM Security Access Manager License........... 39 Installing the IBM Security Utilities...... 39 AIX: Installing the IBM Security Utilities... 39 Linux: Installing IBM Security Utilities.... 40 Solaris: Installing IBM Security Utilities.... 41 Windows: Installing IBM Security Utilities... 41 Installing the IBM Tioli Directory Serer client.. 42 AIX: Installing the IBM Tioli Directory Serer client............... 43 Linux: Installing the IBM Tioli Directory Serer client............... 44 Solaris: Installing the IBM Tioli Directory Serer client............... 45 Windows: Installing the IBM Tioli Directory Serer client............. 46 Installing WebSphere Application Serer..... 46 Chapter 5. Setting up the registry serer............... 51 User registry differences.......... 51 General considerations......... 52 LDAP considerations.......... 52 URAF considerations.......... 53 Length of names............ 56 Setting up Tioli Directory Serer....... 58 Setting up IBM Tioli Directory Serer using the Tioli Directory Serer installation wizard... 58 Setting up Tioli Directory Serer using script files................ 61 Setting up Tioli Directory Serer using the Launchpad (Windows only)........ 67 Configuring IBM Tioli Directory Serer for SSL access............... 69 Setting up IBM Tioli Directory Serer for z/os.. 75 Updating schema files.......... 75 Adding suffixes............ 76 Copyright IBM Corp. 2001, 2012 iii

Configuring Security Access Manager for LDAP 76 Natie authentication user administration... 77 Configuring IBM Tioli Directory Serer for z/os for SSL access.......... 78 Setting up Microsoft Actie Directory...... 81 Configuring Microsoft Actie Directory for SSL access............... 82 Setting up Microsoft Actie Directory Lightweight Directory Serice (AD LDS)......... 83 Installing and configuring Actie Directory Lightweight Directory Serice (ADLDS) for Security Access Manager (Oeriew)..... 83 Installing Security Access Manager with support for Actie Directory Lightweight Directory Serice (AD LDS)........... 83 Configuring the Security Access Manager schema for Actie Directory Lightweight Directory Serice (AD LDS)........... 84 Configuring a default Security Access Manager directory partition........... 86 Adding an administrator to the Security Access Manager metadata directory partition.... 87 Allowing anonymous bind........ 89 Configuring Actie Directory Lightweight Directory Serice (AD LDS) to use SSL.... 90 Setting up Noell edirectory........ 91 Configuring the Noell edirectory for Security Access Manager............ 92 When using Noell edirectory....... 94 Management domain location....... 95 Configuring Noell edirectory serer for SSL access............... 96 Setting up the Sun Jaa System Directory Serer.. 99 Configuring Sun Jaa System Directory Serer for SSL access............ 100 Part 3. Installing base system components........... 103 Chapter 6. Setting up a policy serer 105 LDAP data format selection........ 105 Security Access Manager management domains 106 Creating a management domain location (example).............. 107 Management domain location for an Actie Directory Lightweight Directory Serice (AD LDS) registry............ 108 Setting up a policy serer using the command line 108 AIX: Installing the policy serer...... 109 Linux: Installing the policy serer..... 110 Solaris: Installing the policy serer..... 113 Windows: Installing the policy serer.... 115 Setting up a policy serer using the Launchpad (Windows).............. 116 Setting up a policy serer using script files... 118 Automating the installation of a policy serer (AIX, Linux, or Solaris)......... 119 Automating the installation of a policy serer (Windows)............. 119 Automating the configuration of a policy serer 121 Chapter 7. Setting up an authorization serer.............. 123 Setting up an authorization serer using the command line............. 123 AIX: Installing an authorization serer.... 124 Linux: Installing an authorization serer... 125 Solaris: Installing an authorization serer... 127 Windows: Installing an authorization serer.. 129 Setting up an authorization serer using the Launchpad (Windows).......... 130 Setting up an authorization serer using script files 131 Automating the installation of an authorization serer (AIX, Linux, or Solaris)....... 131 Automating the installation of an authorization serer (Windows)........... 132 Automating the configuration of an authorization serer.......... 133 Chapter 8. Setting up a deelopment system.............. 137 Setting up a deelopment system using the command line............. 137 AIX: Installing a deelopment (ADK) system 138 Linux: Installing a deelopment (ADK) system 139 Solaris: Installing a deelopment (ADK) system 140 Windows: Installing a deelopment (ADK) system.............. 141 Setting up a deelopment system using the Launchpad (Windows).......... 142 Setting up a deelopment system using script files 144 Automating the installation of a deelopment system (AIX, Linux, or Solaris)...... 144 Automating the installation of a deelopment system (Windows)........... 145 Chapter 9. Setting up a IBM Security Access Manager Runtime for Jaa system.............. 147 Setting up a Security Access Manager Runtime for Jaa system using the command line..... 147 AIX: Installing IBM Security Access Manager Runtime for Jaa........... 148 Linux: Installing IBM Security Access Manager Runtime for Jaa........... 149 Solaris: Installing IBM Security Access Manager Runtime for Jaa........... 150 Windows: Installing IBM Security Access Manager Runtime for Jaa........ 152 Setting up a runtime for Jaa system using the Launchpad (Windows).......... 153 Setting up a runtime for Jaa serer using script files................ 154 Automating the installation of a runtime for Jaa system (AIX, Linux, or Solaris)..... 154 Automating the installation of a runtime for Jaa system (Windows)......... 155 Automating the configuration of a runtime for Jaa system............. 156 i IBM Security Access Manager for Web Version 7.0: Installation Guide

Chapter 10. Setting up a policy proxy serer system........... 159 Setting up a policy proxy serer using the command line............. 159 AIX: Installing a policy proxy serer.... 160 Linux: Installing a policy proxy serer.... 161 Solaris: Installing a policy proxy serer.... 163 Windows: Installing a policy proxy serer... 164 Setting up a policy proxy serer using the Launchpad (Windows).......... 165 Setting up a policy proxy serer using script files 167 Automating the installation of a policy proxy serer system (AIX, Linux, or Solaris).... 167 Automating the installation of a policy proxy system (Windows)........... 168 Automating the configuration of a policy proxy serer............... 169 Chapter 11. Setting up a runtime system.............. 171 Setting up a runtime serer using the command line................. 171 AIX: Installing Security Access Manager Runtime.............. 172 Linux: Installing Security Access Manager Runtime.............. 173 Solaris: Installing Security Access Manager Runtime.............. 175 Windows: Installing Security Access Manager Runtime.............. 176 Setting up a runtime serer using the Launchpad (Windows).............. 177 Setting up a runtime serer using script files... 179 Automating the installation of a runtime system (AIX, Linux, or Solaris)......... 179 Automating the installation of a runtime system (Windows)............. 180 Automating the configuration of a runtime system.............. 181 Chapter 12. Setting up a Web Portal Manager system.......... 183 Setting up a Web Portal Manager system using the command line............. 183 AIX: Installing a Web Portal Manager system 184 Linux: Installing a Web Portal Manager system 186 Solaris: Installing a Web Portal Manager system 189 Windows: Installing a Web Portal Manager system.............. 191 Setting up a Web Portal Manager system using the Launchpad (Windows).......... 194 Setting up a Web Portal Manager using script files 197 Setting up WebSphere Application Serer using script files............. 197 Automating the installation of a Web Portal Manager system (AIX, Linux, or Solaris)... 202 Automating the installation of a Web Portal Manager (Windows).......... 203 Automating the configuration of Web Portal Manager.............. 204 Configuring WebSphere Application Serer security 205 Part 4. Installing web security system components....... 207 Chapter 13. Setting up the Security Access Manager Attribute Retrieal Serice.............. 209 Setting up the Attribute Retrieal Serice using the command line............. 209 AIX: Installing the Security Access Manager Attribute Retrieal Serice using the command line................ 210 Linux: Installing the Security Access Manager Attribute Retrieal Serice using the command line................ 211 Solaris: Installing the Security Access Manager Attribute Retrieal Serice using the command line................ 212 Windows: Installing the Security Access Manager Attribute Retrieal Serice using the command line............ 213 Chapter 14. Setting up the plug-in for Web serers............ 215 Preinstallation requirements........ 215 Installing the plug-in for Apache Web Serer using the command line............ 216 AIX: plug-in for Apache Web Serer..... 216 Linux on x86-64: plug-in for Apache Web Serer 218 Linux on System z: plug-in for Apache Web Serer............... 219 Solaris: plug-in for Apache Web Serer.... 221 Installing the plug-in for IBM HTTP Serer using the command line............ 222 AIX: plug-in for IBM HTTP Serer..... 223 Linux: plug-in for IBM HTTP Serer.... 224 Solaris: plug-in for IBM HTTP Serer.... 226 Installing the plug-in for Internet Information Serices using the command line....... 228 Setting up a plug-in for Internet Information Serices using the Launchpad (Windows).... 230 Setting up the plug-in for Web serers using script files................ 231 Automating installation of the Apache Serer plug-in or IBM HTTP Serer plug-in.... 231 Automating configuration of the Apache Serer plug-in or IBM HTTP Serer plug-in.... 232 Automating installation of the Internet Information Serices plug-in....... 233 Automating configuration of the Internet Information Serice plug-in........ 234 Chapter 15. Setting up a Web security deelopment system........ 237 Setting up a Web security deelopment system using the command line.......... 237 AIX: Installing a Web security deelopment (WebADK) system using the command line.. 238 Contents

Linux: Installing a Web security deelopment (WebADK) system using the command line.. 239 Solaris: Installing a Web security deelopment (WebADK) system using the command line.. 240 Windows: Installing a Web security deelopment (WebADK) system using the command line............ 242 Setting up a Web security deelopment system using the Launchpad (Windows)....... 243 Setting up the Web security deelopment system using script files............ 245 Automating installation of a Web security deelopment system (AIX, Linux, Solaris)... 245 Automating the installation of a Web security deelopment system (Windows)...... 246 Chapter 16. Setting up WebSEAL... 249 Setting up a WebSEAL system using the command line................. 249 AIX: Installing WebSEAL using the command line................ 250 Linux: Installing WebSEAL using the command line................ 251 Solaris: Installing WebSEAL using the command line................ 253 Windows: Installing WebSEAL using the command line............ 254 Setting up a WebSEAL system using the Launchpad (Windows).......... 256 Setting up the WebSEAL system using script files 257 Automating installation of a WebSEAL system (AIX, Linux, Solaris).......... 257 Automating the installation of a WebSEAL system (Windows)........... 258 Automating configuration of a WebSEAL system 259 Part 5. Installing session management system components. 263 Chapter 17. Setting up a session management serer........ 265 Preinstallation requirements........ 266 Setting up the session management serer using the command line............ 267 AIX: Installing a session management serer system.............. 268 Linux: Installing a session management serer system.............. 269 Solaris: Installing a session management serer system.............. 270 Windows: Installing a session management serer system............ 271 Creating the login history database..... 271 Deploying the console extension...... 273 Logging in and logging out of the Session Management Serer console....... 274 Deploying the Session Management Serer application............. 275 Configuring the session management serer.. 276 Setting up a session management serer with the Launchpad (Windows).......... 278 Setting up a session management serer using script files.............. 282 Setting up WebSphere Application Serer using script files............. 283 Automating the installation of a session management serer (AIX, Linux, or Solaris).. 287 Automating the installation of a session management serer (Windows)...... 288 Automating configuration of a session management serer.......... 289 Chapter 18. Setting up the session management command line..... 293 Preinstallation requirements........ 293 Setting up the session management command line using the command-line utilities....... 293 AIX: Installing the session management command line............ 294 Linux: Installing the session management command line............ 295 Solaris: Installing the session management command line............ 297 Windows: Installing the session management command line............ 298 Setting up a session management command line using the Launchpad (Windows)....... 300 Setting up a session management command line using script files............ 301 Automating the installation of a session management command line (AIX, Linux, or Solaris).............. 301 Automating the installation of a session management command line (Windows)... 302 Automating configuration of a session management command line....... 303 Part 6. Appendixes........ 305 Appendix A. Enabling Secure Sockets Layer (SSL) security........ 307 Configuring SSL on the Security Access Manager serers............... 307 Creating a database and adding the signer certificate.............. 307 Configuring SSL communications...... 308 Testing SSL access........... 309 Configuring Tioli Directory Serer client for client authentication............. 309 Testing SSL access when using serer and client authentication............. 310 Appendix B. Groups and administrator identities on AIX, Linux, and Solaris systems........ 313 Appendix C. Default port numbers 317 i IBM Security Access Manager for Web Version 7.0: Installation Guide

Appendix D. pdconfig options.... 319 Security Access Manager Runtime: LDAP.... 319 Security Access Manager Runtime: Actie Directory 322 Security Access Manager Attribute Retrieal Serice............... 327 Security Access Manager Authorization Serer.. 328 IBM Security Access Manager Runtime for Jaa 329 Security Access Manager Plug-in for Web Serers on AIX, Linux, or Solaris......... 330 Security Access Manager Plug-in for Web Serers on Windows.............. 332 Security Access Manager Policy Serer..... 332 Security Access Manager Policy Proxy Serer... 334 Security Access Manager Web Portal Manager.. 335 Security Access Manager WebSEAL...... 338 Appendix E. Installing language support.............. 341 Language support oeriew........ 341 Installing language support packages for Security Access Manager............ 342 Installing language support packages for IBM Tioli Directory Serer.......... 345 Locale enironment ariables........ 346 LANG ariable on AIX, Linux, or Solaris systems.............. 346 LANG ariable on Windows systems.... 347 Using locale ariants.......... 347 Message catalogs............ 347 Text encoding (code set) support....... 348 Location of code set files........ 349 Uninstalling Security Access Manager language support packages............ 349 Appendix F. Managing automated configuration passwords...... 353 Obfuscating passwords on AIX, Linux, or Solaris 354 Obfuscating passwords on Windows..... 355 Deleting a stored password on AIX, Linux, and Solaris................ 356 Deleting a stored password on Windows.... 357 Appendix G. Setting up a standby policy serer (AIX)......... 359 IBM PowerHA enironment scenario..... 360 Install and Configure IBM PowerHA for AIX 360 Creating a standby policy serer enironment.. 361 Script: Setting UIDs for both the primary and standby systems........... 365 Script: Linking files and directories on the primary system............ 367 Example: Verifying the primary serer directories, soft links, and permissions.... 368 Script: Linking from the AIX system files to the shared directory on the standby system... 370 Example: Verifying standby serer directories, soft links and permissions........ 371 High aailability management........ 372 Verify the policy serer setup for high aailability............. 372 Reiew log files........... 373 Appendix H. Setting up a standby policy serer with IBM Tioli System Automation for Multiplatforms.... 375 Scenario components........... 375 Preinstallation requirements........ 376 LDAP and Load Balancer requirements.... 377 Primary serer requirements....... 377 Standby serer requirements....... 377 Runtime serer requirements....... 377 Installing the LDAP and the load balancer.... 378 Installing the primary serer........ 378 Installing the standby serer........ 379 Verifying Security Access Manager serers... 381 Configuring the Load Balancer....... 385 Installing and configuring the runtime serer... 385 Installing and configuring Tioli System Automation for Multiplatforms....... 386 Enabling failoer automation........ 388 Polup script for the primary serer..... 390 Polup script for the standby serer..... 391 Poldown script for the primary serer.... 392 Poldown script for the standby serer.... 393 Polmon script for the primary serer.... 394 Polmon script for the standby serer.... 395 Appendix I. Setting up a Tioli Directory Serer proxy enironment with Security Access Manager.... 397 Adding the Security Access Manager suffix to the proxy................ 398 Configuring Security Access Manager to use the proxy................ 399 Redirecting the policy serer to the proxy... 399 Setting access controls for the proxy..... 400 Unconfiguring Security Access Manager from the proxy................ 401 Appendix J. Security Access Manager registry adapter for WebSphere federated repositories........ 403 Appendix K. Uninstalling components 405 Unconfiguring Security Access Manager components.............. 405 Unconfiguring IBM Tioli Directory Serer... 406 Unconfiguring the database....... 406 Deleting a directory serer instance..... 407 Remoing packages........... 408 Uninstalling IBM Tioli Directory Serer... 408 AIX: Remoing packages........ 409 Linux: Remoing packages........ 411 Solaris: Remoing packages....... 413 Windows: Remoing packages...... 414 Notices.............. 417 Contents ii

Index............... 421 iii IBM Security Access Manager for Web Version 7.0: Installation Guide

Figures 1. Primary policy serer after initial configuration........... 362 2. Primary policy serer after you incorporate use of the shared file system...... 363 3. Completed primary/standby policy serer enironment............ 365 Copyright IBM Corp. 2001, 2012 ix

x IBM Security Access Manager for Web Version 7.0: Installation Guide

Tables 1. Required components for the Security Access Manager base systems......... 13 2. Required components for the Security Access Manager Web security systems...... 15 3. Required components for the Security Access Manager session management systems... 17 4. Installation methods for AIX, Linux, or Solaris 19 5. Installation methods for Windows..... 19 6. Planning tasks........... 21 7. Prerequisite tasks.......... 21 8. Policy serer tasks.......... 21 9. Base system component tasks...... 22 10. Web security system component tasks.... 22 11. Session management tasks....... 22 12. Tasks for installing and configuring prerequisite software......... 27 13. Client packages for AIX........ 43 14. Client packages for Linux platforms.... 44 15. Client packages for Solaris....... 45 16. Maximum lengths for names by user registry and the optimal length across user registries. 57 17. Compliance alues for the keyfile..... 70 18. Compliance attribute alues....... 73 19. SSL configuration alues........ 309 20. Users and groups required by Security Access Manager............. 313 21. Default port numbers used during Security Access Manager installation....... 317 22. Security Access Manager Runtime configuration options: LDAP...... 319 23. Security Access Manager Runtime configuration options: Actie Directory... 322 24. Security Access Manager Attribute Retrieal Serice.............. 327 25. Security Access Manager Authorization Serer configuration options...... 328 26. IBM Security Access Manager Runtime for Jaa configuration options....... 329 27. Plug-in for Web Serers on AIX, Linux, or Solaris.............. 330 28. Plug-in for Web Serers on Windows 332 29. Security Access Manager Policy Serer configuration options......... 333 30. Security Access Manager Policy Proxy Serer configuration options......... 334 31. Security Access Manager Web Portal Manager configuration options......... 335 32. Security Access Manager WebSEAL configuration options......... 338 33. Automated configuration password tasks 353 34. Default component options template files on AIX, Linux, or Solaris......... 354 35. Scenario components that use IBM Tioli System Automation for Multiplatforms... 376 36. Methods for uninstalling Tioli Directory Serer.............. 409 Copyright IBM Corp. 2001, 2012 xi

xii IBM Security Access Manager for Web Version 7.0: Installation Guide

About this publication Intended audience IBM Security Access Manager for Web, formerly called IBM Tioli Access Manager for e-business, is a user authentication, authorization, and web single sign-on solution for enforcing security policies oer a wide range of web and application resources. IBM Security Access Manager for Web Installation Guide explains how to install and configure Security Access Manager, including Security Access Manager systems, session management systems, and web security systems. This guide is for system administrators responsible for the installation and deployment of Security Access Manager. Readers should be familiar with the following topics: Supported operating systems Database architecture and concepts Security management Internet protocols, including HTTP, TCP/IP, File Transfer Protocol (FTP), and Telnet Lightweight Directory Access Protocol (LDAP) and directory serices Authentication and authorization If you are enabling Secure Sockets Layer (SSL) communication, you also should be familiar with SSL protocol, key exchange (public and priate), digital signatures, cryptographic algorithms, and certificate authorities. Access to publications and terminology This section proides: A list of publications in the IBM Security Access Manager for Web library. Links to Online publications on page x. A link to the IBM Terminology website on page x. IBM Security Access Manager for Web library The following documents are in the IBM Security Access Manager for Web library: IBM Security Access Manager for Web Quick Start Guide, GI11-9333-01 Proides steps that summarize major installation and configuration tasks. IBM Security Web Gateway Appliance Quick Start Guide Hardware Offering Guides users through the process of connecting and completing the initial configuration of the WebSEAL Hardware Appliance, SC22-5434-00 IBM Security Web Gateway Appliance Quick Start Guide Virtual Offering Guides users through the process of connecting and completing the initial configuration of the WebSEAL Virtual Appliance. IBM Security Access Manager for Web Installation Guide, GC23-6502-02 Copyright IBM Corp. 2001, 2012 xiii

Explains how to install and configure Security Access Manager. IBM Security Access Manager for Web Upgrade Guide, SC23-6503-02 Proides information for users to upgrade from ersion 6.0, or 6.1.x to ersion 7.0. IBM Security Access Manager for Web Administration Guide, SC23-6504-02 Describes the concepts and procedures for using Security Access Manager. Proides instructions for performing tasks from the Web Portal Manager interface and by using the pdadmin utility. IBM Security Access Manager for Web WebSEAL Administration Guide, SC23-6505-02 Proides background material, administratie procedures, and reference information for using WebSEAL to manage the resources of your secure Web domain. IBM Security Access Manager for Web Plug-in for Web Serers Administration Guide, SC23-6507-02 Proides procedures and reference information for securing your Web domain by using a Web serer plug-in. IBM Security Access Manager for Web Shared Session Management Administration Guide, SC23-6509-02 Proides administratie considerations and operational instructions for the session management serer. IBM Security Access Manager for Web Shared Session Management Deployment Guide, SC22-5431-00 Proides deployment considerations for the session management serer. IBM Security Web Gateway Appliance Administration Guide, SC22-5432-00 Proides administratie procedures and technical reference information for the WebSEAL Appliance. IBM Security Web Gateway Appliance Configuration Guide for Web Reerse Proxy, SC22-5433-00 Proides configuration procedures and technical reference information for the WebSEAL Appliance. IBM Security Web Gateway Appliance Web Reerse Proxy Stanza Reference, SC27-4442-00 Proides a complete stanza reference for the IBM Security Web Gateway Appliance Web Reerse Proxy. IBM Security Access Manager for Web WebSEAL Configuration Stanza Reference, SC27-4443-00 Proides a complete stanza reference for WebSEAL. IBM Global Security Kit: CapiCmd Users Guide, SC22-5459-00 Proides instructions on creating key databases, public-priate key pairs, and certificate requests. IBM Security Access Manager for Web Auditing Guide, SC23-6511-02 Proides information about configuring and managing audit eents by using the natie Security Access Manager approach and the Common Auditing and Reporting Serice. You can also find information about installing and configuring the Common Auditing and Reporting Serice. Use this serice for generating and iewing operational reports. IBM Security Access Manager for Web Command Reference, SC23-6512-02 Proides reference information about the commands, utilities, and scripts that are proided with Security Access Manager. xi IBM Security Access Manager for Web Version 7.0: Installation Guide

IBM Security Access Manager for Web Administration C API Deeloper Reference, SC23-6513-02 Proides reference information about using the C language implementation of the administration API to enable an application to perform Security Access Manager administration tasks. IBM Security Access Manager for Web Administration Jaa Classes Deeloper Reference, SC23-6514-02 Proides reference information about using the Jaa language implementation of the administration API to enable an application to perform Security Access Manager administration tasks. IBM Security Access Manager for Web Authorization C API Deeloper Reference, SC23-6515-02 Proides reference information about using the C language implementation of the authorization API to enable an application to use Security Access Manager security. IBM Security Access Manager for Web Authorization Jaa Classes Deeloper Reference, SC23-6516-02 Proides reference information about using the Jaa language implementation of the authorization API to enable an application to use Security Access Manager security. IBM Security Access Manager for Web Web Security Deeloper Reference, SC23-6517-02 Proides programming and reference information for deeloping authentication modules. IBM Security Access Manager for Web Error Message Reference, GI11-8157-02 Proides explanations and correctie actions for the messages and return code. IBM Security Access Manager for Web Troubleshooting Guide, GC27-2717-01 Proides problem determination information. IBM Security Access Manager for Web Performance Tuning Guide, SC23-6518-02 Proides performance tuning information for an enironment that consists of Security Access Manager with the IBM Tioli Directory Serer as the user registry. Online publications IBM posts product publications when the product is released and when the publications are updated at the following locations: IBM Security Access Manager for Web Information Center The http://pic.dhe.ibm.com/infocenter/tiihelp/2r1/topic/ com.ibm.isam.doc_70/welcome.html site displays the information center welcome page for this product. IBM Publications Center The http://www-05.ibm.com/e-business/linkweb/publications/serlet/ pbi.wss site offers customized search functions to help you find all the IBM publications that you need. IBM Terminology website The IBM Terminology website consolidates terminology for product libraries in one location. You can access the Terminology website at http://www.ibm.com/ software/globalization/terminology. About this publication x

Related publications This section lists the IBM products that are related to and included with the Security Access Manager solution. Note: The following middleware products are not packaged with IBM Security Web Gateway Appliance. IBM Global Security Kit Security Access Manager proides data encryption by using Global Security Kit (GSKit) ersion 8.0.x. GSKit is included on the IBM Security Access Manager for Web Version 7.0 product image or DVD for your particular platform. GSKit ersion 8 includes the command-line tool for key management, GSKCapiCmd (gsk8capicmd_64). GSKit ersion 8 no longer includes the key management utility, ikeyman (gskikm.jar). ikeyman is packaged with IBM Jaa ersion 6 or later and is now a pure Jaa application with no dependency on the natie GSKit runtime. Do not moe or remoe the bundled jaa/jre/lib/gskikm.jar library. The IBM Deeloper Kit and Runtime Enironment, Jaa Technology Edition, Version 6 and 7, ikeyman User's Guide for ersion 8.0 is aailable on the Security Access Manager Information Center. You can also find this document directly at: Note: http://download.boulder.ibm.com/ibmdl/pub/software/dw/jdk/security/ 60/iKeyman.8.User.Guide.pdf GSKit ersion 8 includes important changes made to the implementation of Transport Layer Security required to remediate security issues. The GSKit ersion 8 changes comply with the Internet Engineering Task Force (IETF) Request for Comments (RFC) requirements. Howeer, it is not compatible with earlier ersions of GSKit. Any component that communicates with Security Access Manager that uses GSKit must be upgraded to use GSKit ersion 7.0.4.42, or 8.0.14.26 or later. Otherwise, communication problems might occur. IBM Tioli Directory Serer IBM Tioli Directory Serer ersion 6.3 FP17 (6.3.0.17-ISS-ITDS-FP0017) is included on the IBM Security Access Manager for Web Version 7.0 product image or DVD for your particular platform. You can find more information about Tioli Directory Serer at: http://www.ibm.com/software/tioli/products/directory-serer/ IBM Tioli Directory Integrator IBM Tioli Directory Integrator ersion 7.1.1 is included on the IBM Tioli Directory Integrator Identity Edition V 7.1.1 for Multiplatform product image or DVD for your particular platform. xi IBM Security Access Manager for Web Version 7.0: Installation Guide

You can find more information about IBM Tioli Directory Integrator at: http://www.ibm.com/software/tioli/products/directory-integrator/ IBM DB2 Uniersal Database IBM DB2 Uniersal Database Enterprise Serer Edition, ersion 9.7 FP4 is proided on the IBM Security Access Manager for Web Version 7.0 product image or DVD for your particular platform. You can install DB2 with the Tioli Directory Serer software, or as a stand-alone product. DB2 is required when you use Tioli Directory Serer or z/os LDAP serers as the user registry for Security Access Manager. For z/os LDAP serers, you must separately purchase DB2. You can find more information about DB2 at: http://www.ibm.com/software/data/db2 IBM WebSphere products The installation packages for WebSphere Application Serer Network Deployment, ersion 8.0, and WebSphere extreme Scale, ersion 8.5.0.1, are included with Security Access Manager ersion 7.0. WebSphere extreme Scale is required only when you use the Session Management Serer (SMS) component. WebSphere Application Serer enables the support of the following applications: Web Portal Manager interface, which administers Security Access Manager. Web Administration Tool, which administers Tioli Directory Serer. Common Auditing and Reporting Serice, which processes and reports on audit eents. Session Management Serer, which manages shared session in a Web security serer enironment. Attribute Retrieal Serice. You can find more information about WebSphere Application Serer at: http://www.ibm.com/software/webserers/appser/was/library/ Accessibility Technical training Accessibility features help users with a physical disability, such as restricted mobility or limited ision, to use software products successfully. With this product, you can use assistie technologies to hear and naigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface. Visit the IBM Accessibility Center for more information about IBM's commitment to accessibility. For technical training information, see the following IBM Education website at http://www.ibm.com/software/tioli/education. About this publication xii

Support information IBM Support proides assistance with code-related problems and routine, short duration installation or usage questions. You can directly access the IBM Software Support site at http://www.ibm.com/software/support/probsub.html. The IBM Security Access Manager for Web Troubleshooting Guide proides details about: What information to collect before you contact IBM Support. The arious methods for contacting IBM Support. How to use IBM Support Assistant. Instructions and problem-determination resources to isolate and fix the problem yourself. Note: The Community and Support tab on the product information center can proide more support resources. xiii IBM Security Access Manager for Web Version 7.0: Installation Guide

Part 1. Planning for installation Copyright IBM Corp. 2001, 2012 1

2 IBM Security Access Manager for Web Version 7.0: Installation Guide

Chapter 1. Installation oeriew Planning for deployment It is important that you create a deployment plan before you install Security Access Manager software on the systems in your distributed enironment If you already hae Security Access Manager software installed, reiew your preious deployment plan to determine the best method for upgrading to the most current ersion. Follow the instructions that are proided in the IBM Security Access Manager for Web Upgrade Guide. Note: For the latest release information, including system requirements, disk space and memory requirements, and known defects and limitations, see the Release Notes section of the IBM Security Access Manager for Web Information Center or Technotes in the support knowledge database. Before you implement a particular Security Access Manager solution, you must determine the specific security and management capabilities that are required for your network. The first step in planning the deployment of a Security Access Manager security enironment is to define the security requirements for your computing enironment. Defining security requirements means determining the business policies that must apply to users, programs, and data. This definition includes: Objects to be secured Actions that are permitted on each object Users that are permitted to perform the actions Enforcing a security policy requires an understanding of the flow of access requests through your network topology. In your plan, identify correct roles and locations for firewalls, routers, and subnets. Deploying a Security Access Manager security enironment also requires identifying the optimal points within the network for installing software that ealuates user access requests, and grants or denies the requested access. Implementation of a security policy requires understanding the number of users, quantity of data, and throughput that your network must accommodate. You must ealuate performance characteristics, scalability, and the need for failoer capabilities. Integration of preious ersions of software, databases, and applications with Security Access Manager software must also be considered. After you hae an understanding of the features that you want to deploy, you can decide which Security Access Manager systems you need in your enironment. For useful planning documentation, including actual business scenarios, see supplemental product information at the following websites: http://www.ibm.com/redbooks/ http://www.ibm.com/software/sysmgmt/products/support/field_guides.html Copyright IBM Corp. 2001, 2012 3

Secure domain oeriew The computing enironment in which Security Access Manager enforces security policies for authentication, authorization, and access control is called a secure domain. The initial secure domain, called the management domain, is created when you install and configure the following systems: Policy serer Maintains the master authorization database for the management domain. In addition, it updates authorization database replicas and maintains location information about other Security Access Manager serers. Registry Proides a database of the user identities that are known to Security Access Manager. It also proides a representation of groups in Security Access Manager roles that are associated with users. These core systems must exist for Security Access Manager to complete fundamental operations, such as permitting or denying user access to protected objects (resources). All other Security Access Manager serices and components are built on this base. You can deploy Security Access Manager on multiple systems or install all the software necessary to configure and use the management domain on one stand-alone system. A single system setup is useful only when prototyping a deployment or deeloping and testing an application. After you configure the policy serer and registry serer, you can set up more systems in the management domain, such as an authorization serer or application deelopment system. You can also create more secure domains (if you use an LDAP registry) to securely partition data into separate, logical groupings. For information about creating multiple domains, see the IBM Security Access Manager for Web Administration Guide. Security Access Manager installation components Security Access Manager includes base and prerequisite components that are generally common to all Security Access Manager installations. Use these components to set up Security Access Manager systems that are listed in Components and prerequisites for Security Access Manager systems on page 13. Note: When you install Security Access Manager on a Windows operating system, you can specify a nondefault installation path. Ensure that the installation path that you specify does not include any national language ersion (NLV) characters. Security Access Manager base components The Security Access Manager base system includes specific installation components. These components are on the product media for the supported platforms. Use these installation components to set up base systems that are listed in Components and prerequisites for Security Access Manager systems on page 13. 4 IBM Security Access Manager for Web Version 7.0: Installation Guide

Security Access Manager Application Deelopment Kit The Security Access Manager Application Deelopment Kit proides a deelopment enironment in which you can code third-party applications to query the authorization serer for authorization decisions. This kit contains support for using both C APIs and Jaa classes for authorization and administration functions. To run the Jaa program or to compile and run your own Jaa programs, you must install and configure a Security Access Manager Runtime for Jaa system. Security Access Manager Authorization Serer The Security Access Manager Authorization Serer proides access to the authorization serice for third-party applications that use the Security Access Manager authorization API in remote cache mode. The authorization serer also acts as a logging and auditing collection serer to store records of serer actiity. Security Access Manager Policy Proxy Serer The Security Access Manager Policy Proxy Serer is used to set up a proxy serer, which acts as an intermediary between a less trusted network and a more trusted network. This serer ensures security and proides administratie control and caching serices. It is associated with, or part of, a gateway serer that separates the enterprise network from the outside network, and a firewall serer that protects the enterprise network from outside intrusion. In a Security Access Manager enironment, the proxy serer runs on behalf of the policy serer for a specified number of authorization applications and administratie functions, such as pdadmin commands. Security Access Manager Policy Serer The Security Access Manager Policy Serer maintains the master authorization database for the management domain and the policy databases associated with other secure domains that you might decide to create. This serer is key to the processing of access control, authentication, and authorization requests. It also updates authorization database replicas and maintains location information about other Security Access Manager serers. Security Access Manager supports the use of one standby policy serer on a supported platform. In enironments with a standby policy serer, if the primary policy serer goes down, the standby policy serer takes oer and acts as the primary policy serer until the primary policy serer assumes its original role. In turn, the standby policy serer reerts to a standby role. At any time, there is only one actie policy serer and only one shared copy of the policy databases. If you want to set up a standby policy serer, complete one of the following procedures: Appendix G, Setting up a standby policy serer (AIX), on page 359 Appendix H, Setting up a standby policy serer with IBM Tioli System Automation for Multiplatforms, on page 375 Chapter 1. Installation oeriew 5

Security Access Manager Runtime The Security Access Manager Runtime contains runtime libraries and supporting files that applications can use to access Security Access Manager serers. You must install and configure the Security Access Manager Runtime component on each system that runs Security Access Manager, except for IBM Security Access Manager Runtime for Jaa systems, the Security Access Manager Attribute Retrieal Serice, and the distributed sessions management systems. IBM Security Utilities The IBM Security Utilities proides common utilities that are required by Security Access Manager Runtime. This component is proided separately for each supported platform. IBM Security Access Manager Runtime for Jaa The IBM Security Access Manager Runtime for Jaa offers a reliable enironment for deeloping and deploying Jaa applications in a Security Access Manager secure domain. Use it to add Security Access Manager authorization and security serices to new or existing Jaa applications. You can use the pdjrtecfg command to configure a Jaa Runtime Enironment (JRE) to use Security Access Manager Jaa security. If you plan to install the Web Portal Manager interface, this component is required. It is also required with the Security Access Manager Application Deelopment Kit component if you are a deeloper using IBM Security Access Manager Runtime for Jaa classes. For more information, see the IBM Security Access Manager for Web: Administration Jaa Classes Deeloper Reference and the IBM Security Access Manager for Web: Authorization Jaa Classes Deeloper Reference. Security Access Manager Web Portal Manager The Security Access Manager Web Portal Manager is a web-based graphical user interface (GUI) used for Security Access Manager administration. The GUI counterpart to the pdadmin command-line interface, Web Portal Manager proides management of users, groups, roles, permissions, policies, and other Security Access Manager tasks. A key adantage of using Web Portal Manager is that you can complete these tasks remotely, without requiring any special network configuration. The Web Portal Manager interface also includes a set of delegated management serices that enables a business to delegate user administration, group and role administration, security administration, and application access proisioning to participants (subdomains) in the business system. These subdomains can further delegate management and administration to trusted subdomains under their control. See the Release Notes in the Security Access Manager Information Center for a list of browsers that you can use with Web Portal Manager. Security Access Manager License This component contains license information for Security Access Manager. This component is proided separately for each supported platform. 6 IBM Security Access Manager for Web Version 7.0: Installation Guide

Security Access Manager Web security components Security Access Manager Web security includes seeral installation components. These components are proided on the product media for each supported platforms. Use these installation components to set up Web security systems that are listed in Security Access Manager Web security systems on page 15. Security Access Manager Attribute Retrieal Serice The Security Access Manager Attribute Retrieal Serice is used with the WebSEAL authorization decision information (ADI) feature. This serice proides communication and format translation serices between the WebSEAL entitlement serice library and an external proider of authorization decision information. For more information, see the IBM Security Access Manager for Web WebSEAL Administration Guide. Security Access Manager Plug-in for Web Serers Security Access Manager Plug-in for Web Serers manages the security of your web-based resources by acting as the gateway between your clients and secure Web space. The plug-in implements the security policies that protect your Web object space. The plug-in can proide single sign-on solutions, support Web serers running as irtual hosts and incorporate Web application serer resources into its security policy. For more information, see the IBM Security Access Manager for Web: Plug-in for Web Serers Administration Guide. Security Access Manager Web Security Runtime The Security Access Manager Web Security Runtime contains shared authentication library files that are used for Web Security systems These shared files include Security Access Manager WebSEAL and the Security Access Manager Plug-in for Web Serers. Security Access Manager Web Security Application Deelopment Kit The Security Access Manager Web Security ADK contains deelopment APIs for Web Security components. The APIs include Security Access Manager cross-domain authentication serice (CDAS), the Security Access Manager cross-domain mapping framework (CDMF), and the Security Access Manager password strength module. Security Access Manager WebSEAL Security Access Manager WebSEAL is a security manager for Web-based resources. WebSEAL is a high performance, multithreaded Web serer that applies fine-grained security policy to the protected Web object space. WebSEAL can proide single sign-on solutions and incorporate backend Web application serer resources into its security policy. Security Access Manager distributed sessions management components The Security Access Manager distributed sessions management systems includes seeral installation components. Chapter 1. Installation oeriew 7

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback