Windows 2000 Agent Installation Guide

IBM Tivoli Identity Manager Windows 2000 Agent Installation Guide, Version 4.5.1, SC32-1153-04

Note: Before using this information and the product it supports, read the information in Appendix F, Notices, on page 83.

Fifth Edition (January 2004)

This edition applies to version 4.5.1 of this agent and to all subsequent releases and modifications until otherwise indicated in new editions.

Copyright International Business Machines Corporation 2004. All rights reserved. US Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Preface ... v
  Who should read this book ... v
  Publications ... v
    Tivoli Identity Manager Library ... v
    Prerequisite Product Publications ... vi
    Related Publications ... vii
    Accessing Publications Online ... vii
  Accessibility ... viii
  Contacting Software Support ... viii
  Conventions Used in this Book ... viii
    Typeface Conventions ... viii

Chapter 1. Overview ... 1
  Basic Installation ... 1
  Chapter Descriptions ... 1

Chapter 2. Agent Installation ... 3
  Requirements ... 3
  Information Worksheet ... 3
  Step 1: Installing the Agent ... 4
  Step 2: Activating the Agent as a Service ... 4
  Step 3: Configuring the Agent ... 4
  Step 4: Installing the Agent's Certificate ... 4
  Step 5: Installing the Agent's Profile ... 4
  Step 6: Ensuring Agent Communication ... 4
  Step 7: Configuring the Agent's Forms ... 4
  Step 8: Extending Supported Attributes ... 4
  Step 1: Installing the Agent ... 5
  Step 2: Activating the Agent as a Service ... 6
  Step 3: Configuring the Agent ... 6
  Step 4: Installing the Agent's Certificate ... 6
  Step 5: Installing the Agent's Profile ... 6
  Step 6: Configuring the Agent for Event Notification ... 7
  Step 7: Configuring the Agent's Forms ... 7
  Step 8: Extending Supported Attributes ... 8

Chapter 3. Agent Profile Installation ... 9
  Requirements ... 9
  Installing the Agent Profile ... 9
  Verifying the Agent Profile is Installed ... 10

Chapter 4. Supported Attribute Expansion ... 13
  Background Information ... 13
    SCHEMA.DSML File ... 13
    XFORMS.XML File ... 15
    CustomLabels.properties File ... 16
    Example Files ... 17
  Updating Agent Supported Attributes ... 18
    Step 1: Extending the Schema and Adding Extended Attributes ... 18
    Step 2: Modifying the exschema.txt File ... 19
    Step 3: Updating the schema.dsml File ... 19
    Step 4: Updating the xforms.xml File ... 20
    Step 5: Modifying the CustomLabels.properties File ... 21
    Step 6: Installing the New Attributes on the Tivoli Identity Manager Server ... 21
  Modifying the Agent Form ... 21

Chapter 5. Agent Parameters Modification ... 23
  Accessing the Agent Configuration Tool Main Menu ... 23
  Viewing Configuration Settings ... 24
  Changing Protocol Configuration Settings ... 24
    Adding a Protocol ... 25
    Removing a Protocol ... 25
    Configuring a Protocol ... 25
  Setting Event Notification ... 27
    Setting Attributes to be Reconciled ... 29
    Modifying an Event Notification Context ... 30
  Changing the Configuration Key ... 31
  Changing Activity Logging Settings ... 32
  Changing Registry Settings ... 33
    Modifying Non-encrypted Registry Settings ... 34
  Changing Advanced Settings ... 34
  Viewing Statistics ... 36
  Accessing Help and Additional Options ... 36

Chapter 6. Certificate Installation ... 39
  Overview of SSL and Digital Certificates ... 39
  Basic Configuration for Server-to-Agent SSL ... 40
  Clustered Tivoli Identity Manager Configuration ... 40
  Accessing the Certificate Configuration Tool Main Menu ... 40
  Generating a Private Key and Certificate Request ... 42
    Example of Certificate Request Script ... 43
    Example of request.pem File ... 43
  Installing the Certificate from a File ... 44
  Installing the Certificate and Key from a PKCS12 File ... 44
  Viewing Installed Certificates ... 44
  Viewing CA Certificates ... 44
  Installing a CA Certificate ... 45
  Deleting a CA Certificate ... 45
  Viewing Registered Certificates ... 45
  Registering a Certificate ... 45
  Unregistering a Certificate ... 46

Appendix A. Agent Variables ... 47
  Variable Descriptions ... 47
  Variables by Windows 2000 Agent Actions ... 56
    System Login Add ... 56
    System Login Change ... 56
    System Login Delete ... 56
    System Login Suspend ... 56
    System Login Restore ... 56
    Reconciliation ... 57
  PostalCountry Values ... 59

Appendix B. Additional Installation Options ... 63
  Installation Options ... 63
    Console Option ... 63
    Setup Arguments ... 63
  Agent Removal ... 63

Appendix C. Standard SCHEMA.DSML File ... 65

Appendix D. Standard XFORMS.XML File ... 77

Appendix E. Standard CustomLabels.properties File ... 81

Appendix F. Notices ... 83
  Trademarks ... 84

Index ... 87

Copyright IBM Corp. 2003 iii
iv IBM Tivoli Identity Manager: Windows 2000 Agent Installation Guide

Preface

The Tivoli Identity Manager Windows 2000 Agent (Windows 2000 Agent) enables connectivity between the IBM Tivoli Identity Manager Server and a network of systems running the Windows 2000 resources. After the agent is installed and prepared, Tivoli Identity Manager manages access to Windows 2000 resources with your site's security system. This manual describes how to install and prepare a Windows 2000 Agent.

Who should read this book

This manual is intended for Windows 2000 system and security administrators responsible for installing software on their site's computer systems. Readers are expected to understand Windows 2000 concepts. The person completing the installation procedure should also be familiar with their site's system standards. Readers should be able to perform routine Windows 2000 system and security administration tasks.

Publications

Read the descriptions of the Tivoli Identity Manager library, the prerequisite publications, and the related publications to determine which publications you might find helpful. After you determine the publications you need, refer to the instructions for accessing publications online.

Tivoli Identity Manager Library

The publications in the Tivoli Identity Manager technical documentation library are organized into the following categories:
  Release Information
  Online User Assistance
  Server Installation
  Administration and Configuration
  Technical Supplements
  Agent Installation

Release Information:
  Tivoli Identity Manager Server Release Notes
    Provides software and hardware requirements for Tivoli Identity Manager, and additional fix, patch, and other support information.
  Tivoli Identity Manager Read This First Card

Online User Assistance:
  Online user assistance for Tivoli Identity Manager
    Provides integrated online help topics for all Tivoli Identity Manager administrative tasks.

Server Installation:
  IBM Tivoli Identity Manager Server Installation Guide on UNIX and Linux using WebSphere

    Provides installation information for Tivoli Identity Manager.
  IBM Tivoli Identity Manager Server Installation Guide on Windows using WebSphere
    Provides installation information for Tivoli Identity Manager.
  IBM Tivoli Identity Manager Server Installation Guide on UNIX using WebLogic
    Provides installation information for Tivoli Identity Manager.
  IBM Tivoli Identity Manager Server Installation Guide on Windows 2000 using WebLogic
    Provides installation information for Tivoli Identity Manager.

Administration and Configuration:
  Tivoli Identity Manager Policy and Organization Administration Guide
    Provides topics for Tivoli Identity Manager administrative tasks.
  Tivoli Identity Manager End User Guide
    Provides beginning user information for Tivoli Identity Manager.
  Tivoli Identity Manager Server Configuration Guide
    Provides configuration information for single-server and cluster Tivoli Identity Manager configurations.

Technical Supplements:
  Tivoli Identity Manager Troubleshooting Guide
    Provides additional problem solving information for the Tivoli Identity Manager product.

Agent Installation:
  The Tivoli Identity Manager technical documentation library also includes an evolving set of platform-specific installation documents for the Agent component of a Tivoli Identity Manager implementation.

Prerequisite Product Publications

To use the information in this book effectively, you must have knowledge of the products that are prerequisites for Tivoli Identity Manager. Publications are available from the following locations:

WebSphere Application Server
  http://www.ibm.com/software/webservers/appserv/support.html
  Note: The following brief list of Redbooks describes installing and configuring WebSphere Application Server and providing additional security. Although the list was current when this publication went to production, publications may become obsolete. Contact your customer representative for a recommended list of resource information.
    IBM WebSphere Application Server V5.0 System Management and Configuration, an IBM Redbook
    IBM WebSphere Application Server V5.0 Security, an IBM Redbook

WebLogic Application Server
  http://e-docs.bea.com/

Database servers
  IBM DB2
    http://www.ibm.com/software/data/db2/udb/support.html
    http://www.ibm.com/software/data/db2

  Oracle
    http://otn.oracle.com/tech/index.html
  Microsoft SQL Server 2000 (SP3)
    http://msdn.microsoft.com/library/

Directory server applications
  IBM Directory Server
    http://www.ibm.com/software/network/directory
  Sun ONE Directory Server
    http://wwws.sun.com/software/products/directory_srvr/5.1/index.html

WebSphere embedded messaging support (or IBM MQSeries)
  http://www.ibm.com/software/ts/mqseries

Web Proxy Server
  IBM HTTP Server
    http://www.ibm.com/software/webservers/httpservers/library.html
  Microsoft IIS HTTP Server
    http://www.microsoft.com/technet/prodtechnol/iis/default.asp
  Apache HTTP Server
    http://httpd.apache.org/docs-project

Related Publications

Information related to Tivoli Identity Manager Server is available in the following publications:

The Tivoli Software Library provides a variety of Tivoli publications such as white papers, datasheets, demonstrations, redbooks, and announcement letters. The Tivoli Software Library is available on the Web at:
  http://www.ibm.com/software/tivoli/library/

The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available, in English only, from the Glossary link on the left side of the Tivoli Software Library Web page at:
  http://www.ibm.com/software/tivoli/library/

Accessing Publications Online

The publications for this product are available online in Portable Document Format (PDF) or Hypertext Markup Language (HTML) format, or both, in the Tivoli software library:
  http://www.ibm.com/software/tivoli/library

To locate product publications in the library, click the Product manuals link on the left side of the library page. Then, locate and click the name of the product on the Tivoli software information center page. Product publications include release notes, installation guides, user's guides, administrator's guides, and developer's references.

Note: To ensure proper printing of PDF publications, select the Fit to page check box in the Adobe Acrobat Print window (which is available when you click File > Print).

Accessibility

The product documentation includes the following features to aid accessibility:
  Documentation is available in both HTML and convertible PDF formats to give the maximum opportunity for users to apply screen-reader software.
  All images in the documentation are provided with alternative text so that users with vision impairments can understand the contents of the images.

Contacting Software Support

Before contacting IBM Tivoli Software Support with a problem, refer to the IBM Tivoli Software Support site by clicking the Tivoli support link at the following Web site:
  http://www.ibm.com/software/support/

If you need additional help, contact software support by using the methods described in the IBM Software Support Guide at the following Web site:
  http://techsupport.services.ibm.com/guides/handbook.html

The guide provides the following information:
  Registration and eligibility requirements for receiving support
  Telephone numbers, depending on the country in which you are located
  A list of information you should gather before contacting customer support

Conventions Used in this Book

This reference uses several conventions for special terms and actions.

Typeface Conventions

The following typeface conventions are used in this reference:

Bold
  Lowercase commands or mixed case commands that are difficult to distinguish from surrounding text, keywords, parameters, options, names of Java classes, and objects are in bold.
Italic
  Variables, titles of publications, and special words or phrases that are emphasized are in italic.
Monospace
  Code examples, command lines, screen output, file and directory names that are difficult to distinguish from surrounding text, system messages, text that the user must type, and values for arguments or command options are in monospace.

Chapter 1. Overview

This installation guide provides all of the basic information necessary to install and configure the Windows 2000 Agent components. This chapter provides a simple overview of the installation process and a brief overview of the information in each chapter.

Basic Installation

The following lists the basic procedures necessary to install, configure, and run the agent:
1. Install the agent software.
2. Activate the Windows 2000 Agent as a service on the agent's system.
3. Configure the agent's communication protocols to enable the Windows 2000 Agent to communicate with the Tivoli Identity Manager Server.
4. Install the agent's profile on the Tivoli Identity Manager Server.
5. Configure the Tivoli Identity Manager Server to recognize the agent as a service.
6. Add the extended attributes to the agent's schema.

Chapter Descriptions

The Windows 2000 Agent Installation Guide contains information pertinent to the proper installation and configuration of the Windows 2000 Agent in the following chapters and appendices:

Chapter 1, Overview
  Provides an overview of this document and the basic procedures necessary to install and configure this agent.
Chapter 2, Agent Installation
  Contains detailed information about installing the agent. This chapter also contains additional steps required to configure the agent properly.
Chapter 3, Agent Profile Installation
  Contains detailed information about installing the agent's profile on the Tivoli Identity Manager Server. Installing the agent's profile on the Tivoli Identity Manager Server allows the Tivoli Identity Manager Server to recognize the agent. If the agent profile is not installed on the Tivoli Identity Manager Server, the Tivoli Identity Manager Server will not be able to manage access to the Windows 2000 resources.
Chapter 4, Supported Attribute Expansion
  Contains detailed information about configuring the Windows 2000 Agent to support extended attributes in the Windows 2000 Active Directory. The procedures in this chapter are optional, based on your site's configuration.
Chapter 5, Agent Parameters Modification
  Contains information about using the agentcfg tool. The agentcfg tool provides an easy way to configure various properties specific to the agent, such as communication protocols, logging settings, and so on.
Chapter 6, Certificate Installation
  Contains information about using the CertTool tool. The CertTool tool provides an easy way to request, install, and register certificates for use with the agent.
Appendix A, Agent Variables
  Contains information about the agent variables.
Appendix B, Additional Installation Options
  Contains additional installation options information and information about uninstalling the agent.
Appendix C, Standard SCHEMA.DSML File
  Contains information about the standard SCHEMA.DSML file.
Appendix D, Standard XFORMS.XML File
  Contains information about the standard XFORMS.XML file.
Appendix E, Standard CustomLabels.properties File
  Contains information about the standard CustomLabels.properties file.
Appendix F, Notices
  Contains legal notices for this agent.

Chapter 2. Agent Installation

This chapter describes the procedure to install and configure the Windows 2000 Agent software. Each step includes a short procedure that completes one aspect of the overall agent installation process. You must complete the steps in the order they are listed. Before you begin the installation, create an account on the managed resource for the agent to use.

Requirements

The following table identifies hardware, software, and authorization requirements to install the Windows 2000 Agent. Verify that all of the requirements have been met before installing the Windows 2000 Agent.

Table 1. Requirements to install the agent

System
  The agent must be installed on a server with a 32-bit x86-based microprocessor, at least 128 MB of memory, and at least 100 MB of free disk space. For security purposes, IBM recommends installing the agent on a Windows NT file system.
Operating System
  One of the following operating systems must be operational on the system where the agent is installed:
    Windows 2000 Server running Active Directory
    Windows 2003 Server
    Windows XP Professional
Network Connectivity
  The agent must be installed on a system that can communicate with the Tivoli Identity Manager Server through a TCP/IP network.
System Administrator Authority
  The person completing the Windows 2000 Agent installation procedure must have system administrator authority to complete the steps in this chapter.
Server Communication
  Communication between the Tivoli Identity Manager Application Server and the Windows 2000 Server should be tested before installing any IBM software. This makes troubleshooting easier if you encounter installation problems.

Information Worksheet

Use the following worksheet to document information required to install and configure the Windows 2000 Agent. Complete this worksheet before starting the installation procedure. The worksheet includes default values used by the agent and identifies the information you need to modify during installation.

Make a copy of the worksheet for each server where you are installing the Windows 2000 Agent. For example, if you have five Windows servers where you are installing the Windows 2000 Agent, you need five copies of the worksheet.

Step 1: Installing the Agent

The Tivoli Identity Manager Windows 2000 Agent installation files are available for download from IBM's Web site. Contact your IBM account representative for the Web address and download instructions. Create a dedicated account for the agent to use to access the Windows 2000 resources and then proceed to install the Windows 2000 Agent using the provided executable installation program. The Windows 2000 Agent destination directory default is the C:\Tivoli\Agents\Win2000Agent directory. For more information, see Step 1: Installing the Agent on page 5.

Step 2: Activating the Agent as a Service

Start the Windows 2000 Agent as a service and configure it to start automatically. For more information, see Step 2: Activating the Agent as a Service on page 6.

Step 3: Configuring the Agent

Configure the agent's communication protocol to use the DAML protocol to communicate with the Tivoli Identity Manager Server. For more information, see Step 3: Configuring the Agent on page 6.

Step 4: Installing the Agent's Certificate

Install the agent's certificate. This certificate is used by the DAML protocol during communication with the Tivoli Identity Manager Server. For more information, see Step 4: Installing the Agent's Certificate on page 6.

Step 5: Installing the Agent's Profile

Install the agent's profile on the Tivoli Identity Manager Server. For more information, see Step 5: Installing the Agent's Profile on page 6.

Step 6: Ensuring Agent Communication

Ensure the Windows 2000 Agent is in communication with the Tivoli Identity Manager Server. For more information, see Step 6: Configuring the Agent for Event Notification on page 7.

Step 7: Configuring the Agent's Forms

Configure the agent's forms on the Tivoli Identity Manager Server. For more information, see Step 7: Configuring the Agent's Forms on page 7.

Step 8: Extending Supported Attributes

Note: This is an optional step and should only be completed if required based on your site's configuration.

Extend the agent's schema to support the extended attributes in the Windows 2000 Active Directory. For more information, see Step 8: Extending Supported Attributes on page 8.

Step 1: Installing the Agent

An executable installation program is provided for the Windows 2000 Agent. When you run the installation program, you can accept the default settings or select new values. The Tivoli Identity Manager Windows 2000 Agent installation files are available for download from IBM's Web site. Contact your IBM account representative for the Web address and download instructions.

Prior to installing the agent, create a dedicated account for the agent to use to access the Windows 2000 resources.

To install the agent, do the following:
1. Download the Windows 2000 Agent installation zip file from IBM's Web site.
2. Extract the contents of the Windows 2000 Agent installation zip file into a temporary directory.
3. Select Run... from the Start menu and type the path to the temporary directory followed by Setup.exe. For example: C:\Temp\Setup.exe. The Welcome dialog window appears.
4. Click Next. The License Agreement window opens.
5. Read the license agreement and decide whether to accept its terms. If you do, click Accept.
6. Click Next. The Select Destination Directory dialog window appears.

   Figure 1. Select Destination Directory dialog window (InstallShield dialog: "Click Next to install <agentname> to this directory, or click Browse to install to a different directory." Directory Name: C:\tivoli\agents\<agentname>; buttons Browse..., < Back, Next >, Cancel)

7. Accept the default or select an alternate destination path and click Next. The Install Summary dialog window appears.
8. Click Next. The agent components are installed and the Installation Completed dialog window appears.
9. Click Finish.

Step 2: Activating the Agent as a Service

The Windows 2000 Agent is installed on the Windows 2000 Server and automatically starts whenever the server is rebooted. However, the service is not active after installation. Select the Windows 2000 Agent service to start the Windows 2000 Agent software on the target platform.

Step 3: Configuring the Agent

The Windows 2000 Agent uses the DAML protocol to ensure secure communication with the Tivoli Identity Manager Server. Default protocol values are provided. However, you must configure the DAML protocol for your site's systems. See Changing Protocol Configuration Settings on page 24 for more information.

Note: A certificate must be installed for the DAML protocol. Refer to Chapter 6, Certificate Installation, on page 39 for more information about installing certificates.

Step 4: Installing the Agent's Certificate

A certificate must also be installed for the DAML protocol. You must obtain a production certificate from a well-known Certificate Authority or create your own certificate using your own Certificate Authority. The Windows 2000 Agent does not come prepackaged with a certificate. See Chapter 6, Certificate Installation, on page 39 for more information about installing certificates.

When you install the new certificate, you will also need to install the new Certificate Authority on the Tivoli Identity Manager Server. Refer to the Tivoli Identity Manager Server Configuration Guide for more information.

Note: You must configure the DAML protocol before installing your certificate. Stop and restart the agent after the certificate is installed.

Step 5: Installing the Agent's Profile

Before an agent can be added as a service to the Tivoli Identity Manager Server, the server must have a service profile to recognize the agent as a service. Refer to Chapter 3, Agent Profile Installation, on page 9 for more information on installing the agent's profile on the Tivoli Identity Manager Server.

Note: If this is an upgrade of an existing agent, the new agent schema will not be reflected immediately. The Tivoli Identity Manager system stores the agent schema in memory. However, this cache is periodically refreshed and the new agent schema will be reflected after the cache is refreshed. Re-boot the Tivoli Identity Manager system to refresh the agent schema immediately.

Step 6: Configuring the Agent for Eent Notification You can choose to configure eent notification for agents configured to use the DAML protocol. Complete this step only if you want to monitor agent attributes for changes that will trigger eent notifications. Note: This step is optional. The agent can accept requests from the Tioli Identity Manager Serer whether you configure eent notification or not. To do this, identify the Tioli Identity Manager Serer. 1. Select Configure Protocol from the Agent Protocol Configuration Menu. For more information, see Changing Protocol Configuration Settings on page 24. 2. Select DAML as the protocol to configure. 3. Select SRV_NODENAME. 4. Specify the IP address or fully-qualified hostname that identifies the Tioli Identity Manager Serer and press Enter. The Protocol Properties menu reappears and displays your new settings. 5. Select SRV_PORTNUMBER. 6. Specify the port number the Tioli Identity Manager Serer uses to connect to the agent and press Enter. The Protocol Properties menu reappears and displays your new settings. 7. Select SRV_USERNAME. 8. Specify the username the Tioli Identity Manager Serer uses to connect to the agent and press Enter. The Protocol Properties menu reappears and displays your new settings. 9. Select SRV_PASSWORD 10. Specify the password for the username the Tioli Identity Manager Serer uses to connect to the agent and press Enter. The Protocol Properties menu reappears and displays your new settings. Step 7: Configuring the Agent s Forms Configure the agent s serice maintenance and account maintenance forms on the Tioli Identity Manager Serer. Refer to the Tioli Identity Manager Policy and Organization Administration Guide for more information. The Base Point for the Windows 2000 Agent is the point in the directory serer that is used as the root for the agent. This point can be an OU or DC point. The Base Point is an optional alue. 
If it is left blank, the agent will use the default domain of the machine on which it is installed.

The following is an example of a Base Point defined from the root of the directory server:

   dc=irvine,dc=ibm,dc=com

The following is an example of a Base Point defined from an organizational unit level:

   dc=engineering,dc=irvine,dc=ibm,dc=com

The Admin User Account and the Admin User Password are optional values that are only required if an administrator account is defined for the agent's Base Point and you want to use this account for logging purposes. If these values are not defined, the agent will use the account assigned to the agent service.

Note: Do not create service instances that overlap in scope in the directory tree. Service instances that contain other service instances of the same type will return duplicate accounts during reconciliations.

Step 8: Extending Supported Attributes

If your site extended user attributes in the Windows 2000 Active Directory, you can modify the Windows 2000 Agent schema to allow the Tivoli Identity Manager Agent to support these attributes. Refer to Chapter 4, "Supported Attribute Expansion", on page 13 for more information about this process.
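The overlap rule in the Step 7 note above can be checked before service instances are created. The following is an added example, not part of the IBM guide: it normalises each service's Base Point DN and reports every instance whose scope lies inside another instance's scope. The service names and Base Points are constructed, and an empty Base Point (the agent's default domain) is assumed here to be the broadest scope.

```python
# Added example (not part of the IBM guide): flag Windows 2000 Agent service instances whose
# Base Points overlap in the directory tree, the situation the guide warns returns duplicate
# accounts during reconciliation. Service names and Base Points below are constructed.


def parse_dn(dn):
    """Split a Base Point DN into normalised (attribute, value) RDNs, root first, so that
    'inside the scope of' becomes a list-prefix test. An empty Base Point (the agent's
    default domain) parses to [] and is treated here as the broadest scope (assumption)."""
    rdns = []
    for part in dn.split(","):
        if part.strip():
            attr, _, value = part.partition("=")
            rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns[::-1]


def scope_contains(outer, inner):
    """True when Base Point 'outer' is the same as, or an ancestor of, Base Point 'inner'."""
    o, i = parse_dn(outer), parse_dn(inner)
    return i[:len(o)] == o


def overlapping_services(services):
    """services: {service name: Base Point}. Return (container, contained) pairs for every
    service whose scope lies inside another service's scope (both directions for equal
    Base Points). An empty list means the instances do not overlap."""
    return [(a, b) for a in services for b in services
            if a != b and scope_contains(services[a], services[b])]


# Constructed service definitions: "corp-root" contains both "engineering" and "sales";
# "sales" is written with mixed case and spaces to show the normalisation.
SERVICES = {
    "corp-root": "dc=irvine,dc=ibm,dc=com",
    "engineering": "dc=engineering,dc=irvine,dc=ibm,dc=com",
    "sales": "OU=Sales, DC=Irvine, DC=IBM, DC=com",
    "lab": "dc=lab,dc=example,dc=com",
}

if __name__ == "__main__":
    for container, contained in overlapping_services(SERVICES):
        print(f"{contained!r} lies inside {container!r}: expect duplicate accounts")
```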

Chapter 3. Agent Profile Installation

Requirements

Before an agent can be added as a service to the Tivoli Identity Manager Server, the server must have a service profile to recognize the agent as a service. The Windows 2000 Agent comes with a second installation script that installs the agent's profile on the Tivoli Identity Manager Server as a service profile.

This chapter describes the procedure to install and configure the Windows 2000 Agent profile on the Tivoli Identity Manager Server. Each step includes a short procedure that completes one aspect of the overall profile installation process. You must complete the steps in the order they are listed.

Notes:
1. If you intend to install multiple agent profiles on the Tivoli Identity Manager Server, it is important that you install them one at a time. You must wait for a single profile installation to complete before starting the next profile installation.
2. If you are upgrading the agent software, you must also upgrade the agent profile on the Tivoli Identity Manager Server.
3. In a WebLogic Application Server cluster, the agent profile must be installed on every managed server. If the agent profile is not installed on every member of the cluster, the managed server that did not have the agent profile installed will not recognize the agent as a service if the other managed servers become unavailable.
4. In a WebSphere Application Server cluster, you should install the agent profile on the computer on which Network Deployment Manager is installed, although the agent profile can be installed on any server in the cluster. The profile information is pushed into the directory and becomes available to all cluster members.

The following table identifies hardware, software, and authorization requirements to install the Windows 2000 Agent profile on the Tivoli Identity Manager Server. Verify that all the requirements have been met before installing the Windows 2000 Agent profile.

Table 2. Requirements before installing an agent profile

   Server: The Tivoli Identity Manager Server must be installed and running before the agent's profile can be installed.
   System Administrator Authority: The person completing the Windows 2000 Agent profile installation must have root access to the Tivoli Identity Manager Server to complete the procedures in this chapter.

Installing the Agent Profile

1. Log in to the Tivoli Identity Manager Server using an administrative account.
2. Download the Windows 2000 Agent installation zip file from IBM's Web site and extract the contents of the zip file into a temporary directory.

Copyright IBM Corp. 2003

Note: Contact your IBM account representative for the Web address and download instructions for agent installation files.

3. Complete one of the following:

   For a Tivoli Identity Manager Server installed on a UNIX platform: Change the working directory to the temporary directory where you extracted the agent installation files.

      # cd /tmp

   where tmp is the path of the directory containing the agent installation files. Run the Windows 2000 Agent profile installation script that is appropriate for your operating system.

      # ./w2kprofile_<operating system>.bin

   where <operating system> is the name of your operating system, such as aix, solaris, linux, or hpxxxx. A graphical user interface appears.

   For Tivoli Identity Manager Servers installed on Windows: Select Run... from the Start menu, type the path to the temporary directory where you extracted the agent installation followed by w2kprofile.exe. For example:

      C:\temp\w2kprofile.exe

   The Language Selection dialog window appears.

4. Select a language for your installation wizard session and click OK. The Welcome dialog window appears.
5. Click Next. The Select Tivoli Identity Manager Home Directory screen appears.
6. Type the Tivoli Identity Manager Server home directory in the text field and click Next. You can also select the directory by clicking Browse... and browsing to the correct directory. You must install the agent profile in the same home directory in which the Tivoli Identity Manager Server is installed.
   Note: If the installation program cannot determine whether the Tivoli Identity Manager Server home directory that you entered is correct, the ITIM Not Found dialog window is displayed.
   The Install Summary dialog window appears.
7. Click Next. The Installation Progress dialog window appears. Upon successful installation, the Applying Schema Updates window appears, and any schema updates will be applied. The Install Complete dialog window appears after installation is complete.
8. Click Finish to conclude the installation process.

Verifying the Agent Profile is Installed

To ensure that the agent profile installed correctly, navigate to the directory where agent profile files are installed. If the agent profile installation was successful, an agent profile directory will be created in the remote_resources folder. Examples are provided below:

   For Windows: C:\itim\data\remote_resources\nt40profile\
   For UNIX: /itim/data/remote_resources/nt40profile/


Chapter 4. Supported Attribute Expansion

Background Information

The Windows 2000 Active Directory can support custom attributes for the user class. The Windows 2000 Agent only supports standard Windows 2000 attributes out of the box. However, the agent can be modified to support custom (extended) attributes. This chapter describes how to customize the Windows 2000 Agent to support these extended attributes.

Note: The steps in this chapter must be completed in the order they are listed.

There are four basic steps to customize the Windows 2000 Agent to support extended attributes in the Windows Active Directory:
1. Update the schema.dsml file on the Tivoli Identity Manager Server.
2. Add the extended attributes to the xforms.xml file.
3. Update the customlabels.properties file.
4. Run the configure_remote_services script.

Additional steps can be completed as desired to utilize the attributes during basic operation of the Tivoli Identity Manager Server. The following sections describe the various files that must be modified to customize the Windows 2000 Agent.

SCHEMA.DSML File

The schema.dsml file defines the attributes and objects that the agent supports. The schema.dsml file has the following format:

   <?xml version="1.0" encoding="UTF-8"?>
   <dsml>
      <directory-schema>
         (List of attributes)
         (List of classes follow the attributes)
      </directory-schema>
   </dsml>

Object Identifier

The Tivoli Identity Manager Server uses LDAP directory services to add, delete, modify, and search Tivoli Identity Manager data. Each data item in an LDAP Directory Server must have a unique Object Identifier (OID). Therefore, each attribute and class in Tivoli Identity Manager has an OID. OIDs have the following syntax:

   enterprise ID.product ID.agent ID.object ID.instance ID

The enterprise ID is always 1.3.6.1.4.1.6054 for IBM. The product ID is always 3 because these schema.dsml files are used with agents.

The agent ID is 26 for the Windows 2000 Agent. The object ID is 2 for an attribute. The instance ID is a sequential number of the object.

Attribute Definition

The Tivoli Identity Manager Server has a common schema.dsml file that contains all of the attributes common to all agents. This common schema.dsml file also contains Tivoli Identity Manager Server attributes that can be used by any agent.

Note: Before defining unique attributes for the agent, verify that the attribute does not exist in the common schema.dsml file.

The following is an example of how an attribute is defined:

   <!-- *********************************************** -->
   <!-- ersamplehome -->
   <!-- *********************************************** -->
   <attribute-type single-value="true">
      <name>ersamplehome</name>
      <description>User home directory</description>
      <object-identifier>1.3.6.1.4.1.6054.3.26.2.100</object-identifier>
      <syntax>1.3.6.1.4.1.1466.115.121.1.15</syntax>
   </attribute-type>

Note: Comment lines are denoted by the <!-- ... --> markers.

The attribute type is defined as single-value or multi-value. A single-value attribute is denoted by the line <attribute-type single-value="true">. To denote a multi-valued attribute, change the true value to false.

The name of the attribute used by the Tivoli Identity Manager Server is identified by the <name>...</name> tags. IBM recommends using erw2k as a prefix for all new attributes so they can be identified easily in your Windows 2000 Active Directory. When attributes have already been defined in the Windows Active Directory and they do not conflict with existing attributes, they can be used without changing their names. These attribute names are transformed into agent attribute names by the xforms.xml file. See "XFORMS.XML File" on page 15 for more information about server/agent attribute translations.

The description of the attribute is denoted by the <description>...</description> tags.

The OID is defined using the <object-identifier>...</object-identifier> tags.
Because OIDs are already assigned to the existing, standard attributes, the OID can be copied from the last attribute in the list. However, the last number must be incremented by one for each new attribute added to the schema.dsml file.

The data type is defined using the <syntax>...</syntax> tags. The following table lists various syntaxes and the corresponding data types.

Table 3. Data types and syntaxes

   Data Type          Syntax
   Bit string         1.3.6.1.4.1.1466.115.121.1.6
   Boolean            1.3.6.1.4.1.1466.115.121.1.7
   Directory String   1.3.6.1.4.1.1466.115.121.1.15
   UTC Coded Time     1.3.6.1.4.1.1466.115.121.1.24
   Integer            1.3.6.1.4.1.1466.115.121.1.27

Classes

The schema.dsml file defines all of the classes used by the agent. The classes are used to declare accounts, services, and supporting data. At least one account class and one service class must be defined in the schema.dsml file. Each class requires a name attribute which is used to identify it. Additional attributes may be required depending on the class defined. The following displays the syntax for defining a class:

   <class superior="top">
      <name>...</name>
      <description>...</description>
      <object-identifier>...</object-identifier>
      <attribute ref="..." required="true"/>
      <attribute ref="..." required="true"/>
   </class>

To make an attribute optional for a class, change required="true" to required="false" in the attribute ref tag.

Account Class

An account class defines which attributes are used to describe an account. An account class must be defined in the schema.dsml file. The following is an example of an account class:

   <class superior="top">
      <name>ersampleaccount</name>
      <description>Sample Account</description>
      <object-identifier>1.3.6.1.4.1.6054.3.26.1.101</object-identifier>
      <attribute ref="eruid" required="true"/>
      <attribute ref="eraccountstatus" required="false"/>
      <attribute ref="ersamplegroups" required="false"/>
      <attribute ref="ersamplehome" required="false"/>
      <attribute ref="ersampledesc" required="false"/>
      <attribute ref="erpassword" required="false"/>
   </class>

In this example, the class name is ersampleaccount and the only required attribute is eruid. However, eraccountstatus is a required attribute to suspend or restore accounts.

XFORMS.XML File

The xforms.xml file translates Tivoli Identity Manager Server attributes to Windows 2000 Agent attributes. Every parameter that the Windows 2000 Agent accepts must be identified in the xforms.xml file. The xforms.xml file has the following format:

   <?xml version="1.0" encoding="UTF-8"?>
   <EnRoleTransformations>
      (attribute transformations)
   </EnRoleTransformations>

Attributes are transformed in the xforms.xml file using the following syntax:

   <EnRoleAttribute Name="eruid" RemoteName="eruid"/>

If a new attribute defined on the Windows Active Directory Server is a multi-valued attribute, the following line must be added to the xforms.xml file on the Tivoli Identity Manager Server for the Windows 2000 Agent:

   <EnRoleAttribute Name="attributename" RemoteName="attributename" ConvertReplaceToAddDelete="true"/>

where attributename is the name of the new attribute on the Windows Active Directory Server.

Note: If the new attribute is a multi-valued attribute, the multi-valued attribute must have ConvertReplaceToAddDelete="true" added to its definition.

Attributes

Attribute names must be translated between the Tivoli Identity Manager Server and the agent. Attributes are identified in the xforms.xml file with the EnRoleAttribute tag. The value of EnRoleAttribute Name is the name of the attribute in the Windows Active Directory. The RemoteName is the name of the attribute in the Tivoli Identity Manager Server. For example, if the agent used an attribute called GROUP to identify the group a user belongs to, the GROUP attribute is declared as follows:

   <EnRoleAttribute Name="ergroup" RemoteName="GROUP"/>

Location

The Windows 2000 Agent xforms.xml file is located in two places after the agent is installed: on the agent's system and on the Tivoli Identity Manager Server. Both copies of this file must be updated to include the new attributes.

The Windows 2000 Agent's copy of the xforms.xml file is located in the $Agent_Install\data directory.

The Tivoli Identity Manager Server's copy of the xforms.xml file is located in the $ENROLE_HOME/data/remote_resources/w2kprofile directory.

CustomLabels.properties File

The CustomLabels.properties file is an ASCII file that defines the labels (or prompts) on the agent's form. The syntax for the information in the file is:

   Attribute=Text

Attribute is the same attribute defined in the xforms.xml file. Text is the label or prompt that appears on the agent's form.

Note: The Attribute must be in lower case. This is a Tivoli Identity Manager Server requirement.

Example CustomLabels.properties File

   #
   # Sample Agent Label Definitions
   #
   ersamplegroups=Groups
   ersamplehome=Home Directory
   ersampledesc=Description

Example Files

The following sections provide examples of the changes made to each file for a set of new attributes.

EXSCHEMA.TXT File

   W2KString1
   W2KInteger
   W2KDate
   W2KBoolean
   W2KMultiValueString

SCHEMA.DSML File

   <?xml version="1.0" encoding="UTF-8"?>
   <!-- edited with XML Spy 3.5 NT (http://www.xmlspy.com) by IBM -->
   <dsml>
   <!-- ******************************************************** -->
   <!-- Schema supported by the Windows agent. -->
   <!-- ******************************************************** -->
   <directory-schema>
   ...
   <!-- ******************************************************** -->
   <!-- erw2kstring1 -->
   <!-- ******************************************************** -->
   <attribute-type single-value="true">
      <name>erw2kstring1</name>
      <description/>
      <object-identifier>1.3.6.1.4.1.6054.3.26.2.100</object-identifier>
      <syntax>1.3.6.1.4.1.1466.115.121.1.15</syntax>
   </attribute-type>
   <!-- ******************************************************** -->
   <!-- erw2kinteger -->
   <!-- ******************************************************** -->
   <attribute-type single-value="true">
      <name>erw2kinteger</name>
      <description/>
      <object-identifier>1.3.6.1.4.1.6054.3.26.2.101</object-identifier>
      <syntax>1.3.6.1.4.1.1466.115.121.1.27</syntax>
   </attribute-type>
   <!-- ******************************************************** -->
   <!-- erw2kdate -->
   <!-- ******************************************************** -->
   <attribute-type single-value="true">
      <name>erw2kdate</name>
      <description/>
      <object-identifier>1.3.6.1.4.1.6054.3.26.2.102</object-identifier>
      <syntax>1.3.6.1.4.1.1466.115.121.1.24</syntax>
   </attribute-type>
   <!-- ******************************************************** -->
   <!-- erw2kboolean -->
   <!-- ******************************************************** -->
   <attribute-type single-value="true">
      <name>erw2kboolean</name>
      <description/>
      <object-identifier>1.3.6.1.4.1.6054.3.26.2.103</object-identifier>
      <syntax>1.3.6.1.4.1.1466.115.121.1.7</syntax>
   </attribute-type>
   <!-- ******************************************************** -->
   <!-- erw2kmultivaluestring -->
   <!-- ******************************************************** -->
   <attribute-type>
      <name>erw2kmultivaluestring</name>
      <description>List of string values</description>
      <object-identifier>1.3.6.1.4.1.6054.3.26.2.104</object-identifier>
      <syntax>1.3.6.1.4.1.1466.115.121.1.15</syntax>
   </attribute-type>
   ...
   <!-- ******************************************************** -->
   <!-- erw2kaccount Class -->
   <!-- ******************************************************** -->
   <class superior="top">
      <name>erw2kaccount</name>
      <description>Windows account.</description>
      <object-identifier>1.3.6.1.4.1.6054.3.26.1.1</object-identifier>
      ...
      <attribute ref="erw2kboolean" required="false"/>
      <attribute ref="erw2kdate" required="false"/>
      <attribute ref="erw2kinteger" required="false"/>
      <attribute ref="erw2kmultivaluestring" required="false"/>
      <attribute ref="erw2kstring1" required="false"/>
   </class>
   ...
   </directory-schema>
   </dsml>

XFORMS.XML File

   <?xml version="1.0" encoding="UTF-8"?>
   <!-- edited with XML Spy 3.5 NT (http://www.xmlspy.com) by IBM -->
   <!-- W2K Build version 4.1.1011 -->
   <EnRoleTransformations>
   ...
   <EnRoleAttribute Name="erw2kstring1" RemoteName="erw2kstring1"/>
   <EnRoleAttribute Name="erw2kinteger" RemoteName="erw2kinteger"/>
   <EnRoleAttribute Name="erw2kdate" RemoteName="erw2kdate"/>
   <EnRoleAttribute Name="erw2kboolean" RemoteName="erw2kboolean"/>
   <EnRoleAttribute Name="erw2kmultivaluestring" RemoteName="erw2kmultivaluestring" ConvertReplaceToAddDelete="true"/>
   </EnRoleTransformations>

CustomLabels.properties File

   #
   # Win2KAgent Labels definitions
   #
   ...
   erw2kstring1=w2kstring1
   erw2kinteger=w2kinteger
   erw2kdate=w2kdate
   erw2kboolean=w2kboolean
   erw2kmultivaluestring=w2kmultivaluestring

Updating Agent Supported Attributes

The following steps provide detailed procedures to update the various Windows 2000 Agent files to support extended Windows Active Directory attributes. The steps must be completed in the order they are listed.
Step 1: Extending the Schema and Adding Extended Attributes

Extend the Windows Active Directory schema and add custom attributes to the Windows Active Directory Server using the tools provided by Windows. Refer to the Microsoft Windows server documentation for more information about adding new attributes to the Windows Active Directory.

The Windows 2000 Agent supports the following types of custom attributes:

   boolean
   integer
   case insensitive string
   UTC coded time

IBM recommends prefixing the attribute names with erw2k to easily identify the attributes used with Tivoli Identity Manager.

Step 2: Modifying the exschema.txt File

The exschema.txt file lists all extended attributes in the Windows Active Directory Server. This file must be modified to allow the Windows 2000 Agent to recognize an extended attribute in the Windows Active Directory Server.

1. Log into the system where the Windows 2000 Agent is located.
2. Open the agent's data directory.
3. Create or open the exschema.txt file in a text editor. This file is located in the Windows 2000 Agent's data directory.
4. Add the extended attributes to the file.
   Note: List only one attribute per line.
5. Save the changes and close the file.
6. Restart the agent. The agent can be restarted using the Windows Services Console.

Step 3: Updating the schema.dsml File

The Windows 2000 Agent schema.dsml file identifies all of the standard Windows account attributes. This file must be modified to identify the new extended attributes in the Windows Active Directory Server. This file is located in the following directory on the Tivoli Identity Manager Server:

   $ENROLE_HOME/data/remote_resources/w2kprofile/schema.dsml

See "SCHEMA.DSML File" on page 13 for more information about adding attributes to this file.

1. Log into the system where the Tivoli Identity Manager Server is located.
   Note: You must log in as a superuser.
2. Change to the $ENROLE_HOME/data/remote_resources/w2kprofile directory.
3. Open the schema.dsml file in a text editor.
4. Add an attribute definition for each extended attribute. The OID should be incremented by 1, based on the last entry in the file.
   For example, if the last attribute in the file uses the OID 1.3.6.1.4.1.6054.3.26.2.67, the first new attribute should use the OID 1.3.6.1.4.1.6054.3.26.2.68.
   Note: IBM recommends starting with a new range of numbers for the custom attributes. For example, start custom attributes with the OID 1.3.6.1.4.1.6054.3.26.2.100. This prevents duplicate OIDs if the agent is upgraded to support new attributes that are standard for newer versions of Windows.
5. Add each of the new attributes to the account class.
6. Save and close the schema.dsml file.

Step 4: Updating the xforms.xml File

The xforms.xml file on both the Windows 2000 Agent and the Tivoli Identity Manager Server must be updated to include the new attributes. See "XFORMS.XML File" on page 15 for more information. The following sections describe how to update both the agent's xforms.xml file and the xforms.xml file for the Tivoli Identity Manager Server.

Updating the Agent's xforms.xml File

1. Log into the system where the Windows 2000 Agent is located.
2. Open the agent's data directory.
3. Open the xforms.xml file in an editor.
4. Add each of the new attributes to the end of the attribute list using the following format:

      <EnRoleAttribute Name="attributename" RemoteName="attributename"/>

   where attributename is the name of the new attribute. The value of EnRoleAttribute Name is the name of the attribute in the Windows Active Directory. The RemoteName is the name of the attribute in the Tivoli Identity Manager Server.
   Note: If the new attribute is a multi-valued attribute, the multi-valued attribute must have ConvertReplaceToAddDelete="true" added to its definition.
5. Save and close the xforms.xml file.

Updating the Tivoli Identity Manager Server's xforms.xml File

IBM recommends copying the attributes added to the agent's xforms.xml file and pasting them into the Tivoli Identity Manager Server's xforms.xml file. The following procedure describes how to manually update the xforms.xml file on the Tivoli Identity Manager Server.

Note: If the Tivoli Identity Manager Server's xforms.xml must be manually updated, the changes must match the changes made to the xforms.xml file for the Windows 2000 Agent.

1. Log into the system where the Tivoli Identity Manager Server is located.
   Note: You must log in as a superuser.
2. Change to the $ENROLE_HOME/data/remote_resources/w2kprofile directory.
3. Open the xforms.xml file in an editor.
4. Add each of the new attributes to the end of the attribute list using the following format:

      <EnRoleAttribute Name="attributename" RemoteName="attributename"/>

   where attributename is the name of the new attribute. The value of EnRoleAttribute Name is the name of the attribute in the Windows Active Directory. The RemoteName is the name of the attribute in the Tivoli Identity Manager Server.
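The rules spread across the SCHEMA.DSML, XFORMS.XML and CustomLabels.properties sections and Steps 3 and 4 (unique OIDs under the agent's prefix, a mapping in both copies of xforms.xml, ConvertReplaceToAddDelete="true" on multi-valued attributes, lower-case label keys, and an OID for the next custom attribute) can be checked mechanically before the configure_remote_services script is run. The following is an added example, not IBM's code: it parses constructed copies of the three files, modelled on the chapter's examples; the attribute erw2kdupe and the label text are constructed to trigger findings.

```python
import xml.etree.ElementTree as ET

# Attribute OIDs for this agent: enterprise 1.3.6.1.4.1.6054, product 3, agent 26, object 2.
ATTR_OID_PREFIX = "1.3.6.1.4.1.6054.3.26.2."

# Constructed sample copies of the three files, modelled on the chapter's examples. erw2kmultivaluestring
# is multi-valued (no single-value="true"); erw2kdupe deliberately reuses an OID and is absent from the
# server copy of xforms.xml; the last label key is deliberately mixed case.
SCHEMA_DSML = """<dsml><directory-schema>
<attribute-type single-value="true"><name>erw2kstring1</name><description/>
 <object-identifier>1.3.6.1.4.1.6054.3.26.2.100</object-identifier><syntax>1.3.6.1.4.1.1466.115.121.1.15</syntax></attribute-type>
<attribute-type><name>erw2kmultivaluestring</name><description>List of string values</description>
 <object-identifier>1.3.6.1.4.1.6054.3.26.2.104</object-identifier><syntax>1.3.6.1.4.1.1466.115.121.1.15</syntax></attribute-type>
<attribute-type single-value="true"><name>erw2kdupe</name><description/>
 <object-identifier>1.3.6.1.4.1.6054.3.26.2.100</object-identifier><syntax>1.3.6.1.4.1.1466.115.121.1.27</syntax></attribute-type>
</directory-schema></dsml>"""
AGENT_XFORMS = """<EnRoleTransformations>
<EnRoleAttribute Name="erw2kstring1" RemoteName="erw2kstring1"/>
<EnRoleAttribute Name="erw2kmultivaluestring" RemoteName="erw2kmultivaluestring"/>
<EnRoleAttribute Name="erw2kdupe" RemoteName="erw2kdupe"/>
</EnRoleTransformations>"""
SERVER_XFORMS = """<EnRoleTransformations>
<EnRoleAttribute Name="erw2kstring1" RemoteName="erw2kstring1"/>
<EnRoleAttribute Name="erw2kmultivaluestring" RemoteName="erw2kmultivaluestring" ConvertReplaceToAddDelete="true"/>
</EnRoleTransformations>"""
CUSTOM_LABELS = "# constructed labels\nerw2kstring1=W2K String 1\nerw2kMultiValueString=Values\n"


def parse_schema(dsml_text):
    """Return {attribute name: (oid, single_valued)} for every attribute-type in a schema.dsml."""
    result = {}
    for at in ET.fromstring(dsml_text).iter("attribute-type"):
        single = at.get("single-value", "false").lower() == "true"
        result[at.findtext("name")] = (at.findtext("object-identifier"), single)
    return result


def parse_xforms(xml_text):
    """Return {Name: attribute dict} for every EnRoleAttribute element in an xforms.xml."""
    return {e.get("Name"): dict(e.attrib) for e in ET.fromstring(xml_text).iter("EnRoleAttribute")}


def check_extension(schema_text, agent_xforms, server_xforms, labels_text):
    """Return a list of findings; an empty list means the files agree with the chapter's rules."""
    findings, seen = [], {}
    copies = {"agent": parse_xforms(agent_xforms), "server": parse_xforms(server_xforms)}
    for name, (oid, single) in parse_schema(schema_text).items():
        if not (oid.startswith(ATTR_OID_PREFIX) and oid[len(ATTR_OID_PREFIX):].isdigit()):
            findings.append(f"{name}: OID {oid} is not under the agent attribute prefix")
        if oid in seen:
            findings.append(f"{name}: OID {oid} duplicates {seen[oid]}")
        seen.setdefault(oid, name)
        for label, xforms in copies.items():   # both copies of xforms.xml must carry the attribute
            entry = xforms.get(name)
            if entry is None:
                findings.append(f"{name}: missing from {label} xforms.xml")
            elif not single and entry.get("ConvertReplaceToAddDelete", "").lower() != "true":
                findings.append(f"{name}: multi-valued but {label} xforms.xml lacks ConvertReplaceToAddDelete")
    for name in sorted(copies["agent"].keys() ^ copies["server"].keys()):
        findings.append(f"{name}: agent and server xforms.xml copies differ")
    for line in labels_text.splitlines():
        key = line.split("=", 1)[0].strip()
        if key and not key.startswith("#") and key != key.lower():
            findings.append(f"{key}: CustomLabels.properties key must be lower case")
    return findings


def next_free_oid(schema_text, start=100):
    """Suggest the first unused attribute OID at or above the recommended custom range (100)."""
    used = {oid for oid, _ in parse_schema(schema_text).values()}
    n = start
    while ATTR_OID_PREFIX + str(n) in used:
        n += 1
    return ATTR_OID_PREFIX + str(n)


if __name__ == "__main__":
    for finding in check_extension(SCHEMA_DSML, AGENT_XFORMS, SERVER_XFORMS, CUSTOM_LABELS):
        print(finding)
    print("next free custom OID:", next_free_oid(SCHEMA_DSML))
```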