IBM Tivoli Access Manager for e-business
IBM Tivoli Identity Manager Provisioning Fast Start Guide
Version 5.1
SC32-1364-00
Note
Before using this information and the product it supports, read the information in “Notices,” on page 71.
First Edition (November 2003)

This edition applies to version 5.1 of IBM Tivoli Access Manager (product number 5724-C08) and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright International Business Machines Corporation 2003. All rights reserved.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents

Preface ..... v
  Who should read this book ..... v
  What this book contains ..... v
  Publications ..... vi
  Release information ..... vi
  Base information ..... vi
  Web security information ..... vii
  Developer references ..... vii
  Technical supplements ..... viii
  Related publications ..... viii
  Accessing publications online ..... xii
  Accessibility ..... xii
  Contacting software support ..... xii
  Conventions used in this book ..... xii
  Typeface conventions ..... xii
  Operating system differences ..... xiii

Chapter 1. Overview of integration tasks ..... 1
  Basic integration tasks ..... 1
  Tivoli Identity Manager tasks related to the integration ..... 2
  Specialized integration tasks ..... 4

Chapter 2. Installing the Provisioning Fast Start collection ..... 5
  Before running the Installer ..... 5
  Requirements for the Installer ..... 5
  Requirements for the tasks and samples ..... 6
  Choosing automated tasks and samples to install ..... 6
  Running the Installer ..... 11
  Prerequisite checking ..... 11
  Selection of items to install ..... 14
  Configuration and installation ..... 15
  After running the Installer ..... 15
  Uninstalling ..... 15

Chapter 3. Creating a Tivoli Access Manager service and default provisioning policy ..... 17
  Automated configuration ..... 17
  Service ..... 17
  Default provisioning policy ..... 18
  Post-configuration tasks ..... 19
  Viewing or modifying the service ..... 19
  Customizing the default provisioning policy ..... 19

Chapter 4. Configuring Tivoli Identity Manager for single sign-on with WebSEAL ..... 21
  Automated configuration ..... 22
  WebSEAL junction for single sign-on ..... 22
  Tivoli Identity Manager properties files related to single sign-on ..... 22
  Post-configuration tasks ..... 23
  Running the automated tasks in a clustered environment ..... 23
  Changing the Tivoli Identity Manager timeout session ..... 24
  Configuring the SSL certificate for an SSL junction ..... 24
  Modifying the ACLs for the junction ..... 25
  Addressing security concerns ..... 26
  Changing the configured Logoff page ..... 26
  Accessing the Tivoli Identity Manager Logon page ..... 27

Chapter 5. Importing and synchronizing user data ..... 29
  IBM Directory Integrator AssemblyLine samples utility ..... 29
  Installation ..... 30
  Requirements for installation ..... 30
  Installed components ..... 30
  Configuration ..... 32
  Creating the IDI Data Feed Service in Tivoli Identity Manager ..... 32
  Configuring the properties files ..... 33
  Configuring connectors ..... 38
  Addressing security concerns ..... 38
  Addressing performance considerations ..... 38
  Running the utility ..... 38
  Importing Tivoli Access Manager users (in a single domain) into Tivoli Identity Manager ..... 39
  Importing Tivoli Access Manager users (in multi-domains) into Tivoli Identity Manager ..... 41
  Importing users from an existing corporate directory ..... 42
  Synchronizing Tivoli Identity Manager user attributes with Tivoli Access Manager user attributes ..... 44

Chapter 6. Creating a Web interface for user self-management ..... 47
  The Web Application Sample ..... 47
  Prerequisite knowledge for using the Sample ..... 47
  Prerequisite software and configurations for using the Sample ..... 48
  Functions of the Sample ..... 48
  Installation ..... 48
  Installation requirements ..... 48
  Installation methods ..... 49
  Configuration ..... 53
  Ensuring proper access to the JSPs ..... 54
  Configuring notification in Tivoli Identity Manager ..... 54
  Configuring the Logon function ..... 54
  Configuring the Main (Home) page ..... 55
  Configuring Password functions ..... 55
  Configuring the Self-Registration function ..... 59
  Configuring the Self-Care function ..... 62
  Configuring the Application Subscription function ..... 63
  Configuring the Challenge/Response function ..... 65
  Configuring the Logout function ..... 66
  Configuring the Sample for use with WebSEAL single sign-on ..... 66
  Customization ..... 68
  Customizing the banner ..... 68
  Customizing the cascading style sheets ..... 69
  Customizing the JSPs ..... 69
  Customizing the servlets ..... 69

Appendix. Notices ..... 71
  Trademarks ..... 72

Index ..... 75
Preface

IBM® Tivoli® Access Manager (Tivoli Access Manager) is the base software that is required to run applications in the IBM Tivoli Access Manager product suite. It enables the integration of IBM Tivoli Access Manager applications that provide a wide range of authorization and management solutions. Sold as an integrated solution, these products provide an access control management solution that centralizes network and application security policy for e-business applications.

Note: IBM Tivoli Access Manager is the new name of the previously released software entitled Tivoli SecureWay® Policy Director. Also, for users familiar with the Tivoli SecureWay Policy Director software and documentation, the management server is now referred to as the policy server.

Tivoli Access Manager can be integrated with IBM Tivoli Identity Manager to take advantage of its identity management and provisioning functions. Following a brief overview of the tasks you might perform to integrate IBM Tivoli Identity Manager and IBM Tivoli Access Manager for e-business, this guide provides instructions for installing and using the Provisioning Fast Start collection. The Provisioning Fast Start collection consists of automated tasks, utilities, and samples that you might find helpful when integrating Tivoli Identity Manager and Tivoli Access Manager for e-business.
Who should read this book

This guide is for system administrators and security administrators responsible for integrating Tivoli Access Manager with Tivoli Identity Manager. Readers of this book should be experienced with advanced administration of:
• Tivoli Access Manager for e-business and its prerequisites
• Tivoli Identity Manager and its prerequisites

Note: Chapter 6, “Creating a Web interface for user self-management,” on page 47 is written for Web application developers who have experience with WebSphere® Application Server, Java™ servlets, and Java Server Pages.
What this book contains

This guide contains the following sections:
• Chapter 1, “Overview of integration tasks,” on page 1. Provides an overview of the tasks related to integrating Tivoli Access Manager and Tivoli Identity Manager and introduces the Provisioning Fast Start collection.
• Chapter 2, “Installing the Provisioning Fast Start collection,” on page 5. Describes how to install the Provisioning Fast Start collection through the use of the Provisioning Fast Start Installer.
• Chapter 3, “Creating a Tivoli Access Manager service and default provisioning policy,” on page 17. Describes the automated task for creating a Tivoli Access Manager service and a provisioning policy.
• Chapter 4, “Configuring Tivoli Identity Manager for single sign-on with WebSEAL,” on page 21. Describes the automated task for enabling Tivoli Identity Manager to use single sign-on with WebSEAL.
• Chapter 5, “Importing and synchronizing user data,” on page 29. Describes the IBM Directory Integrator AssemblyLine Samples utility and how to use the utility to import and synchronize user data.
• Chapter 6, “Creating a Web interface for user self-management,” on page 47. Describes the Web Application Sample and how you can use the sample so that your users can manage their own user IDs and passwords in Tivoli Identity Manager.
Publications

Review the descriptions of the Tivoli Access Manager library, the prerequisite publications, and the related publications to determine which publications you might find helpful. After you determine the publications you need, refer to the instructions for accessing publications online.

Additional information about the IBM Tivoli Access Manager for e-business product itself can be found at:
http://www.ibm.com/software/tivoli/products/access-mgr-e-bus/

The Tivoli Access Manager library is organized into the following categories:
• “Release information”
• “Base information”
• “Web security information” on page vii
• “Developer references” on page vii
• “Technical supplements” on page viii
Release information

• IBM Tivoli Access Manager for e-business Read This First (GI11-4155-00)
  Provides information for installing and getting started using Tivoli Access Manager.
• IBM Tivoli Access Manager for e-business Release Notes (GI11-4156-00)
  Provides late-breaking information, such as software limitations, workarounds, and documentation updates.
Base information

• IBM Tivoli Access Manager Base Installation Guide (SC32-1362-00)
  Explains how to install and configure the Tivoli Access Manager base software, including the Web Portal Manager interface. This book is a subset of IBM Tivoli Access Manager for e-business Web Security Installation Guide and is intended for use with other Tivoli Access Manager products, such as IBM Tivoli Access Manager for Business Integration and IBM Tivoli Access Manager for Operating Systems.
• IBM Tivoli Access Manager Base Administration Guide (SC32-1360-00)
  Describes the concepts and procedures for using Tivoli Access Manager services. Provides instructions for performing tasks from the Web Portal Manager interface and by using the pdadmin command.
Web security information

• IBM Tivoli Access Manager for e-business Web Security Installation Guide (SC32-1361-00)
  Provides installation, configuration, and removal instructions for the Tivoli Access Manager base software as well as the Web Security components. This book is a superset of IBM Tivoli Access Manager Base Installation Guide.
• IBM Tivoli Access Manager Upgrade Guide (SC32-1369-00)
  Explains how to upgrade from Tivoli SecureWay Policy Director Version 3.8 or previous versions of Tivoli Access Manager to Tivoli Access Manager Version 5.1.
• IBM Tivoli Access Manager for e-business WebSEAL Administration Guide (SC32-1359-00)
  Provides background material, administrative procedures, and technical reference information for using WebSEAL to manage the resources of your secure Web domain.
• IBM Tivoli Access Manager for e-business IBM WebSphere Application Server Integration Guide (SC32-1368-00)
  Provides installation, removal, and administration instructions for integrating Tivoli Access Manager with IBM WebSphere® Application Server.
• IBM Tivoli Access Manager for e-business IBM WebSphere Edge Server Integration Guide (SC32-1367-00)
  Provides installation, removal, and administration instructions for integrating Tivoli Access Manager with the IBM WebSphere Edge Server application.
• IBM Tivoli Access Manager for e-business Plug-in for Web Servers Integration Guide (SC32-1365-00)
  Provides installation instructions, administration procedures, and technical reference information for securing your Web domain using the plug-in for Web servers.
• IBM Tivoli Access Manager for e-business BEA WebLogic Server Integration Guide (SC32-1366-00)
  Provides installation, removal, and administration instructions for integrating Tivoli Access Manager with BEA WebLogic Server.
• IBM Tivoli Access Manager for e-business IBM Tivoli Identity Manager Provisioning Fast Start Guide (SC32-1364-00)
  Provides an overview of the tasks related to integrating Tivoli Access Manager and Tivoli Identity Manager and explains how to use and install the Provisioning Fast Start collection.
Developer references

• IBM Tivoli Access Manager for e-business Authorization C API Developer Reference (SC32-1355-00)
  Provides reference material that describes how to use the Tivoli Access Manager authorization C API and the Tivoli Access Manager service plug-in interface to add Tivoli Access Manager security to applications.
• IBM Tivoli Access Manager for e-business Authorization Java Classes Developer Reference (SC32-1350-00)
  Provides reference information for using the Java™ language implementation of the authorization API to enable an application to use Tivoli Access Manager security.
• IBM Tivoli Access Manager for e-business Administration C API Developer Reference (SC32-1357-00)
  Provides reference information about using the administration API to enable an application to perform Tivoli Access Manager administration tasks. This document describes the C implementation of the administration API.
• IBM Tivoli Access Manager for e-business Administration Java Classes Developer Reference (SC32-1356-00)
  Provides reference information for using the Java language implementation of the administration API to enable an application to perform Tivoli Access Manager administration tasks.
• IBM Tivoli Access Manager for e-business Web Security Developer Reference (SC32-1358-00)
  Provides administration and programming information for the cross-domain authentication service (CDAS), the cross-domain mapping framework (CDMF), and the password strength module.
Technical supplements

• IBM Tivoli Access Manager for e-business Command Reference (SC32-1354-00)
  Provides information about the command line utilities and scripts provided with Tivoli Access Manager.
• IBM Tivoli Access Manager Error Message Reference (SC32-1353-00)
  Provides explanations and recommended actions for the messages produced by Tivoli Access Manager.
• IBM Tivoli Access Manager for e-business Problem Determination Guide (SC32-1352-00)
  Provides problem determination information for Tivoli Access Manager.
• IBM Tivoli Access Manager for e-business Performance Tuning Guide (SC32-1351-00)
  Provides performance tuning information for an environment consisting of Tivoli Access Manager with the IBM Tivoli Directory server as the user registry.
Related publications

This section lists publications related to the Tivoli Access Manager library.

The Tivoli Software Library provides a variety of Tivoli publications such as white papers, datasheets, demonstrations, redbooks, and announcement letters. The Tivoli Software Library is available on the Web at:
http://www.ibm.com/software/tivoli/library/

The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available, in English only, from the Glossary link on the left side of the Tivoli Software Library Web page http://www.ibm.com/software/tivoli/library/

IBM Global Security Kit

Tivoli Access Manager provides data encryption through the use of the IBM Global Security Kit (GSKit) Version 7.0. GSKit is included on the IBM Tivoli Access Manager Base CD for your particular platform, as well as on the IBM Tivoli Access Manager Web Security CDs, the IBM Tivoli Access Manager Web Administration Interfaces CDs, and the IBM Tivoli Access Manager Directory Server CDs.

The GSKit package provides the iKeyman key management utility, gsk7ikm, which is used to create key databases, public-private key pairs, and certificate requests.
The following document is available on the Tivoli Information Center Web site in the same section as the IBM Tivoli Access Manager product documentation:
• IBM Global Security Kit Secure Sockets Layer and iKeyman User’s Guide (SC32-1363-00)
  Provides information for network or system security administrators who plan to enable SSL communication in their Tivoli Access Manager environment.
IBM Tivoli Directory Server

IBM Tivoli Directory Server, Version 5.2, is included on the IBM Tivoli Access Manager Directory Server CD for the desired operating system.

Note: IBM Tivoli Directory Server is the new name for the previously released software known as:
• IBM Directory Server (Version 4.1 and Version 5.1)
• IBM SecureWay Directory Server (Version 3.2.2)

IBM Directory Server Version 4.1, IBM Directory Server Version 5.1, and IBM Tivoli Directory Server Version 5.2 are all supported by IBM Tivoli Access Manager Version 5.1.

Additional information about IBM Tivoli Directory Server can be found at:
http://www.ibm.com/software/network/directory/library/
IBM DB2 Universal Database

IBM DB2® Universal Database™ Enterprise Server Edition, Version 8.1 is provided on the IBM Tivoli Access Manager Directory Server CD and is installed with the IBM Tivoli Directory Server software. DB2 is required when using IBM Tivoli Directory Server, z/OS™, or OS/390® LDAP servers as the user registry for Tivoli Access Manager.

Additional information about DB2 can be found at:
http://www.ibm.com/software/data/db2/
IBM WebSphere Application Server

IBM WebSphere Application Server, Advanced Single Server Edition 5.0, is included on the IBM Tivoli Access Manager Web Administration Interfaces CD for the desired operating system. WebSphere Application Server enables the support of both the Web Portal Manager interface, which is used to administer Tivoli Access Manager, and the Web Administration Tool, which is used to administer IBM Tivoli Directory Server. IBM WebSphere Application Server Fix Pack 2 is also required by Tivoli Access Manager and is provided on the IBM Tivoli Access Manager WebSphere Fix Pack CD.

Additional information about IBM WebSphere Application Server can be found at:
http://www.ibm.com/software/webservers/appserv/infocenter.html
IBM Tivoli Access Manager for Business Integration

IBM Tivoli Access Manager for Business Integration, available as a separately orderable product, provides a security solution for IBM MQSeries®, Version 5.2, and IBM WebSphere® MQ for Version 5.3 messages. IBM Tivoli Access Manager for Business Integration allows WebSphere MQSeries applications to send data with privacy and integrity by using keys associated with sending and receiving applications. Like WebSEAL and IBM Tivoli Access Manager for Operating Systems, IBM Tivoli Access Manager for Business Integration is one of the resource managers that use the services of IBM Tivoli Access Manager.

Additional information about IBM Tivoli Access Manager for Business Integration can be found at:
http://www.ibm.com/software/tivoli/products/access-mgr-bus-integration/
The following documents associated with IBM Tivoli Access Manager for Business Integration Version 5.1 are available on the Tivoli Information Center Web site:
• IBM Tivoli Access Manager for Business Integration Administration Guide (SC23-4831-01)
• IBM Tivoli Access Manager for Business Integration Problem Determination Guide (GC23-1328-00)
• IBM Tivoli Access Manager for Business Integration Release Notes (GI11-0957-01)
• IBM Tivoli Access Manager for Business Integration Read This First (GI11-4202-00)
IBM Tivoli Access Manager for WebSphere Business Integration Brokers

IBM Tivoli Access Manager for WebSphere Business Integration Brokers, available as part of IBM Tivoli Access Manager for Business Integration, provides a security solution for WebSphere Business Integration Message Broker, Version 5.0 and WebSphere Business Integration Event Broker, Version 5.0. IBM Tivoli Access Manager for WebSphere Business Integration Brokers operates in conjunction with Tivoli Access Manager to secure JMS publish/subscribe applications by providing password and credentials-based authentication, centrally-defined authorization, and auditing services.

Additional information about IBM Tivoli Access Manager for WebSphere Integration Brokers can be found at:
http://www.ibm.com/software/tivoli/products/access-mgr-bus-integration/
The following documents associated with IBM Tivoli Access Manager for WebSphere Integration Brokers, Version 5.1 are available on the Tivoli Information Center Web site:
• IBM Tivoli Access Manager for WebSphere Business Integration Brokers Administration Guide (SC32-1347-00)
• IBM Tivoli Access Manager for WebSphere Business Integration Brokers Release Notes (GI11-4154-00)
• IBM Tivoli Access Manager for Business Integration Read This First (GI11-4202-00)
IBM Tivoli Access Manager for Operating Systems

IBM Tivoli Access Manager for Operating Systems, available as a separately orderable product, provides a layer of authorization policy enforcement on UNIX systems in addition to that provided by the native operating system. IBM Tivoli Access Manager for Operating Systems, like WebSEAL and IBM Tivoli Access Manager for Business Integration, is one of the resource managers that use the services of IBM Tivoli Access Manager.

Additional information about IBM Tivoli Access Manager for Operating Systems can be found at:
http://www.ibm.com/software/tivoli/products/access-mgr-operating-sys/
The following documents associated with IBM Tivoli Access Manager for Operating Systems Version 5.1 are available on the Tivoli Information Center Web site:
• IBM Tivoli Access Manager for Operating Systems Installation Guide (SC23-4829-00)
• IBM Tivoli Access Manager for Operating Systems Administration Guide (SC23-4827-00)
• IBM Tivoli Access Manager for Operating Systems Problem Determination Guide (SC23-4828-00)
• IBM Tivoli Access Manager for Operating Systems Release Notes (GI11-0951-00)
• IBM Tivoli Access Manager for Operating Systems Read Me First (GI11-0949-00)
IBM Tivoli Identity Manager

IBM Tivoli Identity Manager Version 4.5, available as a separately orderable product, enables you to centrally manage users (such as user IDs and passwords) and provisioning (that is, providing or revoking access to applications, resources, or operating systems). Tivoli Identity Manager can be integrated with Tivoli Access Manager through the use of the Tivoli Access Manager Agent. Contact your IBM account representative for more information about purchasing the Agent.

Additional information about IBM Tivoli Identity Manager can be found at:
http://www.ibm.com/software/tivoli/products/identity-mgr/
The following documents associated with IBM Tivoli Identity Manager Version 4.5 are available on the Tivoli Information Center Web site:
• IBM Tivoli Identity Manager Release Notes (GI11-4212-00)
• IBM Tivoli Identity Manager Server Installation Guide on UNIX using WebSphere (SC32-1147-02)
• IBM Tivoli Identity Manager Server Installation Guide on Windows 2000 using WebSphere (SC32-1148-01)
• IBM Tivoli Identity Manager Server Installation Guide on UNIX using WebLogic (SC32-1334-00)
• IBM Tivoli Identity Manager Server Installation Guide on Windows 2000 using WebLogic (SC32-1335-00)
• IBM Tivoli Identity Manager Policy and Organization Administration Guide (SC32-1149-01)
• IBM Tivoli Identity Manager End User Guide (SC32-1152-01)
• IBM Tivoli Identity Manager Server Configuration Guide (SC32-1150-02)
• IBM Tivoli Identity Manager Server Troubleshooting Guide (SC32-1151-01)
• IBM Tivoli Identity Manager Access Manager Agent for Windows Installation Guide (SC32-1165-03)
• IBM Tivoli Identity Manager Lotus Notes Agent Installation Guide (SC32-1157-03)
• IBM Tivoli Identity Manager Sybase Agent for Windows Installation Guide (SC32-1161-03)
• IBM Tivoli Identity Manager Oracle Agent for Windows Installation Guide (SC32-1155-03)
• IBM Tivoli Identity Manager Windows 2000 Agent Installation Guide (SC32-1153-03)
• IBM Tivoli Identity Manager Windows NT Agent Installation Guide (SC32-1154-03)
• IBM Tivoli Identity Manager AIX Agent Installation Guide (SC32-1162-03)
• IBM Tivoli Identity Manager Exchange 2000 Agent Installation Guide (SC32-1156-03)
• IBM Tivoli Identity Manager Novell NetWare Agent Installation Guide (SC32-1158-03)
• IBM Tivoli Identity Manager Universal Provisioning Agent Installation Guide (SC32-1159-03)
Accessing publications online

The publications for this product are available online in Portable Document Format (PDF) or Hypertext Markup Language (HTML) format, or both in the Tivoli software library:
http://www.ibm.com/software/tivoli/library

To locate product publications in the library, click the Product manuals link on the left side of the library page. Then, locate and click the name of the product on the Tivoli software information center page.

Product publications include release notes, installation guides, user’s guides, administrator’s guides, and developer’s references.

Note: To ensure proper printing of publications, select the Fit to page check box in the Adobe Acrobat window (which is available when you click File → Print).
Accessibility

Accessibility features help a user who has a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You also can use the keyboard instead of the mouse to operate all features of the graphical user interface.
Contacting software support

Before contacting IBM Tivoli Software Support with a problem, refer to the IBM Tivoli Software Support site by clicking the Tivoli support link at the following Web site:
http://www.ibm.com/software/support/

If you need additional help, contact software support by using the methods described in the IBM Software Support Guide at the following Web site:
http://techsupport.services.ibm.com/guides/handbook.html

The guide provides the following information:
• Registration and eligibility requirements for receiving support
• Telephone numbers, depending on the country in which you are located
• A list of information you should gather before contacting customer support
Conventions used in this book

This reference uses several conventions for special terms and actions and for operating system-dependent commands and paths.

Typeface conventions

The following typeface conventions are used in this reference:

Bold
  Lowercase commands or mixed case commands that are difficult to distinguish from surrounding text, keywords, parameters, options, names of Java classes, and objects are in bold.

Italic
  Variables, titles of publications, and special words or phrases that are emphasized are in italic.

Monospace
  Code examples, command lines, screen output, file and directory names that are difficult to distinguish from surrounding text, system messages, text that the user must type, and values for arguments or command options are in monospace.
Operating system differences

This book uses the UNIX convention for specifying environment variables and for directory notation. When using the Windows command line, replace $variable with %variable% for environment variables and replace each forward slash (/) with a backslash (\) in directory paths. If you are using the bash shell on a Windows system, you can use the UNIX conventions.
Chapter 1. Overview of integration tasks

IBM® Tivoli® Access Manager for e-business provides policy-based access control of enterprise applications, Web applications, and resources. IBM Tivoli Identity Manager provides policy-based identity management (managing user IDs and passwords) and provisioning (providing or revoking access to applications, resources, or operating systems) within an enterprise.

When you use these products together in an integrated environment, you will continue to manage access to applications and resources using Tivoli Access Manager, but you will use Tivoli Identity Manager to manage Tivoli Access Manager users and to manage the provisioning of applications and resources to those users.

To integrate these products, you must perform some basic integration tasks and some Tivoli Identity Manager tasks. Depending on your integrated environment, you might need to perform some specialized integration tasks.

Some of these tasks have been automated and are provided in a collection of utilities called the Provisioning Fast Start collection. The use of the utilities in the collection is optional; however, you might find that they will save you time and effort. The collection and its Installer are included on the IBM Tivoli Access Manager Base CD in IBM Tivoli Access Manager for e-business version 5.1.

This overview chapter provides summaries of the tasks you need to perform to integrate Tivoli Access Manager and Tivoli Identity Manager. However, the remainder of this guide describes only the tasks that are supported by the Provisioning Fast Start collection.
Basic integration tasks

Tivoli Identity Manager can be integrated with numerous types of systems (such as a Lotus® Notes® system, a Novell NetWare system, a Tivoli Access Manager system, and others). The integration process consists of several basic tasks, regardless of the type of system that is being integrated. These basic tasks are:

1. Install and configure Tivoli Identity Manager version 4.5. (You might also want to install IBM Directory Integrator, which comes with Tivoli Identity Manager.)
2. Install and configure the software for the other system, such as Tivoli Access Manager for e-business.
3. Locate and install the agent software. Agents are components of Tivoli Identity Manager and are available for each type of system that can be integrated with Tivoli Identity Manager. Agents are required for the integration because they enable connectivity between the Tivoli Identity Manager server and the system that will be managed by Tivoli Identity Manager. The Tivoli Access Manager Agent is available at the IBM Web site. Contact your IBM account representative for the Web address and the instructions for downloading the agent.
4. Activate the agent.
5. Configure the agent’s communication protocols to enable the agent to communicate with the Tivoli Identity Manager server.
6. Install the agent’s profile on the Tivoli Identity Manager server. A profile defines a type of system that will be managed by Tivoli Identity Manager. For example, if Tivoli Identity Manager will manage one or more Tivoli Access Manager systems, the Tivoli Access Manager profile must be installed on the Tivoli Identity Manager server so that Tivoli Identity Manager will recognize Tivoli Access Manager.

Detailed information for performing these preceding steps is in the IBM Tivoli Identity Manager: IBM Tivoli Access Manager Agent Installation Guide. If you are integrating Tivoli Identity Manager with more than one Tivoli Access Manager domain, you will need to repeat these steps for each domain.

The last step in the Agent Guide is to configure the Tivoli Identity Manager server to recognize the agent as a service. This step begins the next phase of the integration.
Tivoli Identity Manager tasks related to the integration

For the next phase in the integration, you will need to use Tivoli Identity Manager and its interface to perform the following tasks. Tasks that can be performed using an automated task or a sample provided by the Provisioning Fast Start collection are indicated with the label Fast start.

Attention: At the completion of this phase, you should use Tivoli Identity Manager instead of Web Portal Manager or pdadmin in Tivoli Access Manager to manage the users of the Tivoli Access Manager system.

1. Add a Tivoli Access Manager service to Tivoli Identity Manager, so that Tivoli Identity Manager can manage Tivoli Access Manager accounts. Each system that will be managed by Tivoli Identity Manager must be assigned to Tivoli Identity Manager as a service. If Tivoli Identity Manager will manage more than one Tivoli Access Manager system, you will need to create a service for each Tivoli Access Manager system.

    Fast start: You can perform this task using the corresponding automated task available in the Provisioning Fast Start collection. For more information, refer to Chapter 3, “Creating a Tivoli Access Manager service and default provisioning policy,” on page 17.

    Note: If your Tivoli Access Manager environment includes resources that permit global sign-on access (that is, GSO resources and GSO resource groups), be sure to install the Tivoli Access Manager GSO Agent. This agent enables you to create services for GSO resources and GSO resource groups. The agent and its documentation are available from the IBM Web site. Contact your IBM account representative for more information.

2. Create an identity policy for the Tivoli Access Manager system, to define how Tivoli Identity Manager will create user IDs.

3. Create a password policy for the Tivoli Access Manager system, so that Tivoli Identity Manager knows how to manage password strength, logins, and synchronization.

    Note: If you have a password policy for Tivoli Identity Manager and a password policy for Tivoli Access Manager, you will need to make sure they are consistent with each other.
    If you are using WebSEAL and want to synchronize password changes that are initiated through WebSEAL, install the Reverse Password Synchronization for Tivoli Access Manager WebSEAL Agent, which is available as part of the Tivoli Access Manager Agent package at the IBM Web site. Contact your IBM account representative for more information.

4. Create a provisioning policy for the Tivoli Access Manager system.

    Fast start: You can get a head start on the creation of your own provisioning policy by using the automated task (available in the Provisioning Fast Start collection) that creates a basic provisioning policy. For more information, refer to Chapter 3, “Creating a Tivoli Access Manager service and default provisioning policy,” on page 17.

5. Create Person entities (users) in Tivoli Identity Manager. In order to manage users with Tivoli Identity Manager, you must define the users in the Tivoli Identity Manager user registry by creating Person entities.

    Fast start: To create Person entities in Tivoli Identity Manager from an existing Tivoli Access Manager user registry or from an existing corporate directory, consider using the IBM Directory Integrator AssemblyLine samples utility. This utility is part of the Provisioning Fast Start collection and is described in “Specialized integration tasks” on page 4 and in Chapter 5, “Importing and synchronizing user data,” on page 29.

    In addition, after you have defined users in Tivoli Identity Manager and have managed those users using Tivoli Identity Manager, you can also use the IBM Directory Integrator AssemblyLine samples to synchronize the changes you’ve made in the Tivoli Identity Manager user (Person) records with matching Tivoli Access Manager user records or corporate directory user records.

6. Create accounts for the Tivoli Access Manager users that you will manage with Tivoli Identity Manager. One way to create accounts for existing users is through the use of the reconciliation function in Tivoli Identity Manager. For more information on reconciliation, see the IBM Tivoli Identity Manager Policy and Organization Administration Guide.
Most of these tasks are manual procedures, which are described in the IBM Tivoli Identity Manager Policy and Organization Administration Guide. However, the Provisioning Fast Start collection and Installer provide automated tasks for creating a service and for creating a basic provisioning policy that you can use as the basis for your own policy. They also provide a utility that can help you create Person records. Use of the automated tasks or utility is optional, but they are intended to make your integration easier.

Chapter 2, “Installing the Provisioning Fast Start collection,” on page 5 provides the details for running these tasks and installing the utility. Chapter 3, “Creating a Tivoli Access Manager service and default provisioning policy,” on page 17 provides details about what happens when the tasks are run and what tasks should be performed after running the tasks. Chapter 5, “Importing and synchronizing user data,” on page 29 provides the details about using the utility to create users in Tivoli Identity Manager.
Specialized integration tasks

Depending on the complexity of your integrated environment or your existing Tivoli Access Manager system, you might need to complete specialized tasks that are related to the integration. Some examples of specialized tasks include:
• Configuring Tivoli Identity Manager for single sign-on with WebSEAL.
• Importing user data into Tivoli Identity Manager from an existing Tivoli Access Manager environment or an existing corporate directory.
• Synchronizing Tivoli Identity Manager user data with Tivoli Access Manager user data.
• Creating a Web interface from which users can self-manage their user IDs and passwords and request access to applications or resources.

To help you perform these tasks, the Provisioning Fast Start collection provides the following task, utility, and samples:
• Single Sign On Enablement
    See Chapter 4, “Configuring Tivoli Identity Manager for single sign-on with WebSEAL,” on page 21.
• IBM Directory Integrator AssemblyLine samples utility
    See Chapter 5, “Importing and synchronizing user data,” on page 29.
• Web Application Sample
    See Chapter 6, “Creating a Web interface for user self-management,” on page 47.

Chapter 2, “Installing the Provisioning Fast Start collection,” on page 5 can help you decide which items in the collection to install, ensure that you have the prerequisite software that each item requires, and install the items. The remaining chapters in this guide describe the tasks that are either automated in the collection or that are supported by the utilities and samples in the collection.
Chapter 2. Installing the Provisioning Fast Start collection

To help make the integration of Tivoli Access Manager and Tivoli Identity Manager easier, a collection of automated tasks and samples (called the Provisioning Fast Start collection) is provided with Tivoli Access Manager for e-business version 5.1. Although use of the items in the collection is optional, you might find that they will save you time and effort. To run the tasks or install the samples or utilities in the collection, you will use the Provisioning Fast Start Installer (referred to as the Installer).

Before running the Installer

Before you run the Provisioning Fast Start Installer from the IBM Tivoli Access Manager Base CD, you need to:
1. Make sure that you have the prerequisites for running the Installer and that you have met the general requirements for installing the tasks and samples.
2. Decide which automated tasks and samples will meet your needs. As part of this step, you also need to:
   a. Make sure that you have the prerequisite software or configuration that those tasks, utilities, and samples require.
   b. Decide where to install those tasks and samples. (Each task and sample has specific requirements for where it should be installed.)

Requirements for the Installer

You need the following hardware, software, and authorization to run the Installer:
Operating system
    The Installer can be run on the following operating systems:
    • Microsoft® Windows® 2000 or Windows NT®
    • Sun Solaris Operating Environment version 7 or later
    • AIX® version 4.3 or later

Hardware requirements
    The Installer is included on the Tivoli Access Manager Base CD of Tivoli Access Manager for e-business version 5.1. To use this CD, you need a CD-ROM drive that can read CD-R (CD-Recordable) CDs.

Java Runtime requirement
    You must have IBM Java Runtime Environment version 1.3.1 or higher (with the ibmjceprovider.jar file and the jaas.jar file) installed. (Version 1.3.1 is included with Tivoli Access Manager for e-business.)
    Note: If you run the Installer on a system on which the Java Runtime Environment (JRE) version 1.3.1 is part of your WebSphere Application Server installation, you will receive an error message. As a result, you will need to take the following additional steps to run the Installer:
    1. Locate the PD.jar file in the $WAS_HOME/AppServer/java/jre/lib/ext directory (where $WAS_HOME is the directory where WebSphere Application Server is installed).
    2. If WebSphere Application Server is running on a Windows system, stop the WebSphere Application Server before taking the next step; otherwise, a sharing violation error will occur.
    3. Move the PD.jar out of the $WAS_HOME/AppServer/java/jre/lib/ext directory (where $WAS_HOME is the directory where WebSphere Application Server is installed).

    In most cases, after running the Installer you can move the PD.jar back to its original location. However, during the installation, you might have the option to create a new JRE configuration (for the JRE that will be used in support of the tasks or samples you install). If you choose to create a new JRE configuration, do not move the old PD.jar back to its original location, because you will overwrite the new PD.jar that was created in the new configuration.
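The PD.jar workaround above, scripted as an added example (this is not part of the IBM guide): the script moves PD.jar aside before the Installer runs and refuses to put it back if a new PD.jar has appeared, which is what happens when a new JRE configuration was created. It assumes $WAS_HOME is set as in the guide; the backup directory and the stash/restore command names are our own choice.

```shell
#!/bin/sh
# Added example, not from the IBM guide. Moves PD.jar out of the WebSphere
# JRE ext directory before the Provisioning Fast Start Installer runs and
# restores it afterwards, unless a new PD.jar (from a new JRE configuration)
# is already there. Assumes WAS_HOME as in the guide; backup dir is our choice.

EXT_SUBDIR="AppServer/java/jre/lib/ext"

# stash_pd_jar WAS_HOME BACKUP_DIR
# Moves PD.jar into BACKUP_DIR. Returns 1 if PD.jar is not present.
stash_pd_jar() {
  was_home="$1"; backup="$2"
  jar="$was_home/$EXT_SUBDIR/PD.jar"
  [ -f "$jar" ] || { echo "no PD.jar in $was_home/$EXT_SUBDIR" >&2; return 1; }
  mkdir -p "$backup" || return 1
  mv "$jar" "$backup/PD.jar"
}

# restore_pd_jar WAS_HOME BACKUP_DIR
# Puts the stashed PD.jar back. Returns 1 if nothing was stashed, and 2
# (leaving both files untouched) if a new PD.jar already exists, which is
# the case the guide warns about after creating a new JRE configuration.
restore_pd_jar() {
  was_home="$1"; backup="$2"
  jar="$was_home/$EXT_SUBDIR/PD.jar"
  [ -f "$backup/PD.jar" ] || { echo "nothing to restore in $backup" >&2; return 1; }
  if [ -f "$jar" ]; then
    echo "a new PD.jar exists (new JRE configuration?); not overwriting it" >&2
    return 2
  fi
  mv "$backup/PD.jar" "$jar"
}

# Usage: pdjar.sh stash|restore   (WAS_HOME must be set, as in the guide)
case "${1:-}" in
  stash)   stash_pd_jar "$WAS_HOME" "$WAS_HOME/pdjar.bak" ;;
  restore) restore_pd_jar "$WAS_HOME" "$WAS_HOME/pdjar.bak" ;;
esac
```

Run `pdjar.sh stash` before the Installer (after stopping WebSphere on Windows, as step 2 requires) and `pdjar.sh restore` afterwards; a return code of 2 means a new PD.jar is in place and the old one was deliberately left in the backup directory.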
System administrator authority
    You must have system administrator authority (root or administrator) on the system where you are running the Installer.
Requirements for the tasks and samples

The tasks and samples in the Provisioning Fast Start collection are related to the integration of Tivoli Identity Manager and Tivoli Access Manager. As a result, the use of many of the tasks and samples requires that the following software be installed:
• Tivoli Access Manager for e-business, version 5.1 (and its prerequisites)
• Tivoli Identity Manager, version 4.5 (and its prerequisites)
• Tivoli Access Manager agent

However, for a list of the specific prerequisites for each item in the Provisioning Fast Start collection, refer to the sections that correspond to the tasks in “Choosing automated tasks and samples to install.”
Choosing automated tasks and samples to install

Deciding which tasks and samples to install and use depends on how your Tivoli Access Manager and Tivoli Identity Manager environments are set up. All of the tasks and samples in the Provisioning Fast Start collection are optional. They are provided to fully or partially automate some of the manual steps you would otherwise need to perform. As with any new tool or configuration, consider running these tasks or installing these samples and utilities in a test or proof of concept environment before using them in your production environment.

The following sections list the specialized or automated task you might want to complete, the corresponding item you should select in the Installer, the action performed by the Installer, and the additional prerequisite software that the task or sample requires.

Note: The Provisioning Fast Start Installer determines the software and agent configuration on your system before it presents a list of items for you to select. As a result, the Installer will display only the items that can be run or installed on your system.
Creating a Tivoli Access Manager service and a basic provisioning policy

This automated task can be used instead of the manual tasks for adding a service and adding a provisioning policy in Tivoli Identity Manager. (The manual tasks are described in the IBM Tivoli Identity Manager Policy and Organization Administration Guide.) The basic provisioning policy created by this task includes the minimum attributes needed in a provisioning policy and is designed for you to use as the basis for creating your own provisioning policy.

Item to select in the Installer: To run this automated task, select the following item in the Installer:
    Access Manager service and provisioning policy

Prerequisites: The following environments must be in place before running this task:
• Tivoli Access Manager for e-business, version 5.1
• Tivoli Identity Manager version 4.5
• Tivoli Access Manager agent (and profile, which is created as part of the agent installation procedure)
• Connection to the Tivoli Identity Manager user registry. (You must know the password to this registry.)

Location to run the Installer: Run this task on the Tivoli Identity Manager server.

Actions taken by the Installer: When you select Access Manager service and provisioning policy, the Installer performs the following configuration:
• Adds a Tivoli Access Manager service to Tivoli Identity Manager, if one has not already been created.
• Installs a basic provisioning policy to get you started.
    Note: You will want to customize this basic policy after it is installed.

For more information about the service and provisioning policy that are created, see Chapter 3, “Creating a Tivoli Access Manager service and default provisioning policy,” on page 17.
Configuring Tivoli Identity Manager for single sign-on with WebSEAL

This automated task corresponds to two selections in the Installer. It replaces many of the steps in the manual procedure for “Configuring single sign-on with WebSEAL,” which is documented in the IBM Tivoli Identity Manager Server Configuration Guide.

Attention: Before running this task in the Installer, review the overall task in Chapter 4, “Configuring Tivoli Identity Manager for single sign-on with WebSEAL,” on page 21.

Items to select in the Installer: To run this automated task, select the following items in the Installer:
• Single Sign-On Enablement
    – WebSEAL Junction Configuration
    – Identity Manager Configuration

Prerequisites: The following environments must be in place before running this task:
• Tivoli Access Manager for e-business, version 5.1 (with WebSEAL installed and configured)
• Tivoli Identity Manager version 4.5 (the server to be managed by WebSEAL)
• Tivoli Access Manager agent
• Tivoli Access Manager service and account (installed and configured)
• A Tivoli Access Manager account must be assigned to the Tivoli Identity Manager administrator.

Additional prerequisites for this task are described in the IBM Tivoli Identity Manager Server Configuration Guide.

Location to run the Installer: Run this task on the Tivoli Identity Manager server.
Actions taken by the Installer: When you select Single Sign-On Enablement: WebSEAL Junction Configuration, the Installer performs the following configuration:
• Configures either a WebSEAL TCP junction or a WebSEAL SSL junction to enable single sign-on capability for Tivoli Identity Manager. For more information about WebSEAL junctions, refer to the IBM Tivoli Access Manager for e-business WebSEAL Administration Guide.
• In addition, this automated task creates default ACLs for the junction. For more information about the junction that is created, see Chapter 4, “Configuring Tivoli Identity Manager for single sign-on with WebSEAL,” on page 21.

When you select Single Sign-On Enablement: Identity Manager Configuration, the Installer performs the following configuration:
• Updates the Tivoli Identity Manager properties files to support single sign-on with WebSEAL. For more information about the properties configured, see Chapter 4, “Configuring Tivoli Identity Manager for single sign-on with WebSEAL,” on page 21.
Importing or synchronizing user data

To perform this task, you will first need to use the Installer to install the IBM Directory Integrator AssemblyLine samples utility that is available in the Provisioning Fast Start collection. You can use the utility to:
• Import Tivoli Access Manager users (in a single domain) into Tivoli Identity Manager.
• Import Tivoli Access Manager users (in a multi-domain) into Tivoli Identity Manager.
• Import users from an existing corporate directory into Tivoli Identity Manager.
• Synchronize Tivoli Identity Manager user attributes with Tivoli Access Manager user attributes.

Item to select in the Installer: To install the utility, select the following item in the Installer:
    IBM Directory Integrator AssemblyLine samples
Prerequisites: To install the utility, you must already have IBM Directory Integrator 5.1.2 or later installed. In addition, the following environments must be in place, depending on the tasks you plan to complete when using the utility:
• Tivoli Access Manager for e-business, version 5.1 and a connection to the Tivoli Access Manager user registry (if you will import Tivoli Access Manager users to Tivoli Identity Manager or you will synchronize the Tivoli Identity Manager user registry with the Tivoli Access Manager user registry).
• Tivoli Identity Manager version 4.5 with the IDI Data Feed Service created (as described in “Creating the IDI Data Feed Service in Tivoli Identity Manager” on page 32).
• Connection to the corporate directory (if you are importing users from a corporate directory into Tivoli Identity Manager).
• Enablement of the LDAP changelog of the Tivoli Identity Manager user registry, if you are synchronizing Tivoli Identity Manager users with Tivoli Access Manager users. See “Synchronizing Tivoli Identity Manager user attributes with Tivoli Access Manager user attributes” on page 44 for more information.
Location to run the Installer: To install the utility files in the proper place, run the Installer on the machine where IBM Directory Integrator is installed. In addition, if LDAP or Active Directory is the user registry for Tivoli Access Manager, the IBM Directory Integrator and the utility should be installed on a server or workstation that can remotely access the Tivoli Access Manager registries and the Tivoli Identity Manager server. If a Lotus Domino® server is the user registry for Tivoli Access Manager, IBM Directory Integrator and the utility should be installed together on a Lotus Notes client that can access the Domino server.
Actions taken by the Installer: When you select IBM Directory Integrator AssemblyLine samples, the Installer creates the following directory and copies the utility files to it:
    $IDI_HOME/TAMTIMIntegration
(where $IDI_HOME is the root directory for the IBM Directory Integrator). For more information about the utility, see Chapter 5, “Importing and synchronizing user data,” on page 29.
Creating a Web interface for user self-management through Tivoli Identity Manager

If you are using Tivoli Identity Manager and Tivoli Access Manager in an integrated environment and you would like your users to be able to manage their own user IDs and passwords and to make requests for accessing company applications that are protected by Tivoli Access Manager, you could benefit from using a self-management Web portal page. The Provisioning Fast Start collection provides a set of samples (collectively called the Web Application Sample) that you can use to create the Web portal page. You can use the Installer to install the Web Application Sample. However, if you need to install the Sample in a clustered environment or you want to install the Sample on a machine on which Tivoli Identity Manager is not installed, refer to the additional installation instructions in Chapter 6, “Creating a Web interface for user self-management,” on page 47.
Item to select in the Installer: To install the Sample, select the following item in the Installer:
    Tivoli Identity Manager Web Application Sample

Prerequisites: You must have the following software installed to use the Sample:
• WebSphere Application Server 5.0.2, and the patches specified in the IBM Tivoli Identity Manager Version 4.5 Release Notes.
    Note: Make sure that Security on the WebSphere server is disabled before you run the Installer. The Installer will not install the Sample if Security is enabled because, when Security is enabled, the Installer cannot determine the status of the WebSphere Application Servers.
• Tivoli Identity Manager version 4.5

You can use additional features in the Sample if you also have the following environments configured:
• Tivoli Access Manager for e-business, version 5.1
• WebSEAL (to use for single sign-on to Tivoli Identity Manager)
• Tivoli Access Manager agent

Location to run the Installer: To install the Sample, run the Installer on the machine where WebSphere Application Server version 5.0.2 is installed.

Note: If you want to install the Sample in a clustered environment or if you want to install the Sample on a machine that does not have Tivoli Identity Manager installed, see “Installation methods” on page 49.

Actions taken by the Installer: When you select Tivoli Identity Manager Web Application Sample, the Installer installs the Sample pages and servlets so they can interface with Tivoli Identity Manager. For more information about the Sample, see Chapter 6, “Creating a Web interface for user self-management,” on page 47.
After you have determined which tasks you want to complete and you have installed the prerequisite software, you might want to review the chapters in this guide that correspond to those tasks. The information in those chapters will help you understand the tasks and make you aware of any additional installation instructions and post-configuration steps. After reviewing this information, you are ready to run the Installer. Refer to “Running the Installer” on page 11 for installation instructions.
Running the Installer

The following instructions explain how to run the Installer. As you use the Installer, view online help by clicking the Help button in the Installer panels. The help window will remain open and, as you move through the Installer panels, the help text will change to correspond with the panel that is displayed.

To start the Tivoli Access Manager Provisioning Fast Start Installer:
1. If you will run the Installer on a machine where WebSphere Application Server is installed, be sure to disable Security in the WebSphere Server before continuing with this procedure. For more information, see “Installation requirements” on page 48.
2. Review the prerequisites for the items you want to install. Then insert the Tivoli Access Manager Base CD into the CD-ROM drive of the appropriate machine.
    Note: If you need to install items on different machines, you will need to run the Installer on each of those machines.
3. Locate and double-click the install_ampfs icon, or open a command prompt, change to the CD-ROM drive, and type install_ampfs. The language selection window is displayed.
4. Select your language. The Welcome panel is displayed.
5. To continue the installation, click Next. A license panel is displayed. You are asked to accept the terms of the license agreement. Accept the terms if you want to continue with the installation.
6. Click Next.

After this step in the installation process, the following phases take place in the order shown:
1. Prerequisite checking
2. Selection of items to install
3. Configuration and installation
Prerequisite checking

Note: The Provisioning Fast Start Installer determines the software and agent configuration on your system before it presents a list of items for you to select. As a result, the Installer will display only the items that can be run or installed on your system.

You will not be able to select items to install until the Prerequisite Checking phase has completed. During the Prerequisite Checking phase, the Installer determines if you have specific software or configurations. You should know what items you plan to install and be familiar with the prerequisites for those items before continuing. Refer to “Choosing automated tasks and samples to install” on page 6 if you need help.

Check 1: WebSphere Application Server

WebSphere Application Server is required by the Web Application Sample. The Installer determines if you have WebSphere Application Server installed. If you do, the Installer retrieves a list of the WebSphere servers in your environment and starts any servers that are not already started.
If you don’t have WebSphere Application Server installed in the environment where you are running the Installer, or if the WebSphere servers cannot be started, you will not be able to install the Web Application Sample. This outcome might be acceptable to you if you don’t plan to install the Sample. After this prerequisite check, the Installer displays the next prerequisite check automatically.
Check 2: Valid connection to the Tivoli Identity Manager user registry

Note: This prerequisite check is required if you want to install the Access Manager service and provisioning policy. The information requested here can also be used as part of the configuration of the Web Application Sample, although it is not required for it.

If you will not be installing the Access Manager service and provisioning policy, or if you don’t need this information automatically configured for the Web Application Sample, click Next until you reach the panel that checks for the Tivoli Access Manager Java Runtime Environment, which is described in “Check 3: Tivoli Access Manager Java Runtime Environment.”

If the Installer locates the administrator account for the user registry, it requests the password for this account to validate the connection to the repository.
1. Type the password in the password fields.
2. Click Next.

If you click Next before you provide the password, you will not be able to install Access Manager service and provisioning policy.
Check 3: Tivoli Access Manager Java Runtime Environment

The Installer looks for the Tivoli Access Manager Java Runtime Environment, which is required to install the Single Sign-On Enablement. The panel that is displayed during this prerequisite check depends on which of the following conditions apply to the Tivoli Access Manager Java Runtime Environment:
• Installed and configured
• Installed but not configured
• Not installed
Installed and configured

Note: If you will not be installing Single Sign-On Enablement, skip this prerequisite check by clicking Next until you reach the panel that says the prerequisite checks have been completed.

If the Tivoli Access Manager Java Runtime Environment is already installed and configured, a panel asks you to enter information to establish communication between the Installer and the Tivoli Access Manager Policy Server that is using the Tivoli Access Manager Runtime Environment. You have two options for completing this panel:
• Create a new configuration file: Choose this option if you cannot specify the information for an existing configuration.
  1. Select the Create a new configuration check box and click Next.
  2. On the next panel, you are asked to provide configuration information for the Tivoli Access Manager Application Server. Complete the fields. Click the Help button if you need descriptions of the fields.
  3. When you have completed the fields, click Next. Continue with the steps in “Selection of items to install” on page 14.
• Use an existing configuration file: If you want to use the existing configuration of the Tivoli Access Manager Java Runtime Environment:
  1. Complete the fields. Refer to the online help if you need descriptions of the fields.
  2. Click Next. Continue with the steps in “Selection of items to install” on page 14.
Installed but not configured

Note: If you will not be installing Single Sign-On Enablement, skip this prerequisite check by clicking Next until you reach the panel that says the prerequisite checks have been completed.

If the Tivoli Access Manager Java Runtime Environment is already installed but is not configured:
1. A panel asks you to enter information to configure the runtime. Complete the fields. Click the Help button for descriptions of the fields.
2. Click Next.
3. You are then asked to establish communication with the Tivoli Access Manager Runtime Environment. Follow the steps in “Installed and configured.”
Not installed

Note: If you will not be installing Single Sign-On Enablement, skip this prerequisite check by clicking No when you are prompted to install the Java Runtime Environment, and then click Next until you reach the panel that says the prerequisite checks have been completed.

If the Tivoli Access Manager Java Runtime Environment is not installed, a panel asks if you want the Java Runtime Environment to be installed. Click either the Yes or the No radio button.
• If you click No, Single Sign-On Enablement will not be in the list of installable items. Click Next and continue with the steps in “Selection of items to install.”
• If you click Yes, the Tivoli Access Manager Java Runtime Environment is installed on your system. When the installation has completed, a message indicates whether the installation was successful. Complete the appropriate step:
  – If the installation was successful, click OK. The configuration panel is displayed. Follow the steps in “Installed but not configured” on page 13.
  – If the Tivoli Access Manager Java Runtime Environment installation failed, you can try to reinstall it, or you can continue with the overall installation by clicking Next until you reach the panel that says prerequisite checking is complete. However, if you do not install it, you cannot install Single Sign-On Enablement.
Selection of items to install

When all of the prerequisite checks have been completed, the panel displayed lists any items that you will not be able to install because prerequisites are missing. The missing prerequisites are also identified. On this panel, do one of the following:
• Click Cancel to exit from the Installer, install any missing prerequisites, and then restart the Installer.
• Click Back to make changes to information you supplied during the prerequisite checks.
• Click Next to continue with the installation.

If you click Next, the panel displayed lists the items that you can install. On this panel:
1. Check marks indicate which items are already selected for installation (selections were made based on the prerequisite checks). Clear the check mark from any item you do not want to install. Keep in mind that the Installer has determined the software and agent configuration on your system before it presents these selections. As a result, the Installer displays only the items that can be run or installed on your system. Some of the selections listed below might not be displayed.
   • IBM Directory Integrator AssemblyLine samples
   • Web Application Sample
   • Single Sign-On Enablement
     – WebSEAL Junction Configuration (Single Sign-On Enablement must be selected in order to select this item.)
     – Identity Manager Configuration (Single Sign-On Enablement must be selected in order to select this item.)
   • Access Manager service and provisioning policy
2. After you have made your selections, you will have the opportunity to return to this panel and change your selections before you continue.
3. Click Next when you are ready to provide any configuration information required for the items you selected.
Configuration and installation

If you selected any of the following items, the Installer asks you for additional configuration information:
• Single Sign-On Enablement (with WebSEAL Junction Configuration)
• Access Manager service and provisioning policy
• Tivoli Identity Manager Web Application Sample

Note: In addition, if you selected the Web Application Sample and the Tivoli Identity Manager server was not detected, you will be prompted to provide information about it during this configuration phase.

For help with completing these configuration panels, refer to the online help. When you are done, click Next on the last configuration panel to complete the installation.
After running the Installer

Depending on the tasks you ran or the samples you installed, you might have to perform additional configuration tasks. For more information, refer to the chapters in this guide that correspond to the task you ran or the samples you installed:
• Access Manager service and provisioning policy. See Chapter 3, “Creating a Tivoli Access Manager service and default provisioning policy,” on page 17.
• Single Sign-On Enablement: WebSEAL Junction and Identity Manager Configuration. See Chapter 4, “Configuring Tivoli Identity Manager for single sign-on with WebSEAL,” on page 21.
• IBM Directory Integrator AssemblyLine samples. See Chapter 5, “Importing and synchronizing user data,” on page 29.
• Web Application Sample. See Chapter 6, “Creating a Web interface for user self-management,” on page 47.
Uninstalling

If you uninstall the Provisioning Fast Start collection, the following installed items are removed:
• IBM Directory Integrator AssemblyLine samples
• Web Application Sample
• Single Sign-On Enablement
  – WebSEAL Junction Configuration (The junction is removed. However, the ACLs are removed only if they are not in use.)
  – Identity Manager Configuration (The values in the properties files that were changed when you ran the Installer are returned to their default values.)

Note: The Access Manager service and provisioning policy are not uninstalled.
To uninstall the Provisioning Fast Start collection:
• On Windows, do one of the following:
  – Run uninstaller.exe in the C:\Program Files\IBM\TivoliAccessManagerProvisioningFastStart\_uninst directory.
  – In the Control Panel folder, click Add/Remove Programs. Select Provisioning Fast Start. Then click OK.
• On AIX or Solaris: Run uninstaller.bin in the /opt/IBM/TivoliAccessManagerProvisioningFastStart/_uninst directory. After running the uninstall program, you can remove the /opt/IBM/TivoliAccessManagerProvisioningFastStart directory and its subdirectories.
Chapter 3. Creating a Tivoli Access Manager service and default provisioning policy

This automated task, which is run using the Installer, takes the place of the manual tasks for adding a service and adding a provisioning policy in Tivoli Identity Manager. (The manual tasks are described in the IBM Tivoli Identity Manager Policy and Organization Administration Guide.)

The steps for running the automated task are in Chapter 2, “Installing the Provisioning Fast Start collection,” on page 5. What occurred when you ran this automated task is described in “Automated configuration.” Steps you might need to complete after running this automated task are described in “Post-configuration tasks” on page 19.
Automated configuration

If you selected the Access Manager service and provisioning policy task when you ran the Installer, a Tivoli Access Manager service and a default provisioning policy were added to Tivoli Identity Manager.

Service

After running the service creation task in the Installer, a Tivoli Access Manager service has been added to Tivoli Identity Manager, just as if you had followed the “Adding a Service” procedure described in the IBM Tivoli Identity Manager Policy and Organization Administration Guide. The following fields were configured with the values you provided in the configuration and installation phase of the Installer process:
• Service name
• URL
• User ID
• Password
• CA Certificate Store
• Certificate File

The following fields, which are used for some services, were not used in the Tivoli Access Manager service:
• Private Key File
• Owner
• Service Prerequisite
• Remote Time Zone
• Domain
• Server Name
Default provisioning policy

After running the provisioning policy creation task in the Installer, a provisioning policy is created, just as if you had followed the “Adding a Provisioning Policy” procedure described in the IBM Tivoli Identity Manager Policy and Organization Administration Guide. This default provisioning policy was configured with the following information:
• General information
• Memberships
• Entitlements

General information

The settings for the general information of the default provisioning policy are:
Policy name
  Set to a custom value that you defined when you ran the Installer.
Caption
  Not set.
Description
  Not set.
Status
  Set to a default value of enabled.
Keywords
  Not set.
Service Resolution Scope
  Not set.
Priority
  Set to a default value of 1; the lowest priority number takes precedence if you have more than one provisioning policy.
Membership

Membership specifies who is governed by the provisioning policy. The membership in the default provisioning policy is ALL; this value specifies that membership in the policy can be given to all people in an organization.

Entitlements

Entitlements specify:
• Whether the policy is enforced manually or automatically
• The service or service types used in the provisioning policy
• The provisioning parameters (values that are applied to an account when it is provisioned to a user)
• The association with a workflow

The entitlements in the default provisioning policy are:
Type
  Set to a custom value that you defined when you ran the Installer.
Target Type
  Set to a default value of service.
Service Type and Service Name
  Set to a default value of Access Manager Service.
Provisioning Parameters List
  Not set.
Advanced Provisioning Parameters List
  Set to the following:
    sn: subject.getProperty("cn")[0]
    erpassword: subject.getProperty("sn")[0]
    ertam4dn: "cn="+subject.getProperty("cn")[0]+","+tamDn
    ertam4passwordpolicy: TRUE
    ertam4singlesign: TRUE
    cn: subject.getProperty("cn")[0]
Process Definition
  Not set.
Priority
  Set to a default value of 1; the lowest priority number takes precedence if you have more than one provisioning policy.

For more information about viewing and modifying a provisioning policy, see the IBM Tivoli Identity Manager Policy and Organization Administration Guide.
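The Advanced Provisioning Parameters above are JavaScript expressions that Tivoli Identity Manager evaluates per person when it provisions an account. The following is an added example, not code from the IBM guide or the product: it resolves the default list against a constructed person record to show exactly what gets written to the new Access Manager account, and checks what the default uses as the initial password. `makeSubject` is a stand-in for the runtime `subject` object, and `tamDn` stands for the DN suffix you entered in the Installer.

```javascript
// Added example, not from the IBM guide: resolve the default Advanced
// Provisioning Parameters List from this chapter against a constructed
// person record. `makeSubject` stands in for the Tivoli Identity Manager
// `subject` object; `tamDn` is the DN suffix you entered in the Installer.

// Stand-in for the person the policy is evaluated against. Policy
// expressions index getProperty() with [0], so values come back as arrays.
function makeSubject(attrs) {
  return {
    getProperty(name) {
      const v = attrs[name];
      if (v === undefined || v === null) return [];
      return Array.isArray(v) ? v : [v];
    },
  };
}

// The Installer's default list, one rule per account attribute. The rule
// bodies are the guide's expressions; TRUE is a literal, not an expression.
const DEFAULT_ADVANCED_PARAMETERS = {
  sn: (subject) => subject.getProperty("cn")[0],
  erpassword: (subject) => subject.getProperty("sn")[0],
  ertam4dn: (subject, tamDn) => "cn=" + subject.getProperty("cn")[0] + "," + tamDn,
  ertam4passwordpolicy: () => true,
  ertam4singlesign: () => true,
  cn: (subject) => subject.getProperty("cn")[0],
};

// Evaluate every rule and return the account attribute map that the
// provisioning engine would hand to the Access Manager service.
function resolveAccountAttributes(subject, tamDn, parameters = DEFAULT_ADVANCED_PARAMETERS) {
  const account = {};
  for (const [attr, rule] of Object.entries(parameters)) {
    account[attr] = rule(subject, tamDn);
  }
  return account;
}

// Defender's check on the result: the default copies the person's surname
// into erpassword, so the initial password is a non-secret directory
// attribute. Returns the problems found; empty when erpassword is set and
// differs from every listed profile attribute.
function auditInitialPassword(account, subject, profileAttrs = ["cn", "sn", "uid", "mail"]) {
  const findings = [];
  const pwd = account.erpassword;
  if (pwd === undefined || pwd === "") {
    // A person without the source attribute gets no password at all, so
    // the account request is incomplete rather than merely weak.
    findings.push("erpassword is unset");
    return findings;
  }
  for (const name of profileAttrs) {
    if (subject.getProperty(name).includes(pwd)) {
      findings.push(`erpassword equals profile attribute ${name}`);
    }
  }
  return findings;
}

// Walk-through with a constructed person record (sample values only).
const examplePerson = makeSubject({ cn: "jdoe", sn: "Doe", mail: "jdoe@example.com" });
const exampleAccount = resolveAccountAttributes(examplePerson, "o=example,c=us");
console.log(exampleAccount);
console.log(auditInitialPassword(exampleAccount, examplePerson));
```

Running it shows the account's cn and sn both set to the person's cn, the DN built under tamDn, and the audit flagging that erpassword equals the person's sn; that is the "minimum values" the policy configures and the first thing to change when you customize it.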
Post-configuration tasks

Before using the service and provisioning policy, you might need to complete the following additional tasks:
• Viewing or modifying the service
• Customizing the default provisioning policy

Viewing or modifying the service

No further configuration of this service is required; however, using the Tivoli Identity Manager interface, you can add other services or modify or delete this service. For more information about managing services, refer to the IBM Tivoli Identity Manager Policy and Organization Administration Guide.

Customizing the default provisioning policy

Because this provisioning policy configures only the minimum values, you will want to modify the policy after it has been created. For more information about modifying provisioning policies, see the IBM Tivoli Identity Manager Policy and Organization Administration Guide.
Chapter 4. Configuring Tivoli Identity Manager for single sign-on with WebSEAL

The Provisioning Fast Start collection provides two automated tasks that are part of the overall task for configuring Tivoli Identity Manager for single sign-on with WebSEAL. An explanation of why you might want to perform this overall task, and the manual steps for performing it, are described in the “Configuring Single Sign-on Solutions” chapter of the IBM Tivoli Identity Manager Server Configuration Guide.

If you use the automated tasks provided in the Provisioning Fast Start collection, the steps in the overall task are as follows:
1. Review the “Configuring Single Sign-on Solutions” chapter in the IBM Tivoli Identity Manager Server Configuration Guide.
2. Configure WebSEAL as follows:
   • Pass all domain attributes in cookie headers.
   • Recognize UTF-8 encoded strings only.
   Refer to the IBM Tivoli Access Manager for e-business WebSEAL Administration Guide for more information.
3. Provision a Tivoli Identity Manager administrator with a Tivoli Access Manager account. Refer to the IBM Tivoli Identity Manager Policy and Organization Administration Guide for more information.
   Note: You cannot log in to Tivoli Access Manager with the default Tivoli Identity Manager administrator ID, itim manager, because Tivoli Access Manager does not support user IDs that contain spaces. You can assign any Tivoli Access Manager user ID to the default itim manager administrator ID if you have configured the Tivoli Identity Manager properties file, enRoleAuthentication.properties, to enable an internal identity mapping algorithm. See “Tivoli Identity Manager properties files related to single sign-on” on page 22 for more information.
4. Run the Provisioning Fast Start Installer as described in Chapter 2, “Installing the Provisioning Fast Start collection,” on page 5 and select:
   • Single Sign-On: WebSEAL Junction Configuration, which creates either a WebSEAL TCP junction or a WebSEAL SSL junction and two default ACLs for the junction.
   • Single Sign-On: Identity Manager Configuration, which updates the Tivoli Identity Manager properties files as needed to support single sign-on.
5. Modify the default ACLs that were created for the junction. For example, you might want to add groups and permissions to the ACLs. (For details, see “Modifying the ACLs for the junction” on page 25.)
6. Change the Tivoli Identity Manager timeout session. (For details, see “Changing the Tivoli Identity Manager timeout session” on page 24.)
7. If the Installer installs an SSL junction, be sure to update and configure your SSL certificates. (For details, see “Configuring the SSL certificate for an SSL junction” on page 24.)
The steps for running the automated tasks are in Chapter 2, “Installing the Provisioning Fast Start collection,” on page 5. What occurred when you ran these automated tasks is described in “Automated configuration.” Steps that you might need to complete after running these automated tasks (such as step 5, step 6, and step 7 on page 21) are described in “Post-configuration tasks” on page 23.

Automated configuration

If you selected Single Sign-On: WebSEAL Junction Configuration when you ran the Installer, a WebSEAL junction was configured and ACLs were associated with the junction. See “WebSEAL junction for single sign-on.”

If you selected Single Sign-On: Identity Manager Configuration when you ran the Installer, the Tivoli Identity Manager properties files were updated to enable single sign-on. See “Tivoli Identity Manager properties files related to single sign-on.”
WebSEAL junction for single sign-on

After running the Single Sign-On: WebSEAL Junction Configuration automated task, either a WebSEAL TCP junction or a WebSEAL SSL junction was created with the following ACLs associated:
• ItimProtected, for authenticated access. This ACL is associated with all applications in the WebSEAL protected object space that require a user to log in. The Tivoli Identity Manager server and its interface are associated with this ACL.
• ItimUnprotected, for unauthenticated access. This ACL is associated with all applications that the user can access without logging in.

These ACLs do not have groups assigned. If you want to assign Tivoli Access Manager groups to them, you will need to modify the ACLs. See “Modifying the ACLs for the junction” on page 25.

Note: The WebSEAL junction that is created by this task also supports single sign-on for the Web Application Sample (which is described in Chapter 6, “Creating a Web interface for user self-management,” on page 47) and for the Web Portal Manager that comes with Tivoli Access Manager. If you are using WebSEAL to manage Web Portal Manager, you can use this junction and complete the following steps to enable SSO for Web Portal Manager:
1. Locate pdwpm.conf on the Tivoli Access Manager server and open it in a text editor.
2. Change the value of the authMethod attribute to SSO.
3. Save your changes and close the file.
4. Stop and then restart the WebSphere Application Server.
Tivoli Identity Manager properties files related to single sign-on

After running the Identity Manager Configuration automated task, some Tivoli Identity Manager properties files (in the $ITIM_HOME/data directory) and attributes are updated to enable single sign-on as follows:
• Properties file: ui.properties
  – enrole.ui.ssoEnabled=true
  – enrole.ui.logoffURL=ssoLogout.jsp
• Properties file: enRoleAuthentication.properties
  – enrole.authentication.idsEqual=
    You selected a value for this attribute when you ran the Installer.
    true
      Specifies that the Tivoli Access Manager user ID is always the same as the Tivoli Identity Manager user ID.
      Note: In single sign-on with WebSEAL, users use the user IDs of their Tivoli Access Manager accounts. However, Tivoli Identity Manager still needs to authenticate the user.
    false
      Specifies that the Tivoli Access Manager user ID is not always the same as the Tivoli Identity Manager user ID. If you selected false, an internal identity mapping algorithm is used to map the user ID of the user’s Tivoli Access Manager account to the user ID of the user’s Tivoli Identity Manager account.
Post-configuration tasks

After you have run these automated tasks in the Installer, you might need to complete additional tasks, depending on your environment:
• Running the automated tasks in a clustered environment
• Changing the timeout session
• Configuring the SSL certificate for an SSL junction
• Modifying the ACLs for the junction
• Addressing security concerns
• Configuring the logoff page
• Accessing the Tivoli Identity Manager logon page

Running the automated tasks in a clustered environment

Tivoli Identity Manager Server can be installed in either a single-server or a cluster configuration. In either case, a single WebSEAL junction is able to support SSO for the entire Tivoli Identity Manager Server configuration. The “Configuring single sign-on with WebSEAL” procedure in the IBM Tivoli Identity Manager Server Configuration Guide and the two automated tasks described in Chapter 2, “Installing the Provisioning Fast Start collection,” on page 5 of this guide present the steps required for a single-server configuration. Enabling Tivoli Identity Manager for WebSEAL single sign-on in a clustered environment requires that you perform tasks on multiple systems, as follows:
1. Review the “Configuring Single Sign-on Solutions” chapter in the IBM Tivoli Identity Manager Server Configuration Guide.
2. Configure WebSEAL as follows:
   • Pass all domain attributes in cookie headers.
   • Recognize UTF-8 encoded strings only.
   Refer to the IBM Tivoli Access Manager for e-business WebSEAL Administration Guide for more information.
3. Provision a Tivoli Identity Manager administrator with a Tivoli Access Manager account.
   Refer to the IBM Tivoli Identity Manager Policy and Organization Administration Guide for more information.
4. On one of the systems in the cluster:
   • Run the Provisioning Fast Start Installer as described in Chapter 2, “Installing the Provisioning Fast Start collection,” on page 5 and select:
     – WebSEAL Junction Configuration, which creates either a WebSEAL TCP junction or a WebSEAL SSL junction.
     – Identity Manager Configuration, which updates the Tivoli Identity Manager properties files as needed to support single sign-on.
   • Change the Tivoli Identity Manager timeout session. (For details, see the “Configuring Single Sign-On with WebSEAL” chapter of the IBM Tivoli Identity Manager Server Configuration Guide.)
   • If the Installer creates an SSL junction, be sure to update and configure your SSL certificates. See “Configuring the SSL certificate for an SSL junction.”
5. On the remaining Tivoli Identity Manager Server systems in the cluster, use the Tivoli Access Manager Provisioning Fast Start Installer and select Identity Manager Configuration, which updates the Tivoli Identity Manager properties files. See Chapter 2, “Installing the Provisioning Fast Start collection,” on page 5 for detailed installation steps.
6. Also, on all machines in the clustered environment, be sure to configure the timeout session. See “Changing the Tivoli Identity Manager timeout session.”
Changing the Tivoli Identity Manager timeout session

To prevent a security exposure in a shared workstation environment, you should change the default value of the Tivoli Identity Manager session timeout to a value equivalent to one of the following:
• Tivoli Identity Manager times out due to inactivity.
• Tivoli Identity Manager times out at the same time as, or before, a WebSEAL timeout due to inactivity.

To change the setting:
1. Open the WebSphere Administrative Console.
2. Click Applications.
3. Click Enterprise Applications.
4. Click enRole. Scroll down to Additional Properties and click Session Management.
5. Change the value of the session timeout to the appropriate value (as described above).
6. Save changes.
7. Stop and start enRole.
Configuring the SSL certificate for an SSL junction

If the Installer created a WebSEAL SSL junction when you ran this task, you need to use GSKit to configure the SSL certificate before you can use the junction.

Note: Before beginning this procedure, make sure that you configure GSKit as described in the IBM Tivoli Access Manager for e-business Web Security Installation Guide, which is available as part of the IBM Tivoli Access Manager for e-business library.
1. Start the iKeyman utility for the WebSphere Application Server.
2. Select Open in the Key Database File task.
3. Open the DummyServerKeyFile.jks file located in the $WAS_HOME/etc directory. A password prompt is displayed. If you are using the dummy file, the password is “WebAS”.
4. Select the websphere dummy server certificate and then click Extract Certificate.
5. On the Extract Certificate to a File window, enter the following:
   • Data type: Select Base64-encoded ASCII data.
   • Certificate file name: Enter the file name for the certificate.
   • Location: Enter the directory path where the certificate is to be stored.
   For this example, enter WebSphereServerCert.arm for the Certificate file name and store the certificate in the $WAS_HOME/etc directory.
6. Click OK. After the certificate is saved, the certificate needs to be transferred to the WebSEAL server. If you defined your own keyfiles for WebSphere and obtained a certificate from a CA, you must use the root CA’s certificate that signed your WebSphere certificate in the following steps instead.
7. Close the WebSphere IBM Key Management GUI.
8. On the WebSEAL server, start the GSKit iKeyman executable.
9. Select Open in the Key Database File task.
10. This example uses the WebSEAL default database. Navigate to the $WebSEAL_root/www-WebSEAL_instance/certs/pdsrv.kdb file and click Open (where $WebSEAL_root is the directory where WebSEAL is installed and WebSEAL_instance is the name of the WebSEAL instance where the database is located).
11. Enter the password when a password prompt window appears. (The password for the default WebSEAL database is pdsrv.)
12. When the database opens, select Signer Certificates.
13. Click Add. The Add CA’s Certificate from a File window is displayed.
14. Do the following in the Add CA’s Certificate from a File window:
   • Data type: Select Base64-encoded ASCII.
   • Certificate file name: Click Browse to navigate to the certificate file name. This example uses the WebSphereServerCert.arm file located in the $WAS_HOME/etc directory.
15. Click OK. A prompt for a label name to store the certificate is displayed. This example uses the entry WAS 5 Server.
16. Click OK. The IBM Key Management panel is displayed with a list of Signer Certificates, including the label name that you specified.
17. Close the GSKit IBM Key Management GUI.
Modifying the ACLs for the junction

If you want to modify the default ACLs that were created when the junction was created, use the acl modify command, either with pdadmin as described in the IBM Tivoli Access Manager Command Reference or with Web Portal Manager as described in the IBM Tivoli Access Manager Base Administration Guide.
Addressing security concerns

When configured for single sign-on, the Tivoli Identity Manager server uses an HTTP header, iv_user, to identify the authenticated user. There is not, however, an independent mechanism to verify that this HTTP header was received from a trusted source such as Tivoli Access Manager WebSEAL or plug-ins. If users have direct network access to the Tivoli Identity Manager server, it would be possible to impersonate another user. This could be done by creating an HTTP request with iv_user equal to another user ID and sending that request to the Tivoli Identity Manager Server’s logon page.

To address this security concern, refer to the “Overview of Single Sign-on Capability” section of the “Configuring Single Sign-on Solutions” chapter of the IBM Tivoli Identity Manager Server Configuration Guide.
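The exposure above is that the server honours iv-user from any network peer. As an added example, not from the IBM guide or the product and not the mechanism the Server Configuration Guide prescribes, the following request-admission check models the control the section implies: honour iv-user only when the TCP peer is one of the WebSEAL hosts that own the junction, and refuse any request that carries the header from anywhere else. The `request` object is a stand-in for the servlet request, and `TRUSTED_WEBSEAL_PEERS` holds constructed sample addresses.

```javascript
// Added example, not from the IBM guide: admit an iv-user assertion only
// when it arrives from a trusted WebSEAL peer. `request` is a plain object
// standing in for the servlet request; peer addresses are constructed.

// Constructed sample: the WebSEAL instance(s) that own the junction.
const TRUSTED_WEBSEAL_PEERS = new Set(["10.0.0.5", "10.0.0.6"]);

// HTTP header names are case-insensitive, and the guide writes the header
// both as iv_user and iv-user, so fold case and underscores before matching
// and gather every spelling; a second spelling must not slip past the check.
function getHeaderValues(headers, name) {
  const fold = (s) => s.toLowerCase().replace(/_/g, "-");
  const wanted = fold(name);
  const found = [];
  for (const [key, value] of Object.entries(headers)) {
    if (fold(key) === wanted) {
      found.push(...(Array.isArray(value) ? value : [value]));
    }
  }
  return found;
}

// Decide which identity, if any, the request may run as.
//   request = { remoteAddress: string, headers: { [name]: string | string[] } }
// Returns { user, decision, reason } with decision one of
//   "sso"         iv-user accepted from a trusted WebSEAL peer
//   "form-login"  no assertion present; show the normal logon page
//   "reject"      an assertion that must not be honoured
function resolveSsoIdentity(request, trustedPeers = TRUSTED_WEBSEAL_PEERS) {
  const values = getHeaderValues(request.headers, "iv-user");
  if (values.length === 0) {
    return { user: null, decision: "form-login", reason: "no iv-user header" };
  }
  if (!trustedPeers.has(request.remoteAddress)) {
    // Header present but not delivered by WebSEAL: this is exactly the
    // direct-access impersonation the section describes. Refuse outright
    // rather than fall back to form login with the header still attached.
    return {
      user: null,
      decision: "reject",
      reason: `iv-user asserted by untrusted peer ${request.remoteAddress}`,
    };
  }
  if (values.length !== 1) {
    return { user: null, decision: "reject", reason: "multiple iv-user headers" };
  }
  const user = values[0].trim();
  // Access Manager user IDs cannot contain spaces (the guide notes this for
  // the default itim manager ID), so whitespace marks a malformed assertion.
  if (user === "" || /\s/.test(user)) {
    return { user: null, decision: "reject", reason: "malformed iv-user value" };
  }
  return { user, decision: "sso", reason: "asserted by trusted WebSEAL peer" };
}

// Walk-through with constructed requests.
console.log(resolveSsoIdentity({ remoteAddress: "10.0.0.5", headers: { "IV-User": "jdoe" } }));
console.log(resolveSsoIdentity({ remoteAddress: "192.168.7.21", headers: { "iv-user": "jdoe" } }));
```

Every "reject" decision is worth logging with the peer address, since a request that carries iv-user from a non-WebSEAL source is either a misconfigured junction or an impersonation attempt.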
Changing the configured Logoff page

Tivoli Identity Manager comes with several files, each of which can be specified as the logoff page for the Tivoli Identity Manager GUI. The files are in the $WAS_HOME/AppServer/installedApps/$NODE_NAME/enRole.ear/app_web.war directory (where $WAS_HOME is the directory where WebSphere Application Server is installed). When you ran the Installer, ssoLogout.jsp was set as the logoff page. If you want to use a different page, you will need to modify the ui.properties file, as follows:
1. Open the Tivoli Identity Manager $ITIM_HOME/data/ui.properties file in a text editor.
2. For the enrole.ui.logoffURL property, specify one of the logoff pages described in the following table.

Note: The ssoLogout.jsp and websealLogout.jsp files are sample files that show the sample code required to use the Tivoli Identity Manager GUI logout button when WebSEAL single sign-on is enabled. You can edit these files (including language) to perform any functions appropriate to your environment.
Table 1. Logoff pages

websealLogout.jsp
  This sample file is the most secure. Use it when you want the following combined behavior when the user clicks the Logoff button:
  • Terminate the Tivoli Identity Manager logon session.
  • Terminate the Tivoli Access Manager logon session (the pkmslogout function is invoked). pkmslogout only works for clients who use an authentication mechanism that does not supply authentication data with each request. For example, pkmslogout does not work for clients using Basic Authentication, certificates, or IP address information. In these cases, you must close the browser to log out. pkmslogout provides this information to the user in a message that appears on the logout page.
  You can edit this file to customize the sample logoff functionality.
logoff.html
  Default Tivoli Identity Manager logoff behavior:
  SSO disabled:
  • After the user clicks the Logoff button, the Tivoli Identity Manager logon page is displayed.
  SSO enabled:
  • After the user clicks the Logoff button, the user is returned to the Tivoli Identity Manager GUI because the authentication information from Tivoli Access Manager (in the iv-user HTTP header) is still available.

ssoLogout.jsp
  Use this sample file when you want the following combined behavior when the user clicks the Logoff button:
  • Terminate the current Tivoli Identity Manager logon session and provide a link to return to the Tivoli Identity Manager GUI.
  • Remain logged in to Tivoli Access Manager (iv-user HTTP header information is still available). This allows, for example, continued use of a portal page or a return to Tivoli Identity Manager without a logon prompt.
  You can edit this file to customize the sample logoff functionality.
Accessing the Tivoli Identity Manager Logon page

After the WebSEAL junction has been created, the URL for accessing the logon page for the Tivoli Identity Manager interface is changed. The new URL is either
  http://hostname/JunctionName/enrole/logon
or
  https://hostname/JunctionName/enrole/logon
(where hostname is the location of the Tivoli Identity Manager server and JunctionName is the name that you specified for the junction when you ran the Installer).
Chapter 5. Importing and synchronizing user data

Tivoli Identity Manager is designed to be a central location for corporate identity management. However, in your environment, other IBM Tivoli security applications with user management (such as Tivoli Access Manager) might have already been installed and might co-exist with Tivoli Identity Manager. Therefore, several user data records might exist for the same user. Because Tivoli Identity Manager requires its own user registry and cannot share the user objects that are in the user registry of another application (such as Tivoli Access Manager or a corporate directory), you will have to create new user records in Tivoli Identity Manager or import existing user data records from other data resources into Tivoli Identity Manager, if you want Tivoli Identity Manager to manage those users.

If Tivoli Access Manager or other applications with user data records co-exist with Tivoli Identity Manager, and up-to-date user attributes are needed for these applications, Tivoli Identity Manager data will need to be dynamically synchronized with the user records in these applications.
IBM Directory Integrator AssemblyLine samples utility

The IBM Directory Integrator AssemblyLine samples utility is included in the Provisioning Fast Start collection. The utility uses IBM Directory Integrator, which is supported in Tivoli Identity Manager version 4.5, to import Tivoli Access Manager and corporate directory users into Tivoli Identity Manager and to synchronize Tivoli Identity Manager user attributes with those in Tivoli Access Manager.

Directory Integrator is designed to synchronize identity data located in directories, databases, collaborative systems, applications used for human resources (HR), customer relationship management (CRM), Enterprise Resource Planning (ERP), and other corporate applications. In Tivoli Identity Manager version 4.5, a provisioning service type called an IBM Directory Integrator (IDI) Data Feed is supported for user data exchange between Directory Integrator and the Tivoli Identity Manager server. The IDI Data Feed service uses the Directory Services Markup Language version 2 (DSMLv2) format to communicate with Directory Integrator. In Directory Integrator version 5.1.2, the DSMLv2 EventHandler and DSMLv2 support in the JNDI connector were added. This greatly enhances the integration capability between Directory Integrator and Tivoli Identity Manager. In this utility, a JNDI connector with the DSML2InitialContextFactory driver is used to import the user entries into Tivoli Identity Manager.

Note: Before using the utility, you need to be familiar with IBM Directory Integrator concepts, including AssemblyLines, connectors, configuration files, and properties files. For more information, refer to the IBM Directory Integrator Getting Started Guide. Go to the following Web site: http://www.ibm.com/software/tivoli/library. Click Product manuals and then locate and click the IBM Directory Integrator link.
© Copyright IBM Corp. 2003 29
The utility uses the IBM Directory Integrator LDAP connector, the DSMLv2 JNDI connector, and so forth to retrieve Tivoli Access Manager user data or corporate Human Resources data from a registry server and feed it directly to Tivoli Identity Manager. The main functions of this utility include:
• Importing Tivoli Access Manager users (in a single domain) into Tivoli Identity Manager. See “Importing Tivoli Access Manager users (in a single domain) into Tivoli Identity Manager” on page 39.
• Importing Tivoli Access Manager users (in a multi-domain environment) into Tivoli Identity Manager. See “Importing Tivoli Access Manager users (in multi-domains) into Tivoli Identity Manager” on page 41.
• Importing users from an existing corporate directory into Tivoli Identity Manager. See “Importing users from an existing corporate directory” on page 42.
• Synchronizing Tivoli Identity Manager user attributes with Tivoli Access Manager user attributes. See “Synchronizing Tivoli Identity Manager user attributes with Tivoli Access Manager user attributes” on page 44.
Installation

Install the utility using the instructions in Chapter 2, “Installing the Provisioning Fast Start collection,” on page 5.
Requirements for installation

As described in “Importing or synchronizing user data” on page 8, the Tivoli Access Manager Provisioning Fast Start Installer copies the utility files to the proper location when you select IBM Directory Integrator AssemblyLine samples.

Note: The Installer determines whether IBM Directory Integrator is installed and whether it is the correct version. If it is not installed or is not the correct version, the installation selection for the IBM Directory Integrator AssemblyLine utility is not displayed.

As described in “Importing or synchronizing user data” on page 8, you should have considered the following conditions before running the Installer, to ensure that the utility is placed in the correct location:
• Install the utility on the server or workstation where IBM Directory Integrator 5.1.2 or later is installed.
• If LDAP or Active Directory is the user registry for Tivoli Access Manager, install IBM Directory Integrator (if it is not installed) and the utility on any server or workstation in the corporate intranet network that can remotely access the Tivoli Access Manager registries and the Tivoli Identity Manager server.
• If a Lotus Domino server is the user registry for Tivoli Access Manager, the Lotus Notes connector is used to access the user data in the Domino server. In this case, install IBM Directory Integrator (if it is not installed) and the utility on a Notes client that can access the Domino server. You can use either the Notes client installed for the Tivoli Access Manager policy server or a newly installed and configured Notes client.
Installed components

After you run the Installer, a subdirectory is created and the utility files are placed in that subdirectory.
TIMTAMIntegration subdirectory

The Provisioning Fast Start Installer creates the TIMTAMIntegration subdirectory under the IBM Directory Integrator root directory, $IDI_HOME. For example:

C:\Progra~1\ibm\IDI_HOME\TIMTAMIntegration

Utility files

The Installer copies all the utility files into this subdirectory. The utility files include one configuration file and one corresponding properties file for each major task. As listed previously, there are four major tasks. These tasks and their related configuration files and properties files are as follows:

Task: Import single domain Tivoli Access Manager user data to Tivoli Identity Manager:
• Properties file: TAMtoTIMImport.properties. See “TAMtoTIMImport.properties” on page 33 for more information.
• Configuration file: TAMtoTIMImport.xml, which contains the following AssemblyLines:
  – AssemblyLine: LDAPImport
  – AssemblyLine: ADImport
  – AssemblyLine: DominoImport

Task: Import multi-domain Tivoli Access Manager user data to Tivoli Identity Manager:

Note: Tivoli Access Manager supports multi-domain only on an LDAP directory.

• Properties file: MDTAMtoTIMImport.properties. See “MDTAMtoTIMImport.properties” on page 34 for more information.
• Configuration file: MDTAMtoTIMImport.xml, which contains the following AssemblyLine:
  – AssemblyLine: LDAPMDImport

Task: Import Directory user data to Tivoli Identity Manager:
• Properties file: DirectorytoTIMImport.properties. See “DirectorytoTIMImport.properties” on page 36 for more information.
• Configuration file: DirectorytoTIMImport.xml, which contains the following AssemblyLines:
  – AssemblyLine: LDAPUserstoTIM
  – AssemblyLine: ADUserstoTIM

Task: Synchronize Tivoli Identity Manager user attributes with Tivoli Access Manager users:
• Properties file: TIMtoTAMsync.properties
• Configuration file: TIMtoTAMSync.xml, which contains the following AssemblyLines:
  – AssemblyLine: synchtamdirect
  – AssemblyLine: synctambychangelog
• Exit file: TIMtoTAMsyncexit, which contains the default and dynamic changelog number for TIMtoTAMsync.
See “TIMtoTAMsync.properties” on page 37 for more information.
Note: To understand how configuration files and properties files are used, refer to the IBM Directory Integrator: Getting Started Guide. All of these properties files must be configured before you run the utility.

Configuration

After you install the utility, you will need to perform some additional configuration before you can use it.
Creating the IDI Data Feed Service in Tivoli Identity Manager

Before using this utility to import users, you need to create an IDI Data Feed Service in Tivoli Identity Manager 4.5.

Note: The IDI Data Feed Service is not required to perform the synchronizing task.

To create the service:
1. Log in to Tivoli Identity Manager as the Tivoli Identity Manager administrator.
2. Go to Provisioning → Manage Services → Add, and select IDI Data Service as the service type.
3. Define the following parameters for the service:
   Service name: Any value.
   URL: Directory Integrator server URL (optional).
   User ID: Any value.
   Password: Any value.
   Naming Context: Any value.
   Name Attribute: Use uid as the default.

Use the values you have defined in this service as the values for the corresponding attributes in the properties file for the importing tasks (namely, TAMtoTIMImport.properties, MDTAMtoTIMImport.properties, and DirectorytoTIMImport.properties). For example, in the MDTAMtoTIMImport.properties file, the following corresponding attributes should have the same values:

MDTAMtoTIMImport.properties file attribute   Corresponding service value
TIM_DSMLv2_URL                               URL
TIM_DSMLv2_Login                             User ID
TIM_DSMLv2_PW                                Password
TIM_DSMLv2_SearchBase                        Naming Context

For more information about configuring the properties files, see “Configuring the properties files” on page 33.
Configuring the properties files

The four properties files for the four different tasks in the utility contain the customer environment parameters and program initial settings. The properties file names match the configuration file names. Before you run the utility, you need to customize these properties files. View and edit the properties files using a text editor, such as Notepad. The settings of the properties files are described in the following tables.
TAMtoTIMImport.properties

The following table describes the attributes used in this properties file.

Table 2. Attributes in the TAMtoTIMImport.properties file

TIM_DSMLv2_URL
   The remote Tivoli Identity Manager DSMLv2 handler URL, in the format http://hostname:portname/enrole/dsml2_event_handler/tenant, where:
   • hostname is the host name of the Tivoli Identity Manager server.
   • portname is the port of the Tivoli Identity Manager server; the default is 9080.
   • tenant is the domain name of the Tivoli Identity Manager server.
TIM_DSMLv2_Login
   Tivoli Identity Manager IDI Data Feed Service user ID.
TIM_DSMLv2_PW
   Tivoli Identity Manager IDI Data Feed Service user password.
TIM_DSMLv2_SearchBase
   The naming contexts of the Tivoli Identity Manager IDI Data Feed Service.

Note: The Tivoli Identity Manager IDI Data Feed Service user ID, password, and naming contexts are defined in the Tivoli Identity Manager server when the IDI Data Feed Service is created. Refer to the README for IDI Integration Examples for detailed information. This README is located in $ITIM_HOME/extensions/examples/idi_integration/Readme.html, where $ITIM_HOME is the directory where Tivoli Identity Manager was installed.

The following table describes the attributes that are required if the Tivoli Access Manager user registry is in an LDAP directory:

Table 3. Attributes required in TAMtoTIMImport.properties for an LDAP Tivoli Access Manager user registry

TAM_LDAP_URL
   The remote Tivoli Access Manager LDAP URL, in the format ldap://hostname:portnumber.
TAM_LDAP_Login
   The remote Tivoli Access Manager LDAP user ID, for example, cn=root.
TAM_LDAP_PW
   The remote Tivoli Access Manager LDAP user password.

The following table describes the attributes that are required if the Tivoli Access Manager user registry is in an Active Directory registry:

Table 4. Attributes required in TAMtoTIMImport.properties for a Tivoli Access Manager Active Directory user registry

TAM_AD_URL
   The remote Active Directory URL, in the format ldap://hostname:portnumber.
TAM_AD_Username
   The remote Active Directory user name.
TAM_AD_password
   The remote Active Directory user password.
TAM_AD_SearchBase
   The remote Tivoli Access Manager Active Directory domain name, in the format cn=Users,cn=default,cn=tivoli pdomains,dc=domainname,dc=com. Note that you need to replace only the domainname here.
TAM_AD_SearchFilter
   The remote Tivoli Access Manager Active Directory search filter, in the format objectCategory=cn=urafuser,cn=schema,cn=configuration,dc=domainname,dc=com. Note that you need to replace only the domainname here.
TAM_AD_RetrieveBase
   The remote Tivoli Access Manager Active Directory domain name, in the format dc=domainname,dc=com. Note that you need to replace only the domainname here.

The following table describes the attributes that are required if the Tivoli Access Manager user registry is in a Domino registry:

Table 5. Attributes required in TAMtoTIMImport.properties for a Tivoli Access Manager Domino user registry

TAM_Domino_Hostname
   The remote Domino server hostname.
TAM_Domino_UserID
   The remote Domino server user ID.
TAM_Domino_Password
   The remote Domino server user password.
TAM_Domino_Servername
   The remote Domino server name.

MDTAMtoTIMImport.properties

The following table describes the attributes used in this properties file.
Note: Tivoli Access Manager supports multi-domain only on an LDAP directory.

Table 6. Attributes in the MDTAMtoTIMImport.properties file

TIM_DSMLv2_URL
   The remote Tivoli Identity Manager DSMLv2 handler URL, in the format http://hostname:portname/enrole/dsml2_event_handler/tenant, where:
   • hostname is the host name of the Tivoli Identity Manager server.
   • portname is the port of the Tivoli Identity Manager server; the default is 9080.
   • tenant is the domain name of the Tivoli Identity Manager server.
TIM_DSMLv2_Login
   Tivoli Identity Manager IDI Data Feed Service user ID.
TIM_DSMLv2_PW
   Tivoli Identity Manager IDI Data Feed Service user password.
TIM_DSMLv2_SearchBase
   The naming contexts of the Tivoli Identity Manager IDI Data Feed Service.

Note: The Tivoli Identity Manager IDI Data Feed Service user ID, password, and naming contexts are defined in the Tivoli Identity Manager server when the IDI Data Feed Service is created. Refer to the README for IDI Integration Examples for detailed information. This README is located in $ITIM_HOME/extensions/examples/idi_integration/Readme.html, where $ITIM_HOME is the directory where Tivoli Identity Manager was installed.

TAM_LDAP_URL
   The remote Tivoli Access Manager LDAP URL, in the format ldap://hostname:portnumber.
TAM_LDAP_Login
   The remote Tivoli Access Manager LDAP user ID, for example, cn=root.
TAM_LDAP_PW
   The remote Tivoli Access Manager LDAP user password.
DirectorytoTIMImport.properties

The following table describes the attributes used in this properties file.

Table 7. Attributes in the DirectorytoTIMImport.properties file

TIM_DSMLv2_URL
   The remote Tivoli Identity Manager DSMLv2 handler URL, in the format http://hostname:portname/enrole/dsml2_event_handler/tenant, where:
   • hostname is the host name of the Tivoli Identity Manager server.
   • portname is the port of the Tivoli Identity Manager server; the default is 9080.
   • tenant is the domain name of the Tivoli Identity Manager server.
TIM_DSMLv2_Login
   Tivoli Identity Manager IDI Data Feed Service user ID.
TIM_DSMLv2_PW
   Tivoli Identity Manager IDI Data Feed Service user password.
TIM_DSMLv2_SearchBase
   The naming contexts of the Tivoli Identity Manager IDI Data Feed Service.

Note: The Tivoli Identity Manager IDI Data Feed Service user ID, password, and naming contexts are defined in the Tivoli Identity Manager server when the IDI Data Feed Service is created. Refer to the README for IDI Integration Examples for detailed information. This README is located in $ITIM_HOME/extensions/examples/idi_integration/Readme.html, where $ITIM_HOME is the directory where Tivoli Identity Manager was installed.

The following table describes the attributes that are required if the user registry is in an LDAP directory:

Table 8. Attributes required in DirectorytoTIMImport.properties for an LDAP user registry

LDAP_URL
   The remote corporate LDAP URL, in the format ldap://hostname:portnumber.
LDAP_Login
   The remote corporate LDAP user ID.
LDAP_PW
   The remote corporate LDAP user password.
LDAP_SearchBase
   The remote corporate LDAP search base.

The following table describes the attributes that are required if the user registry is in an Active Directory registry:

Table 9. Attributes required in DirectorytoTIMImport.properties for an Active Directory user registry

AD_URL
   The remote Active Directory URL, in the format ldap://hostname:portnumber.
AD_Username
   The remote Active Directory user name.
AD_password
   The remote Active Directory user password.
AD_SearchBase
   The remote Active Directory domain name, in the format cn=Users,cn=default,cn=tivoli pdomains,dc=domainname,dc=com. Note that you need to replace only the domainname here.

TIMtoTAMsync.properties

The following table describes the attributes used in this properties file.

Note: The synchronization function can be used only with LDAP directories.

Table 10. Attributes in the TIMtoTAMsync.properties file

TIM_LDAP_URL
   The remote Tivoli Identity Manager LDAP URL, in the format ldap://hostname:portnumber.
TIM_LDAP_Login
   Tivoli Identity Manager LDAP user login.
TIM_LDAP_PW
   Tivoli Identity Manager LDAP user password.
TAM_LDAP_URL
   The remote Tivoli Access Manager LDAP URL, in the format ldap://hostname:portnumber.
TAM_LDAP_Login
   The remote Tivoli Access Manager LDAP user ID, for example, cn=root.
TAM_LDAP_PW
   The remote Tivoli Access Manager LDAP user password.
SYNC_Start
   Scheduled start time for synchronization. Use the format <month> <day> <weekday> <hour> <minute>, where:
   • month is 0–11
   • day is 1–31
   • weekday is 1–7
   • hour is 0–23
   • minute is 0–59
   There is a space between each variable. Use * for any value of that variable. For example, * * * * 15 defines a scheduled starting time of 15 minutes past every hour.
SYNC_Timeout
   Specifies the maximum time in seconds for the changelog connector to wait for the next new changelog.
SYNC_Sleeptime
   Specifies the number of seconds for the changelog connector to sleep if no new changelog is there.

Notes:
1. If SYNC_Timeout is set to 0 and SYNC_Sleeptime is set to a non-zero value, the changelog connector will wait for the new changelog indefinitely. In this case, the change number will not be updated if the AssemblyLine is stopped manually.
2. The format and range of SYNC_Timeout and SYNC_Sleeptime are defined by IBM Directory Integrator. They are integers and the range is very large.

You can also use the IDI Admin Tool to view and encrypt these properties files, if necessary. Refer to the IBM Directory Integrator: Administrator Interface for more information.
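Before the utility is run, a pre-flight check of the properties files described in Tables 2 through 10 catches the usual mistakes: URL values that do not follow the documented format, TIM_DSMLv2_* values that differ between the import files when they must all match the IDI Data Feed Service, a SYNC_Start schedule outside the documented ranges, and credentials left in clear text in files that can be encrypted with the IDI Admin Tool. The following Python script is an added example, not part of the Provisioning Fast Start collection or of IBM Directory Integrator; the file and attribute names come from the tables above, while the checker itself, the accepted https/ldaps variants and the sample file content (constructed, with placeholder host names and credentials) are assumptions.

```python
"""Pre-flight checks for the TIMTAMIntegration properties files (added example, not IBM code).
File and attribute names are those the guide documents in Tables 2-10; the checker logic,
the accepted https/ldaps variants and every sample value below are assumptions."""
import re

# Documented formats: http://hostname:portname/enrole/dsml2_event_handler/tenant
# and ldap://hostname:portnumber (the SSL schemes are accepted as an assumption).
DSML_URL = re.compile(r"^https?://[^/\s:]+:\d+/enrole/dsml2_event_handler/[^/\s]+$")
LDAP_URL = re.compile(r"^ldaps?://[^/\s:]+:\d+$")
URL_FORMATS = {"TIM_DSMLv2_URL": DSML_URL, "TIM_LDAP_URL": LDAP_URL, "TAM_LDAP_URL": LDAP_URL,
               "TAM_AD_URL": LDAP_URL, "LDAP_URL": LDAP_URL, "AD_URL": LDAP_URL}
# Credential attributes; the guide says the files can be encrypted with the IDI Admin Tool.
SECRET_KEYS = {"TIM_DSMLv2_PW", "TAM_LDAP_PW", "TAM_AD_password", "TAM_Domino_Password",
               "LDAP_PW", "AD_password", "TIM_LDAP_PW"}
# SYNC_Start fields in order, with the inclusive ranges from Table 10.
SYNC_FIELDS = [("month", 0, 11), ("day", 1, 31), ("weekday", 1, 7), ("hour", 0, 23), ("minute", 0, 59)]
# The three import files must carry the values defined in the IDI Data Feed Service.
IMPORT_FILES = ("TAMtoTIMImport.properties", "MDTAMtoTIMImport.properties", "DirectorytoTIMImport.properties")
SHARED_KEYS = ("TIM_DSMLv2_URL", "TIM_DSMLv2_Login", "TIM_DSMLv2_PW", "TIM_DSMLv2_SearchBase")

def parse_properties(text):
    """Minimal Java .properties reader: key=value or key: value; # and ! start comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props

def check_sync_start(value):
    """Validate a '<month> <day> <weekday> <hour> <minute>' schedule; '*' means any value."""
    fields = value.split()
    if len(fields) != len(SYNC_FIELDS):
        return [f"SYNC_Start: expected 5 space-separated fields, got {len(fields)}"]
    errors = []
    for field, (name, low, high) in zip(fields, SYNC_FIELDS):
        if field != "*" and not (field.isdigit() and low <= int(field) <= high):
            errors.append(f"SYNC_Start: {name} must be * or {low}-{high}, got {field!r}")
    return errors

def check_file(name, props):
    """Findings for one file: missing service keys, bad value formats, clear-text secrets."""
    findings = []
    if name in IMPORT_FILES:
        findings += [f"{name}: {k} is missing or empty" for k in SHARED_KEYS if not props.get(k)]
    for key, pattern in URL_FORMATS.items():
        if key in props and not pattern.match(props[key]):
            findings.append(f"{name}: {key} does not match the documented format: {props[key]!r}")
    for key in sorted(SECRET_KEYS.intersection(props)):
        findings.append(f"{name}: {key} is in clear text; encrypt the file with the IDI Admin Tool")
    if "SYNC_Start" in props:
        findings += [f"{name}: {e}" for e in check_sync_start(props["SYNC_Start"])]
    return findings

def check_consistency(parsed):
    """The TIM_DSMLv2_* values must be identical in every import file that is present."""
    findings = []
    for key in SHARED_KEYS:
        values = {parsed[f].get(key, "") for f in IMPORT_FILES if f in parsed}
        if len(values) > 1:
            findings.append(f"{key} differs between import files: {sorted(values)}")
    return findings

def run_checks(sources):
    """sources maps file name to file text; returns all findings, per-file ones first."""
    parsed = {name: parse_properties(text) for name, text in sources.items()}
    findings = [f for name, props in parsed.items() for f in check_file(name, props)]
    return findings + check_consistency(parsed)

# Constructed sample content; host names, ports and credentials are placeholders.
SAMPLE_FILES = {
    "TAMtoTIMImport.properties": """
TIM_DSMLv2_URL=http://tim.example.com:9080/enrole/dsml2_event_handler/example
TIM_DSMLv2_Login=idifeed
TIM_DSMLv2_PW=changeit
TIM_DSMLv2_SearchBase=ou=people,o=example
TAM_LDAP_URL=ldap://tamldap.example.com:389
TAM_LDAP_PW=secret
""",
    "DirectorytoTIMImport.properties": """
TIM_DSMLv2_URL=http://tim.example.com:9080/enrole/dsml2_event_handler/example
TIM_DSMLv2_Login=idifeed
TIM_DSMLv2_PW=changeit
TIM_DSMLv2_SearchBase=ou=staff,o=example
LDAP_URL=ldap//:hr.example.com:389
LDAP_PW=secret
""",
    "TIMtoTAMsync.properties": """
TIM_LDAP_URL=ldap://timldap.example.com:389
TAM_LDAP_URL=ldap://tamldap.example.com:389
TAM_LDAP_PW=secret
SYNC_Start=* * * * 15
SYNC_Timeout=0
""",
}
```

Calling run_checks(SAMPLE_FILES) reports the malformed LDAP_URL, the TIM_DSMLv2_SearchBase mismatch between the two import files and each clear-text password; in practice the sources would be read from the TIMTAMIntegration subdirectory.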
Configuring connectors

Most of the connectors that work with the utility are ready for use. However, if you are using Lotus Notes as your data source, you must copy the Notes.jar file to $IDI_HOME/jars (where $IDI_HOME is the location where Directory Integrator is installed). You should also modify the classpath in the IBM Directory Integrator startup script ibmditk to include these new JAR files so that the Lotus Notes connector will work properly.
Addressing security concerns

To enhance security when using this utility to import or synchronize user data, perform the following procedures:
• Secure the configuration file and customer settings. You can set the password for the configuration file and select the encryption option for the properties file. Refer to the IBM Directory Integrator Reference Guide for instructions.
• Enable SSL between the directory and Directory Integrator. Refer to the IBM Directory Integrator Reference Guide for instructions.
• Enable SSL between Directory Integrator and Tivoli Identity Manager. Refer to the IBM Tivoli Identity Manager Server Configuration Guide for instructions.

Addressing performance considerations

To ensure the best performance, review the information in the IBM Directory Integrator Reference Guide. In addition, while running the IBM Directory Integrator AssemblyLine samples utility, enable error logging only when you are debugging.
Running the utility

The four tasks you can run using this utility are:
• “Importing Tivoli Access Manager users (in a single domain) into Tivoli Identity Manager” on page 39.
• “Importing Tivoli Access Manager users (in multi-domains) into Tivoli Identity Manager” on page 41.
• “Importing users from an existing corporate directory” on page 42.
• “Synchronizing Tivoli Identity Manager user attributes with Tivoli Access Manager user attributes” on page 44.

Note: Before using the utility in a production environment, use a simulated environment to run a verification test for each of the four tasks that you plan to use in production. When you run the verification test, you will want to verify:
• Environment settings
• Directory server connections
• Tivoli Identity Manager server DSMLv2EventHandler connections
• Attribute availability and mapping
Importing Tivoli Access Manager users (in a single domain) into Tivoli Identity Manager

This task assumes that you start with an existing Tivoli Access Manager single domain environment that has users defined in a user registry, then install Tivoli Identity Manager, and then import all the defined Tivoli Access Manager users into Tivoli Identity Manager so that Tivoli Identity Manager can manage these users. (It is necessary to import all the defined Tivoli Access Manager users into Tivoli Identity Manager so that Tivoli Identity Manager can manage these users.) The utility will extract all the user information from the Tivoli Access Manager registry, map the user attributes from Tivoli Access Manager users to Tivoli Identity Manager users (Person entities), and create valid input that the Tivoli Identity Manager service can recognize. You can then assign accounts to the Person entities by performing a reconciliation as described in the IBM Tivoli Identity Manager Policy and Organization Administration Guide.

Before you can import Tivoli Access Manager users into Tivoli Identity Manager, the following is assumed:
• Tivoli Access Manager has been installed and configured.
• A number of users have been created in one of the following Tivoli Access Manager user registry directories:
  – IBM Tivoli Directory Server 5.2
  – IBM Directory Server 5.1
  – IBM Directory Server 4.1
  – IBM SecureWay Directory 3.2
  – SUN ONE Directory (iPlanet) 5.0 and above
  – Novell eDirectory
  – Microsoft Active Directory in Windows 2000 servers
  – Domino server 5.0 and above
  (You want to import all the Tivoli Access Manager users from the user registry to Tivoli Identity Manager.)
• The Tivoli Access Manager agent has been installed and configured.
• Tivoli Identity Manager has been installed and configured.
• IBM Directory Integrator and this utility have been installed.
• The IDI Data Feed Service is created and configured, as described in “Creating the IDI Data Feed Service in Tivoli Identity Manager” on page 32.

The configuration file for this task is TAMtoTIMImport.xml. The utility will retrieve the Tivoli Access Manager user data from Tivoli Access Manager user registries, such as LDAP, Active Directory and Domino directory, and import it to Tivoli Identity Manager.

Using the Directory Integrator Admin Tool

To run this task:
1. Start the Directory Integrator Admin Tool:
   • In Windows, click Start → Programs → IBM Directory Integrator → IBM Directory Integrator.
   • In AIX or Solaris, at a command prompt, change to the IBM Tivoli Directory Integrator installation directory and type ./ibmditk
2. Click File → Open. Then select the TIMTAMIntegration subdirectory.
3. Open the configuration file TAMtoTIMImport.xml.
4. Select the AssemblyLine for the task:
   • If you want to import user data from an LDAP user registry in a single domain environment, select LDAPImport.
   • If you want to import user data from an Active Directory user registry in a single domain environment, select ADImport.
   • If you want to import user data from a Domino user registry in a single domain environment, select DominoImport.
5. Click Run in the upper right-hand corner. The running information is displayed in the execution window.
Using the command line

To run this task using the command line:
1. Start the AssemblyLine from the command line.
2. Type the following command from the Directory Integrator installation directory:

ibmdisrv -c"Configuration_file_name" -r"AssemblyLine_name" -m

Note: The command line options must have their values following immediately after the options. Do not insert a space between the option and its value.

-c   Configuration file: TAMtoTIMImport.xml
-l   Log file (default console output). To change the log file for most of the logging, change the log4j.properties file.
-r   List of AssemblyLine names to start:
     • If you want to import user data from an LDAP user registry in a single domain environment, use -rLDAPImport.
     • If you want to import user data from an Active Directory user registry in a single domain environment, use -rADImport.
     • If you want to import user data from a Domino user registry in a single domain environment, use -rDominoImport.
-P   Password. Input a password if the configuration file is encrypted and protected by a password.
-m   Start the Administration and Monitor Console (AMC) server.
After Tivoli Identity Manager users are created, you can run the Tivoli Identity Manager reconciliation operation to create the matched Tivoli Access Manager accounts in Tivoli Identity Manager. The matching between the Tivoli Identity Manager user and the Tivoli Access Manager account is set by the aliases attribute in the Tivoli Identity Manager user record that is defined by the utility.

After Tivoli Identity Manager and Tivoli Access Manager are integrated, if you need to synchronize the Tivoli Identity Manager and Tivoli Access Manager user attributes, you can use the synchronization task to implement this directly or dynamically. See “Synchronizing Tivoli Identity Manager user attributes with Tivoli Access Manager user attributes” on page 44.
Importing Tivoli Access Manager users (in multi-domains) into Tivoli Identity Manager

This task assumes that you start with an existing Tivoli Access Manager multi-domain environment that has users defined in a user registry, then install Tivoli Identity Manager, and then import all the defined Tivoli Access Manager users into Tivoli Identity Manager so that Tivoli Identity Manager can manage these users. (It is necessary to import all the defined Tivoli Access Manager users into Tivoli Identity Manager so that Tivoli Identity Manager can manage these users.) The utility will extract all the user information from the Tivoli Access Manager registry, map the user attributes from Tivoli Access Manager users to Tivoli Identity Manager users (Person entities), and create valid input that the Tivoli Identity Manager service can recognize. You can then assign accounts to the Person entities by performing a reconciliation as described in the IBM Tivoli Identity Manager Policy and Organization Administration Guide.

Before you can import Tivoli Access Manager users into Tivoli Identity Manager, the following is assumed:
• Tivoli Access Manager has been installed and configured.
• A number of users have been created in one of the following Tivoli Access Manager LDAP user registry directories:
  – IBM Tivoli Directory Server 5.2
  – IBM Directory Server 5.1
  – IBM Directory Server 4.1
  – IBM SecureWay Directory 3.2
  – SUN ONE Directory (iPlanet) 5.0 and above
  – Novell eDirectory
  (You want to import all the Tivoli Access Manager users from the user registry to Tivoli Identity Manager.)
• The Tivoli Access Manager agent has been installed and configured.
• Tivoli Identity Manager has been installed and configured.
• IBM Directory Integrator and this utility have been installed.
• You have configured the IDI Data Feed Service, as described in “Creating the IDI Data Feed Service in Tivoli Identity Manager” on page 32.

The configuration file for this task is MDTAMtoTIMImport.xml.
The utility will retrieve the Tivoli Access Manager user data from the Tivoli Access Manager LDAP user registries and import it to Tivoli Identity Manager.

Using the Directory Integrator Admin Tool

To run this task:
1. Start the Directory Integrator Admin Tool:
   • In Windows, click Start → Programs → IBM Directory Integrator → IBM Directory Integrator.
   • In AIX or Solaris, at a command prompt, change to the IBM Tivoli Directory Integrator installation directory and type ./ibmditk
2. Click File → Open. Then select the TIMTAMIntegration subdirectory.
3. Open the configuration file MDTAMtoTIMImport.xml.
4. Select the AssemblyLine LDAPMDImport.
5. Click Run in the upper right-hand corner. The running information is displayed in the execution window.

Using the command line

To run this task using the command line:
1. Start the AssemblyLine from the command line.
2. Type the following command from the Directory Integrator installation directory:

ibmdisrv -c"Configuration_file_name" -r"AssemblyLine_name" -m

Note: The command line options must have their values following immediately after the options. Do not insert a space between the option and its value.

-c   Configuration file: MDTAMtoTIMImport.xml
-l   Log file (default console output). To change the log file for most of the logging, change the log4j.properties file.
-r   List of AssemblyLine names to start: -rLDAPMDImport
-P   Password. Input a password if the configuration file is encrypted and protected by a password.
-m   Start the Administration and Monitor Console (AMC) server.

After Tivoli Identity Manager users are created, you can run the Tivoli Identity Manager reconciliation operation to create the matched Tivoli Access Manager accounts in Tivoli Identity Manager. The matching between the Tivoli Identity Manager user and the Tivoli Access Manager account is set by the aliases attribute in the Tivoli Identity Manager user record that is defined by the utility. For more information about reconciliation, see the IBM Tivoli Identity Manager Policy and Organization Administration Guide.

After Tivoli Identity Manager and Tivoli Access Manager are integrated, if you need to synchronize the Tivoli Identity Manager and Tivoli Access Manager user attributes, you can use the synchronization task to implement this directly or dynamically. See “Synchronizing Tivoli Identity Manager user attributes with Tivoli Access Manager user attributes” on page 44.
Importing users from an existing corporate directory

This task assumes that your company uses a registry, such as LDAP, to manage its Human Resources or corporate directory data. The utility can be used to import all or part of the existing users' data from this corporate registry into an integrated Tivoli Identity Manager environment. Tivoli Identity Manager users (Person entities) will be created through the utility, and Tivoli Access Manager accounts or other accounts can be created for each Person using the Tivoli Identity Manager provisioning policy. For this task, the utility uses the DirectorytoTIMImport.xml configuration file to map the user attributes and import them to Tivoli Identity Manager.
Before
you
can
import
the
directory
users
into
Tivoli
Identity
Manager,
the
following
is
assumed:
v
A
number
of
users
have
been
created
in
one
of
the
following
user
registry
directories:
–
IBM
Tivoli
Directory
Server
5.2
–
IBM
Directory
Server
5.1
–
IBM
Directory
Server
4.1
–
IBM
SecureWay
Directory
3.2
–
SUN
ONE
Directory
(iPlanet)
5.0
and
above
–
Novell
eDirectory
–
Microsoft
Active
Directory
in
Windows
2000
servers
(You
want
to
import
all
the
Tivoli
Access
Manager
users
from
the
user
registry
to
Tivoli
Identity
Manager.)
v
You
can
access
the
corporate
directory
and
you
know
the
data
tree.
v
You
know
how
to
map
the
directory
user
attributes
to
Tivoli
Identity
Manager
attributes.
v
Tivoli
Identity
Manager
is
installed.
v
IBM
Directory
Integrator
and
this
utility
have
been
installed.
v
You
have
configured
the
IDI
Data
Feed
Service,
as
described
in
“Creating
the
IDI
Data
Feed
Service
in
Tivoli
Identity
Manager”
on
page
32.
v
Also,
you
should
have
Tivoli
Access
Manager
installed
and
you
should
have
completed
the
following
steps
for
the
Tivoli
Access
Manager
environment:
1.
Install
a
Tivoli
Access
Manager
service
profile
in
Tivoli
Identity
Manager
(by
installing
and
configuring
the
agent
as
described
in
IBM
Tivoli
Identity
Manager
IBM
Tivoli
Access
Manager
Agent
Installation
Guide).
2.
Create
a
Tivoli
Access
Manager
service
in
Tivoli
Identity
Manager.
3.
Define
the
provisioning
policy
in
Tivoli
Identity
Manager
to
create
a
Tivoli
Access
Manager
account
when
Tivoli
Identity
Manager
users
are
created.
This
way
when
using
DirectorytoTIMImport.xml
to
import
the
corporate
directory
users
into
an
integrated
Tivoli
Identity
Manager
and
Tivoli
Access
Manager
environment,
Tivoli
Identity
Manager
users
and
Tivoli
Access
Manager
accounts
will
be
created
for
every
user
record.
Tivoli
Access
Manager
users
will
also
be
created
automatically
when
a
Tivoli
Identity
Manager
person
is
created.
Using the Directory Integrator Admin Tool

To run this task:

1. Start the Directory Integrator Admin Tool:
   • In Windows, click Start → Programs → IBM Directory Integrator → IBM Directory Integrator.
   • In AIX or Solaris, at a command prompt, change to the IBM Tivoli Directory Integrator installation directory and type ./ibmditk
2. Click File → Open. Then select the TIMTAMIntegration subdirectory.
3. Open the configuration file DirectorytoTIMImport.xml.
4. Select the AssemblyLine or EventHandler for the task:
   • To import user data from an LDAP user registry in a single domain environment, select LDAPUserstoTIM.
   • To import user data from an Active Directory user registry in a single domain environment, select ADUserstoTIM.
5. Click Run in the upper right-hand corner. The running information is displayed in the execution window.

Using the command line

To start the AssemblyLine from the command line, type the following command from the Directory Integrator installation directory:

   ibmdisrv -c"Configuration_file_name" -r"AssemblyLine_name" -m

Note: The command line options must have their values following immediately after the options. Do not insert a space between the option and its value.

-c   Configuration file; use DirectorytoTIMImport.xml
-l   Log file (default is console output). To change the log file for most of the logging, change the log4j.properties file.
-r   List of AssemblyLine names to start:
     • To import user data from an LDAP user registry in a single domain environment, use -rLDAPUserstoTIM.
     • To import user data from an Active Directory user registry in a single domain environment, use -rADUserstoTIM.
-P   Password. Supply the password if the configuration file is encrypted and protected by a password. Note that a password given on the command line is visible to other users of the host in the process list for as long as ibmdisrv runs.
-m   Start the Administration and Monitor Console (AMC) server.
Synchronizing Tivoli Identity Manager user attributes with Tivoli Access Manager user attributes

If you have Tivoli Identity Manager and Tivoli Access Manager already installed and integrated, automatic synchronization of Tivoli Identity Manager user attributes with Tivoli Access Manager user attributes can be useful, so that WebSEAL and other Tivoli Access Manager-based applications can use the synchronized attributes to make access decisions for the user, or for other purposes. In addition, because Tivoli Access Manager does not provide a way to update user attributes, you can use this synchronization task to change the attributes in Tivoli Identity Manager and then synchronize those attribute changes into the Tivoli Access Manager user registry.

Before you can synchronize the Tivoli Identity Manager user attributes into matching Tivoli Access Manager user records, the following is assumed:

• One or more of the Tivoli Identity Manager users have been created or modified in the Tivoli Identity Manager user registry directory.
• You want to import all the user attributes from the Tivoli Identity Manager user registry into matching user records in one of the following Tivoli Access Manager user directories:
  – IBM Tivoli Directory Server 5.2
  – IBM Directory Server 5.1
  – IBM Directory Server 4.1
  – IBM SecureWay Directory 3.2
  – SUN ONE Directory (iPlanet) 5.0 and above
  – Novell eDirectory
• IBM Directory Integrator and this utility have been installed.
Using the Directory Integrator Admin Tool

To synchronize user attributes:

1. Start the Directory Integrator Admin Tool:
   • In Windows, click Start → Programs → IBM Directory Integrator → IBM Directory Integrator.
   • In AIX or Solaris, at a command prompt, change to the IBM Tivoli Directory Integrator installation directory and type ./ibmditk
2. Click File → Open. Then select the TIMTAMIntegration subdirectory.
3. Open the configuration file TIMtoTAMSync.xml.
4. Select the AssemblyLine or EventHandler for the task:
   • To synchronize Tivoli Identity Manager user data with Tivoli Access Manager user data in a single run, select synchtamdirect.
   • To monitor changes to Tivoli Identity Manager user attributes and automatically update Tivoli Access Manager user attributes with the changes (that is, to synchronize automatically), select synchtamchangelog.
     Note: To use this AssemblyLine, the LDAP changelog must be turned on. Use the LDAP interface to turn on the changelog. You could also start this task by using the ScheduleSync event handler. See the IBM Directory Integrator Getting Started Guide for more information about scheduling events with ScheduleSync.
5. Click Run in the upper right-hand corner. The running information is displayed in the execution window.

Using the command line

To start the AssemblyLine from the command line, type the following command from the Directory Integrator installation directory:

   ibmdisrv -c"Configuration_file_name" -r"AssemblyLine_name" -m

Note: The command line options must have their values following immediately after the options. Do not insert a space between the option and its value.

-c   Configuration file; use TIMtoTAMSync.xml
-l   Log file (default is console output). To change the log file for most of the logging, change the log4j.properties file.
-r   List of AssemblyLine names to start:
     • To synchronize Tivoli Identity Manager user data with Tivoli Access Manager user data in a single run, use -rsynchtamdirect.
     • To monitor changes to Tivoli Identity Manager user attributes and automatically update Tivoli Access Manager user attributes with the changes (that is, to synchronize automatically), use -rsynchtamchangelog.
       Note: To use this AssemblyLine, the LDAP changelog must be turned on. Use the LDAP interface to turn on the changelog. You could also start this task by using the ScheduleSync event handler. See the IBM Directory Integrator Getting Started Guide for more information about scheduling events with ScheduleSync.
-P   Password. Supply the password if the configuration file is encrypted and protected by a password. Note that a password given on the command line is visible to other users of the host in the process list for as long as ibmdisrv runs.
-m   Start the Administration and Monitor Console (AMC) server.

By default, the following attributes are mapped when you run the synchtamdirect AssemblyLine:

   GivenName
   Homephone
   Homepostaladdress
   Mobile
   Pager
   Postaladdress
   Postalcode
   Roomnumber
   St
   Street
   Telephonenumber
   title

You can view, modify, or delete these attribute mappings using the Directory Integrator Admin Tool. Refer to the IBM Directory Integrator Reference Manual for more information.
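The following is an added example, not code from the Provisioning Fast Start utility or from IBM Directory Integrator. It models the decision that the changelog-driven synchronization described above has to make: read LDAP changelog entries newer than the last processed change number, keep only changetype modify entries, and push only the attributes in the default synchtamdirect mapping, so that an unmapped attribute such as userPassword never leaves Tivoli Identity Manager through this path. The changelog entries are constructed sample data, and identifying the matching Tivoli Access Manager user by the uid RDN of the target DN is an assumption of this example, not something the guide specifies.

```python
"""Work out which attribute changes a TIM-to-TAM synchronization run
should push, from LDAP changelog entries.  Added example; not code from
the Provisioning Fast Start utility.  The changelog entries are
constructed sample data, and matching a changelog target to its Tivoli
Access Manager user by the uid RDN is an assumption of this example."""

# Default synchtamdirect attribute mapping from the guide.  LDAP attribute
# names are case-insensitive, so everything is compared in lower case.
MAPPED_ATTRIBUTES = frozenset(name.lower() for name in (
    "GivenName", "Homephone", "Homepostaladdress", "Mobile", "Pager",
    "Postaladdress", "Postalcode", "Roomnumber", "St", "Street",
    "Telephonenumber", "title",
))

# Constructed entries in the shape of cn=changelog records: change number,
# target DN, change type, and the LDIF text of the modification.
SAMPLE_CHANGELOG = [
    {"changenumber": 101,
     "targetdn": "uid=jdoe,ou=people,ou=myco,dc=com",
     "changetype": "modify",
     "changes": "replace: telephoneNumber\ntelephoneNumber: +1 555 0100\n-\n"
                "replace: mail\nmail: jdoe@myco.com\n-\n"},
    {"changenumber": 102,   # password change: must not travel as an attribute
     "targetdn": "uid=asmith,ou=people,ou=myco,dc=com",
     "changetype": "modify",
     "changes": "replace: userPassword\nuserPassword: {SHA}c2FtcGxl\n-\n"},
    {"changenumber": 103,
     "targetdn": "uid=jdoe,ou=people,ou=myco,dc=com",
     "changetype": "modify",
     "changes": "delete: pager\n-\nadd: mobile\nmobile: +1 555 0199\n-\n"},
    {"changenumber": 104,   # new person: account creation is the provisioning policy's job
     "targetdn": "uid=newhire,ou=people,ou=myco,dc=com",
     "changetype": "add",
     "changes": "objectClass: inetOrgPerson\nuid: newhire\n"},
]


def parse_modify_changes(changes):
    """Parse LDIF changetype:modify text into (op, attribute, values) tuples."""
    mods, current = [], None
    for line in changes.splitlines():
        if line == "-":                      # end of one modification
            if current is not None:
                mods.append(current)
            current = None
            continue
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if current is None:
            if name not in ("add", "delete", "replace"):
                raise ValueError(f"expected add/delete/replace, got {line!r}")
            current = (name, value.lower(), [])
        else:
            current[2].append(value)
    if current is not None:
        mods.append(current)
    return mods


def uid_from_dn(dn):
    """Leftmost RDN must be uid=...; that value names the matching TAM user (assumption)."""
    rdn_type, _, rdn_value = dn.split(",", 1)[0].partition("=")
    if rdn_type.strip().lower() != "uid":
        raise ValueError(f"cannot derive a user name from {dn!r}")
    return rdn_value.strip()


def build_sync_plan(changelog, last_changenumber):
    """Return ([updates to push], new high-water mark).

    Only entries newer than last_changenumber are considered, only modify
    entries are synchronized, and only mapped attributes are kept."""
    plan, high_water = [], last_changenumber
    for entry in sorted(changelog, key=lambda e: e["changenumber"]):
        number = entry["changenumber"]
        if number <= last_changenumber:
            continue
        high_water = max(high_water, number)
        if entry["changetype"] != "modify":
            continue
        mods = [m for m in parse_modify_changes(entry["changes"])
                if m[1] in MAPPED_ATTRIBUTES]
        if mods:
            plan.append({"changenumber": number,
                         "user": uid_from_dn(entry["targetdn"]),
                         "mods": mods})
    return plan, high_water


if __name__ == "__main__":
    updates, mark = build_sync_plan(SAMPLE_CHANGELOG, 100)
    for update in updates:
        print(update["changenumber"], update["user"], update["mods"])
    print("next run starts after changenumber", mark)
```

Run with the constructed data, change 101 yields only the telephoneNumber replacement (mail is not mapped), change 102 is dropped entirely because userPassword is not in the mapping, change 103 yields the pager delete and mobile add, and change 104 advances the high-water mark without producing an update. Persisting that mark between runs is what keeps a scheduled run from re-applying old changes.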
Chapter 6. Creating a Web interface for user self-management

If you are using Tivoli Identity Manager to manage user accounts and you would like your users to be able to manage their own user IDs and passwords, you could benefit from a self-management Web portal page. By allowing users to perform these self-management tasks themselves, the number of help desk calls requesting them can be reduced.

The Provisioning Fast Start collection provides a set of Java servlets, JavaServer Pages, and HTML files (collectively called the Web Application Sample) that demonstrate how to create a Web application for user self-care, including self-registration, update of personal data, password change, password reset through challenge/response, and requests for application access. The Web Sample uses the Tivoli Identity Manager version 4.5 API and standard WebSphere interfaces for Web applications.

The Web Application Sample

The Web Application Sample:
• Can be used as an example of how to create Web applications using the Tivoli Identity Manager 4.5 APIs
• Can be customized in appearance and function to fit your business needs
• Supports single sign-on (SSO) from WebSEAL (if SSO has been enabled in Tivoli Identity Manager)

The Sample is provided for user self-management and is not meant to replace the Tivoli Identity Manager graphical user interface that is provided for administrative purposes.

Prerequisite knowledge for using the Sample

To use this Sample, you should be an experienced Web application developer who is familiar with:
• WebSphere Application Server
• Java 2 Platform, Enterprise Edition (J2EE), including Java servlets and JavaServer Pages (JSPs)
• Java Authentication and Authorization Service (JAAS)
• Tivoli Identity Manager version 4.5 APIs:
  – Refer to the javadocs in the following location of the directory where you installed Tivoli Identity Manager: $ITIM_HOME/extensions/api/index.html (where $ITIM_HOME is the directory where Tivoli Identity Manager was installed).
  – Also refer to the Tivoli Identity Manager overview document in the following location: $ITIM_HOME/extensions/doc/applications/applications.html.

When the Web Application Sample is protected by Tivoli Access Manager (through WebSEAL or the Plug-in for Web Servers), you must also be familiar with the integrated Tivoli Identity Manager and Tivoli Access Manager environment in which you will use these pages.
Prerequisite software and configurations for using the Sample

To use the functions in the Sample, the following environments should also be installed and configured:
• WebSphere Application Server version 5.0 with patch 2 (also referred to as 5.0.2), and any additional patches that are specified in the IBM Tivoli Identity Manager Version 4.5 Release Notes.
• Tivoli Identity Manager version 4.5 (and its prerequisites).
• Tivoli Access Manager version 5.1 (and its prerequisites) and the Tivoli Access Manager agent, if Tivoli Identity Manager is managing Tivoli Access Manager accounts.
• The users who will use the Web pages in the Sample must have a Tivoli Identity Manager account.
• If the Sample will be accessed through single sign-on with WebSEAL, the users must also have a Tivoli Access Manager account.

Note: If you want to enable the Sample to use single sign-on with WebSEAL, you need to have WebSEAL installed and configured, and you need to enable Tivoli Identity Manager to use single sign-on, as described in Chapter 4, “Configuring Tivoli Identity Manager for single sign-on with WebSEAL,” on page 21. In addition, when you use single sign-on with WebSEAL, do not use the Change Password function in the Sample. Instead, install and use the function provided by the Reverse Password Synchronization for Tivoli Access Manager WebSEAL agent, which is part of the Tivoli Access Manager agent package that is available from the IBM Web site. Contact your IBM account representative for more information.

Functions of the Sample

The Web Application Sample provides the following functions:
• Logon (which can support either user ID and password authentication or single sign-on through WebSEAL); see “Configuring the Logon function” on page 54.
• Main (Home); see “Configuring the Main (Home) page” on page 55.
• Change Password; see “Configuring Password functions” on page 55.
• Forgot My Password (using Challenge Response); see “Configuring Password functions” on page 55.
• Self-Care; see “Configuring the Self-Care function” on page 62.
• Self-Registration; see “Configuring the Self-Registration function” on page 59.
• Application Subscription; see “Configuring the Application Subscription function” on page 63.
• Set Challenge Response; see “Configuring the Challenge/Response function” on page 65.
• Logout; see “Configuring the Logout function” on page 66.
Installation

Before you install the Sample, you should be familiar with the requirements for installing it and the methods you can choose for installation.

Installation requirements

You must install the Sample on a system that has WebSphere Application Server version 5.0.2 already installed. In addition, you must have installed the WebSphere Application Server patches that are specified in the IBM Tivoli Identity Manager Version 4.5 Release Notes. Use the installation instructions in those Release Notes to install the patches.

Note: If you will use the Provisioning Fast Start Installer as your installation method, you must disable Security in WebSphere Application Server. As such, you will need to take the following steps before and after the installation:

1. Disable Security in WebSphere Application Server. Refer to the WebSphere documentation for instructions.
2. Install the Sample (as described in Chapter 2, “Installing the Provisioning Fast Start collection,” on page 5).
3. Manually configure the Sample as follows (so that it can run with WebSphere Security enabled):
   a. Create a file called was.policy in the following path:
      $WAS_HOME/AppServer/config/cells/cellname/applications/itim_expi.ear/deployments/enrole/META-INF/
      where $WAS_HOME is the directory where WebSphere Application Server is installed and cellname is the name of the cell.
   b. Add the following lines to the was.policy file:

      grant codeBase "file:$application" {
        permission java.security.AllPermission;
      };

      where application is the name of the Web application that the policy refers to.
      Note that java.security.AllPermission exempts the Sample's code base from every Java 2 security check; once the Sample is running, narrow this grant to the permissions it actually needs rather than leaving it in place in production.
4. Re-enable Security in WebSphere Application Server using the WebSphere Administrative Console. Refer to the Administrative Console documentation for instructions.
Installation methods

You can use one of the following options for installing the Sample:
• Basic installation using the Provisioning Fast Start Installer
• Installation on a system where Tivoli Identity Manager is not installed
• Installation in a clustered environment

Choose the method that is appropriate for your environment.

Basic installation using the Provisioning Fast Start Installer

Installation of the Web Application Sample is provided through an EAR file that is embedded in the Provisioning Fast Start Installer. See Chapter 2, “Installing the Provisioning Fast Start collection,” on page 5 for more information. If you have used this basic installation method, the Web Application Sample is uninstalled when the Provisioning Fast Start collection is uninstalled. See “Uninstalling” on page 15 for details.

Note: When you run the Installer, the password that is set in the Tivoli Identity Manager enrole.appServer.ejbuser.credentials property is copied into the properties file for the Sample. However, if you have used the runConfig command in Tivoli Identity Manager to encrypt the password, the Sample cannot use it. In this case, you need to add the unencrypted password to the properties file for the Sample manually, as follows:

1. After running the Installer, open the itim_expi.properties file in a text editor.
2. For the value of the platform.credentials property, type the enRole password that is specified in the enrole.appServer.ejbuser.credentials property of the enrole.properties file.
3. Save and close the file. Because the file now holds the cleartext password of a privileged Tivoli Identity Manager user, make sure it is readable only by the account that WebSphere Application Server runs as.
4. Use the WebSphere Administrative Console to stop and start itim_expi.ear.
Installation where Tivoli Identity Manager is not installed

To install the Web Application Sample on a system on which Tivoli Identity Manager is not installed, follow the instructions in Chapter 2, “Installing the Provisioning Fast Start collection,” on page 5. Then, when the installation is complete, you must:

1. Copy the Tivoli Identity Manager API JAR files from a system where Tivoli Identity Manager is installed to the system where the Sample Web Application is installed. The JAR files are located in the Tivoli Identity Manager EAR directory under $WAS_HOME/AppServer/InstalledApps/enRole.ear/ (where $WAS_HOME is the directory where WebSphere Application Server is installed). The following JAR files must be copied:
   • api_ejb.jar
   • itim_api.jar
   • ldapjdk.jar
2. Place these JAR files on the system where the Web Application Sample is installed under $WAS_HOME/AppServer/InstalledApps/itim_expi.ear/itim_expi.war/WEB-INF/lib (where $WAS_HOME is the directory where WebSphere Application Server is installed).
3. Copy the file itim_expi.properties from itim_expi.ear/itim_expi.war/WEB-INF/lib to WebSphere/AppServer/properties.
4. Edit the itim_expi.properties file and set the key elements as follows:

   Tenant and tenant DN setup:
      tenantid=<your tenant ID>
      tenantdn=<your tenant DN>
   Default organization (root in Tivoli Identity Manager):
      default.org=root organization in Tivoli Identity Manager
   Application server:
      platform.url=iiop://host name of Tivoli Identity Manager server:port (URL where Tivoli Identity Manager is installed)
      platform.principal=EJB user name (default="rasweb")
      platform.credentials=EJB user credentials (default=<blank>)

   You can determine the values for these elements by looking at the corresponding values in the enrole.properties file, which is located in the $ITIM_HOME/data/ directory (where $ITIM_HOME is the directory where Tivoli Identity Manager is installed). The elements and corresponding values are described in the following table.

   Element in itim_expi.properties file   Corresponding value in the enrole.properties file

   tenantid
      Use the value of enrole.defaulttenant.id.
   tenantdn
      Use the value ’ou=tenantid’ combined with the value of enrole.ldapserver.root. For example, "tenantdn=ou=myco,dc=com".
   default.org
      Use ’ou=tenantid’.
   platform.url
      Use the URL for the Tivoli Identity Manager server with the port used by the WebSphere Server for IIOP.
   platform.principal
      Use the name of the user who has been assigned the ITIM_SYSTEM role. (Usually this value is the same as enrole.appServer.ejbuser.principal.)
   platform.credentials
      Use the password of the platform.principal user. (Usually this value is the same as enrole.appServer.ejbuser.credentials.)

   Note: If you have used the runConfig command in Tivoli Identity Manager to encrypt the password set in enrole.appServer.ejbuser.credentials, you need to add the unencrypted password manually as the value for the platform.credentials property.

   Following are example values for these key elements in the itim_expi.properties file:

   #------------------------------------------------------
   # Organizational information
   #------------------------------------------------------
   tenantid=myco
   tenantdn=ou=myco,dc=com
   default.org=ou=myco
   # Application Server
   platform.url=iiop://itimserver.myco.com:2809
   platform.principal=enroleUser
   platform.credentials=enroleUserPassword
Installation in a clustered environment

To install the Sample in a clustered environment:

1. Change the extension of the Provisioning Fast Start Installer to .jar.
2. Open the Installer file using an unzip utility (such as WinZip) and extract the itim_expi.ear file.
3. On the Network Deployment Manager, use WebSphere to manually install the EAR file on the cluster or on a single node:
   • If Tivoli Identity Manager is deployed using the "regular cluster" model, install the Sample on the same cluster.
   • If Tivoli Identity Manager is deployed using the "functional cluster" model, install the Sample on the Tivoli Identity Manager user interface cluster.
   Use the WebSphere Administrative Console to install the EAR manually. See the Administrative Console documentation for instructions.
4. Copy the following JAR files from a Tivoli Identity Manager server to itim_expi.ear/itim_expi.war/WEB-INF/lib on the WebSphere Application Server (appserver), on all application servers that are members of the cluster:
   • itim_api.jar
   • ldapjdk.jar
   • api_ejb.jar
5. Copy the file itim_expi.properties from itim_expi.ear/itim_expi.war/WEB-INF/lib to WebSphere/AppServer/properties on all application servers that are members of the cluster.
6. Edit the itim_expi.properties file and set the key elements as follows:

   Tenant and tenant DN setup:
      tenantid=<your tenant ID>
      tenantdn=<your tenant DN>
   Default organization (root in Tivoli Identity Manager):
      default.org=root organization in Tivoli Identity Manager
   Application server:
      platform.url=iiop://host name of Tivoli Identity Manager server:port/cell/clusters/cluster_name (URL where Tivoli Identity Manager is installed)
      platform.principal=EJB user name (default="rasweb")
      platform.credentials=EJB user credentials (default=<blank>)

   You can determine the values for these elements by looking at the corresponding values in the enrole.properties file, which is located in the $ITIM_HOME/data/ directory (where $ITIM_HOME is the directory where Tivoli Identity Manager is installed). The elements and corresponding values are described in the following table.

   Element in itim_expi.properties file   Corresponding value in the enrole.properties file

   tenantid
      Use the value of enrole.defaulttenant.id.
   tenantdn
      Use the value ’ou=tenantid’ combined with the value of enrole.ldapserver.root. For example, "tenantdn=ou=myco,dc=com".
   default.org
      Use ’ou=tenantid’.
   platform.url
      Use the URL for the Tivoli Identity Manager server with the port used by the WebSphere Server for IIOP.
   platform.principal
      Use the name of the user who has been assigned the ITIM_SYSTEM role. (Usually this value is the same as enrole.appServer.ejbuser.principal.)
   platform.credentials
      Use the password of the platform.principal user. (Usually this value is the same as enrole.appServer.ejbuser.credentials.)

   Following are example values for these key elements in the itim_expi.properties file:

   #------------------------------------------------------
   # Organizational information
   #------------------------------------------------------
   tenantid=myco
   tenantdn=ou=myco,dc=com
   default.org=ou=myco
   # Application Server
   platform.url=iiop://itimserver.myco.com:2809/cell/clusters/ITIM-UI-CLUSTER
   platform.principal=enroleUser
   platform.credentials=enroleUserPassword

7. Start the itim_expi application using the WebSphere Administrative Console.
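The following is an added example, not part of the Provisioning Fast Start Installer, that applies the derivation rules from the two tables above (the standalone installation and the clustered installation) to a copy of enrole.properties and writes the resulting itim_expi.properties with file permissions that keep the cleartext platform.credentials value private. The enrole.properties excerpt is constructed sample data; the host name, IIOP port and cluster name are parameters you supply; and the example cannot tell whether runConfig has encrypted the credentials value, so that check remains manual.

```python
"""Derive the key itim_expi.properties values from enrole.properties and
write them out with restrictive permissions.  Added example, not code
from the Provisioning Fast Start Installer.  The enrole.properties text
is a constructed excerpt; host, port and cluster name are supplied by
the caller."""
import os

# Constructed excerpt of $ITIM_HOME/data/enrole.properties.  The
# continuation line is deliberate, to exercise the parser.
SAMPLE_ENROLE_PROPERTIES = """\
# constructed excerpt; not a real installation
enrole.defaulttenant.id=myco
enrole.ldapserver.root=\\
    dc=com
enrole.appServer.ejbuser.principal=enroleUser
enrole.appServer.ejbuser.credentials=enroleUserPassword
"""


def parse_properties(text):
    """Minimal reader for Java .properties files: '#'/'!' comments, '=' or
    ':' separators, and backslash line continuations.  Escaped separators
    and unicode escapes are not handled."""
    props, logical = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not logical and (not line or line[0] in "#!"):
            continue
        logical.append(line)
        if line.endswith("\\"):          # continued on the next line
            logical[-1] = line[:-1]
            continue
        joined = "".join(logical)
        logical = []
        seps = [i for i in (joined.find("="), joined.find(":")) if i >= 0]
        cut = min(seps) if seps else len(joined)
        props[joined[:cut].strip()] = joined[cut + 1:].strip()
    return props


def derive_expi_properties(enrole, itim_host, iiop_port, cluster_name=None):
    """Apply the table rules: tenantdn = ou=<tenantid>,<ldap root>,
    default.org = ou=<tenantid>, principal/credentials from the EJB user."""
    tenantid = enrole["enrole.defaulttenant.id"]
    url = f"iiop://{itim_host}:{iiop_port}"
    if cluster_name:                     # clustered install: address the cluster
        url += f"/cell/clusters/{cluster_name}"
    return {
        "tenantid": tenantid,
        "tenantdn": f"ou={tenantid},{enrole['enrole.ldapserver.root']}",
        "default.org": f"ou={tenantid}",
        "platform.url": url,
        "platform.principal": enrole["enrole.appServer.ejbuser.principal"],
        "platform.credentials": enrole["enrole.appServer.ejbuser.credentials"],
    }


def render_properties(props):
    """Lay the values out in the same shape as the guide's example file."""
    lines = ["#------------------------------------------------------",
             "# Organizational information",
             "#------------------------------------------------------"]
    lines += [f"{k}={props[k]}" for k in ("tenantid", "tenantdn", "default.org")]
    lines.append("# Application Server")
    lines += [f"{k}={props[k]}" for k in
              ("platform.url", "platform.principal", "platform.credentials")]
    return "\n".join(lines) + "\n"


def write_properties(path, props):
    """The file carries the cleartext password of an ITIM_SYSTEM user, so it
    is created readable only by the account WebSphere runs as (mode 0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(render_properties(props))


if __name__ == "__main__":
    enrole = parse_properties(SAMPLE_ENROLE_PROPERTIES)
    print(render_properties(derive_expi_properties(
        enrole, "itimserver.myco.com", 2809, "ITIM-UI-CLUSTER")))
```

Run against the constructed excerpt with no cluster name, the output is exactly the standalone example file shown above; with cluster_name set, platform.url carries the /cell/clusters/... suffix from the clustered example. In a cluster the file must be written on every member, and each copy needs the same permission handling.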
Configuration

The following functions (and their related JSPs and corresponding servlets) were installed during the installation of the Sample:
• Logon
• Main (Home)
• Change Password
• Forgot My Password (using Challenge Response)
• Self-Care
• Self-Registration
• Application Subscription
• Set Challenge Response
• Logout

This section describes the configuration performed by the Installer and any additional configuration you need to make if you did not install the Sample using the Installer.

All of the properties that you need to configure for these functions are stored in the properties file, itim_expi.properties, which was installed in the /WebSphere/Appserver/properties directory. (This directory is part of the standard CLASSPATH, which is used to find the properties file.) The properties file contains:
• Properties for the following functions:
  – Change password
  – Forgot my password
  – Self-care
  – Self-registration
• The names of the URLs (JSPs) for each of the pages. For example:
  logonpage=expilogon.jsp
  homepage=home.html
  challengeresponseanswer=cranswer.html
  changepassword=changepassword.jsp
• Attributes for Tivoli Access Manager groups and application names.
• Attributes for enabling the Sample for use with WebSEAL and Tivoli Identity Manager.
• Comments to help you understand the properties and what they configure.

The properties file is a plain text file; use a text editor to change the properties it contains. After making changes to the properties file, use the WebSphere Administrative Console to stop and start itim_expi.ear.

Ensuring proper access to the JSPs

Several of the pages require the user to be authenticated:
• Change Password
• Self-Care
• Main page
• Challenge/Response
• Logout

Unauthenticated access is sufficient for the following pages:
• Logon
• Self-Registration
• Forgot My Password

Configuring notification in Tivoli Identity Manager

You might want to change the notification that users receive from Tivoli Identity Manager so that it contains the URL of the Sample's logon page. To change the notification:

1. Edit the notifytemplate.html file in the $ITIM_HOME/data/workflow_systemprocess directory.
2. Replace the URL in the template with the URL of the logon page that you are using for this Sample.
3. Save and close the file.
4. Stop and then restart Tivoli Identity Manager.
Configuring the Logon function

The files associated with the Logon function are:
   JSP: logon.jsp
   Servlet: logonServlet.java

The Logon function supports two types of authentication:
• User ID and password.
• Single sign-on through WebSEAL. (This function requires that single sign-on is enabled in Tivoli Identity Manager. For more information, see Chapter 4, “Configuring Tivoli Identity Manager for single sign-on with WebSEAL,” on page 21.)

When you ran the Installer, the ssoenabled attribute in the itim_expi.properties file was set to one of the following values. If you did not run the Installer, you can set this attribute by editing the properties file.
• To use user ID and password authentication, the attribute must be set to false. The Logon function uses JAAS to authenticate to Tivoli Identity Manager.
• To use SSO from WebSEAL, the attribute must be set to true. The authentication is performed by WebSEAL, and the Logon servlet looks in the request header for the value specified for iv-user. Because the servlet trusts this header, make sure the application server cannot be reached except through the WebSEAL junction; a client that can connect to WebSphere Application Server directly could supply an iv-user header of its own choosing. In addition, you should not use the Change Password function in the Sample. Instead, use the Reverse Password Synchronization agent and the WebSEAL change password function. For more information, see “Configuring Password functions.”

The Logon page also provides links to the following other pages in the Sample:
• Change Password
• Forgot My Password
• Self-Registration
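The following is an added example, not the Sample's own logon servlet, that shows the decision the Logon function has to make for each of the two ssoenabled settings described above: with ssoenabled=false, verify the submitted user ID and password and ignore any iv-user header; with ssoenabled=true, take the user name from the iv-user header that WebSEAL supplies. Two things here go beyond what the guide states and are assumptions of this example: that a trusted iv-user header may only arrive from the addresses of the WebSEAL junction hosts, and that WebSEAL reports an unauthenticated session as the user name "Unauthenticated". The account table standing in for the JAAS login is constructed sample data.

```python
"""Resolve the principal of a logon request for the two ssoenabled modes.
Added example, not the Web Application Sample's code.  The trusted
source-address check and the "Unauthenticated" marker are assumptions
of this example; the account table is constructed sample data."""
import hmac
import ipaddress

WEBSEAL_UNAUTHENTICATED = "Unauthenticated"   # assumed WebSEAL marker

# Constructed stand-in for the Tivoli Identity Manager accounts that the
# Sample would verify through JAAS.
SAMPLE_TIM_ACCOUNTS = {"jdoe": "Passw0rd!", "asmith": "s3cret-Value"}


def check_tim_password(user_id, password):
    """Stand-in for the JAAS login: constant-time comparison, and an
    unknown user is rejected without revealing that it is unknown."""
    expected = SAMPLE_TIM_ACCOUNTS.get(user_id, "")
    return hmac.compare_digest(expected.encode(), password.encode()) and user_id in SAMPLE_TIM_ACCOUNTS


def trusted_nets(cidrs):
    """Networks from which a WebSEAL junction request may originate."""
    return [ipaddress.ip_network(c) for c in cidrs]


def resolve_principal(headers, remote_addr, ssoenabled, webseal_nets,
                      credentials=None, verify=check_tim_password):
    """Return (user_id, reason); user_id is None when logon must be refused."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if not ssoenabled:
        # User ID and password mode: an iv-user header, if present, is
        # ignored rather than honoured.
        if not credentials:
            return None, "user ID and password required"
        user_id, password = credentials
        if not verify(user_id, password):
            return None, "user ID or password rejected by Tivoli Identity Manager"
        return user_id, "form"
    # SSO mode: WebSEAL already authenticated the user, but the header only
    # means something if the request really came through the junction.
    source = ipaddress.ip_address(remote_addr)
    if not any(source in net for net in webseal_nets):
        return None, "iv-user ignored: request did not arrive from a WebSEAL junction"
    user_id = hdrs.get("iv-user", "").strip()
    if not user_id or user_id == WEBSEAL_UNAUTHENTICATED:
        return None, "no authenticated WebSEAL session"
    return user_id, "sso"


if __name__ == "__main__":
    nets = trusted_nets(["10.0.1.0/24"])
    print(resolve_principal({"iv-user": "jdoe"}, "10.0.1.5", True, nets))
    print(resolve_principal({"iv-user": "jdoe"}, "203.0.113.9", True, nets))
    print(resolve_principal({"iv-user": "admin"}, "10.0.1.5", False, nets,
                            ("jdoe", "Passw0rd!")))
```

The second call in the demonstration is the case the caveat above is about: the same header, arriving from an address that is not a WebSEAL junction host, is not honoured. Network-level restriction of the application server to the junction hosts is the real control; the address check in the servlet is a second line of defence, not a substitute.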
Configuring the Main (Home) page

The files associated with the Main (Home) page are:
   JSP: main.jsp
   Servlet: main.java

This Main page is referred to as the "Home page" on other JSPs. It is a simple JSP that functions as a "Welcome" page in the Sample and contains links to other JSPs in the Sample:
• Self-care page
• Change password page
• Logout page
• Application Subscription page (if you have Tivoli Access Manager configured)

You can add other links to this page to fit your needs. However, no other configuration is required.
Configuring Password functions

Before you configure the Change Password function or the Forgot My Password function, consider the following password management practices that relate to the use of the Sample in an integrated environment:

• Password strength rules

  Make sure the password strength rules (which are part of the password policy) match in both Tivoli Identity Manager and Tivoli Access Manager. To ensure that these rules match, consider the following:
  – Password rules are not configured in Tivoli Identity Manager by default. However, they are configured by default in Tivoli Access Manager. If you use Tivoli Identity Manager APIs to change the user’s Tivoli Access Manager password without making sure the password rules match, the password change might succeed in Tivoli Identity Manager but fail in Tivoli Access Manager.
  – If you are using a WebSEAL environment and you do not want to maintain two sets of rules (one in Tivoli Identity Manager and one in Tivoli Access Manager), you can turn off the password rules in Tivoli Access Manager, provided that you can ensure that users can change their passwords only through the Reverse Password Synchronization for Tivoli Access Manager WebSEAL agent (if you are using WebSEAL) or through Tivoli Identity Manager (if you are not using WebSEAL). The Reverse Password Synchronization agent checks the password against the Tivoli Identity Manager password rules. The Reverse Password Synchronization agent is available in the Tivoli Access Manager agent package. Contact your IBM account representative for more information.

• Password synchronization

  Tivoli Identity Manager and Tivoli Access Manager account passwords should be synchronized at all times. To ensure this synchronization:
  – Enable password synchronization in Tivoli Identity Manager. Refer to the "Configuration Properties" chapter in the IBM Tivoli Identity Manager Policy and Organization Administration Guide. In the Sample, the Tivoli Identity Manager APIs that are used to change a user’s password check the Tivoli Identity Manager configuration to determine whether to change all of the user’s passwords or only the Tivoli Identity Manager password.
  – Keep in mind that if you configure the Sample for use with single sign-on, the user signs on with the password for the Tivoli Access Manager account; however, the Tivoli Identity Manager APIs that are used to change the user’s password require the password for the Tivoli Identity Manager account.
  – Ensure that the passwords generated for new Tivoli Identity Manager accounts and new Tivoli Access Manager accounts are the same. Refer to “Synchronizing passwords when using single sign-on with Self-Registration” on page 60 for more information.

• Special considerations about using the Password functions in a WebSEAL single sign-on environment

  If you will be using this Sample in a WebSEAL single sign-on environment, install and configure the Reverse Password Synchronization agent for Tivoli Access Manager WebSEAL on the Tivoli Identity Manager server. (Contact your IBM representative for information about obtaining this agent.) After you have installed this agent, be aware of the following considerations:
  – Users should change their passwords through WebSEAL instead of through the Change Password function in this Sample.
  – After users request that their password be changed, the Reverse Password Synchronization agent checks the newly chosen password against the Tivoli Identity Manager password strength rules before it makes the change.
  – In Tivoli Identity Manager version 4.5, password rules override the provisioning policy when generating passwords for new accounts. This situation can cause problems in integrated environments when single sign-on is used. For example, if you have configured the provisioning policy so that it sets a user’s Tivoli Identity Manager and Tivoli Access Manager passwords to secret, and you do not have any Tivoli Identity Manager password rules enabled, then the Tivoli Identity Manager and Tivoli Access Manager accounts are created with a password of secret, as expected. However, if you then define a password policy with any rules, the accounts are no longer created with secret; instead, the Tivoli Identity Manager and Tivoli Access Manager account passwords are set to different, randomly generated passwords. In a non-production environment, you could work around this situation by not defining password rules in Tivoli Identity Manager and setting the password for the Tivoli Identity Manager and Tivoli Access Manager accounts to a constant value. (This method is described in “Synchronizing passwords when using single sign-on with Self-Registration” on page 60.) Another way to work around this situation is to force users to change their passwords at initial login, and to ensure that users can change their password only through WebSEAL with the Reverse Password Synchronization agent installed; that is, they do not use Tivoli Identity Manager or the Sample Change Password function to change their password.
    Additionally, keep in mind that users receive an e-mail when their Tivoli Identity Manager and Tivoli Access Manager accounts are created (they receive a separate e-mail for each account). If the passwords for each account are different, users might be confused as to which password to use when logging on. Tivoli Identity Manager can be customized so that it sends e-mail only when the Tivoli Access Manager account is created; however, this customization involves writing a custom workflow. See the
IBM
Tivoli
Identity
Manager
Policy
and
Organization
Administration
Guide
for
information
on
workflows.
Configuring the Change Password function
The files associated with the Change Password function are:
JSPs: changepwd.jsp, changepwdinfo.jsp, pwdrulesinfo.jsp, selfchangepwd.jsp, selfchangepwdinfo.jsp
Servlet: ChangePasswordServlet.java
This function enables users to change or reset their passwords. This function can be used in the Sample in two ways:
• Change My Password link on the Logon page: This enables users to quickly change their password without having to log on to the application, or to change their password if it has expired.
• Change My Password link on the Main (Home) page: This enables users to change their password after they have logged on to the application.
Note: If you are using WebSEAL, there are additional considerations you need to make. For example, users should change their passwords through the WebSEAL interface instead of using the Change Password page in the Sample. For more information, see “Configuring Password functions” on page 55 and “Configuring the Sample for use with WebSEAL single sign-on” on page 66.
The configuration needed for this function is described in the following sections.
Configuring which password will be changed:
When you ran the Installer, you configured the servlet so that the user’s password change affects either:
• Only the Tivoli Identity Manager password
• All of the passwords that the user is allowed to change
However, if you didn’t run the Installer or you want to change the settings you selected, you can use a text editor and change the value of the changeonlytimpassword attribute in the itim_expi.properties file. Setting the attribute to true means that only the Tivoli Identity Manager password will be changed. Setting it to false means that all of the passwords that a user is allowed to change will be set to the new password.
Note: If you set this attribute to false, you must also change a setting in the Tivoli Identity Manager server as follows:
1. Log in to the Tivoli Identity Manager interface.
2. Click the Configuration tab.
3. Select the Enable password synchronization box. (The box is not selected by default.)
Chapter 6. Creating a Web interface for user self-management 57
Creating ACI for the Change Password function:
An Account ACI is required to allow users to change all of their account passwords except for the Tivoli Identity Manager account password. If the ACI is not created, then users will be able to change only their Tivoli Identity Manager account password, even if password synchronization is enabled in Tivoli Identity Manager and the changeOnlyTimPassword attribute in the itim_expi.properties file is set to false. The ACI is created using the Tivoli Identity Manager GUI as follows:
1. From My Organization, select Control Access.
2. Click Add.
3. Select Account (then select PD Account, if you have more than one set of accounts configured).
4. Click Continue.
5. Enter an ACI name (for example, EXPI — Account ACI — Password) and select Sub-tree for ease of use.
6. Select Attribute Permissions and, at a minimum, grant Read and Write privileges for Password.
7. Click Continue.
8. Grant Search and Modify Operation privileges.
9. Click Submit.
Configuring the Forgot My Password function
The files associated with the Forgot My Password function are:
JSPs: forgotpwd.jsp, forgotpwdinfo.jsp
Servlet: ForgotPasswordServlet.java
This function enables users who have forgotten their password to reset it. The password is generated by Tivoli Identity Manager using the password rules that are defined for the user’s accounts or, if no password rules are defined, using the built-in rules in Tivoli Identity Manager. The newly generated password is either displayed on the screen or sent to the users at their address of record (based on the configuration of properties as described in “Configuring the Forgot My Password properties” on page 59).
In a WebSEAL environment, you can use the Forgot My Password function by changing the WebSEAL login page to include a link that points to the URL where this page is located in the Sample.
Enabling and configuring the challenge response settings in Tivoli Identity Manager:
The settings for the Forgot My Password page depend on the configuration of the challenge response settings in Tivoli Identity Manager. By default, Tivoli Identity Manager has the challenge response disabled. The Sample supports challenge response with the challenge definition mode set to ADMIN-DEFINED and the Admin challenge mode set to PRE-DEFINED. Therefore, before configuring or using the Forgot My Password page in this Sample, you need to complete the following steps:
1. Enable the challenge response as described in the IBM Tivoli Identity Manager Policy and Organization Administration Guide.
2. Set the challenge definition mode to ADMIN-DEFINED and define the challenges.
3. Set the admin challenge mode to PRE-DEFINED and define the challenges.
When you have completed these steps, you can configure the Forgot My Password properties as described in “Configuring the Forgot My Password properties.”
Configuring the Forgot My Password properties:
The Installer lets you configure the properties for the Forgot My Password function during the configuration phase of the installation. However, if you didn’t run the Installer or if you want to change your selections, you can modify the properties in the itim_expi.properties file. The properties are as follows:
• displaypassword - This property specifies whether the new password is displayed on the screen or e-mailed to the user. If the value is true, the newly generated password is displayed to the user on successful completion of the Challenge/Response. If the value is false, the newly generated password is e-mailed to the user on successful completion of the Challenge/Response.
• changeonlytimpassword - This property specifies whether to change only the Tivoli Identity Manager password on successful completion of the Challenge/Response. If the value is true, only the Tivoli Identity Manager password will be changed. If the value is false, all of the passwords that a user is allowed to change will be set to the new password.
Creating ACI for the Forgot My Password function:
An Account ACI is required to allow users to change all of their account passwords except for the Tivoli Identity Manager account password. If the ACI is not created, then users will be able to change only their Tivoli Identity Manager account password, even if password synchronization is enabled in Tivoli Identity Manager and the changeonlytimpassword attribute in the itim_expi.properties file is set to false. The ACI is created using the Tivoli Identity Manager GUI as follows:
1. From My Organization, select Control Access.
2. Click Add.
3. Select Account (then select the Tivoli Access Manager account, if you have more than one set of accounts configured).
4. Click Continue.
5. Enter an ACI name (for example, EXPI — Account ACI — Password) and select Sub-tree for ease of use.
6. Select Attribute Permissions and, at a minimum, grant Read and Write privileges for Password.
7. Click Continue.
8. Grant Search and Modify Operation privileges.
9. Click Submit.
Configuring the Self-Registration function
The files associated with the Self-Registration function are:
JSPs: selfregister.jsp, selfregsub.jsp
Servlets: registerServlet.java
This function enables a user to “register as a new user.” When a user self-registers, a Tivoli Identity Manager Person is created along with any automatic entitlements specified in the provisioning policy. This capability is dependent on the Tivoli Identity Manager configuration and might be different for each installation. (See “Adding auto-provisioning for Tivoli Identity Manager accounts” and “Adding auto-provisioning for Tivoli Access Manager accounts” on page 62 for more information about provisioning configurations.)
As part of this function, the JSP displays a form that asks the user to provide a minimal set of data that is needed to create a Person record in Tivoli Identity Manager. The user ID and password for the user are generated automatically, and at the user’s next login attempt the user will be prompted to configure the Challenge/Response answers. After the Person record has been created in Tivoli Identity Manager, the users receive an e-mail informing them of the success or failure of their self-registration request.
Because self-registration affects settings in both Tivoli Identity Manager and Tivoli Access Manager, additional configuration is required. Refer to the sections below for more information.
Synchronizing passwords when using single sign-on with Self-Registration
Note: Before modifying any functions related to passwords, be sure to review the information in “Configuring Password functions” on page 55. In addition, because the following instructions are related to single sign-on with WebSEAL, you should also review the information in “Configuring the Sample for use with WebSEAL single sign-on” on page 66.
If you are using single sign-on with WebSEAL in the Sample along with Self-Registration, you need to make sure that the passwords for the Tivoli Identity Manager account and the Tivoli Access Manager account are always synchronized, especially when they are generated during Self-Registration. One way to keep the passwords synchronized is to set the password value in the provisioning policy for the Tivoli Identity Manager account and the Tivoli Access Manager account to a constant value.
Attention: The following procedure introduces a security risk and should not be used in a production environment. In a production environment, use JavaScript to create an algorithm that will generate the passwords so that they are both the same.
Using the Tivoli Identity Manager interface:
1. Click Provisioning in the Main Menu Navigation Bar.
2. Navigate through the Organization Tree and click the name of the branch in which the desired Provisioning Policy is located.
3. Click Define Provisioning Policies in the task bar. The Provisioning Policies list page opens.
4. Click the name of the Provisioning Policy you want to modify.
5. Click the Entitlements tab.
6. Click the Tivoli Identity Manager service.
7. Click the Get Detail link next to the Advanced Provisioning Parameter List.
8. Click Add.
9. Select the box next to Password and then click Add.
10. Type in a constant value that meets the password rules for the accounts that will use this provisioning policy.
11. Submit the changes by clicking the Submit button on each open panel.
12. Repeat the steps for the Tivoli Access Manager provisioning policy. Click Define Provisioning Policies in the task bar. The Provisioning Policies list page opens.
13. Click the name of the Provisioning Policy you want to modify.
14. Click the Entitlements tab.
15. Click the Tivoli Access Manager service.
16. Click the Get Detail link next to the Advanced Provisioning Parameter List.
17. Click Add.
18. Select the box next to Password and then click Add.
19. Type in a constant value that meets the password rules for the accounts that will use this provisioning policy.
20. Submit the changes by clicking the Submit button on each open panel.
After the initial creation of the password during Self-Registration, you can force the users to change their passwords at the next login. To set the “forced” password change, you will need to set two properties:
• Change Password at Next Login (in the Tivoli Identity Manager provisioning policy)
• ertam4expirepass (in the Tivoli Identity Manager provisioning policy)
Use the procedure for modifying provisioning policies in the IBM Tivoli Identity Manager Policy and Organization Administration Guide.
Creating a Location object in Tivoli Identity Manager for Self-Registration
A Location object must be created somewhere in the Tivoli Identity Manager organization tree and specified in the itim_expi.properties file. The Location object, represented by the LDAP attribute l, is used in the workflow mechanisms of Tivoli Identity Manager to place the self-registered person object somewhere in the organization tree. By default, the pages are configured with the Location object name set to selfregisterhere. To use the default name, use the Tivoli Identity Manager interface to create a Location=selfregisterhere somewhere in your organization tree, and all self-registered users will be placed there. If you created a different Location object in Tivoli Identity Manager, change the itim_expi.properties file so that the location matches.
Below is an excerpt of the settings in the properties file that affect the self-registration process.
#------------------------------------------------------
# Self-Registration specific information
# - l = an LDAP attribute that represents a location reference
#   in the attribute Person object. (this must match
#   the attribute that is configured in the WorkFlow for
#   LOCATIONSEARCH - the default name of a workflow script
#   in the selfRegister entity object).
# - org = the name of the Location object created in ITIM
#   where the self-registered users will be placed
#   by default.
#------------------------------------------------------
orgContainer.selfregister.location.attr=l
orgContainer.selfregister.location.org=selfregisterhere
Adding auto-provisioning for Tivoli Identity Manager accounts
Auto-provisioning is required to create Tivoli Identity Manager accounts for every Person object created through Self-Registration; this allows the newly created user to log on to Tivoli Identity Manager (either directly or through the Sample logon page). By default, the Tivoli Identity Manager provisioning policy for Tivoli Identity Manager accounts is set to manual. Two options exist for getting the Samples configured and running quickly:
• Modify the default Tivoli Identity Manager provisioning policy to create Tivoli Identity Manager accounts automatically.
• Create a new Tivoli Identity Manager provisioning policy (at the appropriate organization level in the tree) that will automatically provision Tivoli Identity Manager accounts.
Adding auto-provisioning for Tivoli Access Manager accounts
Auto-provisioning is set up for Tivoli Access Manager accounts in Tivoli Identity Manager only if it is enabled in the provisioning policy. If you selected Access Manager service and provisioning policy when you ran the Installer (as described in Chapter 3, “Creating a Tivoli Access Manager service and default provisioning policy,” on page 17), you specified a setting for auto-provisioning during the configuration portion of the installation. If you created the provisioning policy without using the Installer, refer to the IBM Tivoli Identity Manager Policy and Organization Administration Guide for instructions on enabling auto-provisioning.
Configuring the Self-Care function
The files associated with the Self-Care function are:
JSPs: selfcare.jsp, selfcaresub.jsp
Servlets: selfCareServlet.java
The self-care function enables users to manage the personal data in their Person object. For example, the self-care page could enable users to update their phone numbers or office location in their person definition. This personal data is part of the properties in a user’s Person object in Tivoli Identity Manager. Tivoli Identity Manager uses the Access Control Information that is set for this page to determine if a user can access these properties. In addition, you can customize the set of properties that is displayed on this page.
Configuring properties for Self-Care
Many Person properties are available in Tivoli Identity Manager. However, in a self-care scenario, you might want to limit the properties that a user can manage to a subset of the available properties from Tivoli Identity Manager. The set of properties to be managed is contained in the itim_expi.properties file. The properties file defines the label of the attribute, the exact name as found in Tivoli Identity Manager, and the verbose description of the text for the attribute.
Creating ACI for Self-Care
A Person ACI must be created using the Tivoli Identity Manager GUI to allow for searching and modifying of the properties that users can access through self-care. The Person object must have access to all the properties exposed to the user through the Sample Servlets and defined in the itim_expi.properties file. At a minimum, the ACI must provide Read and Write access for all properties being manipulated by the Self-Care portion of the Samples. Use the “My Organization” and “Control Access” tasks in the Tivoli Identity Manager graphical user interface to create an ACI for Person objects that grants read/write access to person properties. The ACI is created using the Tivoli Identity Manager GUI in the following manner:
1. From My Organization, select Control Access.
2. Click Add.
3. Select Person (then select PD Account, if you have more than one set of accounts configured).
4. Click Continue.
5. Enter an ACI name (for example, EXPI — Person ACI — Self-Care) and select Sub-tree for ease of use.
6. Select Attribute Permissions and, at a minimum, grant Read and Write privileges for person properties.
7. Click Continue.
8. Grant Search and Modify Operation privileges.
9. Click Submit.
Configuring the Application Subscription function
The files associated with the Application Subscription function are:
JSP: applications.jsp
Servlets: applicationServlet.java
This function enables users to request access to company applications that are managed through Tivoli Access Manager. The page is designed for you to add a checklist of applications to the JSP so that users can select to request access to applications or can deselect to end their access.
Tivoli Access Manager controls access to company applications by preventing users from viewing an application if they do not have authorization. Typically, the Tivoli Access Manager access control lists (ACLs), which control access to the applications managed by Tivoli Access Manager, are defined using groups. Administrators can grant users access to an application by simply making the users members of the Tivoli Access Manager group used in the ACL. The Application Subscription page works by modifying the groups attribute of the user’s Tivoli Access Manager account based on the groups the user selects on the page.
Note: The JSP that is installed as part of the Sample does not automatically add the groups that are supported by Tivoli Access Manager. You must explicitly define and code them. The Application Subscription servlet includes commented code fragments to help you build the list of applications.
Configuring Tivoli Access Manager service name and service DN
The Groups and application names used in the Application Subscription JSP are defined in the itim_expi.properties file. The Subscribe to Applications link on the page is provided only when a Tivoli Access Manager service is found on the Tivoli Identity Manager server. The Tivoli Access Manager service is specified by the name and full distinguished name (DN) of that service. If a Tivoli Access Manager service is not found, the Subscribe to Applications link will not be displayed on the main page (main.jsp).
If the Tivoli Access Manager profile is installed prior to running the Tivoli Access Manager Provisioning Fast Start Installer, the application.service.name and application.service.dn properties will be set up automatically. (The profile is usually installed as part of the Tivoli Access Manager agent installation procedure.) If the profile was not installed before you ran the Installer, you must provide the information manually by modifying the properties file explicitly, as follows:
1. To obtain the application.service.name, use the Directory Management Tool or a similar LDAP browser to look up the appropriate object. For example, browse the Tivoli Identity Manager tree until you get to ou=services. The DN you will use immediately follows ou=services. The DN in the following example is identified in <erglobalid=[fully-qualified DN respective of the Tivoli Access Manager service]>:
<LDAP prefix – configured during ITIM install>
<erglobalid=000000000000000000>
<ou=services>
<erglobalid=[fully-qualified DN respective of the Tivoli Access Manager service]>
2. Open the itim_expi.properties using a text editor.
3. Specify the name of the Tivoli Access Manager service for the following attribute:
application.service.name=name_of_the_service
4. Specify the DN for the Tivoli Access Manager service for the following attribute:
application.service.dn=name_of_the_DN
5. Make sure the following attribute and value are specified:
application.service.attribute=ertamgroupmember
6. Add a list of reference names for the properties that will contain the name of the application (verbose) description that is displayed in the application.jsp. This list will also identify the groups that the description corresponds to:
application.list=group1,group2,group3,group4
Application Names:
application.group1.name=Expi_Application_1
application.group2.name=Expi_Application_2
application.group3.name=Expi_Application_3
application.group4.name=Expi_Application_4
7. Add a list of references to the Tivoli Access Manager groups that correspond to the equivalent Application Names specified in the previous step.
Note: These groups must already exist in Tivoli Access Manager.
application.group1.dn=tamgrp1
application.group2.dn=tamgrp2
application.group3.dn=tamgrp3
application.group4.dn=tamgrp4
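The itim_expi.properties settings described here and under “Configuring the Forgot My Password properties” can be sanity-checked offline before the Sample is deployed. The checker below is an added example, not code from the guide or from the Sample: the property names are the ones the guide shows, the file content and the service DN are constructed placeholders, and the finding codes are this example’s own.

```python
# Added example, not code from the IBM guide: a consistency checker for the Sample's
# itim_expi.properties. Property names are those the guide shows; the sample file
# content below is constructed for illustration (the DN is a placeholder).
from __future__ import annotations

SAMPLE_PROPERTIES = """\
# constructed sample itim_expi.properties fragment
displaypassword=true
changeonlytimpassword=false
ssoenabled=true
orgContainer.selfregister.location.attr=l
orgContainer.selfregister.location.org=selfregisterhere
application.service.name=TAM_Service
application.service.dn=erglobalid=PLACEHOLDER_SERVICE_ID,ou=services,erglobalid=00000000000000000000
application.service.attribute=ertamgroupmember
application.list=group1,group2,group3
application.group1.name=Expi_Application_1
application.group1.dn=tamgrp1
application.group2.name=Expi_Application_2
application.group3.dn=tamgrp3
"""


def parse_properties(text: str) -> dict[str, str]:
    """Parse the subset of Java .properties syntax the Sample file uses.

    Handles '#' / '!' comment lines, blank lines, 'key=value' and 'key: value';
    the first '=' or ':' on a line separates key from value, so a value may
    itself contain '=' (as a DN does). Keys are case-sensitive and kept verbatim.
    """
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        positions = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not positions:
            continue
        sep = min(positions)
        props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def is_true(value: str | None) -> bool:
    return (value or "").strip().lower() == "true"


def check_properties(props: dict[str, str]) -> list[tuple[str, str]]:
    """Return (code, detail) findings for the settings the guide describes."""
    findings: list[tuple[str, str]] = []

    # displaypassword=true shows the generated password in the browser, where it can
    # be observed or cached; the guide's alternative is e-mail delivery (false).
    if is_true(props.get("displaypassword")):
        findings.append(("DISPLAYPASSWORD_ON_SCREEN",
                         "generated password is displayed on screen; consider displaypassword=false"))

    # changeonlytimpassword=false changes every password the user may change, which
    # also requires password synchronization in TIM and the Account ACI for Password.
    if not is_true(props.get("changeonlytimpassword", "true")):
        findings.append(("CHANGEONLYTIMPASSWORD_NEEDS_SYNC",
                         "enable password synchronization in TIM and create the Account ACI"))

    # With WebSEAL SSO, password changes should go through WebSEAL and the
    # Reverse Password Synchronization agent, not the Sample's Change Password page.
    if is_true(props.get("ssoenabled")):
        findings.append(("SSO_CHANGE_PASSWORD_VIA_WEBSEAL",
                         "ssoenabled=true: route password changes through WebSEAL"))

    # Application Subscription: service name/DN, the membership attribute, and a
    # .name and .dn for every group listed in application.list.
    if props.get("application.service.attribute") != "ertamgroupmember":
        findings.append(("APPLICATION_SERVICE_ATTRIBUTE",
                         "application.service.attribute must be ertamgroupmember"))
    for key in ("application.service.name", "application.service.dn"):
        if not props.get(key):
            findings.append(("APPLICATION_SERVICE_MISSING", key))
    groups = [g.strip() for g in props.get("application.list", "").split(",") if g.strip()]
    for group in groups:
        for suffix in ("name", "dn"):
            key = f"application.{group}.{suffix}"
            if not props.get(key):
                findings.append(("APPLICATION_GROUP_MISSING", key))

    # Self-Registration: the Location attribute and Location object name must be set.
    for key in ("orgContainer.selfregister.location.attr",
                "orgContainer.selfregister.location.org"):
        if not props.get(key):
            findings.append(("SELFREGISTER_LOCATION_MISSING", key))
    return findings


def check_text(text: str) -> list[tuple[str, str]]:
    """Parse a properties file body and run the checks."""
    return check_properties(parse_properties(text))


if __name__ == "__main__":
    for code, detail in check_text(SAMPLE_PROPERTIES):
        print(f"{code}: {detail}")
```

Run against a real itim_expi.properties by passing its contents to check_text; the constructed sample deliberately omits application.group2.dn and application.group3.name to show how a half-configured group list is reported.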
Creating ACI for the Application Subscriptions function
An Account ACI is required to allow users to access the Applications (Tivoli Access Manager Groups) page. The Account ACI provides users access to the Tivoli Access Manager Account in Tivoli Identity Manager. If the ACI is not created, the Sample will not display the Subscribe to Applications link on the Main page. The ACI is created using the Tivoli Identity Manager GUI in the following manner:
1. From My Organization, select Control Access.
2. Click Add.
3. Select Account (then select PD Account, if you have more than one set of accounts configured).
4. Click Continue.
5. Enter an ACI name (for example, EXPI — Account ACI — Application Subscriptions) and select Sub-tree for ease of use.
6. Select Attribute Permissions and, at a minimum, grant Read and Write privileges for LDAP Group Memberships.
7. Click Continue.
8. Grant Search and Modify Operation privileges.
9. Click Submit.
This set of operations provides access to the Tivoli Access Manager accounts and specifically to the Application Subscriptions (Group attribute). When the operations are carried out and the user logs in to the system and has a Tivoli Access Manager account, the additional link (Subscribe To Applications) will appear on the Main page.
Configuring the Challenge/Response function
The files associated with the Challenge/Response function are:
JSPs: cranswers.jsp, cranswersinfo.jsp
Servlet: ChangeChallengeResponseServlet.java
The Challenge/Response page enables users to set the answers to the administrator-defined password challenges that are set in Tivoli Identity Manager. There is a link to this page from the Main page. The Main page displays a warning message if the user’s challenge/response answers need to be updated. The warning can occur when the challenge/response answers are not set by the user or if an administrator changed the challenge/response questions.
Configuring the Logout function
The files associated with the Logout function are:
JSP: logout.jsp
Servlet: None
This function enables the user to log out of the Sample application. The page can be configured to direct the user to a specific URL by default. The page is designed to be used in an environment that does not use single sign-on. If single sign-on is enabled to be used with the Sample, the logout.jsp calls the WebSEAL pkmslogout command. For more information about pkmslogout, refer to the IBM Tivoli Access Manager for e-business WebSEAL Administration Guide.
Configuring the Sample for use with WebSEAL single sign-on
Note: When using WebSEAL single sign-on with the Sample, be sure you are familiar with the information in “Configuring Password functions” on page 55 and in “Synchronizing passwords when using single sign-on with Self-Registration” on page 60.
When you run the Installer, you are asked to provide configuration information that can enable the Sample to be used with WebSEAL single sign-on (SSO). If you didn’t run the Installer or you want to change the setting, you can enable the Sample as follows:
1. Set the portal servlets to SSO mode, as follows:
a. Open the itim_expi.properties.
b. Change the ssoenabled setting to true. (The default is false.)
2. Enable single sign-on in WebSEAL as described in Chapter 4, “Configuring Tivoli Identity Manager for single sign-on with WebSEAL,” on page 21.
3. Configure the junctions in WebSEAL and provide a single sign-on logon page. (The logon page becomes part of the WebSEAL configuration.) You can use the Logon page provided with this sample, or you can use a custom logon page. See “Configuring WebSEAL login page” on page 67 for information.
For single sign-on support, Tivoli Identity Manager must also be configured appropriately. See Chapter 4, “Configuring Tivoli Identity Manager for single sign-on with WebSEAL,” on page 21 for more information.
Note: If you have configured single sign-on, you cannot log in to Tivoli Access Manager with the default Tivoli Identity Manager administrator ID, itim manager, because Tivoli Access Manager does not support user IDs that contain spaces. You can assign any Tivoli Access Manager user ID to the default itim manager administrator ID if you have configured the Tivoli Identity Manager properties file, enRoleAuthentication.properties, to enable an internal identity mapping algorithm. See “Tivoli Identity Manager properties files related to single sign-on” on page 22 for more information.
Converting Tivoli Access Manager IDs to Tivoli Identity Manager IDs
If all of the user IDs in the Tivoli Identity Manager and Tivoli Access Manager accounts are the same, conversion of IDs is not necessary. However, if the user IDs are not the same, WebSEAL users will use their Tivoli Access Manager user IDs to log in to WebSEAL, and the IDs will not be recognized by Tivoli Identity Manager. As a result, you will need to configure Tivoli Identity Manager so that it will convert the Tivoli Access Manager user ID into a Tivoli Identity Manager user ID.
Note: Do not perform this configuration if the user IDs in your integrated environment are the same. Performance could be adversely affected.
To configure Tivoli Identity Manager so that ID conversion is possible:
1. Open the enRoleAuthentication.properties file with a text editor.
2. Change the value for enrole.authentication.idsEqual to false.
3. Stop and then restart the Tivoli Identity Manager server.
Controlling access to the Sample through a WebSEAL junction
The following example shows how a WebSEAL junction is used to control access to the Sample in a single sign-on environment. Examples of protected and unprotected pages are shown below. A junction is created by the Installer if Single Sign-On Enablement in the Provisioning Fast Start Installer is installed. Use the pdadmin acl attach command to make the following attachments. Refer to the IBM Tivoli Access Manager for e-business Command Reference for details on using this command.
Attach the following object to the ItimProtected ACL:
/WebSEAL/junction_name/itim_expi/
Attach the following objects to the ItimUnprotected ACL:
/WebSEAL/webseal_server/junction_name/itim_expi/index.html
/WebSEAL/webseal_server/junction_name/itim_expi/ForgotPasswordServlet
/WebSEAL/webseal_server/junction_name/itim_expi/selfregister.jsp
/WebSEAL/webseal_server/junction_name/itim_expi/forgotpwd.jsp
/WebSEAL/webseal_server/junction_name/itim_expi/images
/WebSEAL/webseal_server/junction_name/itim_expi/css
/WebSEAL/webseal_server/junction_name/itim_expi/ssoerror.jsp
/WebSEAL/webseal_server/junction_name/itim_expi/registerServlet
/WebSEAL/webseal_server/junction_name/itim_expi/selfregsub.jsp
/WebSEAL/webseal_server/junction_name/itim_expi/selfchangepwd.jsp
/WebSEAL/webseal_server/junction_name/itim_expi/ChangePasswordServlet
/WebSEAL/webseal_server/junction_name/itim_expi/forgotpwdinfo.jsp
/WebSEAL/webseal_server/images
/WebSEAL/webseal_server/css
You can also create your own ACLs using pdadmin acl create and then attach these objects as appropriate. Refer to the IBM Tivoli Access Manager for e-business Command Reference for more information on using this command.
Configuring WebSEAL login page

The installation of the Sample installs a login page that can be used with WebSEAL along with all of the necessary supporting files (GIF, CSS, and so on). These files are provided in the itim_expi.ear in the WebSEAL directory.

To use the Sample WebSEAL login page:

1. Replace the WebSEAL login.html file where WebSEAL is installed (for example: /PDWeb/www-default/docs/) with the login.html file in the directory where the Sample is installed (for example: itim_expi.ear/itim_expi.war/WebSEAL/login.html).

Chapter 6. Creating a Web interface for user self-management 67

2. Edit the login.html file that you copied into the WebSEAL directory and replace all instances of JUNCTION_NAME in that file with the name of the WebSEAL junction you are using with the Sample.

3. Copy the following subdirectories into the directory where WebSEAL is installed:
   itim_expi.ear/itim_expi.war/WebSEAL/css
   itim_expi.ear/itim_expi.war/WebSEAL/images
   For example, in Windows, copy these directories to:
   C:\Program Files\Tivoli\PDWeb\www-default\docs\
   The contents of these directories are:
   css/* (directory containing Style Sheet data)
   css/imperative.css (style sheet used by the login.html and servlets)
   images/* (directory containing image files--gifs)
   images/welcome.gif
   images/ibm_banner.gif
   images/img_bkg.gif
   images/img_clear.gif
   images/logo.gif
   images/logo_tivoli.gif
   images/messages_background.gif
   images/message_error.gif
   images/message_information.gif
   images/message_warning.gif
   images/mosaic_banner.gif
   images/button_gradient.gif

4. Edit the webseald-default.conf file (in the directory where WebSEAL is installed), as follows:
   forms-auth = both
   ba-auth = none
   For information about these parameters and the configuration file, refer to the IBM Tivoli Access Manager for e-business WebSEAL Administration Guide.
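The four steps above as an added example, not code from the guide: a POSIX shell script that installs the Sample login page with the junction name substituted, copies css/ and images/, sets the two webseald-default.conf keys, and verifies the result. The fixture it builds is constructed for demonstration; the Sample directory, WebSEAL document root and configuration file are arguments you supply.

```shell
#!/bin/sh
# Added example, not from the guide: apply the WebSEAL login-page steps to a
# document root and check that nothing was left half done.

# Steps 1-3: install login.html with JUNCTION_NAME replaced, plus the css/ and
# images/ trees it references.
# install_login_page <sample_webseal_dir> <webseal_docroot> <junction_name>
install_login_page() {
    sample=$1; docroot=$2; junction=$3
    # keep the stock page so the change can be rolled back
    if [ -f "$docroot/login.html" ]; then
        cp "$docroot/login.html" "$docroot/login.html.orig"
    fi
    sed "s#JUNCTION_NAME#$junction#g" "$sample/login.html" > "$docroot/login.html"
    cp -R "$sample/css" "$sample/images" "$docroot/"
}

# Step 4 helper: rewrite "key = value" in place; append when the key is absent
# (the administrator should then move it into the proper stanza). A temp file
# is used so the same script works with BSD and GNU sed.
# set_conf_key <conf_file> <key> <value>
set_conf_key() {
    conf=$1; key=$2; value=$3
    if grep -q "^$key[[:space:]]*=" "$conf"; then
        sed "s#^$key[[:space:]]*=.*#$key = $value#" "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
    else
        printf '%s = %s\n' "$key" "$value" >> "$conf"
    fi
}

# forms-auth = both: forms login for HTTP and HTTPS clients.
# ba-auth = none: WebSEAL never issues a Basic-auth challenge, so browsers
# do not cache and replay credentials in Authorization headers.
configure_forms_login() {
    set_conf_key "$1" forms-auth both
    set_conf_key "$1" ba-auth none
}

# Returns 0 only when the installed page has no leftover placeholder, the
# style sheet is in place, and both settings are in force.
# verify_login_setup <webseal_docroot> <conf_file>
verify_login_setup() {
    docroot=$1; conf=$2
    [ -f "$docroot/login.html" ] || return 1
    if grep -q JUNCTION_NAME "$docroot/login.html"; then return 1; fi
    [ -f "$docroot/css/imperative.css" ] || return 1
    grep -qx 'forms-auth = both' "$conf" || return 1
    grep -qx 'ba-auth = none' "$conf"
}

# Constructed fixture (not real product files) so the script can be exercised
# without a WebSEAL installation. make_fixture <dir> builds sample/ and docroot/.
make_fixture() {
    mkdir -p "$1/sample/css" "$1/sample/images" "$1/docroot"
    printf '<form action="/JUNCTION_NAME/itim_expi/login">\n' > "$1/sample/login.html"
    printf 'body { font-family: sans-serif; }\n' > "$1/sample/css/imperative.css"
    : > "$1/sample/images/logo.gif"
    printf '[ba]\nba-auth = http\n\n[forms]\nforms-auth = none\n' \
        > "$1/docroot/webseald-default.conf"
}

# Usage: sh login_page.sh <sample_webseal_dir> <docroot> <junction> <webseald-default.conf>
if [ "$#" -eq 4 ]; then
    install_login_page "$1" "$2" "$3"
    configure_forms_login "$4"
    verify_login_setup "$2" "$4" && echo "login page configured for junction $3"
fi
```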
Running the servlets through the junction

To run the Sample through the WebSEAL junction, specify the following URL in your Web browser:
http://junction_name/itim_expi/
Customization

There are four ways to customize the Web Application Sample:
1. Customize the banner
2. Customize the cascading style sheets, which control font size, typeface, and colors
3. Customize the Java Server Pages (JSPs)
4. Customize the servlets

Customizing the banner

To customize the banner, edit expi_header.html in the WAR directory and change the images.
Customizing the cascading style sheets

To customize the cascading style sheets, edit css/imperative.css under the WAR directory. Note that you might have to stop and start the application and close your Web browser to see the changes.

Customizing the JSPs

To customize the JSPs, use an editor to change them. The next time you go to that JSP, WebSphere will recompile it with your changes.

You can also replace a JSP with a new file. Copy the file into the WAR directory. Then edit the itim_expi.properties file and replace the existing JSP entry with your new one.
Customizing the servlets

You can use WebSphere Studio Application Developer to update the servlets. If you do not have WebSphere Studio Application Developer, you can still customize the servlets by using the Java compiler that comes with WebSphere Application Server.

To use the Java compiler that comes with WebSphere Application Server:

1. Edit the Java file of the servlet you want to change.

2. Set your CLASSPATH. For example, in AIX, use a C shell command language interpreter (such as tcsh) to set the following variables:
   setenv JAVA_HOME /opt/WebSphere/AppServer/java
   setenv ITIM_EAR /opt/WebSphere/AppServer/installedApps/sparrow/enRole.ear
   setenv WAS /opt/WebSphere/AppServer
   setenv CLASSPATH .:${JAVA_HOME}/lib/tools.jar:${JAVA_HOME}/jre/lib/ext/jaas.jar:${ITIM_EAR}/itim_api.jar:${ITIM_EAR}/api_ejb.jar:${WAS}/lib/j2ee.jar:${WAS}/lib/naming.jar:${WAS}/lib/namingclient.jar
   (Keep each setenv command and setting on one line.)
   For example, if you are using the tcsh shell program, put the preceding attributes in a file called setcp.tcsh. Then, from the tcsh shell prompt, run:
   source setcp.tcsh

3. From the WAR directory, run:
   $WAS_HOME/AppServer/java/bin/javac examples/expi/*.java
   (where $WAS_HOME is the directory where WebSphere Application Server is installed.)

If you have the Sample application set for "reload enabled" so that classes get automatically reloaded in WebSphere Application Server, then your changed classes will be reloaded as soon as the compile has finished. If you do not have "reload enabled", then you must stop and start the Sample application.
Appendix. Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
500 Columbus Avenue
Thornwood, NY 10594
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758
USA

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.
Trademarks

The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both:
AIX
DB2
DB2 Universal Database
Domino
IBM
Lotus
MQSeries
Notes
OS/390
SecureWay
Tivoli
WebSphere
z/OS

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Other company, product, and service names may be trademarks or service marks of others.
Index

A
Access Manager service and provisioning policy
  additional configuration 19
  automated task 17
  configured by the Installer 7
  creating 17
  installation requirements 7
  prerequisite check for 12
  selecting in Installer 14
Account ACI 65
accounts
  assigning to Person entities 39
  assigning to Person entities (multi-domain) 41
  assigning with a provisioning policy 43
  creating during reconciliation 41, 42
  creating during Self-Registration 60
  creating in Tivoli Identity Manager 3
  group attributes for 63
  matching user IDs in the Web Application Sample 55
  passwords in the Web Application Sample 56
ACI
  Application Subscription function 65
  Change Password function 58
  Forgot My Password function 59
  Self-Care function 63
ACLs
  for groups 63
  for WebSEAL junction
    creating 22
    in Web Application Sample 67
    modifying 25
  uninstalling 15
agent
  Reverse Password Synchronization 3, 48
  Tivoli Access Manager 1
  Tivoli Access Manager GSO agent 2
Application Subscription function
  configuring 64
  creating ACI for 65
  files for 63
application.service.dn 64
application.service.name 64
attributes
  enrole.authentication.idsEqual 22
  enrole.ui.logoffURL 22, 26
  enrole.ui.ssoEnabled 22
  for groups 63
  for Single Sign-On Enablement 22
  importing from a corporate directory 42
  importing from Tivoli Access Manager user 39
  importing from Tivoli Access Manager user (multi-domain) 41
  in DirectorytoTIMImport 36
  in MDTAMtoTIMImport 34
  in TAMtoTIMImport 33
  in TIMtoTAMsync 37
  modifying in Tivoli Access Manager 44
  modifying user 44
  synchronizing user 44
  WebSEAL configuration 21

B
banner, customizing 68

C
cascading style sheet, customizing 69
Challenge/Response function
  access for 54
  enabling in Tivoli Identity Manager 58
  files for 65
  use with Forgot My Password function 59
  use with Self-Registration 60
Change Password function
  access for 54
  considerations 55
  creating ACI for 58
  files for 57
  use of 57
  use with Forgot My Password function 55
  use with Logon function 55
  use with Main page 55
  use with Self-Registration function 55
  using WebSEAL functions instead 56
clustered environment
  enabling single sign-on in 23
  installation of Web Application Sample 51
configuration and installation 15
connectors, configuring 38
CSS, customizing 69

D
Directory Integrator AssemblyLine samples
  See IBM Directory Integrator AssemblyLine samples
Directory Integrator Data Feed service
  See IBM Directory Integrator Data Feed service
DirectorytoTIMImport.properties 31
DirectorytoTIMImport.xml 31

E
enrole.authentication.idsEqual 23, 66
enrole.ui.ssoEnabled 22
enRoleAuthentication.properties 23

F
Forgot My Password function
  access for 54
  configuring 58
  configuring properties for 59
  considerations 55
  creating ACI for 59

I
IBM Directory Integrator AssemblyLine samples
  configuring connectors for 38
IBM Directory Integrator AssemblyLine samples (continued)
  configuring Directory Integrator Data Feed Service 32
  importing users from corporate directory 42
  importing users from Tivoli Access Manager 39
  importing users from Tivoli Access Manager (multi-domain) 41
  installation requirements 9, 30
  installed components 30
  overview 29
  performance in 38
  prerequisite configuration 33
  properties files 33
  security in 38
  selecting in Installer 14
  supported tasks 31
  uninstalling 15
  using with Active Directory 30
  using with an LDAP directory 30
  using with Lotus Domino 30
  verification test for 38
IBM Directory Integrator Data Feed service
  creating 32
  overview 29
identity management, overview 1
Identity Manager Configuration
  installation requirements 8
  properties file changes 22
  selecting in Installer 14
  uninstalling 15
  use in configuring Tivoli Identity Manager 21
identity policy, creating 2
IDI Data Feed service
  See IBM Directory Integrator Data Feed service
importing user data 29
installation
  choosing items to install 6
  requirements for (overview) 6
  requirements for Access Manager service and provisioning policy 7
  requirements for IBM Directory Integrator AssemblyLine samples 9
  requirements for Single Sign-On Enablement 8
  requirements for Web Application Sample 10, 48
Installer
  configuration and installation 15
  introduction 1
  Java Runtime requirement 5
  overview 5
  preinstallation 5
  prerequisite checking 11
    for Access Manager service and provisioning policy 12
    for Web Application Sample 12
    Java Runtime Environment 12
    Single Sign-On Enablement 12
    Tivoli Identity Manager user registry 12
    Web Application Sample 11
    WebSphere Application Server 11
  requirements after running 15
  requirements for running 5
  running 11
  selection of items to install 14
  uninstalling 15
  use with WebSphere Application Server Security setting 48
integration
  basic tasks for 1
  overview 1
  specialized tasks 4
  Tivoli Identity Manager tasks for 2
internal mapping algorithm 23
itim_expi.properties 53
ItimProtected 22
ItimUnprotected 22
iv_user 26

J
Java Runtime Environment
  prerequisite checking 12
  usage note 5
Java Server Pages
  access 54
  customizing 69

L
language option 11
Location object 61
Logoff page, for WebSEAL single sign-on 26
logoff.html 27
Logon function
  access for 54
  configuring 54
Logout function
  access for 54
  configuring 66
  use with Main page 55
Lotus Notes connector 38

M
Main (Home) page
  access for 54
  configuring 55
mapping algorithm, internal 23
MDTAMtoTIMImport.properties 31
MDTAMtoTIMImport.xml 31

P
Password function considerations 56
password policy, creating 2
passwords
  Change Password function 57
  Forgot My Password function 58
  Reverse Password Synchronization 3, 48
  strength rules in Web Application Sample 55
  synchronizing 60
  synchronizing in the Web Application Sample 56
performance, for IBM Directory Integrator AssemblyLine samples 38
Person ACI 63
Person entities
  creating from a corporate directory 42
  creating from Tivoli Access Manager users 39
  creating from Tivoli Access Manager users (multi-domain) 41
  creating in Tivoli Identity Manager 3
preinstallation 5
prerequisite checking
  for Access Manager service and provisioning policy 12
prerequisite checking (continued)
  for Web Application Sample 12
  Java Runtime Environment 12
  overview 11
  Single Sign-On Enablement 12
  Tivoli Identity Manager user registry 12
  Web Application Sample 11
  WebSphere Application Server 11
prerequisite configuration
  for IBM Directory Integrator AssemblyLine samples 33
  for Single Sign-On Enablement 21
  for Web Application sample 48
prerequisite knowledge, for Web Application Sample 47
profile, description of 1
properties
  application.service.dn 64
  application.service.name 64
  Change Password at Next Login 61
  changeonlytimpassword 57, 59
  displaypassword 59
  enrole.authentication.idsEqual 66
  ertam4expirepass 61
  for Change Password function 57
  for Forgot My Password 59
  for Location object 61
  for Self-Care 63
  for Self-Registration 61
  ssoenabled 54
properties files
  IBM Directory Integrator AssemblyLine samples
    DirectorytoTIMImport.properties 36
    MDTAMtoTIMImport.properties 34
    TAMtoTIMImport.properties 33
    TIMtoTAMsync.properties 37
  Web Application Sample 53
  WebSEAL single sign-on
    enRoleAuthentication.properties 22
    ui.properties 22
Provisioning Fast Start collection
  choosing items to install 6
  general requirements 6
  introduction 1
  preinstallation 5
Provisioning Fast Start Installer
  See Installer
provisioning policy
  auto-provisioning for Tivoli Access Manager accounts 62
  auto-provisioning for Tivoli Identity Manager accounts 62
  automated task 17
  configured by the Installer 18
  creating (overview) 3
  creating accounts with 43
  creating with the Installer 17
  customizing 19
  use in Self-Registration 60
  using to synchronize passwords 60
provisioning, description of 1

R
reconciliation, overview of 3
related publications viii
Reverse Password Synchronization agent
  availability of 3
  requirement in Web Application Sample 48

S
security
  for IBM Directory Integrator AssemblyLine samples 38
  for WebSEAL single sign-on 26
  setting in WebSphere Application Server 10, 48
selection of items to install 14
Self-Care function
  access for 54
  configuring 62
  configuring properties 63
  use with Main page 55
self-management 47
Self-Registration function
  access for 54
  auto-provisioning for Tivoli Access Manager accounts 62
  auto-provisioning for Tivoli Identity Manager accounts 62
  configuring 59
  creating a Location object for 61
  synchronizing passwords 60
service
  adding (overview of) 2
  automated task 17
  configured by the Installer 17
  creating with the Installer 17
  description of 1
  viewing or modifying 19
servlets, customizing 69
single sign-on
  accessing Tivoli Identity Manager logon page 27
  changing timeout session 24
  configuring Logoff page 26
  configuring the SSL certificate 24
  configuring the Web Sample for 66
  creating a junction 22
  custom login page with Web Application Sample 67
  enabling in a clustered environment 23
  enabling in Tivoli Identity Manager 21
  ID conversion 66
  modifying ACLs 25
  security in 26
  updating properties files for 22
  use with Logon function 54
  use with Logout page 66
  use with password functions of Web Sample 56
  use with Self-Registration function 60
  use with Web Application Sample 48
Single Sign-On Enablement
  installation requirements 8
  prerequisite checking 12
  selecting in Installer 14
  uninstalling 15
  use in configuring Tivoli Identity Manager 21
SSL certificate configuration 24
ssoLogout.jsp 27
synchronizing user data 29

T
TAMtoTIMImport.properties 31
TAMtoTIMImport.xml 31
TIMTAMIntegration subdirectory 31
TIMtoTAMsync.properties 31
TIMtoTAMSync.xml 31
TIMtoTAMsyncexit 31
Tivoli Access Manager
  importing users (multi-domain) into Tivoli Identity Manager 41
  importing users into Tivoli Identity Manager 39
  integration with Tivoli Identity Manager 1
  modifying user attributes in 44
  service name and DN 64
Tivoli Access Manager agent, description of 1
Tivoli Access Manager GSO agent
  availability of 2
Tivoli Identity Manager
  changing the timeout session 24
  configuring Directory Integrator Data Feed Service for 32
  configuring notification 54
  configuring for single sign-on with WebSEAL 21
  creating a Location object for Self-Registration 61
  enabling challenge/response 58
  importing users (multi-domain) from Tivoli Access Manager 41
  importing users from corporate directory 42
  importing users from Tivoli Access Manager 39
  integration with Tivoli Access Manager 1
  logon page (in SSO) 27
  synchronizing attributes with Tivoli Access Manager 44
Tivoli Identity Manager Web Application Sample
  See Web Application Sample

U
ui.properties 22
uninstalling 15
user attributes
  modifying 44
  modifying in Tivoli Access Manager 44
  synchronizing 44
user data
  importing 29
  importing from corporate directory 42
  importing from Tivoli Access Manager 39
  importing from Tivoli Access Manager (multi-domain) 41
  modifying 44
  modifying in Tivoli Access Manager 44
  synchronizing 29, 44
user IDs
  generated during Self-Registration 60
  in the Web Application Sample
    authentication of 55
user registry
  importing from corporate directory 42
  importing from Tivoli Access Manager 39
  importing from Tivoli Access Manager (multi-domain) 41
  in an integrated environment 3
  modifying 44
  prerequisite checking 12
  synchronizing 44
  Tivoli Identity Manager 12
users
  creating in Tivoli Identity Manager 3
  global sign-on credentials for 2
  self-management 47

W
Web Application Sample
  Application Subscription function 63
  Challenge/Response function 65
  Change Password function 57
  configuring notification 54
  configuring for WebSEAL single sign-on 66
  customizing 68
  features 47
  Forgot My Password function 58
  functions 48
  installation in clustered environment 51
  installation requirements 10, 48
  installation with the Installer 49
  installation without Tivoli Identity Manager 50
  Java Server Pages access 54
  Logon function 54
  Logout function 66
  Main (Home) page 55
  overview 47
  Password function considerations 55
  password synchronization 56
  prerequisite checking 11
  prerequisite configuration 48
  prerequisite knowledge 47
  properties files 53
  requirement for Reverse Password Synchronization agent 48
  selecting in Installer 14
  Self-Care function 62
  Self-Registration function 59
  uninstalling 15
  user IDs, authentication of 55
  user IDs in Self-Registration 60
Web Portal Manager, creating a junction for 22
WebSEAL attributes, configuration 21
WebSEAL junction
  configuring the SSL certificate 24
  creating 21
  modifying ACLs in 25
  use with Web Application Sample 67
  use with Web Application Sample servlets 68
WebSEAL Junction Configuration
  automated task 22
  installation requirements 8
  uninstalling 15
  use in configuring Tivoli Identity Manager 21
WebSEAL single sign-on
  accessing Tivoli Identity Manager logon page 27
  changing timeout session 24
  configuring Logoff page 26
  configuring the SSL certificate 24
  configuring the Web Sample for 66
  creating a junction 22
  custom login page with Web Application Sample 67
  enabling in a clustered environment 23
  enabling in Tivoli Identity Manager 21
  ID conversion 66
  modifying ACLs 25
  security in 26
  updating properties files for 22
  use with password functions of Web Sample 56
  using with the Logout page 66
  using with the Self-Registration function 60
  using with Web Application Sample 48
websealLogout.jsp 26
WebSphere Application Server
  Java Runtime requirement 5
  prerequisite checking 11
  use of Security setting 48
Printed in USA

SC32-1364-00