Security Policy Manager Version 7.1 Installation Guide GC27-2712-00

Upload: vophuc

Post on 11-Jun-2018


Security Policy Manager Version 7.1

Installation Guide

GC27-2712-00

Note: Before using this information and the product it supports, read the information in “Notices” on page 81.

This edition applies to version 7, release 1, modification 0 of IBM Tivoli Security Policy Manager (product number 5724-S24) and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright IBM Corporation 2010. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Figures
Tables
About this publication
    Intended audience
    Publications
        IBM Tivoli Security Policy Manager library
        Prerequisite publications
        Accessing terminology online
        Accessing publications online
        Ordering publications
    Accessibility
    Tivoli technical training
    Support information
    Conventions used in this book
        Typeface conventions
        Operating system differences
Chapter 1. Introduction
    Policy administration components
    Policy decision components
    Software licensing
Chapter 2. Preinstallation road map
    Required preinstallation tasks
    Additional preinstallation tasks
Chapter 3. Installing a user registry
    Choosing a user registry
    Supported user registries
    User registry resources
Chapter 4. Installing and configuring WebSphere Application Server
    WebSphere Application Server installation roadmap
    Using WebSphere Application Server version 7.0
        Installing WebSphere Application Server version 7.0
        Installing the WebSphere Application Server version 7.0 Fix Pack
    Using WebSphere Application Server version 6.1
        Installing the WebSphere Application Server Feature Pack for Web Services
        Installing WebSphere Application Server version 6.1 Fix Packs
    Configuring security settings and the federated repository
    Configuring the Java heap size
    Configuring transaction timeout properties
Chapter 5. Installing the policy database
    Installing DB2
    Using Derby
Chapter 6. Tivoli Security Policy Manager Installation road map
    Required installation tasks
    Additional installation tasks
Chapter 7. Installing Installation Manager
    Installing as an administrator or non-administrator
    Choosing an installation mode
    Installing the Installation Manager application
    IBMIM command
Chapter 8. Installing policy administration components
Chapter 9. Installing the Tivoli runtime security services server
Chapter 10. Installing the Tivoli runtime security services client
Chapter 11. Installing the Tivoli Security Policy Manager software development kit
Chapter 12. Installing the Runtime Security Services software development kit
Chapter 13. Installing packages in silent mode
    Creating a response file
    Installation response file templates
    Installing with a response file
Chapter 14. Installing additional applications
    Installing Tivoli Common Reporting
    Installing IBM Support Assistant
Appendix A. Migrating Tivoli Security Policy Manager data
    Preparing to migrate security policy data
    Data migration worksheet
    Migrating security policy data using the configuration tool
Appendix B. Uninstalling Tivoli Security Policy Manager
    Choosing an uninstallation mode
    Uninstalling the policy manager components
    Uninstalling the runtime security services server
    Uninstalling the runtime security services client
    Uninstalling the Tivoli Security Policy Manager software development kit
    Uninstalling the Runtime Security Services software development kit
    Uninstalling selected Tivoli Security Policy Manager features
    Removing the runtime security services keystore
    Uninstalling in silent mode
Appendix C. Reinstalling Tivoli Security Policy Manager
Notices
    Trademarks
Index

Figures

1. Policy administration components
2. Policy decision components

Tables

1. Required preinstallation tasks
2. Additional preinstallation tasks
3. Installation scenarios for the WebSphere Application Server
4. Required installation tasks
5. Additional installation tasks
6. Worksheet of data migration properties

About this publication

IBM Tivoli Security Policy Manager manages access to resources by defining and enforcing security policies. You can manage many types of resources, including Web services and applications.

This guide describes how to install Tivoli® Security Policy Manager.

Intended audience

This publication is designed for the system administrators and network administrators in an organization that uses IBM® Tivoli Security Policy Manager to manage its security policies.

Readers of this book should have working knowledge of the following topics:
• The implementation of IBM Tivoli Security Policy Manager in their environment
• Web services security concepts and practices
• The types of resources being protected by policies
• IBM WebSphere® Application Server

Publications

Read the descriptions of the IBM Tivoli Security Policy Manager library, the prerequisite publications, and the related publications to determine which publications you might find helpful. The section also describes how to access Tivoli publications online and how to order Tivoli publications.

IBM Tivoli Security Policy Manager library

The following documents are available in the library:
• IBM Tivoli Security Policy Manager Quick Start Guide
  Provides instructions for getting started with IBM Tivoli Security Policy Manager.
• IBM Tivoli Security Policy Manager Installation Guide
  Provides instructions for installing IBM Tivoli Security Policy Manager.
• IBM Tivoli Security Policy Manager Configuration Guide
  Provides instructions for configuring IBM Tivoli Security Policy Manager and its related components.
• IBM Tivoli Security Policy Manager Administration Guide
  Provides instructions for administering IBM Tivoli Security Policy Manager.
• IBM Tivoli Security Policy Manager Error Message Reference
  Provides explanations of the IBM Tivoli Security Policy Manager error messages.
• IBM Tivoli Security Policy Manager Troubleshooting Guide
  Provides troubleshooting information and instructions for problem solving.

You can obtain the publications from the IBM Tivoli Security Policy Manager Information Center:

http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?toc=/com.ibm.tspm.doc_7.1/toc.xml.

Prerequisite publications

To use the information in this book effectively, you need knowledge of related software products, which you can obtain from the following publications:
• IBM WebSphere Application Server Information Center
  Version 7.0
  http://www14.software.ibm.com/webapp/wsbroker/redirect?version=compass&product=was-nd-dist
  Version 6.1
  http://www14.software.ibm.com/webapp/wsbroker/redirect?version=pix&product=was-nd-dist
• IBM DeveloperWorks white papers for Tivoli Security Policy Manager
  For information about these white papers as they are published, access the Tivoli Security Policy Manager Information Center:
  http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.tspm.doc_71/welcome.htm
  Alternatively, search for Tivoli Security Policy Manager on the IBM DeveloperWorks Web site.
  http://www.ibm.com/developerworks/
• IBM Redbook for Tivoli Security Policy Manager
  For more information about this Redbook, access the Tivoli Security Policy Manager Information Center:
  http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.tspm.doc_71/welcome.htm
  Alternatively, search for Tivoli Security Policy Manager on the IBM Redbooks® site.
  http://www.redbooks.ibm.com/
• Service-oriented architecture
  For information regarding service-oriented architecture from IBM, see:
  http://www.ibm.com/soa
  WebSphere DataPower® SOA Appliance works with WebSphere Service Registry and Repository to receive policies and policy updates.
  – IBM WebSphere DataPower SOA Appliance
    Tivoli Security Policy Manager supports the use of WebSphere DataPower SOA Appliance to enforce message protection and role-based authorization policies. This installation guide does not describe the installation and configuration of Tivoli Security Policy Manager with DataPower. You can obtain installation information at the following Web site:
    http://www.ibm.com/software/integration/datapower/library/index.html
  – IBM WebSphere Service Registry and Repository
    Tivoli Security Policy Manager can send message protection and role-based access policies to the WebSphere Service Registry and Repository, which the WebSphere DataPower SOA Appliance uses to obtain new and updated policy information. This installation guide does not describe the installation and configuration of WebSphere Service Registry and Repository. You can obtain installation information at the following Web site:
    http://publib.boulder.ibm.com/infocenter/sr/v6r3/index.jsp
  For more information about the configuration steps for WebSphere DataPower SOA Appliance, refer to the message protection configuration topic in the configuration guide.
• IBM Redbook: Understanding SOA Security Design and Implementation
  http://www.redbooks.ibm.com/abstracts/sg247310.html
• IBM Redpaper: SOA Policy Management
  http://www.redbooks.ibm.com/abstracts/redp4463.html
• IBM Redpaper: IBM WebSphere DataPower SOA Appliances Part II: Authentication and Authorization
  http://www.redbooks.ibm.com/abstracts/redp4364.html
• IBM Redpaper: Federated Identity and Trust Management
  http://www.redbooks.ibm.com/abstracts/redp3678.html
• IBM Redpaper: Propagating Identity in SOA with Tivoli Federated Identity Manager
  http://www.redbooks.ibm.com/abstracts/redp4354.html
• The IBM WebSphere Application Server information center on the IBM Web site.
  This site contains many publications and topics that describe strategies for the development and deployment of distributed applications.
  http://www.ibm.com/software/webservers/appserv/was/library/v61/nd-dp/info-center.html
• Web services standards
  Tivoli Federated Identity Manager, and the Web services security management component in particular, support a number of open Web services standards, such as WS-Security. For additional information about Web services standards, see:
  http://www.ibm.com/developerworks/webservices/standards/
• Extensible Access Control Markup Language (XACML) access control specifications
  You can locate a number of XACML specifications at the Organization for the Advancement of Structured Information Standards (OASIS) Web site:
  http://docs.oasis-open.org/xacml/2.0/

Accessing terminology online

The IBM Terminology Web site consolidates the terminology from IBM product libraries in one convenient location. You can access the Terminology Web site at http://www.ibm.com/software/globalization/terminology .

Accessing publications online

The documentation CD contains the publications that are in the product library. The format of the publications is PDF, HTML, or both. Refer to the readme file on the CD for instructions on how to access the documentation.

IBM posts publications for this and all other Tivoli products, as they become available and whenever they are updated, to the Tivoli Documentation Central Web site at http://www.ibm.com/tivoli/documentation

Note: If you print PDF documents on other than letter-sized paper, set the option in the File → Print window that allows Adobe Reader to print letter-sized pages on your local paper.

Ordering publications

You can order many Tivoli publications online at http://www.ibm.com/e-business/linkweb/publications/servlet/pbi.wss.

You can also order by telephone by calling one of these numbers:
• In the United States: 800-879-2755
• In Canada: 800-426-4968

In other countries, contact your software account representative to order Tivoli publications. To locate the telephone number of your local representative, perform the following steps:
1. Go to http://www.elink.ibmlink.ibm.com/publications/servlet/pbi.wss.
2. Select your country from the list and click Go.
3. Click About this site in the main panel to see an information page that includes the telephone number of your local representative.

Accessibility

Accessibility features help a user who has a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You also can use the keyboard instead of the mouse to operate all features of the graphical user interface.

For additional information, see the "Accessibility" topic in the Release Information section of the information center at http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?toc=/com.ibm.tspm.doc_7.1/toc.xml.

Tivoli technical training

For Tivoli software training information, refer to the IBM Tivoli Education Web site: http://www.ibm.com/software/tivoli/education

Support information

If you have a problem with your IBM software, you want to resolve it quickly.

IBM provides the following ways for you to obtain the support you need:

Online
    Go to the IBM Software Support site at http://www.ibm.com/software/support/probsub.html and follow the instructions.

IBM Support Assistant
    The IBM Support Assistant (ISA) is a free local software serviceability tool that helps you resolve questions and problems with IBM software products. The ISA provides quick access to support-related information and serviceability tools for problem determination. For information about IBM Support Assistant, go to http://www.ibm.com/software/support/isa.

Troubleshooting Guide
    For more information about resolving problems, see the IBM Tivoli Security Policy Manager Troubleshooting Guide.

Conventions used in this book

This reference uses several conventions for special terms and actions and for operating system-dependent commands and paths.

Typeface conventions

The following typeface conventions are used in this guide.

Bold
• Lowercase commands or mixed case commands that are difficult to distinguish from surrounding text, keywords, parameters, options, names of Java™ classes, and objects are in bold
• Interface controls (check boxes, push buttons, radio buttons, spin buttons, fields, folders, icons, list boxes, items inside list boxes, multicolumn lists, containers, menu choices, menu names, tabs, property sheets), labels (such as Tip:, and Operating system considerations:)

Italic
• Citations (examples: titles of publications, diskettes, and CDs)
• Words defined in text (example: a nonswitched line is called a point-to-point line)
• Emphasis of words and letters (words as words example: "Use the word that to introduce a restrictive clause."; letters as letters example: "The LUN address must start with the letter L.")
• New terms in text (except in a definition list): a view is a frame in a workspace that contains data.
• Variables and values you must provide: ... where myname represents....

Monospace
• Examples and code examples
• File names, programming keywords, and other elements that are difficult to distinguish from surrounding text
• Message text and prompts addressed to the user
• Text that the user must type
• Values for arguments or command options

Operating system differences

This publication uses the UNIX convention for specifying environment variables and for directory notation.

When using the Windows command line, replace $variable with %variable% for environment variables and replace each forward slash (/) with a backslash (\) in directory paths. The names of environment variables are not always the same in the Windows and UNIX environments. For example, %TEMP% in Windows environments is equivalent to $TMPDIR in UNIX environments.

Note: If you are using the bash shell on a Windows system, you can use the UNIX conventions.

Chapter 1. Introduction

IBM Tivoli Security Policy Manager provides standards-based application security management to secure access to applications and Web services in heterogeneous IT and service-oriented architecture (SOA) environments.
• “Policy administration components”
• “Policy decision components” on page 3
• “Software licensing” on page 5

Policy administration components

The policy administration components are used to create, store, and manage policies that protect resources.

[Figure 1. Policy administration components. Elements shown: Web browser to access console; Policy console; Policy server (policy administration point); Administrator user registry; Policy database; Service registry or repository; WSDL; Files from which a service can be imported; Resources protected by policies.]

Administrator user registry
    The user registry stores the Tivoli Security Policy Manager administrator credentials. The LDAP user registry used must be:
    • Supported by the version of WebSphere Application Server running on the Policy server system.
    • Configured in WebSphere Application Server for use as a federated repository before installing Tivoli Security Policy Manager components.

    No LDAP user registry is provided with Tivoli Security Policy Manager. See Chapter 3, “Installing a user registry,” on page 9 for details.

Policy database
    This database stores the policies and application roles for Tivoli Security Policy Manager.

    In test and non-production environments, no additional software is needed. In these environments, use the Derby JDBC database that is provided with WebSphere Application Server.

    In production environments, use IBM DB2® Workgroup Server Edition as the policy database. This software is provided with Tivoli Security Policy Manager. See Chapter 5, “Installing the policy database,” on page 23 for details.

Policy server (acting as the policy administration point)
    The policy server, running in WebSphere Application Server, provides the framework and processes used to create and manage your security policies.

    The Tivoli Security Policy Manager Configuration Tool must be installed, but not necessarily on the same system as the policy server. The configuration tool enables you to configure the policy server and its related administration components. For more information about configuration tasks, see the Tivoli Security Policy Manager Configuration Guide.

Policy console
    The policy console provides Web-based access to the policy administration point. Administrators can write, configure, and distribute policies using the console.

    The policy console can be installed on the same system as the policy server or on a different system.

Resources protected by policies
    You can protect the following types of resources with Tivoli Security Policy Manager:
    • Web services
    • Custom applications
    • J2EE applications
    • WebSphere Portal resources
    • Microsoft SharePoint resources
    • Databases

Service registry or repository and files for service discovery (optional)
    You can import and discover services (or resources) that you want to protect with policies using any of the following methods:
    • A service registry or repository, if one is configured, to use the service definitions directly from the registry.
    • An interchange or Web Services Description Language (WSDL) file to import service definitions to the policy server.
    • The policy console to manually add service definitions to the policy server.

Policy decision components

The policy decision components work together to evaluate a request against a policy.

[Figure 2. Policy decision components. Elements shown: Policy enforcement point; Policy decision point; Policy information points (optional); User registry. Annotations: the policy decision point connects to one or more optional information points if used; the policy enforcement point might query additional credential authentication information from the user registry to build the authentication request.]

The activities of the components include:
• Receiving an access request.
• Evaluating an access request against a policy.
• Deciding whether the access is to be permitted or denied.
• Enforcing the decision.

The components must have access to the policy, the request, and all the information that is required for the evaluation.

The policy decision components are:

Policy decision points
    Policy decision points perform the following tasks during the evaluation of a request:
    • Evaluate an access request against a policy.
    • Decide whether access is to be permitted or denied.

    One of the policy decision point options you have is the Runtime Security Services component. You can use the component in either of the following configurations:

    Runtime security services server and one or more runtime security services clients in remote mode
        In this configuration, the runtime security services server is installed in its own installation of WebSphere Application Server. The server provides an authorization decision. A runtime security services client is installed on each server that hosts the resources you plan to protect with policies. The client receives the authorization decision remotely from the server. In this configuration, you can have multiple clients protecting multiple resources and each client receives authorization decisions from the same server.

    Runtime security services client in local mode
        In this configuration, the runtime security services client is installed on the server that hosts the resources you plan to protect with policies. The client makes its own authorization decision locally.

    Your choice of policy decision point depends on:
    • The types of resources you are protecting.
    • The types of policies that you are using to protect the resources.

    The policy decision point is used with the policy enforcement point.

Policy enforcement points
    Policy enforcement points perform the following tasks when evaluating an access request:
    • Receive the request.
    • Notify the policy decision points of the request.
    • Receive the decision response from the policy decision points.
    • Enforce the decision by either permitting access or denying access to the request.

    The options for the policy enforcement point depend on the policy decision point you choose to use.

Policy distribution targets
    Policy distribution targets are locations from which policy decision points can access policies.

    The policy distribution targets depend on the policy decision points you use. In most cases, the policy distribution target is the same component that acts as the policy decision point. The environment might require an additional product to act as the policy distribution target.

User registry
    When a user requests access to a resource, the policy enforcement point must be able to determine the user's credentials. It must also determine whether the user belongs to a group that is affected by a policy.

    This user registry does not need to be the same one as the administrator user registry. The administrator user registry is described in “Policy administration components” on page 1 and is used to manage Tivoli Security Policy Manager administrators.

Policy information points
    In advanced authorization policy scenarios, additional information about a request is required to make a policy decision. This additional information, in the form of attributes, comes from the request itself or from an external source. External sources could be one or more user registries or databases. They are called policy information points. To use a policy information point, you must be using the runtime security services server or the runtime security services client in local mode as your policy decision point. You must also install one or more of the following servers to act as the policy information point:
    • A DB2 database.
    • A user registry.
    • A security token service (STS) server, such as Tivoli Federated Identity Manager.
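The request flow described above (the enforcement point receives the request and looks up group membership, the decision point evaluates it and may pull attributes from a policy information point), modeled as an added Python example that is not part of the IBM guide or of the product. All class names, the rule format and the sample users are assumptions made for illustration; they are not Tivoli Security Policy Manager or Runtime Security Services APIs.

```python
"""Toy model of the policy decision components: PEP -> PDP -> optional PIP.

Illustrative names only; sample users, groups and rules are constructed.
"""
from dataclasses import dataclass, field

PERMIT, DENY = "Permit", "Deny"


@dataclass
class AccessRequest:
    subject: str
    resource: str
    action: str
    groups: frozenset = frozenset()                 # filled in by the PEP
    attributes: dict = field(default_factory=dict)  # attributes carried in the request


@dataclass
class Rule:
    resource: str
    action: str
    group: str                                      # group the policy applies to
    required: dict = field(default_factory=dict)    # extra attribute conditions


class UserRegistry:
    """Constructed stand-in for the user registry (group membership)."""
    def __init__(self, groups):
        self._groups = groups

    def groups_of(self, subject):
        return frozenset(self._groups.get(subject, ()))


class PolicyInformationPoint:
    """Constructed stand-in for an external attribute source."""
    def __init__(self, records, reachable=True):
        self._records, self.reachable = records, reachable

    def lookup(self, subject, name):
        if not self.reachable:
            raise ConnectionError("policy information point unreachable")
        return self._records.get(subject, {}).get(name)


class PolicyDecisionPoint:
    def __init__(self, rules, pips=()):
        self.rules, self.pips = rules, list(pips)

    def _resolve(self, request, name):
        # Attributes come from the request itself or from an external source.
        if name in request.attributes:
            return request.attributes[name]
        for pip in self.pips:
            value = pip.lookup(request.subject, name)
            if value is not None:
                return value
        return None

    def evaluate(self, request):
        try:
            for rule in self.rules:
                if (rule.resource, rule.action) != (request.resource, request.action):
                    continue
                if rule.group not in request.groups:
                    continue
                if all(self._resolve(request, k) == v for k, v in rule.required.items()):
                    return PERMIT
        except ConnectionError:
            return DENY   # missing information never turns into a permit
        return DENY       # no matching rule: deny by default


class PolicyEnforcementPoint:
    def __init__(self, pdp, registry):
        self.pdp, self.registry, self.audit_log = pdp, registry, []

    def handle(self, subject, resource, action, operation, attributes=None):
        # Receive the request and build it, including group membership.
        request = AccessRequest(subject, resource, action,
                                self.registry.groups_of(subject), attributes or {})
        decision = self.pdp.evaluate(request)       # notify PDP, receive decision
        self.audit_log.append((subject, resource, action, decision))
        if decision != PERMIT:
            raise PermissionError(f"{subject} denied {action} on {resource}")
        return operation()                          # enforce: run the protected call


def build_demo(pip_reachable=True):
    """Wire the components together over constructed sample data."""
    registry = UserRegistry({"alice": {"claims-adjusters"}, "bob": {"interns"}})
    pip = PolicyInformationPoint({"alice": {"region": "EU"}}, reachable=pip_reachable)
    rules = [Rule("/claims/42", "read", "claims-adjusters", {"region": "EU"})]
    return PolicyEnforcementPoint(PolicyDecisionPoint(rules, [pip]), registry)


if __name__ == "__main__":
    pep = build_demo()
    print(pep.handle("alice", "/claims/42", "read", lambda: "claim record"))
    print(pep.audit_log)
```

The audit log records denials as well as permits, which is what makes an unreachable information point visible as a run of unexpected Deny decisions rather than a silent outage.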

Software licensing

Tivoli Security Policy Manager is distributed as a product bundle that includes other IBM licensed products. Each product in the bundle includes licensing conditions; see your product purchase agreement.

Chapter 2. Preinstallation road map

Before you install Tivoli Security Policy Manager, you must prepare yourenvironment by installing and configuring prerequisite software.v “Required preinstallation tasks”v “Additional preinstallation tasks”

Required preinstallation tasksBefore installing Tivoli Security Policy Manager, complete the tasks listed inTable 1.

Table 1. Required preinstallation tasks

Task For more information

Install the administrator user registry. Chapter 3, “Installing a user registry,” on page 9

Install or upgrade WebSphere Application server,depending on your installation scenario.

“WebSphere Application Server installation roadmap” onpage 11

Configure the administrator user registry as a federatedrepository and enable WebSphere administrative security.

“Configuring security settings and the federatedrepository” on page 18

Optimize WebSphere Application Server performance. v “Configuring the Java heap size” on page 21

v “Configuring transaction timeout properties” on page21

Install and configure the policy database. Chapter 5, “Installing the policy database,” on page 23

Additional preinstallation tasks

If you are installing the runtime security services server or the runtime security services client, complete the tasks that are listed in Table 2 on each system before you install these components.

Table 2. Additional preinstallation tasks

| Task | For more information |
|---|---|
| Install a user registry. This task is necessary only if the user registry that you are using to store Tivoli Security Policy Manager administrator information is different (separate) from the user registry that you are using to store the user information that is associated with your security policies. | Chapter 3, “Installing a user registry,” on page 9 |
| Install or upgrade WebSphere Application Server, depending on your installation scenario. | “WebSphere Application Server installation roadmap” on page 11 |
| Optimize WebSphere Application Server performance. | “Configuring the Java heap size” on page 21; “Configuring transaction timeout properties” on page 21 |


Chapter 3. Installing a user registry

You must select a user registry to manage the user IDs and passwords of Tivoli Security Policy Manager administrators. You can install a new user registry specifically for Tivoli Security Policy Manager or use an existing one. You can use this same registry to manage the credentials of the users who are affected by your security policies or select a different user registry.
- “Choosing a user registry”
- “Supported user registries”
- “User registry resources” on page 10

Choosing a user registry

Your choice of user registry depends on your environment and what user and group information you need to store and access. You can use a single registry for everything, or split your information between multiple registries.

If the user registry only stores information about Tivoli Security Policy Manager, you can use any user registry in the list of supported registries. See “Supported user registries” to access the list. This user registry is called the administrator user registry. You must configure the administrator user registry in WebSphere Application Server as a federated repository.

Managing user and group information about resources protected by your security policies with a single user registry limits your choices. You must choose a user registry that is supported by the software managing your protected resources. For example, to use a single user registry to manage access to Microsoft SharePoint resources and Tivoli Security Policy Manager administrators, you must use Microsoft Active Directory. To manage access to Web services and Tivoli Security Policy Manager administrators, you must use Tivoli Directory Server or Microsoft Active Directory.

Choose a user registry before installing Tivoli Security Policy Manager. If you use multiple user registries, you configure WebSphere Application Server to use the correct user registry. Specify the administrator user registry for the policy administration components.

Supported user registries

You can use Tivoli Directory Server, Microsoft Active Directory, or any user registry that is supported in a federated repository configuration with Tivoli Security Policy Manager. Tivoli Security Policy Manager does not provide a user registry.

See “Choosing a user registry” for conditions that apply if you use the same user registry to store Tivoli Security Policy Manager administrator credentials and the credentials of users that are protected by your security policies.

To display a list of supported user registries in a federated repository:
1. Select the list for your version of WebSphere Application Server:
   - WebSphere Application Server version 7.0:
     http://ibm.com/support/docview.wss?rs=180&uid=swg27012369
   - WebSphere Application Server version 6.1:
     http://ibm.com/support/docview.wss?rs=180&uid=swg27007642
2. Select the target operating system.
3. Locate the LDAP Servers using Federated Repository Configuration section to view the list of supported user registries.

User registry resources

The following resources can assist you in installing a supported user registry and enabling security.

Tivoli Directory Server

Overview and installation instructions
    http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?toc=/com.ibm.IBMDS.doc/toc.xml

Enabling SSL security
    http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?toc=/com.ibm.IBMDS.doc/toc.xml
    Enter Configuring IBM Tivoli Directory Server for SSL access in the search field.

Microsoft Active Directory

Overview and installation instructions
    http://www.microsoft.com/windows2000/technologies/directory/ad/default.asp

Enabling SSL security
    http://publib.boulder.ibm.com/infocenter/wpdoc/v6r1m0/index.jsp.
    Enter preparing an active directory server in the search field.


Chapter 4. Installing and configuring WebSphere Application Server

You install Tivoli Security Policy Manager components into a WebSphere Application Server environment. You must install WebSphere Application Server on each system where you install Tivoli Security Policy Manager components.
- “WebSphere Application Server installation roadmap”
- “Using WebSphere Application Server version 7.0” on page 12
- “Using WebSphere Application Server version 6.1” on page 15
- “Configuring security settings and the federated repository” on page 18
- “Configuring the Java heap size” on page 21
- “Configuring transaction timeout properties” on page 21

WebSphere Application Server installation roadmap

You can install Tivoli Security Policy Manager components into a new WebSphere environment or an existing WebSphere environment.

For new installations, install WebSphere Application Server version 7.0, which Tivoli Security Policy Manager provides.

You can use an existing deployment of WebSphere Application Server, version 7.0 or version 6.1.

Some limitations apply if you intend to install components on different versions of WebSphere Application Server. These limitations are described in the software requirements section of the Tivoli Security Policy Manager information center.

Use the following table as a guide to completing your WebSphere setup tasks.

Table 3. Installation scenarios for the WebSphere Application Server

| If you are: | Start here: |
|---|---|
| Installing Tivoli Security Policy Manager components into a new, uninstalled environment | Install WebSphere Application Server Version 7.0. See http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp. |
| Installing Tivoli Security Policy Manager components into an existing WebSphere Application Server Version 7.0 installation | Apply the required fix pack for WebSphere Application Server 7.0 that is listed in the software requirements section of the Tivoli Security Policy Manager information center. See “Installing the WebSphere Application Server version 7.0 Fix Pack” on page 14. |
| Deploying Tivoli Security Policy Manager components into an existing WebSphere Application Server Version 6.1 installation | Apply the required feature pack and fix packs in the order listed in the software requirements section of the Tivoli Security Policy Manager information center. For installation instructions, see “Installing the WebSphere Application Server Feature Pack for Web Services” on page 16 and “Installing WebSphere Application Server version 6.1 Fix Packs” on page 16. |

For more information on installing WebSphere Application Server Version 7.0, see:


http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp

For more information on installing feature packs, see:

http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp

Using WebSphere Application Server version 7.0

You can install WebSphere Application Server version 7.0 or use an existing deployment. Tivoli Security Policy Manager provides this version.

If you have already deployed WebSphere Application Server version 7.0, go to “Installing the WebSphere Application Server version 7.0 Fix Pack” on page 14.
- “Installing WebSphere Application Server version 7.0”
- “Installing the WebSphere Application Server version 7.0 Fix Pack” on page 14

Installing WebSphere Application Server version 7.0

If you do not have WebSphere Application Server already deployed, you can install WebSphere Application Server version 7.0.

Before you begin

Ensure that you have installed a suitable user registry, as described in Chapter 3, “Installing a user registry,” on page 9.

About this task

This task describes installing WebSphere Application Server version 7.0. Perform this task on each computer where you intend to install a new version of WebSphere Application Server and one or more Tivoli Security Policy Manager components.

Procedure

1. Access the IBM WebSphere Application Server Network Deployment Version 7.0 CD for your operating system, or extract the files from the archive file that you downloaded from Passport Advantage.

2. Run the WebSphere installation script.

   AIX®, Linux, Linux on System z®, or Solaris
       ./launchpad.sh

   Windows
       C:\launchpad.bat

   Installation notes:
   - Select Launch the installation wizard for WebSphere Application Server Network Deployment.
   - Enable administrative security. When you install the Tivoli Security Policy Manager components, you will supply the WebSphere Application Server administrative user name and password.
   - The WebSphere Core product files are required. The additional WebSphere packages are optional. The sample applications are not needed.
   - Select the application server environment in which you are installing the Tivoli Security Policy Manager components.


3. When the installation completes, select First Steps > Profile Management Tool.

   Note: If you install WebSphere Application Server for the runtime security services client and the client manages access to a J2EE policy enforcement point, do not configure a profile. Install the fix pack. See “Installing the WebSphere Application Server version 7.0 Fix Pack” on page 14. After you install the fix pack, return to this step and configure the profile. This exception applies only to the WebSphere configuration for J2EE policy enforcement points.

   Profile creation notes:
   - Choose application server profile.
   - The user name and password that you enter for administrative security is supplied during policy manager and platform installation.
   - The profile creation assigns port numbers that you need to use during policy manager configuration and administration. For example:
     - Administrative console port: 9060
     - Administrative console secure port: 9043
     - HTTP transport port: 9080
     - HTTPS transport port: 9443
     - Bootstrap port: 2809
     - SOAP connector port: 8880

     This information is recorded in the AboutThisProfile.txt file. For example, on a Linux or UNIX system, for a profile named AppSrv01, the information is stored in:
     /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/logs/AboutThisProfile.txt
   - The profile creation process creates default copies of the WebSphere truststore and keystore. When you install the policy manager server and runtime security services components, you specify the location of the WebSphere truststore. The keystore specification is optional. If you use the default files, you specify the file paths created by the profile management tool.

     For example, on a host called mySystem the default truststore location is:
     /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/config/cells/mySystemNode01Cell/nodes/mySystemNode01/trust.p12

     On the same host, the default keystore is:
     /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/config/cells/mySystemNode01Cell/nodes/mySystemNode01/key.p12

   For information on how Tivoli Security Policy Manager uses the truststore and keystore, see the topic on securing communication in the Tivoli Security Policy Manager Configuration Guide.

4. Optional: Perform the following steps after creating the profile.
   a. Select Launch the First steps console.
   b. Click Finish.
   c. Select Installation Verification.

   The system displays a message similar to the following one:

   ADMU3000I: Server server1 open for e-business; process id is 1991

   Note: The policy manager console is installed into the Tivoli Integrated Portal environment. Tivoli Integrated Portal uses a separate, imbedded instance of WebSphere Application Server with the server1 name. You cannot change this value. If you are installing the policy manager console and policy manager server on the same computer and the existing WebSphere Application Server instance where you are installing the policy manager server is using the server1 name, the installation program renames it to ensure compatibility between the separate WebSphere Application Server instances.

5. Optional: Access the SystemOut.log file to monitor WebSphere application server startup and execution. For example:

   AIX, Linux, Linux on System z, or Solaris
       /opt/IBM/WebSphere/AppServer/profiles/default/logs/server1/SystemOut.log

   Windows
       C:\Program Files\IBM\WebSphere\AppServer\profiles\default\logs\server1\SystemOut.log

6. Verify that you can use the WebSphere administration console.
   a. Access a Web browser.
   b. Enter the URL. For example, if the host name is mySystem.example.com, use:
      https://mySystem.example.com:9043/ibm/console/logon.jsp
   c. Log in to the administration console. If you are not prompted to do so, the application server is not running correctly.
   d. Do not enter anything at User ID.
   e. Click Login to display the WebSphere Administration Console Welcome page.
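The values that the profile creation notes say you need later (port numbers, the secure console URL, and the default truststore and keystore paths) can be collected from AboutThisProfile.txt with a short script. This is an added example, not part of the IBM guide; the sample file contents are constructed, and the `<node>Cell` cell name is an assumption taken from the default path shown in step 3.

```shell
#!/usr/bin/env bash
# Added example (not from the IBM guide): collect the values that the
# Tivoli Security Policy Manager installation asks for from a WebSphere profile.

# Write a constructed AboutThisProfile.txt for demonstration purposes.
write_sample_profile() {      # usage: write_sample_profile FILE
  cat > "$1" <<'EOF'
Application server environment to create: Application server
Location: /opt/IBM/WebSphere/AppServer/profiles/AppSrv01
Profile name: AppSrv01
Node name: mySystemNode01
Host name: mySystem.example.com
Enable administrative security (recommended): True
Administrative console port: 9060
Administrative console secure port: 9043
HTTP transport port: 9080
HTTPS transport port: 9443
Bootstrap port: 2809
SOAP connector port: 8880
EOF
}

# Print the value of one "Label: value" line; fail if the label is absent.
profile_value() {             # usage: profile_value FILE "Label"
  awk -v label="$2" '
    index($0, label ": ") == 1 {
      v = substr($0, length(label) + 3)
      sub(/\r$/, "", v)       # tolerate files written on Windows
      print v; found = 1; exit
    }
    END { exit !found }' "$1"
}

# Succeed only if administrative security was enabled at profile creation,
# which the installation notes in step 2 require.
admin_security_enabled() {    # usage: admin_security_enabled FILE
  [ "$(profile_value "$1" 'Enable administrative security (recommended)')" = "True" ]
}

# Build the administration console URL from the secure port, as in step 6.
console_url() {               # usage: console_url FILE
  local host port
  host=$(profile_value "$1" 'Host name') || return 1
  port=$(profile_value "$1" 'Administrative console secure port') || return 1
  printf 'https://%s:%s/ibm/console/logon.jsp\n' "$host" "$port"
}

# Default truststore or keystore path.
# Assumption: the cell is named <node>Cell, as in the guide's example path.
default_store() {             # usage: default_store FILE trust|key
  local loc node
  loc=$(profile_value "$1" 'Location') || return 1
  node=$(profile_value "$1" 'Node name') || return 1
  printf '%s/config/cells/%sCell/nodes/%s/%s.p12\n' "$loc" "$node" "$node" "$2"
}

# Print everything the later installation panels ask for.
preinstall_summary() {        # usage: preinstall_summary FILE
  if admin_security_enabled "$1"; then
    echo "Administrative security: enabled"
  else
    echo "Administrative security: NOT enabled (required by step 2)"
  fi
  echo "Console URL:    $(console_url "$1")"
  echo "SOAP port:      $(profile_value "$1" 'SOAP connector port')"
  echo "Bootstrap port: $(profile_value "$1" 'Bootstrap port')"
  echo "Truststore:     $(default_store "$1" trust)"
  echo "Keystore:       $(default_store "$1" key)"
}
```

Run `preinstall_summary` against the real AboutThisProfile.txt of the profile and confirm that the printed store paths exist before you start the policy manager installation.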

Installing the WebSphere Application Server version 7.0 Fix Pack

You must install the required fix pack for WebSphere Application Server so that Tivoli Security Policy Manager can operate properly.

Before you begin

Determine which fix pack to apply to WebSphere Application Server version 7.0. The required fix pack is listed in the Software requirements section of the Product overview in the Tivoli Security Policy Manager information center.

http://www14.software.ibm.com/webapp/wsbroker/redirect?version=compass&product=was-nd-dist

You can find detailed information on installing fix packs at:

http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=/com.ibm.websphere.installation.base.doc/info/aes/ae/tins_ptfLevels.html

About this task

This task lists the steps for installing the required fix pack to run Tivoli Security Policy Manager components in WebSphere Application Server version 7.0. Install the required fix pack on each system where you are installing Tivoli Security Policy Manager components.

Procedure

1. Access the WebSphere Application Server support site:
   http://www.ibm.com/software/webservers/appserv/was/support/
2. Click Downloads > Fixes by version > 7.0 to display a list of fix packs.
3. Select the required fix pack.
4. Select Download Fix Pack nn to display the fix pack information panel, where nn is the required fix pack number.
5. Select the operating system tab for your WebSphere Application Server instance.
6. Read the Prerequisites for downloading the fix pack and perform any necessary tasks.
   For example, you might need to install the latest version of the Update Installer. The Update Installer installs fix packs and feature packs on WebSphere Application Server. Follow the directions on the Web site to download and install the Update Installer.
7. Scroll to the Download package table.
8. Locate the AppServer package for your operating system and select the download method.
9. Start the download.
10. Record the name of the directory containing the downloaded file. The Update Installer requires the name of this directory.
11. If you are using Download Director and you see a security warning, click Yes to accept the security certificate from IBM.
12. Start Update Installer.
13. Click Next in the welcome panel.
14. In the product selection panel, specify the type of deployment environment to which you want to apply the fix pack.
15. Specify the installation directory for your WebSphere deployment and click Next.
    The default installation directory is /opt/IBM/WebSphere/AppServer.
16. Select Install maintenance package and click Next.
17. Select Browse and navigate to the directory where you downloaded the fix pack file.
18. Click Open > Next.
19. Ensure that the available maintenance package that you selected is correct and click Next.
20. Review the information in the summary panel and click Next.
21. Click Finish after you have applied the fix packs to all applicable applications.

What to do next

Go to “Configuring security settings and the federated repository” on page 18.

Using WebSphere Application Server version 6.1

You can use an existing deployment of WebSphere Application Server version 6.1 for Tivoli Security Policy Manager. This task includes installing the appropriate feature and fix packs for Web Services.

Ensure that you install the feature pack and fix packs in the following order on each WebSphere version 6.1 system where you are installing Tivoli Security Policy Manager components:
1. Fix Pack 27 (6.1.0.27)
2. WebSphere Application Server Feature Pack for Web Services
3. Feature pack for Web Services specific enablement pack (PK53084)
4. Web Services Fix Pack for Application Server (WebServices FP for AppServer)

These topics describe how to install the feature pack and fix packs:
- “Installing the WebSphere Application Server Feature Pack for Web Services”
- “Installing WebSphere Application Server version 6.1 Fix Packs”

Installing the WebSphere Application Server Feature Pack for Web Services

Install the Feature Pack for Web Services as a software prerequisite for running Tivoli Security Policy Manager in WebSphere Application Server Version 6.1.

Before you begin

Complete the following tasks:
- Install a suitable user registry. See Chapter 3, “Installing a user registry,” on page 9.
- Install Fix Pack 27 (6.1.0.27). See “Installing WebSphere Application Server version 6.1 Fix Packs.”

About this task

The Feature Pack for Web Services is required to enable Tivoli Security Policy Manager to run in WebSphere Application Server Version 6.1. Install the Feature Pack for Web Services on each system where you are installing Tivoli Security Policy Manager components.

Procedure

1. Access the WebSphere Application Server support site:
   http://www.ibm.com/software/webservers/appserv/was/support/
2. Select Downloads > Feature Packs by version.
3. Locate Feature Packs for WebSphere Application Server V6.1.
4. Follow the instructions for downloading the feature pack.
5. Install the Web services feature pack after the download completes.

   Note: Do not create a profile. If the profile management startup panel displays, click Cancel.

   For more information on installing feature packs, see:
   http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp

What to do next

Install the feature enabling fix pack. See “Installing WebSphere Application Server version 6.1 Fix Packs.”

Installing WebSphere Application Server version 6.1 Fix Packs

You must install the required fix packs for WebSphere Application Server so that Tivoli Security Policy Manager can operate properly.


Before you begin

Determine which fix packs to apply to WebSphere Application Server version 6.1. The required fix packs are listed in order in the Software requirements section of the Product overview in the Tivoli Security Policy Manager information center.

http://www14.software.ibm.com/webapp/wsbroker/redirect?version=pix&product=was-nd-dist

You can find detailed information on installing fix packs at:

http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=/com.ibm.websphere.installation.base.doc/info/aes/ae/tins_ptfLevels.html

About this task

This task lists the general steps for installing the required fix packs to run Tivoli Security Policy Manager components in WebSphere Application Server version 6.1. Install the required fix packs on each system where you are installing Tivoli Security Policy Manager components.

Procedure

1. Access the WebSphere Application Server support site:
   http://www.ibm.com/software/webservers/appserv/was/support/
2. Click Downloads > Fixes by version > 6.1.
   A list of fix packs is displayed.
3. Select the required fix pack.
4. Select Download Fix Pack nn to display the fix pack information panel, where nn is the required fix pack number.
5. Select the operating system tab for your WebSphere Application Server instance.
6. Read the Prerequisites for downloading the fix pack and perform any necessary tasks.
   For example, you might need to install the latest version of the Update Installer. The Update Installer installs fix packs and feature packs on WebSphere Application Server. Follow the directions on the Web site to download and install the Update Installer.
7. Scroll to the Download package table.
8. Locate the AppServer package for your operating system and select the download method.
9. Start the download.
10. Record the name of the directory containing the downloaded file. The Update Installer requires the name of this directory.
11. If you are using Download Director and you see a security warning, click Yes to accept the security certificate from IBM.
12. Start the Update Installer.
13. Click Next in the welcome panel.
14. In the product selection panel, specify the type of deployment environment to which you are applying the fix pack.
15. Specify the installation directory for your WebSphere deployment and click Next.
    The default installation directory is /opt/IBM/WebSphere/AppServer.
16. Select Install maintenance package and click Next.
17. Select Browse and navigate to the directory where you downloaded the fix pack file.
18. Click Open > Next.
19. Ensure that the available maintenance package that you selected is correct and click Next.
20. Review the information in the summary panel, then click Next.
21. Click Finish after you have applied the fix packs to all applicable applications.

What to do next

After you install all applicable fix packs and the feature pack, go to “Configuring security settings and the federated repository.”

Configuring security settings and the federated repository

You must configure the user registry that is used by the policy server to store administrator credentials.

Before you begin

Complete the following tasks:
- Install the administrator user registry. See Chapter 3, “Installing a user registry,” on page 9.
- Ensure that you have a user, such as wasadmin, in the user registry that you are configuring in this task. If you need assistance creating a user, see the documentation for the user registry you are using.
- Collect the values needed to complete this task:
  - Identifier (alias) of the user registry
  - Type of user registry
  - Hostname where the user registry is located
  - Port number used by the user registry
  - Distinguished name (DN) for binding to the user repository
  - Bind DN password
  - Login properties, such as uid, cn
  - DN of a base entry in the repository, for example, c=US
  - Administrator user ID and password

About this task

This task performs the following configuration between WebSphere Application Server and the user registry:
- Configures SSL between WebSphere Application Server and the user registry.
- Adds a federated repository and configures the user registry into that repository.


Procedure

1. Open a browser window.
2. Log in to the WebSphere administration console.
3. Configure SSL between the policy server and the user registry.
   a. Select the truststore that contains the signer certificate. Click Security > SSL certificate and key management > Key stores and certificates > NodeDefaultTrustStore > Signer certificates > Retrieve from port.
   b. Specify the properties of the user registry.
      - Host (name)
      - Port
      - Alias
   c. Click Retrieve signer information.
   d. Ensure that the signer information is correct.
   e. Click OK and click Save.
4. Configure a federated repository and add the user registry to that repository.
   a. In the navigation on the left, click:
      - WebSphere Application Server version 7.0: Security > Global Security
      - WebSphere Application Server version 6.1: Security > Secure administration, applications, and infrastructure
   b. Ensure that both the Enable administrative security and the Enable application security check boxes are selected.
   c. In the User account repository section of the panel, verify that the Available realm definitions is set to Federated repositories.
   d. Click Configure.
   e. In the Related items section of the panel, click Manage repositories.
   f. Click Add.
   g. Complete the following fields:

      Repository identifier
          Specify the identifier of the user registry.

      LDAP server: Directory Type
          Select the type of user registry you are using.

      LDAP server: Primary host name
          Specify the host name of the user registry.

      Port
          Specify the port number of the user registry.

      Bind distinguished name
          Specify the distinguished name (DN) for the application server to use when binding to the LDAP repository. If no name is specified, the application server binds anonymously. In most cases, bind DN and bind password are needed. However, when anonymous bind can satisfy the required functions, the bind DN and bind password are not needed.

      Bind password
          Specify the password for the application server to use when binding the user registry.

      Security: Login properties
          Specify the property names to use to log in to the application server. This field takes multiple login properties, delimited by a semicolon (;). For example, uid; cn.

      Security: Certificate mapping
          Select CERTIFICATE_FILTER.

      Security: Certificate filter
          Specify the filter certificate mapping property for the LDAP filter. The filter maps attributes in the client certificate to entries in the LDAP repository. For example: CN=${SubjectCN}.

      Require SSL communications
          Select this check box to indicate that you have enabled SSL communications to the LDAP server. Select Use specific SSL alias and select the alias for the user registry.

   h. Click OK and click Save.
5. Configure the entity properties for the user registry.
   a. Click Federated repositories at the top of the page.
   b. In the Additional properties section, click Supported entity types.
   c. Supply values for the following properties:
      - Group
      - OrgContainer
      - PersonAccount
   d. Review the messages related to synchronization and click OK.
   e. Specify the distinguished name of a base entry in the repository. This entry determines the default location in the repository where entities of this type are placed on write operations by user and group management.
   f. Click OK. Then click Save.
   g. Review the messages related to synchronization and click OK.
6. Complete the configuration of the federated repository.
   a. Click Federated repositories at the top of the page.
   b. Click Add Base Entry to Realm.
   c. Select the repository from the list in Repository.
   d. Specify the distinguished name of the base entry. For example: c=us.
   e. Click OK. Then click Save.
   f. Review any synchronization messages and click OK.
7. Remove the file-based repository.
   a. In the list of Repositories in the realm, select the file-based repository and click Remove.
   b. Click Save.
8. Create a user ID and password for the administrator user in the user registry.
   a. In the Server user identity field, click Server identity that is stored in the repository.
   b. In the Server User ID field, type your administrator user name.
   c. In the Password field, type the password for your administrator user name.
   d. Click OK and click Save.
   e. Review any synchronization messages and click OK.
9. Stop and restart WebSphere Application Server.
   See the starting and stopping topics:
   - WebSphere Application Server version 7.0:
     http://www14.software.ibm.com/webapp/wsbroker/redirect?version=compass&product=was-nd-dist
   - WebSphere Application Server version 6.1:
     http://www14.software.ibm.com/webapp/wsbroker/redirect?version=pix&product=was-nd-dist
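Step 3d asks you to ensure that the retrieved signer information is correct. One way to do that is to compare the fingerprint shown in the console with one computed independently from the certificate chain that the user registry presents. The script below is an added example, not part of the IBM guide; it assumes OpenSSL is installed, and the host name, port 636 and expected fingerprint in the usage comments are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the IBM guide): verify a signer certificate
# fingerprint before trusting what "Retrieve from port" returns.

# Save the certificate chain that an SSL-enabled user registry presents.
fetch_chain() {               # usage: fetch_chain HOST PORT OUTFILE
  openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null > "$3"
}

# Normalise a fingerprint: drop colons and spaces, upper-case the hex digits.
normalise_fp() {              # usage: normalise_fp "AA:bb:cc..."
  printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F'
}

# Print one "FINGERPRINT subject" line for each certificate in a PEM file.
# Text between the certificates (as written by s_client) is ignored.
chain_fingerprints() {        # usage: chain_fingerprints PEMFILE [sha1|sha256]
  local pem=$1 alg=${2:-sha256} dir cert fp subj
  dir=$(mktemp -d) || return 1
  awk -v dir="$dir" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem"; on = 1 }
    on                            { print > out }
    /-----END CERTIFICATE-----/   { on = 0; close(out) }' "$pem"
  for cert in "$dir"/cert*.pem; do
    [ -f "$cert" ] || continue
    fp=$(openssl x509 -in "$cert" -noout -fingerprint "-$alg" | cut -d= -f2)
    subj=$(openssl x509 -in "$cert" -noout -subject)
    printf '%s %s\n' "$(normalise_fp "$fp")" "$subj"
  done
  rm -rf "$dir"
}

# Succeed only if some certificate in PEMFILE has the expected fingerprint.
# EXPECTED must come from a source other than the network connection itself,
# for example from the administrator of the user registry.
signer_matches() {            # usage: signer_matches PEMFILE EXPECTED [sha1|sha256]
  local want
  want=$(normalise_fp "$2")
  [ -n "$want" ] || return 1
  chain_fingerprints "$1" "${3:-sha256}" |
    awk -v want="$want" '$1 == want { ok = 1 } END { exit !ok }'
}

# Typical use (placeholder host, port and fingerprint):
#   fetch_chain ldap.example.com 636 /tmp/registry-chain.pem
#   chain_fingerprints /tmp/registry-chain.pem sha256
#   signer_matches /tmp/registry-chain.pem "<fingerprint from the registry administrator>" sha256
```

Pass the digest algorithm that matches the fingerprint the console displays, and stop at step 3d if `signer_matches` fails.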

What to do next

Continue with “Configuring the Java heap size.”

Configuring the Java heap size

The Java heap size setting in WebSphere Application Server must be large enough to process requests from Tivoli Security Policy Manager.

Before you begin

Before modifying the heap size, ensure that the system has enough physical memory to support a Java Virtual Machine (JVM) of 2.0 GB without swapping. If you are installing the Tivoli Security Policy Manager console on the same system as the policy manager component, the system requires a minimum of 3.0 GB of physical memory.

About this task

Adjust this setting before installing the policy manager component.

Procedure

1. Log in to the administration console of the WebSphere Application Server where you are installing the policy manager component.
2. Navigate to the Java virtual machine settings.
   - WebSphere Application Server version 7.0: Click Servers > Server Types > WebSphere application servers > server_name > Java and Process Management > Process definition > Java Virtual Machine.
   - WebSphere Application Server version 6.1: Click Servers > Application servers > server_name > Java and Process Management > Process definition > Java Virtual Machine.

   The server_name is typically server1.
3. Specify 1024 for the following two settings.
   - Initial Heap Size
   - Maximum Heap Size
4. Click OK. Click Save.

What to do next

Continue with “Configuring transaction timeout properties.”

Configuring transaction timeout propertiesYou set the transaction timeout setting in WebSphere Application Server to supportrequests from Tivoli Security Policy Manager.

Chapter 4. Installing and configuring WebSphere Application Server 21

Page 38: Security Policy Manager Version 7 - IBM€¦ · v IBM Redbook for Tivoli Security Policy Manager For more information about this Redbook, access the Tivoli Security Policy ... WebSphere

Procedure

1. Log in to the administrative console.
2. Navigate to the Transaction service panel.
   • WebSphere Application Server 7.0: Click Servers > Server Types > WebSphere application servers > server_name > Container Services > Transaction Service.
   • WebSphere Application Server 6.1: Click Servers > Application servers > server_name > Container Services > Transaction Service.
3. Increase the Total transaction lifetime timeout to 600. The default value is 120.
4. Increase the Maximum transaction timeout to 600 seconds. The default value is 300.
5. Stop and restart WebSphere Application Server.
   • WebSphere Application Server version 7.0:
     http://www14.software.ibm.com/webapp/wsbroker/redirect?version=compass&product=was-nd-dist
   • WebSphere Application Server version 6.1:
     http://www14.software.ibm.com/webapp/wsbroker/redirect?version=pix&product=was-nd-dist

What to do next

Install the policy database. See Chapter 5, “Installing the policy database,” on page 23.


Chapter 5. Installing the policy database

You must install the policy database before you run the configuration tool to configure the policy administration components. This database stores the policies and application roles for Tivoli Security Policy Manager.

In production environments, use IBM DB2 Workgroup Server Edition as the policy database. Tivoli Security Policy Manager provides this software.

Test and nonproduction environments require no additional software. In these environments, you can use the Derby JDBC database that is provided with WebSphere Application Server.
• “Installing DB2”
• “Using Derby” on page 24

Installing DB2

Use IBM DB2 Workgroup Server Edition as your policy database in production environments. Tivoli Security Policy Manager provides DB2 Workgroup Server Edition version 9.7.

Before you begin

You must have either:
• The DB2 Workgroup Server Edition version 9.7 installation media provided with Tivoli Security Policy Manager. You can use the physical DVD or the extracted files from the archive file.
• A supported version of DB2 Workgroup Server Edition. For a list of supported versions, see the hardware and software requirements at:
  http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?toc=/com.ibm.tspm.doc_7.1/toc.xml

Procedure

1. Install DB2. You can use the default instance name, default UTF-8 encoding, and default values during the installation. No performance tuning is required. For additional installation information, see:
   http://publib.boulder.ibm.com/infocenter/db2luw/v9r5/index.jsp?topic=/com.ibm.db2.luw.doc/welcome.html
2. Create a database on your DB2 instance. Collect the following information when you create the database. You supply this information when you run the configuration tool to set up the database tables.
   • Database server address
   • Database port
   • Database name


What to do next

Install the policy administration components of Tivoli Security Policy Manager. See Chapter 6, “Tivoli Security Policy Manager Installation road map,” on page 25.

Using Derby

In test and nonproduction environments, you can use the Derby JDBC database. WebSphere Application Server installs Derby by default. Tivoli Security Policy Manager provides a default configuration of database schema and tables for Derby.


Chapter 6. Tivoli Security Policy Manager Installation road map

This road map provides an overview of the steps to install and begin using a new installation of Tivoli Security Policy Manager.
• “Required installation tasks”
• “Additional installation tasks”

Required installation tasks

To install Tivoli Security Policy Manager, complete the tasks listed in Table 4.

Table 4. Required installation tasks

| Task | For more information |
|---|---|
| Ensure that the required preinstallation tasks are completed. | “Required preinstallation tasks” on page 7 |
| Install Installation Manager. This task is repeated on each system where Tivoli Security Policy Manager packages are installed. | Chapter 7, “Installing Installation Manager,” on page 27 |
| Install policy administration components. | Chapter 8, “Installing policy administration components,” on page 33 |
| Migrate your data, if you are using a previous version of Tivoli Security Policy Manager. | Appendix A, “Migrating Tivoli Security Policy Manager data,” on page 59 |

Additional installation tasks

Depending on your environment, perform any additional installation tasks listed in Table 5.

Table 5. Additional installation tasks

| Task | For more information |
|---|---|
| Install a runtime security services server. | Chapter 9, “Installing the Tivoli runtime security services server,” on page 39 |
| Install a runtime security services client. | Chapter 10, “Installing the Tivoli runtime security services client,” on page 43 |
| Install the Tivoli Security Policy Manager software development kit. | Chapter 11, “Installing the Tivoli Security Policy Manager software development kit,” on page 47 |
| Install the runtime security services software development kit. | Chapter 12, “Installing the Runtime Security Services software development kit,” on page 51 |


Chapter 7. Installing Installation Manager

IBM Installation Manager installs Tivoli Security Policy Manager components. After you install Installation Manager, you run it to install the product components.

The first time you install Tivoli Security Policy Manager components on a system, the installation program (install) determines if Installation Manager is already installed and if it is the supported version. If not, the installation program installs Installation Manager. You then start Installation Manager using the IBMIM command and select the product components that you want on the system.

After you complete a product installation, use the IBMIM command to modify, reinstall, install in silent mode, or uninstall product components. The IBMIM command enables you to specify the full range of parameters that are supplied with Installation Manager.

Read the following topics to understand how to install and use Installation Manager.
• “Installing as an administrator or non-administrator”
• “IBMIM command” on page 32
• “Choosing an installation mode” on page 28
• “Installing the Installation Manager application” on page 28

Installing as an administrator or non-administrator

You can install Installation Manager as an administrator (root user) or as a non-administrator (non-root user).

Administrator installation

AIX, Linux, Linux on System z, or Solaris
   Use the install command to install Installation Manager.

Windows
   Use the install.exe command to install Installation Manager.

User (non-administrator) installation

AIX, Linux, Linux on System z, or Solaris
   Use the userinst command to install Installation Manager.

Windows
   Use the userinst.exe command to install Installation Manager.

If you install as an administrator, your administrative file permissions apply to the product components that you install. If you install as a non-administrator, your limited file permissions apply to the product components that you install.

If you are installing Installation Manager and the product components into a production environment, run the administrator installation command. For installations on a limited scope, you can use the non-administrator installation command.


Note: These installation instructions describe how to install as an administrator, not as a user.

Visit the Installation Manager information center for detailed information about using the install and userinst commands.

http://publib.boulder.ibm.com/infocenter/install/v1r2/index.jsp

Choosing an installation mode

You can install Tivoli Security Policy Manager components using interactive mode or silent (unattended) mode.

Tivoli Security Policy Manager supports an interactive installation mode and a noninteractive (silent) mode for installation. Before beginning the installation procedures, decide which one to use.

Interactive graphical mode

The interactive graphical mode displays a series of panels that prompt for the information to complete the installation. The installation instructions for the policy administration and policy decision components describe the interactive mode.

Silent mode

You do not interactively enter information using silent mode installation. Instead, Installation Manager reads the input values from a response file that contains the input values. This mode enables you to use a script to install the product features with a common set of options. To use silent mode, you must first create the response file.

See Chapter 13, “Installing packages in silent mode,” on page 53.

Installing the Installation Manager application

You install Installation Manager from the Tivoli Security Policy Manager product installation media. You then use Installation Manager to install the product components.

Before you begin

• Install and configure WebSphere Application Server. See Chapter 4, “Installing and configuring WebSphere Application Server,” on page 11.
• Determine if you are installing as an administrator or non-administrator. See “Installing as an administrator or non-administrator” on page 27.

About this task

This task establishes access to the product installation files, then runs the install program to install Installation Manager. You must install Installation Manager before you install the product components.

If you already have Installation Manager installed, the install program ensures that it is the supported version. If not, you are prompted to update the existing version.


Procedure

1. Make the files from the product installation media accessible.
   You can access the installation files through archive files that you download from Passport Advantage® or from physical DVDs.

   Archive files from Passport Advantage
      Tivoli Security Policy Manager is packaged as two archive files.
      Tivoli Runtime Security Services is packaged as a single archive file.
      a. Download the archive files from Passport Advantage.
      b. Extract the files and note the location of the files. The files are extracted into root directories:

         Tivoli Security Policy Manager
            The root directories are:
            • rsp
            • aix
            • disk1
            • disk2
            • linux
            • linux-ppc
            • linux-s390
            • solaris-sparc
            • win

         Tivoli Runtime Security Services
            The root directories are:
            • rsp
            • aix
            • disk1
            • linux
            • linux-ppc
            • linux-s390
            • solaris-sparc
            • win

         Note: If you are using AIX, Linux, or Solaris, change to the directory where the files were extracted and modify the permissions using chmod, for example, type:
         chmod -R 775 *

   Physical media (DVD)
      • Tivoli Security Policy Manager is packaged as two installation DVDs.

        DVD 1 of 2
           The root directories are:
           – rsp
           – aix
           – disk1
           – linux
           – linux-ppc
           – linux-s390
           – solaris-sparc
           – win

        DVD 2
           The single root directory is disk2.

      • Tivoli Runtime Security Services is packaged as a single installation DVD. The root directories are:
        – rsp
        – aix
        – disk1
        – linux
        – linux-ppc
        – linux-s390
        – solaris-sparc
        – win

2. Follow these steps to start the installation.
   • To start installation from extracted archive files:
     a. Open a command-line window.
     b. Navigate to the root directory that corresponds to your operating system:

        | Operating system | Installation root directory |
        |---|---|
        | AIX | aix |
        | Linux | linux |
        | Linux on IBM PowerPC® | linux-ppc |
        | Linux on System z | linux-s390 |
        | Solaris | solaris-sparc |
        | Windows | win |

   • To start installation from DVD:

     AIX, Linux, Linux on System z, or Solaris
        a. Insert the DVD in the DVD drive.
           – Tivoli Security Policy Manager: Insert DVD 1 of 2.
           – Tivoli Runtime Security Services: Insert the DVD.
        b. Open a command-line window and mount the DVD.
           – Tivoli Security Policy Manager: Mount DVD 1 of 2.
           – Tivoli Runtime Security Services: Mount the DVD.
        c. Navigate to the root directory that corresponds to your operating system:

           | Operating system | Installation root directory |
           |---|---|
           | AIX | aix |
           | Linux | linux |
           | Linux on IBM PowerPC | linux-ppc |
           | Linux on System z | linux-s390 |
           | Solaris | solaris-sparc |

     Windows
        a. Insert DVD 1 of 2 in the DVD drive.
        b. Open a command-line window and navigate to the win root directory.
3. Follow these steps to install Installation Manager.

   a. Run the installation command.

      AIX, Linux, Linux on System z, or Solaris
         install

      Windows
         install.exe

   b. Do one of the following:
      • If Installation Manager is not installed, the Install Packages panel is displayed. Go to step 4.
      • If the correct version of Installation Manager is already installed, the startup panel of Installation Manager is displayed. Follow these steps:
        1) Exit Installation Manager. Click File > Exit.
        2) Go to the installation topic for the product components you want to install. The installation topics are listed at the end of this task.
4. Select IBM Installation Manager Version 1.3.3 and click Next.
5. After reading the license agreement:
   • To continue the installation, select I accept the terms in the license agreement and click Next.
   • To cancel the installation, select I do not accept the terms in the license agreement and click Cancel.
6. Choose the directory where you want Installation Manager installed or accept the default location. Click Next.
   The default installation directory is:

   AIX, Linux, Linux on System z, or Solaris
      /opt/IBM/InstallationManager/eclipse

   Windows
      C:\Program Files\IBM\Installation Manager\eclipse

   Note: The location of the installation directory is needed when installing Tivoli Security Policy Manager components.
7. Confirm that the installation information is correct and click Install.
   The Installation Manager files are retrieved and installed. If a problem is encountered, click View Log File to diagnose it.
8. Do one of the following to exit Installation Manager:
   • Select Restart Installation Manager > File > Exit.
   • Click the icon in the upper left corner of the panel, then click Close > Yes.
   For each set of product components that you install initially, you exit the install program, then start Installation Manager using the IBMIM command.

Results

You are now ready to install Tivoli Security Policy Manager components.


What to do next

Install the desired Tivoli Security Policy Manager components on the system.
• Policy administration components
  Chapter 8, “Installing policy administration components,” on page 33
• Runtime security services server
  Chapter 9, “Installing the Tivoli runtime security services server,” on page 39
• Runtime security services client
  Chapter 10, “Installing the Tivoli runtime security services client,” on page 43
• Tivoli Security Policy Manager SDK
  Chapter 11, “Installing the Tivoli Security Policy Manager software development kit,” on page 47
• Runtime Security Services SDK
  Chapter 12, “Installing the Runtime Security Services software development kit,” on page 51

IBMIM command

After installing Installation Manager, use the IBMIM command and parameters to run Installation Manager.

Purpose

The IBMIM command is installed when you install Installation Manager. It enables you to run Installation Manager in either interactive or silent (unattended) mode. Use the IBMIM command to install, modify, reinstall, and uninstall product components.

The default installation directory from which you run IBMIM is:

AIX, Linux, Linux on System z, or Solaris
   /opt/IBM/InstallationManager/eclipse/IBMIM [options]

Windows
   c:\Program Files\IBM\InstallationManager\eclipse\IBMIM.exe [options]

where options is one or more parameters that specify actions. For example, the -record parameter specifies to create a response file from the user input.

See the Installation Manager information center for descriptions of all the parameters:

http://publib.boulder.ibm.com/infocenter/install/v1r2/index.jsp

On Windows systems, you can also use the graphical user interface to start Installation Manager. Click Start > All Programs > IBM Installation Manager > IBM Installation Manager.


Chapter 8. Installing policy administration components

You can install the policy administration components using the installation media or files that are downloaded from the Passport Advantage Web site. The policy administration components include the policy manager server, configuration tool, and policy manager console. You can install the console locally to the server, on a separate system, or both.

Before you begin

• Install Installation Manager. See “Installing the Installation Manager application” on page 28.
• Access the root directories of the product installation files.

  Installing from expanded archive files
     Tivoli Security Policy Manager
        Start from the disk1 root directory. disk2 contains additional installation files.
     Tivoli Runtime Security Services
        The root directory is disk1.

  Installing from DVD
     DVD 1 of 2
        The root directory from which you start is disk1.
     DVD 2
        disk2 is a root directory containing additional installation files. You are prompted when you need to install DVD 2.
     Tivoli Runtime Security Services is packaged as a single installation DVD. The root directory is disk1.

• If you are installing the policy console, ensure that the WAS_HOME environment variable is not set. The console installation includes an embedded version of WebSphere Application Server and unexpected results occur if this variable is set.
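The prerequisites above can be checked from a shell on AIX, Linux, or Solaris before Installation Manager is started. The following script is an added example, not part of the IBM guide: the function names and messages are hypothetical, it assumes Tivoli Security Policy Manager media (extracted archives or DVD 1), and it relies only on names the guide gives (disk1/diskTag.inf, disk2, WAS_HOME, IBMIM, and the default Installation Manager directory).

```shell
#!/bin/sh
# Added example: preflight for the "Before you begin" items of this chapter.
# Function names and messages are hypothetical; only WAS_HOME, disk1, disk2,
# diskTag.inf, IBMIM and the default directory below come from the guide.

IM_DEFAULT_DIR=/opt/IBM/InstallationManager/eclipse

# Installation Manager must already be installed: look for the IBMIM launcher.
check_installation_manager() {
    im_dir=${1:-$IM_DEFAULT_DIR}
    if [ -x "$im_dir/IBMIM" ]; then
        echo "ok:   IBMIM found in $im_dir"
        return 0
    fi
    echo "FAIL: no executable IBMIM in $im_dir" >&2
    return 1
}

# The repository is added by pointing Installation Manager at disk1/diskTag.inf.
# mode=archive: extracted archive files, so disk2 must sit beside disk1.
# mode=dvd:     DVD 1 mount point; Installation Manager prompts for disk2 later.
check_repository() {
    root=$1
    mode=$2
    rc=0
    if [ -r "$root/disk1/diskTag.inf" ]; then
        echo "ok:   $root/disk1/diskTag.inf is readable"
    else
        echo "FAIL: $root/disk1/diskTag.inf missing or unreadable" >&2
        rc=1
    fi
    case $mode in
        archive)
            if [ -d "$root/disk2" ]; then
                echo "ok:   $root/disk2 present"
            else
                echo "FAIL: $root/disk2 missing (second archive not extracted?)" >&2
                rc=1
            fi ;;
        dvd) ;;
        *)  echo "FAIL: mode must be 'archive' or 'dvd', got '$mode'" >&2
            rc=1 ;;
    esac
    return $rc
}

# WAS_HOME must not be set when the policy console is being installed.
check_was_home() {
    install_console=$1
    if [ "$install_console" = yes ] && [ -n "${WAS_HOME:-}" ]; then
        echo "FAIL: WAS_HOME is set to '$WAS_HOME'; unset it before installing the console" >&2
        return 1
    fi
    echo "ok:   WAS_HOME check passed"
    return 0
}

# preflight ROOT MODE CONSOLE(yes|no) [IM_DIR]
# Runs every check so that all failures are reported in one pass.
preflight() {
    failures=0
    check_installation_manager "${4:-}" || failures=$((failures + 1))
    check_repository "$1" "$2"          || failures=$((failures + 1))
    check_was_home "$3"                 || failures=$((failures + 1))
    [ "$failures" -eq 0 ]
}

# Stand-alone use, for example: sh preflight.sh /path/to/extracted archive yes
if [ $# -ge 3 ]; then
    preflight "$@" || exit 1
fi
```

Run it in the same shell session that will start IBMIM, because WAS_HOME is checked in the environment of the calling process.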

Procedure

1. Start Installation Manager.

   AIX, Linux, Linux on System z, or Solaris
      a. Open a command-line window and navigate to the directory containing Installation Manager.
         The default installation directory is:
         /opt/IBM/InstallationManager/eclipse
      b. Start the program.
         IBMIM

   Windows
      Click Start > All Programs > IBM Installation Manager > IBM Installation Manager.

2. Click File > Preferences.


3. Configure a repository connection. This step specifies the location of the product installation files.
   a. Click Repositories.
   b. Click Add Repository.
   c. Browse to the directory containing the extracted files from the archive file, or to the physical DVD.
   d. Locate the setup information file in the disk1 directory:

      Extracted archive installation:
         disk1/diskTag.inf

      DVD installation:
         DVD1_mount_point/disk1/diskTag.inf

      where:
         DVD1_mount_point is the location where DVD 1 is mounted on the file system.

   e. Click OK to add the location as a repository.
   f. Click OK again.

   Note: Depending on your network configuration, you also might need to configure proxy settings or adjust your firewall settings.

4. Click Install.
5. Select Tivoli Security Policy Manager from the list of Installation Packages and click Next.

   Note: If you are installing from physical DVDs, Installation Manager warns you that the files on disk 2 are not found. Ignore the warning; when Installation Manager starts gathering the files, it prompts you for the location of the disk2 directory.

6. After reading the license agreement:
   • To continue the installation, select I accept the terms in the license agreement and click Next.
   • To cancel the installation, select I do not accept the terms in the license agreement and click Cancel.
7. If this is the first package that is installed by Installation Manager on the system, create a shared directory. If Installation Manager has installed another package, you must use the existing shared resources directory that is displayed. To create the shared directory:
   a. Specify the directory location in Shared Resources Directory or accept the default.
      The default location is:

      AIX, Linux, Linux on System z, or Solaris
         /opt/IBM/TSPMshared

      Windows
         C:\Program Files\IBM\TSPMShared

   b. Click Next.
8. Specify the location for the Installation Directory of the TSPM package group or accept the default and click Next.
   The default installation directory is:

   AIX, Linux, Linux on System z, or Solaris
      /opt/IBM/TSPM

   Windows
      C:\Program Files\IBM\TSPM

9. Select the components that you want to install, then click Next.

| Option | Description |
|---|---|
| To install the following component: | Select these features: |
| Policy manager server | Tivoli Policy Platform; Tivoli Security Policy Manager |
| Policy manager console | Tivoli Security Policy Manager Console; Tivoli Integrated Portal (TIP) |
| Configuration tool | Tivoli Security Policy Manager Configuration Tool |

10. Specify the following values in the Connection Details panel and click Next.

    SOAP port
       Specify the port value that is used by WebSphere Application Server for SOAP communications. The default port value is 8880 for a stand-alone server. Change this value only if an application other than Tivoli Security Policy Manager is using this port.

    Security enabled
       Specify whether communication with WebSphere Application Server occurs only over secure connections. This option is selected by default and ensures that communications between Tivoli Security Policy Manager and WebSphere Application Server are always encrypted.

       Note: Clear Security enabled only in test environments or if you are certain that your data is transmitted securely.

11. If you choose to install the policy manager server, specify the following values in the Security Details panel and click Next.

    Note: If you did not enable security, you cannot specify these values.

    Administrative user name
       Required. Specify the user name of the administrator that is managing the WebSphere Application Server instance. The default value is wasadmin.

    Administrative user password
       Required. Specify the password for the WebSphere Application Server administrator.

    Truststore location
       Required. Specify the fully qualified path and name of the truststore for WebSphere Application Server or accept the default value.

       Note: The value shown is not specific to your operating system or installation. It is an example location. Ensure that you have selected the actual truststore path and name.

    Truststore password
       Required. Specify the password for the truststore.

    Keystore location
       Optional. Specify the keystore location used by the WebSphere server to establish a secure connection with the installation program. If you are using the default keystore, you can leave the location blank.

    Keystore password
       Optional. Specify the password for the keystore if a location was specified.

12. In the Queried WebSphere Server Information panel, verify that the listed values are correct for the WebSphere Application Server instance and perform one of the following actions:
    • If the information is correct, click Next.
    • If this information is not correct, an error is displayed indicating that the data could not be confirmed with WebSphere Application Server:
      a. Exit and restart Installation Manager. Click Cancel > File > Exit.
         Note: Do not use Back to return to the data-entry panel.
      b. Reenter the configuration information.
13. In the Server Or Cluster To Deploy panel, select the WebSphere environment where you are installing the product components.
14. If you choose to install the policy manager console, specify the following values in the Tivoli Integrated Portal Install Details panel and click Next.

    User name
       Specify the name of the administrator for the console or accept the default.
       The default value is tipadmin.

    User password
       Specify a password for the administrator.

    Verify user password
       Specify the password again for verification.

    Console HTTP port
       Specify the port number to be used for connecting to the console using a Web browser or accept the default.
       The default port number is 16310.

    Location to install Tivoli Integrated Portal (TIP)
       Specify the fully qualified name of the directory where the Tivoli Integrated Portal is to be installed or accept the default.
       The default installation directory is:

       AIX, Linux, Linux on System z, or Solaris
          /opt/IBM/tivoli/tip

       Windows
          C:\Program Files\tivoli\tip

15. Review the summary information and click Install.
    Installation Manager starts gathering the files.

16. If you are installing from the physical DVDs, you are prompted for the location of the disk2 directory. Change the DVD to DVD 2 and specify the disk2 directory:

    AIX, Linux, Linux on System z, or Solaris
       a. Open a command window and unmount DVD 1:
          umount DVD1_mount_point
       b. Replace DVD 1 with DVD 2 in the DVD drive.
       c. If your operating system does not automatically mount DVD 2, mount DVD 2:
          mount DVD2_mount_point
       d. In the Installation Manager window that is prompting for disk2, navigate to the disk2 root directory.
       e. Click OK.

    Windows
       a. Replace DVD 1 with DVD 2 in the DVD drive.
       b. In the Installation Manager window that is prompting for disk2, navigate to the disk2 root directory.
       c. Click OK.

17. Click Finish to complete the installation.
18. Exit Installation Manager.
    Click File > Exit.

What to do next

Complete the configuration tasks for policy administration components in the Tivoli Security Policy Manager Configuration Guide.

You can also install the following components:
• Runtime security services server. Use this option if you want your configuration to include the Tivoli runtime security services server and the Tivoli runtime security services client in remote mode.
  Chapter 9, “Installing the Tivoli runtime security services server,” on page 39
• Runtime security services client. Use this option if you want your configuration to include the Tivoli runtime security services client in local mode.
  Chapter 10, “Installing the Tivoli runtime security services client,” on page 43
• Tivoli Security Policy Manager SDK
  Chapter 11, “Installing the Tivoli Security Policy Manager software development kit,” on page 47


Chapter 9. Installing the Tivoli runtime security services server

The WebSphere administrator installs the Tivoli runtime security services server as a policy decision point. You can configure multiple remote clients to communicate with a single server.

Before you begin

• Install Installation Manager. See “Installing the Installation Manager application” on page 28.
• Access the root directory of the product installation files. The root directory is disk1, regardless of whether you install from expanded archive files or from DVD.

Procedure

1. Start Installation Manager.

   AIX, Linux, Linux on System z, or Solaris
      a. Open a command-line window and navigate to the directory containing Installation Manager.
         The default installation directory is:
         /opt/IBM/InstallationManager/eclipse
      b. Start the program.
         IBMIM

   Windows
      Click Start > All Programs > IBM Installation Manager > IBM Installation Manager.

2. Click File > Preferences.
3. Configure a repository connection. This step specifies the location of the product installation files.
   a. Click Repositories.
   b. Click Add Repository.
   c. Browse to the directory containing the extracted files from the archive file, or to the physical DVD.
   d. Locate the setup information file in the disk1 directory:

      Extracted archive installation:
         disk1/diskTag.inf

      DVD installation:
         DVD1_mount_point/disk1/diskTag.inf

      where:
         DVD1_mount_point is the location where DVD 1 is mounted on the file system.

   e. Click OK to add the location as a repository.
   f. Click OK again.


   Note: Depending on your network configuration, you also might need to configure proxy settings or adjust your firewall settings.

4. Click Install.
5. Select IBM Tivoli Runtime Security Services Server from the list of Installation Packages, then click Next.
6. After reading the license agreement:
   • To continue the installation, select I accept the terms in the license agreement and click Next.
   • To cancel the installation, select I do not accept the terms in the license agreement and click Cancel.
7. If this is the first package that is installed by Installation Manager on the system, create a shared directory. If Installation Manager has installed another package, you must use the existing shared resources directory that is displayed. To create the shared directory:
   a. Specify the directory location in Shared Resources Directory or accept the default.
      The default location is:

      AIX, Linux, Linux on System z, or Solaris
         /opt/IBM/TSPMshared

      Windows
         C:\Program Files\IBM\TSPMShared

   b. Click Next.
8. Specify the location for the Installation Directory of the RTSS package group or accept the default and click Next.
   The default installation directory is:

   AIX, Linux, Linux on System z, or Solaris
      /opt/IBM/RTSS

   Windows
      C:\Program Files\IBM\RTSS

9. Select the Authorization Service package and click Next.
10. Specify the following values in the Connection Details panel and click Next.

    SOAP port
       Specify the port value that is used by WebSphere Application Server for SOAP communications. The default port value is 8880 for a stand-alone server. Change this value only if an application other than Tivoli Security Policy Manager is using this port.

    Security enabled
       Specify whether communication with WebSphere Application Server occurs only over secure connections. This option is selected by default and ensures that communications between Tivoli Security Policy Manager and WebSphere Application Server are always encrypted.

       Note: Clear Security enabled only in test environments or if you are certain that your data is transmitted securely.

11. Specify the following values in the Security Details panel and click Next.

Note: If you did not enable security, you cannot specify these values.


    Administrative user name
       Required. Specify the user name of the administrator that is managing the WebSphere Application Server instance. The default value is wasadmin.

    Administrative user password
       Required. Specify the password for the WebSphere Application Server administrator.

    Truststore location
       Required. Specify the fully qualified path and name of the truststore for WebSphere Application Server or accept the default value.

       Note: The value shown is not specific to your operating system or installation. It is an example location. Ensure that you have selected the actual truststore path and name.

    Truststore password
       Required. Specify the password for the truststore.

    Keystore location
       Optional. Specify the keystore location so that WebSphere server can establish a secure connection with the installation program. If you use the default keystore, you can leave the location blank.

    Keystore password
       Optional. Specify the password for the keystore if a location was specified.

12. In the Queried WebSphere Server Information panel, verify that the listed values are correct for the WebSphere Application Server instance and perform one of the following actions:
    • If the information is correct, click Next.
    • If this information is not correct, an error is displayed indicating that the data could not be confirmed with WebSphere Application Server:
      a. Exit and restart Installation Manager. Click Cancel > File > Exit.
         Note: Do not use Back to return to the data-entry panel.
      b. Reenter the configuration information.
13. In the Server Or Cluster To Deploy panel, select the WebSphere environment where you are installing the product components.
14. Review the summary information and click Install to begin the installation.
15. Click Finish to complete the installation.
16. Exit Installation Manager.
    Click File > Exit.

What to do next

Install the runtime security services clients. See Chapter 10, “Installing the Tivoli runtime security services client,” on page 43.


Chapter 10. Installing the Tivoli runtime security services client

The WebSphere administrator installs the Tivoli runtime security services client as a policy enforcement point. You can also configure the client to operate as a policy decision point, depending on your security configuration requirements and the type of resources that you are protecting.

Before you begin

• Install Installation Manager. See “Installing the Installation Manager application” on page 28.
• Access the root directory of the product installation files. The root directory is disk1, regardless of whether you install from expanded archive files or from DVD.

Procedure

1. Start Installation Manager.

   AIX, Linux, Linux on System z, or Solaris
      a. Open a command-line window and navigate to the directory containing Installation Manager.
         The default installation directory is:
         /opt/IBM/InstallationManager/eclipse
      b. Start the program.
         IBMIM

   Windows
      Click Start > All Programs > IBM Installation Manager > IBM Installation Manager.

2. Click File > Preferences.
3. Configure a repository connection. This step specifies the location of the product installation files.
   a. Click Repositories.
   b. Click Add Repository.
   c. Browse to the directory containing the extracted files from the archive file, or to the physical DVD.
   d. Locate the setup information file in the disk1 directory:

      Extracted archive installation:
         disk1/diskTag.inf

      DVD installation:
         DVD1_mount_point/disk1/diskTag.inf

      where:
         DVD1_mount_point is the location where DVD 1 is mounted on the filesystem.

   e. Click OK to add the location as a repository.
   f. Click OK again.


   Note: Depending on your network configuration, you also might need to configure proxy settings or adjust your firewall settings.

4. Click Install.
5. Select IBM Tivoli Runtime Security Services Client from the list of Installation Packages and click Next.
6. After reading the license agreement:
   • To continue the installation, select I accept the terms in the license agreement and click Next.
   • To cancel the installation, select I do not accept the terms in the license agreement and click Cancel.
7. If this is the first package that is installed by Installation Manager on the system, create a shared directory. If Installation Manager has installed another package, you must use the existing shared resources directory that is displayed. To create the shared directory:
   a. Specify the directory location in Shared Resources Directory or accept the default.
      The default location is:

      AIX, Linux, Linux on System z, or Solaris
         /opt/IBM/TSPMshared

      Windows
         C:\Program Files\IBM\TSPMShared

   b. Click Next.
8. Specify the location for the Installation Directory of the RTSSClient package group or accept the default and click Next.
   The default installation directory is:

   AIX, Linux, Linux on System z, or Solaris
      /opt/IBM/RTSSClient

   Windows
      C:\Program Files\IBM\RTSSClient

9. Perform the following steps:
   a. Select the Authorization Service Runtime package.
   b. Select the Policy Management Administration Agent package.
   c. Optional: Select the Web Services Application Enforcement package. This package installs the JAX-RPC and JAX-WS policy enforcement point files that manage access to Web services applications.
   d. Click Next.
10. Specify the following values in the Connection Details panel and click Next.

    SOAP port
       Specify the port value that is used by WebSphere Application Server for SOAP communications. The default port value is 8880 for a stand-alone server. Change this value only if an application other than Tivoli Security Policy Manager is using this port.

    Security enabled
       Specify whether communication with WebSphere Application Server occurs only over secure connections. This option is selected by default and ensures that communications between Tivoli Security Policy Manager and WebSphere Application Server are always encrypted.


       Note: Clear Security enabled only in test environments or if you are certain that your data is transmitted securely.

11. Specify the following values in the Security Details panel and click Next.

    Note: If you did not enable security, you cannot specify these values.

    Administrative user name
       Required. Specify the user name of the administrator that is managing the WebSphere Application Server instance. The default value is wasadmin.

    Administrative user password
       Required. Specify the password for the WebSphere Application Server administrator.

    Truststore location
       Required. Specify the fully qualified path and name of the truststore for WebSphere Application Server or accept the default value.

       Note: The value shown is not specific to your operating system or installation. It is an example location. Ensure that you have selected the actual truststore path and name.

    Truststore password
       Required. Specify the password for the truststore.

    Keystore location
       Optional. Specify the keystore location so that WebSphere server can establish a secure connection with the installation program. If you use the default keystore, you can leave the location blank.

    Keystore password
       Optional. Specify the password for the keystore if a location was specified.

12. In the Queried WebSphere Server Information panel, verify that the listed values are correct for the WebSphere Application Server instance and perform one of the following actions:
    • If the information is correct, click Next.
    • If this information is not correct, an error is displayed indicating that the data could not be confirmed with WebSphere Application Server:
      a. Exit and restart Installation Manager. Click Cancel > File > Exit.
         Note: Do not use Back to return to the data-entry panel.
      b. Reenter the configuration information.
13. In the Server Or Cluster To Deploy panel, select the WebSphere environment where you are installing the product components.
14. Review the summary information and click Install to begin the installation.
15. Click Finish to complete the installation.
16. Exit Installation Manager.
    Click File > Exit.

What to do next

Configure the client. See the client configuration topics in the Tivoli Security Policy Manager Configuration Guide.


Chapter 11. Installing the Tivoli Security Policy Manager software development kit

Install the software development kit to integrate your applications into Tivoli Security Policy Manager. The software development kit can be installed using the installation media or files downloaded from the Passport Advantage Web site.

Before you begin

• Install Installation Manager. See “Installing the Installation Manager application” on page 28.
• Access the root directories of the product installation files.

  Installing from expanded archive files

     Tivoli Security Policy Manager
        Start from the disk1 root directory. disk2 contains additional installation files.

     Tivoli Runtime Security Services
        The root directory is disk1.

  Installing from DVD

     DVD 1 of 2
        The root directory from which you start is disk1.

     DVD 2
        disk2 is a root directory containing additional installation files. You are prompted when you need to install DVD 2.

     Tivoli Runtime Security Services is packaged as a single installation DVD. The root directory is disk1.

Procedure

1. Start Installation Manager.

   AIX, Linux, Linux on System z, or Solaris
      a. Open a command-line window and navigate to the directory containing Installation Manager.
         The default installation directory is:
         /opt/IBM/InstallationManager/eclipse
      b. Start the program.
         IBMIM

   Windows
      Click Start > All Programs > IBM Installation Manager > IBM Installation Manager.

2. Click File > Preferences.
3. Select the location of the installation files.
   If you have not already configured a repository connection to the Tivoli Security Policy Manager installation files, you must configure that connection now.
   a. Click Repositories.
   b. Click Add Repository.


   c. Browse to the directory containing the extracted files from the archive file, or to the physical DVD.
   d. Locate the setup information file in the disk1 directory:

      Extracted archive installation:
         disk1/diskTag.inf

      DVD installation:
         DVD1_mount_point/disk1/diskTag.inf

      where:
         DVD1_mount_point is the name of the device drive where you installed DVD 1.

   e. Click OK to add the location as a repository.
   f. Click OK again.

   Note: Depending on your network configuration, you also might need to configure proxy settings or adjust your firewall settings.

4. Click Install.
5. Select Tivoli Security Policy Manager Software Development Kit from the list of Installation Packages and click Next.

   Note: If you are installing from physical DVDs, Installation Manager warns you that the files on disk 2 are not found. Ignore the warning; when Installation Manager starts gathering the files, it prompts you for the location of the disk2 directory. When prompted, you insert the second DVD and specify the disk2 directory.

6. After reading the license agreement:
   • To continue the installation, select I accept the terms in the license agreement and click Next.
   • To cancel the installation, select I do not accept the terms in the license agreement and click Cancel.
7. Specify the location for the Installation Directory of the TSPM package group or accept the default and click Next.
   The default installation directory is:

   AIX, Linux, Linux on System z, or Solaris
      /opt/IBM/TSPM

   Windows
      C:\Program Files\IBM\TSPM

8. Select the Software Development Kit package and click Next.
9. Review the summary information and click Install.
   Installation Manager starts gathering the files.
10. If you are installing from the physical DVDs, you are prompted for the location of the disk2 directory. Change the DVD to DVD 2 and specify the disk2 directory:

    AIX, Linux, Linux on System z, or Solaris
       a. Open a command window and unmount DVD 1:
          umount DVD1_mount_point
       b. Replace DVD 1 with DVD 2 in the DVD drive.


       c. If your operating system does not automatically mount DVD 2, mount DVD 2:
          mount DVD2_mount_point
       d. In the Installation Manager window that is prompting for disk2, navigate to the disk2 root directory.
       e. Click OK.

    Windows
       a. Replace DVD 1 with DVD 2 in the DVD drive.
       b. In the Installation Manager window that is prompting for disk2, navigate to the disk2 root directory.
       c. Click OK.

11. Click Finish to complete the installation.
12. Exit Installation Manager.
    Click File > Exit.

What to do next

Install any other Tivoli Security Policy Manager components that you want on the system. See Chapter 8, “Installing policy administration components,” on page 33.


Chapter 12. Installing the Runtime Security Services software development kit

Install the software development kit to integrate your applications into the policy decision components of Tivoli Security Policy Manager.

Before you begin

• Install Installation Manager. See “Installing the Installation Manager application” on page 28.
• Access the root directory of the product installation files. The root directory is disk1, regardless of whether you install from expanded archive files or from DVD.

Procedure

1. Start Installation Manager.

   AIX, Linux, Linux on System z, or Solaris
      a. Open a command-line window and navigate to the directory containing Installation Manager.
         The default installation directory is:
         /opt/IBM/InstallationManager/eclipse
      b. Start the program.
         IBMIM

   Windows
      Click Start > All Programs > IBM Installation Manager > IBM Installation Manager.

2. Click File > Preferences.
3. Select the location of the installation files.
   If you have not already configured a repository connection to the Tivoli Runtime Security Services installation files, you must configure that connection now.
   a. Click Repositories.
   b. Click Add Repository.
   c. Browse to the directory containing the extracted files from the archive file, or to the physical DVD.
   d. Locate the setup information file in the disk1 directory:

      Extracted archive installation:
         disk1/diskTag.inf

      DVD installation:
         DVD1_mount_point/disk1/diskTag.inf

      where:
         DVD1_mount_point is the name of the device drive where you installed DVD 1.

   e. Click OK to add the location as a repository.
   f. Click OK again.


   Note: Depending on your network configuration, you also might need to configure proxy settings or adjust your firewall settings.

4. Click Install.
5. Select IBM Tivoli Runtime Security Services Software Development Kit from the list of Installation Packages and click Next.
6. After reading the license agreement:
   • To continue the installation, select I accept the terms in the license agreement and click Next.
   • To cancel the installation, select I do not accept the terms in the license agreement and click Cancel.
7. Specify the location for the Installation Directory of the RTSSClient package group or accept the default and click Next.
   The default installation directory is:

   AIX, Linux, Linux on System z, or Solaris
      /opt/IBM/RTSSClient

   Windows
      C:\Program Files\IBM\RTSSClient

8. Perform the following steps:
   a. Select the Software Development Kit and Samples package. This package provides:
      • Primary JAR files that enable you to create plug-ins to the runtime security services server or client.
      • Primary JAR files that enable you to build custom applications for the runtime security services client.
      • Samples that include projects and applications that you can modify and use.
   b. Optional: Select the Portal Application Enforcement Software Development Kit package. This package provides the JSP tag library that enables customized access to portal application objects and actions. The JSP tag library invokes the runtime security services client at runtime to obtain authorization decisions and entitlements.
   c. Click Next.
9. Review the summary information and click Install to begin the installation.
10. Click Finish to complete the installation.
11. Exit Installation Manager.
    Click File > Exit.

What to do next

Install any other Tivoli Security Policy Manager components you want on the system.
• Runtime security services server
  Chapter 9, “Installing the Tivoli runtime security services server,” on page 39
• Runtime security services client
  Chapter 10, “Installing the Tivoli runtime security services client,” on page 43


Chapter 13. Installing packages in silent mode

You can install Tivoli Security Policy Manager packages in silent or unattended mode. Silent installation enables you to perform the task on multiple systems using a script. You must first create a response file and then run Installation Manager using the response file.
• “Creating a response file”
• “Installation response file templates” on page 54
• “Installing with a response file” on page 55

Creating a response file

You can record your responses on the installation panels in a response file. You can later use that response file to install the packages on one or more systems in silent or unattended mode.

Before you begin

• Install Installation Manager. See “Installing the Installation Manager application” on page 28.
• Access the root directories of the product installation files.

  Installing from expanded archive files

     Tivoli Security Policy Manager
        Start from the disk1 root directory. disk2 contains additional installation files.

     Tivoli Runtime Security Services
        The root directory is disk1.

  Installing from DVD

     DVD 1 of 2
        The root directory from which you start is disk1.

     DVD 2
        disk2 is a root directory containing additional installation files. You are prompted when you need to install DVD 2.

     Tivoli Runtime Security Services is packaged as a single installation DVD. The root directory is disk1.

Procedure

1. Open a command-line window and navigate to the directory containing Installation Manager.
   The default installation directory is:

   AIX, Linux, Linux on System z, or Solaris
      /opt/IBM/InstallationManager/eclipse

   Windows
      C:\Program Files\IBM\Installation Manager\eclipse

2. Start Installation Manager in interactive mode with the -record option. Optionally, you can specify the -skipInstall option.
   IBMIM -record response_file_name [-skipInstall agentDataLocation]


   where:

   -record
      Saves your responses in response_file_name.

   response_file_name
      Specify a file path if needed. You must have write access to the location containing the response file.

   -skipInstall
      Optional. Specify this parameter if you do not want to install the product components in this installation session.

   agentDataLocation
      Specify a directory that does not exist. You can remove this directory after creating the response file.

3. Complete the installation panels. See the following sections for instructions.
   • Chapter 8, “Installing policy administration components,” on page 33
   • Chapter 9, “Installing the Tivoli runtime security services server,” on page 39
   • Chapter 10, “Installing the Tivoli runtime security services client,” on page 43
   • Chapter 11, “Installing the Tivoli Security Policy Manager software development kit,” on page 47
   • Chapter 12, “Installing the Runtime Security Services software development kit,” on page 51
4. Exit Installation Manager.
   Click File > Exit.

Note: The response file is not saved until you exit Installation Manager.

Results

Exiting Installation Manager writes your responses to the specified response file.

What to do next

You can use the response file to install the packages on one or more systems.

Installation response file templates

Installation response file templates are provided in the installation media root directories and in the installation directories. You can copy and change a file manually to create a response file that is specific to your environment.

Do not manually edit and use a response file unless you are knowledgeable in using these files. You can use the installation program to generate a response file that is specific to the product components you want to install. See “Creating a response file” on page 53. The response files provided on the installation media are listed below.

• AIX, Linux, Linux on System z, or Solaris

  Installation media
     DVD1_mount_point/rsp/tspm-install.xml
     DVD1_mount_point/rsp/rtss-install.xml

  Product installation default directory
     /opt/IBM/TSPM/rsp/tspm-install.xml
     /opt/IBM/RTSS/rsp/rtss-install.xml


• Windows

  Installation media
     DVD_drive\rsp\tspm-install.xml
     DVD_drive\rsp\rtss-install.xml

  Product installation default directory
     C:\Program Files\IBM\TSPM\rsp\tspm-install.xml
     C:\Program Files\IBM\RTSS\rsp\rtss-install.xml

Installing with a response file

You can install the packages on one or more systems in silent or unattended mode using a previously created response file.

Before you begin

• Install Installation Manager. See “Installing the Installation Manager application” on page 28.
• Access the root directories of the product installation files.

  Installing from expanded archive files

     Tivoli Security Policy Manager
        Start from the disk1 root directory. disk2 contains additional installation files.

     Tivoli Runtime Security Services
        The root directory is disk1.

  Installing from DVD

     DVD 1 of 2
        The root directory from which you start is disk1.

     DVD 2
        disk2 is a root directory containing additional installation files. You are prompted when you need to install DVD 2.

     Tivoli Runtime Security Services is packaged as a single installation DVD. The root directory is disk1.

• Create a response file and make it available on the system. You must have write access to the response file. See “Creating a response file” on page 53 for details.

Procedure

1. Open a command-line window and navigate to the directory containing Installation Manager.
   The default installation directory is:

   AIX, Linux, Linux on System z, or Solaris
      /opt/IBM/InstallationManager/eclipse

   Windows
      C:\Program Files\IBM\Installation Manager\eclipse

2. Optional: Edit the response file and make any necessary changes.
3. Start Installation Manager in silent mode and specify the previously recorded response file.

   AIX, Linux, Linux on System z, or Solaris
      IBMIM -silent -input response_file_name


   Windows
      IBMIMc -silent -input response_file_name

      Note: On Windows platforms, for silent installations only, do not use the IBMIM.exe command. Use the IBMIMc.exe command for silent installation.

   where response_file_name is the path and name of the file containing your previously saved responses.

Results

The packages are installed on the system.
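
The record and replay procedures in this chapter, wrapped for AIX, Linux, and Solaris shells with pre-flight checks on the response file. This is an added example, not IBM's code: the function names and exit codes are hypothetical. The owner-only permission check rests on the assumption that a recorded response file holds the credentials entered on the Security Details panel.

```shell
#!/bin/sh
# Added example (not shipped with the product): wrappers for the two IBMIM
# invocations in this chapter. Function names and exit codes are hypothetical.
# IM_DIR defaults to the Installation Manager directory given in the guide.
IM_DIR="${IM_DIR:-/opt/IBM/InstallationManager/eclipse}"

# Resolve a file path to an absolute one; its directory must already exist.
abs_path() {
    dir=$(cd "$(dirname "$1")" 2>/dev/null && pwd) || return 1
    printf '%s/%s\n' "$dir" "$(basename "$1")"
}

# Succeed only when group and other have no permission bits on the file.
# Parses the mode string from ls so it also works where stat(1) is missing.
is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Validate a response file before it is replayed.
# Returns 0 if usable, 2 if missing, 3 if not readable and writable,
# 4 if group or other can access it.
check_response_file() {
    [ -f "$1" ] || { echo "response file not found: $1" >&2; return 2; }
    # The guide requires write access to the response file.
    { [ -r "$1" ] && [ -w "$1" ]; } ||
        { echo "need read and write access: $1" >&2; return 3; }
    # Assumption: the recorded answers include the WebSphere administrator,
    # truststore and keystore passwords, so the file must be owner-only.
    is_private "$1" ||
        { echo "group/other can access $1; run: chmod 600 $1" >&2; return 4; }
}

# Record a response file without installing anything (-skipInstall).
record_response_file() {
    rsp=$(abs_path "$1") || { echo "no such directory for: $1" >&2; return 2; }
    [ -x "$IM_DIR/IBMIM" ] || { echo "IBMIM not found in $IM_DIR" >&2; return 5; }
    # -skipInstall needs a directory that does not exist yet. Create a private
    # parent atomically (mkdir fails if the name is taken) and point
    # Installation Manager at a child that has not been created.
    parent="${TMPDIR:-/tmp}/im-record.$$"
    ( umask 077; mkdir "$parent" ) || return 6
    rc=0
    # umask 077 makes Installation Manager create the response file owner-only.
    ( umask 077
      cd "$IM_DIR" && ./IBMIM -record "$rsp" -skipInstall "$parent/agentData"
    ) || rc=$?
    rm -rf "$parent"    # the guide allows removing this directory afterwards
    if [ -f "$rsp" ]; then chmod 600 "$rsp"; fi
    return "$rc"
}

# Replay a response file in silent mode after checking it.
silent_install() {
    rsp=$(abs_path "$1") || { echo "no such directory for: $1" >&2; return 2; }
    check_response_file "$rsp" || return $?
    [ -x "$IM_DIR/IBMIM" ] || { echo "IBMIM not found in $IM_DIR" >&2; return 5; }
    ( cd "$IM_DIR" && ./IBMIM -silent -input "$rsp" )
}

# Usage: <script> record FILE   or   <script> install FILE
case "${1:-}" in
    record)  record_response_file "$2" ;;
    install) silent_install "$2" ;;
esac
```

On Windows the silent replay uses IBMIMc.exe, as the note above states; this script does not cover that platform.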


Chapter 14. Installing additional applications

Tivoli Security Policy Manager includes applications and product plugins that extend the product functions. This section describes how to install the following components:

Tivoli Common Reporting
   Tivoli Security Policy Manager provides formatted event data. You use the Tivoli Common Reporting application to create and manage reports based on the data. See “Installing Tivoli Common Reporting.”

IBM Support Assistant product plugin
   Tivoli Security Policy Manager provides a plugin that collects problem determination information from Tivoli Security Policy Manager components. You can use IBM Support Assistant to analyze the data. See “Installing IBM Support Assistant.”

Installing Tivoli Common Reporting

Tivoli Security Policy Manager provides auditing capability for the policy manager and runtime security services components. If auditing is set on, the software generates audit events and stores them in log files.

Tivoli Security Policy Manager includes Tivoli Common Reporting. You can use this product to produce reports on the audit events.

For information on setting auditing and capturing audit events, see the auditing section in the Tivoli Security Policy Manager Administration Guide.

For information on using Tivoli Common Reporting to generate reports, see the reports section in the Tivoli Security Policy Manager Administration Guide.

Installation instructions for Tivoli Common Reporting are on the Tivoli Common Reporting Information Center:

http://publib.boulder.ibm.com/infocenter/tivihelp/v3r1/topic/com.ibm.tivoli.tcr.doc/tcr_welcome.html

Installing IBM Support Assistant

The WebSphere administrator installs IBM Support Assistant and the product plug-in to collect and analyze problem determination information.

About this task

The IBM Support Assistant provides quick access to support-related information and serviceability tools for problem determination.

To use the Tivoli Security Policy Manager Support Assistant plug-in, you must also install the WebSphere Application Server Support Assistant plug-in.

An online user guide for IBM Support Assistant is available to assist you in its setup and use. The following steps summarize the installation and setup:


Procedure

1. Download the IBM Support Assistant:
   a. Access http://www.ibm.com/software/support/isa/.
   b. Follow the site directions to the appropriate download location.
   c. Log in with your IBM Web identity, which is the same ID that you use for MySupport, developerWorks, and other IBM Web sites.
   d. If you do not have an IBM Web identity, complete the free registration process to obtain one.
2. Download the compressed archive file for the version of IBM Support Assistant for your operating system.
3. Uncompress the archive file in a temporary directory using a tool such as WinZip. The archive contains an installer program and an installation and troubleshooting guide.
4. Install the IBM Support Assistant using the directions in the IBM Support Assistant Installation and Troubleshooting Guide.
5. Start IBM Support Assistant.
6. Click Update > Find New ... > Product Add-Ons to display Product Add-Ons to Install.
7. Select Tivoli.
8. Scroll to the product name, Tivoli Security Policy Manager 7.1, and select it. This plug-in enables you to run the collector locally to gather problem determination information.
9. In the Product Add-Ons to Install panel, select WebSphere.
10. Scroll to the version that corresponds with the version you are using, then select it. This plug-in enables you to run the collector remotely to gather problem determination information. Install the WebSphere plug-in even if you do not intend to run a remote data collection.
11. Click Install.
12. Read and approve the license and description.
13. Restart IBM Support Assistant.
14. Use the plug-ins to collect problem determination data from the product and analyze the data using the Support Assistant analyzer. Click the User Guide tab for information about performing the available tasks.


Appendix A. Migrating Tivoli Security Policy Manager data

The WebSphere Application Server administrator can use the Tivoli Security Policy Manager configuration tool to migrate existing policy information to the new database. You must migrate any existing policy data in Tivoli Security Policy Manager Version 7.0 to use it in Tivoli Security Policy Manager Version 7.1.

Complete the following tasks to migrate an existing policy database.
1. Read the setup conditions and requirements for migrating the policy data. See “Preparing to migrate security policy data.”
2. Gather the information needed to start the migration task. See “Data migration worksheet” on page 61.
3. Follow the steps for running the configuration tool to migrate the data. See “Migrating security policy data using the configuration tool” on page 62.

Preparing to migrate security policy data

Before you run the configuration tool to migrate an existing Tivoli Security Policy Manager database, read the requirements, conditions, and limitations in this section.

The database schema that stores Tivoli Security Policy Manager data has changed from version 7.0. You must migrate version 7.0 data to use it with Tivoli Security Policy Manager version 7.1.

Note: You cannot migrate data in a Derby database.

DB2 and Derby database migration

Keep the following points in mind:
- You can use DB2 to manage policy data in a production environment.
- Use the Tivoli Security Policy Manager configuration tool to migrate DB2-based production data to product version 7.1.
- You can migrate DB2 data to either a DB2 or Derby database.
- The migration task migrates existing policy manager data from a DB2 database to the database that is configured for Tivoli Security Policy Manager version 7.1.
- By default, WebSphere Application Server uses Derby. If you configure the WebSphere server to use DB2 instead of Derby, the migration task migrates your existing policy manager data from a DB2 database to the new DB2 database.

How the data migration is performed

Tivoli Security Policy Manager version 7.1 provides a migration option in the configuration tool that initiates and manages the data migration.
- You supply the connection information to the configuration tool.
- The configuration tool calls the policy manager server to perform the task.
- The policy manager server:
  - Reads the data in your existing DB2 database.
  - Checks the validity of the data.
  - Converts the data so it can be used by Tivoli Security Policy Manager version 7.1.
  - Writes the data to the database that is configured for Tivoli Security Policy Manager version 7.1.

During and after the data conversion, the configuration tool displays related messages indicating the status. The existing data in the DB2 database is not altered in any way and remains in the original database after the migration is completed.

Conditions of data migration

You must meet all the conditions listed in this section before you use the configuration tool to migrate your existing policy data.
- Complete the installation and configuration of the following software:
  - The Tivoli Security Policy Manager server and console.
  - The user registry where you store Tivoli Security Policy Manager users and groups.
  - The target database where you store policy information. The target database can be either DB2 or Derby. The source (existing) database must be DB2.
  - The configuration tool. The configuration tool is available as a separately installable component in the installation program. You must install and run the configuration tool to configure security settings and the new (target) database before you select the data migration task.
- Do not perform the migration during normal operation. Perform the migration task during a maintenance window. Neither the existing policy manager database nor the new (target) database can be accessed during migration.
- You cannot migrate policy distribution targets that are registered with the policy manager server version 7.0. You can register your existing policy distribution targets with the policy manager server version 7.1 after you finish migrating the data.
- The target database that receives the migrated data must be the same database that the new policy manager server uses to store policy information. You can configure a new DB2 database for Tivoli Security Policy Manager version 7.1. For a list of supported versions, see the hardware and software requirements at:
  http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?toc=/com.ibm.tspm.doc_7.1/toc.xml
- The user name to invoke the configuration tool must be a WebSphere administrative user and a Tivoli Security Policy Manager super user. The user name that installs the policy manager server is suitable.
- You can run only one migration task at a time.
- You cannot customize the migration task or specify additional parameters other than the parameters for which the configuration tool prompts.
- The data migration task validates the existing data before attempting to migrate the data to the target database. Tivoli Security Policy Manager version 7.1 does not support duplicate object names. If the data validation step detects a duplicate name, a message indicates the duplicate names, and the migration task is stopped. Correct the names in the existing database and restart the migration task.

Gathering the required information

Before you run the configuration tool, gather the connection information in “Data migration worksheet.” The configuration tool requires this information to start a data migration task.

Data migration worksheet

When you run the configuration tool to migrate data, you are prompted to specify properties that allow access to the applicable files. Use this worksheet to review the properties, and to plan your migration.

After you collect the information, go to “Migrating security policy data using the configuration tool” on page 62.

Table 6. Worksheet of data migration properties

| Connection property | Description | Your value |
|---|---|---|
| WebSphere Application Server - Tivoli Security Policy Manager server | | |
| Host name | The host name of the computer where the Tivoli Security Policy Manager version 7.1 server is installed. | Default provided |
| SOAP port | The port number for WebSphere Application Server SOAP (secure) communication. | Default value for stand-alone servers: 8880 |
| Administrator ID | The WebSphere administrator ID. This name is specified during policy manager server installation. This value is required to use WebSphere administrative security. | |
| Administrator password | The password for the WebSphere administrator. | |
| Tivoli Integrated Portal - Tivoli Security Policy Manager console | | |
| Host name | The host name of the computer where the Tivoli Security Policy Manager version 7.1 console is installed. | |
| SOAP port | The port number for Tivoli Integrated Portal SOAP (secure) communication. | Default value for stand-alone servers: 16313 |
| Administrator ID | The Tivoli Integrated Portal administrator ID. This name is specified during console installation. This value is required to use WebSphere administrative security. | Default value: tipadmin |
| Administrator password | The password for the Tivoli Integrated Portal administrator. | |
| DB2 database containing the data to migrate | | |
| Database server address | The address of the existing database that contains the data you are migrating to a new database. Specify either IP address format or decimal format (for example, dbname.city.compay.com). | |
| Database port | The port for the database to service requests. | |
| Database name | Name of the remote database instance (database name) that stores your policy data. | |
| Database user name | User name for accessing the database. This user name must have read access to the database. | |
| User name password | Password for the database user name. | |

Migrating security policy data using the configuration tool

Use the configuration tool to migrate the Tivoli Security Policy Manager data from an existing DB2 database to the new database for Tivoli Security Policy Manager version 7.1.

Before you begin
- Read the requirements and conditions for performing a data migration in “Preparing to migrate security policy data” on page 59.
- Complete the configuration of Tivoli Security Policy Manager before you run the migration task. See the Tivoli Security Policy Manager Configuration Guide.
- Plan the data migration during maintenance hours to prevent all other users from performing any operations on both databases during data migration.
- Ensure that the existing (source) database, new (target) database, policy manager server, and console are running and available but are not in use.

About this task

You can start the configuration tool in graphical mode or command-line mode.

Note: The following procedure describes how to run the tool in interactive graphical mode. To use command-line mode, see the Tivoli Security Policy Manager Configuration Guide.

Procedure
1. Access the computer where you installed the tspmConfigTool configuration tool.
   After you complete the other configuration tasks, you can use the migration option to migrate your database.
2. Enter the following command at a command-line prompt:
      tspmConfigTool [-record response_file_name]
   where:
   -record
      Optional. Specifies to record the user input as options and option values in response_file_name.
   response_file_name
      Specifies the name of the file to record the user input.
3. Select Configuration.
4. Use the step-by-step wizard to configure your environment.
   a. Select Migration to start the database migration task.
   b. Select Guided Configuration and click Next.
   c. In WebSphere Application Server Configuration - Server, specify the server information from the “Data migration worksheet” on page 61 and click Next.
   d. In WebSphere Application Server Configuration - Console, specify the Tivoli Integrated Portal information from the “Data migration worksheet” on page 61 and click Next.
   e. In DB2 Database Connection Information, specify the DB2 information from the “Data migration worksheet” on page 61 and click Next.
   f. Review the values in the Migration Summary.
   g. Click Back to make corrections or Finish to start the data migration.

Results

A progress indicator indicates the processes that are running until the task completes.

If migration fails and a specific error message is not displayed in the configuration tool, check the following logs:
- Configuration tool logs (config_tool_install_dir/logs).
- WebSphere server logs where the policy manager server is installed.
- Tivoli Integrated Portal (WebSphere server) logs where the policy manager console is installed.

Note: After a successful data migration, the migration function is disabled. To run the migration task after completing a successful migration, complete these steps:
1. Open the configuration file using a text editor:
      WAS_HOME/profiles/profile_name/config/tspm/etc/com.ibm.tspm.conf.xmi
2. Locate the com.ibm.tspm.migration.enable parameter and set the value to true.
3. Save the changes.
4. Restart the Tivoli Security Policy Manager server.

What to do next
- When you finish the setup of the Tivoli Security Policy Manager console and server, you can view the database objects that you migrated using the Tivoli Security Policy Manager console.
- Policy distribution targets that are registered with the policy manager version 7.0 server are not migrated. You can now register your existing policy distribution targets with the policy manager version 7.1 server. See the configuration topics for policy decision components in the Tivoli Security Policy Configuration Guide.
- After you verify that all the data migrated successfully, you can remove the policy manager version 7.0 database tables.

Appendix B. Uninstalling Tivoli Security Policy Manager

You can uninstall Tivoli Security Policy Manager components using either interactive mode or silent mode. You can uninstall all product components or selected product components.

Use the following process to determine how you want to uninstall the product.
1. Decide whether to use interactive or silent uninstallation. See “Choosing an uninstallation mode.”
2. Determine which Tivoli Security Policy Manager components to remove.
3. Follow the instructions in the appropriate sections to uninstall the components.
   - “Uninstalling the policy manager components” on page 66
   - “Uninstalling the runtime security services server” on page 67
   - “Uninstalling the runtime security services client” on page 69
   - “Uninstalling the Tivoli Security Policy Manager software development kit” on page 71
   - “Uninstalling the Runtime Security Services software development kit” on page 72
   - “Uninstalling selected Tivoli Security Policy Manager features” on page 73
   - “Removing the runtime security services keystore” on page 74
   - “Uninstalling in silent mode” on page 75

Choosing an uninstallation mode

You can uninstall one or more Tivoli Security Policy Manager components using interactive mode or silent (unattended) mode.

Tivoli Security Policy Manager supports an interactive uninstallation mode and a noninteractive (silent) mode for uninstallation. Before beginning the uninstallation procedures, decide which one to use.

Interactive graphical mode

The interactive graphical mode displays a series of panels that prompt for the information to complete the uninstallation. The uninstallation instructions for the policy administration and policy decision components describe the interactive mode.

Use this mode to familiarize yourself with the options that are available during installation. Use the -skipInstall option to go through the steps without installing the product. Use the -record option to record your selections in a response file.

Silent mode

You do not interactively enter information using silent mode uninstallation. Instead, Installation Manager reads the input values from a response file that contains the input values. This mode enables you to use a script to uninstall the product features with a common set of options. To use silent mode, you must first create the response file. See “Creating a response file” on page 53.

Uninstalling the policy manager components

The WebSphere administrator uses this procedure to interactively uninstall the policy manager server, console, Tivoli Integrated Portal, and configuration tool.

Before you begin

Complete these tasks in the order listed before you uninstall the policy manager components:
1. Unregister runtime security services. See the unregistration topic for the runtime security services in the Tivoli Security Policy Manager Configuration Guide.
2. Unconfigure the policy manager server and its related components. See the policy manager server unconfiguration topic in the Tivoli Security Policy Manager Configuration Guide.
3. Ensure that WebSphere Application Server is running.

About this task

This task describes the procedures to interactively uninstall the IBM Tivoli Security Policy Manager package.

Procedure
1. Start Installation Manager.
   AIX, Linux, Linux on System z, or Solaris
      a. Open a command-line window and navigate to the directory containing Installation Manager. The default installation directory is:
            /opt/IBM/InstallationManager/eclipse
      b. Start the program.
            IBMIM
   Windows
      Click Start > All Programs > IBM Installation Manager > IBM Installation Manager.
2. Select Uninstall in the Installation Manager startup panel.
3. Select the IBM Tivoli Security Policy Manager package.
4. The features that are installed are displayed for removal. Click Next.
5. Specify the connection and security details that are required to access WebSphere resources, then click Next.
6. Verify that the correct package is selected, then click Uninstall.
7. When the uninstallation completes, a panel is displayed indicating success or failure. Click Finish to exit.
8. Restart WebSphere. This step is required to release the ports that the application was using.

Results

If an error occurs during uninstallation, click View Log File to read the details.

The default Installation Manager log files are located in these directories:
- AIX, Linux, Linux on System z, or Solaris
     /var/ibm/InstallationManager/logs
- Windows
     C:\Documents and Settings\All Users\Application Data\IBM\Installation Manager\logs

What to do next

Some files are locked during installation and cannot be removed until the uninstallation is finished. In addition, some files, such as log files, might need to be referenced after the uninstallation is finished. You can remove the files in the following locations after the uninstallation completes execution.

TSPM_INSTALL_DIR/logs
   These files are the product execution logs. You can remove them.

TSPM_INSTALL_DIR/repository
   If this directory is not removed, you can remove it.

WAS_HOME/plugins
   Remove only these files:
   - com.ibm.ws.repository_6.2.0.jar
   - com.ibm.tspm.repository.datasource_7.1.0.jar

The shared resources directory is removed if no other IBM Installation Manager-enabled products are registered to that location. The default shared resources directory is:
- AIX, Linux, Linux on System z, or Solaris
     opt/IBM/TSPMshared
- Windows
     C:\Program Files\IBM\TSPMshared

Uninstalling the runtime security services server

The WebSphere administrator uses the procedure in this topic to interactively uninstall the runtime security services server.

Before you begin
- Back up your new and edited registration property files before you uninstall the runtime security services server. Place the backup files in a directory that is completely outside of the runtime security services server installation directory.
- Ensure that the WebSphere Application Server where the runtime security services is deployed is running.
- Ensure that the policy manager server is running.

About this task

This task describes the procedures to interactively uninstall the IBM Tivoli Runtime Security Services Server package.

Procedure
1. Unregister the runtime security services server from the policy manager server. See the procedure for unregistering runtime security services in the Tivoli Security Policy Manager Configuration Guide.
2. Run the RTSSWSSecurity.py script to remove the WS-Security bindings. See the procedure for unregistering runtime security services in the Tivoli Security Policy Manager Configuration Guide for instructions.
3. Start Installation Manager.
   AIX, Linux, Linux on System z, or Solaris
      a. Open a command-line window and navigate to the directory containing Installation Manager. The default installation directory is:
            /opt/IBM/InstallationManager/eclipse
      b. Start the program.
            IBMIM
   Windows
      Click Start > All Programs > IBM Installation Manager > IBM Installation Manager.
4. Select Uninstall in the Installation Manager startup panel.
5. Select the IBM Tivoli Runtime Security Services Server package.
6. The features (components) that are installed are displayed for removal. Click Next.
7. Specify the connection and security details that are required to access WebSphere resources, then click Next.
8. Verify that the correct package is selected, then click Uninstall. The files are uninstalled.
9. When the uninstallation completes, a panel is displayed indicating success or failure. Click Finish to exit.
10. Restart WebSphere Application Server.

Results

If an error occurs during uninstallation, click View Log File to read the details.

The default Installation Manager log files are located in these directories:
- AIX, Linux, Linux on System z, or Solaris
     /var/ibm/InstallationManager/logs
- Windows
     C:\Documents and Settings\All Users\Application Data\IBM\Installation Manager\logs

What to do next

The RTSSWSSecurity.py script does not remove the runtime security services keystore. If you want to remove the keystore, use the procedure described in “Removing the runtime security services keystore” on page 74.

Some files are locked during installation and cannot be removed until the uninstallation is finished. In addition, some files, such as log files, might need to be referenced after the uninstallation is finished. You can remove the files in the following locations after the uninstallation completes execution:
- Files that were copied during installation to any WebSphere Application Server directories.
  Note: Configuration repository files are removed during uninstallation.
- Files in RTSS_INSTALL_DIR/etc
- Files in RTSS_INSTALL_DIR/logs

The shared resources directory is removed if no other IBM Installation Manager-enabled products are registered to that location. The default shared resources directory is:
- AIX, Linux, Linux on System z, or Solaris
     opt/IBM/TSPMshared
- Windows
     C:\Program Files\IBM\TSPMshared

Uninstalling the runtime security services client

The WebSphere administrator uses the procedure in this topic to interactively uninstall the runtime security services client.

Before you begin
- Back up your new and edited registration property files before you uninstall the runtime security services client. Place the backup files in a directory that is completely outside of the runtime security services client installation directory.
- Ensure that the WebSphere Application Server where the client is deployed is running.
- Ensure that the policy manager server is running.
- If you are uninstalling a client in remote mode, ensure that the runtime security services server is running.

About this task

This task describes the procedures you complete to interactively uninstall the IBM Tivoli Runtime Security Services Client package.

Procedure
1. Unregister the runtime security services client from the policy manager server. See the procedure for unregistering runtime security services in the Tivoli Security Policy Manager Configuration Guide.
2. Run the RTSSWSSecurity.py script to remove the WS-Security bindings. See the procedure for unregistering runtime security services in the Tivoli Security Policy Manager Configuration Guide for instructions.
3. Start Installation Manager.
   AIX, Linux, Linux on System z, or Solaris
      a. Open a command-line window and navigate to the directory containing Installation Manager. The default installation directory is:
            /opt/IBM/InstallationManager/eclipse
      b. Start the program.
            IBMIM
   Windows
      Click Start > All Programs > IBM Installation Manager > IBM Installation Manager.
4. Select Uninstall in the Installation Manager startup panel.
5. Select the IBM Tivoli Runtime Security Services Client package.
6. The features (components) that are installed are displayed for removal. Click Next.
7. Specify the connection and security details that are required to access WebSphere resources, then click Next.
8. Verify that the correct package is selected, then click Uninstall.
9. When the uninstallation completes, a panel is displayed indicating success or failure. Click Finish to exit.
10. Stop the WebSphere server instance.
11. Manually remove the runtime security services client runtime Jar files:
    a. Change directory to the WebSphere plug-ins directory.
       - AIX, Linux, Linux on System z, or Solaris
            cd WAS_home/plugins
       - Windows
            cd WAS_home\plugins
    b. Remove the following files:
       CAUTION: Do not remove this WebSphere file:
            com.ibm.sec.authz.ibmsecauthz_7.0.jar
       This file is named similarly to the runtime security services files.

            com.ibm.sec.authz.jaccplus.tam_7.3.jar
            com.ibm.sec.authz.jaccplus.was_7.3.jar
            com.ibm.sec.authz.jaccplus_7.3.jar
            com.ibm.sec.authz.xacml4j_7.3.jar
            com.ibm.tscc.pep.common_7.1.0.jar
            com.ibm.tscc.rtss.admin_7.1.0.jar
            com.ibm.tscc.rtss.audit_7.1.0.jar
            com.ibm.tscc.rtss.authz.client_7.1.0.jar
            com.ibm.tscc.rtss.authz_7.1.0.jar
            com.ibm.tscc.rtss.common_7.1.0.jar
            com.ibm.tscc.rtss.config.emf_7.1.0.jar
            com.ibm.tscc.rtss.config_7.1.0.jar
            com.ibm.tscc.rtss.discovery.j2ee.was_7.1.0.jar
            com.ibm.tscc.rtss.discovery_7.1.0.jar
            com.ibm.tscc.rtss.distributed_7.1.0.jar
            com.ibm.tscc.rtss.exception_7.1.0.jar
            com.ibm.tscc.rtss.higgins.lib_7.1.0.jar
            com.ibm.tscc.rtss.lib_7.1.0.jar
            com.ibm.tscc.rtss.logging_7.1.0.jar
            com.ibm.tscc.rtss.osgi.common_7.1.0.jar
            com.ibm.tscc.rtss.osgi.manager_7.1.0.jar
            com.ibm.tscc.rtss.osgi_7.1.0.jar
            com.ibm.tscc.rtss.prefs_7.1.0.jar
            com.ibm.tscc.rtss.productinfo_7.1.0.jar
            com.ibm.tscc.rtss.protocols_7.1.0.jar
            com.ibm.tscc.rtss.resources_7.1.0.jar
            com.ibm.tscc.rtss.soap_7.1.0.jar
            com.ibm.tscc.rtss.spif_7.1.0.jar
            com.ibm.tscc.rtss.storage_7.1.0.jar
            com.ibm.tscc.rtss.sts_7.1.0.jar
12. If you uninstalled the Web Services Application Enforcement policy enforcement point for WebSphere, remove the corresponding Jar files:
    - AIX, Linux, Linux on System z, or Solaris
         WAS_home/plugins/com.ibm.tscc.enforce.was.jaxws_7.1.0.jar
         WAS_home/lib/ext/com.ibm.tscc.enforce.was.jaxrpc_7.1.0.jar
    - Windows
         WAS_home\plugins\com.ibm.tscc.enforce.was.jaxws_7.1.0.jar
         WAS_home\lib\ext\com.ibm.tscc.enforce.was.jaxrpc_7.1.0.jar
13. Run the OSGi configuration script to refresh the WebSphere OSGi cache. This step is required regardless of which components you uninstall:
    - AIX, Linux, Linux on System z, or Solaris
         WAS_HOME/profiles/profile_name/bin/osgiCfgInit.sh
    - Windows
         WAS_HOME\profiles\profile_name\bin\osgiCfgInit.bat

14. Restart WebSphere Application Server.
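
Step 11 deletes files by name from a directory that also holds a similarly named WebSphere file that must stay. The script below is an added example, not part of the IBM guide or product: it removes only the step 11b files by exact name, defaults to a dry run, and never touches com.ibm.sec.authz.ibmsecauthz_7.0.jar. The function name and the "apply" argument are assumptions of this example, and the step 12 files are not handled.

```shell
#!/bin/sh
# Added example (not IBM tooling): remove only the runtime security services
# client jars listed in step 11b, by exact name, from the plug-ins directory.
# Run it after the WebSphere server instance is stopped (step 10).

# WebSphere's own file that step 11b says must not be removed.
PROTECTED_JAR="com.ibm.sec.authz.ibmsecauthz_7.0.jar"

# Exact file names from step 11b. No wildcards are used: a pattern such as
# com.ibm.sec.authz.* would also match the protected WebSphere jar.
RTSS_CLIENT_JARS="
com.ibm.sec.authz.jaccplus.tam_7.3.jar
com.ibm.sec.authz.jaccplus.was_7.3.jar
com.ibm.sec.authz.jaccplus_7.3.jar
com.ibm.sec.authz.xacml4j_7.3.jar
com.ibm.tscc.pep.common_7.1.0.jar
com.ibm.tscc.rtss.admin_7.1.0.jar
com.ibm.tscc.rtss.audit_7.1.0.jar
com.ibm.tscc.rtss.authz.client_7.1.0.jar
com.ibm.tscc.rtss.authz_7.1.0.jar
com.ibm.tscc.rtss.common_7.1.0.jar
com.ibm.tscc.rtss.config.emf_7.1.0.jar
com.ibm.tscc.rtss.config_7.1.0.jar
com.ibm.tscc.rtss.discovery.j2ee.was_7.1.0.jar
com.ibm.tscc.rtss.discovery_7.1.0.jar
com.ibm.tscc.rtss.distributed_7.1.0.jar
com.ibm.tscc.rtss.exception_7.1.0.jar
com.ibm.tscc.rtss.higgins.lib_7.1.0.jar
com.ibm.tscc.rtss.lib_7.1.0.jar
com.ibm.tscc.rtss.logging_7.1.0.jar
com.ibm.tscc.rtss.osgi.common_7.1.0.jar
com.ibm.tscc.rtss.osgi.manager_7.1.0.jar
com.ibm.tscc.rtss.osgi_7.1.0.jar
com.ibm.tscc.rtss.prefs_7.1.0.jar
com.ibm.tscc.rtss.productinfo_7.1.0.jar
com.ibm.tscc.rtss.protocols_7.1.0.jar
com.ibm.tscc.rtss.resources_7.1.0.jar
com.ibm.tscc.rtss.soap_7.1.0.jar
com.ibm.tscc.rtss.spif_7.1.0.jar
com.ibm.tscc.rtss.storage_7.1.0.jar
com.ibm.tscc.rtss.sts_7.1.0.jar
"

# remove_rtss_client_jars PLUGINS_DIR [apply]
# Default is a dry run that only reports; pass "apply" to delete.
# Returns 0 on success; 1 on a bad directory, a failed delete, or a
# removal list that contains the protected jar.
remove_rtss_client_jars() {
    plugins_dir=$1
    mode=${2:-dry-run}
    if [ -z "$plugins_dir" ] || [ ! -d "$plugins_dir" ]; then
        echo "error: plug-ins directory not found: $plugins_dir" >&2
        return 1
    fi
    # Validate the whole list before deleting anything.
    for jar in $RTSS_CLIENT_JARS; do
        if [ "$jar" = "$PROTECTED_JAR" ]; then
            echo "error: removal list contains protected file $jar" >&2
            return 1
        fi
    done
    for jar in $RTSS_CLIENT_JARS; do
        target="$plugins_dir/$jar"
        if [ ! -f "$target" ] || [ -L "$target" ]; then
            echo "skip          $jar (absent or not a regular file)"
        elif [ "$mode" = "apply" ]; then
            rm -f -- "$target" || return 1
            echo "removed       $jar"
        else
            echo "would remove  $jar"
        fi
    done
    # Confirm that the WebSphere file is still in place.
    if [ -f "$plugins_dir/$PROTECTED_JAR" ]; then
        echo "kept          $PROTECTED_JAR"
    fi
    return 0
}

# Stand-alone use: sh remove_rtss_jars.sh WAS_home/plugins [apply]
if [ "$#" -gt 0 ]; then
    remove_rtss_client_jars "$@"
fi
```

Run it once without "apply" and review the "would remove" lines before deleting anything.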

Results

If an error occurs during uninstallation, click View Log File to read the details.

The default Installation Manager log files are located in these directories:
- AIX, Linux, Linux on System z, or Solaris
     /var/ibm/InstallationManager/logs
- Windows
     C:\Documents and Settings\All Users\Application Data\IBM\Installation Manager\logs

What to do next

If you installed the runtime security services client to communicate directly with the policy manager server (local mode), you ran the RTSSWSSecurity.py script to remove WS-Security configuration. This script does not remove the runtime security services keystore. If you want to remove the keystore, use the procedure described in “Removing the runtime security services keystore” on page 74.

Some files are locked during installation and cannot be removed until the uninstallation is finished. In addition, some files, such as log files, might need to be referenced after the uninstallation is finished. You can remove the files in the following locations after the uninstallation completes execution:
- Files that were copied during installation to any WebSphere Application Server directories.
  Note: Configuration repository files are removed during uninstallation.
- Files in RTSSclient_INSTALL_DIR/etc
- Files in RTSSclient_INSTALL_DIR/logs

The shared resources directory is removed if no other IBM Installation Manager-enabled products are registered to that location. The default shared resources directory is:
- AIX, Linux, Linux on System z, or Solaris
     opt/IBM/TSPMshared
- Windows
     C:\Program Files\IBM\TSPMshared

Uninstalling the Tivoli Security Policy Manager software development kit

The WebSphere administrator uses the procedure in this topic to interactively uninstall the Tivoli Security Policy Manager Software Development Kit.

About this task

This task describes the procedures to interactively uninstall the IBM Tivoli Security Policy Manager Software Development Kit package.

Procedure
1. Start Installation Manager.
   AIX, Linux, Linux on System z, or Solaris
      a. Open a command-line window and navigate to the directory containing Installation Manager. The default installation directory is:
            /opt/IBM/InstallationManager/eclipse
      b. Start the program.
            IBMIM
   Windows
      Click Start > All Programs > IBM Installation Manager > IBM Installation Manager.
2. Select Uninstall in the Installation Manager startup panel.
3. Select the TSPM-SDK installation package.
4. The features (components) that are installed are displayed for removal. Click Next.
5. Verify that the correct package is selected, then click Uninstall.
6. When the uninstallation completes, a panel is displayed indicating success or failure. Click Finish to exit.

Results

If an error occurs during uninstallation, click View Log File to read the details.

The default Installation Manager log files are located in these directories:
- AIX, Linux, Linux on System z, or Solaris
     /var/ibm/InstallationManager/logs
- Windows
     C:\Documents and Settings\All Users\Application Data\IBM\Installation Manager\logs

Uninstalling the Runtime Security Services software development kit

The WebSphere administrator uses the procedure in this topic to interactively uninstall the Tivoli Runtime Security Services Software Development Kit.

About this task

This task describes the procedures to interactively uninstall the IBM Runtime Security Services Software Development Kit package.

Procedure
1. Start Installation Manager.
   AIX, Linux, Linux on System z, or Solaris
      a. Open a command-line window and navigate to the directory containing Installation Manager. The default installation directory is:
            /opt/IBM/InstallationManager/eclipse
      b. Start the program.
            IBMIM
   Windows
      Click Start > All Programs > IBM Installation Manager > IBM Installation Manager.
2. Select Uninstall in the Installation Manager startup panel.
3. Select the RTSS-SDK installation package.
4. The features (components) that are installed are displayed for removal. Click Next.
5. Specify the connection and security details that are required to access WebSphere resources, then click Next.
6. Verify that the correct package is selected, then click Uninstall.
7. When the uninstallation completes, a panel is displayed indicating success or failure. Click Finish to exit.

Results

If an error occurs during uninstallation, click View Log File to read the details.

The default Installation Manager log files are located in these directories:
- AIX, Linux, Linux on System z, or Solaris
  /var/ibm/InstallationManager/logs
- Windows
  C:\Documents and Settings\All Users\Application Data\IBM\Installation Manager\logs

Uninstalling selected Tivoli Security Policy Manager features

The WebSphere Application Server administrator uses the Modify task to interactively uninstall one or more Tivoli Security Policy Manager features (components) in a product package.

Before you begin

Ensure that WebSphere Application Server is running where the package is installed.

About this task

This task describes how to use the Modify option in Installation Manager to remove one or more components of a product package. If you want to remove all components of a product package, see the uninstallation instructions for the package:
- “Uninstalling the policy manager components” on page 66
- “Uninstalling the runtime security services server” on page 67
- “Uninstalling the runtime security services client” on page 69
- “Uninstalling the Tivoli Security Policy Manager software development kit” on page 71
- “Uninstalling the Runtime Security Services software development kit” on page 72


Procedure

1. Start Installation Manager.

   AIX, Linux, Linux on System z, or Solaris
   a. Open a command-line window and navigate to the directory containing Installation Manager.
      The default installation directory is:
      /opt/IBM/InstallationManager/eclipse
   b. Start the program.
      IBMIM

   Windows
   Click Start > All Programs > IBM Installation Manager > IBM Installation Manager.

2. Select Modify in the Installation Manager startup panel.
3. Select the product package that contains the features you want to uninstall, then click Next.
4. Select the features that you want to uninstall, then click Next. Some features require other features to be uninstalled. Installation Manager selects any other features, if required.
5. Specify the connection and security details that are required to access WebSphere resources, then click Next.
6. Verify that the correct features are listed in the Removing Feature column, then click Modify.
7. When the uninstallation completes, a panel is displayed indicating success or failure. Click Finish to exit.

Results

If the uninstallation is not successful, click View Log File for details on the error condition.

Removing the runtime security services keystore

The WebSphere administrator can remove the runtime security services keystore as part of uninstallation.

About this task

Before you uninstall runtime security services, you run the RTSSWSSecurity.py script to remove the security settings, including truststore configuration. The script does not remove the keystore file, so you can use the following steps to remove the keystore.

Procedure

1. Navigate to the directory where the keystore file is stored.

   AIX, Linux, Linux on System z, or Solaris
   cd WAS_HOME/profiles/profile_name/config/cells/cell_name

   Windows
   cd WAS_HOME\profiles\profile_name\config\cells\cell_name

2. Delete the file.


   AIX, Linux, Linux on System z, or Solaris
   rm rtss.jks

   Windows
   del rtss.jks
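The following shell functions are an added example, not part of the IBM guide: they locate every rtss.jks at the path shown in step 1 across all profiles and cells under WAS_HOME and remove them, with a dry-run mode so the list can be reviewed first. The function names and the WAS_HOME argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the IBM guide). Assumption: keystores sit at
#   WAS_HOME/profiles/<profile_name>/config/cells/<cell_name>/rtss.jks
# as in step 1 of the procedure. Function names are hypothetical.

# Print every rtss.jks found at the documented depth, one path per line.
find_rtss_keystores() {
    was_home=$1
    for f in "$was_home"/profiles/*/config/cells/*/rtss.jks; do
        # An unmatched glob stays literal, so test for a regular file.
        # Symbolic links are skipped so a link in the config tree is
        # reported by other means rather than silently acted on.
        if [ -f "$f" ] && [ ! -L "$f" ]; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# Remove each keystore found and print how many were handled.
# Second argument 1 = dry run: nothing is deleted, the count is what
# would be removed. Progress messages go to stderr, the count to stdout.
remove_rtss_keystores() {
    was_home=$1
    dry_run=${2:-0}
    removed=0
    list=$(find_rtss_keystores "$was_home")
    if [ -n "$list" ]; then
        while IFS= read -r f; do
            if [ "$dry_run" = "1" ]; then
                echo "would remove: $f" >&2
            else
                rm -f -- "$f" || return 1
                # Confirm the file is really gone before counting it.
                if [ -e "$f" ]; then
                    echo "still present: $f" >&2
                    return 1
                fi
                echo "removed: $f" >&2
            fi
            removed=$((removed + 1))
        done <<EOF
$list
EOF
    fi
    echo "$removed"
    return 0
}

# Usage (path is a placeholder):
#   remove_rtss_keystores /path/to/WAS_HOME 1   # review first
#   remove_rtss_keystores /path/to/WAS_HOME     # then delete
```

Run the dry run after RTSSWSSecurity.py has removed the security settings, and delete only once the listed paths match the cells you are decommissioning.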

Uninstalling in silent mode

This topic describes how to use a response file to uninstall Tivoli Security Policy Manager features.

Before you begin

You must create an uninstallation response file for the components that you have installed before you attempt to uninstall those components in silent mode. Here are some important points about using uninstallation response files:
- Uninstallation response files are not automatically generated when you run Installation Manager to install the product components.
- If you installed two or more components in the same installation, use the uninstallation response file that is generated from that installation.
- You can use the response file to uninstall one, some, or all the components that you installed. Installation Manager ignores entries in the response file that do not apply to the uninstallation of a component.
- If you did not generate a response file when you installed the components, you can run Installation Manager to perform a mock installation and generate the response file. See the -skipInstall option in “Creating a response file” on page 53.
- Template uninstallation response files are provided in the installation media root directories and in the installation directories. You can copy and change a file manually to create a response file that is specific to your environment.
  - AIX, Linux, Linux on System z, or Solaris
    Installation media
      DVD1_mount_point/rsp/tspm-uninstall.xml
      DVD1_mount_point/rsp/rtss-uninstall.xml
    Product installation default directory
      /opt/IBM/TSPM/rsp/tspm-uninstall.xml
      /opt/IBM/RTSS/rsp/rtss-uninstall.xml
  - Windows
    Installation media
      DVD_drive\rsp\tspm-uninstall.xml
      DVD_drive\rsp\rtss-uninstall.xml
    Product installation default directory
      C:\Program Files\IBM\TSPM\rsp\tspm-uninstall.xml
      C:\Program Files\IBM\RTSS\rsp\rtss-uninstall.xml

For information about uninstallation, see the Installation Manager information center:

http://publib.boulder.ibm.com/infocenter/install/v1r2/index.jsp

About this task

To uninstall product features (components) in silent mode, run Installation Manager and specify the silent mode and response file options.


Procedure

1. Open a command-line window and navigate to the directory containing Installation Manager.
   The default installation directory is:

   AIX, Linux, Linux on System z, or Solaris
   /opt/IBM/InstallationManager/eclipse

   Windows
   C:\Program Files\IBM\Installation Manager\eclipse

2. Start Installation Manager with the -silent and -input options.
   - AIX, Linux, Linux on System z, or Solaris
     IBMIM -silent -input response_file_path/response_file_name-uninstall.xml
   - Windows
     IBMIMc -silent -input response_file_path\response_file_name-uninstall.xml

   Note: On Windows platforms, for silent uninstallations only, do not use the IBMIM.exe command. Use the IBMIMc.exe command to uninstall in silent mode.

   where:

   -silent
      Specifies to run in silent (noninteractive) mode.

   -input
      Specifies to receive input data from the response file.

   response_file_name-uninstall.xml
      Specifies the name of the response file. Include the file path if needed.

Examples of silent uninstallations using the default directories

Policy manager
Assume that an uninstallation response file named tspm-uninstall.xml is used.
- AIX, Linux, or Solaris
  /opt/IBM/InstallationManager/eclipse/IBMIM -silent -input /opt/IBM/TSPM/rsp/tspm-uninstall.xml
- Windows
  "C:\Program Files\IBM\InstallationManager\eclipse\IBMIMc" -silent -input c:\IBM\TSPM\rsp\tspm-uninstall.xml

Runtime security services (server or client)
- AIX, Linux, or Solaris
  /opt/IBM/InstallationManager/eclipse/IBMIM -silent -input /opt/IBM/RTSS/rsp/rtss-uninstall.xml
- Windows
  "C:\Program Files\IBM\InstallationManager\eclipse\IBMIMc" -silent -input c:\IBM\RTSS\rsp\rtss-uninstall.xml

Results

If errors occur during the uninstallation, check the log file for details. The default Installation Manager log files are located in the following directories. Installation Manager log files are formatted in XML.


- AIX, Linux, Linux on System z, or Solaris
  /var/ibm/InstallationManager/logs
- Windows
  C:\Documents and Settings\All Users\Application Data\IBM\Installation Manager\logs

What to do next

Some files are locked during installation and cannot be removed until the uninstallation is finished. In addition, some files, such as log files, might need to be referenced after the uninstallation is finished.

If you are uninstalling the policy manager server, platform, console, or Tivoli Integrated Portal components, see “Uninstalling the policy manager components” on page 66 for the list of files that you can delete manually.

If you are uninstalling the runtime security services server or client, see “Uninstalling the runtime security services server” on page 67 for the list of files that you can delete manually.


Appendix C. Reinstalling Tivoli Security Policy Manager

To reinstall the policy manager server or the runtime security services server, you must first remove the installed component.

To reinstall:

1. Complete the uninstallation instructions. See:
   - “Uninstalling the policy manager components” on page 66
   - “Uninstalling the runtime security services server” on page 67
2. Complete the installation instructions for the component to reinstall:

   Note: In each of the installation scenarios, you do not need to complete the topics for WebSphere installation and configuration.
   - Policy administration components
     Chapter 8, “Installing policy administration components,” on page 33
   - Runtime security services server
     Chapter 9, “Installing the Tivoli runtime security services server,” on page 39
   - Runtime security services client
     Chapter 10, “Installing the Tivoli runtime security services client,” on page 43
   - Tivoli Security Policy Manager SDK
     Chapter 11, “Installing the Tivoli Security Policy Manager software development kit,” on page 47
   - Runtime Security Services SDK
     Chapter 12, “Installing the Runtime Security Services software development kit,” on page 51


Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.


IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758
USA

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with the appropriate symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at http://www.ibm.com/legal/copytrade.shtml

Adobe, Acrobat, Portable Document Format (PDF), and PostScript are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.

Intel, Intel Inside (logos), Itanium, MMX, and Pentium are trademarks of Intel Corporation in the United States, other countries, or both.

Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

Other company, product, or service names may be trademarks or service marks of others.



Printed in USA

GC27-2712-00