7/28/2019 Am51 Tim Guide http://slidepdf.com/reader/full/am51-tim-guide 1/96

IBM Tivoli Access Manager for e-business

IBM Tivoli Identity Manager Provisioning Fast Start Guide

Version 5.1

SC32-1364-00


Note: Before using this information and the product it supports, read the information in “Notices,” on page 71.

First Edition (November 2003)

This edition applies to version 5.1 of IBM Tivoli Access Manager (product number 5724-C08) and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright International Business Machines Corporation 2003. All rights reserved. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.


Preface

IBM® Tivoli® Access Manager (Tivoli Access Manager) is the base software that is required to run applications in the IBM Tivoli Access Manager product suite. It enables the integration of IBM Tivoli Access Manager applications that provide a wide range of authorization and management solutions. Sold as an integrated solution, these products provide an access control management solution that centralizes network and application security policy for e-business applications.

Note: IBM Tivoli Access Manager is the new name of the previously released software entitled Tivoli SecureWay® Policy Director. Also, for users familiar with the Tivoli SecureWay Policy Director software and documentation, the management server is now referred to as the policy server.

Tivoli Access Manager can be integrated with IBM Tivoli Identity Manager to take advantage of its identity management and provisioning functions. Following a brief overview of the tasks you might perform to integrate IBM Tivoli Identity Manager and IBM Tivoli Access Manager for e-business, this guide provides instructions for installing and using the Provisioning Fast Start collection. The Provisioning Fast Start collection consists of automated tasks, utilities, and samples that you might find helpful when integrating Tivoli Identity Manager and Tivoli Access Manager for e-business.

Who should read this book

This guide is for system administrators and security administrators responsible for integrating Tivoli Access Manager with Tivoli Identity Manager.

Readers of this book should be experienced with advanced administration of:

v Tivoli Access Manager for e-business and its prerequisites

v Tivoli Identity Manager and its prerequisites

Note: Chapter 6, “Creating a Web interface for user self-management,” on page 47 is written for Web application developers who have experience with WebSphere® Application Server, Java™ servlets, and Java Server Pages.

What this book contains

This guide contains the following sections:

v Chapter 1, “Overview of integration tasks,” on page 1.

Provides an overview of the tasks related to integrating Tivoli Access Manager and Tivoli Identity Manager and introduces the Provisioning Fast Start collection.

v Chapter 2, “Installing the Provisioning Fast Start collection,” on page 5.

Describes how to install the Provisioning Fast Start collection through the use of the Provisioning Fast Start Installer.

v Chapter 3, “Creating a Tivoli Access Manager service and default provisioning policy,” on page 17.

Describes the automated task for creating a Tivoli Access Manager service and a provisioning policy.


v Chapter 4, “Configuring Tivoli Identity Manager for single sign-on with WebSEAL,” on page 21.

Describes the automated task for enabling Tivoli Identity Manager to use single sign-on with WebSEAL.

v Chapter 5, “Importing and synchronizing user data,” on page 29.

Describes the IBM Directory Integrator AssemblyLine Samples utility and how to use the utility to import and synchronize user data.

v Chapter 6, “Creating a Web interface for user self-management,” on page 47.

Describes the Web Application Sample and how you can use the sample so that your users can manage their own user IDs and passwords in Tivoli Identity Manager.

Publications

Review the descriptions of the Tivoli Access Manager library, the prerequisite publications, and the related publications to determine which publications you might find helpful. After you determine the publications you need, refer to the instructions for accessing publications online.

Additional information about the IBM Tivoli Access Manager for e-business product itself can be found at:

http://www.ibm.com/software/tivoli/products/access-mgr-e-bus/

The Tivoli Access Manager library is organized into the following categories:

v “Release information”

v “Base information”

v “Web security information” on page vii

v “Developer references” on page vii

v “Technical supplements” on page viii

Release information

v IBM Tivoli Access Manager for e-business Read This First (GI11-4155-00)

Provides information for installing and getting started using Tivoli Access Manager.

v IBM Tivoli Access Manager for e-business Release Notes (GI11-4156-00)

Provides late-breaking information, such as software limitations, workarounds, and documentation updates.

Base information

v IBM Tivoli Access Manager Base Installation Guide (SC32-1362-00)

Explains how to install and configure the Tivoli Access Manager base software, including the Web Portal Manager interface. This book is a subset of IBM Tivoli Access Manager for e-business Web Security Installation Guide and is intended for use with other Tivoli Access Manager products, such as IBM Tivoli Access Manager for Business Integration and IBM Tivoli Access Manager for Operating Systems.

v IBM Tivoli Access Manager Base Administration Guide (SC32-1360-00)

Describes the concepts and procedures for using Tivoli Access Manager services. Provides instructions for performing tasks from the Web Portal Manager interface and by using the pdadmin command.


Web security information

v IBM Tivoli Access Manager for e-business Web Security Installation Guide (SC32-1361-00)

Provides installation, configuration, and removal instructions for the Tivoli Access Manager base software as well as the Web Security components. This book is a superset of IBM Tivoli Access Manager Base Installation Guide.

v IBM Tivoli Access Manager Upgrade Guide (SC32-1369-00)

Explains how to upgrade from Tivoli SecureWay Policy Director Version 3.8 or previous versions of Tivoli Access Manager to Tivoli Access Manager Version 5.1.

v IBM Tivoli Access Manager for e-business WebSEAL Administration Guide (SC32-1359-00)

Provides background material, administrative procedures, and technical reference information for using WebSEAL to manage the resources of your secure Web domain.

v IBM Tivoli Access Manager for e-business IBM WebSphere Application Server Integration Guide (SC32-1368-00)

Provides installation, removal, and administration instructions for integrating Tivoli Access Manager with IBM WebSphere® Application Server.

v IBM Tivoli Access Manager for e-business IBM WebSphere Edge Server Integration Guide (SC32-1367-00)

Provides installation, removal, and administration instructions for integrating Tivoli Access Manager with the IBM WebSphere Edge Server application.

v IBM Tivoli Access Manager for e-business Plug-in for Web Servers Integration Guide (SC32-1365-00)

Provides installation instructions, administration procedures, and technical reference information for securing your Web domain using the plug-in for Web servers.

v IBM Tivoli Access Manager for e-business BEA WebLogic Server Integration Guide (SC32-1366-00)

Provides installation, removal, and administration instructions for integrating Tivoli Access Manager with BEA WebLogic Server.

v IBM Tivoli Access Manager for e-business IBM Tivoli Identity Manager Provisioning Fast Start Guide (SC32-1364-00)

Provides an overview of the tasks related to integrating Tivoli Access Manager and Tivoli Identity Manager and explains how to install and use the Provisioning Fast Start collection.

Developer references

v IBM Tivoli Access Manager for e-business Authorization C API Developer Reference (SC32-1355-00)

Provides reference material that describes how to use the Tivoli Access Manager authorization C API and the Tivoli Access Manager service plug-in interface to add Tivoli Access Manager security to applications.

v IBM Tivoli Access Manager for e-business Authorization Java Classes Developer Reference (SC32-1350-00)

Provides reference information for using the Java™ language implementation of the authorization API to enable an application to use Tivoli Access Manager security.


v IBM Tivoli Access Manager for e-business Administration C API Developer Reference (SC32-1357-00)

Provides reference information about using the administration API to enable an application to perform Tivoli Access Manager administration tasks. This document describes the C implementation of the administration API.

v IBM Tivoli Access Manager for e-business Administration Java Classes Developer Reference (SC32-1356-00)

Provides reference information for using the Java language implementation of the administration API to enable an application to perform Tivoli Access Manager administration tasks.

v IBM Tivoli Access Manager for e-business Web Security Developer Reference (SC32-1358-00)

Provides administration and programming information for the cross-domain authentication service (CDAS), the cross-domain mapping framework (CDMF), and the password strength module.

Technical supplements

v IBM Tivoli Access Manager for e-business Command Reference (SC32-1354-00)

Provides information about the command line utilities and scripts provided with Tivoli Access Manager.

v IBM Tivoli Access Manager Error Message Reference (SC32-1353-00)

Provides explanations and recommended actions for the messages produced by Tivoli Access Manager.

v IBM Tivoli Access Manager for e-business Problem Determination Guide (SC32-1352-00)

Provides problem determination information for Tivoli Access Manager.

v IBM Tivoli Access Manager for e-business Performance Tuning Guide (SC32-1351-00)

Provides performance tuning information for an environment consisting of Tivoli Access Manager with the IBM Tivoli Directory server as the user registry.

Related publications

This section lists publications related to the Tivoli Access Manager library.

The Tivoli Software Library provides a variety of Tivoli publications such as white papers, datasheets, demonstrations, redbooks, and announcement letters. The Tivoli Software Library is available on the Web at: http://www.ibm.com/software/tivoli/library/

The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available, in English only, from the Glossary link on the left side of the Tivoli Software Library Web page

http://www.ibm.com/software/tivoli/library/

IBM Global Security Kit

Tivoli Access Manager provides data encryption through the use of the IBM Global Security Kit (GSKit) Version 7.0. GSKit is included on the IBM Tivoli Access Manager Base CD for your particular platform, as well as on the IBM Tivoli Access Manager Web Security CDs, the IBM Tivoli Access Manager Web Administration Interfaces CDs, and the IBM Tivoli Access Manager Directory Server CDs.

The GSKit package provides the iKeyman key management utility, gsk7ikm, which is used to create key databases, public-private key pairs, and certificate requests.


The following document is available on the Tivoli Information Center Web site in the same section as the IBM Tivoli Access Manager product documentation:

v IBM Global Security Kit Secure Sockets Layer and iKeyman User’s Guide (SC32-1363-00)

Provides information for network or system security administrators who plan to enable SSL communication in their Tivoli Access Manager environment.

IBM Tivoli Directory Server

IBM Tivoli Directory Server, Version 5.2, is included on the IBM Tivoli Access Manager Directory Server CD for the desired operating system.

Note: IBM Tivoli Directory Server is the new name for the previously released software known as:

v IBM Directory Server (Version 4.1 and Version 5.1)

v IBM SecureWay Directory Server (Version 3.2.2)

IBM Directory Server Version 4.1, IBM Directory Server Version 5.1, and IBM Tivoli Directory Server Version 5.2 are all supported by IBM Tivoli Access Manager Version 5.1.

Additional information about IBM Tivoli Directory Server can be found at:

http://www.ibm.com/software/network/directory/library/

IBM DB2 Universal Database

IBM DB2® Universal Database™ Enterprise Server Edition, Version 8.1 is provided on the IBM Tivoli Access Manager Directory Server CD and is installed with the IBM Tivoli Directory Server software. DB2 is required when using IBM Tivoli Directory Server, z/OS™, or OS/390® LDAP servers as the user registry for Tivoli Access Manager.

Additional information about DB2 can be found at:

http://www.ibm.com/software/data/db2/

IBM WebSphere Application Server

IBM WebSphere Application Server, Advanced Single Server Edition 5.0, is included on the IBM Tivoli Access Manager Web Administration Interfaces CD for the desired operating system. WebSphere Application Server enables the support of both the Web Portal Manager interface, which is used to administer Tivoli Access Manager, and the Web Administration Tool, which is used to administer IBM Tivoli Directory Server. IBM WebSphere Application Server Fix Pack 2 is also required by Tivoli Access Manager and is provided on the IBM Tivoli Access Manager WebSphere Fix Pack CD.

Additional information about IBM WebSphere Application Server can be found at:

http://www.ibm.com/software/webservers/appserv/infocenter.html

IBM Tivoli Access Manager for Business Integration

IBM Tivoli Access Manager for Business Integration, available as a separately orderable product, provides a security solution for IBM MQSeries®, Version 5.2, and IBM WebSphere® MQ, Version 5.3 messages. IBM Tivoli Access Manager for Business Integration allows WebSphere MQSeries applications to send data with privacy and integrity by using keys associated with sending and receiving applications. Like WebSEAL and IBM Tivoli Access Manager for Operating Systems, IBM Tivoli Access Manager for Business Integration is one of the resource managers that use the services of IBM Tivoli Access Manager.

Additional information about IBM Tivoli Access Manager for Business Integration can be found at:

http://www.ibm.com/software/tivoli/products/access-mgr-bus-integration/

The following documents associated with IBM Tivoli Access Manager for Business Integration Version 5.1 are available on the Tivoli Information Center Web site:

v IBM Tivoli Access Manager for Business Integration Administration Guide (SC23-4831-01)

v IBM Tivoli Access Manager for Business Integration Problem Determination Guide (GC23-1328-00)

v IBM Tivoli Access Manager for Business Integration Release Notes (GI11-0957-01)

v IBM Tivoli Access Manager for Business Integration Read This First (GI11-4202-00)

IBM Tivoli Access Manager for WebSphere Business Integration Brokers

IBM Tivoli Access Manager for WebSphere Business Integration Brokers, available as part of IBM Tivoli Access Manager for Business Integration, provides a security solution for WebSphere Business Integration Message Broker, Version 5.0 and WebSphere Business Integration Event Broker, Version 5.0. IBM Tivoli Access Manager for WebSphere Business Integration Brokers operates in conjunction with Tivoli Access Manager to secure JMS publish/subscribe applications by providing password and credentials-based authentication, centrally-defined authorization, and auditing services.

Additional information about IBM Tivoli Access Manager for WebSphere Business Integration Brokers can be found at:

http://www.ibm.com/software/tivoli/products/access-mgr-bus-integration/

The following documents associated with IBM Tivoli Access Manager for WebSphere Business Integration Brokers, Version 5.1 are available on the Tivoli Information Center Web site:

v IBM Tivoli Access Manager for WebSphere Business Integration Brokers Administration Guide (SC32-1347-00)

v IBM Tivoli Access Manager for WebSphere Business Integration Brokers Release Notes (GI11-4154-00)

v IBM Tivoli Access Manager for Business Integration Read This First (GI11-4202-00)

IBM Tivoli Access Manager for Operating Systems

IBM Tivoli Access Manager for Operating Systems, available as a separately orderable product, provides a layer of authorization policy enforcement on UNIX systems in addition to that provided by the native operating system. IBM Tivoli Access Manager for Operating Systems, like WebSEAL and IBM Tivoli Access Manager for Business Integration, is one of the resource managers that use the services of IBM Tivoli Access Manager.

Additional information about IBM Tivoli Access Manager for Operating Systems can be found at:

http://www.ibm.com/software/tivoli/products/access-mgr-operating-sys/


The following documents associated with IBM Tivoli Access Manager for Operating Systems Version 5.1 are available on the Tivoli Information Center Web site:

v IBM Tivoli Access Manager for Operating Systems Installation Guide (SC23-4829-00)

v IBM Tivoli Access Manager for Operating Systems Administration Guide (SC23-4827-00)

v IBM Tivoli Access Manager for Operating Systems Problem Determination Guide (SC23-4828-00)

v IBM Tivoli Access Manager for Operating Systems Release Notes (GI11-0951-00)

v IBM Tivoli Access Manager for Operating Systems Read Me First (GI11-0949-00)

IBM Tivoli Identity Manager

IBM Tivoli Identity Manager Version 4.5, available as a separately orderable product, enables you to centrally manage users (such as user IDs and passwords) and provisioning (that is, providing or revoking access to applications, resources, or operating systems). Tivoli Identity Manager can be integrated with Tivoli Access Manager through the use of the Tivoli Access Manager Agent. Contact your IBM account representative for more information about purchasing the Agent.

Additional information about IBM Tivoli Identity Manager can be found at:

http://www.ibm.com/software/tivoli/products/identity-mgr/

The following documents associated with IBM Tivoli Identity Manager Version 4.5 are available on the Tivoli Information Center Web site:

v IBM Tivoli Identity Manager Release Notes (GI11-4212-00)

v IBM Tivoli Identity Manager Server Installation Guide on UNIX using WebSphere (SC32-1147-02)

v IBM Tivoli Identity Manager Server Installation Guide on Windows 2000 using WebSphere (SC32-1148-01)

v IBM Tivoli Identity Manager Server Installation Guide on UNIX using WebLogic (SC32-1334-00)

v IBM Tivoli Identity Manager Server Installation Guide on Windows 2000 using WebLogic (SC32-1335-00)

v IBM Tivoli Identity Manager Policy and Organization Administration Guide (SC32-1149-01)

v IBM Tivoli Identity Manager End User Guide (SC32-1152-01)

v IBM Tivoli Identity Manager Server Configuration Guide (SC32-1150-02)

v IBM Tivoli Identity Manager Server Troubleshooting Guide (SC32-1151-01)

v IBM Tivoli Identity Manager Access Manager Agent for Windows Installation Guide (SC32-1165-03)

v IBM Tivoli Identity Manager Lotus Notes Agent Installation Guide (SC32-1157-03)

v IBM Tivoli Identity Manager Sybase Agent for Windows Installation Guide (SC32-1161-03)

v IBM Tivoli Identity Manager Oracle Agent for Windows Installation Guide (SC32-1155-03)

v IBM Tivoli Identity Manager Windows 2000 Agent Installation Guide (SC32-1153-03)

v IBM Tivoli Identity Manager Windows NT Agent Installation Guide (SC32-1154-03)

v IBM Tivoli Identity Manager AIX Agent Installation Guide (SC32-1162-03)

v IBM Tivoli Identity Manager Exchange 2000 Agent Installation Guide (SC32-1156-03)


v IBM Tivoli Identity Manager Novell NetWare Agent Installation Guide (SC32-1158-03)

v IBM Tivoli Identity Manager Universal Provisioning Agent Installation Guide (SC32-1159-03)

Accessing publications online

The publications for this product are available online in Portable Document Format (PDF) or Hypertext Markup Language (HTML) format, or both in the Tivoli software library: http://www.ibm.com/software/tivoli/library

To locate product publications in the library, click the Product manuals link on theleft side of  the library page. Then, locate and click the name of  the product on theTivoli software information center page.

Product publications include release notes, installation guides, user’s guides,administrator’s guides, and developer’s references.

Note: To ensure proper printing of PDF publications, select the Fit to page check box in the Adobe Acrobat Print window (which is available when you clickFile → Print).

Accessibility

Accessibility features help a user who has a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You also can use the keyboard instead of the mouse to operate all features of the graphical user interface.

Contacting software support

Before contacting IBM Tivoli Software Support with a problem, refer to the IBM Tivoli Software Support site by clicking the Tivoli support link at the following Web site: http://www.ibm.com/software/support/

If you need additional help, contact software support by using the methods described in the IBM Software Support Guide at the following Web site: http://techsupport.services.ibm.com/guides/handbook.html

The guide provides the following information:

v Registration and eligibility requirements for receiving support

v Telephone numbers, depending on the country in which you are located

v A list of information you should gather before contacting customer support

Conventions used in this book

This reference uses several conventions for special terms and actions and for operating system-dependent commands and paths.

Typeface conventions

The following typeface conventions are used in this reference:

Bold Lowercase commands or mixed case commands that are difficult to distinguish from surrounding text, keywords, parameters, options, names of Java classes, and objects are in bold.


Italic Variables, titles of publications, and special words or phrases that are emphasized are in italic.

Monospace Code examples, command lines, screen output, file and directory names that are difficult to distinguish from surrounding text, system messages, text that the user must type, and values for arguments or command options are in monospace.

Operating system differences

This book uses the UNIX convention for specifying environment variables and for directory notation. When using the Windows command line, replace $variable with %variable% for environment variables and replace each forward slash (/) with a backslash (\) in directory paths. If you are using the bash shell on a Windows system, you can use the UNIX conventions.


Chapter 1. Overview of integration tasks

IBM® Tivoli® Access Manager for e-business provides policy-based access control of enterprise applications, Web applications, and resources. IBM Tivoli Identity Manager provides policy-based identity management (managing user IDs and passwords) and provisioning (providing or revoking access to applications, resources, or operating systems) within an enterprise. When you use these products together in an integrated environment, you will continue to manage access to applications and resources using Tivoli Access Manager, but you will use Tivoli Identity Manager to manage Tivoli Access Manager users and to manage the provisioning of applications and resources to those users.

To integrate these products, you must perform some basic integration tasks and some Tivoli Identity Manager tasks. Depending on your integrated environment, you might need to perform some specialized integration tasks. Some of these tasks have been automated and are provided in a collection of utilities called the Provisioning Fast Start collection. The use of the utilities in the collection is optional; however, you might find that they will save you time and effort. The collection and its Installer are included on the IBM Tivoli Access Manager Base CD in IBM Tivoli Access Manager for e-business version 5.1.

This overview chapter provides summaries of the tasks you need to perform to integrate Tivoli Access Manager and Tivoli Identity Manager. However, the remainder of this guide describes only the tasks that are supported by the Provisioning Fast Start collection.

Basic integration tasks

Tivoli Identity Manager can be integrated with numerous types of systems (such as a Lotus® Notes® system, a Novell NetWare system, a Tivoli Access Manager system, and others). The integration process consists of several basic tasks, regardless of the type of system that is being integrated. These basic tasks are:

1. Install and configure Tivoli Identity Manager version 4.5. (You might also want to install IBM Directory Integrator, which comes with Tivoli Identity Manager.)

2. Install and configure the software for the other system, such as Tivoli Access Manager for e-business.

3. Locate and install the agent software.

Agents are components of Tivoli Identity Manager and are available for each type of system that can be integrated with Tivoli Identity Manager. Agents are required for the integration because they enable connectivity between the Tivoli Identity Manager server and the system that will be managed by Tivoli Identity Manager. The Tivoli Access Manager Agent is available at the IBM Web site. Contact your IBM account representative for the Web address and the instructions for downloading the agent.

4. Activate the agent.

5. Configure the agent’s communication protocols to enable the agent to communicate with the Tivoli Identity Manager server.

6. Install the agent’s profile on the Tivoli Identity Manager server.


A profile defines a type of system that will be managed by Tivoli Identity Manager. For example, if Tivoli Identity Manager will manage one or more Tivoli Access Manager systems, the Tivoli Access Manager profile must be installed on the Tivoli Identity Manager server so that Tivoli Identity Manager will recognize Tivoli Access Manager.

Detailed information for performing these preceding steps is in the IBM Tivoli Identity Manager: IBM Tivoli Access Manager Agent Installation Guide. If you are integrating Tivoli Identity Manager with more than one Tivoli Access Manager domain, you will need to repeat these steps for each domain.

The last step in the Agent Guide is to configure the Tivoli Identity Manager server to recognize the agent as a service. This step begins the next phase of the integration.

Tivoli Identity Manager tasks related to the integration

For the next phase in the integration, you will need to use Tivoli Identity Manager and its interface to perform the following tasks. Tasks that can be performed using an automated task or a sample provided by the Provisioning Fast Start collection are indicated with the label Fast start.

Attention: At the completion of this phase, you should use Tivoli Identity Manager instead of Web Portal Manager or pdadmin in Tivoli Access Manager to manage the users of the Tivoli Access Manager system.

1. Add a Tivoli Access Manager service to Tivoli Identity Manager, so that Tivoli Identity Manager can manage Tivoli Access Manager accounts.

Each system that will be managed by Tivoli Identity Manager must be assigned to Tivoli Identity Manager as a service. If Tivoli Identity Manager will manage more than one Tivoli Access Manager system, you will need to create a service for each Tivoli Access Manager system.

Fast start: You can perform this task using the corresponding automated task available in the Provisioning Fast Start collection. For more information, refer to Chapter 3, “Creating a Tivoli Access Manager service and default provisioning policy,” on page 17.

Note: If your Tivoli Access Manager environment includes resources that permit global sign-on access (that is, GSO resources and GSO resource groups), be sure to install the Tivoli Access Manager GSO Agent. This agent enables you to create services for GSO resources and GSO resource groups. The agent and its documentation are available from the IBM Web site. Contact your IBM account representative for more information.

2. Create an identity policy for the Tivoli Access Manager system, to define how Tivoli Identity Manager will create user IDs.

3. Create a password policy for the Tivoli Access Manager system, so that Tivoli Identity Manager knows how to manage password strength, logins, and synchronization.

Note: If you have a password policy for Tivoli Identity Manager and a password policy for Tivoli Access Manager, you will need to make sure they are consistent with each other. In particular, Tivoli Identity Manager must not accept or generate passwords that the Tivoli Access Manager policy rejects; otherwise those passwords cannot be provisioned to Tivoli Access Manager.


If you are using WebSEAL and want to synchronize password changes that are initiated through WebSEAL, install the Reverse Password Synchronization for Tivoli Access Manager WebSEAL Agent, which is available as part of the Tivoli Access Manager Agent package at the IBM Web site. Contact your IBM account representative for more information.

4. Create a provisioning policy for the Tivoli Access Manager system.

Fast start: You can get a head start on the creation of your own provisioning policy by using the automated task (available in the Provisioning Fast Start collection) that creates a basic provisioning policy. For more information, refer to Chapter 3, “Creating a Tivoli Access Manager service and default provisioning policy,” on page 17.

5. Create Person entities (users) in Tivoli Identity Manager. In order to manage users with Tivoli Identity Manager, you must define the users in the Tivoli Identity Manager user registry by creating Person entities.

Fast start: To create Person entities in Tivoli Identity Manager from an existing Tivoli Access Manager user registry or from an existing corporate directory, consider using the IBM Directory Integrator AssemblyLine samples utility. This utility is part of the Provisioning Fast Start collection and is described in “Specialized integration tasks” on page 4 and in Chapter 5, “Importing and synchronizing user data,” on page 29. In addition, after you have defined users in Tivoli Identity Manager and have managed those users using Tivoli Identity Manager, you can also use the IBM Directory Integrator AssemblyLine samples to synchronize the changes you have made in the Tivoli Identity Manager user (Person) records with matching Tivoli Access Manager user records or corporate directory user records.

6. Create accounts for the Tivoli Access Manager users that you will manage with Tivoli Identity Manager.

One way to create accounts for existing users is through the use of the reconciliation function in Tivoli Identity Manager. For more information on reconciliation, see the IBM Tivoli Identity Manager Policy and Organization Administration Guide.

Most of these tasks are manual procedures, which are described in the IBM Tivoli Identity Manager Policy and Organization Administration Guide. However, the Provisioning Fast Start collection and Installer provide automated tasks for creating a service and for creating a basic provisioning policy that you can use as the basis for your own policy. They also provide a utility that can help you create Person records. Use of the automated tasks or utility is optional, but they are intended to make your integration easier.

Chapter 2, “Installing the Provisioning Fast Start collection,” on page 5 provides the details for running these tasks and installing the utility.

Chapter 3, “Creating a Tivoli Access Manager service and default provisioning policy,” on page 17 provides details about what happens when the tasks are run and what tasks should be performed after running the tasks.

Chapter 5, “Importing and synchronizing user data,” on page 29 provides the details about using the utility to create users in Tivoli Identity Manager.


Specialized integration tasks

Depending on the complexity of your integrated environment or your existing Tivoli Access Manager system, you might need to complete specialized tasks that are related to the integration.

Some examples of specialized tasks include:

• Configuring Tivoli Identity Manager for single sign-on with WebSEAL.

• Importing user data into Tivoli Identity Manager from an existing Tivoli Access Manager environment or an existing corporate directory.

• Synchronizing Tivoli Identity Manager user data with Tivoli Access Manager user data.

• Creating a Web interface from which users can self-manage their user IDs and passwords and request access to applications or resources.

To help you perform these tasks, the Provisioning Fast Start collection provides the following task, utility, and samples:

• Single Sign-On Enablement

See Chapter 4, “Configuring Tivoli Identity Manager for single sign-on with WebSEAL,” on page 21.

• IBM Directory Integrator AssemblyLine samples utility

See Chapter 5, “Importing and synchronizing user data,” on page 29.

• Web Application Sample

See Chapter 6, “Creating a Web interface for user self-management,” on page 47.

Chapter 2, “Installing the Provisioning Fast Start collection,” on page 5 can help you decide which items in the collection to install, ensure that you have the prerequisite software that each item requires, and install the items. The remaining chapters in this guide describe the tasks that are either automated in the collection or that are supported by the utilities and samples in the collection.


Chapter 2. Installing the Provisioning Fast Start collection

To help make the integration of Tivoli Access Manager and Tivoli Identity Manager easier, a collection of automated tasks and samples (called the Provisioning Fast Start collection) is provided with Tivoli Access Manager for e-business version 5.1. Although use of the items in the collection is optional, you might find that they will save you time and effort. To run the tasks or install the samples or utilities in the collection, you will use the Provisioning Fast Start Installer (referred to as the Installer).

Before running the Installer

Before you run the Provisioning Fast Start Installer from the IBM Tivoli Access Manager Base CD, you need to:

1. Make sure that you have the prerequisites for running the Installer and that you have met the general requirements for installing the tasks and samples.

2. Decide which automated tasks and samples will meet your needs. As part of this step, you also need to:

a. Make sure that you have the prerequisite software or configuration that those tasks, utilities, and samples require.

b. Decide where to install those tasks and samples. (Each task and sample has specific requirements for where it should be installed.)

Requirements for the Installer

You need the following hardware, software, and authorization to run the Installer:

Operating system

The Installer can be run on the following operating systems:

• Microsoft® Windows® 2000 or Windows NT®

• Sun Solaris Operating Environment version 7 or later

• AIX® version 4.3 or later

Hardware requirements

The Installer is included on the Tivoli Access Manager Base CD of Tivoli Access Manager for e-business version 5.1. To use this CD, you need a CD-ROM drive that can read CD-R (CD-Recordable) CDs.

Java Runtime requirement

You must have IBM Java Runtime Environment version 1.3.1 or higher (with the ibmjceprovider.jar file and the jaas.jar file) installed. (Version 1.3.1 is included with Tivoli Access Manager for e-business.)

Note: If you run the Installer on a system on which the Java Runtime Environment (JRE) version 1.3.1 is part of your WebSphere Application Server installation, you will receive an error message. As a result, you will need to take the following additional steps to run the Installer:

1. Locate the PD.jar file in the $WAS_HOME/AppServer/java/jre/lib/ext directory (where $WAS_HOME is the directory where WebSphere Application Server is installed).


2. If WebSphere Application Server is running on a Windows system, stop the WebSphere Application Server before taking the next step; otherwise, a sharing violation error will occur.

3. Move the PD.jar out of the $WAS_HOME/AppServer/java/jre/lib/ext directory (where $WAS_HOME is the directory where WebSphere Application Server is installed).

In most cases after running the Installer, you can move the PD.jar back to its original location. However, during the installation, you might have the option to create a new JRE configuration (for the JRE that will be used in support of the tasks or samples you install). If you choose to create a new JRE configuration, do not move the old PD.jar back to its original location because you will overwrite the new PD.jar that was created in the new configuration.
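The Java Runtime requirement above and the PD.jar workaround in the note are both things an administrator can check and carry out from a shell on the Solaris and AIX systems the Installer supports. The script below is an added example and is not part of the IBM guide or of the Provisioning Fast Start collection. It assumes a JRE root directory that has a lib/ext subdirectory, takes $WAS_HOME and a stash directory as arguments, and generalizes the guide's single 1.3.1 minimum to a comparison of any two dotted version strings. The restore step implements the caveat in the last paragraph: it refuses to put the old PD.jar back if a new one is already in place.

```sh
#!/bin/sh
# Added example (not from the IBM guide): pre-flight check for the Installer's
# JRE requirement, plus the PD.jar stash/restore workaround from the note above.
# Assumptions (mine, not the guide's): the JRE root passed in has a lib/ext
# directory, and the caller supplies $WAS_HOME and a stash directory. Stopping
# WebSphere on Windows before the move (step 2 of the note) is not done here.

# version_ge HAVE WANT: return 0 if dotted version HAVE >= WANT, comparing each
# numeric field in turn; a missing trailing field counts as 0, so 1.3 < 1.3.1.
version_ge() {
    awk -v have="$1" -v want="$2" 'BEGIN {
        nh = split(have, h, "."); nw = split(want, w, ".")
        n = (nh > nw) ? nh : nw
        for (i = 1; i <= n; i++) {
            a = (i <= nh) ? h[i] + 0 : 0
            b = (i <= nw) ? w[i] + 0 : 0
            if (a > b) exit 0
            if (a < b) exit 1
        }
        exit 0
    }'
}

# jre_version JRE_ROOT: print the version string reported by JRE_ROOT/bin/java
# (taken from a line of the form: java version "1.3.1"). Prints nothing if
# java cannot be run or the line is not found.
jre_version() {
    "$1/bin/java" -version 2>&1 | sed -n 's/^java version "\([^"]*\)".*/\1/p' | head -n 1
}

# check_jre JRE_ROOT [VERSION]: verify the guide's requirement of JRE 1.3.1 or
# higher with ibmjceprovider.jar and jaas.jar in lib/ext. VERSION overrides
# what java reports (useful when java is not on the checking host). Returns 0
# when everything is present; otherwise reports each problem and returns 1.
check_jre() {
    jre="$1"; ver="${2:-$(jre_version "$jre")}"; ok=0
    if [ -z "$ver" ]; then
        echo "check_jre: cannot determine Java version under $jre" >&2; ok=1
    elif ! version_ge "$ver" 1.3.1; then
        echo "check_jre: Java $ver found, 1.3.1 or higher required" >&2; ok=1
    fi
    for jar in ibmjceprovider.jar jaas.jar; do
        if [ ! -f "$jre/lib/ext/$jar" ]; then
            echo "check_jre: missing $jre/lib/ext/$jar" >&2; ok=1
        fi
    done
    return $ok
}

# stash_pd_jar WAS_HOME STASH_DIR: step 3 of the note. Moves PD.jar out of
# $WAS_HOME/AppServer/java/jre/lib/ext into STASH_DIR so the Installer no
# longer sees it. Returns 1 if there is no PD.jar to move.
stash_pd_jar() {
    ext="$1/AppServer/java/jre/lib/ext"; stash="$2"
    if [ ! -f "$ext/PD.jar" ]; then
        echo "stash_pd_jar: no PD.jar under $ext" >&2; return 1
    fi
    mkdir -p "$stash" && mv "$ext/PD.jar" "$stash/PD.jar"
}

# restore_pd_jar WAS_HOME STASH_DIR: put the stashed PD.jar back after the
# Installer has run. A new JRE configuration creates a new PD.jar in the same
# place and the old copy must not overwrite it, so this returns 2 and leaves
# both files alone when a PD.jar is already present; returns 1 if nothing was
# stashed.
restore_pd_jar() {
    ext="$1/AppServer/java/jre/lib/ext"; stash="$2"
    if [ ! -f "$stash/PD.jar" ]; then
        echo "restore_pd_jar: nothing stashed in $stash" >&2; return 1
    fi
    if [ -f "$ext/PD.jar" ]; then
        echo "restore_pd_jar: $ext/PD.jar already exists (new JRE configuration?); not overwriting" >&2
        return 2
    fi
    mv "$stash/PD.jar" "$ext/PD.jar"
}

# Usage (paths are examples, not the guide's; nothing runs when sourced):
#   . ./fast_start_prereq.sh
#   check_jre /opt/IBM/java/jre               # before starting install_ampfs
#   stash_pd_jar "$WAS_HOME" /var/tmp/pdstash  # before install_ampfs
#   restore_pd_jar "$WAS_HOME" /var/tmp/pdstash  # after install_ampfs
```

Passing the version explicitly to check_jre lets the same check run on a host where the JRE is staged but java itself is not executable; the return codes are distinct so a wrapper can tell "nothing to restore" (1) from "new PD.jar in place, restore refused" (2).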

System administrator authority

You must have system administrator authority (root or administrator) on the system where you are running the Installer.

Requirements for the tasks and samples

The tasks and samples in the Provisioning Fast Start collection are related to the integration of Tivoli Identity Manager and Tivoli Access Manager. As a result, the use of many of the tasks and samples requires that the following software be installed:

• Tivoli Access Manager for e-business, version 5.1 (and its prerequisites)

• Tivoli Identity Manager, version 4.5 (and its prerequisites)

• Tivoli Access Manager agent

However, for a list of the specific prerequisites for each item in the Provisioning Fast Start collection, refer to the sections that correspond to the tasks in “Choosing automated tasks and samples to install.”

Choosing automated tasks and samples to install

Deciding which tasks and samples to install and use depends on how your Tivoli Access Manager and Tivoli Identity Manager environments are set up. All of the tasks and samples in the Provisioning Fast Start collection are optional. They are provided to fully or partially automate some of the manual steps you would otherwise need to perform.

As with any new tool or configuration, consider running these tasks or installing these samples and utilities in a test or proof of concept environment before using them in your production environment.

The following sections list the specialized or automated tasks you might want to complete, the corresponding item you should select in the Installer, the action performed by the Installer, and the additional prerequisite software that the task or sample requires.

Note: The Provisioning Fast Start Installer determines the software and agent configuration on your system before it presents a list of items for you to select. As a result, the Installer will display only the items that can be run or installed on your system.


Creating a Tivoli Access Manager service and a basic provisioning policy

This automated task can be used instead of the manual tasks for adding a service and adding a provisioning policy in Tivoli Identity Manager. (The manual tasks are described in the IBM Tivoli Identity Manager Policy and Organization Administration Guide.) The basic provisioning policy created by this task includes the minimum attributes needed in a provisioning policy and is designed for you to use as the basis for creating your own provisioning policy.

Item to select in the Installer:

To run this automated task, select the following item in the Installer:

Access Manager service and provisioning policy

Prerequisites:

The following environments must be in place before running this task:

• Tivoli Access Manager for e-business, version 5.1

• Tivoli Identity Manager version 4.5

• Tivoli Access Manager agent (and profile, which is created as part of the agent installation procedure)

• Connection to the Tivoli Identity Manager user registry. (You must know the password to this registry.)

Location to run the Installer:

Run this task on the Tivoli Identity Manager server.

Actions taken by the Installer:

When you select Access Manager service and provisioning policy, the Installer performs the following configuration:

• Adds a Tivoli Access Manager service to Tivoli Identity Manager, if one has not already been created.

• Installs a basic provisioning policy to get you started.

Note: You will want to customize this basic policy after it is installed.

For more information about the service and provisioning policy that are created, see Chapter 3, “Creating a Tivoli Access Manager service and default provisioning policy,” on page 17.

Configuring Tivoli Identity Manager for single sign-on with WebSEAL

This automated task corresponds to two selections in the Installer. It replaces many of the steps in the manual procedure for “Configuring single sign-on with WebSEAL,” which is documented in the IBM Tivoli Identity Manager Server Configuration Guide.

Attention: Before running this task in the Installer, review the overall task in Chapter 4, “Configuring Tivoli Identity Manager for single sign-on with WebSEAL,” on page 21.

Items to select in the Installer:

To run this automated task, select the following items in the Installer:

• Single Sign-On Enablement

– WebSEAL Junction Configuration

– Identity Manager Configuration

Prerequisites:

The following environments must be in place before running this task:

• Tivoli Access Manager for e-business, version 5.1 (with WebSEAL installed and configured)

• Tivoli Identity Manager version 4.5 (the server to be managed by WebSEAL)

• Tivoli Access Manager agent

• Tivoli Access Manager service and account (installed and configured)

• A Tivoli Access Manager account must be assigned to the Tivoli Identity Manager administrator.

Additional prerequisites for this task are described in the IBM Tivoli Identity Manager Server Configuration Guide.

Location to run the Installer:

Run this task on the Tivoli Identity Manager server.

Actions taken by the Installer:

When you select Single Sign-On Enablement: WebSEAL Junction Configuration, the Installer performs the following configuration:

• Configures either a WebSEAL TCP junction or a WebSEAL SSL junction to enable single sign-on capability for Tivoli Identity Manager.

For more information about WebSEAL junctions, refer to the IBM Tivoli Access Manager for e-business WebSEAL Administration Guide.

• In addition, this automated task creates default ACLs for the junction.

For more information about the junction that is created, see Chapter 4, “Configuring Tivoli Identity Manager for single sign-on with WebSEAL,” on page 21.

When you select Single Sign-On Enablement: Identity Manager Configuration, the Installer performs the following configuration:

• Updates the Tivoli Identity Manager properties files to support single sign-on with WebSEAL.

For more information about the properties configured, see Chapter 4, “Configuring Tivoli Identity Manager for single sign-on with WebSEAL,” on page 21.

Importing or synchronizing user data

To perform this task, you will first need to use the Installer to install the IBM Directory Integrator AssemblyLine samples utility that is available in the Provisioning Fast Start collection. You can use the utility to:

• Import Tivoli Access Manager users (in a single domain) into Tivoli Identity Manager.

• Import Tivoli Access Manager users (in multiple domains) into Tivoli Identity Manager.

• Import users from an existing corporate directory into Tivoli Identity Manager.

• Synchronize Tivoli Identity Manager user attributes with Tivoli Access Manager user attributes.

Item to select in the Installer:

To install the utility, select the following item in the Installer:


IBM Directory Integrator AssemblyLine samples

Prerequisites:

To install the utility, you must already have IBM Directory Integrator 5.1.2 or later installed.

In addition, the following environments must be in place, depending on the tasks you plan to complete when using the utility:

• Tivoli Access Manager for e-business, version 5.1 and a connection to the Tivoli Access Manager user registry (if you will import Tivoli Access Manager users to Tivoli Identity Manager or you will synchronize the Tivoli Identity Manager user registry with the Tivoli Access Manager user registry).

• Tivoli Identity Manager version 4.5 with the IDI Data Feed Service created (as described in “Creating the IDI Data Feed Service in Tivoli Identity Manager” on page 32).

• Connection to the corporate directory (if you are importing users from a corporate directory into Tivoli Identity Manager).

• Enablement of the LDAP changelog of the Tivoli Identity Manager user registry, if you are synchronizing Tivoli Identity Manager users with Tivoli Access Manager users. See “Synchronizing Tivoli Identity Manager user attributes with Tivoli Access Manager user attributes” on page 44 for more information.

Location to run the Installer:

To install the utility files in the proper place, run the Installer on the machine where IBM Directory Integrator is installed.

In addition, if LDAP or Active Directory is the user registry for Tivoli Access Manager, the IBM Directory Integrator and the utility should be installed on a server or workstation that can remotely access the Tivoli Access Manager registries and the Tivoli Identity Manager server.

If a Lotus Domino® server is the user registry for Tivoli Access Manager, IBM Directory Integrator and the utility should be installed together on a Lotus Notes client that can access the Domino server.

Actions taken by the Installer:

When you select IBM Directory Integrator AssemblyLine samples, the Installer creates the following directory and copies the utility files to it: $IDI_HOME/TAMTIMIntegration (where $IDI_HOME is the root directory for the IBM Directory Integrator).

For more information about the utility, see Chapter 5, “Importing and synchronizing user data,” on page 29.

Creating a Web interface for user self-management through Tivoli Identity Manager

If you are using Tivoli Identity Manager and Tivoli Access Manager in an integrated environment and you would like your users to be able to manage their own user IDs and passwords and to make requests for accessing company applications that are protected by Tivoli Access Manager, you could benefit from using a self-management Web portal page.

The Provisioning Fast Start collection provides a set of samples (collectively called the Web Application Sample) that you can use to create the Web portal page. You can use the Installer to install the Web Application Sample. However, if you need to install the Sample in a clustered environment or you want to install the Sample on a machine on which Tivoli Identity Manager is not installed, refer to the additional installation instructions in Chapter 6, “Creating a Web interface for user self-management,” on page 47.

Item to select in the Installer:

To install the Sample, select the following item in the Installer:

Tivoli Identity Manager Web Application Sample

Prerequisites:

You must have the following software installed to use the Sample:

• WebSphere Application Server 5.0.2, and the patches specified in the IBM Tivoli Identity Manager Version 4.5 Release Notes.

Note: Make sure that Security on the WebSphere server is disabled before you run the Installer. The Installer will not install the Sample if Security is enabled because when Security is enabled, the Installer cannot determine the status of the WebSphere Application Servers.

• Tivoli Identity Manager version 4.5

You can use additional features in the Sample if you also have the following environments configured:

• Tivoli Access Manager for e-business, version 5.1

• WebSEAL (to use for single sign-on to Tivoli Identity Manager)

• Tivoli Access Manager agent

Location to run the Installer:

To install the Sample, run the Installer on the machine where WebSphere Application Server version 5.0.2 is installed.

Note: If you want to install the Sample in a clustered environment or if you want to install the Sample on a machine that does not have Tivoli Identity Manager installed, see “Installation methods” on page 49.

Actions taken by the Installer:

When you select Tivoli Identity Manager Web Application Sample, the Installer installs the Sample pages and servlets so they can interface with Tivoli Identity Manager.

For more information about the Sample, see Chapter 6, “Creating a Web interface for user self-management,” on page 47.

After you have determined which tasks you want to complete and you have installed the prerequisite software, you might want to review the chapters in this guide that correspond to those tasks. The information in those chapters will help you understand the tasks and make you aware of any additional installation instructions and post-configuration steps.

After reviewing this information, you are ready to run the Installer. Refer to “Running the Installer” on page 11 for installation instructions.


Running the Installer

The following instructions explain how to run the Installer. As you use the Installer, view online help by clicking the Help button in the Installer panels. The help window will remain open and, as you move through the Installer panels, the help text will change to correspond with the panel that is displayed.

To start the Tivoli Access Manager Provisioning Fast Start Installer:

1. If you will run the Installer on a machine where WebSphere Application Server is installed, be sure to disable Security in the WebSphere Server before continuing with this procedure. For more information, see “Installation requirements” on page 48.

2. Review the prerequisites for the items you want to install. Then insert the Tivoli Access Manager Base CD into the CD-ROM drive of the appropriate machine.

Note: If you need to install items on different machines, you will need to run the Installer on each of those machines.

3. Locate and double-click the install_ampfs icon or open a command prompt, change to the CD-ROM drive, and type install_ampfs.

The language selection window is displayed.

4. Select your language.

The Welcome panel is displayed.

5. To continue the installation, click Next.

A license panel is displayed. You are asked to accept the terms of the license agreement. Accept the terms if you want to continue with the installation.

6. Click Next.

After this step in the installation process, the following phases take place in the order shown:

1. Prerequisite checking

2. Selection of items to install

3. Configuration and installation

Prerequisite checking

Note: The Provisioning Fast Start Installer determines the software and agent configuration on your system before it presents a list of items for you to select. As a result, the Installer will display only the items that can be run or installed on your system. You will not be able to select items to install until the Prerequisite Checking phase has completed.

During the Prerequisite Checking phase, the Installer determines if you have specific software or configurations. You should know what items you plan to install and be familiar with the prerequisites for those items before continuing. Refer to “Choosing automated tasks and samples to install” on page 6 if you need help.

Check 1: WebSphere Application Server

WebSphere Application Server is required by the Web Application Sample. The Installer determines if you have WebSphere Application Server installed. If you do, the Installer retrieves a list of the WebSphere servers in your environment and starts any servers that are not already started.


If you don’t have WebSphere Application Server installed in the environment where you are running the Installer, or if the WebSphere servers cannot be started, you will not be able to install the Web Application Sample. This outcome might be acceptable to you if you don’t plan to install the Sample.

After each prerequisite check, the Installer displays the next prerequisite check automatically.

Check 2: Valid connection to the Tivoli Identity Manager user registry

Note: This prerequisite check is required if you want to install the Access Manager service and provisioning policy. The information requested here can also be used as part of the configuration of the Web Application Sample, although it is not required for it. If you will not be installing the Access Manager service and provisioning policy or if you don’t need this information automatically configured for the Web Application Sample, click Next until you reach the panel that checks for the Tivoli Access Manager Java Runtime Environment, which is described in “Check 3: Tivoli Access Manager Java Runtime Environment.”

If the Installer locates the administrator account for the user registry, it requests the password for this account to validate the connection to the repository.

1. Type the password in the password fields.

2. Click Next.

If you click Next before you provide the password, you will not be able to install Access Manager service and provisioning policy.

Check 3: Tivoli Access Manager Java Runtime Environment

The Installer looks for the Tivoli Access Manager Java Runtime Environment, which is required to install the Single Sign-On Enablement.

The panel that is displayed during this prerequisite check depends on which of the following conditions apply to the Tivoli Access Manager Java Runtime Environment:

• Installed and configured

• Installed but not configured

• Not installed


Installed and configured

Note: If you will not be installing Single Sign-On Enablement, skip this prerequisite check by clicking Next until you reach the panel that says the prerequisite checks have been completed.

If the Tivoli Access Manager Java Runtime Environment is already installed and configured, a panel asks you to enter information to establish communication between the Installer and the Tivoli Access Manager Policy Server that is using the Tivoli Access Manager Runtime Environment. You have two options for completing this panel:

• Create a new configuration file:

Choose this option if you cannot specify the information for an existing configuration.

1. Select the Create a new configuration check box and click Next.

2. On the next panel, you are asked to provide configuration information for the Tivoli Access Manager Application Server. Complete the fields. Click the Help button if you need descriptions of the fields.

3. When you have completed the fields, click Next. Continue with the steps in “Selection of items to install” on page 14.

• Use an existing configuration file:

If you want to use the existing configuration of the Tivoli Access Manager Java Runtime Environment:

1. Complete the fields. Refer to the online help if you need descriptions of the fields.

2. Then click Next. Continue with the steps in “Selection of items to install” on page 14.

Installed but not configured

Note: If you will not be installing Single Sign-On Enablement, skip this prerequisite check by clicking Next until you reach the panel that says the prerequisite checks have been completed.

If the Tivoli Access Manager Java Runtime Environment is already installed but is not configured:

1. A panel asks you to enter information to configure the runtime. Complete the fields. Click the Help button for descriptions of the fields.

2. Click Next.

3. Then, you will be asked to establish communication with the Tivoli Access Manager Runtime Environment. Follow the steps in “Installed and configured.”


Not installed

Note: If you will not be installing Single Sign-On Enablement, skip this prerequisite check by clicking No when you are prompted to install the Java Runtime Environment and then click Next until you reach the panel that says the prerequisite checks have been completed.

If the Tivoli Access Manager Java Runtime Environment is not installed, a panel asks if you want the Java Runtime Environment to be installed. Click either the Yes or No radio button.

• If you click No, Single Sign-On Enablement will not be in the list of installable items. Click Next and continue with the steps in “Selection of items to install.”

• If you click Yes, the Tivoli Access Manager Java Runtime Environment will be installed on your system.

When the installation has completed, a message indicates whether the installation was successful. Complete the appropriate step:

– If the installation was successful, click OK. The configuration panel is displayed. Follow the steps in “Installed but not configured” on page 13.

– If the Tivoli Access Manager Java Runtime Environment installation failed, you can try to reinstall it, or you can continue with the overall installation by clicking Next until you reach the panel that says prerequisite checking is complete; however, if you do not install it, you cannot install Single Sign-On Enablement.

Selection of items to install

When all of the prerequisite checks have been completed, the panel displayed will list any items that you will not be able to install because prerequisites are missing. The missing prerequisites are also identified. On this panel, do one of the following:

• Click Cancel to exit from the Installer and install any missing prerequisites, and then restart the Installer.

• Click Back to make changes to information you supplied during the prerequisite checks.

• Click Next to continue with the installation.

If you click Next, the panel displayed will list the items that you can install. On this panel:

1. Check marks indicate which items are already selected for installation (selections were made based on the prerequisite checks). Clear the check mark from any item you don’t want to install. Keep in mind that the Installer has determined the software and agent configuration on your system before it presents these selections. As a result, the Installer will display only the items that can be run or installed on your system. Some of the selections listed below might not be displayed.

• IBM Directory Integrator AssemblyLine samples

• Web Application Sample

• Single Sign-On Enablement

– WebSEAL Junction Configuration (Single Sign-On Enablement must be selected in order to select this item.)

– Identity Manager Configuration (Single Sign-On Enablement must be selected in order to select this item.)

v Access Manager service and provisioning policy

2. After you have made your selections, you will have the opportunity to returnto this panel and change your selections before you continue.

3. Click Next when you are ready to provide any configuration information

required for the items you selected.

Configuration and installation

If you selected any of the following items, the Installer asks you for additional configuration information:

• Single Sign-On Enablement (with WebSEAL Junction Configuration)

• Access Manager service and provisioning policy

• Tivoli Identity Manager Web Application Sample

Note: In addition, if you selected the Web Application Sample and the Tivoli Identity Manager server was not detected, you will be prompted to provide information about it during this configuration phase.

For help with completing these configuration panels, refer to the online help. When you are done, click Next on the last configuration panel to complete the installation.

After running the Installer

Depending on the tasks you ran or the samples you installed, you might have to perform additional configuration tasks. For more information, refer to the chapters in this guide that correspond to the task you ran or the samples you installed:

• Access Manager service and provisioning policy. See Chapter 3, “Creating a Tivoli Access Manager service and default provisioning policy,” on page 17.

• Single Sign-On Enablement: WebSEAL Junction and Identity Manager Configuration. See Chapter 4, “Configuring Tivoli Identity Manager for single sign-on with WebSEAL,” on page 21.

• IBM Directory Integrator AssemblyLine samples. See Chapter 5, “Importing and synchronizing user data,” on page 29.

• Web Application Sample. See Chapter 6, “Creating a Web interface for user self-management,” on page 47.

Uninstalling

If you uninstall the Provisioning Fast Start collection, the following installed items are removed:

• IBM Directory Integrator AssemblyLine samples

• Web Application Sample

• Single Sign-On Enablement

– WebSEAL Junction Configuration (The junction is removed. However, the ACLs are removed only if they are not in use.)

– Identity Manager Configuration (The values in the properties files that were changed when you ran the Installer are returned to their default values.)

Note: The Access Manager service and provisioning policy are not uninstalled. If they are no longer needed, delete them from the Tivoli Identity Manager interface yourself; otherwise the service, with the Tivoli Access Manager credentials you gave the Installer, stays configured.


To uninstall the Provisioning Fast Start collection:

• On Windows, do one of the following:

– Run uninstaller.exe in the C:\Program Files\IBM\TivoliAccessManagerProvisioningFastStart\_uninst directory.

– In the Control Panel folder, click Add/Remove Programs. Select Provisioning Fast Start. Then click OK.

• On AIX or Solaris: Run uninstaller.bin in the /opt/IBM/TivoliAccessManagerProvisioningFastStart/_uninst directory.

After running the uninstall program, you can remove the /opt/IBM/TivoliAccessManagerProvisioningFastStart directory and its subdirectories.


Chapter 3. Creating a Tivoli Access Manager service and default provisioning policy

This automated task, which is run using the Installer, takes the place of the manual tasks for adding a service and adding a provisioning policy in Tivoli Identity Manager. (The manual tasks are described in the IBM Tivoli Identity Manager Policy and Organization Administration Guide.)

The steps for running the automated task are in Chapter 2, “Installing the Provisioning Fast Start collection,” on page 5. What the automated task changes is described in “Automated configuration.” Steps you might need to complete after running it are described in “Post-configuration tasks” on page 19.

Automated configuration

If you selected the Access Manager service and provisioning policy task when you ran the Installer, a Tivoli Access Manager service and a default provisioning policy were added to Tivoli Identity Manager.

Service

After running the service creation task in the Installer, a Tivoli Access Manager service has been added to Tivoli Identity Manager, just as if you had followed the “Adding a Service” procedure described in the IBM Tivoli Identity Manager Policy and Organization Administration Guide.

The following fields were configured with the values you provided in the configuration and installation phase of the Installer process:

Service name

URL

User ID

Password

CA Certificate Store

Certificate File

The following fields, which are used for some services, were not used in the Tivoli Access Manager service:

Private Key File

Owner

Service Prerequisite

Remote Time Zone

Domain Server Name


Default provisioning policy

After running the provisioning policy creation task in the Installer, a provisioning policy is created, just as if you had followed the “Adding a Provisioning Policy” procedure described in the IBM Tivoli Identity Manager Policy and Organization Administration Guide.

This default provisioning policy was configured with the following information:

• General information

• Memberships

• Entitlements

General information

The settings for the general information of the default provisioning policy are:

Policy name: Set to a custom value that you defined when you ran the Installer.

Caption: Not set.

Description: Not set.

Status: Set to a default value of enabled.

Keywords: Not set.

Service Resolution Scope: Not set.

Priority: Set to a default value of 1; the lowest priority number takes precedence if you have more than one provisioning policy.

Membership

Membership specifies who is governed by the provisioning policy. The membership in the default provisioning policy is ALL; this value means that the policy applies to every person in the organization.

Entitlements

Entitlements specify:

• Whether the policy is enforced manually or automatically

• The service or service types used in the provisioning policy

• The provisioning parameters (values that are applied to an account when it is provisioned to a user)

• The association with a workflow

The entitlements in the default provisioning policy are:

Type: Set to a custom value that you defined when you ran the Installer.

Target Type: Set to a default value of service.

Service Type and Service Name: Set to a default value of Access Manager Service.

Provisioning Parameters List: Not set.


Advanced Provisioning Parameters List: Set to the following:

sn: subject.getProperty("cn")[0]
erpassword: subject.getProperty("sn")[0]
ertam4dn: "cn="+subject.getProperty("cn")[0]+","+tamDn
ertam4passwordpolicy: TRUE
ertam4singlesign: TRUE
cn: subject.getProperty("cn")[0]

Process Definition: Not set.

Priority: Set to a default value of 1; the lowest priority number takes precedence if you have more than one provisioning policy.

For more information about viewing and modifying a provisioning policy, see the IBM Tivoli Identity Manager Policy and Organization Administration Guide.

Post-configuration tasks

Before using the service and provisioning policy, you might need to complete the following additional tasks:

• Viewing or modifying the service

• Customizing the default provisioning policy

Viewing or modifying the service

No further configuration of this service is required; however, using the Tivoli Identity Manager interface, you can add other services or modify or delete this service. For more information about managing services, refer to the IBM Tivoli Identity Manager Policy and Organization Administration Guide.

Customizing the default provisioning policy

Because this provisioning policy configures only the minimum values, you will want to modify the policy after it has been created. In particular, review the advanced provisioning parameters and the membership: as installed, the account's initial password (erpassword) is taken from the person's sn attribute, and the membership of ALL means every person in the organization falls under the policy. For more information about modifying provisioning policies, see the IBM Tivoli Identity Manager Policy and Organization Administration Guide.


Chapter 4. Configuring Tivoli Identity Manager for single sign-on with WebSEAL

The Provisioning Fast Start collection provides two automated tasks that are part of the overall task for configuring Tivoli Identity Manager for single sign-on with WebSEAL. An explanation of why you might want to perform this overall task and the manual steps for performing it are described in the “Configuring Single Sign-on Solutions” chapter of the IBM Tivoli Identity Manager Server Configuration Guide.

If you use the automated tasks provided in the Provisioning Fast Start collection, the steps in the overall task are as follows:

1. Review the “Configuring Single Sign-on Solutions” chapter in the IBM Tivoli Identity Manager Server Configuration Guide.

2. Configure WebSEAL as follows:

• Pass all domain attributes in cookie headers.

• Recognize UTF-8 encoded strings only.

Refer to the IBM Tivoli Access Manager for e-business WebSEAL Administration Guide for more information.

3. Provision a Tivoli Identity Manager administrator with a Tivoli Access Manager account.

Refer to the IBM Tivoli Identity Manager Policy and Organization Administration Guide for more information.

Note: You cannot log in to Tivoli Access Manager with the default Tivoli Identity Manager administrator ID, itim manager, because Tivoli Access Manager does not support user IDs that contain spaces. You can assign any Tivoli Access Manager user ID to the default itim manager administrator ID if you have configured the Tivoli Identity Manager properties file, enRoleAuthentication.properties, to enable an internal identity mapping algorithm. See “Tivoli Identity Manager properties files related to single sign-on” on page 22 for more information.

4. Run the Provisioning Fast Start Installer as described in Chapter 2, “Installing the Provisioning Fast Start collection,” on page 5 and select:

• Single Sign-On: WebSEAL Junction Configuration, which creates either a WebSEAL TCP junction or a WebSEAL SSL junction and two default ACLs for the junction.

• Single Sign-On: Identity Manager Configuration, which updates the Tivoli Identity Manager properties files as needed to support single sign-on.

5. Modify the default ACLs that were created for the junction. For example, you might want to add groups and permissions to the ACLs. (For details, see “Modifying the ACLs for the junction” on page 25.)

6. Change the Tivoli Identity Manager session timeout. (For details, see “Changing the Tivoli Identity Manager timeout session” on page 24.)

7. If the Installer installs an SSL junction, be sure to update and configure your SSL certificates. (For details, see “Configuring the SSL certificate for an SSL junction” on page 24.)


The steps for running the automated tasks are in Chapter 2, “Installing the Provisioning Fast Start collection,” on page 5. What these automated tasks change is described in “Automated configuration.” Steps that you might need to complete after running them (such as step 5, step 6, and step 7 on page 21) are described in “Post-configuration tasks” on page 23.

Automated configuration

If you selected Single Sign-On: WebSEAL Junction Configuration when you ran the Installer, a WebSEAL junction was configured and ACLs were associated with the junction. See “WebSEAL junction for single sign-on.”

If you selected Single Sign-On: Identity Manager Configuration when you ran the Installer, the Tivoli Identity Manager properties files were updated to enable single sign-on. See “Tivoli Identity Manager properties files related to single sign-on.”

WebSEAL junction for single sign-on

After running the Single Sign-On: WebSEAL Junction Configuration automated task, either a WebSEAL TCP junction or a WebSEAL SSL junction was created with the following ACLs associated:

• ItimProtected, for authenticated access. This ACL is associated with all applications in the WebSEAL protected object space that require a user to log in. The Tivoli Identity Manager server and its interface are associated with this ACL.

• ItimUnprotected, for unauthenticated access. This ACL is associated with all applications that the user can access without logging in.

These ACLs do not have groups assigned. If you want to assign Tivoli Access Manager groups to them, you will need to modify the ACLs. See “Modifying the ACLs for the junction” on page 25.

A TCP junction carries the traffic between WebSEAL and the Tivoli Identity Manager server, including the iv-user header that identifies the logged-in user, without encryption. Choose an SSL junction unless the two servers share a network segment that you trust.

Note: The WebSEAL junction that is created by this task will also support single sign-on for the Web Application Sample (which is described in Chapter 6, “Creating a Web interface for user self-management,” on page 47) and for the Web Portal Manager that comes with Tivoli Access Manager. If you are using WebSEAL to manage Web Portal Manager, you can use this junction and complete the following steps to enable SSO for Web Portal Manager:

1. Locate pdwpm.conf on the Tivoli Access Manager server and open it in a text editor.

2. Change the value of the authMethod attribute to SSO.

3. Save your changes and close the file.

4. Stop and then restart the WebSphere Application Server.

Tivoli Identity Manager properties files related to single sign-on

After running the Identity Manager Configuration automated task, some Tivoli Identity Manager properties files (in the $ITIM_HOME/data directory) and attributes are updated to enable single sign-on as follows:

• Properties file: ui.properties

– enrole.ui.ssoEnabled=true


– enrole.ui.logoffURL=ssoLogout.jsp

• Properties file: enRoleAuthentication.properties

– enrole.authentication.idsEqual=

You selected a value for this attribute when you ran the Installer.

true: Specifies that the Tivoli Access Manager user ID is always the same as the Tivoli Identity Manager user ID.

Note: In single sign-on with WebSEAL, users log in with the user IDs of their Tivoli Access Manager accounts. However, Tivoli Identity Manager still needs to authenticate the user against its own accounts.

false: Specifies that the Tivoli Access Manager user ID is not always the same as the Tivoli Identity Manager user ID.

If you selected false, an internal identity mapping algorithm is used to map the user ID of the user's Tivoli Access Manager account to the user ID of the user's Tivoli Identity Manager account.

Post-configuration tasks

After you have run these automated tasks in the Installer, you might need to complete additional tasks, depending on your environment:

• Running the automated tasks in a clustered environment

• Changing the timeout session

• Configuring the SSL certificate for an SSL junction

• Modifying the ACLs for the junction

• Addressing security concerns

• Configuring the logoff page

• Accessing the Tivoli Identity Manager logon page

Running the automated tasks in a clustered environment

Tivoli Identity Manager Server can be installed in either a single-server or cluster configuration. In either case, a single WebSEAL junction is able to support SSO for the entire Tivoli Identity Manager Server configuration. The “Configuring single sign-on with WebSEAL” procedure in the IBM Tivoli Identity Manager Server Configuration Guide and the two automated tasks described in Chapter 2, “Installing the Provisioning Fast Start collection,” on page 5 of this guide present the steps required for a single-server configuration.

Enabling Tivoli Identity Manager for WebSEAL single sign-on in a clustered environment requires that you perform tasks on multiple systems, as follows:

1. Review the “Configuring Single Sign-on Solutions” chapter in the IBM Tivoli Identity Manager Server Configuration Guide.

2. Configure WebSEAL as follows:

• Pass all domain attributes in cookie headers.

• Recognize UTF-8 encoded strings only.

Refer to the IBM Tivoli Access Manager for e-business WebSEAL Administration Guide for more information.

3. Provision a Tivoli Identity Manager administrator with a Tivoli Access Manager account.


Refer to the IBM Tivoli Identity Manager Policy and Organization Administration Guide for more information.

4. On one of the systems in the cluster:

• Run the Provisioning Fast Start Installer as described in Chapter 2, “Installing the Provisioning Fast Start collection,” on page 5 and select:

– WebSEAL Junction Configuration, which creates either a WebSEAL TCP junction or a WebSEAL SSL junction.

– Identity Manager Configuration, which updates the Tivoli Identity Manager properties files as needed to support single sign-on.

• Change the Tivoli Identity Manager session timeout. (For details, see the “Configuring Single Sign-On with WebSEAL” chapter of the IBM Tivoli Identity Manager Server Configuration Guide.)

• If the Installer creates an SSL junction, be sure to update and configure your SSL certificates. See “Configuring the SSL certificate for an SSL junction.”

5. On each of the remaining Tivoli Identity Manager Server systems in the cluster, run the Tivoli Access Manager Provisioning Fast Start Installer and select Identity Manager Configuration, which updates the Tivoli Identity Manager properties files on that system.

See Chapter 2, “Installing the Provisioning Fast Start collection,” on page 5 for detailed installation steps.

6. Also, on all machines in the clustered environment, be sure to configure the session timeout. See “Changing the Tivoli Identity Manager timeout session.”

Changing the Tivoli Identity Manager timeout session

To prevent a security exposure in a shared workstation environment, change the default Tivoli Identity Manager session timeout so that one of the following holds:

• Tivoli Identity Manager times out due to inactivity.

• Tivoli Identity Manager times out at the same time as, or before, WebSEAL times out due to inactivity.

Otherwise a Tivoli Identity Manager session can outlive the WebSEAL session that established it and remain usable from the same browser on the shared workstation.

To change the setting:

1. Open the WebSphere Administrative Console.

2. Click Applications.

3. Click Enterprise Applications.

4. Click enRole. Scroll down to Additional Properties and click Session Management.

5. Change the value of the session timeout to the appropriate value (as described above).

6. Save changes.

7. Stop and start enRole.

Configuring the SSL certificate for an SSL junction

If the Installer created a WebSEAL SSL junction when you ran this task, you need to use GSKit to configure the SSL certificate before you can use the junction.

Note: Before beginning this procedure, make sure that you configure GSKit as described in the IBM Tivoli Access Manager for e-business Web Security Installation Guide, which is available as part of the IBM Tivoli Access Manager for e-business library.


1. Start the iKeyman utility for the WebSphere Application Server.

2. Select Open in the Key Database File task.

3. Open the DummyServerKeyFile.jks file located in the $WAS_HOME/etc directory. A password prompt is displayed. If you are using the dummy file, the password is “WebAS”. (The dummy key file and its password ship with every WebSphere Application Server installation, so a junction that trusts the dummy certificate cannot distinguish your server from any other; use it only for testing and use your own key file, as described in step 6, in production.)

4. Select the websphere dummy server certificate and then click Extract Certificate.

5. On the Extract Certificate to a File window, enter the following:

• Data type: Select Base64-encoded ASCII data.

• Certificate file name: Enter the file name for the certificate.

• Location: Enter the directory path where the certificate is to be stored. For this example, enter WebSphereServerCert.arm for the Certificate file name and store the certificate in the $WAS_HOME/etc directory.

6. Click OK. After the certificate is saved, the certificate needs to be transferred to the WebSEAL server. Use a channel whose integrity you can verify, because whatever you add as a signer certificate in the steps below is what WebSEAL will trust on the junction.

If you defined your own keyfiles for WebSphere and obtained a certificate from a CA, you must use the root CA's certificate that signed your WebSphere certificate in the following steps instead.

7. Close the WebSphere IBM Key Management GUI.

8. On the WebSEAL server, start the GSKit iKeyman executable.

9. Select Open in the Key Database File task.

10. This example uses the WebSEAL default database. Navigate to the $WebSEAL_root/www-WebSEAL_instance/certs/pdsrv.kdb file and click Open (where $WebSEAL_root is the directory where WebSEAL is installed and WebSEAL_instance is the name of the WebSEAL instance where the database is located).

11. Enter the password when a password prompt window appears. (The password for the default WebSEAL database is pdsrv. If your installation still uses this default, change it; it is documented and the same on every installation.)

12. When the database opens, select Signer Certificates.

13. Click Add. The Add CA's Certificate from a File window is displayed.

14. Do the following in the Add CA's Certificate from a File window:

• Data type: Select Base64-encoded ASCII.

• Certificate file name: Click Browse to navigate to the certificate file. This example uses the WebSphereServerCert.arm file located in the $WAS_HOME/etc directory.

15. Click OK. A prompt for a label name to store the certificate is displayed. This example uses the entry WAS 5 Server.

16. Click OK. The IBM Key Management panel is displayed with a list of Signer Certificates, including the label name that you specified.

17. Close the GSKit IBM Key Management GUI.

Modifying the ACLs for the junction

If you want to modify the default ACLs that were created when the junction was created, use the acl modify command, either in pdadmin as described in the IBM Tivoli Access Manager Command Reference or in Web Portal Manager as described in the IBM Tivoli Access Manager Base Administration Guide.


Addressing security concerns

When configured for single sign-on, the Tivoli Identity Manager server uses an HTTP header, iv-user, to identify the authenticated user. There is not, however, an independent mechanism to verify that this HTTP header was received from a trusted source such as Tivoli Access Manager WebSEAL or plug-ins. If users have direct network access to the Tivoli Identity Manager server, bypassing WebSEAL, it is possible to impersonate another user: an attacker creates an HTTP request with iv-user set to another user ID and sends that request straight to the Tivoli Identity Manager Server's logon page. To address this security concern, refer to the “Overview of Single Sign-on Capability” section of the “Configuring Single Sign-on Solutions” chapter of the IBM Tivoli Identity Manager Server Configuration Guide. Whatever control you choose, verify it: a request that carries an iv-user header but does not arrive through WebSEAL must land on the logon form, not in an authenticated session.

Changing the configured Logoff page

Tivoli Identity Manager comes with several files, each of which can be specified as the logoff page for the Tivoli Identity Manager GUI. The files are in the $WAS_HOME/AppServer/installedApps/$NODE_NAME/enRole.ear/app_web.war directory (where $WAS_HOME is the directory where WebSphere Application Server is installed). When you ran the Installer, ssoLogout.jsp was set as the logoff page.

If you want to use a different page, modify the ui.properties file, as follows:

1. Open the Tivoli Identity Manager $ITIM_HOME/data/ui.properties file in a text editor.

2. For the enrole.ui.logoffURL property, specify one of the logoff pages described in the following table.

Note: The ssoLogout.jsp and websealLogout.jsp files are sample files that show the sample code required to use the Tivoli Identity Manager GUI logout button when WebSEAL single sign-on is enabled. You can edit these files (including language) to perform any functions appropriate to your environment.

Table 1. Logoff pages

websealLogout.jsp
This sample file is the most secure. Use it when you want the following combined behavior when the user clicks the Logoff button:

• Terminate the Tivoli Identity Manager logon session.

• Terminate the Tivoli Access Manager logon session (the pkmslogout function is invoked).

pkmslogout only works for clients that use an authentication mechanism that does not supply authentication data with each request. For example, pkmslogout does not work for clients using Basic Authentication, certificates, or IP address information. In these cases, the user must close the browser to log out. pkmslogout provides this information to the user in a message that appears on the logout page.

You can edit this file to customize the sample logoff functionality.


logoff.html
Default Tivoli Identity Manager logoff behavior:

SSO disabled: After the user clicks the Logoff button, the Tivoli Identity Manager logon page is displayed.

SSO enabled: After the user clicks the Logoff button, the user is returned to the Tivoli Identity Manager GUI because the authentication information from Tivoli Access Manager (in the iv-user HTTP header) is still available. With single sign-on enabled, this page therefore does not end either session.

ssoLogout.jsp
Use this sample file when you want the following combined behavior when the user clicks the Logoff button:

• Terminate the current Tivoli Identity Manager logon session and provide a link to return to the Tivoli Identity Manager GUI.

• Remain logged in to Tivoli Access Manager (iv-user HTTP header information is still available). This allows, for example, continued use of a portal page or a return to Tivoli Identity Manager without a logon prompt. On a shared workstation, the WebSEAL session stays usable by whoever next uses that browser until it times out, which is why websealLogout.jsp is described as the most secure choice.

You can edit this file to customize the sample logoff functionality.

Accessing the Tivoli Identity Manager Logon page

After the WebSEAL junction has been created, the URL for accessing the logon page for the Tivoli Identity Manager interface changes. The new URL is either

http://hostname/JunctionName/enrole/logon

or

https://hostname/JunctionName/enrole/logon

(where hostname is the host name of the WebSEAL server, through which the Tivoli Identity Manager server is now reached, and JunctionName is the name that you specified for the junction when you ran the Installer).


Chapter 5. Importing and synchronizing user data

Tivoli Identity Manager is designed to be a central location for corporate identity management. However, in your environment, other IBM Tivoli security applications with user management (such as Tivoli Access Manager) might already have been installed and might co-exist with Tivoli Identity Manager. Therefore, several user data records might exist for the same user.

Because Tivoli Identity Manager requires its own user registry and cannot share the user objects that are in the user registry of another application (such as Tivoli Access Manager or a corporate directory), you have to create new user records in Tivoli Identity Manager or import existing user data records from other data sources into Tivoli Identity Manager if you want Tivoli Identity Manager to manage those users.

If Tivoli Access Manager or other applications with user data records co-exist with Tivoli Identity Manager and up-to-date user attributes are needed for these applications, Tivoli Identity Manager data needs to be dynamically synchronized with the user records in these applications.

IBM Directory Integrator AssemblyLine samples utility

The IBM Directory Integrator AssemblyLine samples utility is included in the Provisioning Fast Start collection.

The utility uses IBM Directory Integrator, which is supported in Tivoli Identity Manager version 4.5, to import Tivoli Access Manager and corporate directory users into Tivoli Identity Manager and to synchronize Tivoli Identity Manager user attributes with those in Tivoli Access Manager. Directory Integrator is designed to synchronize identity data located in directories, databases, collaborative systems, applications used for human resources (HR), customer relationship management (CRM), Enterprise Resource Planning (ERP), and other corporate applications. In Tivoli Identity Manager version 4.5, a provisioning service type called an IBM Directory Integrator (IDI) Data Feed is supported for user data exchange between Directory Integrator and the Tivoli Identity Manager server. The IDI Data Feed service uses Directory Services Markup Language version 2 (DSMLv2) format to communicate with Directory Integrator. Directory Integrator version 5.1.2 adds the DSMLv2 EventHandler and DSMLv2 support in the JNDI connector, which greatly enhances the integration capability between Directory Integrator and Tivoli Identity Manager. In this utility, a JNDI connector with the DSML2InitialContextFactory driver is used to import the user entries into Tivoli Identity Manager.

Note: Before using the utility, you need to be familiar with IBM Directory Integrator concepts, including AssemblyLines, connectors, configuration files, and properties files. For more information, refer to the IBM Directory Integrator Getting Started Guide. Go to the following Web site: http://www.ibm.com/software/tivoli/library. Click Product manuals and then locate and click the IBM Directory Integrator link.


The utility uses the IBM Directory Integrator LDAP connector, the DSMLv2 JNDI connector, and other connectors to retrieve Tivoli Access Manager user data or corporate Human Resources data from a registry server and feeds it directly to Tivoli Identity Manager.

The main functions of this utility include:

• Importing Tivoli Access Manager users (in a single domain) into Tivoli Identity Manager. See “Importing Tivoli Access Manager users (in a single domain) into Tivoli Identity Manager” on page 39.

• Importing Tivoli Access Manager users (in multiple domains) into Tivoli Identity Manager. See “Importing Tivoli Access Manager users (in multi-domains) into Tivoli Identity Manager” on page 41.

• Importing users from an existing corporate directory into Tivoli Identity Manager. See “Importing users from an existing corporate directory” on page 42.

• Synchronizing Tivoli Identity Manager user attributes with Tivoli Access Manager user attributes. See “Synchronizing Tivoli Identity Manager user attributes with Tivoli Access Manager user attributes” on page 44.

Installation

Install the utility using the instructions in Chapter 2, “Installing the Provisioning Fast Start collection,” on page 5.

Requirements for installation

As described in “Importing or synchronizing user data” on page 8, the Tivoli Access Manager Provisioning Fast Start Installer copies the utility files to the proper location when you select IBM Directory Integrator AssemblyLine samples.

Note: The Installer determines whether IBM Directory Integrator is installed and whether it is the correct version. If it is not installed or is not the correct version, the installation selection for the IBM Directory Integrator AssemblyLine utility is not displayed.

As described in “Importing or synchronizing user data” on page 8, you should have considered the following conditions before running the Installer to ensure that the utility is placed in the correct location:

• Install the utility on the server or workstation where IBM Directory Integrator 5.1.2 or later is installed.

• If LDAP or Active Directory is the user registry for Tivoli Access Manager, install IBM Directory Integrator (if it is not installed) and the utility on any server or workstation in the corporate intranet network that can remotely access the Tivoli Access Manager registries and the Tivoli Identity Manager server. Because that system can read the registry and write to Tivoli Identity Manager, restrict who can log on to it.

• If a Lotus Domino server is the user registry for Tivoli Access Manager, the Lotus Notes connector is used to access the user data in the Domino server. In this case, install IBM Directory Integrator (if it is not installed) and the utility on the Notes client that can access the Domino server. You can use either the Notes client installed for the Tivoli Access Manager policy server or a newly installed and configured Notes client.

Installed components

After you run the Installer, a subdirectory is created and the utility files are placed in that subdirectory.


TIMTAMIntegration subdirectory

The Provisioning Fast Start Installer creates the TIMTAMIntegration subdirectory under the IBM Directory Integrator root directory $IDI_HOME. For example:

C:\Progra~1\ibm\IDI_HOME\TIMTAMIntegration

Utility files

The Installer copies all the utility files into this subdirectory. The utility files include one configuration file and one corresponding properties file for each major task. As listed previously, there are four major tasks. These tasks and their related configuration files and properties files are as follows:

Task: Import single domain Tivoli Access Manager user data to Tivoli Identity Manager:

• Properties file: TAMtoTIMImport.properties

  See “TAMtoTIMImport.properties” on page 33 for more information.

• Configuration file: TAMtoTIMImport.xml, which contains the following AssemblyLines:

  – AssemblyLine: LDAPImport
  – AssemblyLine: ADImport
  – AssemblyLine: DominoImport

Task: Import multi-domain Tivoli Access Manager user data to Tivoli Identity Manager:

Note: Tivoli Access Manager supports multi-domain only on an LDAP directory.

• Properties file: MDTAMtoTIMImport.properties

  See “MDTAMtoTIMImport.properties” on page 34 for more information.

• Configuration file: MDTAMtoTIMImport.xml, which contains the following AssemblyLine:

  – AssemblyLine: LDAPMDImport

Task: Import Directory user data to Tivoli Identity Manager:

• Properties file: DirectorytoTIMImport.properties

  See “DirectorytoTIMImport.properties” on page 36 for more information.

• Configuration file: DirectorytoTIMImport.xml, which contains the following AssemblyLines:

  – AssemblyLine: LDAPUserstoTIM
  – AssemblyLine: ADUserstoTIM

Task: Synchronize Tivoli Identity Manager user attributes with Tivoli Access Manager users:

• Properties file: TIMtoTAMsync.properties

  See “TIMtoTAMsync.properties” on page 37 for more information.

• Configuration file: TIMtoTAMSync.xml, which contains the following AssemblyLines:

  – AssemblyLine: synchtamdirect
  – AssemblyLine: synctambychangelog

• Exit file: TIMtoTAMsyncexit, which contains the default and dynamic changelog number for TIMtoTAMsync.


Note: To understand how configuration files and properties files are used, refer to the IBM Directory Integrator: Getting Started Guide.

All of these properties files must be configured before you run the utility.

Configuration

After you install the utility, you need to perform some additional configuration before you can use it.

Creating the IDI Data Feed Service in Tivoli Identity Manager

Before using this utility to import users, you need to create an IDI Data Feed Service in Tivoli Identity Manager 4.5.

Note: The IDI Data Feed Service is not required to perform the synchronizing task.

To create the service:

1. Log in to Tivoli Identity Manager as the Tivoli Identity Manager administrator.

2. Go to Provisioning → Manage Services → Add, and select IDI Data Service as the service type.

3. Define the following parameters for the service:

   Service name: Any value.
   URL: Directory Integrator server URL (optional).
   User ID: Any value.
   Password: Any value.
   Naming Context: Any value.
   Name Attribute: Use uid as the default.

Use the values you have defined in this service as the values for the corresponding attributes in the properties file for the importing tasks (namely, TAMtoTIMImport.properties, MDTAMtoTIMImport.properties, and DirectorytoTIMImport.properties).

For example, in the MDTAMtoTIMImport.properties file, the following corresponding attributes should have the same values:

  MDTAMtoTIMImport.properties file attribute    Corresponding service value
  TIM_DSMLv2_URL                                URL
  TIM_DSMLv2_Login                              User ID
  TIM_DSMLv2_PW                                 Password
  TIM_DSMLv2_SearchBase                         Naming Context

For more information about configuring the properties files, see “Configuring the properties files” on page 33.


Configuring the properties files

The four properties files for the four different tasks in the utility contain the customer environment parameters and program initial settings. The properties file names match the configuration file names.

Before you run the utility, you need to customize these properties files.

View and edit the properties files using a text editor, such as Notepad. The settings of the properties files are described in the following tables.

TAMtoTIMImport.properties

The following table describes the attributes used in this properties file.

Table 2. Attributes in the TAMtoTIMImport.properties file

  TIM_DSMLv2_URL
      The remote Tivoli Identity Manager DSMLv2 handler URL, in the format:
      http://hostname:portname/enrole/dsml2_event_handler/tenant
      where:
      • hostname is the host name of the Tivoli Identity Manager server.
      • portname is the port of the Tivoli Identity Manager server; the default is 9080.
      • tenant is the domain name of the Tivoli Identity Manager server.

  TIM_DSMLv2_Login
      Tivoli Identity Manager IDI Data Feed Service user ID.

  TIM_DSMLv2_PW
      Tivoli Identity Manager IDI Data Feed Service user password.

  TIM_DSMLv2_SearchBase
      The naming contexts of the Tivoli Identity Manager IDI Data Feed Service.

Note: The Tivoli Identity Manager IDI Data Feed Service user ID, password, and naming contexts are defined in the Tivoli Identity Manager server when the IDI Data Feed Service is created. Refer to the README for IDI Integration Examples for detailed information. This Readme is located in:

$ITIM_HOME/extensions/examples/idi_integration/Readme.html

where $ITIM_HOME is the directory where Tivoli Identity Manager was installed.

The following table describes the attributes that are required if the Tivoli Access Manager user registry is in an LDAP directory:

Table 3. Attributes required in TAMtoTIMImport.properties for an LDAP Tivoli Access Manager user registry

  TAM_LDAP_URL
      The remote Tivoli Access Manager LDAP URL, in the format: ldap://hostname:portnumber

  TAM_LDAP_Login
      The remote Tivoli Access Manager LDAP user ID, for example, cn=root.

  TAM_LDAP_PW
      The remote Tivoli Access Manager LDAP user password.

The following table describes the attributes that are required if the Tivoli Access Manager user registry is in an Active Directory registry:

Table 4. Attributes required in TAMtoTIMImport.properties for a Tivoli Access Manager Active Directory user registry

  TAM_AD_URL
      The remote Active Directory URL, in the format: ldap://hostname:portnumber

  TAM_AD_Username
      The remote Active Directory user name.

  TAM_AD_password
      The remote Active Directory user password.

  TAM_AD_SearchBase
      The remote Tivoli Access Manager Active Directory domain name, in the format:
      cn=Users,cn=default,cn=tivolipdomains,dc=domainname,dc=com
      Note that you need to replace only the domainname here.

  TAM_AD_SearchFilter
      The remote Tivoli Access Manager Active Directory search filter, in the format:
      objectCategory=cn=urafuser,cn=schema,cn=configuration,dc=domainname,dc=com
      Note that you need to replace only the domainname here.

  TAM_AD_RetrieveBase
      The remote Tivoli Access Manager Active Directory domain name, in the format: dc=domainname,dc=com
      Note that you need to replace only the domainname here.

The following table describes the attributes that are required if the Tivoli Access Manager user registry is in a Domino registry:

Table 5. Attributes required in TAMtoTIMImport.properties for a Tivoli Access Manager Domino user registry

  TAM_Domino_Hostname
      The remote Domino server host name.

  TAM_Domino_UserID
      The remote Domino server user ID.

  TAM_Domino_Password
      The remote Domino server user password.

  TAM_Domino_Servername
      The remote Domino server name.

MDTAMtoTIMImport.properties

The following table describes the attributes used in this properties file.


Note: Tivoli Access Manager supports multi-domain only on an LDAP directory.

Table 6. Attributes in the MDTAMtoTIMImport.properties file

  TIM_DSMLv2_URL
      The remote Tivoli Identity Manager DSMLv2 handler URL, in the format:
      http://hostname:portname/enrole/dsml2_event_handler/tenant
      where:
      • hostname is the host name of the Tivoli Identity Manager server.
      • portname is the port of the Tivoli Identity Manager server; the default is 9080.
      • tenant is the domain name of the Tivoli Identity Manager server.

  TIM_DSMLv2_Login
      Tivoli Identity Manager IDI Data Feed Service user ID.

  TIM_DSMLv2_PW
      Tivoli Identity Manager IDI Data Feed Service user password.

  TIM_DSMLv2_SearchBase
      The naming contexts of the Tivoli Identity Manager IDI Data Feed Service.

  TAM_LDAP_URL
      The remote Tivoli Access Manager LDAP URL, in the format: ldap://hostname:portnumber

  TAM_LDAP_Login
      The remote Tivoli Access Manager LDAP user ID, for example, cn=root.

  TAM_LDAP_PW
      The remote Tivoli Access Manager LDAP user password.

Note: The Tivoli Identity Manager IDI Data Feed Service user ID, password, and naming contexts are defined in the Tivoli Identity Manager server when the IDI Data Feed Service is created. Refer to the README for IDI Integration Examples for detailed information. This Readme is located in:

$ITIM_HOME/extensions/examples/idi_integration/Readme.html

where $ITIM_HOME is the directory where Tivoli Identity Manager was installed.


DirectorytoTIMImport.properties

The following table describes the attributes used in this properties file.

Table 7. Attributes in the DirectorytoTIMImport.properties file

  TIM_DSMLv2_URL
      The remote Tivoli Identity Manager DSMLv2 handler URL, in the format:
      http://hostname:portname/enrole/dsml2_event_handler/tenant
      where:
      • hostname is the host name of the Tivoli Identity Manager server.
      • portname is the port of the Tivoli Identity Manager server; the default is 9080.
      • tenant is the domain name of the Tivoli Identity Manager server.

  TIM_DSMLv2_Login
      Tivoli Identity Manager IDI Data Feed Service user ID.

  TIM_DSMLv2_PW
      Tivoli Identity Manager IDI Data Feed Service user password.

  TIM_DSMLv2_SearchBase
      The naming contexts of the Tivoli Identity Manager IDI Data Feed Service.

Note: The Tivoli Identity Manager IDI Data Feed Service user ID, password, and naming contexts are defined in the Tivoli Identity Manager server when the IDI Data Feed Service is created. Refer to the README for IDI Integration Examples for detailed information. This Readme is located in:

$ITIM_HOME/extensions/examples/idi_integration/Readme.html

where $ITIM_HOME is the directory where Tivoli Identity Manager was installed.

The following table describes the attributes that are required if the user registry is in an LDAP directory:

Table 8. Attributes required in DirectorytoTIMImport.properties for an LDAP user registry

  LDAP_URL
      The remote corporate LDAP URL, in the format: ldap://hostname:portnumber

  LDAP_Login
      The remote corporate LDAP user ID.

  LDAP_PW
      The remote corporate LDAP user password.

  LDAP_SearchBase
      The remote corporate LDAP search base.

The following table describes the attributes that are required if the user registry is in an Active Directory registry:

Table 9. Attributes required in DirectorytoTIMImport.properties for an Active Directory user registry

  AD_URL
      The remote Active Directory URL, in the format: ldap://hostname:portnumber

  AD_Username
      The remote Active Directory user name.

  AD_password
      The remote Active Directory user password.

  AD_SearchBase
      The remote Active Directory domain name, in the format:
      cn=Users,cn=default,cn=tivolipdomains,dc=domainname,dc=com
      Note that you need to replace only the domainname here.

TIMtoTAMsync.properties

The following table describes the attributes used in this properties file.

Note: The synchronization function can be used only with LDAP directories.

Table 10. Attributes in the TIMtoTAMsync.properties file

  TIM_LDAP_URL
      The remote Tivoli Identity Manager LDAP URL, in the format: ldap://hostname:portnumber

  TIM_LDAP_Login
      Tivoli Identity Manager LDAP user login.

  TIM_LDAP_PW
      Tivoli Identity Manager LDAP user password.

  TAM_LDAP_URL
      The remote Tivoli Access Manager LDAP URL, in the format: ldap://hostname:portnumber

  TAM_LDAP_Login
      The remote Tivoli Access Manager LDAP user ID, for example, cn=root.

  TAM_LDAP_PW
      The remote Tivoli Access Manager LDAP user password.

  SYNC_Start
      Scheduled start time for synchronization. Use the format:
      <month> <day> <weekday> <hour> <minute>
      • month 0–11
      • day 1–31
      • weekday 1–7
      • hour 0–23
      • minute 0–59
      There is a space between each variable. Use * for any value of that variable. For example, * * * * 15 defines a scheduled starting time of 15 minutes past every hour.

  SYNC_Timeout
      Specifies the maximum time in seconds for the changelog connector to wait for the next new changelog.

  SYNC_Sleeptime
      Specifies the number of seconds for the changelog connector to sleep if no new changelog is there.

Notes:

1. If SYNC_Timeout is set to 0 and SYNC_Sleeptime is set to a non-zero value, the changelog connector waits for a new changelog indefinitely. In this case, the change number is not updated if the AssemblyLine is stopped manually.

2. The format and range of SYNC_Timeout and SYNC_Sleeptime are defined by IBM Directory Integrator. They are integers and the range is very large.

You can also use the IDI Admin Tool to view and encrypt these properties files, if necessary. Refer to the IBM Directory Integrator: Administrator Interface for more information.
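The SYNC_Start value in Table 10 is the part of TIMtoTAMsync.properties that is easiest to get wrong, because an out-of-range field is only noticed when the scheduled AssemblyLine never starts. The following Python is an added example, not code from the guide or from the utility: it validates a SYNC_Start string against the ranges in Table 10, reports whether a given minute is a scheduled start, and computes the next start after a given time. Two details the guide does not state are assumed here: month 0 is January and weekday 1 is Sunday (java.util.Calendar numbering), and a start time must match every field at once.

```python
"""Parse and evaluate a TIMtoTAMsync SYNC_Start schedule string (added example).

The value has five space-separated fields, <month> <day> <weekday> <hour> <minute>,
with the ranges from Table 10 (month 0-11, day 1-31, weekday 1-7, hour 0-23,
minute 0-59) and '*' meaning any value. Assumptions not stated in the guide:
month 0 is January and weekday 1 is Sunday (java.util.Calendar numbering), and a
minute is a start only when every field matches (AND semantics).
"""
from datetime import datetime, timedelta
from typing import List, Optional

# Field names and inclusive ranges, in the order they appear in SYNC_Start.
FIELDS = (
    ("month", 0, 11),
    ("day", 1, 31),
    ("weekday", 1, 7),
    ("hour", 0, 23),
    ("minute", 0, 59),
)

Schedule = List[Optional[int]]  # one entry per field; None stands for '*'


def parse_sync_start(value: str) -> Schedule:
    """Validate a SYNC_Start string and return its five fields.

    Raises ValueError on a wrong field count, a non-integer field, or a value
    outside the documented range, so a bad properties entry is caught before
    the AssemblyLine is scheduled.
    """
    tokens = value.split()
    if len(tokens) != len(FIELDS):
        raise ValueError(
            f"SYNC_Start needs {len(FIELDS)} space-separated fields, got {len(tokens)}: {value!r}"
        )
    schedule: Schedule = []
    for token, (name, low, high) in zip(tokens, FIELDS):
        if token == "*":
            schedule.append(None)
            continue
        if not token.isdigit():
            raise ValueError(f"SYNC_Start field {name} must be an integer or '*', got {token!r}")
        number = int(token)
        if not low <= number <= high:
            raise ValueError(f"SYNC_Start field {name}={number} is outside {low}-{high}")
        schedule.append(number)
    return schedule


def calendar_fields(moment: datetime) -> List[int]:
    """Express a datetime in the SYNC_Start numbering (assumed Calendar-style)."""
    month = moment.month - 1                  # January -> 0
    weekday = (moment.weekday() + 1) % 7 + 1  # Python Monday=0 -> Sunday=1 ... Saturday=7
    return [month, moment.day, weekday, moment.hour, moment.minute]


def matches(schedule: Schedule, moment: datetime) -> bool:
    """True if the given minute is a scheduled start under AND semantics."""
    return all(want is None or want == have
               for want, have in zip(schedule, calendar_fields(moment)))


def next_run(schedule: Schedule, after: datetime, horizon_days: int = 366) -> Optional[datetime]:
    """First scheduled minute strictly after `after`, or None if none occurs
    within the horizon (for example a day-of-month that never falls on the
    requested weekday in the coming year)."""
    probe = after.replace(second=0, microsecond=0) + timedelta(minutes=1)
    limit = after + timedelta(days=horizon_days)
    while probe <= limit:
        if matches(schedule, probe):
            return probe
        probe += timedelta(minutes=1)
    return None


if __name__ == "__main__":
    # The documented example: 15 minutes past every hour.
    every_hour = parse_sync_start("* * * * 15")
    print(next_run(every_hour, datetime(2003, 11, 20, 10, 16)))  # 2003-11-20 11:15:00
```

Run it against the value you intend to put in TIMtoTAMsync.properties before starting synctambychangelog; an out-of-range field raises ValueError naming the field, and next_run shows when the first synchronization would actually fire.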

Configuring connectors

Most of the connectors that work with the utility are ready for use. However, if you are using Lotus Notes as your data source, you must copy the Notes.jar file to $IDI_HOME/jars (where $IDI_HOME is the location where Directory Integrator is installed). You should also modify the classpath in the IBM Directory Integrator startup script ibmditk to include these new JAR files so that the Lotus Notes connector works properly.

Addressing security concerns

To enhance security when using this utility to import or synchronize user data, perform the following procedures:

• Secure the configuration file and customer settings. You can set a password for the configuration file and select the encryption option for the properties file. Refer to the IBM Directory Integrator Reference Guide for instructions.

• Enable SSL between the directory and Directory Integrator. Refer to the IBM Directory Integrator Reference Guide for instructions.

• Enable SSL between Directory Integrator and Tivoli Identity Manager. Refer to the IBM Tivoli Identity Manager Server Configuration Guide for instructions.

Addressing performance considerations

To ensure the best performance, review the information in the IBM Directory Integrator Reference Guide. In addition, while running the IBM Directory Integrator AssemblyLine sample utility, enable error logging only when you are debugging.

Running the utility

The four tasks you can run using this utility are:

• “Importing Tivoli Access Manager users (in a single domain) into Tivoli Identity Manager” on page 39.
• “Importing Tivoli Access Manager users (in multi-domains) into Tivoli Identity Manager” on page 41.
• “Importing users from an existing corporate directory” on page 42.
• “Synchronizing Tivoli Identity Manager user attributes with Tivoli Access Manager user attributes” on page 44.

Note: Before using the utility in a production environment, use a simulated environment to run a verification test for each of the four tasks that you plan to use in production. When you run the verification test, verify:

• Environment settings
• Directory server connections
• Tivoli Identity Manager server DSMLv2EventHandler connections
• Attribute availabilities and mapping
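The first three items of that verification test, together with the properties attributes in Tables 2 through 9 and the points under “Addressing security concerns”, can be checked before any AssemblyLine is run. The following Python is an added example, not code from the guide or from the utility's files: it reads a properties file, confirms that the attributes the tables require for a given task and registry type are present and that the URLs have the documented shapes, flags the items the security section raises (connections without SSL, passwords stored in clear in the file), and can probe that the directory and DSMLv2 handler ports are reachable. The required-key lists and URL formats come from the tables; the assumption that SSL appears as an https:// or ldaps:// URL (the guide only says to enable SSL and defers to the Reference Guide), the caller-supplied task and registry type, and the SAMPLE file are my own.

```python
"""Pre-flight check for the utility's properties files (added example, not the
guide's or the utility's own code).

Required keys and URL shapes follow Tables 2-9 of the guide. Assumptions: SSL is
expressed as an https:// or ldaps:// URL; the task name and registry type are
supplied by the caller; SAMPLE is a constructed file, not a shipped one.
"""
import re
import socket
from typing import Dict, List
from urllib.parse import urlsplit

# Required keys per task and registry type, taken from Tables 2-9.
TIM_KEYS = ["TIM_DSMLv2_URL", "TIM_DSMLv2_Login", "TIM_DSMLv2_PW", "TIM_DSMLv2_SearchBase"]
REQUIRED: Dict[str, Dict[str, List[str]]] = {
    "TAMtoTIMImport": {
        "ldap": TIM_KEYS + ["TAM_LDAP_URL", "TAM_LDAP_Login", "TAM_LDAP_PW"],
        "ad": TIM_KEYS + ["TAM_AD_URL", "TAM_AD_Username", "TAM_AD_password",
                          "TAM_AD_SearchBase", "TAM_AD_SearchFilter", "TAM_AD_RetrieveBase"],
        "domino": TIM_KEYS + ["TAM_Domino_Hostname", "TAM_Domino_UserID",
                              "TAM_Domino_Password", "TAM_Domino_Servername"],
    },
    "MDTAMtoTIMImport": {"ldap": TIM_KEYS + ["TAM_LDAP_URL", "TAM_LDAP_Login", "TAM_LDAP_PW"]},
    "DirectorytoTIMImport": {
        "ldap": TIM_KEYS + ["LDAP_URL", "LDAP_Login", "LDAP_PW", "LDAP_SearchBase"],
        "ad": TIM_KEYS + ["AD_URL", "AD_Username", "AD_password", "AD_SearchBase"],
    },
}

# Documented shapes: http://hostname:portname/enrole/dsml2_event_handler/tenant
# for the DSMLv2 handler and ldap://hostname:portnumber for every directory URL.
DSMLV2_URL = re.compile(r"^https?://[^/:\s]+:\d{1,5}/enrole/dsml2_event_handler/[^/\s]+$")
LDAP_URL = re.compile(r"^ldaps?://[^/:\s]+:\d{1,5}$")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java-style properties reader: key=value or key:value, # and ! comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"^([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def check_properties(task: str, registry: str, props: Dict[str, str]) -> List[str]:
    """Return findings as strings; an empty list means the file passed."""
    findings: List[str] = []
    for key in REQUIRED[task][registry]:
        if not props.get(key):
            findings.append(f"missing: {key}")
    for key, value in props.items():
        if key == "TIM_DSMLv2_URL" and not DSMLV2_URL.match(value):
            findings.append(f"bad format: {key}={value}")
        elif key.endswith("_URL") and key != "TIM_DSMLv2_URL" and not LDAP_URL.match(value):
            findings.append(f"bad format: {key}={value}")
        # Security section: SSL on both legs, and encrypt the properties file.
        if key.endswith("_URL") and value.lower().startswith(("http://", "ldap://")):
            findings.append(f"no SSL: {key} uses {value.split(':', 1)[0]}")
        if key.lower().endswith(("_pw", "_password")) and value:
            findings.append(f"cleartext password: {key} (encrypt the file)")
    return findings


def reachable(url: str, timeout: float = 3.0) -> bool:
    """TCP connect to the host:port of a URL, covering the 'directory server
    connections' and 'DSMLv2EventHandler connections' items of the test."""
    parts = urlsplit(url)
    if not parts.hostname or parts.port is None:
        return False
    try:
        with socket.create_connection((parts.hostname, parts.port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample with one missing key, one malformed URL and no SSL.
SAMPLE = """
# TAMtoTIMImport.properties (constructed example, not the shipped file)
TIM_DSMLv2_URL=http://tim.example.com:9080/enrole/dsml2_event_handler/example.com
TIM_DSMLv2_Login=idifeed
TIM_DSMLv2_PW=changeit
TIM_DSMLv2_SearchBase=ou=example,dc=com
TAM_LDAP_URL=ldap//:tam-ldap.example.com:389
TAM_LDAP_Login=cn=root
"""

if __name__ == "__main__":
    for finding in check_properties("TAMtoTIMImport", "ldap", parse_properties(SAMPLE)):
        print(finding)
```

Pass the file's text, the task name (the configuration file's base name) and the registry type you are importing from; a cleartext-password finding is expected on any file that has not yet been encrypted with the option the security section describes, and the reachability probe is deliberately separate so that the static checks can run on a workstation with no network path to the servers.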

Importing Tivoli Access Manager users (in a single domain) into Tivoli Identity Manager

This task assumes that you start with an existing Tivoli Access Manager single-domain environment that has users defined in a user registry, then install Tivoli Identity Manager, and then import all the defined Tivoli Access Manager users into Tivoli Identity Manager so that Tivoli Identity Manager can manage these users.

(It is necessary to import all the defined Tivoli Access Manager users into Tivoli Identity Manager so that Tivoli Identity Manager can manage these users.)

The utility extracts all the user information from the Tivoli Access Manager registry, maps the user attributes from Tivoli Access Manager users to Tivoli Identity Manager users (Person entities), and creates valid input that the Tivoli Identity Manager service can recognize. You can then assign accounts to the Person entities by performing a reconciliation as described in the IBM Tivoli Identity Manager Policy and Organization Administration Guide.

Before you can import Tivoli Access Manager users into Tivoli Identity Manager, the following is assumed:

• Tivoli Access Manager has been installed and configured.

• A number of users have been created in one of the following Tivoli Access Manager user registry directories:

  – IBM Tivoli Directory Server 5.2
  – IBM Directory Server 5.1
  – IBM Directory Server 4.1
  – IBM SecureWay Directory 3.2
  – SUN ONE Directory (iPlanet) 5.0 and above
  – Novell eDirectory
  – Microsoft Active Directory in Windows 2000 servers
  – Domino server 5.0 and above

  (You want to import all the Tivoli Access Manager users from the user registry to Tivoli Identity Manager.)

• The Tivoli Access Manager agent has been installed and configured.

• Tivoli Identity Manager has been installed and configured.

• IBM Directory Integrator and this utility have been installed.


• The IDI Data Feed Service is created and configured, as described in “Creating the IDI Data Feed Service in Tivoli Identity Manager” on page 32.

The configuration file for this task is TAMtoTIMImport.xml.

The utility retrieves the Tivoli Access Manager user data from the Tivoli Access Manager user registries, such as LDAP, Active Directory and Domino directory, and imports it to Tivoli Identity Manager.

Using the Directory Integrator Admin Tool

To run this task:

1. Start the Directory Integrator Admin Tool:

   • In Windows, click Start → Programs → IBM Directory Integrator → IBM Directory Integrator.
   • In AIX or Solaris, at a command prompt, change to the IBM Tivoli Directory Integrator installation directory and type ./ibmditk

2. Click File → Open. Then select the TIMTAMIntegration subdirectory.

3. Open the configuration file TAMtoTIMImport.xml.

4. Select the AssemblyLine for the task:

   • If you want to import user data from an LDAP user registry in a single domain environment, select LDAPImport.
   • If you want to import user data from an Active Directory user registry in a single domain environment, select ADImport.
   • If you want to import user data from a Domino user registry in a single domain environment, select DominoImport.

5. Click Run in the upper right-hand corner.

The running information is displayed in the execution window.

Using the command line

To run this task using the command line:

1. Start the AssemblyLine from the command line.

2. Type the following command from the Directory Integrator installation directory:

   ibmdisrv -c"Configuration_file_name" -r"AssemblyLine_name" -m

   Note: The command line options must have their values following immediately after the options. Do not insert a space between the option and its value.

   -c  Configuration file: TAMtoTIMImport.xml
   -l  Log file (default: console output). To change the log file for most of the logging, change the log4j.properties file.
   -r  List of AssemblyLine names to start:
       • If you want to import user data from an LDAP user registry in a single domain environment, use -rLDAPImport.
       • If you want to import user data from an Active Directory user registry in a single domain environment, use -rADImport.
       • If you want to import user data from a Domino user registry in a single domain environment, use -rDominoImport.
   -P  Password. Input a password if the configuration file is encrypted and protected by a password.
   -m  Start the Administration and Monitor Console (AMC) server.


After Tivoli Identity Manager users are created, you can run the Tivoli Identity Manager reconciliation operation to create the matched Tivoli Access Manager accounts in Tivoli Identity Manager. The matching between the Tivoli Identity Manager user and the Tivoli Access Manager account is set by the aliases attribute in the Tivoli Identity Manager user record, which is defined by the utility.

After Tivoli Identity Manager and Tivoli Access Manager are integrated, if you need to synchronize the Tivoli Identity Manager and Tivoli Access Manager user attributes, you can use the synchronization task to do so directly or dynamically. See “Synchronizing Tivoli Identity Manager user attributes with Tivoli Access Manager user attributes” on page 44.

Importing Tivoli Access Manager users (in multi-domains) into Tivoli Identity Manager

This task assumes that you start with an existing Tivoli Access Manager multi-domain environment that has users defined in a user registry, then install Tivoli Identity Manager, and then import all the defined Tivoli Access Manager users into Tivoli Identity Manager so that Tivoli Identity Manager can manage these users.

(It is necessary to import all the defined Tivoli Access Manager users into Tivoli Identity Manager so that Tivoli Identity Manager can manage these users.)

The utility extracts all the user information from the Tivoli Access Manager registry, maps the user attributes from Tivoli Access Manager users to Tivoli Identity Manager users (Person entities), and creates valid input that the Tivoli Identity Manager service can recognize. You can then assign accounts to the Person entities by performing a reconciliation as described in the IBM Tivoli Identity Manager Policy and Organization Administration Guide.

Before you can import Tivoli Access Manager users into Tivoli Identity Manager, the following is assumed:

• Tivoli Access Manager has been installed and configured.

• A number of users have been created in one of the following Tivoli Access Manager LDAP user registry directories:

  – IBM Tivoli Directory Server 5.2
  – IBM Directory Server 5.1
  – IBM Directory Server 4.1
  – IBM SecureWay Directory 3.2
  – SUN ONE Directory (iPlanet) 5.0 and above
  – Novell eDirectory

  (You want to import all the Tivoli Access Manager users from the user registry to Tivoli Identity Manager.)

• The Tivoli Access Manager agent has been installed and configured.

• Tivoli Identity Manager has been installed and configured.

• IBM Directory Integrator and this utility have been installed.

• You have configured the IDI Data Feed Service, as described in “Creating the IDI Data Feed Service in Tivoli Identity Manager” on page 32.

The configuration file for this task is MDTAMtoTIMImport.xml.


The utility retrieves the Tivoli Access Manager user data from the Tivoli Access Manager LDAP user registries and imports it to Tivoli Identity Manager.

Using the Directory Integrator Admin Tool

To run this task:

1. Start the Directory Integrator Admin Tool:

   • In Windows, click Start → Programs → IBM Directory Integrator → IBM Directory Integrator.
   • In AIX or Solaris, at a command prompt, change to the IBM Tivoli Directory Integrator installation directory and type ./ibmditk

2. Click File → Open. Then select the TIMTAMIntegration subdirectory.

3. Open the configuration file MDTAMtoTIMImport.xml.

4. Select the AssemblyLine LDAPMDImport.

5. Click Run in the upper right-hand corner.

The running information is displayed in the execution window.

Using the command line

To run this task using the command line:

1. Start the AssemblyLine from the command line.

2. Type the following command from the Directory Integrator installation directory:

   ibmdisrv -c"Configuration_file_name" -r"AssemblyLine_name" -m

   Note: The command line options must have their values following immediately after the options. Do not insert a space between the option and its value.

   -c  Configuration file: MDTAMtoTIMImport.xml
   -l  Log file (default: console output). To change the log file for most of the logging, change the log4j.properties file.
   -r  List of AssemblyLine names to start: -rLDAPMDImport
   -P  Password. Input a password if the configuration file is encrypted and protected by a password.
   -m  Start the Administration and Monitor Console (AMC) server.

After Tivoli Identity Manager users are created, you can run the Tivoli Identity Manager reconciliation operation to create the matched Tivoli Access Manager accounts in Tivoli Identity Manager. The matching between the Tivoli Identity Manager user and the Tivoli Access Manager account is set by the aliases attribute in the Tivoli Identity Manager user record, which is defined by the utility. For more information about reconciliation, see the IBM Tivoli Identity Manager Policy and Organization Administration Guide.

After Tivoli Identity Manager and Tivoli Access Manager are integrated, if you need to synchronize the Tivoli Identity Manager and Tivoli Access Manager user attributes, you can use the synchronization task to do so directly or dynamically. See “Synchronizing Tivoli Identity Manager user attributes with Tivoli Access Manager user attributes” on page 44.

Importing users from an existing corporate directory

This task assumes that your company uses a registry, such as LDAP, to manage its Human Resources or corporate directory data. The utility can be used to import all or part of the existing user data from this corporate registry into an integrated Tivoli Identity Manager environment. Tivoli Identity Manager users (Person entities) are created through the utility, and Tivoli Access Manager accounts or other accounts can be created for each Person using the Tivoli Identity Manager provisioning policy.

For this task, the utility uses the DirectorytoTIMImport.xml configuration file to map the user attributes and import them to Tivoli Identity Manager.

Before you can import the directory users into Tivoli Identity Manager, the following is assumed:

• A number of users have been created in one of the following user registry directories:

  – IBM Tivoli Directory Server 5.2
  – IBM Directory Server 5.1
  – IBM Directory Server 4.1
  – IBM SecureWay Directory 3.2
  – SUN ONE Directory (iPlanet) 5.0 and above
  – Novell eDirectory
  – Microsoft Active Directory in Windows 2000 servers

  (You want to import all the Tivoli Access Manager users from the user registry to Tivoli Identity Manager.)

• You can access the corporate directory and you know the data tree.

• You know how to map the directory user attributes to Tivoli Identity Manager attributes.

• Tivoli Identity Manager is installed.

• IBM Directory Integrator and this utility have been installed.

• You have configured the IDI Data Feed Service, as described in “Creating the IDI Data Feed Service in Tivoli Identity Manager” on page 32.

• Also, you should have Tivoli Access Manager installed and you should have completed the following steps for the Tivoli Access Manager environment:

  1. Install a Tivoli Access Manager service profile in Tivoli Identity Manager (by installing and configuring the agent as described in the IBM Tivoli Identity Manager IBM Tivoli Access Manager Agent Installation Guide).

  2. Create a Tivoli Access Manager service in Tivoli Identity Manager.

  3. Define the provisioning policy in Tivoli Identity Manager to create a Tivoli Access Manager account when Tivoli Identity Manager users are created.

  This way, when using DirectorytoTIMImport.xml to import the corporate directory users into an integrated Tivoli Identity Manager and Tivoli Access Manager environment, Tivoli Identity Manager users and Tivoli Access Manager accounts are created for every user record. Tivoli Access Manager users are also created automatically when a Tivoli Identity Manager person is created.

Using the Directory Integrator Admin Tool

To run this task:

1. Start the Directory Integrator Admin Tool:

   • In Windows, click Start → Programs → IBM Directory Integrator → IBM Directory Integrator.
   • In AIX or Solaris, at a command prompt, change to the IBM Tivoli Directory Integrator installation directory and type ./ibmditk


2. Click File → Open. Then select the TIMTAMIntegration subdirectory.

3. Open the configuration file: DirectorytoTIMImport.xml.

4. Select the AssemblyLine or EventHandler for the task:

v If you want to import user data from an LDAP user registry in a single domain environment, select LDAPUserstoTIM.

v If you want to import user data from an Active Directory user registry in a single domain environment, select ADUserstoTIM.

5. Click Run in the upper right-hand corner.

The running information is displayed in the execution window.

Using the command line

1. Start the AssemblyLine from the command line.

2. Type the following command from the Directory Integrator installation directory:

ibmdisrv -c"Configuration_file_name" -r"AssemblyLine_name" -m

Note: The command line options must have their values following immediately after the options. Do not insert a space between the option and its value.

-c Configuration file; use DirectorytoTIMImport.xml

-l Log file (default console output). To change the log file for most of the logging, change the log4j.properties file.

-r List of AssemblyLine names to start:

v If you want to import user data from an LDAP user registry in a single domain environment, use -rLDAPUserstoTIM.

v If you want to import user data from an Active Directory user registry in a single domain environment, use -rADUserstoTIM.

-P Password. Input a password if the configuration file is encrypted and protected by a password.

-m Start the Administration and Monitor Console (AMC) server.

Synchronizing Tivoli Identity Manager user attributes with Tivoli Access Manager user attributes

If you have Tivoli Identity Manager and Tivoli Access Manager already installed and integrated, automatic synchronization of Tivoli Identity Manager user attributes with Tivoli Access Manager user attributes can be useful so that WebSEAL and other Tivoli Access Manager-based applications can use the Tivoli Identity Manager-synchronized attributes to set authorizations for the accessing user or for other purposes.

In addition, because Tivoli Access Manager does not provide a way to update user attributes, you can use this synchronization task to change the attributes in Tivoli Identity Manager and then synchronize those attribute changes into the Tivoli Access Manager user registry.

Before you can synchronize the Tivoli Identity Manager user attributes into matching Tivoli Access Manager user records, the following is assumed:

v One or more of the Tivoli Identity Manager users have been created or modified in the Tivoli Identity Manager user registry directory.


v You want to import all the user attributes from the Tivoli Identity Manager user registry to matching user records in one of the following Tivoli Access Manager user directories:

– IBM Tivoli Directory Server 5.2

– IBM Directory Server 5.1

– IBM Directory Server 4.1

– IBM SecureWay Directory 3.2

– SUN ONE Directory (iPlanet) 5.0 and above

– Novell eDirectory

v IBM Directory Integrator and this utility have been installed.

Using the Directory Integrator Admin Tool

To synchronize user attributes:

1. Start the Directory Integrator Admin Tool:

v In Windows, click Start → Programs → IBM Directory Integrator → IBM Directory Integrator.

v In AIX or Solaris, at a command prompt, change to the IBM Tivoli Directory Integrator installation directory and type ./ibmditk

2. Click File → Open. Then select the TIMTAMIntegration subdirectory.

3. Open the configuration file: TIMtoTAMSync.xml.

4. Select the AssemblyLine or EventHandler for the task:

v If you want to synchronize Tivoli Identity Manager user data with Tivoli Access Manager user data, select synchtamdirect.

v If you want to monitor changes to Tivoli Identity Manager user attributes and automatically update Tivoli Access Manager user attributes with the changes (that is, automatically synchronize), select synchtamchangelog.

Note: To use this AssemblyLine, the LDAP changelog must be turned on. Use the LDAP interface to turn on the changelog.

You could also start this task by using the ScheduleSync event handler. See the IBM Directory Integrator Getting Started Guide for more information about scheduling events with ScheduleSync.

5. Click Run in the upper right-hand corner.

The running information is displayed in the execution window.

Using the command line

1. Start the AssemblyLine from the command line.

2. Type the following command from the Directory Integrator installation directory:

ibmdisrv -c"Configuration_file_name" -r"AssemblyLine_name" -m

Note: The command line options must have their values following immediately after the options. Do not insert a space between the option and its value.

-c Configuration file; use TIMtoTAMSync.xml

-l Log file (default console output). To change the log file for most of the logging, change the log4j.properties file.

-r List of AssemblyLine names to start:

v If you want to synchronize Tivoli Identity Manager user data with Tivoli Access Manager user data, use -rsynchtamdirect.


v If you want to monitor changes to Tivoli Identity Manager user attributes and automatically update Tivoli Access Manager user attributes with the changes (that is, automatically synchronize), use -rsynchtamchangelog.

Note: To use this AssemblyLine, the LDAP changelog must be turned on. Use the LDAP interface to turn on the changelog.

You could also start this task by using the ScheduleSync event handler. See the IBM Directory Integrator Getting Started Guide for more information about scheduling events with ScheduleSync.

-P Password. Input a password if the configuration file is encrypted and protected by a password.

-m Start the Administration and Monitor Console (AMC) server.

By default, the following attributes are mapped when you run the synchtamdirect AssemblyLine:

GivenName

Homephone

Homepostaladdress

Mail

Mobile

Pager

Postaladdress

Postalcode

Roomnumber

St

Street

Telephonenumber

title

You can view, modify, or delete these mapping attributes using the Directory Integrator Admin Tool. Refer to the IBM Directory Integrator Reference Manual for more information.


Chapter 6. Creating a Web interface for user self-management

If you are using Tivoli Identity Manager to manage user accounts and you would like your users to be able to manage their own user IDs and passwords, you could benefit from using a self-management Web portal page. By allowing users to perform these types of self-management tasks, the number of help desk calls to request these tasks could be reduced.

The Provisioning Fast Start collection provides a set of Java servlets, Java Server Pages, and HTML files (collectively called the Web Application Sample) that demonstrate how to create a Web application for user self-care, including self-registration, update of personal data, password change, password reset through challenge/response, and requests for application access. The Web Sample uses the Tivoli Identity Manager version 4.5 API and standard WebSphere interfaces for Web applications.

The Web Application Sample

The Web Application Sample:

v Can be used as an example of how to create Web applications using the Tivoli Identity Manager 4.5 APIs

v Can be customized in appearance and function to fit your business needs

v Supports single sign-on (SSO) from WebSEAL (if SSO has been enabled in Tivoli Identity Manager)

The Sample is provided for user self-management and is not meant to replace the Tivoli Identity Manager graphical user interface that is provided for administrative purposes.

Prerequisite knowledge for using the Sample

To use this Sample, you should be an experienced Web application developer who is familiar with:

v WebSphere Application Server

v Java Platform 2 Enterprise Edition (J2EE), including Java servlets and Java Server Pages (JSPs)

v Java Authentication and Authorization Service

v Tivoli Identity Manager version 4.5 APIs:

– Refer to the javadocs in the following location of the directory where you installed Tivoli Identity Manager: $ITIM_HOME/extensions/api/index.html (where $ITIM_HOME is the directory where Tivoli Identity Manager was installed).

– Also refer to the Tivoli Identity Manager overview document in the following location of the directory where you installed Tivoli Identity Manager: $ITIM_HOME/extensions/doc/applications/applications.html (where $ITIM_HOME is the directory where Tivoli Identity Manager was installed).

When the Web Application Sample is protected by Tivoli Access Manager (through WebSEAL or the Plug-in for Web Servers), you must be familiar with the integrated Tivoli Identity Manager and Tivoli Access Manager environment in which you will use these pages.


Prerequisite software and configurations for using the Sample

To use the functions in the Sample, the following environments should also be installed and configured:

v WebSphere Application Server version 5.0 with patch 2 (also referred to as 5.0.2), and any additional patches that are specified in the IBM Tivoli Identity Manager Version 4.5 Release Notes.

v Tivoli Identity Manager version 4.5 (and its prerequisites).

v Tivoli Access Manager version 5.1 (and its prerequisites) and Tivoli Access Manager agent, if Tivoli Identity Manager is managing Tivoli Access Manager accounts.

v The users who will use the Web pages in the Sample must have a Tivoli Identity Manager account.

v If the Sample will be accessed through single sign-on with WebSEAL, the users must also have a Tivoli Access Manager account.

Note: If you want to enable the Sample to use single sign-on with WebSEAL, you will need to have WebSEAL installed and configured and you will need to enable Tivoli Identity Manager to use single sign-on, as described in Chapter 4, “Configuring Tivoli Identity Manager for single sign-on with WebSEAL,” on page 21. In addition, when you use single sign-on with WebSEAL, do not use the Change Password function in the Sample. Instead, you should install and use the function provided by the Reverse Password Synchronization for Tivoli Access Manager WebSEAL agent, which is part of the Tivoli Access Manager agent package that is available from the IBM Web site. Contact your IBM account representative for more information.

Functions of the Sample

The Web Application Sample provides the following functions:

v Logon (which can support either user ID and password authentication or single sign-on through WebSEAL), see “Configuring the Logon function” on page 54.

v Main (Home), see “Configuring the Main (Home) page” on page 55.

v Change Password, see “Configuring Password functions” on page 55.

v Forgot My Password (using Challenge Response), see “Configuring Password functions” on page 55.

v Self-Care, see “Configuring the Self-Care function” on page 62.

v Self-Registration, see “Configuring the Self-Registration function” on page 59.

v Application Subscription, see “Configuring the Application Subscription function” on page 63.

v Set Challenge Response, see “Configuring the Challenge/Response function” on page 65.

v Logout, see “Configuring the Logout function” on page 66.

Installation

Before you install the Sample, you should be familiar with the requirements for installing it and the methods you can choose for installation.

Installation requirements

You must install the Sample on a system that has WebSphere Application Server version 5.0.2 already installed. In addition, you must have installed the WebSphere Application Server patches that are specified in the IBM Tivoli Identity Manager Version 4.5 Release Notes. Use the installation instructions in those Release Notes to install the patches.

Note: If you will use the Provisioning Fast Start Installer as your installation method, you must disable Security in WebSphere Application Server. As such, you will need to take the following steps before and after the installation:

1. Disable Security in WebSphere Application Server. Refer to the WebSphere documentation for instructions.

2. Install the Sample (as described in Chapter 2, “Installing the Provisioning Fast Start collection,” on page 5).

3. Manually configure the Sample as follows (so that it can run with WebSphere Security enabled):

a. Create a file called was.policy in the following path:

$WAS_HOME/AppServer/config/cells/cellname/applications/itim_expi.ear/deployments/enrole/META-INF/

where $WAS_HOME is the directory where WebSphere Application Server is installed and cellname is the name of the cell.

b. Add the following lines to the was.policy file:

grant codeBase "file:$application" {
    permission java.security.AllPermission;
};

where application is the name of the Web application that the policy refers to.

4. Re-enable Security in the WebSphere Application Server using the WebSphere Administrative Console. Refer to the Administrative Console documentation for instructions.

Installation methods

You can use one of the following options for installing the Sample:

v Basic installation using the Provisioning Fast Start Installer

v Installation on a system where Tivoli Identity Manager is not installed

v Installation in a clustered environment

Choose the method that is appropriate for your environment.

Basic installation using the Provisioning Fast Start Installer

Installation of the Web Application Sample is provided through an EAR file that is embedded in the Provisioning Fast Start Installer. See Chapter 2, “Installing the Provisioning Fast Start collection,” on page 5 for more information.

If you have used this basic installation method, the Web Application Sample can be uninstalled when the Provisioning Fast Start collection is uninstalled. See “Uninstalling” on page 15 for details.

Note: When you run the Installer, the password that is set in the Tivoli Identity Manager enrole.appServer.ejbuser.credentials property is copied into the properties file for the Sample. However, if you have used the runConfig command in Tivoli Identity Manager to encrypt the password, the Sample won’t be able to use it. In this case, you will need to manually add the unencrypted password into the properties file for the Sample as follows:


1. After running the Installer, open the itim_expi.properties file in a text editor.

2. For the value of the platform.credentials property, type the enRole password that is specified in the enrole.appServer.ejbuser.credentials property of the enrole.properties file.

3. Save and close the file.

4. Use the WebSphere Administrative Console to stop and start itim_expi.ear.

Installation where Tivoli Identity Manager is not installed

To install the Web Application Sample on a system on which Tivoli Identity Manager is not installed, follow the instructions in Chapter 2, “Installing the Provisioning Fast Start collection,” on page 5. Then, when the installation is complete, you must:

1. Copy the Tivoli Identity Manager API JAR files from a system where Tivoli Identity Manager is installed to the system where the Sample Web Application is installed. The JAR files are located in the Tivoli Identity Manager EAR directory under $WAS_HOME/AppServer/InstalledApps/enRole.ear/ (where $WAS_HOME is the directory where WebSphere Application Server is installed.)

Following is the list of JAR files that must be copied:

v api_ejb.jar

v itim_api.jar

v ldapjdk.jar

2. Place these JAR files on the system where the Web Application Sample is installed under:

$WAS_HOME/AppServer/InstalledApps/itim_expi.ear/itim_expi.war/WEB-INF/lib

(where $WAS_HOME is the directory where WebSphere Application Server is installed.)

3. Copy the file itim_expi.properties from itim_expi.ear/itim_expi.war/WEB-INF/lib to WebSphere/AppServer/properties.

4. Edit the itim_expi.properties file and set the key elements as follows:

Tenant and Tenant DN setup:

tenantid=<your tenant ID>
tenantdn=<your tenant DN>

Default organization (root in Tivoli Identity Manager):

default.org=root organization in Tivoli Identity Manager
platform.url=iiop://host name of Tivoli Identity Manager server:port (URL where Tivoli Identity Manager is installed)
platform.principal=EJB user name (default="rasweb")
platform.credentials=EJB user credentials (default=<blank>)

You can determine the values for these elements by looking at the corresponding values in the enrole.properties file, which is located in the $ITIM_HOME/data/ directory (where $ITIM_HOME is the directory where Tivoli Identity Manager is installed). The elements and corresponding values are described in the following table.


Element in itim_expi.properties file    Corresponding value in the enrole.properties file

tenantid    Use the value for enrole.defaulttenant.id.

tenantdn    Use the value ’ou=tenantid’ combined with the value of enrole.ldapserver.root. For example, "tenantdn=ou=myco,dc=com".

default.org    Use ’ou=tenantid’.

platform.url    Use the URL for the Tivoli Identity Manager server with the port used by the WebSphere Server for IIOP.

platform.principal    Use the name of the user who has been assigned as the ITIM_SYSTEM role. (Usually this value is the same as the enrole.appServer.ejbuser.principal.)

platform.credentials    Use the password of the platform.principal user. (Usually this value is the same as the enrole.appServer.ejbuser.credentials.) Note: If you have used the runConfig command in Tivoli Identity Manager to encrypt the password set in the enrole.appServer.ejbuser.credentials, you will need to manually add the unencrypted password as the value for the platform.credentials property.

Following are example values for these key elements in the itim_expi.properties file:

#------------------------------------------------------
# Organizational information
#------------------------------------------------------
tenantid=myco
tenantdn=ou=myco,dc=com
default.org=ou=myco

# Application Server
platform.url=iiop://itimserver.myco.com:2809
platform.principal=enroleUser
platform.credentials=enroleUserPassword

Installation in a clustered environment

To install the Sample in a clustered environment:

1. Change the extension of the Provisioning Fast Start Installer to .jar.

2. Open the Installer file using an unzip utility (such as WinZip) and extract the itim_expi.ear file.

3. On the Network Deployment Manager, use WebSphere to manually install the EAR file on the cluster or on a single node:

v If Tivoli Identity Manager is deployed using the "regular cluster" model, install the Sample onto the same cluster.

v If Tivoli Identity Manager is deployed using the "functional cluster" model, install the Sample onto the Tivoli Identity Manager user interface cluster.

Use the WebSphere Administrative Console to install the EAR manually. See the Administrative Console documentation for instructions.


4. Copy the following JAR files from a Tivoli Identity Manager server to itim_expi.ear/itim_expi.war/WEB-INF/lib on the WebSphere Application Server (appserver), on all application servers that are members of the cluster:

v itim_api.jar

v ldapjdk.jar

v api_ejb.jar

5. Copy the file itim_expi.properties from itim_expi.ear/itim_expi.war/WEB-INF/lib to WebSphere/AppServer/properties on all application servers that are members of the cluster.

6. Edit the itim_expi.properties file and set the key elements as follows:

Tenant and Tenant DN setup:

tenantid=<your tenant ID>
tenantdn=<your tenant DN>

Default organization (root in Tivoli Identity Manager):

default.org=root organization in Tivoli Identity Manager
platform.url=iiop://host name of Tivoli Identity Manager server:port/cell/clusters/cluster_name (URL where Tivoli Identity Manager is installed)
platform.principal=EJB user name (default="rasweb")
platform.credentials=EJB user credentials (default=<blank>)

You can determine the values for these elements by looking at the corresponding values in the enrole.properties file, which is located in the $ITIM_HOME/data/ directory (where $ITIM_HOME is the directory where Tivoli Identity Manager is installed). The elements and corresponding values are described in the following table.

Element in itim_expi.properties file    Corresponding value in the enrole.properties file

tenantid    Use the value for enrole.defaulttenant.id.

tenantdn    Use the value ’ou=tenantid’ combined with the value of enrole.ldapserver.root. For example, "tenantdn=ou=myco,dc=com".

default.org    Use ’ou=tenantid’.

platform.url    Use the URL for the Tivoli Identity Manager server with the port used by the WebSphere Server for IIOP.

platform.principal    Use the name of the user who has been assigned as the ITIM_SYSTEM role. (Usually this value is the same as the enrole.appServer.ejbuser.principal.)

platform.credentials    Use the password of the platform.principal user. (Usually this value is the same as the enrole.appServer.ejbuser.credentials.)

Following are example values for these key elements in the itim_expi.properties file:

#------------------------------------------------------
# Organizational information
#------------------------------------------------------
tenantid=myco
tenantdn=ou=myco,dc=com
default.org=ou=myco

# Application Server
platform.url=iiop://itimserver.myco.com:2809/cell/clusters/ITIM-UI-CLUSTER
platform.principal=enroleUser
platform.credentials=enroleUserPassword
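An added example, not code from the Provisioning Fast Start collection, that derives the itim_expi.properties key elements from enrole.properties by applying the mapping table above, for both the single-server install and the clustered install (which appends /cell/clusters/cluster_name to platform.url). It assumes the Tivoli Identity Manager host name and IIOP port are passed in explicitly, because the table describes them in words rather than naming an enrole.properties key; the enrole.properties content is a constructed sample.

```python
"""Derive the itim_expi.properties key elements from enrole.properties.

Added example (not part of the Provisioning Fast Start collection). It
applies the guide's mapping table: tenantid, tenantdn, default.org,
platform.url, platform.principal and platform.credentials. The host name,
IIOP port and cluster name are passed in explicitly (assumption: the guide
describes them in words rather than naming an enrole.properties key).
"""
from __future__ import annotations

import re
from typing import Dict, Optional

# Constructed sample of the relevant enrole.properties entries.
SAMPLE_ENROLE_PROPERTIES = """\
# enrole.properties (constructed sample, not a real ITIM 4.5 file)
enrole.defaulttenant.id=myco
enrole.ldapserver.root=dc=com
enrole.appServer.ejbuser.principal=enroleUser
enrole.appServer.ejbuser.credentials=enroleUserPassword
"""

# key, then '=' or ':', then the rest of the line as the value
_KEY_VALUE = re.compile(r"^\s*([^#!=:\s][^=:]*?)\s*[=:]\s*(.*)$")


def parse_properties(text: str) -> Dict[str, str]:
    """Parse the subset of Java .properties syntax these files use (key=value, # comments)."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", "!")):
            continue
        m = _KEY_VALUE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def derive_itim_expi(enrole: Dict[str, str], itim_host: str, iiop_port: int,
                     cluster_name: Optional[str] = None,
                     plaintext_credentials: Optional[str] = None) -> Dict[str, str]:
    """Build the itim_expi.properties key elements according to the guide's table.

    cluster_name: set for the clustered install, which appends
    /cell/clusters/<cluster_name> to platform.url.
    plaintext_credentials: supply this when runConfig has encrypted
    enrole.appServer.ejbuser.credentials; the Sample cannot use the encrypted
    value, so the unencrypted password must be written instead.
    """
    required = ("enrole.defaulttenant.id", "enrole.ldapserver.root",
                "enrole.appServer.ejbuser.principal")
    missing = [k for k in required if not enrole.get(k)]
    if missing:
        raise ValueError(f"enrole.properties is missing: {', '.join(missing)}")

    tenantid = enrole["enrole.defaulttenant.id"]
    url = f"iiop://{itim_host}:{iiop_port}"
    if cluster_name:
        url += f"/cell/clusters/{cluster_name}"
    credentials = (plaintext_credentials if plaintext_credentials is not None
                   else enrole.get("enrole.appServer.ejbuser.credentials", ""))
    return {
        "tenantid": tenantid,
        # 'ou=tenantid' combined with the value of enrole.ldapserver.root
        "tenantdn": f"ou={tenantid},{enrole['enrole.ldapserver.root']}",
        "default.org": f"ou={tenantid}",
        "platform.url": url,
        "platform.principal": enrole["enrole.appServer.ejbuser.principal"],
        "platform.credentials": credentials,
    }


def render_itim_expi(props: Dict[str, str]) -> str:
    """Write the key elements in the layout used by the guide's example values."""
    rule = "#" + "-" * 54
    lines = [rule, "# Organizational information", rule]
    lines += [f"{k}={props[k]}" for k in ("tenantid", "tenantdn", "default.org")]
    lines += ["", "# Application Server"]
    lines += [f"{k}={props[k]}"
              for k in ("platform.url", "platform.principal", "platform.credentials")]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    enrole = parse_properties(SAMPLE_ENROLE_PROPERTIES)
    print(render_itim_expi(derive_itim_expi(enrole, "itimserver.myco.com", 2809)))
    print(render_itim_expi(derive_itim_expi(enrole, "itimserver.myco.com", 2809,
                                            cluster_name="ITIM-UI-CLUSTER")))
```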

7. Start the itim_expi application using the WebSphere Administrative Console.

Configuration

The following functions (and their related JSPs and corresponding servlets) were installed during the installation of the Sample:

v Logon

v Main (Home)

v Change Password

v Forgot My Password (using Challenge Response)

v Self-Care

v Self-Registration

v Application Subscription

v Set Challenge Response

v Logout

This section describes the configuration performed by the Installer and any additional configuration you need to make if you did not install the Sample using the Installer.

All of the properties that you’ll need to configure for these functions are stored in the properties file, itim_expi.properties, which was installed in the /WebSphere/Appserver/properties directory. (This directory is part of the standard CLASSPATH, which is used to find the properties file.)

The properties file contains:

v Properties for the following functions:

– Change password

– Forgot my password

– Self-care

– Self-registration

v The names of the URLs (JSPs) for each of the pages.

For example:

logonpage=expilogon.jsp
homepage=home.html
challengeresponseanswer=cranswer.html
changepassword=changepassword.jsp

v Attributes for Tivoli Access Manager Groups and application names.

v Attributes for enabling the Sample for use with WebSEAL and Tivoli Identity Manager.

v Comments to help you understand the properties and what the properties configure.

The properties file is a plain text file and you should use a text editor to change the properties it contains.


After making changes to the properties file, use the WebSphere Administrative Console to stop and start the itim_expi.ear.

Ensuring proper access to the JSPs

Several of the pages require the user to be authenticated:

v Change Password

v Self-Care

v Main page

v Challenge/Response

v Logout

Unauthenticated access is sufficient for the following pages:

v Logon

v Self-Registration

v Forgot My Password

Configuring e-mail notification in Tivoli Identity Manager

You might want to change the e-mail notification that users receive from Tivoli Identity Manager so that it has the URL of the Sample's logon page.

To change the e-mail notification:

1. Edit the notifytemplate.html file in the $ITIM_HOME/data/workflow_systemprocess directory.

2. Replace the URL in the template with the URL of the logon page that you are using for this Sample.

3. Save and close the file.

4. Stop and then restart Tivoli Identity Manager.

Configuring the Logon function

The files associated with the Logon function are:

JSP: logon.jsp

Servlet: logonServlet.java

The Logon function supports two types of authentication:

v User ID and password.

v Single sign-on through WebSEAL. (This function requires that Single Sign-On is enabled in Tivoli Identity Manager. For more information, see Chapter 4, “Configuring Tivoli Identity Manager for single sign-on with WebSEAL,” on page 21.)

When you ran the Installer, the ssoenabled attribute in the itim_expi.properties file was set to one of the following values. If you did not run the Installer, you can modify this attribute by editing the properties file.

v To use User ID and password authentication, the attribute must be set to false. The Logon function will use JAAS to authenticate to Tivoli Identity Manager.

v To use SSO from WebSEAL, the attribute must be set to true. The authentication will be performed by WebSEAL and the Login servlet will look in the request header for the value specified for iv-user. In addition, you should not use the Change Password function in the Sample. Instead, you should use the Reverse Password Synchronization agent and the WebSEAL change password function. For more information, see “Configuring Password functions.”
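The two Logon paths described above, as an added example that is not part of the Web Application Sample: the ssoenabled attribute selects between a JAAS user ID and password logon and reading the iv-user header that WebSEAL sets, and iv-user is ignored entirely when ssoenabled is false. The JAAS login is a stand-in callback and the properties fragments are constructed; treating a missing iv-user or the value "Unauthenticated" (what WebSEAL sends for an unauthenticated session) as no logon is an assumption added here, not something the guide states.

```python
"""Model of the Sample Logon function's two authentication modes.

Added example, not code from the Web Application Sample. With
ssoenabled=false the user ID and password go to a JAAS login; with
ssoenabled=true the principal is taken from the iv-user request header
that WebSEAL sets on the junctioned request. The JAAS call is a callback
supplied by the caller (assumption: the real servlet authenticates to
Tivoli Identity Manager through JAAS, as the guide says).
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Mapping, Optional

# Constructed itim_expi.properties fragments carrying the ssoenabled attribute.
SSO_ENABLED_PROPERTIES = "# constructed sample\nssoenabled=true\n"
SSO_DISABLED_PROPERTIES = "# constructed sample\nssoenabled=false\n"


def sso_enabled(properties_text: str) -> bool:
    """Read the ssoenabled attribute; anything but 'true' means ID/password logon."""
    for line in properties_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "ssoenabled":
            return value.strip().lower() == "true"
    return False


@dataclass
class LogonResult:
    principal: Optional[str]   # None when logon did not succeed
    mode: str                  # "sso" or "password"
    reason: str = ""


def logon(properties_text: str,
          headers: Mapping[str, str],
          user_id: Optional[str],
          password: Optional[str],
          jaas_login: Callable[[str, str], bool]) -> LogonResult:
    """Decide the Logon outcome the way the guide describes for each mode."""
    # HTTP header names are case-insensitive; normalise once.
    lowered = {k.lower(): v for k, v in headers.items()}

    if sso_enabled(properties_text):
        # WebSEAL performed the authentication; the servlet reads iv-user.
        # Assumption (not in the guide): WebSEAL sends "Unauthenticated" for a
        # session that has not logged on, so that value is not a principal.
        principal = lowered.get("iv-user", "").strip()
        if not principal or principal.lower() == "unauthenticated":
            return LogonResult(None, "sso", "no authenticated WebSEAL user in iv-user")
        return LogonResult(principal, "sso")

    # ssoenabled=false: authenticate with JAAS; iv-user plays no part here.
    if not user_id or not password:
        return LogonResult(None, "password", "user ID and password required")
    if not jaas_login(user_id, password):
        return LogonResult(None, "password", "JAAS login failed")
    return LogonResult(user_id, "password")


if __name__ == "__main__":
    def fake_jaas(user: str, pwd: str) -> bool:   # stand-in for the JAAS login
        return (user, pwd) == ("jdoe", "secret")

    print(logon(SSO_ENABLED_PROPERTIES, {"iv-user": "jdoe"}, None, None, fake_jaas))
    print(logon(SSO_DISABLED_PROPERTIES, {"iv-user": "jdoe"}, "jdoe", "secret", fake_jaas))
```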

The Logon page also provides links to the following other pages in the Sample:

v Change Password

v Forgot My Password

v Self-Registration

Configuring the Main (Home) page

The files associated with the Main (Home) page are:

JSP: main.jsp

Servlet: main.java

This Main page is referred to as the "Home page" on other JSPs. It is a simple JSP that functions as a "Welcome" page in the Sample and contains links to other JSPs in the Sample:

v Self-care page

v Change password page

v Logout page

v Application Subscription page (if you have Tivoli Access Manager configured)

You can add other links to this page to fit your needs. However, no other configuration is required.

Configuring Password functions

Before you configure the Change Password function or the Forgot My Password function, consider the following password management practices that relate to the use of the Samples in an integrated environment:

v Password strength rules

Make sure the password strength rules (which are part of the password policy) match in both Tivoli Identity Manager and Tivoli Access Manager. To ensure that these rules match, consider the following:

– Password rules are not configured in Tivoli Identity Manager by default. However, they are configured by default in Tivoli Access Manager. If you use Tivoli Identity Manager APIs to change the user’s Tivoli Access Manager password, without making sure the password rules match, the password change might succeed in Tivoli Identity Manager but fail in Tivoli Access Manager.

– If you are using a WebSEAL environment and you do not want to maintain two sets of rules (one in Tivoli Identity Manager and one in Tivoli Access Manager), you can turn off the password rules in Tivoli Access Manager if you can ensure that users can change their passwords only through the use of the Reverse Password Synchronization for Tivoli Access Manager WebSEAL agent (if you are using WebSEAL) or through Tivoli Identity Manager if you are not using WebSEAL. The Reverse Password Synchronization agent checks the password against the Tivoli Identity Manager password rules. The Reverse Password Synchronization agent is available in the Tivoli Access Manager agent package. Contact your IBM account representative for more information.


v Password synchronization

Tivoli Identity Manager and Tivoli Access Manager account passwords should be synchronized at all times. To ensure this synchronization:

– Enable password synchronization in Tivoli Identity Manager. Refer to the "Configuration Properties" chapter in the IBM Tivoli Identity Manager Policy and Organization Administration Guide. In the Sample, the Tivoli Identity Manager APIs that are used to change a user’s password check the Tivoli Identity Manager configuration to determine whether to change all of the user’s passwords or only the Tivoli Identity Manager password.

– Keep in mind that if you will configure the Sample for use with single sign-on, the user signs on with the password for the Tivoli Access Manager account; however, the Tivoli Identity Manager APIs that are used to change the user’s password require the password for the Tivoli Identity Manager account.

– Ensure that the passwords generated for new Tivoli Identity Manager accounts and new Tivoli Access Manager accounts are the same. Refer to “Synchronizing passwords when using single sign-on with Self-Registration” on page 60 for more information.

v Special considerations about using the Password functions in a WebSEAL single sign-on environment

If you will be using this Sample in a WebSEAL single sign-on environment, install and configure the Reverse Password Synchronization agent for Tivoli Access Manager WebSEAL on the Tivoli Identity Manager server. (Contact your IBM representative for information about obtaining this agent.) After you have installed this agent, be aware of the following considerations:

– Users should change their passwords through WebSEAL instead of through the Change Password function in this Sample.

– After users request that their password be changed, the Reverse Password Synchronization agent checks the newly chosen password against the Tivoli Identity Manager password strength rules before it makes the change.

– In Tivoli Identity Manager version 4.5, password rules override provisioning policy when generating passwords for new accounts. This situation can cause problems in integrated environments when single sign-on is used. For example, if you have configured the provisioning policy so that it sets a user’s Tivoli Identity Manager and Tivoli Access Manager passwords to secret, and you do not have any Tivoli Identity Manager password rules enabled, then Tivoli Identity Manager and Tivoli Access Manager accounts will be created with a password of secret, as expected. However, if you then define a password policy with any rules, Tivoli Identity Manager and Tivoli Access Manager accounts will not be created with secret and instead the Tivoli Identity Manager and Tivoli Access Manager account passwords will be set to different randomly generated passwords.

In a non-production environment, you could workaround this situation by

not defining password rules in Tivoli Identity Manager and setting thepassword for the Tivoli Identity Manager and Tivoli Access Manager accountsto a constant value. (This method is described in “Synchronizing passwordswhen using single sign-on with Self-Registration” on page 60.) Anothermethod you could use to workaround this situation is to force users tochange their passwords at initial login, and to ensure that users can use onlyWebSEAL with the Reverse Password Synchronization agent installed tochange their password; that is, they do not use Tivoli Identity Manager or theSample Change Password function to change their password. Additionally,keep in mind that users receive an e-mail when their Tivoli Identity Manager

56 IBM Tivoli Access Manager for e-business: IBM Tivoli Identity Manager Provisioning Fast Start Guide

Page 73: Am51 Tim Guide

7/28/2019 Am51 Tim Guide

http://slidepdf.com/reader/full/am51-tim-guide 73/96

and Tivoli Access Manager accounts are created (they receive a separatee-mail for each account). If  the passwords for each account are different, usersmight  be confused as to which password to use when logging on. TivoliIdentity Manager can  be customized so that it sends e-mail only when theTivoli Access Manager account is created; however, this customizationinvolves writing a custom workflow. See the IBM Tivoli Identity Manager Policyand Organization  Administration Guide for information on workflows.

Configuring the Change Password function

The files associated with the Change Password function are:

JSPs:
changepwd.jsp
changepwdinfo.jsp
pwdrulesinfo.jsp
selfchangepwd.jsp
selfchangepwdinfo.jsp

Servlet:
ChangePasswordServlet.java

This function enables users to change or reset their passwords. This function can be used in the Sample in two ways:

• Change My Password link on the Logon page: This enables users to quickly change their password without having to log on to the application, or to change their password if it has expired.

• Change My Password link on the Main (Home) page: This enables users to change their password after they have logged on to the application.

Note: If you are using WebSEAL, there are additional considerations. For example, users should change their passwords through the WebSEAL interface instead of using the Change Password page in the Sample. For more information, see “Configuring Password functions” on page 55 and “Configuring the Sample for use with WebSEAL single sign-on” on page 66.

The configuration needed for this function is described in the following sections.

Configuring which password will be changed: When you ran the Installer, you configured the servlet so that the user’s password change affects either:

• Only the Tivoli Identity Manager password

• All of the passwords that the user is allowed to change

However, if you didn’t run the Installer or you want to change the settings you selected, you can use a text editor to change the value of the changeonlytimpassword attribute in the itim_expi.properties file.

Setting the attribute to true means that only the Tivoli Identity Manager password will be changed. Setting it to false means that all of the passwords that a user is allowed to change will be set to the new password.

Note: If you set this attribute to false, you must also change a setting in the Tivoli Identity Manager server as follows:

1. Log in to the Tivoli Identity Manager interface.

2. Click the Configuration tab.


3. Select the Enable password synchronization box. (The box is not selected by default.)

Creating ACI for the Change Password function: An Account ACI is required to allow users to change all of their account passwords except for the Tivoli Identity Manager account password. If the ACI is not created, then users will be able to change only their Tivoli Identity Manager account password, even if password synchronization is enabled in Tivoli Identity Manager and the changeOnlyTimPassword attribute in the itim_expi.properties file is set to false.

The ACI is created using the Tivoli Identity Manager GUI as follows:

1. From My Organization, select Control Access.

2. Click Add.

3. Select Account (then select PD Account, if you have more than one set of accounts configured).

4. Click Continue.

5. Enter an ACI name (for example, EXPI — Account ACI — Password) and select Sub-tree for ease of use.

6. Select Attribute Permissions and, at a minimum, grant Read and Write privileges for Password.

7. Click Continue.

8. Grant Search and Modify Operation privileges.

9. Click Submit.

Configuring the Forgot My Password function

The files associated with the Forgot My Password function are:

JSPs:
forgotpwd.jsp
forgotpwdinfo.jsp

Servlet:
ForgotPasswordServlet.java

This function enables users who have forgotten their password to reset their password. The password is generated by Tivoli Identity Manager using the password rules that are defined for the user’s accounts or, if no password rules are defined, using the built-in rules in Tivoli Identity Manager. The newly generated password is either displayed on the screen or sent to the user at their e-mail address of record (based on the configuration of properties as described in “Configuring the Forgot My Password properties” on page 59).

In a WebSEAL environment, you can use the Forgot My Password function by changing the WebSEAL login page to include a link that points to the URL where this page is located in the Sample.

Enabling and configuring the challenge response settings in Tivoli Identity Manager: The settings for the Forgot My Password page depend on the configuration of the challenge response settings in Tivoli Identity Manager. By default, Tivoli Identity Manager has the challenge response disabled. The Sample supports challenge response with the challenge definition mode set to ADMIN-DEFINED and the Admin challenge mode set to PRE-DEFINED. Therefore, before configuring or using the Forgot My Password page in this Sample, you need to complete the following steps:


1. Enable the challenge response as described in the IBM Tivoli Identity Manager Policy and Organization Administration Guide.

2. Set the challenge definition mode to ADMIN-DEFINED and define the challenges.

3. Set the admin challenge mode to PRE-DEFINED and define the challenges.

When you have completed these steps, you can configure the Forgot My Password properties as described in “Configuring the Forgot My Password properties.”

Configuring the Forgot My Password properties: The Installer lets you configure the properties for the Forgot My Password function during the configuration phase of the installation. However, if you didn’t run the Installer or if you want to change your selections, you can modify the properties in the itim_expi.properties file. The properties are as follows:

• displaypassword - This property specifies whether the new password is displayed on the screen or e-mailed to the user. If the value is true, the newly generated password is displayed to the user on successful completion of the Challenge/Response. If the value is false, the newly generated password is e-mailed to the user on successful completion of the Challenge/Response.

• changeonlytimpassword - This property specifies whether to change only the Tivoli Identity Manager password on successful completion of the Challenge/Response. If the value is true, only the Tivoli Identity Manager password will be changed. If the value is false, all of the passwords that a user is allowed to change will be set to the new password.

Creating ACI for the Forgot My Password function: An Account ACI is required to allow users to change all of their account passwords except for the Tivoli Identity Manager account password. If the ACI is not created, then users will be able to change only their Tivoli Identity Manager account password, even if password synchronization is enabled in Tivoli Identity Manager and the changeonlytimpassword attribute in the itim_expi.properties file is set to false.

The ACI is created using the Tivoli Identity Manager GUI as follows:

1. From My Organization, select Control Access.

2. Click Add.

3. Select Account (then select the Tivoli Access Manager account, if you have more than one set of accounts configured).

4. Click Continue.

5. Enter an ACI name (for example, EXPI — Account ACI — Password) and select Sub-tree for ease of use.

6. Select Attribute Permissions and, at a minimum, grant Read and Write privileges for Password.

7. Click Continue.

8. Grant Search and Modify Operation privileges.

9. Click Submit.

Configuring the Self-Registration function

The files associated with the Self-Registration function are:

JSPs:
selfregister.jsp
selfregsub.jsp


Servlets:
registerServlet.java

This function enables a user to “register as a new user.” When a user self-registers, a Tivoli Identity Manager Person is created along with any automatic entitlements specified in the provisioning policy. This capability is dependent on the Tivoli Identity Manager configuration and might be different for each installation. (See “Adding auto-provisioning for Tivoli Identity Manager accounts” and “Adding auto-provisioning for Tivoli Access Manager accounts” on page 62 for more information about provisioning configurations.)

As part of this function, the JSP displays a form that asks the user to provide a minimal set of data that is needed to create a Person record in Tivoli Identity Manager.

The user ID and password for the user are generated automatically, and at the user’s next login attempt, the user will be prompted to configure the Challenge/Response answers.

After the Person record has been created in Tivoli Identity Manager, the users receive an e-mail informing them of the success or failure of their self-registration request.

Because self-registration affects settings in both Tivoli Identity Manager and Tivoli Access Manager, additional configuration is required. Refer to the sections below for more information.

Synchronizing passwords when using single sign-on with Self-Registration

Note: Before modifying any functions related to passwords, be sure to review the information in “Configuring Password functions” on page 55. In addition, because the following instructions are related to single sign-on with WebSEAL, you should also review the information in “Configuring the Sample for use with WebSEAL single sign-on” on page 66.

If you are using single sign-on with WebSEAL in the Sample along with Self-Registration, you need to make sure that the passwords for the Tivoli Identity Manager account and the Tivoli Access Manager account are always synchronized, especially when they are generated during Self-Registration.

One way to keep the passwords synchronized is to set the password value in the provisioning policy for the Tivoli Identity Manager account and the Tivoli Access Manager account to a constant value.

Attention: The following procedure introduces a security risk (every self-registered account is created with the same known password) and should not be used in a production environment. In a production environment, use JavaScript to create an algorithm that will generate the passwords so that they are both the same.

Using the Tivoli Identity Manager interface:

1. Click Provisioning in the Main Menu Navigation Bar.


2. Navigate through the Organization Tree and click the name of the branch in which the desired Provisioning Policy is located.

3. Click Define Provisioning Policies in the task bar.

The Provisioning Policies list page opens.

4. Click the name of the Provisioning Policy you want to modify.

5. Click the Entitlements tab.

6. Click the Tivoli Identity Manager service.

7. Click the Get Detail link next to the Advanced Provisioning Parameter List.

8. Click Add.

9. Select the box next to Password and then click Add.

10. Type in a constant value that meets the password rules for the accounts that will use this provisioning policy.

11. Submit the changes by clicking the Submit button on each open panel.

12. Repeat the steps for the Tivoli Access Manager provisioning policy. Click Define Provisioning Policies in the task bar.

The Provisioning Policies list page opens.

13. Click the name of the Provisioning Policy you want to modify.

14. Click the Entitlements tab.

15. Click the Tivoli Access Manager service.

16. Click the Get Detail link next to the Advanced Provisioning Parameter List.

17. Click Add.

18. Select the box next to Password and then click Add.

19. Type in a constant value that meets the password rules for the accounts that will use this provisioning policy.

20. Submit the changes by clicking the Submit button on each open panel.

After the initial creation of the password during Self-Registration, you can force the users to change their passwords at the next login. To set the “forced password change,” you will need to set two properties:

• Change Password at Next Login (in the Tivoli Identity Manager provisioning policy)

• ertam4expirepass (in the Tivoli Identity Manager provisioning policy)

Use the procedure for modifying provisioning policies in the IBM Tivoli Identity Manager Policy and Organization Administration Guide.

Creating a Location object in Tivoli Identity Manager for Self-Registration

A Location object must be created somewhere in the Tivoli Identity Manager organization tree and specified in the itim_expi.properties file. The Location object, represented by the LDAP attribute l, is used in the workflow mechanisms of Tivoli Identity Manager to place the self-registered person object somewhere in the organization tree.

By default, the pages are configured with the Location object name set to selfregisterhere. To use the default name, use the Tivoli Identity Manager interface to create a Location=selfregisterhere somewhere in your organization tree, and all self-registered users will be placed there. If you created a different Location object in Tivoli Identity Manager, change the itim_expi.properties file so that the location matches.


Below is an excerpt of the settings in the properties file that affect the self-registration process.

#------------------------------------------------------
# Self-Registration specific information
# - l = an LDAP attribute that represents a location reference
#       in the attribute Person object. (this must match
#       the attribute that is configured in the WorkFlow for
#       LOCATIONSEARCH - the default name of a workflow script
#       in the selfRegister entity object).
# - org = the name of the Location object created in ITIM
#       where the self-registered users will be placed
#       by default.
#------------------------------------------------------
orgContainer.selfregister.location.attr=l
orgContainer.selfregister.location.org=selfregisterhere

Adding auto-provisioning for Tivoli Identity Manager accounts

Auto-provisioning is required to create Tivoli Identity Manager accounts for every Person object created through Self-Registration; this allows the newly created user to log on to Tivoli Identity Manager (either directly or through the Sample logon page).

By default, the Tivoli Identity Manager provisioning policy for Tivoli Identity Manager accounts is set to manual. Two options exist for getting the Samples configured and running quickly:

• Modify the default Tivoli Identity Manager provisioning policy to create Tivoli Identity Manager accounts automatically.

• Create a new Tivoli Identity Manager provisioning policy (at the appropriate organization level in the tree) that will automatically provision Tivoli Identity Manager accounts.

Adding auto-provisioning for Tivoli Access Manager accounts

Auto-provisioning is set up for Tivoli Access Manager accounts in Tivoli Identity Manager only if it is enabled in the provisioning policy. If you selected the Access Manager service and provisioning policy when you ran the Installer (as described in Chapter 3, “Creating a Tivoli Access Manager service and default provisioning policy,” on page 17), you specified a setting for auto-provisioning during the configuration portion of the installation. If you created the provisioning policy without using the Installer, refer to the IBM Tivoli Identity Manager Policy and Organization Administration Guide for instructions on enabling auto-provisioning.

Configuring the Self-Care function

The files associated with the Self-Care function are:

JSPs:
selfcare.jsp
selfcaresub.jsp

Servlets:
selfCareServlet.java

The self-care function enables users to manage the personal data in their Person object. For example, the self-care page could enable users to update their phone numbers or office location in their person definition. This personal data is part of the properties in a user’s Person object in Tivoli Identity Manager. Tivoli Identity Manager uses the Access Control Information that is set for this page to determine if a user can access these properties. In addition, you can customize the set of properties that is displayed on this page.


Configuring properties for Self-Care

Many Person properties are available in Tivoli Identity Manager. However, in a self-care scenario, you might want to limit the properties that a user can manage to a subset of the available properties from Tivoli Identity Manager. The set of properties to be managed is contained in the itim_expi.properties file. The properties file defines the label of the attribute, the exact name as found in Tivoli Identity Manager, and the verbose description of the text for the attribute.

Creating ACI for Self-Care

A Person ACI must be created using the Tivoli Identity Manager GUI to allow for searching and modifying of the properties that users can access through self-care.

The Person object must have access to all the properties exposed to the user through the Sample Servlets and defined in the itim_expi.properties file.

At a minimum, the ACI must provide Read and Write access for all properties being manipulated by the Self-Care portion of the Samples. Use the “My Organization” and “Control Access” tasks in the Tivoli Identity Manager graphical user interface to create an ACI for Person objects that grants read/write access to person properties.

The ACI is created using the Tivoli Identity Manager GUI in the following manner:

1. From My Organization, select Control Access.

2. Click Add.

3. Select Person (then select PD Account, if you have more than one set of accounts configured).

4. Click Continue.

5. Enter an ACI name (for example, EXPI — Person ACI — Self-Care) and select Sub-tree for ease of use.

6. Select Attribute Permissions and, at a minimum, grant Read and Write privileges for person properties.

7. Click Continue.

8. Grant Search and Modify Operation privileges.

9. Click Submit.

Configuring the Application Subscription function

The files associated with the Application Subscription function are:

JSP:
applications.jsp

Servlets:
applicationServlet.java

This function enables users to request access to company applications that are managed through Tivoli Access Manager. The page is designed for you to add a checklist of applications to the JSP so that users can select to request access to applications or can deselect to end their access.

Tivoli Access Manager controls access to company applications by preventing users from viewing an application if they do not have authorization. Typically, the Tivoli Access Manager access control lists (ACLs), which control access to the applications managed by Tivoli Access Manager, are defined using groups. Administrators can grant users access to an application by simply making the users members of the Tivoli Access Manager group used in the ACL. The Application Subscription page works by modifying the groups attribute of the user’s Tivoli Access Manager account based on the groups the user selects on the page.

Note: The JSP that is installed as part of the Sample does not automatically add the groups that are supported by Tivoli Access Manager. You must explicitly define and code them. The Application Subscription servlet includes commented code fragments to help you build the list of applications.

Configuring Tivoli Access Manager service name and service DN

The groups and application names used in the Application Subscription JSP are defined in the itim_expi.properties file. The Subscribe to Applications link on the page is provided only when a Tivoli Access Manager service is found on the Tivoli Identity Manager server. The Tivoli Access Manager service is specified by the name and full distinguished name (DN) of that service. If a Tivoli Access Manager service is not found, the Subscribe to Applications link will not be displayed on the main page (main.jsp).

If the Tivoli Access Manager profile is installed prior to running the Tivoli Access Manager Provisioning Fast Start Installer, the application.service.name and application.service.dn properties will be set up automatically. (The profile is usually installed as part of the Tivoli Access Manager agent installation procedure.)

If the profile was not installed before you ran the Installer, you must provide the information manually by modifying the properties file explicitly, as follows:

1. To obtain the application.service.name, use the Directory Management Tool or a similar LDAP browser to look up the appropriate object. For example, browse the Tivoli Identity Manager tree until you get to ou=services. The DN you will use immediately follows ou=services. The DN in the following example is identified in <erglobalid=[fully-qualified DN respective of the Tivoli Access Manager service]>:

<LDAP prefix – configured during ITIM install>
  <erglobalid=000000000000000000>
    <ou=services>
      <erglobalid=[fully-qualified DN respective of the Tivoli Access Manager service]>

2. Open the itim_expi.properties file using a text editor.

3. Specify the name of the Tivoli Access Manager service for the following attribute:

application.service.name=name_of_the_service

4. Specify the DN for the Tivoli Access Manager service for the following attribute:

application.service.dn=name_of_the_DN

5. Make sure the following attribute and value are specified:

application.service.attribute=ertamgroupmember

6. Add a list of reference names for the properties that will contain the name of the application (verbose) description that is displayed in application.jsp. This list will also identify the groups that the description corresponds to:

application.list=group1,group2,group3,group4

Application Names:

application.group1.name=Expi_Application_1
application.group2.name=Expi_Application_2
application.group3.name=Expi_Application_3
application.group4.name=Expi_Application_4


7. Add a list of references to the Tivoli Access Manager groups that correspond to the equivalent Application Names specified in the previous step.

Note: These groups must already exist in Tivoli Access Manager.

application.group1.dn=tamgrp1
application.group2.dn=tamgrp2
application.group3.dn=tamgrp3
application.group4.dn=tamgrp4
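The Application Subscription mapping just described, together with the displaypassword, changeonlytimpassword and ssoenabled switches from the Change Password, Forgot My Password and single sign-on sections, can be checked before the Sample is deployed. The following is an added example, not code from the guide or from the Sample itself; it assumes only the property names the guide lists, and the properties excerpt it reads is constructed for the example.

```python
"""Added example (not the guide's or the Sample's own code): parse an
itim_expi.properties excerpt and report configuration problems in the
Application Subscription mapping and the password-handling switches.

Assumptions: property names are the ones the guide lists; the sample
content below is constructed for this example (the service DN uses an
obvious placeholder)."""
from typing import Dict, List

# Constructed sample of the relevant itim_expi.properties settings.
SAMPLE_PROPERTIES = """\
#------------------------------------------------------
# Application Subscription (constructed sample)
#------------------------------------------------------
application.service.name=TAM Service
application.service.dn=erglobalid=SERVICE_GLOBALID_PLACEHOLDER,ou=services,erglobalid=000000000000000000,ou=org,dc=com
application.service.attribute=ertamgroupmember
application.list= group1,group2,group3
application.group1.name=Expi_Application_1
application.group1.dn=tamgrp1
application.group2.name=Expi_Application_2
application.group2.dn=tamgrp2
application.group3.name=Expi_Application_3
# group3 has no .dn entry, so the servlet cannot map it to a TAM group
displaypassword=true
changeonlytimpassword=false
ssoenabled=true
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties-style parser: '#'/'!' comment lines,
    key=value or key:value, leading/trailing whitespace around the value
    dropped (java.util.Properties also strips leading value whitespace).
    Line continuations and unicode escapes are not handled."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")   # first '=' splits key/value
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def check_application_subscription(props: Dict[str, str]) -> List[str]:
    """Every reference in application.list needs a display name and a
    Tivoli Access Manager group DN, and the TAM service must be identified,
    otherwise the Subscribe to Applications link is not shown or a group
    cannot be mapped."""
    findings: List[str] = []
    for key in ("application.service.name", "application.service.dn"):
        if not props.get(key):
            findings.append(f"{key} is empty: the Subscribe to Applications link will not be shown")
    if props.get("application.service.attribute") != "ertamgroupmember":
        findings.append("application.service.attribute must be ertamgroupmember")
    refs = [r.strip() for r in props.get("application.list", "").split(",") if r.strip()]
    if not refs:
        findings.append("application.list is empty")
    for ref in refs:
        for suffix in ("name", "dn"):
            if not props.get(f"application.{ref}.{suffix}"):
                findings.append(f"application.{ref}.{suffix} missing for list entry {ref}")
    return findings


def check_password_settings(props: Dict[str, str]) -> List[str]:
    """Flag switches that widen exposure or that require a matching
    server-side setting, as described in the guide's password sections."""
    findings: List[str] = []
    if props.get("displaypassword", "false").lower() == "true":
        findings.append("displaypassword=true: generated passwords are shown on screen rather than e-mailed")
    if props.get("changeonlytimpassword", "true").lower() == "false":
        findings.append("changeonlytimpassword=false: enable password synchronization in the "
                        "Tivoli Identity Manager server and create the Account ACI for Password")
    if props.get("ssoenabled", "false").lower() == "true":
        findings.append("ssoenabled=true: Tivoli Identity Manager and Tivoli Access Manager "
                        "account passwords must stay synchronized")
    return findings


def audit(text: str) -> List[str]:
    """Run both checks over a properties file's content."""
    props = parse_properties(text)
    return check_application_subscription(props) + check_password_settings(props)


if __name__ == "__main__":
    for finding in audit(SAMPLE_PROPERTIES):
        print("-", finding)
```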

Creating ACI for the Application Subscriptions function

An Account ACI is required to allow users to access the Applications (Tivoli Access Manager Groups) page. The Account ACI provides users access to the Tivoli Access Manager Account in Tivoli Identity Manager. If the ACI is not created, the Sample will not display the Subscribe to Applications link on the Main page.

The ACI is created using the Tivoli Identity Manager GUI in the following manner:

1. From My Organization, select Control Access.

2. Click Add.

3. Select Account (then select PD Account, if you have more than one set of accounts configured).

4. Click Continue.

5. Enter an ACI name (for example, EXPI — Account ACI — Application Subscriptions) and select Sub-tree for ease of use.

6. Select Attribute Permissions and, at a minimum, grant Read and Write privileges for LDAP Group Memberships.

7. Click Continue.

8. Grant Search and Modify Operation privileges.

9. Click Submit.

This set of operations provides access to the Tivoli Access Manager accounts and specifically to the Application Subscriptions (Group attribute). When the operations are carried out and the user logs in to the system and has a Tivoli Access Manager account, the additional link (Subscribe To Applications) will appear on the Main page.

Configuring the Challenge/Response function

The files associated with the Challenge/Response function are:

JSPs:
cranswers.jsp
cranswersinfo.jsp

Servlet:
ChangeChallengeResponseServlet.java

The Challenge/Response page enables users to set the answers to the administrator-defined password challenges that are set in Tivoli Identity Manager.

There is a link to this page from the Main page. The Main page displays a warning message if the user’s challenge/response answers need to be updated. The warning can occur when the challenge/response answers are not set by the user or if an administrator changed the challenge/response questions.


Configuring the Logout function

The files associated with the Logout function are:

JSP:
logout.jsp

Servlet:
None

This function enables the user to log out of the Sample application. The page can be configured to direct the user to a specific URL by default. The page is designed to be used in an environment that does not use single sign-on.

If single sign-on is enabled for use with the Sample, logout.jsp calls the WebSEAL pkmslogout command. For more information about pkmslogout, refer to the IBM Tivoli Access Manager for e-business WebSEAL Administration Guide.

Configuring the Sample for use with WebSEAL single sign-on

Note: When using WebSEAL single sign-on with the Sample, be sure you are familiar with the information in “Configuring Password functions” on page 55 and in “Synchronizing passwords when using single sign-on with Self-Registration” on page 60.

When you run the Installer, you are asked to provide configuration information that can enable the Sample to be used with WebSEAL single sign-on (SSO). If you didn’t run the Installer or you want to change the setting, you can enable the Sample as follows:

1. Set the portal servlets to SSO mode, as follows:

a. Open the itim_expi.properties file.

b. Change the ssoenabled setting to true. (The default is false.)

2. Enable single sign-on in WebSEAL as described in Chapter 4, “Configuring Tivoli Identity Manager for single sign-on with WebSEAL,” on page 21.

3. Configure the junctions in WebSEAL and provide a single sign-on logon page. (The logon page becomes part of the WebSEAL configuration.) You can use the Logon page provided with this sample, or you can use a custom logon page. See “Configuring WebSEAL login page” on page 67 for information.

For single sign-on support, Tivoli Identity Manager must also be configured appropriately. See Chapter 4, “Configuring Tivoli Identity Manager for single sign-on with WebSEAL,” on page 21 for more information.

Note: If you have configured single sign-on, you cannot log in to Tivoli Access Manager with the default Tivoli Identity Manager administrator ID, itim manager, because Tivoli Access Manager does not support user IDs that contain spaces. You can assign any Tivoli Access Manager user ID to the default itim manager administrator ID if you have configured the Tivoli Identity Manager properties file, enRoleAuthentication.properties, to enable an internal identity mapping algorithm. See “Tivoli Identity Manager properties files related to single sign-on” on page 22 for more information.

Converting Tivoli Access Manager IDs to Tivoli Identity Manager IDs

If all of the user IDs in the Tivoli Identity Manager and Tivoli Access Manager accounts are the same, conversion of IDs is not necessary. However, if the user IDs are not the same, WebSEAL users will use their Tivoli Access Manager user IDs to log in to WebSEAL and the IDs will not be recognized by Tivoli Identity Manager. As a result, you will need to configure Tivoli Identity Manager so that it will convert the Tivoli Access Manager user ID into a Tivoli Identity Manager user ID.

Note: Do not perform this configuration if the user IDs in your integrated environment are the same. Performance could be adversely affected.

To configure Tivoli Identity Manager so that ID conversion is possible:

1. Open the enRoleAuthentication.properties file with a text editor.

2. Change the value for enrole.authentication.idsEqual to false.

3. Stop and then restart the Tivoli Identity Manager server.

Controlling access to the Sample through a WebSEAL junction

The following example shows how a WebSEAL junction is used to control access to the Sample in a single sign-on environment. Examples of protected and unprotected pages are shown below. A junction is created by the Installer if Single Sign-On Enablement in the Provisioning Fast Start Installer is installed.

Use the pdadmin acl attach command to make the following attachments. Refer to the IBM Tivoli Access Manager for e-business Command Reference for details on using this command.

Attach the following object to the ItimProtected ACL:

/WebSEAL/junction_name/itim_expi/

Attach the following objects to the ItimUnprotected ACL:

/WebSEAL/webseal_server/junction_name/itim_expi/index.html
/WebSEAL/webseal_server/junction_name/itim_expi/ForgotPasswordServlet
/WebSEAL/webseal_server/junction_name/itim_expi/selfregister.jsp
/WebSEAL/webseal_server/junction_name/itim_expi/forgotpwd.jsp
/WebSEAL/webseal_server/junction_name/itim_expi/images
/WebSEAL/webseal_server/junction_name/itim_expi/css
/WebSEAL/webseal_server/junction_name/itim_expi/ssoerror.jsp
/WebSEAL/webseal_server/junction_name/itim_expi/registerServlet
/WebSEAL/webseal_server/junction_name/itim_expi/selfregsub.jsp
/WebSEAL/webseal_server/junction_name/itim_expi/selfchangepwd.jsp
/WebSEAL/webseal_server/junction_name/itim_expi/ChangePasswordServlet
/WebSEAL/webseal_server/junction_name/itim_expi/forgotpwdinfo.jsp
/WebSEAL/webseal_server/images
/WebSEAL/webseal_server/css
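The attachments above decide which ACL governs each page of the Sample, because an object in the WebSEAL protected object space with no ACL of its own inherits the ACL of its nearest ancestor that has one. The following is an added example, not code from the guide or from Tivoli Access Manager, that models those attachments and resolves the effective ACL for a requested object; it assumes the protected root is the same junction object as the unprotected entries, written in the full /WebSEAL/webseal_server/junction_name/itim_expi form, and it normalizes paths by dropping a trailing slash.

```python
"""Added example (not the guide's or the product's own code): model the
pdadmin acl attach list from the guide and resolve which ACL governs a
given object under Tivoli Access Manager's sparse ACL inheritance.

Assumptions: an object without an attached ACL inherits the nearest
attached ancestor's ACL; the protected root is written in full form;
a trailing slash is dropped when comparing object names."""
from typing import Dict, List, Optional

JUNCTION = "/WebSEAL/webseal_server/junction_name/itim_expi"

# Attachments as listed in the guide: the Sample root gets ItimProtected,
# the anonymous entry points (index, self-registration, forgot-password
# flow, expired-password change, static assets) get ItimUnprotected.
ATTACHMENTS: Dict[str, str] = {JUNCTION: "ItimProtected"}
for _obj in (
    "index.html", "ForgotPasswordServlet", "selfregister.jsp", "forgotpwd.jsp",
    "images", "css", "ssoerror.jsp", "registerServlet", "selfregsub.jsp",
    "selfchangepwd.jsp", "ChangePasswordServlet", "forgotpwdinfo.jsp",
):
    ATTACHMENTS[f"{JUNCTION}/{_obj}"] = "ItimUnprotected"
ATTACHMENTS["/WebSEAL/webseal_server/images"] = "ItimUnprotected"
ATTACHMENTS["/WebSEAL/webseal_server/css"] = "ItimUnprotected"

# The objects that are meant to be reachable without authentication.
ALLOWED_ANONYMOUS: List[str] = [k for k, v in ATTACHMENTS.items() if v == "ItimUnprotected"]

# Constructed list of Sample pages to audit (names taken from the guide).
SAMPLE_PAGES: List[str] = [f"{JUNCTION}/{p}" for p in (
    "selfcare.jsp", "applications.jsp", "cranswers.jsp", "main.jsp",
    "changepwd.jsp", "forgotpwd.jsp", "images/logo.gif",
)]


def normalize(path: str) -> str:
    """Drop a trailing slash so '/x/itim_expi/' and '/x/itim_expi' match."""
    path = path.rstrip("/")
    return path if path else "/"


def effective_acl(path: str, attachments: Dict[str, str]) -> Optional[str]:
    """Walk from the object up to the root and return the first attached
    ACL (sparse ACL inheritance); None if no ancestor carries one."""
    obj = normalize(path)
    while True:
        if obj in attachments:
            return attachments[obj]
        if obj == "/":
            return None
        obj = obj.rsplit("/", 1)[0] or "/"   # parent object


def anonymous_reachable(paths: List[str], attachments: Dict[str, str],
                        allowed: List[str]) -> List[str]:
    """Defender's check: objects that resolve to ItimUnprotected but are
    neither in the intended anonymous list nor beneath one of its
    directories (images/, css/)."""
    allowed_norm = {normalize(a) for a in allowed}
    leaks: List[str] = []
    for p in paths:
        n = normalize(p)
        if effective_acl(n, attachments) != "ItimUnprotected":
            continue
        if n in allowed_norm or any(n.startswith(a + "/") for a in allowed_norm):
            continue
        leaks.append(n)
    return leaks


if __name__ == "__main__":
    for page in SAMPLE_PAGES:
        print(f"{page} -> {effective_acl(page, ATTACHMENTS)}")
    # Misconfiguration: ItimUnprotected attached to the Sample root itself.
    bad = dict(ATTACHMENTS)
    bad[JUNCTION] = "ItimUnprotected"
    print("anonymously reachable after misconfiguration:",
          anonymous_reachable(SAMPLE_PAGES, bad, ALLOWED_ANONYMOUS))
```

With the attachments as listed, only the forgot-password page and the static assets resolve to ItimUnprotected; attaching ItimUnprotected to the Sample root instead exposes every authenticated page, which the check reports.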

You can also create your own ACLs using pdadmin acl create and then attachthese objects as appropriate. Refer to the IBM Tivoli  Access  Manager  for e-businessCommand Reference for more information on using this command

Configuring WebSEAL login page

The installation of the Sample installs a login page that can be used with WebSEAL along with all of the necessary supporting files (GIF, CSS, and so on). These files are provided in the itim_expi.ear in the WebSEAL directory.

To use the Sample WebSEAL login page:

1. Replace the WebSEAL login.html file where WebSEAL is installed (for example: /PDWeb/www-default/docs/) with the login.html file in the directory where the Sample is installed (for example: itim_expi.ear/itim_expi.war/WebSEAL/login.html).


2. Edit the login.html file that you copied into the WebSEAL directory and replace all instances of JUNCTION_NAME in that file with the name of the WebSEAL junction you are using with the Sample.

3. Copy the following subdirectories into the directory where WebSEAL is installed:

itim_expi.ear/itim_expi.war/WebSEAL/css
itim_expi.ear/itim_expi.war/WebSEAL/images

For example, in Windows, copy these directories to:

C:\Program Files\Tivoli\PDWeb\www-default\docs\

The contents of these directories are:

css/* (directory containing Style Sheet data)
css/imperative.css (style sheet used by the login.html and servlets)
images/* (directory containing image files--gifs)
images/welcome.gif
images/ibm_banner.gif
images/img_bkg.gif
images/img_clear.gif
images/logo.gif
images/logo_tivoli.gif
images/messages_background.gif
images/message_error.gif
images/message_information.gif
images/message_warning.gif
images/mosaic_banner.gif
images/button_gradient.gif

4. Edit the webseald-default.conf file (in the directory where WebSEAL is installed), as follows:

forms-auth = both
ba-auth = none

For information about these parameters and the configuration file, refer to the IBM Tivoli Access Manager for e-business WebSEAL Administration Guide.
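A check for step 4 above, written as an added example rather than taken from the guide: it reads forms-auth and ba-auth from their stanzas in a webseald.conf and fails unless forms login is enabled and basic-authentication login is switched off. The stanza names [forms] and [ba] and the sample configuration are assumptions.

```shell
#!/bin/sh
# Added example (not from the IBM guide): verify the two webseald.conf settings
# that step 4 requires. Values are read from their stanzas, so a commented-out
# or differently placed "ba-auth" line cannot satisfy the check by accident.
# Stanza names [forms] and [ba] are assumed; the sample file is constructed.

# conf_value <file> <stanza> <key>
# Prints the value of <key> from [<stanza>]; prints nothing if it is absent.
conf_value() {
    awk -v stanza="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }                    # comment line
        /^[ \t]*\[/ {                             # stanza header
            s = $0
            sub(/^[ \t]*\[/, "", s); sub(/[]].*$/, "", s)
            in_stanza = (s == stanza); next
        }
        in_stanza && index($0, "=") {
            k = $0; sub(/[ \t]*=.*$/, "", k); sub(/^[ \t]+/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }
    ' "$1"
}

# check_webseal_auth <file>
# Exit 0 only when forms login is enabled for HTTP and HTTPS and basic
# authentication is switched off, which is what the Sample login page needs.
check_webseal_auth() {
    [ "$(conf_value "$1" forms forms-auth)" = "both" ] &&
    [ "$(conf_value "$1" ba ba-auth)" = "none" ]
}

# write_sample_conf <file> <forms-auth> <ba-auth>
# Writes a constructed, minimal configuration fragment for demonstration.
write_sample_conf() {
    cat > "$1" <<EOF
# constructed sample, not a real WebSEAL configuration
[server]
server-name = webseald-sample

[ba]
# ba-auth = both     (commented out: the check must ignore this line)
ba-auth = $3

[forms]
forms-auth = $2
EOF
}

# Usage: check_webseal_auth /opt/pdweb/etc/webseald-default.conf && echo "ok"
```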

Running the servlets through the junction

To run the Sample through the WebSEAL junction, specify the following URL in your Web browser: http://junction_name/itim_expi/

Customization

There are four ways to customize the Web Application Sample:

1. Customize the banner

2. Customize the cascading style sheets, which control font size, typeface, and colors

3. Customize the Java Server Pages (JSPs)

4. Customize the servlets

Customizing the banner

To customize the banner, edit expi_header.html in the WAR directory and change the images.


Customizing the cascading style sheets

To customize the cascading style sheets, edit css/imperative.css under the WAR directory. Note that you might have to stop and start the application and close your Web browser to see the changes.

Customizing the JSPs

To customize the JSPs, use an editor to change them. The next time you go to that JSP, WebSphere will recompile it with your changes.

You can also replace a JSP with a new file. Copy the file into the WAR directory. Then edit the itim_expi.properties file and replace the existing JSP entry with your new one.

Customizing the servlets

You can use WebSphere Studio Application Developer to update the servlets. If you do not have WebSphere Studio Application Developer, you can still customize the servlets by using the Java compiler that comes with WebSphere Application Server. To use the Java compiler that comes with WebSphere Application Server:

1. Edit the Java file of the servlet you want to change.

2. Set your CLASSPATH. For example, in AIX:

Use a C shell command language interpreter (such as tcsh) to set the following variables:

setenv JAVA_HOME /opt/WebSphere/AppServer/java

setenv ITIM_EAR /opt/WebSphere/AppServer/installedApps/sparrow/enRole.ear

setenv WAS /opt/WebSphere/AppServer

setenv CLASSPATH .:${JAVA_HOME}/lib/tools.jar:${JAVA_HOME}/jre/lib/ext/jaas.jar:${ITIM_EAR}/itim_api.jar:${ITIM_EAR}/api_ejb.jar:${WAS}/lib/j2ee.jar:${WAS}/lib/naming.jar:${WAS}/lib/namingclient.jar

(Keep each setenv command and setting on one line.)

For example, if you are using the tcsh shell program, put the preceding attributes in a file called setcp.tcsh. Then, from the tcsh shell prompt, run:

source setcp.tcsh

3. From the WAR directory, run:

$WAS_HOME/AppServer/java/bin/javac examples/expi/*.java

(where $WAS_HOME is the directory where WebSphere Application Server is installed.)

If you have the Sample application set for "reload enabled" so that classes get automatically reloaded in WebSphere Application Server, then your changed classes will be reloaded as soon as the compile has finished. If you do not have "reload enabled" then you must stop and start the Sample application.


Appendix. Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
500 Columbus Avenue
Thornwood, NY 10594
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.


Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758
USA

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

Trademarks

The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both:

AIX
DB2
DB2 Universal Database
Domino
IBM
Lotus
MQSeries
Notes
OS/390


SecureWay
Tivoli
WebSphere
z/OS

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.

UNIX® is a registered trademark of The Open Group in the United States and other countries.

Other company, product, and service names may be trademarks or service marks of others.


Printed in USA