IBM Tivoli Access Manager Command Reference Version 4.1 GC32-1107-00

IBM Tivoli Access Managerpublib.boulder.ibm.com/tividd/td/ITAMOS/GC32-1107-00/en_US/PDF/… · authorization C API and the Access Manager service plug-in interface to add Tivoli Access


IBM Tivoli Access Manager

Command Reference
Version 4.1

GC32-1107-00




Note: Before using this information and the product it supports, read the information in “Notices” on page 119.

First Edition (October 2002)

This edition applies to version 4.1 of IBM Tivoli Access Manager (product number 5724-C08) and to all subsequent releases and modifications until otherwise indicated in new editions.


Contents

Preface  vii
  Who should read this book  vii
  What this book contains  vii
  Publications  vii
    IBM Tivoli Access Manager  viii
    Related publications  x
    Accessing publications online  xi
    Ordering publications  xii
    Providing feedback about publications  xii
  Accessibility  xii
  Contacting customer support  xii
  Conventions used in this book  xiii
    Typeface conventions  xiii

Chapter 1. pdadmin command line utility  1
  Using the pdadmin utility  1
    Single command mode  1
    Interactive command mode  1
    Multiple command mode  2
  Special characters disallowed for GSO commands  2
  Tivoli Access Manager pdadmin commands  2
    Access Control List (ACL) commands  2
    Action commands  3
    Object commands  3
    Object space commands  4
    Protected object policy (POP) commands  4
    Server commands  4
    User management commands  5
    Group management commands  5
    Resource management commands  5
    Policy management commands  6
  pdadmin acl attach  7
  pdadmin acl create  8
  pdadmin acl delete  9
  pdadmin acl detach  10
  pdadmin acl find  11
  pdadmin acl list  12
  pdadmin acl modify  13
  pdadmin acl show  15
  pdadmin action create  16
  pdadmin action delete  17
  pdadmin action group  18
  pdadmin action list  19
  pdadmin admin show configuration  20
  pdadmin errtext  21
  pdadmin exit / quit  22
  pdadmin group create  23
  pdadmin group delete  24
  pdadmin group import  25
  pdadmin group list  26
  pdadmin group modify  27
  pdadmin group show  28
  pdadmin help  29
  pdadmin login  30
  pdadmin logout  31
  pdadmin object create  32
  pdadmin object delete  33
  pdadmin object list  34
  pdadmin object listandshow  35
  pdadmin object modify  36
  pdadmin object show  37
  pdadmin objectspace create  38
  pdadmin objectspace delete  39
  pdadmin objectspace list  40
  pdadmin policy get  41
  pdadmin policy set  43
  pdadmin pop attach  45
  pdadmin pop create  46
  pdadmin pop delete  47
  pdadmin pop detach  48
  pdadmin pop find  49
  pdadmin pop list  50
  pdadmin pop modify  51
  pdadmin pop show  53
  pdadmin rsrc create  54
  pdadmin rsrc delete  55
  pdadmin rsrc list  56
  pdadmin rsrc show  57
  pdadmin rsrccred create  58
  pdadmin rsrccred delete  59
  pdadmin rsrccred list user  60
  pdadmin rsrccred modify  61
  pdadmin rsrccred show  62
  pdadmin rsrcgroup create  63
  pdadmin rsrcgroup delete  64
  pdadmin rsrcgroup list  65
  pdadmin rsrcgroup modify  66
  pdadmin rsrcgroup show  67
  pdadmin server list  68
  pdadmin server listtasks  69
  pdadmin server replicate  70
  pdadmin server show  71
  pdadmin server task  72
  pdadmin server task (WebSEAL)  73
  pdadmin server task add (WebSEAL)  74
  pdadmin server task stats (WebSEAL)  76
  pdadmin server task trace  78
  pdadmin user create  80
  pdadmin user delete  81
  pdadmin user import  82
  pdadmin user list  83
  pdadmin user modify  84
  pdadmin user show  85

Chapter 2. Tivoli Access Manager utilities  87
  bassslcfg –chgpwd  89
  bassslcfg –config  90
  bassslcfg –getcacert  91
  bassslcfg –modify  92
  bassslcfg –ping  93
  ezinstall  94
  install_pdrte  96
  mgrsslcfg –chgcert  97
  mgrsslcfg –chgpwd  98
  mgrsslcfg –config  99
  mgrsslcfg –modify  100
  pdbackup  101
  pdconfig  104
  pdjrtecfg  105
  pd_start  107
  pdversion  108
  svrsslcfg –add_replica  109
  svrsslcfg –chg_replica  110
  svrsslcfg –chgcert  111
  svrsslcfg –chgport  112
  svrsslcfg –chgpwd  113
  svrsslcfg –config  114
  svrsslcfg –modify  116
  svrsslcfg –rmv_replica  117
  svrsslcfg –unconfig  118

Appendix. Notices  119
  Trademarks  121

Glossary  123

Index  129


Preface

IBM® Tivoli® Access Manager (Tivoli Access Manager) is the base software that is required to run applications in the IBM Tivoli Access Manager product suite. It enables the integration of IBM Tivoli Access Manager applications that provide a wide range of authorization and management solutions. Sold as an integrated solution, these products provide an access control management solution that centralizes network and application security policy for e-business applications.

Note: IBM Tivoli Access Manager is the new name of the previously released software entitled Tivoli SecureWay® Policy Director. Also, for users familiar with the Tivoli SecureWay Policy Director software and documentation, the management server is now referred to as the policy server.

The IBM Tivoli Access Manager Command Reference provides detailed information about the pdadmin command line interface and other command line utilities, which can help you manage servers and resources in your secure domain.

Who should read this book
This reference is for system administrators responsible for the administration of Tivoli Access Manager software.

Readers should be familiar with the following:
• PC and UNIX® operating systems
• Database architecture and concepts
• Security management
• Internet protocols, including HTTP, TCP/IP, File Transfer Protocol (FTP), and Telnet
• Lightweight Directory Access Protocol (LDAP) and directory services
• Authentication and authorization

What this book contains
This reference contains the following sections:
• Chapter 1, “pdadmin command line utility” on page 1
  Provides reference information about pdadmin commands.
• Chapter 2, “Tivoli Access Manager utilities” on page 87
  Lists other Tivoli Access Manager utilities that can help you maintain your environment and troubleshoot problems that can arise during normal operations.

Publications
This section lists publications in the IBM Tivoli Access Manager library and any other related documents. It also describes how to access Tivoli publications online, how to order Tivoli publications, and how to make comments on Tivoli publications.


IBM Tivoli Access Manager
The Tivoli Access Manager library is organized into the following categories:
• “Release information”
• “Base information”
• “WebSEAL information”
• “Web security information”
• “Developer references” on page ix
• “Technical supplements” on page ix

Publications in the product library are provided in Portable Document Format (PDF) and HTML format on the Tivoli Information Center Web site:

http://www.tivoli.com/support/documents/

Release information
• IBM Tivoli Access Manager Read Me First Card
  GI11-4198-00 (am41_readme.pdf)
  Provides information for installing and getting started using Tivoli Access Manager.
• IBM Tivoli Access Manager Release Notes
  SC32-1130-00 (am41_relnotes.pdf)
  Provides late-breaking information, such as software limitations, workarounds, and documentation updates.

Base information
• IBM Tivoli Access Manager Base Installation Guide
  SC32-1131-00 (am41_install.pdf)
  Explains how to install, configure, and upgrade Tivoli Access Manager software, including the Web Portal Manager interface.
• IBM Tivoli Access Manager Base Administrator’s Guide
  SC32-1132-00 (am41_admin.pdf)
  Describes the concepts and procedures for using Tivoli Access Manager services. Provides instructions for performing tasks from the Web Portal Manager interface and by using the pdadmin command.

WebSEAL information
• IBM Tivoli Access Manager WebSEAL Installation Guide
  SC32-1133-00 (amweb41_install.pdf)
  Provides installation, configuration, and removal instructions for the WebSEAL server and the WebSEAL application development kit.
• IBM Tivoli Access Manager WebSEAL Administrator’s Guide
  SC32-1134-00 (amweb41_admin.pdf)
  Provides background material, administrative procedures, and technical reference information for using WebSEAL to manage the resources of your secure Web domain.

Web security information
• IBM Tivoli Access Manager for WebSphere Application Server User’s Guide
  SC32-1136-00 (amwas41_user.pdf)
  Provides installation, removal, and administration instructions for Tivoli Access Manager for IBM WebSphere® Application Server.


• IBM Tivoli Access Manager for WebLogic Server User’s Guide
  SC32-1137-00 (amwls41_user.pdf)
  Provides installation, removal, and administration instructions for Tivoli Access Manager for BEA WebLogic Server.
• IBM Tivoli Access Manager Plug-in for Edge Server User’s Guide
  SC32-1138-00 (amedge41_user.pdf)
  Describes how to install, configure, and administer the plug-in for IBM WebSphere Edge Server application.
• IBM Tivoli Access Manager Plug-in for Web Servers User’s Guide
  SC32-1139-00 (amws41_user.pdf)
  Provides installation instructions, administration procedures, and technical reference information for securing your Web domain using the plug-in for Web servers.

Developer references
• IBM Tivoli Access Manager Authorization C API Developer’s Reference
  SC32-1140-00 (am41_authC_devref.pdf)
  Provides reference material that describes how to use the Tivoli Access Manager authorization C API and the Access Manager service plug-in interface to add Tivoli Access Manager security to applications.
• IBM Tivoli Access Manager Authorization Java Classes Developer’s Reference
  SC32-1141-00 (am41_authJ_devref.pdf)
  Provides reference information for using the Java™ language implementation of the authorization API to enable an application to use Tivoli Access Manager security.
• IBM Tivoli Access Manager Administration C API Developer’s Reference
  SC32-1142-00 (am41_adminC_devref.pdf)
  Provides reference information about using the administration API to enable an application to perform Tivoli Access Manager administration tasks. This document describes the C implementation of the administration API.
• IBM Tivoli Access Manager Administration Java Classes Developer’s Reference
  SC32-1143-00 (am41_adminJ_devref.pdf)
  Provides reference information for using the Java language implementation of the administration API to enable an application to perform Tivoli Access Manager administration tasks.
• IBM Tivoli Access Manager WebSEAL Developer’s Reference
  SC32-1135-00 (amweb41_devref.pdf)
  Provides administration and programming information for the Cross-domain Authentication Service (CDAS), the Cross-domain Mapping Framework (CDMF), and the Password Strength Module.

Technical supplements
• IBM Tivoli Access Manager Command Reference
  GC32-1107-00 (am41_cmdref.pdf)
  Provides information about the command line utilities and scripts provided with Tivoli Access Manager.
• IBM Tivoli Access Manager Error Message Reference
  SC32-1144-00 (am41_error_ref.pdf)
  Provides explanations and recommended actions for the messages produced by Tivoli Access Manager.


• IBM Tivoli Access Manager Problem Determination Guide
  GC32-1106-00 (am41_pdg.pdf)
  Provides problem determination information for Tivoli Access Manager.
• IBM Tivoli Access Manager Performance Tuning Guide
  SC32-1145-00 (am41_perftune.pdf)
  Provides performance tuning information for an environment consisting of Tivoli Access Manager with the IBM Directory server defined as the user registry.

The Tivoli Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Glossary is available, in English only, at:

http://www.tivoli.com/support/documents/glossary/termsm03.htm

For additional sources of information about Tivoli Access Manager and related topics, see:

http://www.ibm.com/redbooks
http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html

Related publications
This section lists publications related to the Tivoli Access Manager library.

IBM Global Security Toolkit
Tivoli Access Manager provides data encryption through the use of the IBM Global Security Toolkit (GSKit). GSKit is included on the IBM Tivoli Access Manager Base CD for your particular platform.

The GSKit package installs the iKeyman key management utility, gsk5ikm, which enables you to create key databases, public-private key pairs, and certificate requests. The following document is available on the Tivoli Information Center Web site in the same section as the IBM Tivoli Access Manager product documentation:
• Secure Sockets Layer Introduction and iKeyman User’s Guide
  (gskikm5c.pdf)
  Provides information for network or system security administrators who plan to enable SSL communication in their Tivoli Access Manager secure domain.

IBM DB2 Universal Database
IBM DB2® Universal Database™ is required when installing IBM Directory Server, z/OS™, and OS/390® LDAP servers. DB2 is provided on the product CDs for the following operating system platforms:
• IBM AIX®
• Microsoft™ Windows™
• Sun Solaris Operating Environment

DB2 information is available at:

http://www.ibm.com/software/data/db2/

IBM Directory Server
IBM Directory Server, Version 4.1, is included on the IBM Tivoli Access Manager Base CD for all platforms except Linux for zSeries™. You can obtain the IBM Directory Server software for Linux for S/390 at:


http://www.ibm.com/software/network/directory/server/download/

If you plan to use IBM Directory Server as your user registry, see the information provided at:

http://www.ibm.com/software/network/directory/library/

IBM WebSphere Application Server
IBM WebSphere Application Server, Advanced Single Server Edition 4.0.3, is included on the Web Portal Manager CDs and installed with the Web Portal Manager interface. For information about IBM WebSphere Application Server, see:

http://www.ibm.com/software/webservers/appserv/infocenter.html

IBM Tivoli Access Manager for Business Integration
IBM Tivoli Access Manager for Business Integration, available as a separately orderable product, provides a security solution for IBM MQSeries®, Version 5.2, and IBM WebSphere® MQ for Version 5.3 messages. IBM Tivoli Access Manager for Business Integration allows WebSphere MQSeries applications to send data with privacy and integrity by using keys associated with sending and receiving applications. Like WebSEAL and IBM Tivoli Access Manager for Operating Systems, IBM Tivoli Access Manager for Business Integration is one of the resource managers that use the authorization services of IBM Tivoli Access Manager for e-business.

The following documents associated with IBM Tivoli Access Manager for Business Integration Version 4.1 are available on the Tivoli Information Center Web site:
• IBM Tivoli Access Manager for Business Integration Administrator’s Guide (SC23-4831-00)
• IBM Tivoli Access Manager for Business Integration Release Notes (GI11-0957-00)
• IBM Tivoli Access Manager for Business Integration Read Me First (GI11-0958-00)

IBM Tivoli Access Manager for Operating Systems
IBM Tivoli Access Manager for Operating Systems, available as a separately orderable product, provides a layer of authorization policy enforcement on UNIX systems in addition to that provided by the native operating system. IBM Tivoli Access Manager for Operating Systems, like WebSEAL and IBM Tivoli Access Manager for Business Integration, is one of the resource managers that use the authorization services of IBM Tivoli Access Manager for e-business.

The following documents associated with IBM Tivoli Access Manager for Operating Systems Version 4.1 are available on the Tivoli Information Center Web site:
• IBM Tivoli Access Manager for Operating Systems Installation Guide (SC23-4829-00)
• IBM Tivoli Access Manager for Operating Systems Administration Guide (SC23-4827-00)
• IBM Tivoli Access Manager for Operating Systems Problem Determination Guide (SC23-4828-00)
• IBM Tivoli Access Manager for Operating Systems Release Notes (GI11-0951-00)
• IBM Tivoli Access Manager for Operating Systems Read Me First (GI11-0949-00)

Accessing publications online
When IBM publishes an updated version of one or more online or hardcopy publications, they are posted to the Tivoli Information Center. The Tivoli Information Center contains the most recent version of the publications in the product library in PDF or HTML format, or both. Translated documents are also available for some products.

You can access updated publications in the Tivoli Information Center and other sources of technical information from the following Customer Support Web site:

http://www.tivoli.com/support/documents/

Information is organized by product, including release notes, installation guides, user’s guides, administrator’s guides, and developer’s references.

Note: If you print PDF documents on other than letter-sized paper, select the Fit to page check box in the Adobe Acrobat Print dialog (which is available when you click File → Print) to ensure that the full dimensions of a letter-sized page are printed on the paper that you are using.

Ordering publications
You can order many Tivoli publications online at:

http://www.elink.ibmlink.ibm.com/public/applications/publications/cgibin/pbi.cgi

You can also order by telephone by calling one of these numbers:
• In the United States: 800-879-2755
• In Canada: 800-426-4968
• In other countries, for a list of telephone numbers, see:

http://www.tivoli.com/inside/store/lit_order.html

Providing feedback about publications
If you have comments or suggestions about Tivoli products and documentation, complete the customer feedback survey at:

http://www.tivoli.com/support/survey/

Accessibility
Accessibility features help a user who has a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You also can use the keyboard instead of the mouse to operate all features of the graphical user interface.

Contacting customer support
If you have a problem with any Tivoli product, you can contact IBM Customer Support for Tivoli products. See the Tivoli Customer Support Handbook at the following Web site:

http://www.tivoli.com/support/handbook/

The handbook provides information about how to contact Customer Support, depending on the severity of your problem, and the following information:
• Registration and eligibility
• Telephone numbers and e-mail addresses, depending on the country in which you are located
• What information you should gather before contacting Customer Support

Conventions used in this book
This guide uses several conventions for special terms and actions, operating system-dependent commands and paths, and margin graphics.

Typeface conventions
The following typeface conventions are used in this book:

Bold  Command names and options, keywords, and other information that you must use literally appear in bold.

Italic  Variables, command options, and values you must provide appear in italics. Titles of publications and special words or phrases that are emphasized also appear in italics.

Monospace  Code examples, command lines, screen output, file and directory names, and system messages appear in monospace font.

Command syntax conventions
The commands in this book use the following special characters to define command syntax.

[ ]  Identifies elements that are optional. Those not enclosed in brackets are required.

...  Indicates that you can specify multiple values for the previous argument. Separate multiple values by one or more spaces, unless otherwise indicated in the command description.

  If the ellipsis for an element follows a closing bracket, use the syntax within the brackets to specify multiple values. For example, to specify two administrators for the option [–a admin]..., use –a admin1 –a admin2.

  If the ellipsis for an element is within the brackets, use the syntax of the last element to specify multiple values. For example, to specify two hosts for the option [–h host...], use –h host1 host2.

|  Indicates mutually exclusive information. You can use the element on either the left or the right of the vertical bar.

{ }  Delimits a set of mutually exclusive elements when one of them is required. If the elements are optional, they are enclosed in brackets ([ ]).


Chapter 1. pdadmin command line utility

The pdadmin command line utility is installed as part of the Tivoli Access Manager runtime package. Use this interface to manage access control lists, groups, servers, users, objects, and other resources in your secure domain. You can also automate certain management functions by writing scripts that use pdadmin commands.

Note that the Web Portal Manager interface, discussed in the IBM Tivoli Access Manager Base Administrator’s Guide, enables you to perform similar administrative tasks remotely, without requiring any special network configuration.

Using the pdadmin utility
You can use the pdadmin command line interface in one of the following three modes:
• Single command mode
• Interactive command mode
• Multiple command mode

These modes are described in the following sections.

Single command mode
To run a single pdadmin command from a command prompt, enter the following:

pdadmin [–a admin_user] [–p password] command

Notes:

• If you specify the admin_user (–a) and password (–p), you are logged in as that user. Using this method may expose your password to others. For example, if one user runs pdadmin with this command and another user lists the processes that are running, the full command, including the password, may be visible to that user. The same command line is typically also recorded in the shell history file.

• If you do not specify the admin_user (–a), you are logged in as an unauthenticated user.

• If you specify the admin_user (–a) but do not specify a password (–p), you are prompted for a password.

The command option allows you to run one-time commands. For example, user chris is created if you type the following command, all on one line:

pdadmin –a sec_master –p password user create chris cn=chris,ou=austin,o=ibm,c=us chris chris chris1234

Interactive command mode
To start pdadmin in interactive mode, enter the pdadmin command followed by the login command as follows:

pdadmin
login –a admin_user –p password
pdadmin>

At the pdadmin prompt, enter appropriate commands and their associated options.


Multiple command mode
You can create a file that contains multiple pdadmin commands, one per line, that together perform a complete task or series of tasks. To run the commands in this file, enter the following:
pdadmin [–a admin_user] [–p password] filename

where admin_user specifies the Tivoli Access Manager administrator ID, password specifies the administrator’s password, and filename specifies the complete path and name of the file containing pdadmin commands.

Notes:

• If you specify the admin_user (–a) and password (–p), you are logged in as that user.

• If you do not specify the admin_user (–a), you are logged in as an unauthenticated user.

• If you specify the admin_user (–a), but do not specify a password (–p), you are prompted for a password.

Special characters disallowed for GSO commands
You cannot use the following characters to create a global sign-on (GSO) user name, GSO resource name, or GSO resource group name:
!"#&()*+,;:<>=@\|

Although it is possible to use most of these characters for other LDAP-related data (such as the CN, DN, and SN of a user), these characters have special meaning in LDAP DN syntax and filters.

Before using any of these characters in user and group names, consult the documentation for your user registry to determine the effect of special characters.

Tivoli Access Manager pdadmin commands
This section lists Tivoli Access Manager pdadmin commands by category and by command name. For information on how to read the command syntax diagrams, see “Command syntax conventions” on page xiii.
• “Access Control List (ACL) commands” on page 2
• “Action commands” on page 3
• “Object commands” on page 3
• “Object space commands” on page 4
• “Protected object policy (POP) commands” on page 4
• “Server commands” on page 4
• “User management commands” on page 5
• “Group management commands” on page 5
• “Resource management commands” on page 5
• “Policy management commands” on page 6

Access Control List (ACL) commands
Table 1 on page 3 lists pdadmin acl commands, which enable you to manage ACL policies and extended attributes.


Table 1. Access Control List (ACL) commands

Command       Description

acl attach    Attaches an ACL policy to a protected object. If the protected object already has an ACL attached, the ACL is replaced with a new one.

acl create    Creates an ACL policy in the ACL database. This command does not create ACL entries.

acl delete    Deletes an ACL policy from the ACL database.

acl detach    Detaches the current ACL policy from a protected object. This command does not delete the ACL policy from the ACL database.

acl find      Finds and lists all protected objects that have a specific ACL policy attached.

acl list      Lists the names of all defined ACLs. Also lists the extended attribute keys associated with a specific ACL.

acl modify    Modifies ACLs, their extended attributes and associated values.

acl show      Lists the complete set of entries for a specific ACL policy. Also lists the values of a specific extended attribute associated with an ACL policy.

Action commands
Table 2 lists pdadmin action commands, which are used to define additional authorization actions (ACL permissions) and action groups.

Table 2. Action commands

Command          Description

action create    Defines an action (permission) code in an action group. Also adds an action code to a specific extended action group.

action delete    Deletes an action code from an action group. Also defines a specific action group from which to delete an action.

action group     Creates, deletes, and lists ACL action groups.

action list      Lists all defined action codes for an action group.

Object commands
Table 3 lists pdadmin object commands, which enable you to protect objects by attaching ACLs or protected object policies (POPs).

Table 3. Object commands

Command              Description

object create        Creates a protected object under which protected objects can be placed.

object delete        Deletes a protected object.

object list          Lists any objects grouped under the specified protected object. Also lists all the extended attributes associated with the specified protected object.

object listandshow   Lists any child objects grouped under the specified protected object and displays all values associated with each of those objects.

object modify        Modifies an existing object.

object show          Shows all values associated with a protected object.


Object space commands
Table 4 lists pdadmin objectspace commands, which allow the creation of additional object spaces containing protected objects used by third-party applications.

Table 4. Objectspace commands

Command              Description

objectspace create   Creates a protected object space under which protected objects can be placed.

objectspace delete   Deletes an existing protected object space and all associated protected objects.

objectspace list     Lists any objects grouped under the specified protected object.

Protected object policy (POP) commands
Table 5 lists pdadmin pop commands, which allow the creation of protected object policies and extended attributes for protected object policies.

Table 5. Protected object policy (POP) commands

Command      Description

pop attach   Attaches a protected object policy (POP) to a specified protected object.

pop create   Creates a protected object policy.

pop delete   Deletes the specified protected object policy.

pop detach   Detaches a protected object policy from the specified protected object.

pop find     Finds and lists all protected objects that have protected object policies attached.

pop list     Lists all protected object policies that have been created.

pop modify   Modifies the protected object policy.

pop show     Shows details of the protected object policy.

Server commands
Table 6 lists pdadmin server commands and the pdadmin admin show configuration command, which perform management tasks on Tivoli Access Manager servers.

Table 6. Server commands

Command                    Description

admin show configuration   Displays current server configuration information.

server list                Lists all registered servers.

server listtasks           Retrieves the list of tasks (commands) available for this server.

server replicate           Notifies authorization servers to receive database updates.

server show                Displays the specified server’s properties.

server task                Sends the specified command to the specified server. WebSEAL-specific options are also included.


User management commands
Table 7 lists pdadmin user commands, which control user entries in all registries.

Table 7. User management commands

Command       Description

user create   Creates a Tivoli Access Manager user account in the user registry.

user delete   Deletes the user and optionally deletes the user from the user registry.

user import   Creates a user by importing an existing user from the user registry.

user list     Generates a list of all configured user accounts, listed by user names, for the pattern you specify.

user modify   Modifies various user account parameters.

user show     Displays the properties of the specified user.

Group management commands
A group is a set of Tivoli Access Manager user accounts that have similar attributes. Groups allow you to use a group name in an access control list (ACL) instead of listing all users individually. When an LDAP-based user registry is used, group names are not case sensitive.

Table 8 lists pdadmin group commands, which control group entries in the user registry.

Table 8. Group management commands

Command        Description

group create   Creates a Tivoli Access Manager group in the user registry.

group delete   Deletes an existing group and any entries associated with the group.

group import   Imports the information about an existing registry group to create a Tivoli Access Manager group.

group list     Generates a list of all configured groups whose names match the specified pattern, listed by group names.

group modify   Modifies an existing group by adding a description, or adding or removing a list of users.

group show     Displays details about a specified group.

Resource management commands
Table 9 lists pdadmin commands which control resource-related information.

Table 9. Resource management commands

Command            Description

rsrc create        Creates and names a Web server as a resource.

rsrc delete        Deletes the specified single signon Web resource.

rsrc list          Returns a list of all the single signon Web resource names.

rsrc show          Displays the Web resource information for the named resource.

rsrcgroup create   Creates and names a Web resource group.

rsrcgroup delete   Deletes the named resource group, including any description information.


rsrcgroup modify   Adds or removes a single signon resource to or from a single signon resource group.

rsrcgroup list     Displays the names of all Web resource groups defined in the user registry.

rsrcgroup show     Displays the Web resource group information for the specified resource group.

rsrccred create    Creates and names a resource credential.

rsrccred modify    Changes the user ID and password resource credential information for the named resource.

rsrccred delete    Deletes only the resource credential information for an existing user.

rsrccred list user Displays the names of all defined resources and their type for the specified user.

rsrccred show      Displays the resource credential information for a specified user.

Policy management commands
Table 10 lists pdadmin policy commands, which are a set of management commands that set user and group account rules and conditions in the user registry.

Table 10. Policy management commands

Command      Description

policy get   Displays user password and account rules and conditions.

policy set   Sets user password and account rules and conditions.


pdadmin acl attach
Attaches an ACL policy to a protected object. If the protected object already has an ACL attached, the ACL is replaced with a new one.

Syntax
pdadmin acl attach object_name acl_name

Options
object_name   Specifies the object to which to apply the named ACL policy.

acl_name      Specifies the ACL policy that is applied to the named object.

Description
At most, one ACL can be attached to a given protected object. The same ACL can be attached to multiple protected objects. Ensure that you are familiar with ACL management before using this function.

See Also
pdadmin acl create, pdadmin acl detach


pdadmin acl create
Creates an ACL policy in the ACL database. Note that this command does not create ACL entries.

Syntax
pdadmin acl create acl_name

Options
acl_name   Specifies the name of the ACL policy being created.

See Also
pdadmin acl attach, pdadmin acl delete


pdadmin acl delete
Deletes an ACL policy from the ACL database.

Syntax
pdadmin acl delete acl_name

Options
acl_name   Specifies the name of the ACL policy being deleted from the ACL database.

See Also
pdadmin acl detach


pdadmin acl detach
Detaches the current ACL policy from a protected object. Note that this command does not delete the ACL policy from the ACL database.

Syntax
pdadmin acl detach object_name

Options
object_name   Specifies the object from which the current ACL policy is being removed.

Description
Only one access control list at a time can be attached to an object. Therefore, the currently attached access control list is detached.

See Also
pdadmin acl attach, pdadmin acl delete


pdadmin acl find
Returns a list of protected objects that have the specified access control list attached.

Syntax
pdadmin acl find acl_name

Options
acl_name   Specifies the name of the ACL policy that you want to find.

Examples
1. The following example lists the default protected object:
pdadmin> acl find default-config
/Management/Config

2. The following example returns a list of protected objects that have the specified ACL attached:
pdadmin> acl find _WebAppServer_deployedResources_CosNamingDelete_admin_ACL
/WebAppServer/deployedResources/CosNamingDelete/admin

See Also
pdadmin acl list, pdadmin acl show


pdadmin acl list
Lists the names of all defined access control lists. Also lists the extended attribute keys associated with a specific ACL.

Syntax
pdadmin acl list [acl_name attribute]

Options
acl_name   Specifies the ACL policy for which to list the attributes.

Example
The following example lists ACL policies:
pdadmin> acl list

default-webseal
default-root
test
default-replica
default-management

See Also
pdadmin acl find, pdadmin acl show


pdadmin acl modify
Modifies access control list (ACL) policies.

Syntax
acl modify acl_name delete attribute attribute_name [attribute_value]

acl modify acl_name description description

acl modify acl_name remove any-other

acl modify acl_name remove group group_name

acl modify acl_name remove unauthenticated

acl modify acl_name remove user user_name

acl modify acl_name set any-other [permissions]

acl modify acl_name set attribute attribute_name [attribute_value]

acl modify acl_name set description description

acl modify acl_name set group group_name [permissions]

acl modify acl_name set unauthenticated [permissions]

acl modify acl_name set user user_name [permissions]

Options
acl_name
Specifies the ACL policy to be modified.

delete attribute attribute_name [attribute_value]
Deletes the specified extended attribute key from the specified access control list. The optional attribute_value deletes the specified value from the specified extended attribute key in the specified access control list.

description description
Sets or modifies the description for the specified access control list. This option is equivalent to the acl modify set description command.

remove any-other
Removes the access control list entry for the user any-other from the specified access control list.

remove group group_name
Removes the access control list entry for the specified group from the specified access control list.

remove unauthenticated
Removes the access control list entry for the user unauthenticated from the specified access control list.

remove user user_name
Removes the access control list entry for the specified user from the specified access control list.


set any-other [permissions]
Sets or modifies the access control list entry for the user any-other in the access control list.

set attribute attribute_name [attribute_value]
Sets the extended attribute value for the specified extended attribute key in the specified access control list. If the attribute already exists, the attribute value is added as an additional value if the same value does not exist for this attribute. If the same value exists for this attribute, it does not get added again (duplicate values are not allowed), and no error is returned.

set description description
Sets or modifies the description for the specified access control list.

set group group_name [permissions]
Sets or modifies the access control list (ACL) entry for the specified group in the specified access control list. The user registry must contain an entry for the specified group before you can call this function to add an entry for the group to an ACL.

set unauthenticated [permissions]
Sets or modifies the access control list entry for the user unauthenticated in the specified access control list.

set user user_name [permissions]
Sets the permissions that the user is permitted to perform. The user registry must contain an entry for the specified user before you can use this function to add an entry for the user to an access control list (ACL).

Examples
1. The following example sets the any-other ACL entry in the indicated ACL policy definition and sets permissions:
pdadmin> acl modify pubs set any-other r

2. The following example sets a group ACL entry in the indicated ACL policy definition and sets permissions:
pdadmin> acl modify pubs set group sales Tr

3. The following example sets the unauthenticated ACL entry in the indicated ACL policy definition and sets permissions:
pdadmin> acl modify docs set unauthenticated r

4. The following example sets a user ACL entry in the indicated ACL policy definition and sets permissions:
pdadmin> acl modify pubs set user peter Tr

5. The following example adds an ACL entry for user kathy containing actions from the action groups primary and test-group, then displays the ACL:
pdadmin> acl modify test set user kathy brT[test-group]PS
pdadmin> acl show test

ACL Name: test
Description:
Entries:
User sec_master Tcmdbva
Group ivmgrd-servers Tl
Any-other r
User kathy Tbr[test-group]PS

See Also
pdadmin acl attach, pdadmin acl create


pdadmin acl show
Lists the complete set of entries for a specific ACL policy. Also lists the values of a specific extended attribute associated with an ACL policy.

Syntax
pdadmin acl show acl_name [attribute attribute_name]

Options
acl_name                   Specifies the access control list for which the extended attribute values are displayed.

attribute attribute_name   Specifies the name of the extended attribute whose values you want displayed.

Example
The following example shows details of ACL test:
pdadmin> acl show test

ACL Name: test
Description:
Entries:
User sec_master Tcmdbva
Group ivmgrd-servers Tl
Any-other r

See Also
pdadmin acl find, pdadmin acl list
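Added example, not from the IBM reference: a Python parser for the entry format that acl show prints (including the primary-group codes followed by [action_group]codes blocks used in acl modify example 5), an audit that flags any-other and unauthenticated entries granting more than traverse and read, and a generator of the equivalent acl modify lines for a file run in multiple command mode. The sample output below is constructed; the Unauthenticated entry is not from the page.

```python
"""Parse `pdadmin acl show` output, audit it, and re-emit it as acl modify lines.

Added example, not part of the IBM reference. The sample output is constructed
from the entry formats shown on this page.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample in the layout that `pdadmin> acl show test` prints above;
# the Unauthenticated entry is added here to exercise the audit.
SAMPLE_ACL_SHOW = """\
ACL Name: test
Description: constructed sample
Entries:
User sec_master Tcmdbva
Group ivmgrd-servers Tl
Any-other r
Unauthenticated Tr
User kathy Tbr[test-group]PS
"""

# One "[action_group]codes" block following the primary-group codes.
_GROUP_RE = re.compile(r"\[([^\]]+)\]([A-Za-z]*)")


@dataclass
class AclEntry:
    kind: str                   # "User", "Group", "Any-other" or "Unauthenticated"
    name: Optional[str]         # user or group name; None for the two pseudo-entries
    perm_string: str            # permissions exactly as pdadmin prints them
    perms: Dict[str, Set[str]]  # action group -> set of single-character codes


def parse_permissions(perm_string: str) -> Dict[str, Set[str]]:
    """Split 'Tbr[test-group]PS' into {'primary': {'T','b','r'}, 'test-group': {'P','S'}}."""
    head, bracket, rest = perm_string.partition("[")
    perms = {"primary": set(head)}
    if bracket:
        for group, codes in _GROUP_RE.findall(bracket + rest):
            perms[group] = set(codes)
    return perms


def _parse_entry(line: str) -> AclEntry:
    parts = line.split()
    if parts[0] in ("User", "Group") and len(parts) == 3:
        return AclEntry(parts[0], parts[1], parts[2], parse_permissions(parts[2]))
    if parts[0] in ("Any-other", "Unauthenticated") and len(parts) == 2:
        return AclEntry(parts[0], None, parts[1], parse_permissions(parts[1]))
    raise ValueError(f"unrecognized ACL entry: {line!r}")


def parse_acl_show(output: str) -> dict:
    """Return {'name': ..., 'description': ..., 'entries': [AclEntry, ...]}."""
    acl = {"name": None, "description": "", "entries": []}
    in_entries = False
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("ACL Name:"):
            acl["name"] = line.split(":", 1)[1].strip()
        elif line.startswith("Description:"):
            acl["description"] = line.split(":", 1)[1].strip()
        elif line == "Entries:":
            in_entries = True
        elif in_entries:
            acl["entries"].append(_parse_entry(line))
    return acl


def overbroad_entries(acl: dict, allowed: Iterable[str] = "Tr") -> List[str]:
    """Kinds of any-other / unauthenticated entries that grant more than `allowed`
    in the primary group, or any code at all in an extended action group."""
    findings = []
    for entry in acl["entries"]:
        if entry.kind not in ("Any-other", "Unauthenticated"):
            continue
        extra = entry.perms["primary"] - set(allowed)
        extended = any(codes for group, codes in entry.perms.items() if group != "primary")
        if extra or extended:
            findings.append(entry.kind)
    return findings


def to_pdadmin_commands(acl: dict) -> List[str]:
    """Render the ACL as one `acl create` line plus `acl modify ... set ...` lines,
    one command per line, as a multiple-command-mode file expects."""
    name = acl["name"]
    lines = [f"acl create {name}"]
    if acl["description"]:
        lines.append(f'acl modify {name} set description "{acl["description"]}"')
    for entry in acl["entries"]:
        target = entry.kind.lower() if entry.name is None else f"{entry.kind.lower()} {entry.name}"
        lines.append(f"acl modify {name} set {target} {entry.perm_string}")
    return lines


if __name__ == "__main__":
    parsed = parse_acl_show(SAMPLE_ACL_SHOW)
    print("\n".join(to_pdadmin_commands(parsed)))
    print("over-broad entries:", overbroad_entries(parsed))
```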


pdadmin action create
Defines an action (permission) code in an action group. Also adds an action code to a specific extended action group.

Syntax
pdadmin action create action_name action_label action_type [action_group_name]

Options
action_name         Specifies the new single-character permission being created.

action_label        Specifies the label or description for the action.

action_type         Specifies the organizational category for this action within a given action group.

action_group_name   Defines a new action (permission) code in the specified action group. Call this function to add an action code to a user-defined extended action group.

Description
Action codes consist of one alphabetic character (a–z or A–Z) and are case-sensitive. Each action code can be used only once within an action group. Ensure that you do not attempt to redefine the default action codes when adding new codes to the primary group.

Example
The following example creates a new permission character for the specified action_label and action_type:
pdadmin> action create k time Ext-Authzn

See Also
pdadmin action delete


pdadmin action delete
Deletes an action (permission) code from an action group. Also defines a specific action group from which to delete an action.

Syntax
pdadmin action delete action_name [action_group_name]

Options
action_name         Specifies the name of the action to be deleted.

action_group_name   Specifies the name of the action group from which the specified action needs to be deleted.

Examples
1. The following example deletes action k from the primary action group:
pdadmin> action delete k

2. The following example deletes the action z from the action group agz:
pdadmin> action delete z agz

See Also
pdadmin action create


pdadmin action group
Creates, deletes, and lists ACL action groups.

Syntax
pdadmin action group {create action_group_name | delete action_group_name | list}

Options
create action_group_name
Specifies the name of the action group to create. Supports a maximum of 32 action groups.

delete action_group_name
Specifies the name of the action group to delete. All of the actions that belong to the specified group are also deleted.

list
Lists all the defined action group names.

Examples
1. The following example lists the names of all defined action groups:
pdadmin> action group list

primary
test group

2. The following example creates an action group test:
pdadmin> action group create test


pdadmin action list
Lists all the defined action (permission) codes from an action group. Also defines a specific action group for which to list an action.

Syntax
pdadmin action list [action_group_name]

Options
action_group_name
Specifies the name of the action group for which all actions are displayed. If this option is not specified, actions defined in the primary action group are listed.

Example
The following example displays all existing actions in the primary action group:
pdadmin> action list

r read WebSEAL
...


pdadmin admin show configuration
Displays the current server configuration information, such as the type of registry or whether global signon is enabled.

Syntax
pdadmin admin show configuration

Options
None.

Example
The following example displays the current server configuration information:
pdadmin> admin show configuration


pdadmin errtext
Displays the error message of a given error number. For detailed information on messages, see the IBM Tivoli Access Manager Error Message Reference.

Syntax
errtext error_number

Options
error_number   Specifies the number, in either decimal or hexadecimal, of the error for which to generate the error text.

Examples
The following examples display the error message associated with a given number:
pdadmin errtext 0x132120c8

Login failed. You have used an invalid user name, password or client certificate.

pdadmin errtext 268809121

An attribute list already exists for this credential


pdadmin exit / quit

Exits from the pdadmin utility interactive command line mode.

Syntax
pdadmin {exit | quit}

Options
None.

See Also
pdadmin login, pdadmin logout


pdadmin group create
Creates a group.

Syntax
group create group_name dn cn [group_container]

Options
group_name        Specifies the name of the group being created. This name must be unique.

dn                Specifies the registry identifier assigned to the group being created.

cn                Specifies the common name assigned to the group being created.

group_container   Specifies the group container object assigned to the group being created. If this option is not specified, the group by default is placed in the object space under /Management/Groups.

Example
The following example creates a group in the user registry:
pdadmin> group create credit "cn=credit,ou=Austin,o=Tivoli,c=US" Credit

See Also
pdadmin group delete, pdadmin group import


pdadmin group delete
Deletes the specified group. Deletes all information about the group and optionally deletes the user registry contents.

Syntax
pdadmin group delete [–registry] group_name

Options
–registry    Deletes the entire group object from the user registry.

group_name   Specifies the name of the group to be deleted.

Example
The following example deletes the existing engineering group:
pdadmin> group delete engineering

See Also
pdadmin group create


pdadmin group import
Creates a group by importing a group that already exists in the user registry.

Syntax
group import group_name dn [group_container]

Options
group_name        Specifies the Tivoli Access Manager name of the group to create.

dn                Specifies the registry identifier of the group to import.

group_container   Specifies the group container object assigned to the group being created. By default, the group is placed in the object space under /Management/Groups.

Examples
1. The following example deletes the existing engineering group:
pdadmin> group delete engineering

2. The following example creates a group by importing a group that already exists in the user registry:
pdadmin> group import engineering "cn=engineering,ou=Austin,o=Tivoli,c=US"

See Also
pdadmin group create


pdadmin group list
Lists groups, by group name. The order returned is the order created.

Syntax
pdadmin group {list | list-dn} pattern max_return

Options
list pattern max_return
Specifies the pattern of the group name to search for. The pattern can include a mixture of wildcards and string constants, and is case insensitive (for example, *austin*).

The max_return option specifies the limit of how many entries should be returned for a single request; for example, 2. Note that the number returned is also governed by the server configuration, which specifies the maximum number of results that can be returned as part of a search operation. The actual maximum number of returned entries is the minimum of max_return and the configured value on the server.

list-dn pattern max_return
Lists user registry identifiers whose user registry common name attribute matches the pattern specified. The returned list contains groups that are defined in the user registry but are not necessarily Tivoli Access Manager groups. Groups that are not Tivoli Access Manager groups may be imported into Tivoli Access Manager by use of the group import command.

Examples
1. The following example lists groups matching the specified pattern:
pdadmin> group list *a* 3

Output is similar to the following:
sales
marketing
Alex

2. The following example lists group information matching the specified common name attribute pattern:
pdadmin> group list-dn *t* 2

Output is similar to the following:
cn=credit,ou=Austin,o=Tivoli,c=US sales
cn=marketing,ou=Boston,o=Austin Sale,c=US marketing

See Also
pdadmin group show


pdadmin group modify
Modifies an existing group by adding or removing a list of users or by changing the description.

Syntax
pdadmin group modify group_name {add user... | description description | remove user...}

Options
group_name
    Specifies the name of the group to be modified.

add user...
    Adds the specified users to the specified group. The format of the user list is a parenthesized list of user names, separated by spaces; as example 1 shows, a single user name needs no parentheses.

description description
    Changes the description for the specified group.

remove user...
    Removes the specified users from the specified group. The format of the user list is a parenthesized list of user names, separated by spaces. A user name that contains spaces must be enclosed in double quotes, as in example 2.

Examples
1. The following example adds a new user to the specified group:

pdadmin> group modify engineering add dlucas

2. The following example removes existing users from the specified group:

pdadmin> group modify engineering remove (user1 "john doe" user2 user3)

3. The following example changes the description of the specified group:

pdadmin> group modify credit description "Credit, Dept HCUS"

See Also
pdadmin group create, pdadmin group import


pdadmin group show
Shows the properties of the specified group.

Syntax
pdadmin group {show group_name | show-dn dn | show-members group_name}

Options
show group_name
    Shows the properties of the group specified by group_name.

show-dn dn
    Shows the group specified by the group's identifier in the user registry. The returned group is defined in the user registry but is not necessarily a Tivoli Access Manager group; the Is SecGroup line of the output shows whether it is. Groups that are not Tivoli Access Manager groups can be imported into Tivoli Access Manager by using the pdadmin group import command.

show-members group_name
    Lists the user names of the members of the specified group.

Examples
1. The following example displays the properties of the specified group:

pdadmin> group show credit

Output is similar to the following:
Group ID: credit
LDAP dn: cn=credit,ou=Austin,o=Tivoli,c=US
Description: Credit, Dept HCUS
LDAP cn: credit
Is SecGroup: true

2. The following example displays the properties of the group specified by its identifier in the user registry:

pdadmin> group show-dn cn=credit,ou=Austin,o=Tivoli,c=US

Output is similar to the following:
Group ID: credit
LDAP dn: cn=credit,ou=Austin,o=Tivoli,c=US
Description: Credit, Dept HCUS
LDAP cn: credit
Is SecGroup: true

3. The following example lists the user names of the members of the specified group:

pdadmin> group show-members credit

Output is similar to the following:
dlucas
mlucaser

See Also
pdadmin group list
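The group show, show-dn, show-members, import and modify commands above are usually driven together when a group's membership is managed from a list kept elsewhere. The following script is an added example and is not part of the IBM manual: it parses group show / show-dn and show-members output in the layout the manual prints, emits a group import command when Is SecGroup is false, and then emits the group modify add and remove lists needed to reach the desired membership, double-quoting user names that contain spaces as the manual's own "john doe" example does. The sample outputs are constructed, not captured from a server; the commands it prints are meant to be reviewed and then entered at the pdadmin prompt.

```python
"""Reconcile a Tivoli Access Manager group against a desired member list.

Added example; not code from the IBM manual. It parses the output of
`pdadmin group show` / `group show-dn` and of `pdadmin group show-members`
in the layout the manual prints, then emits the pdadmin commands that make
the group a Tivoli Access Manager group with exactly the desired members:
`group import` first if "Is SecGroup" is false, then `group modify ... add`
and `remove` with parenthesized lists, double-quoting any user name that
contains spaces as the manual's own ("john doe") example does. The sample
outputs below are constructed, not captured from a real server.
"""
from __future__ import annotations

# Constructed `group show-dn` output for a registry group that is not yet a
# Tivoli Access Manager group (same fields as the manual's example).
SAMPLE_SHOW_DN = """\
Group ID: credit
LDAP dn: cn=credit,ou=Austin,o=Tivoli,c=US
Description: Credit, Dept HCUS
LDAP cn: credit
Is SecGroup: false
"""

# Constructed `group show-members credit` output: one user name per line.
SAMPLE_MEMBERS = "dlucas\nmlucaser\n"


def parse_group_show(output: str) -> dict[str, str]:
    """Turn the `Field: value` lines of group show / show-dn into a dict."""
    fields: dict[str, str] = {}
    for line in output.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")   # split at the first colon only
            fields[key.strip()] = value.strip()
    return fields


def parse_show_members(output: str) -> set[str]:
    """One user name per line; blank lines are ignored."""
    return {line.strip() for line in output.splitlines() if line.strip()}


def quote(name: str) -> str:
    """Double-quote a name containing whitespace, as the manual does for "john doe"."""
    if '"' in name:
        raise ValueError(f"double quote inside a name is not supported: {name!r}")
    return f'"{name}"' if any(ch.isspace() for ch in name) else name


def import_if_needed(group: str, show_output: str) -> list[str]:
    """Return a `group import` command if the group is only a registry group."""
    info = parse_group_show(show_output)
    if info.get("Is SecGroup", "").lower() == "true":
        return []
    dn = info.get("LDAP dn")
    if not dn:
        raise ValueError("show output has no 'LDAP dn' line to import from")
    return [f'group import {quote(group)} "{dn}"']


def membership_commands(group: str, members_output: str, desired: set[str]) -> list[str]:
    """Return the `group modify` commands that move current membership to `desired`."""
    current = parse_show_members(members_output)
    commands: list[str] = []
    to_add = sorted(desired - current)
    to_remove = sorted(current - desired)
    if to_add:
        commands.append(f"group modify {quote(group)} add ({' '.join(map(quote, to_add))})")
    if to_remove:
        commands.append(f"group modify {quote(group)} remove ({' '.join(map(quote, to_remove))})")
    return commands


if __name__ == "__main__":
    wanted = {"dlucas", "john doe", "user2"}
    plan = import_if_needed("credit", SAMPLE_SHOW_DN)
    plan += membership_commands("credit", SAMPLE_MEMBERS, wanted)
    print("\n".join(plan))
```

Because the add and remove sets are computed from the server's own show-members output, running the printed commands twice is harmless: the second pass finds nothing to change.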


pdadmin help
Obtains system help for pdadmin commands and options.

Syntax
pdadmin help {topic | command}

Options
topic
    Specifies the general command topic for which help is needed. Topics are as follows:
    - acl
    - action
    - admin
    - errtext
    - exit
    - group
    - help
    - login
    - logout
    - object
    - policy
    - pop
    - quit
    - rsrc
    - rsrccred
    - rsrcgroup
    - server
    - user

command
    Specifies the specific pdadmin command for which help is needed.

Examples
1. The following example lists the commands under the action topic:

pdadmin> help action

Output is similar to the following:
action create
action delete
action group list
...

2. The following example lists the options available for the specified command:

pdadmin> help action create

Output is similar to the following:
action create action_name action_label action_type
action create action_name action_label action_type action_group_name
...


pdadmin login
Establishes the authentication credentials used when communicating with the Tivoli Access Manager policy server. These credentials determine the user's access privileges to policy server data.

Syntax
pdadmin login [-a admin_id [-p password]]

Options
-a admin_id
    Specifies the administrator's ID. If this is the only option specified, the user is prompted for the password.

-p password
    Specifies the user's password. If a command file or script supplies this value, the password is stored there in clear text; specifying only -a, so that pdadmin prompts for the password, avoids this.

Description
Credentials are not accumulated or stacked. A login command completely replaces any existing credentials.

See Also
pdadmin exit / quit, pdadmin logout


pdadmin logout
Discards any authentication credentials that are in effect.

Syntax
pdadmin logout

Options
None.

See Also
pdadmin exit / quit, pdadmin login


pdadmin object create
Creates a protected object under which other protected objects can be placed.

Syntax
pdadmin object create object_name description type ispolicyattachable {yes|no}

Options
object_name
    Specifies the name for the object being created. This name must be unique.

description
    Specifies any text string describing the object being created.

type
    Specifies the type of the object to be created. Types range from 0-13. For example, types 10 or 13 are appropriate for container objects.

ispolicyattachable {yes|no}
    Specifies whether an ACL or a protected object policy can be attached to this object.

See Also
pdadmin object delete


pdadmin object delete
Deletes an existing protected object and all protected objects associated with it.

Syntax
pdadmin object delete object_name

Options
object_name
    Specifies the protected object to be deleted.

See Also
pdadmin object create


pdadmin object list
Lists any objects grouped under the specified protected object. With the attribute keyword, lists all the extended attributes associated with the specified protected object instead.

Syntax
pdadmin object list [object_name [attribute]]

Options
object_name
    Specifies the protected object whose child objects are to be listed.

attribute
    Lists all extended attributes associated with the protected object specified by object_name.

See Also
pdadmin object listandshow, pdadmin object show


pdadmin object listandshow
Lists any child objects grouped under the specified protected object and displays all values associated with each object.

Syntax
pdadmin object listandshow object_name

Options
object_name
    Specifies the protected object for which the child objects and their associated values are to be displayed.

See Also
pdadmin object list, pdadmin object show


pdadmin object modify
Modifies an existing protected object.

Syntax
pdadmin object modify object_name delete attribute attribute_name [attribute_value]

pdadmin object modify object_name set attribute attribute_name attribute_value

pdadmin object modify object_name set description description

pdadmin object modify object_name set ispolicyattachable {yes|no}

pdadmin object modify object_name set name new_object_name

pdadmin object modify object_name set type type

Options
object_name
    Specifies the protected object to be modified.

delete attribute attribute_name [attribute_value]
    Deletes the specified extended attribute (name and all of its values) from the specified protected object. If attribute_value is given, only that value is deleted from the specified extended attribute key of the protected object.

set attribute attribute_name attribute_value
    Creates an extended attribute with the specified name and value and adds it to the specified protected object. If the attribute already exists, the value is added as an additional value, provided the same value does not already exist for this attribute. If the same value already exists, it is not added again (duplicate values are not allowed), and no error is returned.

set description description
    Sets the description field of the specified protected object.

set ispolicyattachable {yes|no}
    Sets whether an ACL or a protected object policy can be attached to the protected object.

set name new_object_name
    Sets the name of the specified protected object.

set type type
    Sets the type field of the specified protected object.

Example
The following example, entered on one line, creates a container object with ispolicyattachable set to yes:

pdadmin> object create /Management/Groups/Travel "Travel Container Object" \
14 ispolicyattachable yes

See Also
pdadmin object create


pdadmin object show
Shows all values associated with the specified protected object. With the attribute keyword, returns the values of the specified extended attribute of the protected object instead.

Syntax
pdadmin object show object_name [attribute attribute_name]

Options
object_name
    Specifies the protected object to be shown.

attribute attribute_name
    Specifies the name of the extended attribute whose values are to be displayed.

See Also
pdadmin object list, pdadmin object listandshow


pdadmin objectspace create
Creates a protected object space under which protected objects can be placed.

Syntax
pdadmin objectspace create objectspace_name description type

Options
objectspace_name
    Specifies the name of the object space to be created.

description
    Specifies the description of the new object space.

type
    Specifies the type of the object space to be created.

Description
The root of the new protected object space automatically has the ispolicyattachable attribute set to true.

See Also
pdadmin objectspace delete


pdadmin objectspace delete
Deletes the specified protected object space.

Syntax
pdadmin objectspace delete objectspace_name

Options
objectspace_name
    Specifies the name of the object space to be deleted.

See Also
pdadmin objectspace create


pdadmin objectspace list
Lists all the protected object spaces.

Syntax
pdadmin objectspace list

Options
None.


pdadmin policy get
Displays user password and account rules and conditions.

Syntax
pdadmin policy get account-expiry-date [-user user_name]

pdadmin policy get disable-time-interval [-user user_name]

pdadmin policy get max-login-failures [-user user_name]

pdadmin policy get max-password-age [-user user_name]

pdadmin policy get max-password-repeated-chars [-user user_name]

pdadmin policy get min-password-alphas [-user user_name]

pdadmin policy get min-password-length [-user user_name]

pdadmin policy get min-password-non-alphas [-user user_name]

pdadmin policy get password-spaces [-user user_name]

pdadmin policy get tod-access [-user user_name]

Options
account-expiry-date
    Displays the account expiration date.

disable-time-interval
    Displays the length of time for which a user account is disabled when the maximum number of login failures is exceeded.

max-login-failures
    Displays the maximum number of login failures allowed.

max-password-age
    Displays the maximum time for which a password remains valid.

max-password-repeated-chars
    Displays the maximum number of repeated characters allowed in a password.

min-password-alphas
    Displays the minimum number of alphabetic characters required in a password.

min-password-length
    Displays the minimum password length.

min-password-non-alphas
    Displays the minimum number of non-alphabetic characters required in a password.

password-spaces
    Displays whether spaces are allowed in passwords.

tod-access
    Displays the global time of day access policy.


-user user_name
    Specifies the user whose policy information is to be displayed. If this option is not specified, the general policy is displayed. For any given policy, if a user has a specific policy applied, this specific policy takes precedence over any general policy that might also be defined. The precedence applies regardless of whether the specific policy is more or less restrictive than the general policy.

Examples
1. The following example returns the account expiration date for the specified user:

pdadmin> policy get account-expiry-date -user dlucas

2. The following example returns the maximum time a password is valid for the specified user:

pdadmin> policy get max-password-age -user dlucas

See Also
pdadmin policy set


pdadmin policy set
Sets user password and account rules and conditions.

Syntax
pdadmin policy set account-expiry-date {unlimited|absolute_time|unset} [-user user_name]

pdadmin policy set disable-time-interval {number|unset|disable} [-user user_name]

pdadmin policy set max-login-failures {number|unset} [-user user_name]

pdadmin policy set max-password-age {unset|relative_time} [-user user_name]

pdadmin policy set max-password-repeated-chars {number|unset} [-user user_name]

pdadmin policy set min-password-alphas {unset|number} [-user user_name]

pdadmin policy set min-password-length {unset|number} [-user user_name]

pdadmin policy set min-password-non-alphas {unset|number} [-user user_name]

pdadmin policy set password-spaces {yes|no|unset} [-user user_name]

pdadmin policy set tod-access {{anyday|weekday|day_list}:{time_spec-time_spec}[:{utc|local}]|unset} [-user user_name]

Options
account-expiry-date {unlimited|absolute_time|unset}
    Sets the account expiration date. The absolute_time format is YYYY-MM-DD-hh:mm:ss. You can enter the date and time in either order, or enter only the date or only the time. If you enter the time without a date, the account expires at the specified time on the current date. If you enter the date without a time, the account expires at the current time on the specified date. Times must be entered using a 24-hour clock (for example, 9:00 for 9 a.m. or 14:00 for 2 p.m.).

disable-time-interval {number|unset|disable}
    Sets the length of time for which each user account is disabled when the maximum number of login failures is exceeded. The default value is 180.

max-login-failures {number|unset}
    Sets the maximum number of login failures allowed. The default value is 10.

max-password-age {unset|relative_time}
    Sets the maximum password age. The relative_time value is measured from the last time the password was changed, and its format is DDD-hh:mm:ss.

max-password-repeated-chars {number|unset}
    Sets the maximum number of repeated characters allowed in a password. The default value is 2.


min-password-alphas {unset|number}
    Sets the minimum number of alphabetic characters required in a password. The default value is 4.

min-password-length {unset|number}
    Sets the minimum password length. The default value is 8.

min-password-non-alphas {unset|number}
    Sets the minimum number of non-alphabetic characters required in a password. The default value is 1.

password-spaces {yes|no|unset}
    Sets whether spaces are allowed in passwords. The default value is unset.

tod-access {{anyday|weekday|day_list}:{time_spec-time_spec}[:{utc|local}]|unset}
    Sets the global time of day access policy. The optional time zone is local by default (utc is equivalent to GMT). The time_spec format is hh:mm, where hh is expressed using a 24-hour clock (for example, 9:00 for 9 a.m. or 14:00 for 2 p.m.).

-user user_name
    Specifies the user whose policy information is to be set. If this option is not specified, the general policy is set. For any given policy, if a user has a specific policy applied, this specific policy takes precedence over any general policy that might also be defined. The precedence applies regardless of whether the specific policy is more or less restrictive than the general policy, so a per-user setting can weaken the general policy as well as tighten it.

Examples
1. The following example sets the account expiration date of the specified user:

pdadmin> policy set account-expiry-date 1999-12-30-23:30:00 -user dlucas

2. The following example sets the maximum password age for the specified user:

pdadmin> policy set max-password-age 031-08:30:00 -user dlucas

See Also
pdadmin policy get
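The policy get and policy set descriptions above state in prose how the values combine: a -user value overrides the general policy whether or not it is stricter, max-password-age is a DDD-hh:mm:ss interval measured from the last password change, and account-expiry-date takes a YYYY-MM-DD-hh:mm:ss stamp. The following script is an added example and is not part of the IBM manual; it models those rules with the defaults the manual lists, so that a candidate password, a per-user override, or an expiry date can be checked before the corresponding pdadmin command is issued. Two readings are the example's own assumptions rather than statements from the manual: "repeated characters" is taken to mean a run of consecutive identical characters, and whitespace is not counted toward min-password-non-alphas.

```python
"""Model the password and account policy values that `pdadmin policy set`
accepts and `pdadmin policy get` reports.

Added example; not code from the IBM manual. Policies are plain dicts keyed by
the manual's option names, with None standing for "unset", and the defaults
are the ones the manual lists. It shows three things the manual states in
prose: a user-specific value set with -user overrides the general one whether
or not it is stricter; how a candidate password is judged against the rules;
and how max-password-age's DDD-hh:mm:ss relative_time and account-expiry-date's
YYYY-MM-DD-hh:mm:ss absolute_time are parsed. Two readings are assumptions,
not manual statements: "repeated characters" is taken as a run of consecutive
identical characters, and whitespace is not counted toward
min-password-non-alphas.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta

# Defaults as listed under `pdadmin policy set`; None is the manual's "unset".
DEFAULT_POLICY: dict[str, object] = {
    "min-password-length": 8,
    "min-password-alphas": 4,
    "min-password-non-alphas": 1,
    "max-password-repeated-chars": 2,
    "password-spaces": None,        # unset: no rule about spaces (yes/no -> True/False)
    "max-password-age": None,       # unset, otherwise a DDD-hh:mm:ss string
    "max-login-failures": 10,
    "disable-time-interval": 180,
}


def effective_policy(general: dict, per_user: dict) -> dict:
    """Merge a -user policy over the general one; a set per-user value always wins."""
    merged = dict(general)
    for name, value in per_user.items():
        if value is not None:               # a per-user "unset" falls back to general
            merged[name] = value
    return merged


def longest_run(text: str) -> int:
    """Length of the longest run of one repeated character (assumed reading)."""
    best = run = 0
    previous = None
    for ch in text:
        run = run + 1 if ch == previous else 1
        best = max(best, run)
        previous = ch
    return best


def password_violations(password: str, policy: dict) -> list[str]:
    """Names of the rules the password breaks, in a fixed order; empty if it passes."""
    broken: list[str] = []

    def check(name: str, fails) -> None:
        limit = policy.get(name)
        if limit is not None and fails(limit):   # unset rules are skipped
            broken.append(name)

    check("min-password-length", lambda n: len(password) < n)
    check("min-password-alphas", lambda n: sum(c.isalpha() for c in password) < n)
    check("min-password-non-alphas",
          lambda n: sum(not c.isalpha() and not c.isspace() for c in password) < n)
    check("max-password-repeated-chars", lambda n: longest_run(password) > n)
    check("password-spaces", lambda allowed: not allowed and " " in password)
    return broken


_RELATIVE_TIME = re.compile(r"^(\d{3})-(\d{2}):(\d{2}):(\d{2})$")


def parse_relative_time(value: str) -> timedelta:
    """Parse max-password-age's DDD-hh:mm:ss, for example 031-08:30:00."""
    match = _RELATIVE_TIME.match(value)
    if not match:
        raise ValueError(f"not DDD-hh:mm:ss: {value!r}")
    days, hours, minutes, seconds = (int(part) for part in match.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def parse_absolute_time(value: str) -> datetime:
    """Parse account-expiry-date's full YYYY-MM-DD-hh:mm:ss, e.g. 1999-12-30-23:30:00."""
    return datetime.strptime(value, "%Y-%m-%d-%H:%M:%S")


def password_expires_at(last_changed: datetime, policy: dict) -> datetime | None:
    """When the password must next be changed, or None if max-password-age is unset."""
    age = policy.get("max-password-age")
    return None if age is None else last_changed + parse_relative_time(age)


if __name__ == "__main__":
    # A weaker per-user minimum length wins over the general policy, as the manual warns.
    policy = effective_policy(DEFAULT_POLICY, {"min-password-length": 6,
                                               "max-password-age": "031-08:30:00"})
    for candidate in ("Tr0ub4dor&3", "aaaa1234", "short"):
        print(candidate, password_violations(candidate, policy) or "ok")
    print(password_expires_at(parse_absolute_time("2002-10-01-12:00:00"), policy))
```

The effective_policy step is the one worth keeping in mind when auditing: because a -user value always wins, policy get without -user does not tell you what applies to a given account, and a per-user check has to be run for each account of interest.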


pdadmin pop attach
Attaches a protected object policy (POP) to the specified protected object.

Syntax
pdadmin pop attach object_name pop_name

Options
object_name
    Specifies the name of the protected object to which the protected object policy is to be attached.

pop_name
    Specifies the name of the protected object policy to be attached.

Description
At most one POP can be attached to a given protected object. If the object already has a POP attached to it, the specified POP replaces the existing one. The same POP can be attached to multiple protected objects. Ensure that the protected object exists in the protected object space before attempting to attach a POP.

See Also
pdadmin pop create, pdadmin pop detach


pdadmin pop create
Creates a protected object policy object.

Syntax
pdadmin pop create pop_name

Options
pop_name
    Specifies the name of the protected object policy to be created.

Example
The following example shows how to create and list a POP:

pdadmin> pop create test
pdadmin> pop list
test

The new POP contains default settings similar to the following:

pdadmin> pop show test
Protected object policy: test
Description:
Warning: no
Audit Level: none
Quality of protection: none
Time of day access: sun, mon, tue, wed, thu, fri, sat:anytime: local
IP Endpoint Authentication Method Policy
    Any Other Network 0

See Also
pdadmin pop attach, pdadmin pop delete


pdadmin pop delete
Deletes the specified protected object policy.

Syntax
pdadmin pop delete pop_name

Options
pop_name
    Specifies the name of the protected object policy to be deleted.

Example
The following example deletes the specified protected object policy and then lists the remaining POPs (none):

pdadmin> pop delete test
pdadmin> pop list
pdadmin>

See Also
pdadmin pop create, pdadmin pop detach


pdadmin pop detach
Detaches a protected object policy from the specified protected object.

Syntax
pdadmin pop detach object_name

Options
object_name
    Specifies the protected object from which the protected object policy is to be detached.

See Also
pdadmin pop attach, pdadmin pop delete


pdadmin pop find
Finds and lists all protected objects that have the specified protected object policy attached.

Syntax
pdadmin pop find pop_name

Options
pop_name
    Specifies the name of the protected object policy for which to search.

See Also
pdadmin pop list


pdadmin pop list
Lists all protected object policies that have been created. With a POP name and the attribute keyword, lists all extended attributes associated with that protected object policy instead.

Syntax
pdadmin pop list [pop_name attribute]

Options
pop_name attribute
    Specifies the POP whose extended attributes are to be listed.

See Also
pdadmin pop find


pdadmin pop modify
Modifies protected object policies.

Syntax
pdadmin pop modify pop_name delete attribute attribute_name [attribute_value]

pdadmin pop modify pop_name set attribute attribute_name attribute_value

pdadmin pop modify pop_name set audit-level {all|none|permit|deny|audit_level_list}

pdadmin pop modify pop_name set description description

pdadmin pop modify pop_name set ipauth add network netmask authority_level

pdadmin pop modify pop_name set ipauth anyothernw authority_level

pdadmin pop modify pop_name set ipauth remove network netmask

pdadmin pop modify pop_name set qop {none|integrity|privacy}

pdadmin pop modify pop_name set tod-access {anyday|weekday|day_list}:{anytime|time_spec-time_spec}[:{utc|local}]

pdadmin pop modify pop_name set warning {yes|no}

Options
pop_name
    Specifies the name of the protected object policy to be modified.

delete attribute attribute_name [attribute_value]
    Deletes the specified extended attribute from the specified POP. If attribute_value is given, only that value is deleted from the specified extended attribute key.

set attribute attribute_name attribute_value
    Sets or adds a value for the specified extended attribute key in the specified POP. If the attribute already exists, the value is added as an additional value, provided the same value does not already exist for this attribute. If the same value already exists, it is not added again (duplicate values are not allowed), and no error is returned.

set audit-level {all|none|permit|deny|audit_level_list}
    Sets the audit level for the specified POP.

set description description
    Sets the description of the specified POP.

set ipauth add network netmask authority_level
    Adds an IP endpoint authentication entry for the given network and netmask to the specified POP, with the specified authentication level.

set ipauth anyothernw authority_level
    Sets the anyothernw (any other network) authentication level of the specified POP, which applies to all IP addresses and IP address ranges not listed explicitly in the POP. If controlling access by IP address is not important, use this option alone to set one authentication level for all clients.


set ipauth remove network netmask
    Removes the IP endpoint authentication entry for the given network and netmask from the specified POP.

set qop {none|integrity|privacy}
    Sets the quality of protection level for the specified POP. The following string values are supported:
    - none
    - integrity
    - privacy

set tod-access {anyday|weekday|day_list}:{anytime|time_spec-time_spec}[:{utc|local}]
    Sets the time of day range for the specified protected object policy. The optional time zone is local by default. The time_spec format is hh:mm, where hh is expressed using a 24-hour clock (for example, 9:00 for 9 a.m. or 14:00 for 2 p.m.).

set warning {yes|no}
    Sets the warning mode for the specified protected object policy.

Example
This example shows how to modify and show a POP description:

pdadmin> pop modify test set description "Test POP"
pdadmin> pop show test
Protected object policy: test
Description: Test POP
Warning: no
Audit level: none
Quality of protection: none
Time of day access: sun, mon, tue, wed, thu, fri, sat:anytime: local
IP Endpoint Authentication Method Policy
    Any Other Network 0

See Also
pdadmin pop attach, pdadmin pop create
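The tod-access value has the same shape under pdadmin policy set tod-access and under pdadmin pop modify pop_name set tod-access: a day selector, a time range or anytime, and an optional utc or local zone that defaults to local. The following parser and evaluator is an added example and is not code from the IBM manual; it accepts the value as the manual describes it (and as pop show prints it) and answers whether a given moment falls inside the window, which is the question to settle before attaching such a POP to a production object. Two details the manual leaves open are the example's own assumptions: the range is treated as start-inclusive and end-exclusive, and a range that would cross midnight is rejected rather than guessed at. The timestamps used are constructed.

```python
"""Parse and evaluate the tod-access value shared by `pdadmin policy set
tod-access` and `pdadmin pop modify ... set tod-access`.

Added example; not code from the IBM manual. It parses
{anyday|weekday|day_list}:{anytime|time_spec-time_spec}[:{utc|local}] as the
manual describes it (day names as `pop show` prints them, hh:mm on a 24-hour
clock, time zone local by default, and `unset` meaning no restriction) and
decides whether a given moment falls inside the window. Two details the manual
leaves open are assumptions here: the window is start-inclusive and
end-exclusive, and a range that would cross midnight is rejected rather than
guessed at.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone, tzinfo

DAY_NAMES = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")  # datetime.weekday() order

_TOD = re.compile(
    r"^(?P<days>[^:]+):(?P<times>anytime|\d{1,2}:\d{2}-\d{1,2}:\d{2})"
    r"(?::\s*(?P<tz>utc|local))?$"
)


@dataclass(frozen=True)
class TodAccess:
    days: frozenset[int]        # weekday numbers, 0 = mon .. 6 = sun
    start: time | None          # None means anytime
    end: time | None
    zone: str                   # "utc" or "local"


def _parse_hhmm(text: str) -> time:
    hours, minutes = text.split(":")
    return time(int(hours), int(minutes))   # ValueError for 25:00 and the like


def parse_tod_access(value: str) -> TodAccess | None:
    """Return None for "unset", otherwise the parsed policy; ValueError if malformed."""
    value = value.strip()
    if value == "unset":
        return None
    match = _TOD.match(value)
    if not match:
        raise ValueError(f"not a tod-access value: {value!r}")
    days_spec = match["days"].strip().lower()
    if days_spec == "anyday":
        days = set(range(7))
    elif days_spec == "weekday":
        days = set(range(5))                 # mon..fri
    else:
        names = [d.strip() for d in days_spec.split(",")]
        unknown = [d for d in names if d not in DAY_NAMES]
        if unknown:
            raise ValueError(f"unknown day name(s): {unknown}")
        days = {DAY_NAMES.index(d) for d in names}
    start = end = None
    if match["times"] != "anytime":
        start_text, end_text = match["times"].split("-")
        start, end = _parse_hhmm(start_text), _parse_hhmm(end_text)
        if start >= end:
            raise ValueError("range must not cross midnight (assumption, not stated in the manual)")
    return TodAccess(frozenset(days), start, end, match["tz"] or "local")


def allows(policy: TodAccess | None, when: datetime, local_tz: tzinfo | None = None) -> bool:
    """True if the aware datetime `when` falls inside the policy window.

    `local_tz` is the zone applied to policies without :utc; None means the
    system's own local zone.
    """
    if policy is None:
        return True                            # unset: no time-of-day restriction
    if when.tzinfo is None:
        raise ValueError("pass an aware datetime so utc/local can be applied")
    local = when.astimezone(timezone.utc if policy.zone == "utc" else local_tz)
    if local.weekday() not in policy.days:
        return False
    if policy.start is None:
        return True
    return policy.start <= local.time() < policy.end


def allows_at(value: str, stamp: str, local_utc_offset_hours: int = 0) -> bool:
    """Convenience wrapper: `stamp` is ISO 8601 with an offset, e.g. 2002-10-07T09:00+00:00."""
    local_tz = timezone(timedelta(hours=local_utc_offset_hours))
    return allows(parse_tod_access(value), datetime.fromisoformat(stamp), local_tz)


if __name__ == "__main__":
    office_hours = "weekday:08:00-18:00:utc"
    for stamp in ("2002-10-07T09:00+00:00", "2002-10-05T09:00+00:00", "2002-10-07T18:00+00:00"):
        print(stamp, "allowed" if allows_at(office_hours, stamp) else "denied")
```

The zone handling is the part most often got wrong in practice: a policy written without :utc is evaluated in the local zone of the machine enforcing it, so the same "08:00-18:00" value means different absolute hours on servers in different time zones, whereas a :utc policy does not.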


pdadmin pop show
Shows the details of the protected object policy. Optionally, displays the values of the specified extended attribute of the protected object policy.

Syntax
pdadmin pop show pop_name [attribute attribute_name]

Options
pop_name
    Specifies the POP to display.

attribute attribute_name
    Specifies the name of the extended attribute whose values are to be displayed.

See Also
pdadmin pop find, pdadmin pop list


pdadmin rsrc create
Creates a single signon Web resource.

Syntax
pdadmin rsrc create resource_name [-desc description]

Options
resource_name
    Specifies the name of the resource to be created.

-desc description
    Specifies a description for the resource. A description containing spaces must be enclosed in double quotes.

Description
A Web resource is a Web server that serves as the back end of a WebSEAL junction.

Example
The following example, entered as one line, creates a Web resource with an associated description:

pdadmin> rsrc create engwebs01 -desc \
"Engineering Web server - Room 4807"

See Also
pdadmin rsrc delete


pdadmin rsrc delete
Deletes the specified single signon Web resource.

Syntax
pdadmin rsrc delete resource_name

Options
resource_name
    Specifies the name of the resource to be deleted. The resource must exist or an error is displayed.

Example
The following example deletes the named resource together with its associated description:

pdadmin> rsrc delete engwebs01

See Also
pdadmin rsrc create


pdadmin rsrc list
Returns a list of all the single signon Web resource names.

Syntax
pdadmin rsrc list

Example
The following example returns a list of all the single signon Web resource names:

pdadmin> rsrc list

Output is similar to the following:
engwebs01
engwebs02
engwebs03

See Also
pdadmin rsrc create


pdadmin rsrc show
Returns information for the specified single signon Web resource.

Syntax
pdadmin rsrc show resource_name

Options
resource_name
    Specifies the name of the resource for which information is shown. The resource must exist or an error is displayed.

Example
The following example returns information for the specified resource:

pdadmin> rsrc show engwebs01

Output is similar to the following:
Web Resource Name: engwebs01
Description: Engineering Web server - Room 4807

See Also
pdadmin rsrc list


pdadmin rsrccred create
Creates a single signon credential.

Syntax
pdadmin rsrccred create resource_name rsrcuser resource_userid rsrcpwd resource_password rsrctype {web|group} user user_name

Options
resource_name
    Specifies the name given to the resource when the resource was created. The resource (or resource group) must already exist in order to create the resource credential. If the resource (or resource group) does not exist or is not specified, an error message is displayed.

rsrcuser resource_userid
    Specifies the unique user identification (user ID) for the user at the Web server.

rsrcpwd resource_password
    Specifies the password for the user at the Web server.

rsrctype {web|group}
    Specifies whether the resource type is web or group.

user user_name
    Specifies the name of the user to whom the resource credential applies. If the user does not exist or is not specified, an error message is displayed.

Example
The following example, entered on one line, creates the resource credential for the given user:

pdadmin> rsrccred create engwebs01 rsrcuser \
4807ws01 rsrcpwd resrcpwd rsrctype web user dlucas

See Also
pdadmin rsrccred delete


pdadmin rsrccred delete
Deletes a single signon credential.

Syntax
pdadmin rsrccred delete resource_name rsrctype {web|group} user user_name

Options
resource_name
    Specifies the name given to the resource when the resource was created.

rsrctype {web|group}
    Specifies the resource type. The type must match the resource type assigned when the resource was first created.

user user_name
    Specifies the name of the user to whom the resource credential applies.

Example
The following example deletes the resource credential for the given resource, resource type, and user name:

pdadmin> rsrccred delete engwebs01 rsrctype web user dlucas

See Also
pdadmin rsrccred create


pdadmin rsrccred list user
Returns the list of single signon credentials for the specified user.

Syntax
pdadmin rsrccred list user user_name

Options
user_name
    Specifies the name of the user for whom the resource credential information applies.

Example
The following example returns the list of single signon credentials for the specified user:
pdadmin> rsrccred list user dlucas

Output is similar to the following:
Resource name: engwebs01
Resource Type: group
Resource name: engwebs02
Resource Type: web


pdadmin rsrccred modify
Creates or modifies a single signon credential.

Syntax
pdadmin rsrccred modify resource_name rsrctype {web|group} set [-rsrcuser resource_userid] [-rsrcpwd resource_password] user user_name

Options
resource_name
    Specifies the name given to the resource when the resource was created.

rsrctype {web|group}
    Specifies the resource type. The type of resource must match the resource type assigned when the resource was first created.

-rsrcuser resource_userid
    Specifies the unique user identification (user ID) for the user at the Web server. To change or reset the resource user ID of the user or password information, these optional commands must be preceded by a dash (-).

-rsrcpwd resource_password
    Specifies the password for a user at the Web server. Specifying this option without specifying the -rsrcuser option clears both the resource user ID and the resource password. To simply set the resource password, you must specify both the resource user ID and the resource password.

user user_name
    Specifies the name of the user for whom the resource credential information applies.

Example
The following example, entered as one line, modifies the specified resource:
pdadmin> rsrccred modify engwebs01 rsrctype web \
set -rsrcuser 4807ws01 -rsrcpwd newrsrpw user dlucas

See Also
pdadmin rsrccred create


pdadmin rsrccred show
Returns the specified single signon credential. The credential identifier is composed of a resource name, a resource type, and a user name.

Syntax
pdadmin rsrccred show resource_name rsrctype {web|group} user user_name

Options
resource_name
    Specifies the name of the single signon resource associated with the credential.

rsrctype {web|group}
    Specifies the type of the single signon resource associated with the credential.

user user_name
    Specifies the name of the user associated with this credential.

Example
The following example returns the specified single signon credential:
pdadmin> rsrccred show webs4807 rsrctype group user dlucas

Output is similar to the following:
Resource Name: engwebs01
Resource Type: group
Resource User Id: dlucas

See Also
pdadmin rsrccred list user


pdadmin rsrcgroup create
Creates a single signon group resource.

Syntax
pdadmin rsrcgroup create resource_group_name [-desc {description}]

Options
resource_group_name
    Specifies the name of the resource group.

-desc {description}
    Specifies an optional description to identify this resource group. Note that the -desc option must be preceded with a dash (-). In addition, descriptions that have spaces need to be enclosed in double quotes.

Example
The following example creates and names a Web resource group and provides a description for that resource:
pdadmin> rsrcgroup create webs4807 -desc "Web servers, Room 4807"

See Also
pdadmin rsrcgroup delete


pdadmin rsrcgroup delete
Deletes a single signon group resource.

Syntax
pdadmin rsrcgroup delete resource_group_name

Options
resource_group_name
    Specifies the name of the resource group. The resource group must exist.

Example
The following example deletes the named resource group and its associated description information:
pdadmin> rsrcgroup delete webs4807

See Also
pdadmin rsrcgroup create


pdadmin rsrcgroup list
Returns a list of all of the single signon group resource names.

Syntax
pdadmin rsrcgroup list

Options
None.

Example
The following example returns a list of all of the single signon group resource names:
pdadmin> rsrcgroup list

Output is similar to the following:
webs4807
websbld3

See Also
pdadmin rsrcgroup show


pdadmin rsrcgroup modify
Adds or removes a single signon resource to or from a single signon resource group.

Syntax
pdadmin rsrcgroup modify resource_group_name add rsrcname resource_name

pdadmin rsrcgroup modify resource_group_name remove rsrcname resource_name

Options
resource_group_name
    Specifies the name of the resource group to be modified.

add rsrcname resource_name
    Adds a single signon resource to the specified single signon resource group.

remove rsrcname resource_name
    Removes a single signon resource from the specified single signon resource group.

Examples
1. The following example adds the named resource to the existing Web resource group:
pdadmin> rsrcgroup modify webs4807 add rsrcname engwebs02

2. The following example deletes the named resource from the existing Web resource group:
pdadmin> rsrcgroup modify webs4807 remove rsrcname engwebs02

See Also
pdadmin rsrcgroup create


pdadmin rsrcgroup show
Returns the specified single signon group resource.

Syntax
pdadmin rsrcgroup show resource_group_name

Options
resource_group_name
    Specifies the name of the resource group. The resource group must exist or an error message displays.

Description
The resource group name, the resource group description, and a list of the names of the resource group members are displayed. The resource group members are the individual Web resources (servers).

Example
The following example returns the specified single signon group resource:
pdadmin> rsrcgroup show webs4807

Output is similar to the following:
Resource Group Name: webs4807
Description: Web servers, Room 4807
Resource Members:
engwebs01
engwebs02
engwebs03

See Also
pdadmin rsrcgroup list


pdadmin server list
Lists all registered servers.

Syntax
pdadmin server list

Options
None.

Description
pdadmin server commands require a server_name option. This option must be entered in the exact format as displayed in the output of the pdadmin server list command.

The server_name option is the full expression of the actual machine name and the Tivoli Access Manager component used by this command (such as WebSEAL). The server_name option is in the format:
access_manager_component-machine_name

For example, if the machine name is cruz and the Tivoli Access Manager component is WebSEAL, the server_name is:
webseald-cruz

Example
The following example lists all registered servers:
pdadmin> server list

Output is similar to the following:
ivacld-topserver
ivacld-server2
ivacld-server3
ivacld-server4

See Also
pdadmin server listtasks, pdadmin server show


pdadmin server listtasks
Retrieves the list of tasks (commands) available for this server.

Syntax
pdadmin server listtasks server_name

Options
server_name
    Specifies the name of the server for which available tasks (commands) will be listed.

Example
The following example displays the list of available tasks from the server:
pdadmin> server listtasks ivacld-mogman.admogman.com

Output is similar to the following:
trace set component level [file path=file|other-log-agent-config]
trace show [component]
trace list [component]
stats show [component]
stats list
stats on [component] [interval] [count] [file path= file|other-log-agent-config]
stats off [component]
stats reset [component]
stats get [component]

See Also
pdadmin server list, pdadmin server show


pdadmin server replicate
Notifies the authorization servers to receive database updates.

Syntax
pdadmin server replicate [-server server_name]

Options
-server server_name
    Specifies the name of the server to receive database updates. If server_name is specified but is not configured to receive database updates, an error message is displayed. If server_name is not specified, all servers configured to receive updates are notified.

Example
The following is an example of this command when specifying the server_name:
pdadmin> server replicate -server ivacld-topserver


pdadmin server show
Displays the specified server’s properties.

Syntax
pdadmin server show server_name

Options
server_name
    Specifies the name of the server whose properties are to be displayed.

Examples
1. The following example displays the specified server’s properties:
pdadmin> server show ivacld-topserver

Output is similar to the following:
ivacld-topserver
    Description: ivacld/topserver
    Hostname: topserver
    Principal: ivacld/topserver
    Port: 7137
    Listening for authorization database update notifications: yes
    AZN Administration Services:
        AZN_ADMIN_SVC_TRACE

2. The following example displays the properties of the WebSEAL server on the cruz machine:
pdadmin> server show webseald-cruz

Output is similar to the following:
webseald-cruz
    Description: webseald/cruz
    Hostname: cruz
    Principal: webseald/cruz
    Port: 7234
    Listening for authorization database update notifications: yes
    AZN Administration Services:
        webseal-admin-svc
        azn_admin_svc_trace

See Also
pdadmin server list
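The server_name format (access_manager_component-machine_name) and the server show output layout above, parsed and checked in an added example that is not code from the IBM documentation. The sample output is constructed from the layout shown here; the <instance>-webseald-<machine> form for a second WebSEAL instance is taken from the server task sections that follow.

```python
"""Parse 'pdadmin server list' / 'pdadmin server show' output and check
that a server name is in the exact form those commands require.

Added example; not code from the IBM Tivoli Access Manager documentation.
The sample output is constructed from the layout shown in the reference.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample of 'pdadmin> server list' output.
SERVER_LIST_OUTPUT = """\
ivacld-topserver
ivacld-server2
webseald-cruz
"""

# Constructed sample of 'pdadmin> server show webseald-cruz' output.
SERVER_SHOW_OUTPUT = """\
webseald-cruz
    Description: webseald/cruz
    Hostname: cruz
    Principal: webseald/cruz
    Port: 7234
    Listening for authorization database update notifications: yes
    AZN Administration Services:
        webseal-admin-svc
        azn_admin_svc_trace
"""

AZN_HEADER = "AZN Administration Services:"
DB_UPDATES_KEY = "Listening for authorization database update notifications"


@dataclass
class ServerInfo:
    name: str
    component: str  # access_manager_component part of the name
    machine: str    # machine_name part of the name
    properties: Dict[str, str] = field(default_factory=dict)
    azn_services: List[str] = field(default_factory=list)

    @property
    def port(self) -> Optional[int]:
        value = self.properties.get("Port", "")
        return int(value) if value.isdigit() else None

    @property
    def receives_db_updates(self) -> bool:
        return self.properties.get(DB_UPDATES_KEY, "").lower() == "yes"


def split_server_name(server_name: str) -> Tuple[str, str]:
    """Split 'access_manager_component-machine_name' into its two parts.

    Plain components (ivacld, webseald) contain no dash, so the first dash
    separates them from the machine name even when the machine name has
    dashes of its own. A second WebSEAL instance is named
    '<instance>-webseald-<machine>', so its component runs up to 'webseald'.
    """
    marker = "-webseald-"
    if marker in server_name:
        end = server_name.index(marker) + len(marker) - 1
        return server_name[:end], server_name[end + 1:]
    component, sep, machine = server_name.partition("-")
    if not (sep and component and machine):
        raise ValueError(f"not in component-machine_name form: {server_name!r}")
    return component, machine


def parse_server_list(output: str) -> List[str]:
    """Return the registered server names exactly as pdadmin printed them."""
    return [line.strip() for line in output.splitlines() if line.strip()]


def parse_server_show(output: str) -> ServerInfo:
    """Build a ServerInfo from 'pdadmin server show' output."""
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty 'server show' output")
    component, machine = split_server_name(lines[0])
    info = ServerInfo(name=lines[0], component=component, machine=machine)
    in_services = False
    for text in lines[1:]:
        if text == AZN_HEADER:
            in_services = True          # service names follow, one per line
        elif in_services and ": " not in text:
            info.azn_services.append(text)
        else:
            in_services = False         # back to 'Key: value' properties
            key, sep, value = text.partition(": ")
            if sep:
                info.properties[key] = value
    return info


def check_task_target(server_name: str, list_output: str) -> str:
    """Return server_name if 'server list' printed exactly that name.

    'server task' and 'server replicate -server' need the exact form, so a
    case or spelling mismatch is reported instead of being passed through.
    """
    registered = parse_server_list(list_output)
    if server_name in registered:
        return server_name
    near = [n for n in registered if n.lower() == server_name.lower()]
    hint = f" (did you mean {near[0]!r}?)" if near else ""
    raise LookupError(f"{server_name!r} is not a registered server{hint}")
```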


pdadmin server task

Purpose
Sends a command to an authorization server.

Syntax
pdadmin server task server_name server_task

Options
server_name
    Specifies the server name. You must specify the server name in the exact format as displayed in the output of the pdadmin server list command.

    The server_name option is the full expression of the actual machine name and the Tivoli Access Manager component used by this command (such as WebSEAL). The server_name option is in the format:
    access_manager_component-machine_name

    For example, if the machine name is cruz and the Tivoli Access Manager component is WebSEAL, the server_name is:
    webseald-cruz

server_task
    Specifies the task (command) being sent.

See Also
pdadmin server task (WebSEAL), pdadmin server task add (WebSEAL), pdadmin server task stats (WebSEAL), pdadmin server task trace


pdadmin server task (WebSEAL)
Creates and manipulates WebSEAL junctions. This command is available only if you have the Tivoli Access Manager WebSEAL product installed.

Syntax
pdadmin server task server_name-host_name [add options | create options | delete | exit | help [command] | jmt {load | clear} | list | remove | show] junction_point

Options
server_name-host_name
    Specifies the name of the Tivoli Access Manager server.

    For a single WebSEAL server, server_name is webseald. For multiple WebSEAL instances on the same machine, server_name is the configured name of the WebSEAL server instance followed by -webseald. For example, if the configured name of a WebSEAL instance is webseal2, the server_name is as follows: webseal2-webseald.

    Note: The initial WebSEAL server installed on a machine is always named after the machine. For example, if the machine name is patton, the host_name is patton.

add options
    Adds a server to an existing WebSEAL junction point. For more information, see “pdadmin server task add (WebSEAL)” on page 74.

create options
    Creates a new junction for an initial server. For more information, see the IBM Tivoli Access Manager WebSEAL Administrator’s Guide.

delete
    Removes the junction point specified by junction_point.

exit
    Exits the pdadmin command line interface.

help [command]
    Lists junction commands. If the command option is specified, lists detailed help for a specific junction command.

jmt {load | clear}
    Loads or clears junction mapping table data, located in the jmt.conf file.

list
    Lists all junction points on this server.

remove
    Removes the specified server from a junction point.

show
    Displays details of a junction.

junction_point
    Specifies the junction point.

Authorization
sec_master administrative user

See Also
pdadmin server task, pdadmin server task stats (WebSEAL), pdadmin server task trace, pdadmin server task add (WebSEAL)


pdadmin server task add (WebSEAL)
Adds an additional server to an existing junction point. This command is available only if you have the Tivoli Access Manager WebSEAL product installed.

Syntax
For TCP and SSL proxy junctions:

pdadmin server task server_name-host_name add -h host_name -H host_name -P port [-D dn -i -p port -q url -u uuid -v virt_host_name -w] junction_point

For local, TCP, and SSL junctions:

pdadmin server task server_name-host_name add -h host_name [-D dn -i -p port -q url -u uuid -v virt_host_name -w] junction_point

Options
server_name-host_name
    Specifies the name of the Tivoli Access Manager server.

    For a single WebSEAL server, server_name is webseald. For multiple WebSEAL instances on the same machine, server_name is the configured name of the WebSEAL server instance followed by -webseald. For example, if the configured name of a WebSEAL instance is webseal2, the server_name is as follows: webseal2-webseald.

    Note: The initial WebSEAL server installed on a machine is always named after the machine. For example, if the machine name is patton, the host_name is patton.

-D dn
    Specifies the distinguished name of the back-end server certificate. This value, matched against the actual certificate DN, enhances authentication.

-H host_name
    Specifies the DNS host name or IP address of the proxy server.

-i
    Specifies that the WebSEAL server treats URLs as case insensitive.

-P port
    Specifies the TCP port of the proxy server.

-p port
    Specifies the TCP port of the back-end third party server. The default value is 80 for TCP junctions; 443 for SSL junctions.

-q url
    Specifies the relative path for the query_contents script. By default, Tivoli Access Manager looks for query_contents in /cgi_bin/. If this directory is different or the query_contents file name is renamed, use this option to indicate to WebSEAL the new URL to the file.

-u uuid
    Specifies the UUID of a back-end server connected to WebSEAL via a stateful junction (-s).

-v virt_host_name
    Specifies the virtual host name represented on the back-end server. This option supports a virtual host setup on the back-end server. Use -v when the back-end junction server expects a host name header because you are junctioning to one virtual instance of that server. The default HTTP header request from the browser does not know that the back-end server has multiple names and multiple virtual servers. You must configure WebSEAL to supply that extra header information in requests destined for a back-end server set up as a virtual host.

-w
    Specifies Win32 filesystem support.

Authorization
sec_master administration user

See Also
pdadmin server show, pdadmin server task stats (WebSEAL), pdadmin server task trace, pdadmin server task (WebSEAL)


pdadmin server task stats (WebSEAL)

Purpose
Enables the gathering of statistical information. This command is available only if you have the Tivoli Access Manager WebSEAL product installed.

Syntax
pdadmin server task server_name-host_name stats {get | list | off | reset | show} [component]

pdadmin server task server_name-host_name stats on component [interval [count]] [log_agent]

Options
server_name-host_name
    Specifies the name of the Tivoli Access Manager server.

    For a single WebSEAL server, server_name is webseald. For multiple WebSEAL instances on the same machine, server_name is the configured name of the WebSEAL server instance followed by -webseald. For example, if the configured name of a WebSEAL instance is webseal2, the server_name is as follows: webseal2-webseald.

    Note: The initial WebSEAL server installed on a machine is always named after the machine. For example, if the machine name is patton, the host_name is patton.

stats get [component]
    Displays the current values of statistics being gathered for all enabled components. Specify the component option to get statistics for a specific enabled component.

stats list [component]
    Lists all components available to gather and report statistics. Specify the component option to list a specific enabled component. If the specified component is not enabled, no output is displayed.

stats on component [interval [count]] [log_agent]
    Dynamically enables statistics gathering for the specified component. When enabling stats, you can also set the statistics report frequency, count, and destination for a component. Options are as follows:

    interval
        Specifies the time interval between reports of information. This results in statistics being sent to a log file. When this option is specified, statistics are sent, by default, to standard out of the WebSEAL server, which is the WebSEAL log file. You can specify another output location using the log_agent argument. If interval is not specified, no statistics are sent to any log file. However, the statistic component is still enabled. You can obtain reports dynamically at any time using the pdadmin stats get command.

    count
        Specifies the number of reports sent to a log file. The interval option is required if using the count option. If interval is specified without count, the duration of reporting is indefinite. After the count value is reached, reporting to a log file stops. However, the statistic component is still enabled. You can obtain reports dynamically at any time using the pdadmin stats get command.

    log_agent
        Specifies a destination for the statistics information gathered for the specified component. For more information about event logging, see the IBM Tivoli Access Manager Base Administrator’s Guide.

stats off [component]
    Disables statistics gathering for all components. Specify the component option to disable statistics gathering for a specific enabled component.

    Note: By default, the pdweb.threads, pdweb.doccache, and pdweb.jmt components are always enabled and cannot be disabled.

stats reset [component]
    Resets the values being gathered by all enabled components. Specify the component option to reset the values for a specific enabled component.

stats show [component]
    Shows the names and levels for all enabled stats components. Specify the component option to show the name and level for a specific enabled component.

Description
For more information about gathering statistics, see the IBM Tivoli Access Manager Problem Determination Guide.

Example
The following is an example of the output after sending the pdadmin stats list task to the authorization server:
pdadmin> server task ivacld-mogman.admogman.com stats list

pd.ras.stats.monitor
pd.log.EventPool.queue

See Also
pdadmin server task, pdadmin server task trace, pdadmin server task (WebSEAL), pdadmin server task add (WebSEAL)


pdadmin server task trace

Purpose
Enables the gathering of trace information. This information is stored in a file and used for debugging purposes.

Syntax
pdadmin server task server_name-host_name trace list [component]

pdadmin server task server_name-host_name trace set component level [log_agent]

pdadmin server task server_name-host_name trace show [component]

Options
server_name-host_name
    Specifies the name of the Tivoli Access Manager server.

    For a single WebSEAL server, server_name is webseald. For multiple WebSEAL instances on the same machine, server_name is the configured name of the WebSEAL server instance followed by -webseald. For example, if the configured name of a WebSEAL instance is webseal2, the server_name is as follows: webseal2-webseald.

    Note: The initial WebSEAL server installed on a machine is always named after the machine. For example, if the machine name is patton, the host_name is patton.

trace list [component]
    Lists all enabled trace components available to gather and report trace information. Specify the component option to list a specific component that is enabled (set) for tracing. If the specified component is not enabled, no output is displayed.

trace set component level [log_agent]
    Sets the trace level and trace message destination for a specific component and its subordinates. The level option values are 1 through 9, with 9 reporting the most detailed level of information in the trace output. The optional log_agent specifies a destination for the trace information gathered for the specified component. For more information about event logging, see the IBM Tivoli Access Manager Base Administrator’s Guide.

trace show [component]
    Shows the name and level for the specified component. If the component option is not specified, shows the names and levels for all enabled trace components.

Description
For more information about tracing and trace components, see the Tivoli Access Manager Problem Determination Guide.

Example
The following is an example of showing enabled trace components. Note that WebSEAL-specific components are prefixed with pdweb.
pdadmin> server task webseald-<instance> trace set pdweb.debug 2
pdadmin> server task webseald-<instance> trace show
pdweb.debug 2

See Also
pdadmin server task, “pdadmin server task stats (WebSEAL)” on page 76, pdadmin server task (WebSEAL), “pdadmin server task add (WebSEAL)” on page 74


pdadmin user create
Creates a user in the user registry used by the policy server and initially associates that user with one or more groups.

Syntax
pdadmin user create [-gsouser] [-no-password-policy] user_name dn cn sn password [groups]

Options
-gsouser
    Enables the user’s global signon (GSO) capabilities.

-no-password-policy
    The password policy is normally applied in all cases. As the exception to this rule, the -no-password-policy option is provided only for creating a user with an initial password. It is recommended that the initial password be changed.

user_name
    Specifies the name for the user being created. This name must be unique.

dn
    Specifies the registry identifier assigned to the user being created. The registry identifier must be known before a new user account can be created. The registry identifier must be unique within the user registry.

cn
    Specifies the common name assigned to the user being created.

sn
    Specifies the surname of the user being created.

password
    Specifies the password set for the new user. Passwords must adhere to the password policies set by the administrator.

groups
    This optional argument specifies a list of groups to which the new user is assigned. The format of the group list is a parenthesized list of group names, separated by spaces.

Description
A user is a registered participant of the secure domain. A GSO user is a Tivoli Access Manager user that additionally has the authority to work with Web resources, such as a Web server. When an LDAP-based registry is used, user names are not case sensitive.

Example
The following example, entered as one line, creates a new user:
pdadmin> user create -gsouser dlucas "cn=Diana \
Lucas,ou=Austin,o=Tivoli,c=US" "Diana Lucas" Lucas mypasswd

To make the user account valid, you must use the pdadmin user modify command to set the account-valid flag to yes.

See Also
pdadmin user delete, pdadmin user import


pdadmin user delete
Deletes the user and optionally deletes the user from the user registry.

Syntax
pdadmin user delete [-registry] user_name

Options
-registry
    Deletes the entire user object from the user registry. If this option is not specified, registry user information may be used to create a user with the pdadmin user import command.

user_name
    Specifies the name of the account to be deleted. Any resource credentials associated with a user account are automatically removed at the same time the user account is deleted.

Example
The following example deletes the account of the specified user:
pdadmin> user delete dlucas

See Also
pdadmin user create


pdadmin user import
Creates a user by importing an existing user from the user registry.

Syntax
pdadmin user import [-gsouser] user_name dn [group_name]

Options
-gsouser
    Specifies for the user to also be a GSO user (gsoUser).

user_name
    Specifies a unique user name. This user is created from information that already exists in the user registry.

dn
    Specifies the registry identifier of the user being imported. This identifier must exist in the user registry and must not be associated with an existing user.

group_name
    Specifies the group to which the imported user is being assigned.

Description
Imported user accounts are created invalid by default. To make the user account valid, you must use the pdadmin user modify command to set the account-valid flag to yes.

Example
The following example, entered on one line, creates the user mlucaser by importing information from the registry user cn=Mike Lucaser,ou=Austin,o=Tivoli,c=US:
pdadmin> user import -gsouser mlucaser "cn=Mike \
Lucaser,ou=Austin,o=Tivoli,c=US"

See Also
pdadmin user create


pdadmin user list
Lists users, by user name.

Syntax
pdadmin user {list | list-dn} pattern max_return

Options
list pattern max_return
    Specifies the pattern for the principal name. The pattern can include a mixture of wildcards and string constants, and is case sensitive (for example, *luca*).

    The max_return option specifies the maximum number of entries that are found and returned for a single request. Note that the number returned is also governed by the server configuration, which specifies the maximum number of results that can be returned as part of a search operation. The actual maximum number of returned entries is the minimum of max_return and the configured value on the server.

list-dn pattern max_return
    Specifies the pattern for the common name (CN) portion of the user’s registry identifier (excluding the cn= component). The pattern can include a mixture of wildcards and string constants, and is case sensitive (for example, *luca*). The returned list contains users that are defined in the user registry but are not necessarily Tivoli Access Manager users. Users that are not Tivoli Access Manager users can be imported into Tivoli Access Manager by use of the pdadmin user import command.

Examples
1. The following example lists the users matching the specified pattern:
pdadmin> user list *luca* 2

Output is similar to the following:
dlucas
mlucaser

2. The following example lists the users matching the specified registry identifier:
pdadmin> user list-dn *luca* 2

Output is similar to the following:
cn=Diana Lucas,ou=Austin,o=Tivoli,c=US
cn=Mike Lucaser,ou=Austin,o=Tivoli,c=US

See Also
pdadmin user show


pdadmin user modifyModifies various user account options.

Syntaxpdadmin user modify user_name account-valid {yes|no}

pdadmin user modify user_name description description

pdadmin user modify user_name gsouser {yes|no}

pdadmin user modify user_name password password

pdadmin user modify user_name password-valid {yes|no}

Options

account-valid {yes|no}
    Enables or disables the specified user account.

description description
    Modifies the user description.

gsouser {yes|no}
    Enables or disables the single signon capabilities of a user.

password password
    Modifies the user password. The new password must comply with the password policies in effect.

password-valid {yes|no}
    Validates or invalidates the user's account password. Setting the password-valid flag to no forces the user to change the password at the next pdadmin login attempt.

user_name
    Specifies the name of the account to be modified.

Examples

1. The following example enables the specified user account:

   pdadmin> user modify dlucas account-valid yes

2. The following example modifies the description of a user account:

   pdadmin> user modify dlucas description "Diana Lucas, Credit Dept HCUS"

3. The following example removes the user as a GSO user:

   pdadmin> user modify dlucas gsouser no

4. The following example changes the password for a user account:

   pdadmin> user modify dlucas password newpasswd

5. The following example invalidates the user password, forcing the user to change the password at the next login:

   pdadmin> user modify dlucas password-valid no

See Also

pdadmin user create, pdadmin user import


pdadmin user show

Displays the properties of the specified user.

Syntax

pdadmin user show user_name

pdadmin user show-dn dn

pdadmin user show-groups user_name

Options

user_name
    Specifies the name of the user to display.

show-dn dn
    Displays the user specified by the user's identifier in the user registry. The returned user is defined in the user registry but is not necessarily a Tivoli Access Manager user. Users that are not Tivoli Access Manager users can be imported into Tivoli Access Manager by use of the pdadmin user import command.

show-groups user_name
    Displays the groups in which the specified user is a member.

Examples

1. The following example displays the user account information for the specified user:

   pdadmin> user show dlucas

   Output is similar to the following:

   Login ID: dlucas
   LDAP dn: cn=Diana Lucas,ou=Austin,o=Tivoli,c=US
   LDAP cn: Diana Lucas
   LDAP sn: Lucas
   Description: Diana Lucas, Credit Dept HCUS
   IS SecUser: true
   IS GSO user: false
   Account valid: true
   Password valid: true
   Authentication mechanism: Default:LDAP

2. The following example displays the groups of which the specified user is a member:

   pdadmin> user show-groups dlucas

   Output is similar to the following:

   sales
   credit
   engineering

3. The following example provides additional information about the user when specifying the registry identifier:

   pdadmin> user show-dn "cn=Diana Lucas,ou=Austin,o=Tivoli,c=US"

   Output is similar to the following:

   Login ID: dlucas
   LDAP dn: cn=Diana Lucas,ou=Austin,o=TivoliInc,c=US
   LDAP cn: Diana Lucas
   LDAP sn: Lucas
   Description: Diana Lucas, Credit Dept HCUS
   IS SecUser: true
   IS GSO user: false
   Account valid: true
   Password valid: true
   Authentication mechanism: Default:LDAP

See Also

pdadmin user list
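The "Name: value" layout of the user show output above is easy to audit in bulk. The following shell script is an added example, not code from the IBM manual or the product: it reduces saved user show output to one summary line per user and lists accounts that are disabled, have an invalidated password, or are GSO-enabled. The captured output is constructed for the example and the account contractor7 is made up; in practice the input would be the saved output of user show for each user of interest.

```shell
#!/bin/sh
# Added example, not from the IBM manual: turns saved "pdadmin user show"
# output into an audit summary. The sample below is constructed to mirror
# the field names shown in the reference; "contractor7" is a made-up account.

SAMPLE_SHOW='Login ID: dlucas
LDAP dn: cn=Diana Lucas,ou=Austin,o=Tivoli,c=US
LDAP cn: Diana Lucas
LDAP sn: Lucas
Description: Diana Lucas, Credit Dept HCUS
IS SecUser: true
IS GSO user: false
Account valid: true
Password valid: true
Authentication mechanism: Default:LDAP
Login ID: contractor7
LDAP dn: cn=Contractor Seven,ou=Austin,o=Tivoli,c=US
LDAP cn: Contractor Seven
LDAP sn: Seven
Description: temporary account
IS SecUser: true
IS GSO user: true
Account valid: false
Password valid: false
Authentication mechanism: Default:LDAP'

# summarize_users < show_output
# Emits "login account_valid password_valid gso" per user, in input order.
# A new "Login ID:" line starts the next user; field names are matched
# case-insensitively, and "?" marks a field that was missing.
summarize_users() {
    awk -F': ' '
        function emit() { print login, acct, pw, gso; acct = pw = gso = "?" }
        BEGIN { acct = pw = gso = "?" }
        tolower($1) == "login id"       { if (login != "") emit(); login = $2 }
        tolower($1) == "account valid"  { acct = $2 }
        tolower($1) == "password valid" { pw = $2 }
        tolower($1) == "is gso user"    { gso = $2 }
        END { if (login != "") emit() }
    '
}

# flag_users < show_output
# Prints "login: reason ..." only for accounts that need review.
flag_users() {
    summarize_users | while read -r login acct pw gso; do
        reasons=""
        [ "$acct" = "false" ] && reasons="$reasons account-disabled"
        [ "$pw" = "false" ]   && reasons="$reasons password-invalid"
        [ "$gso" = "true" ]   && reasons="$reasons gso-enabled"
        if [ -n "$reasons" ]; then
            printf '%s:%s\n' "$login" "$reasons"
        fi
    done
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_SHOW" | summarize_users
printf '%s\n' "$SAMPLE_SHOW" | flag_users
```

Feeding the script the concatenated output of user show for every account (for example, one call per name returned by user list) gives a quick view of which accounts are disabled, which must change their password at next login, and which carry single signon rights.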


Chapter 2. Tivoli Access Manager utilities

In addition to the pdadmin command utility, Tivoli Access Manager provides the following utilities for your use.

Table 11. Tivoli Access Manager utilities

Command                 Description

bassslcfg -chgpwd       Changes the key database password.
bassslcfg -config       Configures the Tivoli Access Manager runtime so as to allow the pdadmin and svrsslcfg utilities to communicate with the Tivoli Access Manager policy server. Also creates a new key and stash file.
bassslcfg -getcacert    Downloads the root CA certificate to a file.
bassslcfg -modify       Modifies the Tivoli Access Manager policy server configuration.
bassslcfg -ping         Pings a Tivoli Access Manager server.
ezinstall               Uses scripts or batch files to set up complete Tivoli Access Manager systems in the secure domain.
install_pdrte           An InstallShield wizard that sets up a Tivoli Access Manager runtime system.
mgrsslcfg -chgcert      Renews the manager's SSL certificate.
mgrsslcfg -chgpwd       Changes the key database password.
mgrsslcfg -config       Performs full configuration, creating new key and stash files and generating new certificates for the Tivoli Access Manager policy server.
mgrsslcfg -modify       Modifies the current configuration.
pdbackup                Backs up, restores, and extracts Tivoli Access Manager data.
pdconfig                Configures and unconfigures Tivoli Access Manager components except the Tivoli Access Manager Java runtime environment component.
pdjrtecfg               Configures the Tivoli Access Manager Java runtime environment.
pd_start                Stops, starts, and restarts servers on UNIX systems. Also displays server status.
pdversion               Lists the current version of Tivoli Access Manager components installed on the system.
svrsslcfg               Configures aznAPI applications to use an SSL connection for communicating with the Tivoli Access Manager policy server.
svrsslcfg -add_replica  Adds a database replica.
svrsslcfg -chg_replica  Changes a database replica.
svrsslcfg -chgcert      Renews the server's SSL certificate.
svrsslcfg -chgport      Changes the listening port number.
svrsslcfg -chgpwd       Changes the keyring file password.
svrsslcfg -config       Performs full configuration of a server.
svrsslcfg -modify       Modifies the current configuration.
svrsslcfg -rmv_replica  Removes a replica configuration.
svrsslcfg -unconfig     Unconfigures the server.


bassslcfg -chgpwd

Changes the key database password. A new random password is generated and saved in the stash file.

Syntax

bassslcfg -chgpwd -e pwd_life

Options

-e pwd_life
    Sets the keyring file password expiration time in days. You can specify a pwd_life value from 1 to 7200 (days). To use the currently configured value, specify 0.

Availability

This command is located in the following default installation directories:

• On UNIX systems: /opt/PolicyDirector/sbin/
• On Windows systems: c:\Program Files\Tivoli\Policy Director\sbin\


bassslcfg -config

Configures the Tivoli Access Manager runtime so as to allow the pdadmin and svrsslcfg utilities to communicate with the Tivoli Access Manager policy server. Also creates a new key and stash file.

Syntax

bassslcfg -config -c cert_file -h host_name [-p server_port] [-e pwd_life] [-t ssl_timeout]

Options

-c cert_file
    Specifies the name of the policy server base64-encoded, self-signed certificate.

-h host_name
    Specifies the TCP host name of the policy server.

-p server_port
    Specifies the listening port number of the policy server. The default value is 7135.

-e pwd_life
    Sets the keyring file password expiration time in days. You can specify a pwd_life value from 1 to 7299 (days). The default value is 7299.

-t ssl_timeout
    Specifies the SSL session timeout in seconds. You can specify an ssl_timeout value from 1 to 86400 (seconds). The default value is 7200.

Availability

This command is located in the following default installation directories:

• On UNIX systems: /opt/PolicyDirector/sbin/
• On Windows systems: c:\Program Files\Tivoli\Policy Director\sbin\


bassslcfg -getcacert

Downloads the root CA certificate to a file.

Syntax

bassslcfg -getcacert -c cert_file -h host_name [-p server_port]

Options

-c cert_file
    Specifies the name of the policy server base64-encoded, self-signed certificate.

-h host_name
    Specifies the TCP host name of the policy server.

-p server_port
    Specifies the listening port number of the policy server. The default value is 7135.

Availability

This command is located in the following default installation directories:

• On UNIX systems: /opt/PolicyDirector/sbin/
• On Windows systems: c:\Program Files\Tivoli\Policy Director\sbin\


bassslcfg -modify

Modifies the Tivoli Access Manager policy server configuration.

Syntax

bassslcfg -modify [-h host_name] [-e pwd_life] [-p server_port] [-t ssl_timeout]

Options

-h host_name
    Specifies the TCP host name of the policy server.

-e pwd_life
    Sets the keyring file password expiration time in days. You can specify a pwd_life value from 1 to 7200 (days).

-p server_port
    Specifies the listening port number of the policy server.

-t ssl_timeout
    Specifies the SSL session timeout in seconds. You can specify an ssl_timeout value from 1 to 86400 (seconds).

Availability

This command is located in the following default installation directories:

• On UNIX systems: /opt/PolicyDirector/sbin/
• On Windows systems: c:\Program Files\Tivoli\Policy Director\sbin\


bassslcfg -ping

Pings a Tivoli Access Manager server.

Syntax

bassslcfg -ping -h host_name [-p server_port]

Options

-h host_name
    Specifies the TCP host name of the policy server.

-p server_port
    Specifies the listening port number of the Tivoli Access Manager server that you want to ping. The default value is 7135.

Availability

This command is located in the following default installation directories:

• On UNIX systems: /opt/PolicyDirector/sbin/
• On Windows systems: c:\Program Files\Tivoli\Policy Director\sbin\


ezinstall

Use easy installation scripts (UNIX) or batch files (Windows) to expedite the installation and configuration of a secure domain using an LDAP registry. Easy installation is also useful if you want to add a Tivoli Access Manager component or set up a system in an existing domain.

Before running ezinstall

Ensure that the ezinstall utility is supported on your platform and that you are familiar with its configuration options. For detailed information, including step-by-step scenarios, see the IBM Tivoli Access Manager Base Installation Guide.

Syntax

ezinstall_ldap_server [response_file]

ezinstall_pdacld [response_file]

ezinstall_pdauthadk [response_file]

ezinstall_pdmgr [response_file]

ezinstall_pdwpm [response_file]

Options

ezinstall_ldap_server
    Sets up an IBM Directory server system with the following software packages:
    • IBM DB2
    • IBM Global Security Toolkit
    • IBM HTTP Server
    • IBM Directory client
    • IBM Directory server

ezinstall_pdacld
    Sets up an authorization server system with the following software packages:
    • IBM Global Security Toolkit
    • IBM Directory client
    • Tivoli Access Manager runtime
    • Tivoli Access Manager authorization server

ezinstall_pdauthadk
    Sets up a Tivoli Access Manager development system with the following software packages:
    • IBM Global Security Toolkit
    • IBM Directory client
    • Tivoli Access Manager runtime
    • Tivoli Access Manager Application Development Kit


ezinstall_pdmgr
    Sets up the Tivoli Access Manager policy server system with the following software packages:
    • IBM Global Security Toolkit
    • IBM Directory client
    • Tivoli Access Manager runtime
    • Tivoli Access Manager policy server

ezinstall_pdwpm
    Sets up the Web Portal Manager interface with the following software packages:
    • IBM Global Security Toolkit
    • IBM Directory client
    • Tivoli Access Manager runtime
    • IBM WebSphere Application Server, Advanced Single Server 4.0 and FixPack 3
    • Tivoli Access Manager Web Portal Manager
    • Tivoli Access Manager Java runtime environment

response_file
    Specifies a response file to perform a silent, unattended installation of Tivoli Access Manager components.

    On UNIX systems, the response file is named based on the package that you installed and configured. For example, if you run the ezinstall_ldap_server script, the response file that is generated is named ezinstall_ldap_server.rsp. Response files for each package that you run are stored in the /var/tmp directory.

    On Windows systems, easy installation generates a response file named ezinstall.rsp. This response file resides in the temporary directory that is the value specified by the %TEMP% variable. For example, if you run the ezinstall_ldap_server.bat file, the response file that is generated is named %TEMP%\ezinstall.rsp.

    Note: For more information about response files, see the IBM Tivoli Access Manager Base Installation Guide.

Comments

• If you plan to configure Active Directory or Domino as your registry, you cannot use easy installation. In addition, easy installation is not supported on the Linux for zSeries platform.
• You cannot use the ezinstall_ldap_server script if an existing version of IBM Directory server is installed.
• The ezinstall_pdmgr script is supported on AIX, Solaris, and Windows systems only. You cannot use the ezinstall_pdmgr script if an existing version of the Tivoli Access Manager policy server is installed.

See Also

install_pdrte


install_pdrte

Use this InstallShield wizard to set up a Tivoli Access Manager runtime system. All prerequisite products and Tivoli Access Manager components are installed and configured except for a platform-specific JRE, which must be installed manually.

Before running install_pdrte

Ensure that the install_pdrte utility is supported on your platform and that you are familiar with its configuration options. For detailed information, including step-by-step scenarios, see the IBM Tivoli Access Manager Base Installation Guide.

Syntax

install_pdrte [-options {response_file}]

Options

install_pdrte
    Sets up a Tivoli Access Manager runtime system with the following software packages:
    • IBM Global Security Toolkit
    • IBM Directory client
    • Access Manager Runtime

Comments

• This utility is only supported when using an LDAP-based registry.
• To create a Tivoli Access Manager runtime response file, you must copy a template provided on the Tivoli Access Manager Base CD to your hard drive and edit its values.

See Also

ezinstall


mgrsslcfg -chgcert

Renews the manager's SSL certificate. A new public-private key pair and certificate are created and stored in the key database.

Syntax

mgrsslcfg -chgcert -l cert_life

Options

-l cert_life
    Sets the certificate expiration time in days. You can specify a cert_life value from 1 to 7300 (days). To use the currently configured value, specify 0.

Comments

Stop the policy server before running this command.

Availability

This command is located in the following default installation directories:

• On UNIX systems: /opt/PolicyDirector/sbin/
• On Windows systems: c:\Program Files\Tivoli\Policy Director\sbin\


mgrsslcfg -chgpwd

Changes the key database password. A new random password is generated and saved in the stash file.

Syntax

mgrsslcfg -chgpwd -e pwd_life

Options

-e pwd_life
    Sets the keyring file password expiration time in days. You can specify a pwd_life value from 1 to 7200 (days). To use the currently configured value, specify 0.

Comments

Stop the policy server before running this command.

Availability

This command is located in the following default installation directories:

• On UNIX systems: /opt/PolicyDirector/sbin/
• On Windows systems: c:\Program Files\Tivoli\Policy Director\sbin\


mgrsslcfg -config

Performs full configuration, creating new key and stash files and generating new certificates for the Tivoli Access Manager policy server.

Syntax

mgrsslcfg -config [-e pwd_life] [-l cert_life] [-t ssl_timeout] [-D {yes|no}]

Options

-e pwd_life
    Sets the keyring file password expiration time in days. The pwd_life value is 1 to 7200 (days). If not specified, a default value of 183 is used.

-l cert_life
    Sets the certificate expiration time in days. You can specify a cert_life value from 1 to 7300 (days). The default value is 365.

-t ssl_timeout
    Specifies the SSL session timeout in seconds. You can specify an ssl_timeout value from 1 to 86400 (seconds). The default value is 7200.

-D {yes|no}
    Specifies whether hosts can download the secure domain's CA certificate. If you specify no, you must copy or transfer the pdcacert.b64 file to subsequent hosts in order to configure a Tivoli Access Manager runtime. The default value is no.

Availability

This command is located in the following default installation directories:

• On UNIX systems: /opt/PolicyDirector/sbin/
• On Windows systems: c:\Program Files\Tivoli\Policy Director\sbin\


mgrsslcfg -modify

Modifies the current configuration.

Syntax

mgrsslcfg -modify [-e pwd_life] [-l cert_life] [-t ssl_timeout] [-D {yes|no}]

Options

-e pwd_life
    Sets the keyring file password expiration time in days. The pwd_life value is 1 to 7200 (days).

-l cert_life
    Sets the certificate expiration time in days. The range of values is 1 to 7300.

-t ssl_timeout
    Specifies the SSL session timeout in seconds. The ssl_timeout value must be in the range 1 to 86400.

-D {yes|no}
    Enables downloading of the secure domain's CA certificate. If no is specified, you must manually copy the pdcacert.b64 file to subsequent hosts before configuring the Tivoli Access Manager runtime component.

Availability

This command is located in the following default installation directories:

• On UNIX systems: /opt/PolicyDirector/sbin/
• On Windows systems: c:\Program Files\Tivoli\Policy Director\sbin\


pdbackup

Backs up, restores, and extracts Tivoli Access Manager data.

Syntax

pdbackup -action backup -list path_to_backup_list [-path path] [-file filename] [-usage] [-?]

pdbackup -action restore -file filename [-path path] [-usage] [-?]

pdbackup -action extract -file filename -path path [-usage] [-?]

Options

Note that you can shorten an option name, but the abbreviation must be unambiguous. For example, you can type a for action. However, values for options cannot be shortened.

-action [backup | restore | extract]
    Specifies whether to back up, restore, or extract data.

-list path_to_backup_list
    Specifies the fully qualified path to the backup list file, an ASCII file containing various stanzas. This option is required when using the -a backup option.

-path path
    Specifies one of the following:
    • If specified with the -a backup option, specifies the path where you want backed up files stored. If you do not specify a path when using the -a backup option, the default path is one of the following:
      – On UNIX systems, the default path is /var/PolicyDirector/pdbackup/
      – On Windows systems, the default path is runtime_dir\pdbackup\ where runtime_dir specifies the directory where the Tivoli Access Manager runtime environment is installed.
    • If specified with the -a restore option on UNIX systems only, indicates to restore archived files in the specified path. By default, the restore path is the directory used when backing up data. On Windows systems, the restore process does not support the -p option.
    • If specified with the -a extract option, specifies the directory name where you want extracted files stored. There is no default path. The -p option is required when using the -a extract option.

-file filename
    Specifies one of the following:
    • If specified with the -a backup option, specifies a file name other than the list_date.time[.tar|.dir] default file name.
    • If specified with the -a restore option, specifies the name and fully qualified path of the archive file to restore. There is no default path. This option is required when using the -a restore option.
    • If specified with the -a extract option, specifies the name and fully qualified path of the archive file to extract. There is no default path. This option is required when using the -a extract option.


-usage
    Displays pdbackup command usage.

-?
    Displays pdbackup command usage.

Comments

Use this command to back up and restore Tivoli Access Manager data.

Archived files are stored in one of the following ways:

• On UNIX systems, the archive is stored as a single .tar file in the /var/PolicyDirector/pdbackup default directory. The default file name is as follows:

  list_date.time.tar

  where list is the name specified by the -list option and date.time is the current date and timestamp of the archived file.

• On Windows systems, the archive is stored as a directory tree in the \runtime_environment_path\pdbackup default directory. A .dir extension is appended to the archive file or directory. Registry keys (.reg extensions) are stored at the base of the directory tree.

Files are restored in one of the following ways:

• On UNIX systems, archived files are restored to the root directory unless you specify the -path option, which enables you to restore files to a specific directory tree.

• On Windows systems, archived files are restored to their original directory. There is no -path option available.

You can also use this command during the upgrade process to extract files into a single directory (without a directory tree structure). Note that Windows registry keys are not updated with the -a extract option.

UNIX Examples

1. The following example performs a backup with default values:

   pdbackup -a backup -l /opt/PolicyDirector/etc/pdbackup.1st

   This results in a file named pdbackup.1st_date.time.tar, located in the /var/PolicyDirector/pdbackup directory.

2. The following example performs a backup, creating the default archive file in the /var/backup directory:

   pdbackup -a backup -l /opt/PolicyDirector/etc/pdbackup.1st -p /var/backup

   This results in a file named pdbackup.1st_date.time.tar, located in the /var/backup directory.

3. The following example performs a backup, creating a file named pdarchive.tar in the default path:

   pdbackup -a backup -list /opt/PolicyDirector/etc/pdbackup.1st -f pdarchive

   The default archive extension (.tar) is appended to the pdarchive file name. This file is stored in the /var/PolicyDirector/pdbackup directory.

4. The following example restores the archive file in the default location:

   pdbackup -a restore -f pdbackup.1st_29June2002.07_24.tar

5. The following example restores the archive file from the /var/pdback directory:

   pdbackup -a restore -f /var/pdback/pdbackup.1st_29Jun2002.07_25.tar

6. The following example restores the archive file from the /var/pdback directory to a directory named /pdtest:

   pdbackup -a restore -p pdtest -f /var/pdback/pdbackup.1st_29Jun2002.07_25.tar

7. The following example extracts the contents of an archive file to a directory named e:/pdextract. The -a extract option is used during the upgrade process.

   pdbackup -a extract -p e:\pdextract -f c:\pdbackup\pdbackup.1st_29Jun2002.07_25.tar

   If the pdextract directory does not exist, it is created. Note that all files in the archive file are copied to this single directory. No subdirectories are created.

Windows Examples

1. The following example performs a standard backup with default values:

   pdbackup -a backup -l base_dir\etc\pdbackup.1st

   This results in a file named pdbackup.1st_date.time.dir, located in the base_dir\pdbackup directory.

2. The following example performs a backup using the default archive file name and stores the file in the c:\pdback directory:

   pdbackup -a backup -l base_dir\etc\pdbackup.1st -path c:\pdback

3. The following example performs a backup using the default path with a file named pdarchive.dir:

   pdbackup -a backup -l base_dir\etc\pdbackup.1st -f pdarchive

   The default archive extension (.dir) is applied to the pdarchive file name. The file is stored in the base_dir\pdbackup directory.

4. The following example performs a backup to the \pdback directory on the F drive:

   pdbackup -a backup -l pdbackup.1st -p f:\pdback

5. The following example restores the archive file from the default directory:

   pdbackup -a restore -f base_dir\etc\pdbackup.1st_29Jun2002.07_24.dir

6. The following example restores files from the c:\pdbackup directory:

   pdbackup -a restore -f h:\pdbackup\pdbackup.1st_29Jun2002.07_25.dir

7. The following example extracts the contents of an archive to the e:\pdextract directory from the c:\pdback directory:

   pdbackup -a extract -p e:\pdextract -f c:\pdback\pdbackup.1st_29Jun2002.07_25.dir

Availability

This command is located in the following default installation directories:

• On UNIX systems: /opt/PolicyDirector/bin/
• On Windows systems: c:\Program Files\Tivoli\Policy Director\bin\


pdconfig

Presents the user with an interactive menu to configure and unconfigure Tivoli Access Manager components, with the exception of the Tivoli Access Manager Java runtime component, which uses "pdjrtecfg" on page 105. See the IBM Tivoli Access Manager Base Installation Guide for instructions on how to use this utility.

Syntax

pdconfig

Availability

This command is located in the following default installation directories:

• On UNIX systems: /opt/PolicyDirector/bin/
• On Windows systems: c:\Program Files\Tivoli\Policy Director\bin\


pdjrtecfg

Configures the Tivoli Access Manager Java runtime environment.

Syntax

pdjrtecfg -action config [-java_home jre_path] [-rspfile filename]

pdjrtecfg -action unconfig -java_home {all | jre_path} [-rspfile filename] [-remove_common_jars {yes|no}]

pdjrtecfg [-operations] [-usage] [-?] [-help]

Options

-action {config | unconfig}
    Specifies whether to configure or unconfigure the Tivoli Access Manager Java runtime environment.

-help
    Prints options available for use with the pdjrtecfg command.

-java_home jre_path
    Specifies the fully qualified path to the Java Runtime Environment (that is, the directory ending in JRE). For example: c:\Program Files\IBM\JAVA13\JRE

    During unconfiguration (-action unconfig), you can use the all suboption, which unconfigures all configured JREs. During configuration (-action config), the jre_path variable is not required. If a path is not specified, the current JRE (specified in the path) is used.

-remove_common_jars {yes | no}
    During unconfiguration only, specifies whether to delete (yes) or not to delete (no) other IBM-related jars, such as logging and security jar files.

-operations
    Prints out all the valid command line options for this program.

-rspfile filename
    Specifies to use a response file named filename. There is no default response file name.

-usage
    Prints out the usage information for this program.

-?
    Prints the usage information for this program.

Comments

This command copies Tivoli Access Manager-specific Java libraries to a library extensions directory that belongs to the generic Java product that is already installed on the system (typically Sun or IBM).

Using this command does not overwrite Jar files that already exist in the jre_home\lib\ext directory, except the PD.jar file, which is overwritten if the file exists.

You can have more than one JRE installed on a given machine. The pdjrtecfg command can be used to configure the Tivoli Access Manager runtime for each of the JREs.


Make sure you use the pdjrtecfg batch or script file and not the pdjrtecfg Java class directory. Developers choose to install the Tivoli Access Manager Java runtime environment because they have a plan in place to run one or more Java applications and want to make Tivoli Access Manager security available for those applications to use.

Examples

1. The following example configures the Tivoli Access Manager Java runtime environment:

   pdjrtecfg -action config -java_home E:\apps\IBM\Java131\jre

2. The following example unconfigures the Tivoli Access Manager Java runtime environment:

   pdjrtecfg -action unconfig -java_home E:\apps\IBM\Java131\jre -remove_common_jars yes

Availability

This command is located in the following default installation directories:

• On UNIX systems: /opt/PolicyDirector/sbin/
• On Windows systems: c:\Program Files\Tivoli\Policy Director\sbin\


pd_start

Use to manually stop, start, and restart servers on UNIX systems. Also displays server status.

Syntax

pd_start {restart | start | status | stop}

Options

start
    Starts all Tivoli Access Manager servers not currently running on the local system.

stop
    Stops all Tivoli Access Manager servers currently running on the local system.

restart
    Restarts all configured Tivoli Access Manager servers.

status
    Displays the state of all configured Tivoli Access Manager servers (running or stopped).

Comments

Server processes are normally enabled and disabled through automated scripts that run at system startup and shutdown. In a UNIX environment, you can also use the pd_start script to manually start and stop the server processes. This technique is useful when you need to customize an installation or when you need to perform troubleshooting tasks. You can only use pd_start to run scripts on the local machine. However, you can use the Web Portal Manager interface to stop and start servers remotely.

Availability

This command is located in the following default installation directory on UNIX systems: /opt/PolicyDirector/bin/


pdversion

Lists the current version of Tivoli Access Manager components installed on the system.

Syntax

pdversion [–key key1, key2... ] [–separator delimiter_character]

Options

key
    Specifies the component for which the current version will be presented. Possible values are as follows:

    • PDRTE
    • PDMgr
    • PDWPM
    • PDAcld
    • PDJrte
    • PDAuthADK

Example

The following example lists Tivoli Access Manager components and indicates the version number for any components installed on the current system:

   pdversion

   IBM Tivoli Access Manager Runtime 4.1.0.0
   IBM Tivoli Access Manager Policy Server 4.1.0.0
   IBM Tivoli Access Manager Web Portal Manager Not Installed
   IBM Tivoli Access Manager Application Developer Kit 4.1.0.0
   IBM Tivoli Access Manager Authorization Server 4.1.0.0
   IBM Tivoli Access Manager Java Runtime Environment Not Installed
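The pdversion output has a fixed shape (a component name followed by either a version string or the words Not Installed), which makes it easy to turn into an inventory check, for instance to confirm that every installed component on a host is at one level before a fix pack is applied, or to list which components are absent. The POSIX shell functions below are an added example and are not part of the IBM reference; the sample output they parse is constructed to match the example above, and the level 4.1.0.0 that the usage checks for is simply the one shown there.

```shell
#!/bin/sh
# Constructed sample of pdversion output, modelled on the example in this
# reference; it is not captured from a real system.
SAMPLE_PDVERSION_OUTPUT='IBM Tivoli Access Manager Runtime 4.1.0.0
IBM Tivoli Access Manager Policy Server 4.1.0.0
IBM Tivoli Access Manager Web Portal Manager Not Installed
IBM Tivoli Access Manager Application Developer Kit 4.1.0.0
IBM Tivoli Access Manager Authorization Server 4.1.0.0
IBM Tivoli Access Manager Java Runtime Environment Not Installed'

# Read pdversion-style output on stdin and print "component<TAB>version" for
# every line whose last field looks like a dotted version number.
installed_components() {
    awk '$NF ~ /^[0-9]+(\.[0-9]+)+$/ {
        ver = $NF
        $NF = ""
        sub(/ +$/, "", $0)
        print $0 "\t" ver
    }'
}

# Read pdversion-style output on stdin and print the names of components
# that report "Not Installed".
missing_components() {
    awk '/ Not Installed$/ { sub(/ Not Installed$/, "", $0); print $0 }'
}

count_installed() { installed_components | awk 'END { print NR }'; }
count_missing()   { missing_components   | awk 'END { print NR }'; }

# Exit 0 if every installed component is at the expected level, otherwise
# print one DRIFT line per mismatch and exit 1.
check_version_drift() {
    expected="$1"
    installed_components | awk -F '\t' -v want="$expected" '
        $2 != want { print "DRIFT: " $1 " is " $2 ", expected " want; bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

# Usage against the constructed sample; on a real host replace the printf
# with the pdversion command itself, e.g. pdversion | check_version_drift 4.1.0.0
printf '%s\n' "$SAMPLE_PDVERSION_OUTPUT" | missing_components
printf '%s\n' "$SAMPLE_PDVERSION_OUTPUT" | check_version_drift 4.1.0.0
```

Because the functions only read standard input, the same code works on the live command (`pdversion | missing_components`) and on output saved from several hosts, which is the usual way to spot a machine whose runtime was left behind after an upgrade.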

Availability

This command is located in the following default installation directories:

• On UNIX systems: /opt/PolicyDirector/sbin/
• On Windows systems: c:\Program Files\Tivoli\Policy Director\sbin\


svrsslcfg –add_replica

Adds a database replica.

Syntax

svrsslcfg –add_replica –f cfg_file –h host_name [–p server_port] [–k replica_rank]

Options

–f cfg_file
    Specifies the configuration file path and name.

–h host_name
    Specifies the TCP host name of an authorization server replica.

–p server_port
    Specifies the port number on which the replica server listens for requests. The default value is 7136.

–k replica_rank
    Specifies the replica order of preference among other replicas. The default value is 10.

Availability

This command is located in the following default installation directories:

• On UNIX systems: /opt/PolicyDirector/bin/
• On Windows systems: c:\Program Files\Tivoli\Policy Director\bin\


svrsslcfg –chg_replica

Changes replica options. The replica host name is used to identify the replica and cannot be changed by this action.

Syntax

svrsslcfg –chg_replica –f cfg_file –h host_name [–p server_port] [–k replica_rank]

Options

–f cfg_file
    Specifies the configuration file path and name.

–h host_name
    Specifies the TCP host name of an authorization server replica.

–p server_port
    Specifies the port number on which the replica server listens for requests.

–k replica_rank
    Specifies the replica order of preference among other replicas.

Availability

This command is located in the following default installation directories:

• On UNIX systems: /opt/PolicyDirector/bin/
• On Windows systems: c:\Program Files\Tivoli\Policy Director\bin\


svrsslcfg –chgcert

Renews the server’s SSL certificate.

Syntax

svrsslcfg –chgcert –f cfg_file –n server_name [–P admin_pwd] [–A admin_id]

Options

–f cfg_file
    Specifies the configuration file path and name.

–n server_name
    Specifies the name of the server. The name may be specified as either server_name/host_name or server_name, in which case the local host name is appended to form server_name/host_name.

–P admin_pwd
    Specifies the Tivoli Access Manager administrator password. If this option is not specified, the password is read from standard input.

–A admin_id
    Specifies the Tivoli Access Manager administrator name. The default is sec_master.

Comments

Stop the policy server before running this command.

Availability

This command is located in the following default installation directories:

• On UNIX systems: /opt/PolicyDirector/bin/
• On Windows systems: c:\Program Files\Tivoli\Policy Director\bin\


svrsslcfg –chgport

Changes the listening port number.

Syntax

svrsslcfg –chgport –f cfg_file –r port_number

Options

–f cfg_file
    Specifies the configuration file path and name.

–r port_number
    Sets the listening port number for the server. A value of 0 may be specified only if the [aznapi-admin-services] stanza in the configuration file is empty.

Comments

Stop the Tivoli Access Manager policy server before running this command.

Availability

This command is located in the following default installation directories:

• On UNIX systems: /opt/PolicyDirector/bin/
• On Windows systems: c:\Program Files\Tivoli\Policy Director\bin\


svrsslcfg –chgpwd

Changes the keyring file password.

Syntax

svrsslcfg –chgpwd –f cfg_file –e pwd_life

Options

–f cfg_file
    Specifies the configuration file path and name.

–e pwd_life
    Sets the keyring file password expiration time in days. The pwd_life value is 1 to 7200 (days). To use the currently configured value, specify 0.

Comments

Stop the Tivoli Access Manager policy server before running this command.

Availability

This command is located in the following default installation directories:

• On UNIX systems: /opt/PolicyDirector/bin/
• On Windows systems: c:\Program Files\Tivoli\Policy Director\bin\


svrsslcfg –config

Performs full configuration of a server.

Syntax

svrsslcfg –config –f cfg_file –d kdb_dir –n server_name –s server_type –r port_number –P admin_pwd [–S server_pwd] [–A admin_id] [–t ssl_timeout] [–e pwd_life] [–l listening_mode] [–a refresh_mode] [–C cert_file] [–h host_name]

Options

–f cfg_file
    Specifies the configuration file path and name.

–d kdb_dir
    Specifies the directory that is to contain the keyring database files for the server.

–n server_name
    Specifies the name of the server. The name may be specified as either server_name/host_name or server_name, in which case the local host name is appended to form server_name/host_name. Note that the names ivacld, secmgrd, ivnet, and ivweb are reserved for Tivoli Access Manager servers.

–s server_type
    Specifies the type of server being configured. The value must be either local or remote.

–r port_number
    Sets the listening port number for the server. This is a required option. A value of 0 may be specified only if the [aznapi-admin-services] stanza in the configuration file is empty.

–P admin_pwd
    Specifies the Tivoli Access Manager administrator password. This is a required option. If this option is not specified, the password is read from standard input.

–S server_pwd
    Specifies the server’s password. This option is required. However, you can request that a password be created by the system by specifying a dash (–) for the password. If this option is used, the configuration file is updated with the password created by the system. If the user registry type is LDAP and a password is specified, it is saved in the configuration file. If this option is absent, the server password is read from standard input.

–A admin_id
    Specifies the Tivoli Access Manager administrator name. If this option is not specified, sec_master is the default.

–t ssl_timeout
    Specifies the SSL session timeout in seconds. The ssl_timeout value must be in the range 1–86400. The default value is 7200.

–e pwd_life
    Sets the keyring file password expiration time in days. The pwd_life value is 1 to 7200 (days). To use the currently configured value, specify 0.

–l listening_mode
    Sets the listening-enabled flag in the configuration file. The value of this option must be yes or no. If not specified, the default is no. A value of yes requires that the –r option have a non-zero value.

–a refresh_mode
    Sets the certificate and keyring file password auto-refresh enabled flag in the configuration file. The default value is yes.

–C cert_file
    Specifies the fully qualified name of the file containing the base-64 encoded SSL certificate used when the server authenticates directly with the user registry.


–h host_name
    Specifies the TCP host name of the policy server. This name is saved in the configuration file using the azn-app-host key.
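The option descriptions above carry several constraints that svrsslcfg –config only reports once it is run against the policy server: reserved server names, the local/remote choice, the 1 to 86400 ssl_timeout range, the 0 or 1 to 7200 pwd_life range, and the rule that listening_mode yes needs a non-zero port. A wrapper that checks them first, and that deliberately leaves out –P and –S so that svrsslcfg reads both passwords from standard input as the reference describes rather than exposing them on the command line, is shown below as an added example; it is not part of the IBM reference and does not invoke svrsslcfg, it prints the command line it would run. The path /opt/PolicyDirector/bin/svrsslcfg is the UNIX default this reference lists, and the file names and server names in the usage are constructed. The check that port 0 is allowed only when the [aznapi-admin-services] stanza is empty needs the configuration file and is not performed here.

```shell
#!/bin/sh
# Added example: validate svrsslcfg -config arguments before calling the tool.
# The default path is the UNIX location given in the reference; override with
# the SVRSSLCFG environment variable if the binary lives elsewhere.
SVRSSLCFG=${SVRSSLCFG:-/opt/PolicyDirector/bin/svrsslcfg}

# True if the argument is a non-empty string of decimal digits.
is_int() { case "$1" in ''|*[!0-9]*) return 1;; *) return 0;; esac; }

# The reference reserves these server names for Tivoli Access Manager's own
# servers; the part before any "/host_name" suffix is what is compared.
is_reserved_name() {
    case "${1%%/*}" in ivacld|secmgrd|ivnet|ivweb) return 0;; *) return 1;; esac
}

# Usage: validate_config cfg_file kdb_dir server_name server_type port_number \
#                        ssl_timeout pwd_life listening_mode
# Prints the first violated constraint and returns 1; returns 0 when all pass.
validate_config() {
    cfg=$1 kdb=$2 name=$3 type=$4 port=$5 timeout=$6 life=$7 listen=$8
    [ -n "$cfg" ] && [ -n "$kdb" ] && [ -n "$name" ] \
        || { echo "cfg_file, kdb_dir and server_name are required"; return 1; }
    is_reserved_name "$name" \
        && { echo "server name $name is reserved for Tivoli Access Manager servers"; return 1; }
    case "$type" in local|remote) ;; *) echo "server_type must be local or remote"; return 1;; esac
    is_int "$port" || { echo "port_number must be numeric"; return 1; }
    is_int "$timeout" && [ "$timeout" -ge 1 ] && [ "$timeout" -le 86400 ] \
        || { echo "ssl_timeout must be in the range 1-86400"; return 1; }
    is_int "$life" && [ "$life" -ge 0 ] && [ "$life" -le 7200 ] \
        || { echo "pwd_life must be 0 (keep current) or 1-7200"; return 1; }
    case "$listen" in yes|no) ;; *) echo "listening_mode must be yes or no"; return 1;; esac
    [ "$listen" = yes ] && [ "$port" -eq 0 ] \
        && { echo "listening_mode yes requires a non-zero port_number"; return 1; }
    return 0
}

# Print the command line that would be run, or nothing and return 1 if the
# arguments fail validation. -P and -S are intentionally absent: without them
# svrsslcfg prompts on standard input, which keeps the administrator and server
# passwords out of the process list and the shell history.
build_config_cmd() {
    validate_config "$@" >/dev/null || return 1
    printf '%s -config -f %s -d %s -n %s -s %s -r %s -t %s -e %s -l %s\n' \
        "$SVRSSLCFG" "$1" "$2" "$3" "$4" "$5" "$6" "$7" "$8"
}

# Usage with constructed values: a remote application server listening on 7137.
build_config_cmd /tmp/myapp.conf /tmp/myapp-keys myapp/host1 remote 7137 7200 183 yes
# A rejected call: ivacld is reserved.
validate_config /tmp/myapp.conf /tmp/myapp-keys ivacld local 7137 7200 183 yes
```

To run the configuration for real, execute the printed line (for example with `eval "$(build_config_cmd ...)"`) from an interactive session so that the password prompts reach a terminal, and remember from the Comments of the related subcommands that the policy server must be stopped for –chgcert, –chgport, –chgpwd and –modify, which this wrapper does not check.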

Availability

This command is located in the following default installation directories:

• On UNIX systems: /opt/PolicyDirector/bin/
• On Windows systems: c:\Program Files\Tivoli\Policy Director\bin\


svrsslcfg –modify

Modifies the current configuration.

Syntax

svrsslcfg –modify –f cfg_file [–t ssl_timeout] [–C cert_file] [–l listening_mode]

Options

–f cfg_file
    Specifies the configuration file path and name.

–t ssl_timeout
    Specifies the SSL session timeout in seconds. The ssl_timeout value must be in the range 1–86400.

–C cert_file
    Specifies the fully qualified name of the file containing the base-64 encoded SSL certificate used when the server authenticates directly with the user registry.

–l listening_mode
    Sets the listening-enabled flag in the configuration file. Values are yes and no. A value of yes requires that the listening port number in the configuration file be non-zero.

Comments

Stop the Tivoli Access Manager policy server before running this command.

Availability

This command is located in the following default installation directories:

• On UNIX systems: /opt/PolicyDirector/bin/
• On Windows systems: c:\Program Files\Tivoli\Policy Director\bin\


svrsslcfg –rmv_replica

Removes a replica configuration.

Syntax

svrsslcfg –rmv_replica –f cfg_file –h host_name

Options

–f cfg_file
    Specifies the configuration file path and name.

–h host_name
    Specifies the TCP host name of an authorization server replica.

Availability

This command is located in the following default installation directories:

• On UNIX systems: /opt/PolicyDirector/bin/
• On Windows systems: c:\Program Files\Tivoli\Policy Director\bin\


svrsslcfg –unconfig

Unconfigures the server. The key ring files are deleted and the server is removed from the user registry and the Tivoli Access Manager database.

Syntax

svrsslcfg –unconfig –f cfg_file –n server_name [–P admin_pwd] [–A admin_id]

Options

–f cfg_file
    Specifies the configuration path and file name.

–n server_name
    Specifies the name of the server. You can specify the name as either server_name/host_name or server_name, in which case the local host name is appended to form server_name/host_name. Note that the ivacld, secmgrd, ivnet, and ivweb server names are reserved for Tivoli Access Manager servers.

–P admin_pwd
    Specifies the Tivoli Access Manager administrator password. If this option is not specified, the password is read from standard input (stdin).

–A admin_id
    Specifies the Tivoli Access Manager administrator name. The default is sec_master.

Authorization

This command fails only if you are not authorized to run the command or the policy server could not be contacted. This command is designed to clean up partial or damaged configurations, so errors for missing or invalid information are not reported.

Comments

Stop the server application before running this command.

Availability

This command is located in the following default installation directories:

• On UNIX systems: /opt/PolicyDirector/bin/
• On Windows systems: c:\Program Files\Tivoli\Policy Director\bin\


Appendix. Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user’s responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.


Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM’s future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM’s application programming interfaces.

Each copy or any portion of these sample programs or any derivative work, must include a copyright notice as follows:

© (your company name) (year). Portions of this code are derived from IBM Corp. Sample Programs. © Copyright IBM Corp. _enter the year or years_. All rights reserved.


If you are viewing this information softcopy, the photographs and color illustrations may not appear.

Trademarks

The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both:

AIX
DB2
IBM
IBM logo
OS/390
SecureWay
Tivoli
Tivoli logo
Universal Database
WebSphere
zSeries
z/OS

Lotus and Domino are trademarks of International Business Machines Corporation and Lotus Development Corporation in the United States, other countries, or both.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.

Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Other company, product, or service names may be trademarks or service marks of others.


Glossary

A

access control. In computer security, the process of ensuring that the resources of a computer system can be accessed only by authorized users in authorized ways.

access control groups. Groups to be used for access control. Each group contains a multivalued attribute consisting of member distinguished names. Access control groups have an object class of AccessGroup.

access control list. (1) (2) In computer security, a list that is associated with an object that identifies all the subjects that can access the object and their access rights. For example, an access control list is a list that is associated with a file that identifies the users who can access the file and identifies the users’ access rights to that file.

access permission. The access privilege that applies to the entire object, or permissions that apply to attribute access classes.

action. An access control list (ACL) permission attribute.

ACL. See access control list.

administration service. An authorization API runtime plug-in that can be used to perform administration requests on an Access Manager resource manager application. The admin service will respond to remote requests from the pdadmin command to perform tasks such as listing the objects under a particular node in the protected object tree. Customers may develop these services using the Authorization ADK.

attribute list. In Tivoli Access Manager, a linked list that contains extended information that is used to make authorization decisions. Attribute lists consist of a set of keyword = value pairs.

authentication. (1) In computer security, verification of the identity of a user or the user’s eligibility to access an object. (2) In computer security, verification that a message has not been altered or corrupted. (3) In computer security, a process that is used to verify the user of an information system or of protected resources. See also multi-factor authentication, network-based authentication, and step-up authentication.

authorization. (1) In computer security, the right granted to a user to communicate with or make use of a computer system. (2) The process of granting a user either complete or restricted access to an object, resource, or function.

authorization service plug-in. A dynamically loadable library (DLL or shared library) that can be loaded by the Access Manager authorization API runtime client at initialization time in order to perform operations that extend a service interface within the Authorization API. The service interfaces that are currently available include Administration, External Authorization, Credentials modification, Entitlements and PAC manipulation interfaces. Customers may develop these services using the Authorization ADK.

B

BA. See basic authentication.

basic authentication. A method of authentication that requires the user to enter a valid user name and password before access to a secure online resource is granted.

bind. To relate an identifier to another object in a program; for example, to relate an identifier to a value, an address or another identifier, or to associate formal parameters and actual parameters.

blade. A component that provides application-specific services and components.

business entitlement. The supplemental attributes of a user credential that describe the fine-grained conditions that can be used in the authorization requests for resources.

C

CA. See certificate authority.

CDAS. See Cross Domain Authentication Service.

CDMF. See Cross Domain Mapping Framework.

certificate. In computer security, a digital document that binds a public key to the identity of the certificate owner, thereby enabling the certificate owner to be authenticated. A certificate is issued by a certificate authority.

certificate authority (CA). In e-commerce, an organization that issues certificates. The certificate authority authenticates the certificate owner’s identity and the services that the owner is authorized to use, issues new certificates, renews existing certificates, and revokes certificates belonging to users who are no longer authorized to use them.

CGI. See common gateway interface.


cipher. Encrypted data that is unreadable until it has been converted into plain data (decrypted) with a key.

common gateway interface (CGI). A computer program that runs on a Web server and uses the Common Gateway Interface (CGI) to perform tasks that are not usually done by a Web server (for example, database access and form processing). A CGI script is a CGI program that is written in a scripting language such as Perl.

configuration. (1) The manner in which the hardware and software of an information processing system are organized and interconnected. (2) The devices and programs that make up a system, subsystem, or network.

connection. (1) In data communication, an association established between functional units for conveying information. (2) In TCP/IP, the path between two protocol applications that provides reliable data stream delivery service. In the Internet, a connection extends from a TCP application on one system to a TCP application on another system. (3) In system communications, a line over which data can be passed between two systems or between a system and a device.

container object. A structural designation that organizes the object space into distinct functional regions.

cookie. Information that a server stores on a client machine and accesses during subsequent sessions. Cookies allow servers to remember specific information about clients.

credentials. Detailed information, acquired during authentication, that describes the user, any group associations, and other security-related identity attributes. Credentials can be used to perform a multitude of services, such as authorization, auditing, and delegation.

credentials modification service. An authorization API runtime plug-in which can be used to modify an Access Manager credential. Credentials modification services developed externally by customers are limited to performing operations to add and remove from the credentials attribute list, and only to those attributes that are considered modifiable.

cross domain authentication service (CDAS). A WebSEAL service that provides a shared library mechanism that allows you to substitute the default WebSEAL authentication mechanisms with a custom process that returns a Tivoli Access Manager identity to WebSEAL. See also WebSEAL.

cross domain mapping framework (CDMF). A programming interface that allows a developer to customize the mapping of user identities and the handling of user attributes when the WebSEAL e-Community SSO function is used.

D

daemon. A program that runs unattended to perform a standard service. Some daemons are triggered automatically to perform their task; others operate periodically.

directory schema. The valid attribute types and object classes that can appear in a directory. The attribute types and object classes define the syntax of the attribute values, which attributes must be present, and which attributes may be present for the directory.

distinguished name (DN). The name that uniquely identifies an entry in a directory. A distinguished name is made up of attribute:value pairs, separated by commas.

digital signature. In e-commerce, data that is appended to, or is a cryptographic transformation of, a data unit and that enables the recipient of the data unit to verify the source and integrity of the unit and to recognize potential forgery.

DN. See distinguished name.

domain. (1) That part of a computer network in which the data processing resources are under common control. (2) See domain name.

domain name. In the Internet suite of protocols, a name of a host system. A domain name consists of a sequence of subnames separated by a delimiter character. For example, if the fully qualified domain name of a host system is ralvm7.vnet.ibm.com, each of the following is a domain name:

• ralvm7.vnet.ibm.com
• vnet.ibm.com
• ibm.com

E

EAS. See External Authorization Service.

encryption. In computer security, the process of transforming data into an unintelligible form in such a way that the original data either cannot be obtained or can be obtained only by using a decryption process.

entitlement. A data structure that contains externalized security policy information. Entitlements contain policy data or capabilities that are formatted in a way that is understandable to a specific application.

entitlements service. An authorization API runtime plug-in which can be used to return entitlements from an external source for a principal or set of conditions. Entitlements are normally application specific data that will be consumed by the resource manager application in some way or added to the principal’s credentials for use further on in the authorization process. Customers may develop these services using the Authorization ADK.

external authorization service. An authorization APIruntime plug-in that can be used to make applicationor environment specific authorization decisions as partof the Access Manager authorization decision chain.Customers may develop these services using theAuthorization ADK.

Ffile transfer protocol (FTP). In the Internet suite ofprotocols, an application layer protocol that usesTransmission Control Protocol (TCP) and Telnetservices to transfer bulk-data files between machines orhosts.

Gglobal signon (GSO). A flexible single signon solutionthat enables the user to provide alternative user namesand passwords to the back-end Web application server.Global signon grants users access to the computingresources they are authorized to use — through asingle login. Designed for large enterprises consistingof multiple systems and applications withinheterogeneous, distributed computing environments,GSO eliminates the need for users to manage multipleuser names and passwords. See also single signon.

GSO. See global signon.

H

host. A computer that is connected to a network (such as the Internet or an SNA network) and provides an access point to that network. Also, depending on the environment, the host may provide centralized control of the network. The host can be a client, a server, or both a client and a server simultaneously.

HTTP. See Hypertext Transfer Protocol.

hypertext transfer protocol (HTTP). In the Internet suite of protocols, the protocol that is used to transfer and display hypertext documents.

I

Internet protocol (IP). In the Internet suite of protocols, a connectionless protocol that routes data through a network or interconnected networks and acts as an intermediary between the higher protocol layers and the physical network.

Internet suite of protocols. A set of protocols developed for use on the Internet and published as Requests for Comments (RFCs) through the Internet Engineering Task Force (IETF).

interprocess communication (IPC). A method for allowing a program to handle many user requests at the same time via the creation and management of individual program processes running concurrently in an operating system.

IP. See Internet Protocol.

IPC. See Interprocess Communication.

J

junction. An HTTP or HTTPS connection between a front-end WebSEAL server and a back-end Web application server. Junctions logically combine the Web space of the back-end server with the Web space of the WebSEAL server, resulting in a unified view of the entire Web object space. A junction allows WebSEAL to provide protective services on behalf of the back-end server. WebSEAL performs authentication and authorization checks on all requests for resources before passing those requests across a junction to the back-end server. Junctions also allow a variety of single signon solutions between a client and the junctioned back-end application.

K

key. In computer security, a sequence of symbols that is used with a cryptographic algorithm for encrypting or decrypting data. See private key and public key.

key database file. See key ring.

key file. See key ring.

key pair. In computer security, a public key and a private key. When the key pair is used for encryption, the sender uses the public key to encrypt the message, and the recipient uses the private key to decrypt the message. When the key pair is used for signing, the signer uses the private key to encrypt a representation of the message, and the recipient uses the public key to decrypt the representation of the message for signature verification.

key ring. In computer security, a file that contains public keys, private keys, trusted roots, and certificates.

L

LDAP. See Lightweight Directory Access Protocol.

lightweight directory access protocol (LDAP). An open protocol that (a) uses TCP/IP to provide access to directories that support an X.500 model and (b) does not incur the resource requirements of the more complex X.500 Directory Access Protocol (DAP). Applications that use LDAP (known as directory-enabled applications) can use the directory as a common data store and for retrieving information about people or services, such as e-mail addresses, public keys, or service-specific configuration parameters. LDAP was originally specified in RFC 1777. LDAP version 3 is specified in RFC 2251, and the IETF continues work on additional standard functions. Some of the IETF-defined standard schemas for LDAP are found in RFC 2256.

lightweight third party authentication (LTPA). An authentication framework that allows single signon across a set of Web servers that fall within an Internet domain.

LTPA. See lightweight third party authentication.

M

management server. Obsolete. See policy server.

metadata. Data that describes the characteristics of stored data.

migration. The installation of a new version or release of a program to replace an earlier version or release.

multi-factor authentication. A protected object policy (POP) that forces a user to authenticate using two or more levels of authentication. For example, the access control on a protected resource can require that the users authenticate with both user name/password and user name/token passcode. See also protected object policy.

multiplexing proxy agent (MPA). A gateway that accommodates multiple client access. These gateways are sometimes known as Wireless Access Protocol (WAP) gateways when clients access a secure domain using a WAP. Gateways establish a single authenticated channel to the origin server and "tunnel" all client requests and responses through this channel.

N

network-based authentication. A protected object policy (POP) that controls access to objects based on the internet protocol (IP) address of the user. See also protected object policy.

P

PAC. See privilege attribute certificate.

permission. The ability to access a protected object such as a file or directory. The number and meaning of permissions for an object are defined by the access control list.

policy. A set of rules that are applied to managed resources.

policy data. Includes both password strength policy data and login data.

policy server. The Tivoli Access Manager server that maintains the location information about other servers in the secure domain.

polling. A channel access method (CAM) protocol where a request for data is made. In a master/slave scenario, the master queries each slave device in turn as to whether it has any data to transmit. If the slave answers yes then the device is permitted to transmit its data. If the slave answers no then the master moves on and polls the next slave device. The process is repeated continuously. For Tivoli Access Manager, the WebSEAL server can be configured to regularly poll the master authorization (policy) database for update information.

POP. See protected object policy.

portal. An integrated Web site that dynamically produces a customized list of Web resources, such as links, content, or services, available to a specific user, based on the access permissions for the particular user.

privilege attribute certificate. Describes a container of data, defined externally to the Tivoli Access Manager secure domain, that contains a principal's authentication and authorization attributes as well as capabilities.

privilege attribute certificate service. (1) In Tivoli Access Manager, the privilege attribute certificate service is used to encode or decode a Tivoli Access Manager credential to or from a format that is transmissible in a text-only environment. The format is a combination of ASN.1 and MIME encoding. The service is built into the Tivoli Access Manager authorization API. (2) An authorization API runtime client plug-in which translates a PAC of a predetermined format into an Access Manager credential, and vice versa. These services could also be used to package or marshal an Access Manager credential for transmission to other members of the secure domain. Customers may develop these services using the Authorization ADK.

protected object policy (POP). A type of security policy that dictates additional conditions for accessing a protected resource after a successful ACL policy check. Examples of POPs include time-of-day access and quality of protection level.

protected object space. The virtual object representation of actual system resources that is used for applying ACLs and POPs and used by the authorization service.

private key. In computer security, a key that is known only to its owner. Contrast with public key.


public key. In computer security, a key that is made available to everyone. Contrast with private key.

Q

quality of protection. The level of data security, determined by a combination of authentication, integrity, and privacy conditions.

R

registry. (1) The datastore that maintains the account information for users and groups that are allowed to participate in the secure domain. (2) A database that contains system configuration information regarding the user, the hardware, and the programs and applications that are installed.

replica. A server that contains a copy of the directory or directories of another server. Replicas back up servers in order to enhance performance or response times and to ensure data integrity.

resource object. The representation of an actual network resource, such as a service, file, or program.

response file. A file that contains a set of predefined answers to questions asked by a program and that is used instead of entering those values one at a time.

role activation. The process of applying the access permissions to a role.

role assignment. The process of assigning a role to a user, such that the user has the appropriate access permissions for the object defined for that role.

routing file. An ASCII file that contains commands that control the configuration of messages.

RSA encryption. A system for public-key cryptography used for encryption and authentication. It was invented in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman. The system's security depends on the difficulty of factoring the product of two large prime numbers.

run time. The time period during which a computer program is executing. A runtime environment is an execution environment.

S

scalability. The ability of a network system to respond to increasing numbers of users who access resources.

schema. The set of statements, expressed in a data definition language, that completely describe the structure of a database.

secure domain. The group of users, systems, and resources that share common services and usually function with a common purpose.

secure sockets layer (SSL). A security protocol that provides communication privacy. SSL enables client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, and message forgery. SSL was developed by Netscape Communications Corp. and RSA Data Security, Inc.

security management. The management discipline that addresses an organization's ability to control access to applications and data that are critical to its success.

self-registration. The process by which a user can enter required data and become a registered Tivoli Access Manager user, without the involvement of an administrator.

service. Work performed by a server. A service can be a simple request for data to be sent or stored (as with file servers, HTTP servers, e-mail servers, and finger servers), or it can be more complex work such as that of print servers or process servers.

silent installation. An installation that does not send messages to the console but instead stores messages and errors in log files. Also, a silent installation can use response files for data input. See also response file.

single signon (SSO). The ability of a user to log on once and access multiple applications without having to log on to each application separately. See also global signon.

SSL. See Secure Sockets Layer.

SSO. See Single Signon.

step-up authentication. A protected object policy (POP) that relies on a preconfigured hierarchy of authentication levels and enforces a specific level of authentication according to the policy set on a resource. The step-up authentication POP does not force the user to authenticate using multiple levels of authentication to access any given resource but requires the user to authenticate at a level at least as high as that required by the policy protecting a resource.

suffixes. A distinguished name that identifies the top entry in a locally held directory hierarchy. Because of the relative naming scheme used in Lightweight Directory Access Protocol (LDAP), this suffix applies to every other entry within that directory hierarchy. A directory server can have multiple suffixes, each identifying a locally held directory hierarchy.

T

Tivoli Access Manager for Business Integration. A Tivoli Access Manager blade, which provides comprehensive security services for IBM MQSeries. It extends the MQSeries environment to support end-to-end security across queues.

Tivoli Access Manager for Operating Systems. A Tivoli Access Manager blade, which provides the security engine for the Tivoli Identity Director product. The security engine intercepts operating system calls requiring authorization checks, such as for file access.

token. (1) In a local area network, the symbol of authority passed successively from one data station to another to indicate the station temporarily in control of the transmission medium. Each data station has an opportunity to acquire and use the token to control the medium. A token is a particular message or bit pattern that signifies permission to transmit. (2) In local area networks (LANs), a sequence of bits passed from one device to another along the transmission medium. When the token has data appended to it, it becomes a frame.

trusted root. In the Secure Sockets Layer (SSL), the public key and associated distinguished name of a certificate authority (CA).

U

uniform resource identifier (URI). The method used to identify the locations of content on the Internet. The URL (uniform resource locator) is a particular form of a URI that identifies a Web page address. A URI typically describes (a) the mechanism used to access the resource (for example, HTTP, HTTPS, FTP), (b) the specific computer where the resource is stored (for example, www.webserver.org), and (c) the specific name of the resource on the computer (for example, /products/images/serv.jpg).

uniform resource locator (URL). A sequence of characters that represent information resources on a computer or in a network such as the Internet. This sequence of characters includes (a) the abbreviated name of the protocol used to access the information resource and (b) the information used by the protocol to locate the information resource. For example, in the context of the Internet, these are abbreviated names of some protocols used to access various information resources: http, ftp, gopher, telnet, and news; and this is the URL for the IBM home page: http://www.ibm.com.

URI. See uniform resource identifier.

URL. See uniform resource locator.

user. Any person, organization, process, device, program, protocol, or system that uses a service provided by others.

user registry. See registry.

V

virtual hosting. The capability of a Web server that allows it to appear as more than one host to the Internet.

W

Web Portal Manager (WPM). A Web-based graphical application used to manage Tivoli Access Manager Base and WebSEAL security policy in a secure domain. An alternative to the pdadmin command line interface, this GUI enables remote administrator access and enables administrators to create delegated user domains and assign delegate administrators to these domains.

WebSEAL. A Tivoli Access Manager blade. WebSEAL is a high performance, multi-threaded Web server that applies a security policy to a protected object space. WebSEAL can provide single signon solutions and incorporate back-end Web application server resources into its security policy.

WPM. See Web Portal Manager.


Index

A

Access Control List (ACL) commands
    acl attach 2, 7
    acl create 2, 8
    acl delete 2, 9
    acl detach 2, 10
    acl find 2, 11
    acl list 2, 12
    acl modify 2, 13
    acl show 2, 15

accessibility xii
action
    group 18
action commands
    action create 3, 16
    action delete 3, 17
    action group 3, 18
    action list 3, 19

attach
    Access Control List (ACL) 7
    protected object policy (POP) 45

B

bassslcfg
    change password 89
    configure 90
    get certificate 91
    modify 92
    ping 93
books
    feedback vii
    online vii
    ordering vii

C

command modes
    interactive 1
    multiple 2
    single 1
create
    Access Control List (ACL) 8
    actions 16
    group 23
    object 32
    object space 38
    protected object policy (POP) 46
    rsrc 54
    rsrccred 58
    rsrcgroup 63
    user 80

Customer Support xii

D

delete
    Access Control List (ACL) 9
    actions 17
    group 24
    object 33
    object space 39
    protected object policy (POP) 47
    rsrc 55
    rsrccred 59
    rsrcgroup 64
    user 81
detach
    Access Control List (ACL) 10
    protected object policy (POP) 48

E

e-mail contact xii

F

feedback about publications xii
find
    Access Control List (ACL) 11
    protected object policy (POP) 49

G

group management commands
    group create 5, 23
    group delete 5, 24
    group import 5, 25
    group list 5, 26
    group modify 5, 27
    group show 5, 28
GSO commands
    command syntax xiii
    syntax 2

I

import
    group 25
    user 82

interactive command mode 1

L

list
    Access Control List (ACL) 12
    actions 19
    group 26
    object 34
    object space 40
    protected object policy (POP) 50

M

manuals
    feedback vii
    online vii
    ordering vii
mgrsslcfg
    change certificate 97
    change password 98
    configure 99
    modify 100
modify
    Access Control List (ACL) 13
    group 27
    object 36
    protected object policy (POP) 51
    rsrccred 61
    rsrcgroup 66
    user 84

multiple command mode 2

O

object
    listandshow 35
object commands
    object create 3, 32
    object delete 3, 33
    object list 3, 34
    object listandshow 3, 35
    object modify 3, 36
    object show 3, 37
object space commands
    objectspace create 4, 38
    objectspace delete 4, 39
    objectspace list 4, 40
online publications xi
ordering publications xii

P

pdadmin
    help 29
    login 30
    utility 1
pdadmin utilities
    exit command line mode 22
    logout 31
    show error message 21
pdbackup
    backs up, restores, and extracts data 101
pdconfig 104
pdjrtecfg
    configures Java runtime environment 105
policy management commands
    policy get 6, 41
    policy set 6, 43

prerequisite publications vii
protected object policy (POP) commands
    pop attach 4, 45
    pop create 4, 46
    pop delete 4, 47
    pop detach 4, 48
    pop find 4, 49
    pop list 4, 50
    pop modify 4, 51
    pop show 4, 53
publications
    feedback vii
    online vii
    ordering vii

R

related publications x
resource management commands
    rsrc create 5, 54
    rsrc delete 5, 55
    rsrc list 5, 56
    rsrc show 5, 57
    rsrccred create 5, 58
    rsrccred delete 5, 59
    rsrccred list user 5, 60
    rsrccred modify 5, 61
    rsrccred show 5, 62
    rsrcgroup create 5, 63
    rsrcgroup delete 5, 64
    rsrcgroup list 5, 65
    rsrcgroup modify 5, 66
    rsrcgroup show 5, 67
rsrc
    list 56
rsrccred
    list user 60
rsrcgroup
    list 65

S

server
    list 68
    listtasks 69
    replicate 70
server commands
    admin show configuration 20
    server list 4, 68, 69
    server listtasks 4, 69
    server replicate 4, 70
    server show 4, 71
    server task 4, 72, 73
    server task add 74
    server task stats 76
    server task trace 78
show
    Access Control List (ACL) 15
    group 28
    object
        listandshow 37
    protected object policy (POP) 53
    rsrc 57
    rsrccred 62
    rsrcgroup 67
    server 71
    user 85

single command mode 1

special characters 2
svrsslcfg
    add replica 109
    change certificate 111
    change password 113
    change port 112
    change replica 110
    configure 114
    modify 116
    remove replica 117
    unconfigure 118

T

Tivoli Customer Support xii
Tivoli Information Center xi

U

user
    list 83
user management commands
    user create 5, 80
    user delete 5, 81
    user import 5, 82
    user list 5, 83
    user modify 5, 84
    user show 5, 85
utilities
    bassslcfg -chgpwd 89
    bassslcfg -config 90, 94
    bassslcfg -getcacert 91
    bassslcfg -modify 92
    bassslcfg -ping 93
    install_pdrte 96
    mgrsslcfg -chgcert 97
    mgrsslcfg -chgpwd 98
    mgrsslcfg -config 99
    mgrsslcfg -modify 100
    pd_start 107
    pdbackup 101
    pdjrtecfg 105
    pdversion 108
    svrsslcfg -add_replica 109
    svrsslcfg -chg_replica 110
    svrsslcfg -chgcert 111
    svrsslcfg -chgport 112
    svrsslcfg -chgpwd 113
    svrsslcfg -config 114
    svrsslcfg -modify 116
    svrsslcfg -rmv_replica 117
    svrsslcfg -unconfig 118


Printed in U.S.A.

GC32-1107-00