Embed Size (px)
Citation preview
IBM Tivoli Identity Manager
Server Installation Guide on Windows2000 using WebLogicVersion 4.5.0
SC32-1335-00
���
IBM Tivoli Identity Manager
Server Installation Guide on Windows2000 using WebLogicVersion 4.5.0
SC32-1335-00
���
Note:Before using this information and the product it supports, read the information in Appendix E, “Notices”, on page 109.
First Edition (August 2003)
This edition applies to version 4.5.0 of Tivoli Identity Manager and to all subsequent releases and modificationsuntil otherwise indicated in new editions.
© Copyright International Business Machines Corporation 2003. All rights reserved.US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contractwith IBM Corp.
Contents
Preface . . . . . . . . . . . . . . . vWho Should Read This Book . . . . . . . . . vPublications . . . . . . . . . . . . . . v
Tivoli Identity Manager Server Library . . . . vPrerequisite Product Publications . . . . . . viRelated Publications . . . . . . . . . . viAccessing Publications Online . . . . . . . vi
Accessibility . . . . . . . . . . . . . . viiContacting Software Support . . . . . . . . viiConventions Used in This Book . . . . . . . vii
Chapter 1. Introduction . . . . . . . . 1Hardware and Software Requirements . . . . . . 1Product Compact Disks. . . . . . . . . . . 1
Chapter 2. Server Configuration andImplementation Overview . . . . . . . 3WebLogic Terminology . . . . . . . . . . . 3Single-Server Configuration . . . . . . . . . 4Cluster Configuration . . . . . . . . . . . 6
Chapter 3. Database Configuration . . . 9Oracle Installation and Configuration for TivoliIdentity Manager . . . . . . . . . . . . . 9
Preparing to Install Oracle on AIX . . . . . . 9Preparing to Install Oracle on Solaris . . . . . 11Preparing to Install Oracle on Windows . . . . 12Configuring Oracle after Installation . . . . . 12
SQL Server 2000 Configuration . . . . . . . . 13Preparing to Install SQL Server 2000 . . . . . 13Configuring SQL Server 2000 after Installation. . 13
Chapter 4. Directory ServerConfiguration . . . . . . . . . . . . 15Sun ONE Directory Server Configuration . . . . 15
Chapter 5. Single Server Installation:Tivoli Identity Manager Server. . . . . 17Before You Begin . . . . . . . . . . . . 17
Information Worksheet for Single-ServerInstallation . . . . . . . . . . . . . 17
Installing the Tivoli Identity Manager Server . . . 21Navigate Initial Welcome and LicensingWindows . . . . . . . . . . . . . . 23Select the Installation Type and Directories . . . 25Define the Tivoli Identity Manager InstallationLocation . . . . . . . . . . . . . . 25Specify the Encryption Key and Install the TivoliIdentity Manager Server . . . . . . . . . 27Initial Configuration of Tivoli Identity ManagerDatabase . . . . . . . . . . . . . . 28Initial Configuration of the Directory for TivoliIdentity Manager . . . . . . . . . . . 29Initial Configuration of Tivoli Identity Manager 31
Optionally Installing a Language Pack . . . . . 35Starting and Stopping the Tivoli Identity ManagerServer . . . . . . . . . . . . . . . . 35Testing Tivoli Identity Manager ServerCommunication . . . . . . . . . . . . . 36Certificate Authority for Server-AgentCommunication . . . . . . . . . . . . . 36Increasing the System Memory Usage . . . . . 37
Chapter 6. Cluster Installation: TivoliIdentity Manager Server . . . . . . . 39Before You Begin . . . . . . . . . . . . 39
Information Worksheet for Clustered Installation 40Installing the Tivoli Identity Manager Server . . . 43
Installing the Admin Server . . . . . . . . 45Installing a Managed Server . . . . . . . . 60
Optionally Installing a Language Pack . . . . . 72Starting and Stopping the Tivoli Identity ManagerServer . . . . . . . . . . . . . . . . 72Testing Tivoli Identity Manager ServerCommunication . . . . . . . . . . . . . 73Certificate Authority for Server-AgentCommunication . . . . . . . . . . . . . 73Configuring the Proxy Server . . . . . . . . 74
IIS HTTP Server Configuration . . . . . . . 74Apache HTTP Server Configuration . . . . . 74
Increasing the System Memory Usage . . . . . 75
Appendix A. Compact Discs . . . . . 77Language Packs CD . . . . . . . . . . . 77Base Code Solaris CD for Tivoli Identity Managerusing WebSphere Application Server . . . . . . 77Base Code Solaris CD for Tivoli Identity Managerfor non-IBM Application Servers . . . . . . . 77Supplemental Solaris CD 1 . . . . . . . . . 77Supplemental Solaris CD 2 . . . . . . . . . 78Supplemental Solaris CD 3 . . . . . . . . . 78Supplemental Solaris CD 4 . . . . . . . . . 78Base Code AIX CD for Tivoli Identity Managerusing WebSphere Application Server . . . . . . 79Base Code AIX CD for Tivoli Identity Manager fornon-IBM Application Servers . . . . . . . . 79Supplemental AIX CD 1 . . . . . . . . . . 79Supplemental AIX CD 2 . . . . . . . . . . 80Supplemental AIX CD 3 . . . . . . . . . . 80Base Code HP-UX CD for Tivoli Identity Managerfor non-IBM Application Servers . . . . . . . 80Base Code Windows 2000 CD for Tivoli IdentityManager using WebSphere Application Server . . . 81Base Code Windows 2000 CD for Tivoli IdentityManager for non-IBM Application Servers . . . . 81Supplemental Windows 2000 CD 1 . . . . . . 81Supplemental Windows 2000 CD 2 . . . . . . 82Supplemental Windows 2000 CD 3 . . . . . . 82Supplemental Windows 2000 CD 4 . . . . . . 82
© Copyright IBM Corp. 2003 iii
Appendix B. Software and HardwareRequirements on Windows . . . . . . 83Minimum Operating System and HardwareRequirements for Tivoli Identity Manager usingWebLogic on Windows . . . . . . . . . . 83Databases for Tivoli Identity Manager Server usingWebLogic . . . . . . . . . . . . . . . 83Directory Servers for Tivoli Identity Manager Serverusing WebLogic . . . . . . . . . . . . . 83Tivoli Identity Manager Server Prerequisites forWebLogic Servers . . . . . . . . . . . . 84Supported Web Browsers . . . . . . . . . . 84
Appendix C. Upgrading from TivoliIdentity Manager 4.3 using WebLogic . 85Before Upgrading . . . . . . . . . . . . 85Upgrading from Single Server Version 4.3 to SingleServer Version 4.5 . . . . . . . . . . . . 86
Prepare to Upgrade the Server . . . . . . . 86Select the Installation Type and Directories . . . 87Define the Installation Location. . . . . . . 88Upgrade the Tivoli Identity Manager ServerSchemas . . . . . . . . . . . . . . 89Complete the Upgrade Process . . . . . . . 90Updating Certificate Information . . . . . . 90Re-implement Customizations . . . . . . . 91
Starting and Stopping the Tivoli IdentityManager Server . . . . . . . . . . . . 91Testing Tivoli Identity Manager ServerCommunication . . . . . . . . . . . . 92
Upgrading from Cluster Version 4.3 to ClusterVersion 4.5. . . . . . . . . . . . . . . 92
Upgrade the Admin Server . . . . . . . . 93Upgrade the Managed Servers . . . . . . . 98Updating Certificate Information . . . . . . 103Re-implement Customizations . . . . . . . 103Starting and Stopping the Tivoli IdentityManager Server . . . . . . . . . . . 104Testing Tivoli Identity Manager ServerCommunication . . . . . . . . . . . 105
Appendix D. Uninstalling . . . . . . 107Steps to Uninstall Tivoli Identity Manager . . . . 107
Appendix E. Notices . . . . . . . . 109Trademarks . . . . . . . . . . . . . . 110
Glossary . . . . . . . . . . . . . 113
Index . . . . . . . . . . . . . . . 117
iv IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
Preface
The IBM ® Tivoli ® Identity Manager Installation Guide on Windows 2000 usingWebLogic describes how to install and configure the Tivoli Identity Manager Serveron a Windows 2000 Server to manage resources from a central location.
Who Should Read This BookThis manual is intended for system and security administrators who install,maintain, or administer software on their site’s computer systems. Readers areexpected to understand system and security administration concepts. Additionally,the reader should understand administration concepts for the following:v Directory serverv Databasev WebLogic Application Serverv Apache HTTP Server or Microsoft IIS HTTP Server
PublicationsRead the descriptions of the Tivoli Identity Manager library, the prerequisitepublications, and the related publications to determine which publications youmight find helpful. After you determine the publications you need, refer to theinstructions for accessing publications online.
Tivoli Identity Manager Server LibraryThe publications in the Tivoli Identity Manager Server library are:v Online user assistance for Tivoli Identity Manager
Provides integrated online help topics for all Tivoli Identity Manageradministrative tasks.
v Separate versions of Tivoli Identity Manager Server Installation Guide on eitherUNIX or Windows, using either WebSphere or WebLogic. Use the versionappropriate for your site.Provides installation information for Tivoli Identity Manager.
v Tivoli Identity Manager Policy and Organization Administration Guide
Provides topics for Tivoli Identity Manager administrative tasks.v Tivoli Identity Manager Server Configuration Guide
Provides configuration information for single-server and cluster Tivoli IdentityManager configurations.
v Tivoli Identity Manager End User Guide
Provides beginning user information for Tivoli Identity Manager.v Tivoli Identity Manager Release Notes
Provides software and hardware requirements for Tivoli Identity Manager, andadditional fix, patch, and other support information.
v Tivoli Identity Manager Troubleshooting Guide
Provides additional problem solving information for the Tivoli Identity Managerproduct.
© Copyright IBM Corp. 2003 v
Prerequisite Product PublicationsTo use the information in this book effectively, you must have knowledge of theproducts that are prerequisites for Tivoli Identity Manager. Publications areavailable from the following locations:v WebLogic Application Server
http://e-docs.bea.com/v Database servers
– Oraclehttp://technet.oracle.com/documentation/content.html
– Microsoft SQL Server 2000http://msdn.microsoft.com/library/
v Directory server applications– Sun ONE Directory Server
http://www.ibm.com/software/network/directoryv Web Proxy Server
– Microsoft IIS HTTP Serverhttp://www.microsoft.com/technet/prodtechnol/iis/default.asp
– Apache HTTP Serverhttp://httpd.apache.org/docs-project
Related PublicationsInformation related to Tivoli Identity Manager Server is available in the followingpublications:v The Tivoli Software Library provides a variety of Tivoli publications such as
white papers, datasheets, demonstrations, redbooks, and announcement letters.The Tivoli Software Library is available on the Web at:http://www.ibm.com/software/tivoli/library/
v The Tivoli Software Glossary includes definitions for many of the technical termsrelated to Tivoli software. The Tivoli Software Glossary is available, in Englishonly from the Glossary link on the left side of the Tivoli Software Library Webpage:http://www.ibm.com/software/tivoli/library/
Accessing Publications OnlineThe IBM publications for this product are available online in Portable DocumentFormat (PDF) or Hypertext Markup Language (HTML) format, or both at theTivoli Software Library:
http://www.ibm.com/software/tivoli/library
To locate product publications in the library, click the Product manuals link on theleft side of the Library page. Then, locate and click the name of the product on theTivoli Software Information Center page.
Product publications include release notes, installation guides, user’s guides,administrator’s guides, and developer’s references.
Note: To ensure proper printing of PDF publications, select the Fit to page checkbox in the Adobe Acrobat Print window (which is available when you clickFile → Print).
vi IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
AccessibilityThe product documentation includes the following features to aid accessibility:v Documentation is available in both HTML and PDF formats to give the
maximum opportunity for users to apply screen-reader software.v All images in the documentation are provided with alternative text so that users
with vision impairments can understand the contents of the images.
Contacting Software SupportBefore contacting IBM Tivoli Software support with a problem, refer to the IBMTivoli Software support Web site at:
http://www.ibm.com/software/sysmgmt/products/support/
If you need additional help, contact software support using the methods describedin the IBM Software Support Guide at the following Web site:
http://techsupport.services.ibm.com/guides/handbook.html
This guide provides the following information:v Registration and eligibility requirements for receiving supportv Telephone numbers, depending on the country in which you are locatedv A list of information you should gather before contacting customer support
Conventions Used in This BookThis reference uses several conventions for special terms and actions and foroperating system-dependent commands and paths.
The following typeface conventions are used in this book:
Bold Bold text indicates selectable window buttons, field entries, andcommands appearing in this manual except from within examplesor the contents of files.
Monospace Text in monospace type indicates the contents of files, file names orthe output from commands.
italic Italic text indicates context-specific values such as:v path namesv file namesv user namesv group namesv system parametersv environment variables
Preface vii
viii IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
Chapter 1. Introduction
This manual describes installing, initially configuring, and verifying the TivoliIdentity Manager Server on either a single-server or cluster configuration. Use theinstallation documentation that matches the operating system and Web applicationon your system. There is also a Tivoli Identity Manager Server Installation Guide forUNIX using WebLogic.
Major steps to install and begin to use the Tivoli Identity Manager Server varydepending on whether installation is for a single-server or cluster configuration.An overview of steps includes the following:1. Determining whether your configuration should be a single server, or requires
a more scalable cluster solution, described in Chapter 2, “Server Configurationand Implementation Overview”, on page 3.
2. Installing and configuring a database described in Chapter 3, “DatabaseConfiguration”, on page 9.
3. Installing and configuring a directory server, described in Chapter 4, “DirectoryServer Configuration”, on page 15.
4. Installing and configuring the Tivoli Identity Manager Server.Installing Tivoli Identity Manager Server in a single-server configuration isdescribed in Chapter 5, “Single Server Installation: Tivoli Identity ManagerServer”, on page 17.Installing Tivoli Identity Manager Server in a clustered configuration isdescribed in Chapter 6, “Cluster Installation: Tivoli Identity Manager Server”,on page 39.
Hardware and Software RequirementsFor a list of software and hardware requirements, see Appendix B, “Software andHardware Requirements on Windows”, on page 83.
Product Compact DisksThe Tivoli Identity Manager Server product is provided on a series of compactdiscs (CDs). For help obtaining the CDs, contact IBM Support. For a list of the CDsand their contents, see Appendix A, “Compact Discs”, on page 77.
© Copyright IBM Corp. 2003 1
2 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
Chapter 2. Server Configuration and Implementation Overview
Servers in a WebLogic environment are organized in either a single-serverconfiguration or a cluster configuration. This section provides a brief, high-leveldescription of configuration options and an overview of their implementationsequences. Subsequent chapters provide greater implementation detail.
Notes:
1. Sample configurations in this chapter require a number of prior planningactivities before taking the steps that install and configure this product. Foradditional documentation that describes planning to meet your business needs,contact your customer representative.
2. For additional information about the WebLogic products, refer to additionaldocumentation cited in “Prerequisite Product Publications” on page vi.
3. Patches are required for most applications. For more information, seeAppendix B, “Software and Hardware Requirements on Windows”, on page 83.
WebLogic TerminologyThe following terms describe elements in WebLogic configurations:
admin serverThe administration server (admin server) provides a central point formanaging a WebLogic Server domain. Tivoli Identity Manager resourcesare installed on the admin server. Installing the Tivoli Identity Managerresources on the admin server enables control of all connection informationfrom one location. The Tivoli Identity Manager Application Server is notinstalled on the admin server.
managed serverA WebLogic Application Server instance in a domain that is not the adminserver. The Tivoli Identity Manager Application Server is installed on amanaged server. Users log into the Tivoli Identity Manager ApplicationServer on the managed server to use the Tivoli Identity Managerapplication.
Web proxy serverA server that stands in for another server, routing files and requests toother servers. A Web proxy server is typically used to enhance security.
clusterA logical grouping of one or more functionally identical applicationservers. A cluster provides ease of deployment, configuration, workloadbalancing, and fallback redundancy. A cluster is a collection of serversworking together as a single system to ensure that mission-criticalapplications and resources remain available to clients. A Tivoli IdentityManager cluster is located in a WebLogic Server domain.
single-serverA configuration that consists of only one instance of the Tivoli IdentityManager Server. The physical location of the Tivoli Identity ManagerServer with respect to the directory server or the database is irrelevant.
© Copyright IBM Corp. 2003 3
Single-Server ConfigurationA single-server configuration of Tivoli Identity Manager has only one instance ofthe Tivoli Identity Manager Server installed and running. As long as the TivoliIdentity Manager Server can connect to the database and the directory server, thephysical location of the Tivoli Identity Manager Server is irrelevant with respect tothe physical locations of the database or the directory server. The following figuresdisplay three possible single-server configurations for Tivoli Identity Manager.There are many other configurations possible.
Note: If the Tivoli Identity Manager Server is not installed on the same system asthe database, a database client must be installed on the system where theTivoli Identity Manager Server is installed.
WebLogicApplication
Server
Tivoli IdentityManager Server
DirectoryServer
Database
Figure 1. Single-server configuration on one physical computer
4 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
DirectoryServer
Database
WebLogicApplication
Server
Tivoli IdentityManager Server
Figure 2. Single-server configuration on two physical computers
Chapter 2. Server Configuration and Implementation Overview 5
Cluster ConfigurationA clustered configuration has multiple instances of the Tivoli Identity ManagerServer configured to work together to improve performance and scalability. One ofthe Tivoli Identity Manager Servers must be designated as an admin server. Theadmin server manages the resource allocation in the cluster. All other TivoliIdentity Manager Servers must be installed as managed servers.
Notes:
1. All of the Tivoli Identity Manager Servers in the cluster must be installed onthe same operating system.
2. Do not place members from two different clusters on the same physicalcomputer.
DirectoryServer
WebLogicApplication
Server
Tivoli IdentityManager Server
Database
Figure 3. Single-server configuration on three physical computers
6 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
DirectoryServer
Database
Tivoli IdentityManager
Resources
WebLogicAdministrative
Server
Managed Server
Admin Server
Cluster
Tivoli IdentityManager
WebLogicApplication
Server
Managed Server
Tivoli IdentityManager
WebLogicApplication
Server
Web ProxyServer
Figure 4. Clustered configuration
Chapter 2. Server Configuration and Implementation Overview 7
8 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
Chapter 3. Database Configuration
This chapter describes configuring a database for use with Tivoli Identity ManagerServer. For more information on supported database releases and required patchesfor Tivoli Identity Manager Server using WebLogic, see Appendix B, “Software andHardware Requirements on Windows”, on page 83.
This section describes the following:v “Oracle Installation and Configuration for Tivoli Identity Manager”v “SQL Server 2000 Configuration” on page 13
Oracle Installation and Configuration for Tivoli Identity ManagerThis section describes pre-installation procedures and post-installationconfiguration steps for an installation of Oracle within a framework of TivoliIdentity Manager.
In all cases, refer to the Oracle 8i Installation Guide for complete information.
Note: When you install Oracle, you must include the JServer option as part of theinstall. If you choose a typical Oracle install, JServer is included. If youchoose to perform a custom Oracle install, ensure that JServer is selected asan option for installation.
Preparing to Install Oracle on AIXComplete the following procedures prior to installing Oracle on an AIX system:1. Log in to the AIX system as root.2. Ensure that the AIX system has the following filesets installed:
v bos.adt.base
v bos.adt.libm
The Oracle product installation links with local libraries to create Oracleexecutables. Without the filesets, the links will fail and Oracle will not installor run correctly. You can install these filesets from the AIX developer’s toolkitCD.
3. Verify that your system meets or exceeds the free disk space requirements forthe following directories:v /usr: 3 GBv /var: 300 MBv /tmp: 2 GB
For AIX, the default Oracle installation directory is /usr.
Notes:
a. To determine disk space availability, enter the following command:df - Ivk
Output values are in units of 1024 bytes.b. To change the size of /usr or /var directories using SMIT or SMITTY,
navigate the following windows: System Storage Management –> FileSystems –> Add/Change/Show/Delete File Systems –> Journaled File
© Copyright IBM Corp. 2003 9
Systems –> Change/Show Characteristics of a Journaled File System–>/usr –> SIZE of file system (in 512–byte blocks).
4. Create a CD-ROM filesystem, if not already present, using the SMITTY utility:a. Type $ mkdir /cdrom from the console or command line.b. Type $ smitty crcdrfs from the console or command line.
The following menu appears:
Add a CDROM File System
Type or select values in entry fields.Press Enter AFTER making all desired changes.
[Entry Fields]* DEVICE name +* MOUNT POINT []
Mount AUTOMATICALLY at system restart? no +
c. Select a CD-ROM drive by pressing F4, selecting a drive, and pressingEnter.
d. Hit Enter again to create the filesystem. Exit SMITTY with F10 when thecreation command completes.
e. Mount the cdrom directory with the following command:mount /cdrom
5. Create mount points to use with Oracle databases:$ mkdir /u01$ mkdir /u02
6. Set permissions for the mount points to allow the Oracle user account to writeto them during the installation:$ chmod 777 /u01$ chmod 777 /u02
7. Use SMIT to create two groups; a user group named dba and a user groupnamed oper.
8. Use SMIT to create a new user called oracle. Complete the following steps forthe new user account.a. Set the Primary GROUP of the account to the dba group you created.b. Set the HOME directory of the account to /home/oracle.c. Set the login shell (Initial PROGRAM) to /bin/sh.
The Oracle account will run the installer. This account must be used only forinstalling and maintaining Oracle.
9. Check that a file path of /usr/lbin exists and is included in the PATH for theOracle user account. This path can be set by editing /home/oracle/.profile.
10. Create the oratab file by executing the oratab.sh script located in the orainstdirectory of the CD.$ ./oratab.sh
11. Sign on to the system as the oracle user:$ su - oracle
12. View the umask settings for the oracle account.$ umask
The umask should be set to 022. If the account’s umask is not set to 022, set itwith the following command:$ umask 022
13. Edit .profile and add the following environment variable settings:
10 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
ORACLE_BASE=/u01/app/oracle; export ORACLE_BASEORACLE_HOME=$ORACLE_BASE/product/8.1.7; export ORACLE_HOMELIBPATH=$ORACLE_HOME/lib; export LIBPATHLD_LIBRARY_PATH=$ORACLE_HOME/lib:$ORACLE_HOME/network/lib; export LD_LIBRARY_PATHORACLE_SID=or1; export ORACLE_SIDORACLE_TERM=vt100; export ORACLE_TERM
Make sure that the oracle user’s PATH includes $ORACLE_HOME/bin, /bin and/usr/bin. If it does not, add them to .profile.
14. Source the profile using the following command:$ . ./.profile
15. Run rootpre.sh to ready the machine for install from /cdrom:$ ./rootpre.sh
You are now ready to begin the Oracle installation.
Preparing to Install Oracle on SolarisComplete the following procedures prior to installing Oracle on a Solaris system:1. Log in to the Solaris system as root.2. Ensure that the kernel parameters set for the system meet or exceed values
required for the installation. Refer to the Oracle 8i Installation Guide for moreinformation.
3. Create mount points to use with Oracle databases:$ mkdir /u01$ mkdir /u02
4. Start the admintool utility from a console, using the following command:# admintool
5. In the Admintool window, click Browse –> Groups. The Admintool:Groupswindow opens.
6. In the Admintool:Groups window, click Edit –> Add. The Admintool:AddGroup window opens.
7. Create two groups; a user group named dba and a user group named oinstall.8. In the Admintool:Groups window, click Browse –> Users. The
Admintool:Users window opens.9. Use admintool to create a new user called oracle. Complete the following
steps for the new user account.a. Set the Primary Group of the account to the oinstall group you created.b. Set the Secondary Group of the account to the dba group you created.c. Ensure that the radio button beside the Create Home Directory field is
selected. In the Path field, enter /export/home/oracle as the homedirectory for the user oracle.
d. Set the Login Shell to /bin/sh.
The Oracle installer must be run under this account. This account will be usedonly for installing and maintaining Oracle.
10. Sign on to the system as the oracle user:# su - oracle
View the umask settings for the oracle account.$ umask
The umask should be set to 022. If the account’s umask is not set to 022, set itwith the following command:
Chapter 3. Database Configuration 11
$ umask 022
Also modify .profile to reflect the change.11. Add the following to /export/home/oracle/.profile for the oracle account:
ORACLE_BASE=/u01/app/oracle; export ORACLE_BASEORACLE_HOME=$ORACLE_BASE/product/8.1.7; export ORACLE_HOMEORACLE_SID=or1; export ORACLE_SIDORACLE_DOC=$ORACLE_HOME/doc; export ORACLE_DOCORA_NLS33=$ORACLE_HOME/ocommon/nls/admin/data; export ORA_NLS33PATH=$ORACLE_HOME/bin:/usr/bin:/usr/local/bin:/usr/ccs/bin:/usr/ucb:/usr/openwin/bin:.
If you require /usr/ucb in your search path make sure it is listed after/usr/ccs/bin in the PATH setting.
12. Source the profile using the following command:$ . ./.profile
You are now ready to begin the Oracle installation. Refer to the appropriate Oracledocumentation and install the software. After a successful installation, return to theconfiguration instructions contained in this section.
Preparing to Install Oracle on WindowsComplete the following procedures prior to installing Oracle on a Windowssystem:1. Verify that your system meets or exceeds the system requirements listed in the
Oracle 8i Installation Guide for the type of installation you intend to perform.2. Log in to the Windows system with the Administrator account that you will
use for the installation.
You are now ready to begin the Oracle installation.
Configuring Oracle after InstallationThere are several post-installation tasks that must be completed to configure Oraclefor use in a Tivoli Identity Manager framework.1. Verify that the following line exists in the init.ora file:
compatible=8.1.0
2. Create a database for use with Tivoli Identity Manager.The following is a sample SQL script that can be used to create your database.The values in the script should be changed to match your site’s requirements.-- Create databaseCREATE DATABASE sample
CONTROLFILE REUSELOGFILE ’/u01/oracle/sample/redo01.log’ SIZE 1M REUSE,
’/u01/oracle/sample/redo02.log’ SIZE 1M REUSE,’/u01/oracle/sample/redo03.log’ SIZE 1M REUSE,’/u01/oracle/sample/redo04.log’ SIZE 1M REUSE
DATAFILE ’/u01/oracle/sample/system01.dbf’ SIZE 10M REUSEAUTOEXTEND ONNEXT 10M MAXSIZE 200M
CHARACTER SET UTF8;
-- Create another (temporary) system tablespaceCREATE ROLLBACK SEGMENT rb_temp STORAGE (INITIAL 100 k NEXT 250 k);
-- Alter temporary system tablespace online before proceedingALTER ROLLBACK SEGMENT rb_temp ONLINE;
-- Create additional tablespaces ...-- RBS: For rollback segments-- USERs: Create user sets this as the default tablespace-- TEMP: Create user sets this as the temporary tablespaceCREATE TABLESPACE rbs
DATAFILE ’/u01/oracle/sample/sample.dbf’ SIZE 5M REUSE AUTOEXTEND ON
12 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
NEXT 5M MAXSIZE 150M;CREATE TABLESPACE users
DATAFILE ’/u01/oracle/sample/users01.dbf’ SIZE 3M REUSE AUTOEXTEND ONNEXT 5M MAXSIZE 150M;
CREATE TABLESPACE tempDATAFILE ’/u01/oracle/sample/temp01.dbf’ SIZE 2M REUSE AUTOEXTEND ONNEXT 5M MAXSIZE 150M;
-- Create rollback segments.CREATE ROLLBACK SEGMENT rb1 STORAGE(INITIAL 50K NEXT 250K)tablespace rbs;
CREATE ROLLBACK SEGMENT rb2 STORAGE(INITIAL 50K NEXT 250K)tablespace rbs;
CREATE ROLLBACK SEGMENT rb3 STORAGE(INITIAL 50K NEXT 250K)tablespace rbs;
CREATE ROLLBACK SEGMENT rb4 STORAGE(INITIAL 50K NEXT 250K)tablespace rbs;
-- Bring new rollback segments online and drop the temporary system oneALTER ROLLBACK SEGMENT rb1 ONLINE;ALTER ROLLBACK SEGMENT rb2 ONLINE;ALTER ROLLBACK SEGMENT rb3 ONLINE;ALTER ROLLBACK SEGMENT rb4 ONLINE;
ALTER ROLLBACK SEGMENT rb_temp OFFLINE;DROP ROLLBACK SEGMENT rb_temp ;
3. Increase the value for Oracle connections from the default of 50 to a value of150 by editing the PROCESSES parameter of the $ORACLE_HOME/dbs/init.orafile.
Note: Oracle connection requirements will vary greatly between enterprises. Setyour connection value to a value appropriate for your environment.
4. Increase the Oracle tablespace from the default to the maximum amountavailable using the alter sql command.SQL> alter database datafile ’<location of DBF file>\ENROLE1_DATA_001.DBF’ resize 500mSQL> alter database datafile ’<Oracle db location of DBF file>\ENROLE1_IDX_001.DBF’resize 500m
SQL Server 2000 ConfigurationThis section describes pre-installation procedures and post-installationconfiguration steps for an installation of Microsoft SQL Server 2000 for use withTivoli Identity Manager.
In all cases, refer to SQL Server 2000 installation documentation for completeinformation.
Preparing to Install SQL Server 2000Complete the following procedures prior to installing SQL Server 2000 on aWindows system:1. Ensure that you have the latest SQL Server 2000 service packs installed.2. Log in to the Windows system with an Administrator account before launching
the SQL Server installation.
You are now ready to begin the SQL Server installation.
Configuring SQL Server 2000 after InstallationThere are several post-installation tasks that must be completed to configure SQLServer 2000 for use in a Tivoli Identity Manager framework.1. Launch the MS SQL Server Enterprise Manager.2. Ensure that the mixed-mod authentication is enabled.
a. Select Tools –> SQL Server Configuration Properties...
Chapter 3. Database Configuration 13
b. On the Security tab, ensure that SQL Server and Windows Authentication isselected.
3. Create a new database.a. Using the navigational tree, navigate to Microsoft SQL Servers –> SQL
Server group –> (local) Windows NT –> Databases.b. Right-click the Databases node and select New Database.
The Database Properties window appears.c. On the General tab, supply itimdb as a value for the Name field.d. On the Data Files tab, supply the following information:
v Initial File Size (MB): 20v Check the check box for Automatically grow file.v Select the radio button for Unrestricted file growth.
e. On the Transaction Log tab, supply the following information:v Initial File Size (MB): 20v Check the check box for Automatically grow file.v Select the radio button for Unrestricted file growth.
f. Click OK.
14 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
Chapter 4. Directory Server Configuration
This chapter describes how to configure the directory server for use with TivoliIdentity Manager.
Sun ONE Directory Server Configuration
Note: In the following statements, my_suffix is any value for the suffix that youdefine for Tivoli Identity Manager, such as com.
To configure the Sun ONE Directory Server, do the following:1. Start the iPlanet Console.
The iPlanet Console login dialog window appears.2. Verify the port number in the Administration URL, type in your password,
and click OK.3. Go to your Directory Server in the console tree and click Open.4. Select the Configuration tab.5. Right-click Data in the directory server tree on the Configuration tab, and
click New Root Suffix.The Create new root suffix dialog window appears.
6. Type dc=my_suffix in the New suffix text field on the Create new root suffixdialog window.
7. Type the desired database name in the Database name text field.For example, type the following:itimdb
8. Select the Create associated database automatically check box if it is notselected and click OK.The Confirmation Needed dialog window appears.
9. On the Confirmation Needed dialog window, click Yes.The Directory Server console reappears.
10. Select the Directory tab.11. Right-click the name of the directory server in the directory server tree.
A pop-up menu appears.12. Select dc=my_suffix under New Root Object in the pop-up menu.
The New Object dialog window appears.13. Select domain and click OK.
The Property Editor dialog window for dc=my_suffix appears.14. Click OK in the Property Editor dialog window.
The Directory Server console reappears.15. Select the Tasks tab and click Restart the Directory Server.
The Sun ONE Directory Server is now set up.16. Increase the memory cache available for the Tivoli Identity Manager Server by
completing the following procedures:a. Open the directory server console and click the Configuration tab.
© Copyright IBM Corp. 2003 15
b. Expand the Data node in the directory tree and click the DatabaseSettings tab.
c. Click the LDBM Plug-in Settings tab.d. Set the Maximum Cache Size setting to an appropriate value based on
your hardware’s physical memory.If Sun ONE Directory Server is installed on its own machine, it isrecommended that this value be set to 75% of the system’s availablememory.
e. Click Save.f. Expand the Tivoli Identity Manager application node.
For example, this could be dc=com.g. Select the database object in the Tivoli Identity Manager application node
and click the Database Settings tab.h. Set the ″Memory available for cache″ setting to an appropriate value based
on your hardware’s physical memory.If Tivoli Identity Manager is the only application using this directory, it isrecommended that this value be set to 60% of the ″Maximum Cache Size″set on the LDBM Plug-in Settings tab.
i. Click Save.j. Click the Tasks tab and restart the directory server.
16 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
Chapter 5. Single Server Installation: Tivoli Identity ManagerServer
This chapter describes tasks that install and configure the Tivoli Identity ManagerServer in a single-server configuration.
Installation tasks include the following:v “Before You Begin”v “Installing the Tivoli Identity Manager Server” on page 21v “Optionally Installing a Language Pack” on page 35v “Starting and Stopping the Tivoli Identity Manager Server” on page 35v “Testing Tivoli Identity Manager Server Communication” on page 36v “Certificate Authority for Server-Agent Communication” on page 36v “Increasing the System Memory Usage” on page 37
Before You BeginBefore you begin, do the following:v Ensure that the following Tivoli Identity Manager prerequisites are met for a
single-server configuration:
Table 1. Prerequisite applications
Prerequisite Running For more information, see
Database U Chapter 3, “Database Configuration”,on page 9
Directory server U Chapter 4, “Directory ServerConfiguration”, on page 15
WebLogic Application Server U
v Ensure free disk space and virtual memory requirements are met. For moreinformation, see Appendix B, “Software and Hardware Requirements onWindows”, on page 83.
v Ensure you have the correct administrative authority. If not, obtain the authorityand re-login to the system to activate the proper authorization.On Windows, the user with administrative authority should have the followingrights:– Act as part of the operating system– Log on as a service
v On the computer on which Tivoli Identity Manager will be installed, set theappropriate value for your locale to ensure the language format is recognized.
v If you are using Oracle for your database, you need to copy the Oracle JDBCdriver (in the file name classes12.zip) from the supplementary CD into atemporary local directory.
v Complete the information worksheet for your configuration.
Information Worksheet for Single-Server InstallationCollect the following information before you begin installation:
© Copyright IBM Corp. 2003 17
WebLogic InformationCollect the following information about the WebLogic Application Server.
BEA Home Directory___________________________________BEA installation directory. Default value is C:\bea\
WebLogic Application Server Directory_____________________WebLogic Application Server home directory. Default value isC:\bea\weblogic700
Tivoli Identity Manager InformationDetermine the values for the following properties for the Tivoli Identity ManagerServer:
Tivoli Identity Manager__________________________________Directory where Tivoli Identity Manager will be installed.
Domain Base Directory __________________________________Base directory location of the WebLogic domain dedicated to TivoliIdentity Manager.
Domain Name _________________________________________Name of the WebLogic domain dedicated to Tivoli Identity Manager.
Server Name __________________________________________Name of the server where this instance of Tivoli Identity Manager is beinginstalled.
Encryption Key _________________________________________Key used to encrypt Tivoli Identity Manager passwords and other sensitivetext. The default value is sunshine. The key can be any word or phrase.This word or phrase should be used as the encryption key for eachmember of the cluster. This value is stored in the enRole.properties file asenrole.encryption.password.
Database InformationCollect the following information for the relational database management system:
Database Type ________________________________________
Type of database used for your system.
Admin ID ____________________________________________
The Administrator User ID that you created when you configured thedatabase.
Admin Password ______________________________________
The password for the Administrator user ID.
Database Name _______________________________________
Name of the database to be used with the Tivoli Identity Manager Server.
Credentials for the database:
Database User
The account that Tivoli Identity Manager Server uses to connect tothe database. The user ID is enrole.
Note: This user ID cannot be changed.
User Password
18 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
Password for the account that Tivoli Identity Manager Server usesto connect to the database. This password can be changed usingthe System Configuration Tool. See the Tivoli Identity ManagerServer Configuration Guide for more information about the SystemConfiguration Tool.
IP Address ___________________________________________
IP address or hostname of the database server. Required for Oracle andSQL Server 2000 databases.
Port Number ___________________________________________
Port number of the database server. Required for Oracle and SQL Server2000 databases.
Additionally, the installation windows report the following Database Poolinformation during installation. The database pool information determines thenumber of JDBC connections that Tivoli Identity Manager Server can open to thedatabase. For more information, refer to the Tivoli Identity Manager ServerConfiguration Guide.
Evaluate the following in relation to your site needs:
Initial CapacityInitial number of JDBC connections that Tivoli Identity Manager Server canopen to the database
Maximum CapacityMaximum number of JDBC connections that Tivoli Identity ManagerServer can open to the database at any one time
Login Delay SecondsTime, in seconds, between connection creation.
Directory Server InformationCollect the following information:
Principal DN ___________________________________________
The directory server Administrator user ID. For example, cn=root.
Password ______________________________________________
The password of the Principal Distinguished Name user ID that youcreated when installing the directory server.
Host name _____________________________________________
Fully-qualified host name of the directory server. For example,identity1.mylab.mydomain.com.
Port __________________________________________________
Port on which the directory server is listening, such as 389.
Number of hash buckets __________________________________
A hash bucket is a notional receptacle, a set of which might be used toapportion data items for sorting or lookup purposes. Evaluate the default(1) in relation to your site needs.
Name of your organization _________________________________
The value that you enter in the Name of Your Organization field will bedisplayed in the organization chart that is displayed on many of the Tivoli
Chapter 5. Single Server Installation: Tivoli Identity Manager Server 19
Identity Manager graphical user interface screens. This value is typicallythe more formal name of your company. For example, an organizationname is IBM Corporation.
Note: You may enter either single-byte (ASCII) characters or double-bytecharacter set characters in this field.
Default Org Short Name ___________________________________
The value that you enter in the Default Org Short Name field will be usedinternally in Sun ONE Directory Server to represent your organization.This value is typically an abbreviation of your company name. Forexample, a short name is ibmcorp.
Note: Enter only single-byte (ASCII) characters in the Default Org ShortName field, such as an identifier in English.
Identity Manager DN Location ______________________________
The value such as dc=com that you enter in the Location field must matchthe suffix (for example, dc=com) that you created when you configuredLDAP.
Additionally, the installation windows report the following LDAP Connection PoolInformation fields for a pool of LDAP connections accessible by Tivoli IdentityManager Server. For more information, refer to the Tivoli Identity Manager ServerConfiguration Guide.
Evaluate the following in relation to your site needs:
Max. pool sizeMaximum number of connections the LDAP Connection Pool can have atany time
Initial pool sizeInitial number of connections created for the LDAP Connection Pool
Increment countNumber of connections added to the LDAP Connection Pool every time aconnection is requested once all connections are in use
Tivoli Identity Manager Logon InformationNote the following information for Tivoli Identity Manager:
User ID _______________________________________________
The Tivoli Identity Manager user ID. The default after installation is itimmanager. Use this user ID when you log on to Tivoli Identity Manager.
Password _____________________________________________
Password for the Tivoli Identity Manager user ID specified as itimmanager. The default password after installation is secret .
Note: It is important that you change this password and make a record ofthe new password immediately after you first log on.
20 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
Installing the Tivoli Identity Manager ServerInstalling Tivoli Identity Manager requires installing the Tivoli Identity ManagerServer and configuring various server properties to enable it to connect to thedatabase and directory server. In a single-server configuration, there is only oneinstance of the Tivoli Identity Manager Server installed for use.
The following flowchart describes the basic sequence of windows that install TivoliIdentity Manager in a single-server configuration.
Chapter 5. Single Server Installation: Tivoli Identity Manager Server 21
WebLogicalready
installed?
ClusteredInstallation
Select Type ofInstallation
ClusteredInstallation
No Exit Installation.Install WebLogic.
Restart Installation.
Yes
Enter WebLogicDirectory Information
Enter Tivoli Identity ManagerInstallation Directory
Enter Tivoli Identity ManagerDomain Location
Enter Encryption Key
Pre-installation Summary
Configure Directory ServerConnection
Configure DatabaseConfiguration
Configure DatabaseConnection
Configure Tivoli IdentityManager Server
Single Server Installation
Figure 5. Single Tivoli Identity Manager Server Installation Overview
22 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
Navigate Initial Welcome and Licensing WindowsA series of welcome and licensing windows start the installation process. Tonavigate the initial windows, do the following:1. Log on to the computer where the Tivoli Identity Manager Server will be
installed.
Note: You must log on using an account with system administration privileges.2. Insert the Tivoli Identity Manager Product CD into the CD-ROM drive.3. Click Start –> Run.4. Type your CD-ROM drive and then type the following command:
instW2K-WL.exe
Note: If your logon account does not have permission to executeinstW2K-WL.exe, you must grant the account permission to execute thisfile.
The Language Selection window opens.
5. Select the desired language in the language drop-down menu and click OK.The License Agreement window opens.
Figure 6. Language Selection window
Chapter 5. Single Server Installation: Tivoli Identity Manager Server 23
6. Read the license agreement and decide whether to accept its terms.7. Select the I accept the terms of the License Agreement radio button if you
agree to the terms and click Next.The Choose Installation Type window opens. Proceed with choosing aninstallation type.
Figure 7. License Agreement Window
Figure 8. Choose Installation Type Window
24 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
Select the Installation Type and DirectoriesThe next steps determine the type of Tivoli Identity Manager to install and thelocation of the WebLogic Application Server used by Tivoli Identity Manager.1. Select the radio button for the type of installation you desire in the Choose
Installation Type window and click Next.If you want to install a single-server version of Tivoli Identity Manager, selectthe Single Server radio button. If you want to install a clustered version ofTivoli Identity Manager, select the Cluster radio button.The Have you installed BEA WebLogic Server 7.0? window opens.
2. Click Yes if you have already installed the WebLogic Application Server.If you click No, you can continue with the installation but you will have toinstall WebLogic 7.0 before Tivoli Identity Manager will run. It is recommendedthat you exit the installation and install the WebLogic Application Server beforeinstalling Tivoli Identity Manager.The Where have you installed WebLogic Server 7.0? window opens.
3. Enter the BEA home directory and the WebLogic Application Server homedirectories in their respective fields and click Next.
Note: In a clustered installation, the WebLogic Application Server homedirectory should be the same for each member of the cluster.
See the following section to proceed with the installation process.
Define the Tivoli Identity Manager Installation LocationThis section describes how to define where the Tivoli Identity Manager Server isinstalled and how the Tivoli Identity Manager Server is recognized by theWebLogic Application Server.
Figure 9. Where have you installed WebLogic Server 7.0? Window
Chapter 5. Single Server Installation: Tivoli Identity Manager Server 25
The previous section ended with the Choose Install Folder window open.
1. Accept the default Tivoli Identity Manager installation directory (C:\itim45) orenter a different installation directory and click Next.The Specify the Tivoli Identity Manager Domain Information window opens.
2. Accept the default domain base directory (C:\bea\user_projects) or enter adifferent directory location.
Figure 10. Choose Install Folder Window
Figure 11. Specify the IBM Tivoli Identity Manager Domain Information Window
26 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
3. Enter the name of the domain to which the Tivoli Identity Manager Server willbe added in the Domain Name field.
4. Enter the name of the Tivoli Identity Manager Server in the Server Name fieldand click Next.Proceed to the next section to continue with the installation process.
Specify the Encryption Key and Install the Tivoli IdentityManager Server
The previous section ended with the Specify the Encryption Key window open.
1. Enter the encryption key and click Next.The encryption key is used to encrypt Tivoli Identity Manager passwords andother sensitive text. The default encryption key is sunshine. It is recommendedthat you change the encryption key.
Note: The encryption key you input here must be the same as the one specifiedduring the admin server installation.
The Pre-Installation Summary window opens.
Figure 12. Specify the Encryption Key Window
Chapter 5. Single Server Installation: Tivoli Identity Manager Server 27
2. Review the information listed.If any of the information is incorrect, click Previous and correct the values. Ifthere is not enough disk space, cancel the installation and ensure that therequired disk space is available before installing Tivoli Identity Manager.
3. Click Install.A series of installation progress windows open during the interval that theinstallation requires. After the installation completes, you must configure theTivoli Identity Manager Server.
4. Proceed to the following section to continue with the installation process.
Initial Configuration of Tivoli Identity Manager DatabaseAfter the Tivoli Identity Manager Server is installed, the Tivoli Identity Managerdatabase must be configured. The installation program uses the databaseconfiguration tool to configure the database.
The previous section ended with the IBM Tivoli Identity Manager DatabaseConfiguration window open.
Figure 13. Pre-Installation Summary Window
28 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
Note: If you are using Oracle for your database, you will need to copy the OracleJDBC driver (in the file name classes12.zip) from the temporary localdirectory (where you saved the JDBC driver from the supplementary CDearlier) to the <ITIM_HOME>\lib directory.
1. Enter the database connection information in the appropriate fields of the IBMTivoli Identity Manager Database Configuration window and click Test.If the test is successful, a message window opens confirming that theconnection is successful.
2. Click OK.The IBM Tivoli Identity Manager Database Configuration window reappearswith the Identity Manager User Information fields active.
3. Enter the Tivoli Identity Manager user ID and password in their respectivefields and click Continue.The default values for these fields are listed in the information worksheet. Amessage window opens confirming that the database configuration is complete.
4. Click OK.The IBM Tivoli Identity Manager Directory Configuration window opens.
5. Proceed to configure the directory to continue with the installation process.
Initial Configuration of the Directory for Tivoli IdentityManager
The Tivoli Identity Manager directory server connection must be configured afterinstalling the Tivoli Identity Manager Server. The following procedures describehow to configure the Tivoli Identity Manager Server to recognize the directoryserver.
The previous section ended with the IBM Tivoli Identity Manager DirectoryConfiguration window open.
Figure 14. IBM Tivoli Identity Manager Database Configuration Window
Chapter 5. Single Server Installation: Tivoli Identity Manager Server 29
1. Enter the LDAP server information in the appropriate fields of the IBM TivoliIdentity Manager Directory Configuration window and click Test.If the test is successful, a message window opens confirming that theconnection was successful.
2. Click OK.The IBM Tivoli Identity Manager Directory Configuration window reappearswith the Identity Manager Directory Information fields active.
Figure 15. IBM Tivoli Identity Manager Directory Configuration Window
30 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
3. Select the database used with Tivoli Identity Manager.4. Accept the default number of hash buckets or enter a new value.
Hash buckets can hold up to 1,000,000 entries.5. Complete the remaining Identity Manager Directory Information fields and
click Continue.See the information worksheet for more information about each field. Amessage window opens confirming that the directory server configuration wassuccessful.
6. Click OK.The directory server configuration tool closes and the system configuration toolwindow opens.
Initial Configuration of Tivoli Identity ManagerThe remaining windows provide an initial configuration of Tivoli IdentityManager. During this activity, you can change values you initially set for thedatabase server and the directory server and modify some system defaultconfiguration values. Default values that must be modified are detailed in theprocedures.1. Verify that the information listed on the General tab is correct.
Figure 16. IBM Tivoli Identity Manager Directory Configuration Window (all fields active)
Chapter 5. Single Server Installation: Tivoli Identity Manager Server 31
2. Click the Directory tab and verify that the information listed is correct.If any of the information is not correct, modify the information and click Testto verify that the connection information is correct.
3. Click the Database tab and verify that the information listed is correct.If the information is not correct, modify the information and click Test toverify that the connection information is correct.
Figure 17. General Tab of the System Configuration Window
Figure 18. Directory Tab of the System Configuration Window
32 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
4. Click the Logging tab and modify the level of logging as desired.
5. Click the Mail tab and verify that the Identity Manager Server URL is correct.
Note: In a clustered configuration, the Identity Manager Server URL shouldbe the URL of the proxy server, if one is used.
Figure 19. Database Tab of the System Configuration Window
Figure 20. Logging Tab of the System Configuration Window
Chapter 5. Single Server Installation: Tivoli Identity Manager Server 33
6. Change the Mail From address to the Tivoli Identity Manager systemadministrator e-mail address for your site.
Note: You must change this address. The default address is a valid IBMe-mail address. If you do not change this address you will send spamto the e-mail address listed.
7. Enter the mail server name in the respective field.8. Click the UI tab and modify the values as desired.
Refer to the Tivoli Identity Manager Server Configuration Guide for additionalinformation about customizing the user interface.
Figure 21. Mail Tab of the System Configuration Window
Figure 22. UI Tab of the System Configuration Window
34 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
9. Click the Security tab and modify the values as desired.
10. Click OK to finish configuring the Tivoli Identity Manager Server.11. Proceed to the following section to continue with the installation process.
Optionally Installing a Language PackAfter installing Tivoli Identity Manager, if the default language is not English,optionally obtain and mount the language pack CD for the Tivoli Identity ManagerServer. Use command line mode to install the language pack. For example, enterthe following:java –jar itimlp_setup.jar
The Tivoli Identity Manager language pack setup program will start. To completethe language pack installation, follow the instructions that appear in the setupprogram panels.
Note: To run the Tivoli Identity Manager language pack setup program, Javaruntime environment 1.3.1 should be accessible from the command line.
Starting and Stopping the Tivoli Identity Manager ServerAfter the Tivoli Identity Manager Server is installed you must start the server. Thissection describes how to start and stop the Tivoli Identity Manager Server.
On Windows servers, a service named Tivoli Identity ManagerdomainName_serverName is installed. The domainName is the name of the domain inwhich the Tivoli Identity Manager Server is installed. The serverName is the nameassigned to the Tivoli Identity Manager Server during installation. Use the servicesconsole to start or stop the Tivoli Identity Manager Server.
Using Tivoli Identity Manager on Windows for WebLogic, additional steps arerequired to modify parameters when Tivoli Identity Manager is started as a
Figure 23. Security Tab of the System Configuration Window
Chapter 5. Single Server Installation: Tivoli Identity Manager Server 35
service. In order to modify the classpath, jvm switches or any other runtimeparameters used by the Tivoli Identity Manager NT service, do the following:1. Stop the ITIM service.2. Uninstall the ITIM service by running the following command:
{ITIM_HOME}\bin\uninstallItimService.cmd
3. Reboot the computer to ensure that the deletion of the service takes place.4. Make necessary changes by editing the
{ITIM_HOME}\bin\installItimService.cmd file.5. Reinstall the service by running the following command:
{ITIM_HOME}\bin\installItimService.cmd
Note: Starting the Tivoli Identity Manager Server takes several minutes. Watch the{Weblogic_Home}/user_projects/itim/logs/<domain_name>.log file for arunning message. The <domain_name> is the name of the domain definedfor the server earlier during installation.
Testing Tivoli Identity Manager Server CommunicationTo test whether the database, the directory server, and the Tivoli Identity ManagerServer are correctly configured and communicating with each other, do thefollowing:1. Start Tivoli Identity Manager Server and any prerequisite applications.2. Log on to Tivoli Identity Manager.
For example, at a browser window, type the following:http://hostname/enrole
where hostname is the fully-qualified name or IP address of the computer onwhich Tivoli Identity Manager Server is running.
3. Enter the Tivoli Identity Manager administrator user ID (itim manager) andpassword.
4. Take the necessary steps to create a user (an ITIM user).For more information, refer to online help or to the Tivoli Identity ManagerPolicy and Organization Administration Guide.
Certificate Authority for Server-Agent CommunicationUsing the Tivoli Identity Manager system with a Tivoli Identity Manager Agentwill require production certificates to ensure secure communication between theTivoli Identity Manager Server and the Agent. The Certificate Authority thatcorresponds to the Tivoli Identity Manager Agent’s certificate must be located inthe {ITIM_HOME}\cert directory. Refer to the Tivoli Identity Manager ServerConfiguration Guide and to a specific agent’s installation guide for moreinformation.
Notes:
1. In a cluster configuration, the certificate must be installed in the same directoryon each member in order for the agent to locate the certificate.
2. If the default language is not English, before installing the first Tivoli IdentityManager agent, optionally obtain and mount the language pack CD for theTivoli Identity Manager agents. Use command line mode to install the languagepack for the agents on the Tivoli Identity Manager Server:java –jar itimlp_agents_setup.jar
36 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
The Tivoli Identity Manager language pack setup program will start. Tocomplete the language pack installation, follow the instructions that appear inthe setup program panels.
Note: To run the Tivoli Identity Manager language pack setup program, Javaruntime environment 1.3.1 should be accessible from the command line.
3. For recommendations on where to install the agent profile in a clusterconfiguration, refer to the agent installation guide for your specific agent.
Increasing the System Memory UsageThe Tivoli Identity Manager Server is configured to use the least amount ofmemory required for basic operation in a standard installation. By default, theTivoli Identity Manager Server is configured to use a minimum and maximum of256 megabytes (MB) of memory. These values can be modified to enable thesystem to perform at optimum speed.
In order to optimize the performance of the Tivoli Identity Manager Server, 75% ofthe total memory available (up to a maximum of 1024 MB) should be reserved forthe Tivoli Identity Manager Server, assuming no other software is running on thesystem. For example, if there is 1 gigabyte (GB) of memory available on the systemwhere the Tivoli Identity Manager Server is installed, the Tivoli Identity ManagerServer should be configured to use 768 MB.
The following are detailed procedures on how to increase the memory usage forthe Tivoli Identity Manager Server.1. Log into the system where the Tivoli Identity Manager Server is installed.2. Open the Tivoli Identity Manager Server service install script in a text editor.
The script is located in the <ITIM_HOME>\bin directory. In a single-serverinstallation, the script is named installItimService.cmd. In a clusteredinstallation, the script is named install<servername>Service.cmd where<servername> is the name of the managed server.
3. Find the following line in the script:MEM_ARGS=-XX:MaxPermSize=128m -Xms256ms -Xmx256m
4. Change the -Xms and -Xmx settings to an appropriate value based on yourhardware.The -Xms value is the minimum memory usage.The -Xmx value is the maximum memory usage.If Tivoli Identity Manager Server is the only application running on themachine, it is recommended that both the minimum and maximum memoryusage parameters be set to 75% of the available system memory as long as theydo not exceed 1024 MB, individually. BEA also recommends that theseparameters be set to the same value.
5. Save the script.6. Remove the Tivoli Identity Manager service by executing the service uninstall
script (<ITIM_HOME>\bin\uninstallItimService.cmd).7. Re-install the service by executing the service install script
(<ITIM_HOME>\bin\installItimService.cmd).8. Stop and restart the Tivoli Identity Manager service.
Chapter 5. Single Server Installation: Tivoli Identity Manager Server 37
38 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
Chapter 6. Cluster Installation: Tivoli Identity Manager Server
This chapter describes installing and configuring the Tivoli Identity ManagerServer in a regular cluster configuration.
Installation tasks include the following:v “Before You Begin”v “Installing the Tivoli Identity Manager Server” on page 43v “Optionally Installing a Language Pack” on page 72v “Starting and Stopping the Tivoli Identity Manager Server” on page 72v “Testing Tivoli Identity Manager Server Communication” on page 73v “Certificate Authority for Server-Agent Communication” on page 73v “Configuring the Proxy Server” on page 74v “Increasing the System Memory Usage” on page 75
Before You BeginBefore you begin, do the following:v Ensure that the following Tivoli Identity Manager Server prerequisites are met
for a clustered configuration:
Table 2. Prerequisite applications for clustered Tivoli Identity Manager Servers
Prerequisite Running For more information, see
Database U Chapter 3, “Database Configuration”, onpage 9
Directory Server U Chapter 4, “Directory Server Configuration”,on page 15
WebLogic Application Server U
v Ensure free disk space and virtual memory requirements are met. For moreinformation, see Appendix B, “Software and Hardware Requirements onWindows”, on page 83
v Ensure that you have correct administrative authority. If not, obtain the authorityand re-login to the system to activate the proper authorization.The user with administrative authority should have the following rights:– Act as part of the operating system– Log on as a service
v On the computer on which Tivoli Identity Manager will be installed, set theappropriate value for your locale to ensure the language format is recognized.
v The Weblogic Server must be installed in the same location on each eachmember machine of the cluster.
v If you are using Oracle for your database, you need to copy the Oracle JDBCdriver (in the file name classes12.zip) from the supplementary CD into atemporary local directory.
v Complete the information worksheet.
© Copyright IBM Corp. 2003 39
Information Worksheet for Clustered InstallationCollect the following information before you begin installation:
WebLogic InformationCollect the following information about the WebLogic Application Server.
BEA Home Directory___________________________________BEA installation directory. Default value is C:\bea\
WebLogic Application Server Directory_____________________WebLogic Application Server home directory. Default value isC:\bea\weblogic700
Tivoli Identity Manager InformationDetermine the values for the following properties for the Tivoli Identity ManagerServer:
Tivoli Identity Manager__________________________________Directory where Tivoli Identity Manager will be installed.
Domain Base Directory __________________________________Base directory location of the WebLogic domain dedicated to TivoliIdentity Manager.
Domain Name _________________________________________Name of the WebLogic domain dedicated to Tivoli Identity Manager.
Server Name __________________________________________Name of the server where this instance of Tivoli Identity Manager is beinginstalled.
Cluster Name _________________________________________Name assigned to the Tivoli Identity Manager cluster.
Cluster Multicast Address _______________________________Broadcast address used for WebLogic cluster communication.
Cluster Multicast Port __________________________________Port number used to access the other WebLogic Application Servers in thecluster.
Encryption Key _________________________________________Key used to encrypt Tivoli Identity Manager passwords and other sensitivetext. The default value is sunshine. The key can be any word or phrase.This word or phrase should be used as the encryption key for eachmember of the cluster. This value is stored in the enRole.properties file asenrole.encryption.password.
Database InformationCollect the following information for the relational database management system:
Database Type ________________________________________
Type of database used for your system.
Admin ID ____________________________________________
The Administrator User ID that you created when you configured thedatabase.
Admin Password ______________________________________
The password for the Administrator user ID.
Database Name _______________________________________
40 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
Name of the database to be used with the Tivoli Identity Manager Server.
Credentials for the database:
Database User
The account that Tivoli Identity Manager Server uses to connect tothe database. The user ID is enrole.
Note: This user ID cannot be changed.
User Password
Password for the account that Tivoli Identity Manager Server usesto connect to the database. This password can be changed usingthe System Configuration Tool. See the Tivoli Identity ManagerServer Configuration Guide for more information about the SystemConfiguration Tool.
IP Address ___________________________________________
IP address or hostname of the database server. Required for Oracle andSQL Server 2000 databases.
Port Number ___________________________________________
Port number of the database server. Required for Oracle and SQL Server2000 databases.
Additionally, the installation windows report the following Database Poolinformation during installation. The database pool information determines thenumber of JDBC connections that Tivoli Identity Manager Server can open to thedatabase. For more information, refer to the Tivoli Identity Manager ServerConfiguration Guide.
Evaluate the following in relation to your site needs:
Initial CapacityInitial number of JDBC connections that Tivoli Identity Manager Server canopen to the database
Maximum CapacityMaximum number of JDBC connections that Tivoli Identity ManagerServer can open to the database at any one time
Login Delay SecondsTime, in seconds, between connection creation.
Directory Server InformationCollect the following information:
Principal DN ___________________________________________
The directory server Administrator user ID. For example, cn=root.
Password ______________________________________________
The password of the Principal Distinguished Name user ID that youcreated when installing the directory server.
Host name _____________________________________________
Fully-qualified host name of the directory server. For example,identity1.mylab.mydomain.com.
Port __________________________________________________
Chapter 6. Cluster Installation: Tivoli Identity Manager Server 41
Port on which the directory server is listening, such as 389.
Number of hash buckets __________________________________
A hash bucket is a notional receptacle, a set of which might be used toapportion data items for sorting or lookup purposes. Evaluate the default(1) in relation to your site needs.
Name of your organization _________________________________
The value that you enter in the Name of Your Organization field will bedisplayed in the organization chart that is displayed on many of the TivoliIdentity Manager graphical user interface screens. This value is typicallythe more formal name of your company. For example, an organizationname is IBM Corporation.
Note: You may enter either single-byte (ASCII) characters or double-bytecharacter set characters in this field.
Default Org Short Name ___________________________________
The value that you enter in the Default Org Short Name field will be usedinternally in Sun ONE Directory Server to represent your organization.This value is typically an abbreviation of your company name. Forexample, a short name is ibmcorp.
Note: Enter only single-byte (ASCII) characters in the Default Org ShortName field, such as an identifier in English.
Identity Manager DN Location ______________________________
The value such as dc=com that you enter in the Location field must matchthe suffix (for example, dc=com) that you created when you configuredLDAP.
Additionally, the installation windows report the following LDAP Connection PoolInformation fields for a pool of LDAP connections accessible by Tivoli IdentityManager Server. For more information, refer to the Tivoli Identity Manager ServerConfiguration Guide.
Evaluate the following in relation to your site needs:
Max. pool sizeMaximum number of connections the LDAP Connection Pool can have atany time
Initial pool sizeInitial number of connections created for the LDAP Connection Pool
Increment countNumber of connections added to the LDAP Connection Pool every time aconnection is requested once all connections are in use
Tivoli Identity Manager Logon InformationNote the following information for Tivoli Identity Manager:
User ID _______________________________________________
The Tivoli Identity Manager user ID. The default after installation is itimmanager. Use this user ID when you log on to Tivoli Identity Manager.
Password _____________________________________________
42 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
Password for the Tivoli Identity Manager user ID specified as itimmanager. The default password after installation is secret .
Note: It is important that you change this password and make a record ofthe new password immediately after you first log on.
Installing the Tivoli Identity Manager ServerInstalling Tivoli Identity Manager requires installing the Tivoli Identity ManagerServer and configuring various server properties to enable it to connect to thedatabase and directory server. In a cluster configuration, an admin server and themanaged servers must be installed individually.
Installing a Tivoli Identity Manager admin server loads Tivoli Identity Managerresources onto the WebLogic Administration Server of a WebLogic cluster. TivoliIdentity Manager resources include information such as directory server connectioninformation, database information, and managed resources location information.
Installing a Tivoli Identity Manager managed server loads the Tivoli IdentityManager Application Server onto a managed server in the WebLogic cluster. TheTivoli Identity Manager Application Server uses the information on the adminserver to connect to the various resources, however, the actual processing ofrequests is completed by the managed server.
The following flowchart describes the basic sequence of windows that install TivoliIdentity Manager in a clustered configuration.
Note: The admin server must be installed before any of the managed servers areinstalled in the cluster.
Chapter 6. Cluster Installation: Tivoli Identity Manager Server 43
SingleServer
WebLogicalready
installed?
Single ServerInstallation
Select Type ofInstallation
Cluster Installation
No Exit Installation.Install WebLogic.
Restart Installation.
Yes
Enter WebLogicDirectory Information
Select Type ofServer to Install
Enter Tivoli Identity ManagerInstallation Directory
Admin Server Managed Server
Enter Tivoli Identity ManagerDomain Location
Enter Tivoli Identity ManagerCluster Information
Select Database Type
Enter Encryption Key
Pre-installation Summary
Configure Directory ServerConnection
Configure DatabaseConfiguration
Configure DatabaseConnection
Configure Tivoli IdentityManager Server
Register ManagedServers
Enter Tivoli Identity ManagerInstallation Directory
Enter Tivoli Identity ManagerDomain Location
Enter Admin ServerInformation
Enter Directory ServerInformation
Enter Encryption Key
Pre-installation Summary
Configure DatabaseConfiguration
Configure Tivoli IdentityManager Server
Configure theProxy Server
(Optional)
Figure 24. Clustered Tivoli Identity Manager Server Installation Overview
44 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
Installing the Admin ServerThe following sections describe, in detail, the procedures to install the adminserver for a clustered Tivoli Identity Manager Server.
Note: The admin server must be installed before any managed servers areinstalled.
Navigate Initial Welcome and Licensing WindowsA series of welcome and licensing windows start the installation process. Tonavigate the initial windows, do the following:1. Log on to the computer where the Tivoli Identity Manager Server will be
installed.
Note: You must log on using an account with system administration privileges.2. Insert the Tivoli Identity Manager Product CD into the CD-ROM drive.3. Click Start –> Run.4. Type your CD-ROM drive and then type the following command:
instW2K-WL.exe
Note: If your logon account does not have permission to executeinstW2K-WL.exe, you must grant the account permission to execute thisfile.
The Language Selection window opens.
5. Select the desired language in the language drop-down menu and click OK.The License Agreement window opens.
Figure 25. Language Selection window
Chapter 6. Cluster Installation: Tivoli Identity Manager Server 45
6. Read the license agreement and decide whether to accept its terms.7. Select the I accept the terms of the License Agreement radio button if you
agree to the terms and click Next.The Choose Installation Type window opens. Proceed with choosing aninstallation type.
Figure 26. License Agreement Window
Figure 27. Choose Installation Type Window
46 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
Select the Installation Type and DirectoriesThe next steps determine the type of Tivoli Identity Manager to install and thelocation of the WebLogic Application Server used by Tivoli Identity Manager.1. Select the radio button for the type of installation you desire in the Choose
Installation Type window and click Next.If you want to install a single-server version of Tivoli Identity Manager, selectthe Single Server radio button. If you want to install a clustered version ofTivoli Identity Manager, select the Cluster radio button.The Have you installed BEA WebLogic Server 7.0? window opens.
2. Click Yes if you have already installed the WebLogic Application Server.If you click No, you can continue with the installation but you will have toinstall WebLogic 7.0 before Tivoli Identity Manager will run. It is recommendedthat you exit the installation and install the WebLogic Application Server beforeinstalling Tivoli Identity Manager.The Where have you installed WebLogic Server 7.0? window opens.
3. Enter the BEA home directory and the WebLogic Application Server homedirectories in their respective fields and click Next.
Note: In a clustered installation, the WebLogic Application Server homedirectory should be the same for each member of the cluster.
See the following section to proceed with the installation process.
Determine the Cluster’s ConfigurationThis section describes the procedures to specify the type of server to install for thecluster and the cluster information.
The previous section ended with the Specify the Server Type window open.
Figure 28. Where have you installed WebLogic Server 7.0? Window
Chapter 6. Cluster Installation: Tivoli Identity Manager Server 47
1. Select the Admin Server radio button in the Specify the Server Type windowand click Next.The Choose Install Folder window opens.
2. Accept the default installation directory (C:\itim45) or enter a differentinstallation directory and click Next.The Specify the Tivoli Identity Manager Domain Information window opens.
Figure 29. Specify the Server Type Window
Figure 30. Choose Install Folder Window
48 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
3. Accept the default domain base directory (C:\bea\user_projects) or enter adifferent directory location.
4. Enter the name of the domain to which the Tivoli Identity Manager Server willbe added in the Domain Name field.
5. Enter the name of the Tivoli Identity Manager Server in the Server Name fieldand click Next.The Specify the Cluster Information window opens.
Figure 31. Specify the Tivoli Identity Manager Domain Information Window
Figure 32. Specify the Cluster Information Window
Chapter 6. Cluster Installation: Tivoli Identity Manager Server 49
6. Enter the cluster’s name, multicast address, and multicast port number in therespective fields and click Next.See “Tivoli Identity Manager Information” on page 40 for more informationabout these values.Proceed to the following section to continue with the installation process.
Specifying the DatabaseThe previous section ended with the Choose the Database Type window open.
Select the radio button next to the type of database to use with Tivoli IdentityManager in the Choose the Database Type window and click Next.
The Specify Encryption Key window opens.
Specify the Encryption Key and Install the Tivoli IdentityManager ServerThe previous section ended with the Specify the Encryption Key window open.
Figure 33. Choose the Database Type Window
50 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
1. Enter the encryption key and click Next.The encryption key is used to encrypt Tivoli Identity Manager passwords andother sensitive text. The default encryption key is sunshine. It is recommendedthat you change the encryption key.
Note: The encryption key you input here must be the same as the one specifiedduring the admin server installation.
The Pre-Installation Summary window opens.
Figure 34. Specify the Encryption Key Window
Chapter 6. Cluster Installation: Tivoli Identity Manager Server 51
2. Review the information listed.If any of the information is incorrect, click Previous and correct the values. Ifthere is not enough disk space, cancel the installation and ensure that therequired disk space is available before installing Tivoli Identity Manager.
3. Click Install.A series of installation progress windows open during the interval that theinstallation requires. After the installation completes, you must configure theTivoli Identity Manager Server.
4. Proceed to the following section to continue with the installation process.
Initial Configuration of Tivoli Identity Manager DatabaseAfter the Tivoli Identity Manager Server is installed, the Tivoli Identity Managerdatabase must be configured. The installation program uses the databaseconfiguration tool to configure the database.
The previous section ended with the IBM Tivoli Identity Manager DatabaseConfiguration window open.
Figure 35. Pre-Installation Summary Window
52 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
Note: If you are using Oracle for your database, you will need to copy the OracleJDBC driver (in the file name classes12.zip) from the temporary localdirectory (where you saved the JDBC driver from the supplementary CDearlier) to the <ITIM_HOME>\lib directory.
1. Enter the database connection information in the appropriate fields of the IBMTivoli Identity Manager Database Configuration window and click Test.If the test is successful, a message window opens confirming that theconnection is successful.
2. Click OK.The IBM Tivoli Identity Manager Database Configuration window reappearswith the Identity Manager User Information fields active.
3. Enter the Tivoli Identity Manager user ID and password in their respectivefields and click Continue.The default values for these fields are listed in the information worksheet. Amessage window opens confirming that the database configuration is complete.
4. Click OK.The IBM Tivoli Identity Manager Directory Configuration window opens.
5. Proceed to configure the directory to continue with the installation process.
Initial Configuration of the Directory for Tivoli Identity ManagerThe Tivoli Identity Manager directory server connection must be configured afterinstalling the Tivoli Identity Manager Server. The following procedures describehow to configure the Tivoli Identity Manager Server to recognize the directoryserver.
The previous section ended with the IBM Tivoli Identity Manager DirectoryConfiguration window open.
Figure 36. IBM Tivoli Identity Manager Database Configuration Window
Chapter 6. Cluster Installation: Tivoli Identity Manager Server 53
1. Enter the LDAP server information in the appropriate fields of the IBM TivoliIdentity Manager Directory Configuration window and click Test.If the test is successful, a message window opens confirming that theconnection was successful.
2. Click OK.The IBM Tivoli Identity Manager Directory Configuration window reappearswith the Identity Manager Directory Information fields active.
Figure 37. IBM Tivoli Identity Manager Directory Configuration Window
54 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
3. Select the database used with Tivoli Identity Manager.4. Accept the default number of hash buckets or enter a new value.
Hash buckets can hold up to 1,000,000 entries.5. Complete the remaining Identity Manager Directory Information fields and
click Continue.See the information worksheet for more information about each field. Amessage window opens confirming that the directory server configuration wassuccessful.
6. Click OK.The directory server configuration tool closes and the system configuration toolwindow opens.
Initial Configuration of Tivoli Identity ManagerThe remaining windows provide an initial configuration of Tivoli IdentityManager. During this activity, you can change values you initially set for thedatabase server and the directory server and modify some system defaultconfiguration values. Default values that must be modified are detailed in theprocedures.1. Verify that the information listed on the General tab is correct.
Figure 38. IBM Tivoli Identity Manager Directory Configuration Window (all fields active)
Chapter 6. Cluster Installation: Tivoli Identity Manager Server 55
2. Click the Directory tab and verify that the information listed is correct.If any of the information is not correct, modify the information and click Testto verify that the connection information is correct.
3. Click the Database tab and verify that the information listed is correct.If the information is not correct, modify the information and click Test toverify that the connection information is correct.
Figure 39. General Tab of the System Configuration Window
Figure 40. Directory Tab of the System Configuration Window
56 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
4. Click the Logging tab and modify the level of logging as desired.
5. Click the Mail tab and verify that the Identity Manager Server URL is correct.
Note: In a clustered configuration, the Identity Manager Server URL shouldbe the URL of the proxy server, if one is used.
Figure 41. Database Tab of the System Configuration Window
Figure 42. Logging Tab of the System Configuration Window
Chapter 6. Cluster Installation: Tivoli Identity Manager Server 57
6. Change the Mail From address to the Tivoli Identity Manager systemadministrator e-mail address for your site.
Note: You must change this address. The default address is a valid IBMe-mail address. If you do not change this address you will send spamto the e-mail address listed.
7. Enter the mail server name in the respective field.8. Click the UI tab and modify the values as desired.
Refer to the Tivoli Identity Manager Server Configuration Guide for additionalinformation about customizing the user interface.
Figure 43. Mail Tab of the System Configuration Window
Figure 44. UI Tab of the System Configuration Window
58 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
9. Click the Security tab and modify the values as desired.
10. Click OK to finish configuring the Tivoli Identity Manager Server.11. Proceed to the following section to continue with the installation process.
Registering a Managed ServerThis section describes how to register a managed server with the Admin Server.Managed servers can be registered before Tivoli Identity Manager is installed onthe system.
The previous section ended with the Register Managed Server window open.
Figure 45. Security Tab of the System Configuration Window
Figure 46. Register Managed Server Window
Chapter 6. Cluster Installation: Tivoli Identity Manager Server 59
1. Click Add in the Register Managed Server window.The Edit Server Info window opens.
2. Enter the managed server connection information into the appropriate fieldsand click Add.
Note: The Listening Address can be an IP address or a hostname.
The Edit Server Info window closes and the Register Managed Server windowreappears with the managed server listed.
3. Repeat the previous procedures to add additional managed servers.4. Click Save after all managed servers have been registered.
The Install Complete window opens.5. Click Done to finish the installation process.
Installing a Managed ServerThe following sections describe, in detail, the steps to install a managed server fora clustered Tivoli Identity Manager Server. The managed server must be registeredwith the admin server before being installed. If the managed server has not beenregistered with the admin server, the managed server will not be recognized as amember of the cluster.
If the admin server has not been installed, see “Installing the Admin Server” onpage 45. If the admin server has been installed but the managed server has notbeen registered with it, execute the registerManagedServers.exe program in the{$ITIM_HOME}\bin directory on the admin server and register the managed serverbefore installing it.
The following procedures must be repeated for each managed server in the cluster.
Note: If you are running a managed server on the same computer as the adminserver, it is unnecessary to run the installation for a managed server. Thecommands to start the managed server will automatically be created whenyou register the managed server with the admin server.
Navigate Initial Welcome and Licensing WindowsA series of welcome and licensing windows start the installation process. Tonavigate the initial windows, do the following:1. Log on to the computer where the Tivoli Identity Manager Server will be
installed.
Figure 47. Edit Server Info Window
60 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
Note: You must log on using an account with system administration privileges.2. Insert the Tivoli Identity Manager Product CD into the CD-ROM drive.3. Click Start –> Run.4. Type your CD-ROM drive and then type the following command:
instW2K-WL.exe
Note: If your logon account does not have permission to executeinstW2K-WL.exe, you must grant the account permission to execute thisfile.
The Language Selection window opens.
5. Select the desired language in the language drop-down menu and click OK.The License Agreement window opens.
6. Read the license agreement and decide whether to accept its terms.
Figure 48. Language Selection window
Figure 49. License Agreement Window
Chapter 6. Cluster Installation: Tivoli Identity Manager Server 61
7. Select the I accept the terms of the License Agreement radio button if youagree to the terms and click Next.The Choose Installation Type window opens. Proceed with choosing aninstallation type.
Select the Installation Type and DirectoriesThe next steps determine the type of Tivoli Identity Manager to install and thelocation of the WebLogic Application Server used by Tivoli Identity Manager.1. Select the radio button for the type of installation you desire in the Choose
Installation Type window and click Next.If you want to install a single-server version of Tivoli Identity Manager, selectthe Single Server radio button. If you want to install a clustered version ofTivoli Identity Manager, select the Cluster radio button.The Have you installed BEA WebLogic Server 7.0? window opens.
2. Click Yes if you have already installed the WebLogic Application Server.If you click No, you can continue with the installation but you will have toinstall WebLogic 7.0 before Tivoli Identity Manager will run. It is recommendedthat you exit the installation and install the WebLogic Application Server beforeinstalling Tivoli Identity Manager.The Where have you installed WebLogic Server 7.0? window opens.
Figure 50. Choose Installation Type Window
62 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
3. Enter the BEA home directory and the WebLogic Application Server homedirectories in their respective fields and click Next.
Note: In a clustered installation, the WebLogic Application Server homedirectory should be the same for each member of the cluster.
See the following section to proceed with the installation process.
Determine the Cluster’s ConfigurationThis section describes the procedures to specify the type of server to install for thecluster and the cluster information. The previous section ended with the Specifythe Server Type window open.
Figure 51. Where have you installed WebLogic Server 7.0? Window
Chapter 6. Cluster Installation: Tivoli Identity Manager Server 63
1. Select the Managed Server(s) radio button in the Specify Server Type windowand click Next.The Choose Install Folder window opens.
2. Accept the default Tivoli Identity Manager installation directory (C:\itim45) orenter a different installation directory and click Next.The Specify the Tivoli Identity Manager Domain Information window opens.
Figure 52. Specify Server Type Window
Figure 53. Choose Install Folder Window
64 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
3. Accept the default domain base directory (C:\bea\user_projects) or enter adifferent directory location and click Next.The Specify the Admin Server Information window opens.
4. Verify that the admin server is running.5. Modify the default admin server URL to match your admin server’s URL.6. Accept the default WebLogic user password if you did not change the user
password during the admin server install and click Next
Figure 54. Specify the IBM Tivoli Identity Manager Domain Information Window
Figure 55. Specify the Admin Server Information Window
Chapter 6. Cluster Installation: Tivoli Identity Manager Server 65
If you changed the WebLogic user password when you installed the adminserver, you must enter that same password during each managed serverinstallation.The Specify the LDAP Directory Server Information window opens. Proceed tothe following section to continue with the installation process.
Specify Directory Server Connection Information1. Enter the directory server information in the appropriate fields in the Specify
the LDAP Directory Server Information window.These values must match the values entered during the admin serverinstallation.
2. Click Next.The Specify the Encryption Key window opens.
Specifying the DatabaseThe previous section ended with the Choose the Database Type window open.
Figure 56. Specify the LDAP Directory Server Information Window
66 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
Select the radio button next to the type of database to use with Tivoli IdentityManager in the Choose the Database Type window and click Next.
The Specify Encryption Key window opens.
Specify the Encryption Key and Install the Tivoli IdentityManager ServerThe previous section ended with the Specify the Encryption Key window open.
Figure 57. Choose the Database Type Window
Figure 58. Specify the Encryption Key Window
Chapter 6. Cluster Installation: Tivoli Identity Manager Server 67
1. Enter the encryption key and click Next.The encryption key is used to encrypt Tivoli Identity Manager passwords andother sensitive text. The default encryption key is sunshine. It is recommendedthat you change the encryption key.
Note: The encryption key you input here must be the same as the one specifiedduring the admin server installation.
The Pre-Installation Summary window opens.
2. Review the information listed.If any of the information is incorrect, click Previous and correct the values. Ifthere is not enough disk space, cancel the installation and ensure that therequired disk space is available before installing Tivoli Identity Manager.
3. Click Install.A series of installation progress windows open during the interval that theinstallation requires. After the installation completes, you must configure theTivoli Identity Manager Server.
4. Proceed to the following section to continue with the installation process.
Initial Configuration of a Managed Tivoli Identity Manager ServerConfiguring a managed server is very similar to configuring an admin server. Thefollowing procedures describe how to configure a managed server. Many of thevalues used to configure the admin server will need to be used for the managedserver.1. Verify that the information listed on the General tab is correct.
If any of the information is not correct, modify the information and clickApply.
Figure 59. Pre-Installation Summary Window
68 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
2. Click the Directory tab and verify that the information listed is correct.If the information is not correct, modify the information and click Test. If thetest is successful, click Apply.
3. Click the Logging tab and modify the level of logging as desired.If the managed server is on a separate computer from the admin server, thelogging level defined will only apply to the managed server.If you modify any value, click Apply.
Figure 60. General Tab of the System Configuration Tool for Managed Servers
Figure 61. Directory Tab of the System Configuration Tool for Managed Servers
Chapter 6. Cluster Installation: Tivoli Identity Manager Server 69
4. Click the Mail tab and verify that the Identity Manager Server URL is correct.
Note: In a clustered configuration, the Identity Manager Server URL shouldbe the URL of the proxy server, if one is used.
5. Change the Mail From address to the Tivoli Identity Manager systemadministrator e-mail address for your site.This value should be the same address entered during configuration of theadmin server.
Note: You must change this address. The default address is a valid IBMe-mail address. If you do not change this address you will send spamto the e-mail address listed.
Figure 62. Logging Tab of the System Configuration Tool for Managed Servers
Figure 63. Mail Tab of the System Configuration Tool for Managed Servers
70 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
6. Enter the mail server name in the respective field and click Apply.7. Click the UI tab and modify the values as desired.
Refer to the Tivoli Identity Manager Server Configuration Guide for additionalinformation about customizing the user interface.
If you modified any value, click Apply.8. Click the Security tab and modify the values as desired.
If you modified any value, click Apply.
9. Click OK to finish configuring the Tivoli Identity Manager Server.The Install Complete window opens.
Figure 64. UI Tab of the System Configuration Tool for Managed Servers
Figure 65. Security Tab of the System Configuration Tool for Managed Servers
Chapter 6. Cluster Installation: Tivoli Identity Manager Server 71
10. Click Done to finish the installation process.
Optionally Installing a Language PackAfter installing Tivoli Identity Manager, if the default language is not English,optionally obtain and mount the language pack CD for the Tivoli Identity ManagerServer. Use command line mode to install the language pack. For example, enterthe following:java –jar itimlp_setup.jar
The Tivoli Identity Manager language pack setup program will start. To completethe language pack installation, follow the instructions that appear in the setupprogram panels.
Note: To run the Tivoli Identity Manager language pack setup program, Javaruntime environment 1.3.1 should be accessible from the command line.
Starting and Stopping the Tivoli Identity Manager ServerThe Tivoli Identity Manager admin server is configured to start automatically afterinstallation. However, the managed servers must be started after installation. Thissection describes how to start and stop an Tivoli Identity Manager Server.
On Windows servers, a service named Tivoli Identity ManagerdomainName_serverName is installed. The domainName is the name of the domain inwhich the Tivoli Identity Manager Server was installed. The serverName is thename assigned to the Tivoli Identity Manager Server during installation.
Use the services console to start the Tivoli Identity Manager Server.
Using Tivoli Identity Manager on Windows for WebLogic, additional steps arerequired to modify parameters when Tivoli Identity Manager is started as aservice. In order to modify the classpath, jvm switches or any other runtimeparameters used by the Tivoli Identity Manager NT service, do the following:1. Stop the ITIM service.2. Uninstall the ITIM service by running one of the following commands:
If uninstalling from the admin server:{ITIM_HOME}\bin\uninstallItimService.cmd
If uninstalling from a managed server:{ITIM_HOME}\bin\uninstall<serverName>Service.cmd
where serverName is the managed server name which is defined duringmanaged server registration on the admin server side.
3. Reboot the computer to ensure that the deletion of the service takes place.4. Make necessary changes by editing the
{ITIM_HOME}\bin\installItimService.cmd or{ITIM_HOME}\bin\install<serverName>Service.cmd file.
5. Reinstall the service by running the following command:If installing to the admin server:{ITIM_HOME}\bin\installItimService.cmd
If installing to a managed server:
72 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
{ITIM_HOME}\bin\install<serverName>Service.cmd
where serverName is the managed server name which is defined duringmanaged server registration on the admin server side.
Note: Starting the Tivoli Identity Manager Server takes several minutes. Watch the<serverName>.log file for a running message. The <serverName> is the nameof the server defined earlier during installation. The log file is located in{$Weblogic_Home}/user_projects/itim/logs/ on the admin server and in{$Weblogic_Home}/user_projects/itim/logs/<serverName>/ on the managedservers.
Testing Tivoli Identity Manager Server CommunicationTo test whether the database, the directory server, and the Tivoli Identity ManagerServer are correctly configured and communicating with each other, do thefollowing:1. Start Tivoli Identity Manager Server and any prerequisite applications.2. Log on to Tivoli Identity Manager.
For example, at a browser window, type the following:http://hostname/enrole
where hostname is the fully-qualified name or IP address of the computer onwhich Tivoli Identity Manager Server is running.
3. Enter the Tivoli Identity Manager administrator user ID (itim manager) andpassword.
4. Take the necessary steps to create a user (an ITIM user).For more information, refer to online help or to the Tivoli Identity ManagerPolicy and Organization Administration Guide.
Certificate Authority for Server-Agent CommunicationUsing the Tivoli Identity Manager system with a Tivoli Identity Manager Agentwill require production certificates to ensure secure communication between theTivoli Identity Manager Server and the Agent. The Certificate Authority thatcorresponds to the Tivoli Identity Manager Agent’s certificate must be located inthe {ITIM_HOME}\cert directory. Refer to the Tivoli Identity Manager ServerConfiguration Guide and to a specific agent’s installation guide for moreinformation.
Notes:
1. In a cluster configuration, the certificate must be installed in the same directoryon each member in order for the agent to locate the certificate.
2. If the default language is not English, before installing the first Tivoli IdentityManager agent, optionally obtain and mount the language pack CD for theTivoli Identity Manager agents. Use command line mode to install the languagepack for the agents on the Tivoli Identity Manager Server:java –jar itimlp_agents_setup.jar
The Tivoli Identity Manager language pack setup program will start. Tocomplete the language pack installation, follow the instructions that appear inthe setup program panels.
Chapter 6. Cluster Installation: Tivoli Identity Manager Server 73
Note: To run the Tivoli Identity Manager language pack setup program, Javaruntime environment 1.3.1 should be accessible from the command line.
3. For recommendations on where to install the agent profile in a clusterconfiguration, refer to the agent installation guide for your specific agent.
Configuring the Proxy ServerAfter installing the Tivoli Identity Manager Server, you must configure your Webproxy server to recognize the clustered Tivoli Identity Manager Server, if you areusing a Web proxy server. The Web proxy server acts as a load balancer for thecluster.
The following sections describe how to configure your Web proxy server for usewith Tivoli Identity Manager Server. WebLogic can use the Microsoft InternetInformation Services (IIS) HTTP Server or the Apache HTTP Server as a Web proxyserver. Refer to the WebLogic user manual for the latest supported version of theIIS and Apache HTTP Servers.
IIS HTTP Server ConfigurationThe following procedures describe how to configure the IIS HTTP Server for usewith the Tivoli Identity Manager Server. For detailed information on configuringthe IIS HTTP Server, refer to the IIS HTTP Server documentation.1. Log into the system where the Tivoli Identity Manager Server is installed.2. Copy the iisproxy.dll from the WEBLOGIC_HOME\server\bin directory of your
WebLogic Server into a directory that is accessible by the IIS HTTP Server, forexample C:\winnt\system32\inetsrv.
3. Create a file called iisproxy.ini in the WEBLOGIC_HOME\server\bin directorythat contains the following lines:# This file contains initialization name/value pairs# for the IIS/WebLogic plug-in.
WebLogicCluster=IPAddress1:port, IPAddress2:port
IPAddress1 and IPAddress2 should be the IP addresses and port numbers forthe managed servers in the cluster. If you have more than two managed serversin the cluster, you must append the list with the additional server information.
4. Copy the iisproxy.ini file to the directory where the copy of the iisproxy.dllfile is located.
5. Add the application extension mapping to the IIS HTTP Server using the IISservice manager.Refer to the Microsoft Internet Information Services documentation for detailedprocedures.
6. Restart the IIS HTTP Server.
Apache HTTP Server ConfigurationThe following procedures describe how to configure the Apache HTTP Server foruse with Tivoli Identity Manager. For detailed information on configuring theApache HTTP Server, refer to the Apache HTTP Server documentation.1. Log into the system where the Tivoli Identity Manager Server is installed.2. Copy the mod_wl_20.so file from the {WEBLOGIC_HOME}\server\bin directory of
your WebLogic Server to the {APACHE_HOME}\modules directory.3. Add the following lines to the {APACHE_HOME}\conf\httpd.conf file:
74 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
LoadModule weblogic_module modules/mod_wl_20.so
<Location /enrole>SetHandler weblogic-handler
</Location>
<IfModule mod_weblogic.c>WebLogicCluster IPAddress1:port,IPAddress2:port
</IfModule>
IPAddress1 and IPAddress2 should be the IP addresses and port numbers forthe managed servers in the cluster. If you have more than two managed serversin the cluster, you must append the list with the additional server information.
4. Verify that the syntax of the APACHE_HOME\conf\httpd.conf file is correct usingthe following command:APACHE_HOME\bin\httpd> configtest
5. Restart the WebLogic Server.6. Restart the Apache HTTP Server.
Increasing the System Memory UsageThe Tivoli Identity Manager Server is configured to use the least amount ofmemory required for basic operation in a standard installation. By default, theTivoli Identity Manager Server is configured to use a minimum and maximum of256 megabytes (MB) of memory. These values can be modified to enable thesystem to perform at optimum speed.
In order to optimize the performance of the Tivoli Identity Manager Server, 75% ofthe total memory available (up to a maximum of 1024 MB) should be reserved forthe Tivoli Identity Manager Server, assuming no other software is running on thesystem. For example, if there is 1 gigabyte (GB) of memory available on the systemwhere the Tivoli Identity Manager Server is installed, the Tivoli Identity ManagerServer should be configured to use 768 MB.
The following are detailed procedures on how to increase the memory usage forthe Tivoli Identity Manager Server.1. Log into the system where the Tivoli Identity Manager Server is installed.2. Open the Tivoli Identity Manager Server service install script in a text editor.
The script is located in the <ITIM_HOME>\bin directory. In a single-serverinstallation, the script is named installItimService.cmd. In a clusteredinstallation, the script is named install<servername>Service.cmd where<servername> is the name of the managed server.
3. Find the following line in the script:MEM_ARGS=-XX:MaxPermSize=128m -Xms256ms -Xmx256m
4. Change the -Xms and -Xmx settings to an appropriate value based on yourhardware.The -Xms value is the minimum memory usage.The -Xmx value is the maximum memory usage.If Tivoli Identity Manager Server is the only application running on themachine, it is recommended that both the minimum and maximum memoryusage parameters be set to 75% of the available system memory as long as theydo not exceed 1024 MB, individually. BEA also recommends that theseparameters be set to the same value.
Chapter 6. Cluster Installation: Tivoli Identity Manager Server 75
5. Save the script.6. Remove the Tivoli Identity Manager service by executing the service uninstall
script (<ITIM_HOME>\bin\uninstallItimService.cmd).7. Re-install the service by executing the service install script
(<ITIM_HOME>\bin\installItimService.cmd).8. Stop and restart the Tivoli Identity Manager service.
76 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
Appendix A. Compact Discs
Tivoli Identity Manager Server installation provides the following compact discs(CDs). If you do not have all listed CDs, contact IBM Support.
Language Packs CDThe following table itemizes the contents of the language pack CD.
Table 3. Contents of Language Pack CD
Product File Name
language packs itimlp_setup.jar, itimlp_agents_setup.jar
Base Code Solaris CD for Tivoli Identity Manager using WebSphereApplication Server
The following table itemizes the contents of the base code Solaris CD for TivoliIdentity Manager using WebSphere Application Server:
Table 4. Contents of base code Solaris CD for Tivoli Identity Manager using WebSphereApplication Server
Product File Name
Tivoli Identity Manager Version 4.5 forWebSphere Application Server
instSOL-WAS.bin
Documentation ReadMeFirst Docs-ReadMeFirst.pdf
Base Code Solaris CD for Tivoli Identity Manager for non-IBMApplication Servers
The following table itemizes the contents of the base code Solaris CD for TivoliIdentity Manager using non-IBM Application Servers (WebLogic):
Table 5. Contents of base code Solaris CD for Tivoli Identity Manager using WebLogic
Product File Name
Tivoli Identity Manager Version 4.5 forWebLogic
instSOL-WL.bin
Documentation ReadMeFirst Docs-ReadMeFirst.pdf
Supplemental Solaris CD 1The following table itemizes the contents of supplemental Solaris CD 1:
Table 6. Contents of Supplemental Solaris CD 1
Product File Name
WebSphere Application Server base Version5.0 Fix Pack 2
was50_fp2_solaris.zip
© Copyright IBM Corp. 2003 77
Table 6. Contents of Supplemental Solaris CD 1 (continued)
Product File Name
WebSphere Application Server NetworkDeployment Version 5.0 Fix Pack 2
was50_nd_fp2_solaris.zip
WebSphere Application Server base Version5.0.2 interim fix (APAR PQ75794)
PQ75794.zip
WebSphere Application Server base andWebSphere Application Server NetworkDeployment Version 5.0.2 interim fix (APARSOV62778)
ibmorb.jar
WebSphere Application Server JSP Compileinterim fix (APAR PQ77263)
PQ77263.zip
Supplemental Solaris CD 2The following table itemizes the contents of supplemental Solaris CD 2:
Table 7. Contents of Supplemental Solaris CD 2
Product File Name
IBM Directory Server Version 5.1 ids510-solaris-ismp-us.tar
IBM Directory Server Version 5.1 Fix Pack 1 FP510S-01.tar.Z
IBM Directory Server referential integrityplug-in
DelRef/aix/libdelref.aDelRef/hpux/libdelref.slDelRef/nt/libdelref.dllDelRef/sun/libdelref.so
Tivoli Identity Manager Version 4.5configuration file
DelRef/timdelref.conf
Supplemental Solaris CD 3The following table itemizes the contents of supplemental Solaris CD 3:
Table 8. Contents of Supplemental Solaris CD 3
Product File Name
IBM DB2 Version 8.1 Fix Pack 2 (32 and 64Bit)
Sol-FP2_U486567.tar.Z
Supplemental Solaris CD 4The following table itemizes the contents of supplemental Solaris CD 4:
Table 9. Contents of Supplemental Solaris CD 4
Product File Name
Oracle Type 4 JDBC driver classes12.zip
Oracle Type 4 JDBC driver license file LI_en
78 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
Base Code AIX CD for Tivoli Identity Manager using WebSphereApplication Server
The following table itemizes the contents of the base code AIX CD for TivoliIdentity Manager using WebSphere Application Server:
Table 10. Contents of base code AIX CD for Tivoli Identity Manager using WebSphereApplication Server
Product File Name
Tivoli Identity Manager Version 4.5 usingWebSphere Application Server
instAIX-WAS.bin
Documentation ReadMeFirst Docs-ReadMeFirst.pdf
Base Code AIX CD for Tivoli Identity Manager for non-IBM ApplicationServers
The following table itemizes the contents of the base code AIX CD for TivoliIdentity Manager using non-IBM application servers (WebLogic):
Table 11. Contents of base code AIX CD for Tivoli Identity Manager using WebLogic
Product File Name
Tivoli Identity Manager Version 4.5 forWebLogic
instAIX-WL.bin
Documentation ReadMeFirst Docs-ReadMeFirst.pdf
Supplemental AIX CD 1
Note: Because of size constraints, the Fix Pack 2 for IBM DB2 on AIX is notprovided on a supplemental CD. To obtain Fix Pack 2 for IBM DB2 on AIX,access the following FTP site:ftp://ftp.software.ibm.com/ps/products/db2/fixes/english-us/db2aix5v8/fixpak/FP2_U486566/
or access the following Web site:http://www-3.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/v8fphist.d2w/report#AIX5
The following table itemizes the contents of supplemental AIX CD 1:
Table 12. Contents of Supplemental AIX CD 1
Product File Name
WebSphere Application Server base Version5.0 Fix Pack 2
was50_fp2_aix.zip
WebSphere Application Server NetworkDeployment Version 5.0 Fix Pack 2
was50_nd_fp2_aix.zip
WebSphere Application Server base Version5.0.2 interim fix (APAR PQ75794)
PQ75794.zip
WebSphere Application Server base andWebSphere Application Server NetworkDeployment Version 5.0.2 interim fix (APARSOV62778)
ibmorb.jar
Appendix A. Compact Discs 79
Table 12. Contents of Supplemental AIX CD 1 (continued)
Product File Name
WebSphere Application Server JSP Compileinterim fix (APAR PQ77263)
PQ77263.zip
Supplemental AIX CD 2The following table itemizes the contents of supplemental AIX CD 2:
Table 13. Contents of Supplemental AIX CD 2
Product File Name
IBM Directory Server Version 5.1 ids510-aix-ismp-us.tar
IBM Directory Server Version 5.1 Fix Pack 1 FP510A-01.tar
IBM Directory Server referential integrityplug-in
DelRef/aix/libdelref.aDelRef/hpux/libdelref.slDelRef/nt/libdelref.dllDelRef/sun/libdelref.so
Tivoli Identity Manager Version 4.5configuration file
DelRef/timdelref.conf
Supplemental AIX CD 3The following table itemizes the contents of supplemental AIX CD 3:
Table 14. Contents of Supplemental AIX CD 3
Product File Name
Oracle Type 4 JDBC driver classes12.zip
Oracle Type 4 JDBC driver license file LI_en
Base Code HP-UX CD for Tivoli Identity Manager for non-IBMApplication Servers
The following table itemizes the contents of the base code HP-UX CD for TivoliIdentity Manager for non-IBM application servers (WebLogic):
Table 15. Contents of base code HP-UX CD for Tivoli Identity Manager using WebLogic
Product File Name
Tivoli Identity Manager Version 4.5 usingWebLogic
instHPUX-WL.bin
Documentation ReadMeFirst Docs-ReadMeFirst.pdf
80 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
Base Code Windows 2000 CD for Tivoli Identity Manager usingWebSphere Application Server
The following table itemizes the contents of the base code Windows 2000 CD forTivoli Identity Manager using WebSphere Application Server:
Table 16. Contents of base code Windows 2000 CD for Tivoli Identity Manager usingWebSphere Application Server
Product File Name
Tivoli Identity Manager Version 4.5 usingWebSphere Application Server
instW2K-WAS.exe
Documentation ReadMeFirst Docs-ReadMeFirst.pdf
Base Code Windows 2000 CD for Tivoli Identity Manager for non-IBMApplication Servers
The following table itemizes the contents of the base code Windows 2000 CD forTivoli Identity Manager for non-IBM application servers (WebLogic):
Table 17. Contents of base code Windows 2000 CD for Tivoli Identity Manager usingWebLogic
Product File Name
Tivoli Identity Manager Version 4.5 forWebLogic
instW2K-WL.exe
Documentation ReadMeFirst Docs-ReadMeFirst.pdf
Supplemental Windows 2000 CD 1The following table itemizes the contents of supplemental Windows 2000 CD 1:
Table 18. Contents of supplemental Windows 2000 CD 1
Product File Name
WebSphere Application Server base Version5.0 Fix Pack 2
was50_fp2_win.zip
WebSphere Application Server NetworkDeployment Version 5.0 Fix Pack 2
was50_nd_fp2_win.zip
WebSphere Application Server base Version5.0.2 interim fix (APAR PQ75794)
PQ75794.zip
WebSphere Application Server base andWebSphere Application Server NetworkDeployment Version 5.0.2 interim fix (APARSOV62778)
ibmorb.jar
WebSphere Application Server JSP Compileinterim fix (APAR PQ77263)
PQ77263.zip
Appendix A. Compact Discs 81
Supplemental Windows 2000 CD 2The following table itemizes the contents of supplemental Windows 2000 CD 2:
Table 19. Contents of supplemental Windows 2000 CD 2
Product File Name
IBM Directory Server Version 5.1 ids510-windows-us.zip
IBM Directory Server Version 5.1 Fix Pack 1 FP510W-01.zip
IBM Directory Server referential integrityplug-in
DelRef\aix\libdelref.aDelRef\hpux\libdelref.slDelRef\nt\libdelref.dllDelRef\sun\libdelref.so
Tivoli Identity Manager Version 4.5configuration file
DelRef\timdelref.conf
Supplemental Windows 2000 CD 3The following table itemizes the contents of supplemental Windows 2000 CD 3:
Table 20. Contents of supplemental Windows 2000 CD 3
Product File Name
IBM DB2 Version 8.1 Fix Pack 2 W2K-FP2.zip
Supplemental Windows 2000 CD 4The following table itemizes the contents of supplemental Windows 2000 CD 4:
Table 21. Contents of supplemental Windows 2000 CD 4
Product File Name
Oracle Type 4 JDBC driver classes12.zip
Oracle Type 4 JDBC driver license file LI_en
82 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
Appendix B. Software and Hardware Requirements onWindows
This appendix specifies software and hardware requirements for Tivoli IdentityManager Server on Windows using WebLogic.
Minimum Operating System and Hardware Requirements for TivoliIdentity Manager using WebLogic on Windows
The following table identifies the operating system, patches, and minimumhardware requirements for installation. These values do not include additionalruntime requirements.
Table 22. Minimum operating system and hardware requirements for Tivoli Identity Manager
Operating System Patch Minimum memory, free disk space, andother hardware requirements
Windows 2000Advanced Server
Service Pack 3 or later v RAM: 1 GB of memory
v Processor: Intel Pentium with a clock speedof 500 MHz or faster
v Free disk space: The temp directory musthave 500 MB free disk space. Additionally,provide 150 MB for /itim45. {BEA_HOME}requires 300 MB of disk space.
Databases for Tivoli Identity Manager Server using WebLogicThe following table lists databases available for Tivoli Identity Manager Serverusing WebLogic:
Table 23. Databases available for Tivoli Identity Manager Server using WebLogic
Database Version and Fix Pack orpatch
AIX 5.1 Solaris 8 Windows 2000AdvancedServer
Oracle 8.1.7 U U U
Microsoft SQL server SQL Server 2000 U
Directory Servers for Tivoli Identity Manager Server using WebLogicThe following table lists Directory servers available for Tivoli Identity ManagerServer using WebLogic:
Table 24. Directory servers available for Tivoli Identity Manager Server using WebLogic
Directory server Version AIX Solaris 8 Windows 2000 AdvancedServer
Sun ONE DirectoryServer¹
5.1 U
on AIX 4.3.3, noton 5.1
U U
© Copyright IBM Corp. 2003 83
Table 24. Directory servers available for Tivoli Identity Manager Server using WebLogic (continued)
Directory server Version AIX Solaris 8 Windows 2000 AdvancedServer
1. Also check the following website for information about the latest patch requirements:
http://wwws.sun.com/software/download/inter_ecom#dirserv
Tivoli Identity Manager Server Prerequisites for WebLogic ServersThe following table lists the Tivoli Identity Manager Server prerequisites forWebLogic servers:
Table 25. Tivoli Identity Manager Server prerequisites for WebLogic servers
Application Version
WebLogic Version 7.0 with Service Pack 3
(Version 7.0.3.0)Note: For WebLogic on AIX, JDK 1.3.1_06 orhigher must be installed.
Supported Web BrowsersThe following Web browsers are supported on Windows only:v Internet Explorer 5.5 with Service Pack 2v Internet Explorer 6.0 with Service Pack 1v Netscape 4.75
Notes:
1. Cookies must be enabled.2. Do not start two separate browser sessions from the same client computer. The
two sessions are regarded as one session ID, resulting in problems with data.3. For Internet Explorer, ensure that the Java runtime environment (JRE) is
specified. Open the browser and click Tools –> Internet Options. Click theAdvanced tab. Scroll the list of features. Select the check box for an item similarto Use Java 2 V1.3.1_04. Restart the computer.
84 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
Appendix C. Upgrading from Tivoli Identity Manager 4.3 usingWebLogic
This section describes upgrading previous data and schema from Tivoli IdentityManager Version 4.3 using WebLogic to Tivoli Identity Manager Version 4.5 usingWebLogic.
Note: After upgrading, the Tivoli Identity Manager Server will continue to use theexisting directory server and database.
The directory structures of the previous and current release of Tivoli IdentityManager are different. At version 4.3, the WebLogic server binaries are installed aspart of ENROLE_HOME, and the application domain enrole is created within theWebLogic server configuration.
At version 4.5, the application domain is created in BEA_HOME under user_projects,in the domain directory that includes the server and cluster configuration files andapplication log files. The following figure illustrates the differences:
Before UpgradingBefore upgrading from version 4.3 to version 4.5, do the following:1. Back up the directory server.
On the iPlanet Directory Server, use the iPlanet console to perform the backup.During upgrade of the directory server, entries within the Tivoli IdentityManager sub-tree are scanned for the string enrole (case-insensitive). If an
4.3 Directory Structure
ENROLE_HOMEbincertconfigdatadocenRoleUninstallerDataextensionslibweblogic
binconfig
enroleapplicationslogs
extLibSampleuninstaller
4.5 Directory Structure
ITIM_HOMEbincertconfigdatadocextensionsitimUninstallerDatalib
BEA_HOMEuser_projects
itimapplicationslogsuserConfigs
Figure 66. Differences in version 4.3 and version 4.5 directory structures
© Copyright IBM Corp. 2003 85
attribute’s value contains the string enrole, that string is changed to itim. Thisstring replacement is done for all attributes except those listed in the{ITIM_HOME}\data\enRoleUnchangedAttributes.properties file. Beforebeginning the upgrade process, export the contents of the Tivoli IdentityManager 4.3 LDAP sub-tree to an LDIF file. Search the LDIF file for the stringenrole. If you find attributes that contain values that should not be changedduring upgrade, do the following:a. Select No for LDAP Directory Upgrade during the Tivoli Identity Manager
4.5 installation.b. Edit the {ITIM_HOME}\data\enRoleUnchangedAttributes.properties file to
add the attribute names.c. Invoke the LDAP Directory Upgrade manually.
2. Back up the database.On the database server, use the administrative console to perform a databasebackup.
3. Back up the existing Tivoli Identity Manager directory for each server in thecluster.This allows you to save any customizations so that you can re-implement themafter the upgrade. You can use a tar or a zip utility to back up the information.
4. Stop all members in the cluster.See “Starting and Stopping the Tivoli Identity Manager Server” on page 72 fordetailed information about stopping the cluster members.
5. Verify that the directory server and database are running.6. Install WebLogic Server version 7.0.
Notes:
1. After the upgrade, previous audit and log data may not be relevant to the newdata.
2. Upgrading the Tivoli Identity Manager Server removes any customizationpreviously implemented.
Upgrading from Single Server Version 4.3 to Single Server Version 4.5The following procedures describe how to upgrade a single server installation ofTivoli Identity Manager version 4.3 to a single server installation of Tivoli IdentityManager version 4.5. If you have a clustered installation of Tivoli Identity Managerversion 4.3 and want to upgrade it to Tivoli Identity Manager version 4.5, see“Upgrading from Cluster Version 4.3 to Cluster Version 4.5” on page 92.
Be sure to complete the procedures in “Before Upgrading” on page 85 beforeupgrading Tivoli Identity Manager. Backing up the information is the only way tosave any customizations.
Prepare to Upgrade the ServerThis section describes the initial process to upgrade the Tivoli Identity ManagerServer.1. Log on to the Tivoli Identity Manager Server to be upgraded.
You must log on using an account with system administrator privileges.2. Install BEA WebLogic 7.0 using the typical installation option.3. Insert the Tivoli Identity Manager product CD into the CD-ROM drive.4. Open a command prompt window.
86 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
5. Type your CD-Rom drive and then type the following command:Install.exe
The Language Selection window opens.6. Select the language to use during installation and click OK.
The License Agreement window opens.7. Read the license agreement and decide whether to accept its terms.8. Select the I accept the terms of the License Agreement radio button if you
agree to the terms and click Next.The Choose the Installation Type window opens. Proceed with the followingsection to continue with the upgrade.
Select the Installation Type and DirectoriesThe next steps determine the type of Tivoli Identity Manager to install and thelocation of the WebLogic Application Server used by Tivoli Identity Manager.1. Select the radio button for the type of installation you desire in the Choose
Installation Type window and click Next.If you want to install a single-server version of Tivoli Identity Manager, selectthe Single Server radio button. If you want to install a clustered version ofTivoli Identity Manager, select the Cluster radio button.The Have you installed BEA WebLogic Server 7.0? window opens.
2. Click Yes if you have already installed the WebLogic Application Server.If you click No, you can continue with the installation but you will have toinstall WebLogic 7.0 before Tivoli Identity Manager will run. It is recommendedthat you exit the installation and install the WebLogic Application Server beforeinstalling Tivoli Identity Manager.The Where have you installed WebLogic Server 7.0? window opens.
Figure 67. Where have you installed WebLogic Server 7.0? Window
Appendix C. Upgrading from Tivoli Identity Manager 4.3 using WebLogic 87
3. Enter the BEA home directory and the WebLogic Application Server homedirectories in their respective fields and click Next.
Note: In a clustered installation, the WebLogic Application Server homedirectory should be the same for each member of the cluster.
See the following section to proceed with the installation process.
Define the Installation LocationThe procedures in this section identify the location of the existing Tivoli IdentityManager installation and upgrades it.
The previous section ended with the Choose Install Folder window open.
1. Enter the location where the existing Tivoli Identity Manager Server is installedand click Next.
Note: If you choose a different location, the installation program will not detectthe existing installation and will install a new Tivoli Identity ManagerServer.
The Do you want to upgrade? window opens.2. Click Yes to upgrade the Tivoli Identity Manager Server.
The Do you want to upgrade the LDAP Directory during installation? windowopens.
3. Click Yes. This will initiate an LDAP directory upgrade during installation.
Note: You can choose to upgrade the LDAP directory after the installation byselecting No. After the installation, invoke the ldapUpgrade utilitylocated in the bin directory.
Figure 68. Choose the Install Folder Window
88 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
The Specify the Tivoli Identity Manager Domain Information window opens.
4. Accept the default domain base directory (C:\bea\user_projects) or enter anew value.
5. Enter the name of the domain on which the Tivoli Identity Manager will runand the name of the server and click Next.In the previous release, the default domain name was enrole. In the currentrelease, the default domain name is itim.Proceed to the following section to continue with the upgrade process.
Upgrade the Tivoli Identity Manager Server SchemasThe following procedures describe how to upgrade the schemas associated withTivoli Identity Manager.
The previous section ended with the Pre-Installation Summary window open.
Figure 69. Specify the Tivoli Identity Manager Domain Information Window
Appendix C. Upgrading from Tivoli Identity Manager 4.3 using WebLogic 89
1. Click Install in the Pre-Installation Summary window.The Installing Tivoli Identity Manager window opens and a message lineappears in the window describing the current installation process. After thedatabase schema is upgrade, a message window opens confirming that thedatabase schema upgrade is complete.
2. Click OK.The directory server schema is upgraded and a message window opensconfirming that the directory schema upgrade is complete.
3. Click OK.The upgrade process completes and the System Configuration window opens.The fields on the tabs are populated with values from the previous installationof Tivoli Identity Manager.
4. Confirm that the values on the tabs are correct and click OK.Proceed to the following section to continue with the upgrade process.
Complete the Upgrade ProcessThe previous section ended with the Install Complete window open. Complete theupgrade process by clicking Done.
Updating Certificate InformationUpgrading from Tivoli Identity Manager version 4.3 to Tivoli Identity Managerversion 4.5 does not preserve the SSL certificate setting in the config.xml file. Youwill need to manual update the SSL certificate settings through the WebLogicadmin console.1. Start the WebLogic server if not started yet.2. Open the WebLogic admin console. At a brower window, type the following
URL:http://<hostname>/console
Figure 70. Pre-Installation Window
90 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
where the hostname is the host name or IP address of the admin server.3. Click your domain name in the tree.4. Click Servers under your domain name.5. Click the name of the server for which to update the SSL certificate settings.6. Click the Connections tab in the right pane.7. Click the SSL tab under the Connections tab.8. Modify the values to match your system’s configuration.9. Click Apply.
10. Repeat the previous procedures for all members in your cluster, if you have aclustered configuration.
Re-implement CustomizationsUpgrading the Tivoli Identity Manager Server removes any customizations madeto the server. Retrieve the customized files from the backup copy of the TivoliIdentity Manager directories and implement the customizations in the new,upgraded versions of the files.
Common items that are customized are the logo, LDAP schema, the authenticationmechanism, and Java security.
Updating Custom LogosIf you had previously customized the logo in the Tivoli Identity Manager graphicaluser interface (GUI), you will need to move the graphic file to the new location.
The previous location was:../enrole/weblogic/config/enrole/applications/enrole/images
where ../enrole was the Tivoli Identity Manager home directory.
The graphic must be placed in the{WEBLOGIC_HOME}/bea/user_projects/itim/applications/enrole/images directoryafter Tivoli Identity Manager is upgraded.
Verifying Logging SettingsAfter upgrading the Tivoli Identity Manager Server, previous logging settings areoverwritten. If you did not configure the logging settings during installation andaccepted the defaults, you will need to update your logging settings after theupgrade is complete.
To update your logging settings, use the System Configuration Tool. Refer to theTivoli Identity Manager Server Configuration Guide for detailed information on usingthe System Configuration Tool and configuring the logging settings.
Starting and Stopping the Tivoli Identity Manager ServerAfter the Tivoli Identity Manager Server is installed you must start the server. Thissection describes how to start and stop the Tivoli Identity Manager Server.
On Windows servers, a service named Tivoli Identity ManagerdomainName_serverName is installed. The domainName is the name of the domain inwhich the Tivoli Identity Manager Server is installed. The serverName is the nameassigned to the Tivoli Identity Manager Server during installation. Use the servicesconsole to start or stop the Tivoli Identity Manager Server.
Appendix C. Upgrading from Tivoli Identity Manager 4.3 using WebLogic 91
Using Tivoli Identity Manager on Windows for WebLogic, additional steps arerequired to modify parameters when Tivoli Identity Manager is started as aservice. In order to modify the classpath, jvm switches or any other runtimeparameters used by the Tivoli Identity Manager NT service, do the following:1. Stop the ITIM service.2. Uninstall the ITIM service by running the following command:
{ITIM_HOME}\bin\uninstallItimService.cmd
3. Reboot the computer to ensure that the deletion of the service takes place.4. Make necessary changes by editing the
{ITIM_HOME}\bin\installItimService.cmd file.5. Reinstall the service by running the following command:
{ITIM_HOME}\bin\installItimService.cmd
Note: Starting the Tivoli Identity Manager Server takes several minutes. Watch the{Weblogic_Home}/user_projects/itim/logs/<domain_name>.log file for arunning message. The <domain_name> is the name of the domain definedfor the server earlier during installation.
Testing Tivoli Identity Manager Server CommunicationTo test whether the database, the directory server, and the Tivoli Identity ManagerServer are correctly configured and communicating with each other, do thefollowing:1. Start Tivoli Identity Manager Server and any prerequisite applications.2. Log on to Tivoli Identity Manager.
For example, at a browser window, type the following:http://hostname/enrole
where hostname is the fully-qualified name or IP address of the computer onwhich Tivoli Identity Manager Server is running.
3. Enter the Tivoli Identity Manager administrator user ID (itim manager) andpassword.
4. Take the necessary steps to create a user (an ITIM user).For more information, refer to online help or to the Tivoli Identity ManagerPolicy and Organization Administration Guide.
Upgrading from Cluster Version 4.3 to Cluster Version 4.5The following procedures describe how to upgrade a clustered installation of TivoliIdentity Manager version 4.3 to a clustered installation of Tivoli Identity Managerversion 4.5. If you have a single server installation of Tivoli Identity Managerversion 4.3 and want to upgrade to Tivoli Identity Manager version 4.5, see“Upgrading from Single Server Version 4.3 to Single Server Version 4.5” onpage 86.
Be sure to complete the procedures in “Before Upgrading” on page 85 beforeupgrading Tivoli Identity Manager. Backing up the information is the only way tosave any customizations.
To upgrade version 4.3 to version 4.5, do the following:1. “Upgrade the Admin Server” on page 932. “Upgrade the Managed Servers” on page 98
92 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
3. “Re-implement Customizations” on page 103
Upgrade the Admin ServerOn the computer on which the administration server is installed, do the following:
Prepare to Upgrade the ServerThis section describes the initial process to upgrade the Tivoli Identity ManagerServer.1. Log on to the Tivoli Identity Manager Server to be upgraded.
You must log on using an account with system administrator privileges.2. Install BEA WebLogic 7.0 using the typical installation option.3. Insert the Tivoli Identity Manager product CD into the CD-ROM drive.4. Open a command prompt window.5. Type your CD-Rom drive and then type the following command:
Install.exe
The Language Selection window opens.6. Select the language to use during installation and click OK.
The License Agreement window opens.7. Read the license agreement and decide whether to accept its terms.8. Select the I accept the terms of the License Agreement radio button if you
agree to the terms and click Next.The Choose the Installation Type window opens. Proceed with the followingsection to continue with the upgrade.
Select the Installation Type and DirectoriesThe next steps determine the type of Tivoli Identity Manager to install and thelocation of the WebLogic Application Server used by Tivoli Identity Manager.1. Select the radio button for the type of installation you desire in the Choose
Installation Type window and click Next.If you want to install a single-server version of Tivoli Identity Manager, selectthe Single Server radio button. If you want to install a clustered version ofTivoli Identity Manager, select the Cluster radio button.The Have you installed BEA WebLogic Server 7.0? window opens.
2. Click Yes if you have already installed the WebLogic Application Server.If you click No, you can continue with the installation but you will have toinstall WebLogic 7.0 before Tivoli Identity Manager will run. It is recommendedthat you exit the installation and install the WebLogic Application Server beforeinstalling Tivoli Identity Manager.The Where have you installed WebLogic Server 7.0? window opens.
Appendix C. Upgrading from Tivoli Identity Manager 4.3 using WebLogic 93
3. Enter the BEA home directory and the WebLogic Application Server homedirectories in their respective fields and click Next.
Note: In a clustered installation, the WebLogic Application Server homedirectory should be the same for each member of the cluster.
See the following section to proceed with the installation process.
Define the Installation LocationThe procedures in this section identify the location of the existing Tivoli IdentityManager installation and upgrades it.
The previous section ended with the Specify the Server Type window open.
Figure 71. Where have you installed WebLogic Server 7.0? Window
94 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
1. Select the Admin Server radio button in the Specify the Server Type windowand click Next.The Choose Install Folder window opens.
2. Enter the location where the existing Tivoli Identity Manager Server is installedand click Next.
Figure 72. Specify the Server Type Window
Figure 73. Choose the Install Folder Window
Appendix C. Upgrading from Tivoli Identity Manager 4.3 using WebLogic 95
Note: If you choose a different location, the installation program will not detectthe existing installation and will install a new Tivoli Identity ManagerServer.
The Do you want to upgrade? window opens.3. Click Yes to upgrade the Tivoli Identity Manager Server.
The Do you want to upgrade the LDAP Directory during installation? windowopens.
4. Click Yes. This will initiate an LDAP directory upgrade during installation.
Note: You can choose to upgrade the LDAP directory after the installation byselecting No. After the installation, invoke the ldapUpgrade utilitylocated in the bin directory.
The Specify the Tivoli Identity Manager Domain Information window opens.
5. Accept the default domain base directory (C:\bea\user_projects) or enter anew value.
6. Enter the name of the domain on which the Tivoli Identity Manager will runand the name of the server and click Next.In the previous release, the default domain name was enrole. In the currentrelease, the default domain name is itim.Proceed to the following section to continue with the upgrade process.
Upgrade the Tivoli Identity Manager Server SchemasThe following procedures describe how to upgrade the schemas associated withTivoli Identity Manager.
The previous section ended with the Pre-Installation Summary window open.
Figure 74. Specify the Tivoli Identity Manager Domain Information Window
96 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
1. Click Install in the Pre-Installation Summary window.The Installing Tivoli Identity Manager window opens and a message lineappears in the window describing the current installation process. After thedatabase schema is upgrade, a message window opens confirming that thedatabase schema upgrade is complete.
2. Click OK.The directory server schema is upgraded and a message window opensconfirming that the directory schema upgrade is complete.
3. Click OK.The upgrade process completes and the System Configuration window opens.The fields on the tabs are populated with values from the previous installationof Tivoli Identity Manager.
4. Confirm that the values on the tabs are correct and click OK.Proceed to the following section to continue with the upgrade process.
Update the Managed Server InformationAfter the Tivoli Identity Manager Server and the schemas are upgraded, you mustverify that the managed servers are correctly identified and registered with theadmin server. The following procedures describe how to verify that the managedserver information is correct.
The previous section ended with the Register Managed Server window open.
Figure 75. Pre-Installation Window
Appendix C. Upgrading from Tivoli Identity Manager 4.3 using WebLogic 97
1. Verify that the connection information for each of the managed servers iscorrect.If the any of the information is not correct, modify the information by clickingEdit and change the information as needed.
2. Delete any server that will no longer be in the cluster by selecting the servername and clicking Delete.
3. Click Save to save the information for all managed servers.The Install Complete window opens.
4. Click Done to exit the installation program.
Upgrade the Managed ServersThe following sections describe how to upgrade a managed server.
Prepare to Upgrade the ServerThis section describes the initial process to upgrade the Tivoli Identity ManagerServer.1. Log on to the Tivoli Identity Manager Server to be upgraded.
You must log on using an account with system administrator privileges.2. Install BEA WebLogic 7.0 using the typical installation option.3. Insert the Tivoli Identity Manager product CD into the CD-ROM drive.4. Open a command prompt window.5. Type your CD-Rom drive and then type the following command:
Install.exe
The Language Selection window opens.6. Select the language to use during installation and click OK.
The License Agreement window opens.7. Read the license agreement and decide whether to accept its terms.
Figure 76. Register Managed Servers window
98 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
8. Select the I accept the terms of the License Agreement radio button if youagree to the terms and click Next.The Choose the Installation Type window opens. Proceed with the followingsection to continue with the upgrade.
Select the Installation Type and DirectoriesThe next steps determine the type of Tivoli Identity Manager to install and thelocation of the WebLogic Application Server used by Tivoli Identity Manager.1. Select the radio button for the type of installation you desire in the Choose
Installation Type window and click Next.If you want to install a single-server version of Tivoli Identity Manager, selectthe Single Server radio button. If you want to install a clustered version ofTivoli Identity Manager, select the Cluster radio button.The Have you installed BEA WebLogic Server 7.0? window opens.
2. Click Yes if you have already installed the WebLogic Application Server.If you click No, you can continue with the installation but you will have toinstall WebLogic 7.0 before Tivoli Identity Manager will run. It is recommendedthat you exit the installation and install the WebLogic Application Server beforeinstalling Tivoli Identity Manager.The Where have you installed WebLogic Server 7.0? window opens.
3. Enter the BEA home directory and the WebLogic Application Server homedirectories in their respective fields and click Next.
Note: In a clustered installation, the WebLogic Application Server homedirectory should be the same for each member of the cluster.
See the following section to proceed with the installation process.
Figure 77. Where have you installed WebLogic Server 7.0? Window
Appendix C. Upgrading from Tivoli Identity Manager 4.3 using WebLogic 99
Define the Installation Location and Complete the UpgradeProcessThe procedures in this section identify the location of the existing Tivoli IdentityManager installation and upgrades it.
The previous section ended with the Specify the Server Type window open.
1. Select the Managed Server(s) radio button in the Specify the Server Typewindow and click Next.The Choose Install Folder window opens.
Figure 78. Specify the Server Type Window
100 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
2. Enter the location where the existing Tivoli Identity Manager Server is installedand click Next.
Note: If you choose a different location, the installation program will not detectthe existing installation and will install a new Tivoli Identity ManagerServer.
The Do you want to upgrade? window opens.3. Click Yes to upgrade the Tivoli Identity Manager Server.
The Specify the Tivoli Identity Manager Domain Information window opens.
Figure 79. Choose the Install Folder Window
Appendix C. Upgrading from Tivoli Identity Manager 4.3 using WebLogic 101
4. Accept the default domain base directory (C:\bea\user_projects) or enter anew value and click Next.The Pre-Installation Summary window opens.
5. Click Install.The Installing Tivoli Identity Manager window opens and a message lineappears in the window describing the current installation process. The upgrade
Figure 80. Specify the Tivoli Identity Manager Domain Information Window
Figure 81. Pre-Installation Window
102 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
process completes and the System Configuration window opens. The fields onthe tabs are populated with values from the previous installation of TivoliIdentity Manager.
6. Confirm that the values on the tabs are correct and click OK.The Install Complete window opens.
7. Click Done to complete the upgrade process.
Updating Certificate InformationUpgrading from Tivoli Identity Manager version 4.3 to Tivoli Identity Managerversion 4.5 does not preserve the SSL certificate setting in the config.xml file. Youwill need to manual update the SSL certificate settings through the WebLogicadmin console.1. Start the WebLogic server if not started yet.2. Open the WebLogic admin console. At a brower window, type the following
URL:http://<hostname>/console
where the hostname is the host name or IP address of the admin server.3. Click your domain name in the tree.4. Click Servers under your domain name.5. Click the name of the server for which to update the SSL certificate settings.6. Click the Connections tab in the right pane.7. Click the SSL tab under the Connections tab.8. Modify the values to match your system’s configuration.9. Click Apply.
10. Repeat the previous procedures for all members in your cluster, if you have aclustered configuration.
Re-implement CustomizationsUpgrading the Tivoli Identity Manager Server removes any customizations madeto the server. Retrieve the customized files from the backup copy of the TivoliIdentity Manager directories and implement the customizations in the new,upgraded versions of the files.
Common items that are customized are the logo, LDAP schema, the authenticationmechanism, and Java security.
Updating Custom LogosIf you had previously customized the logo in the Tivoli Identity Manager graphicaluser interface (GUI), you will need to move the graphic file to the new location.
The previous location was:../enrole/weblogic/config/enrole/applications/enrole/images
where ../enrole was the Tivoli Identity Manager home directory.
The graphic must be placed in the{WEBLOGIC_HOME}/bea/user_projects/itim/applications/enrole/images directoryafter Tivoli Identity Manager is upgraded.
Appendix C. Upgrading from Tivoli Identity Manager 4.3 using WebLogic 103
Verifying Logging SettingsAfter upgrading the Tivoli Identity Manager Server, previous logging settings areoverwritten. If you did not configure the logging settings during installation andaccepted the defaults, you will need to update your logging settings after theupgrade is complete.
To update your logging settings, use the System Configuration Tool. Refer to theTivoli Identity Manager Server Configuration Guide for detailed information on usingthe System Configuration Tool and configuring the logging settings.
Starting and Stopping the Tivoli Identity Manager ServerThe Tivoli Identity Manager admin server is configured to start automatically afterinstallation. However, the managed servers must be started after installation. Thissection describes how to start and stop an Tivoli Identity Manager Server.
On Windows servers, a service named Tivoli Identity ManagerdomainName_serverName is installed. The domainName is the name of the domain inwhich the Tivoli Identity Manager Server was installed. The serverName is thename assigned to the Tivoli Identity Manager Server during installation.
Use the services console to start the Tivoli Identity Manager Server.
Using Tivoli Identity Manager on Windows for WebLogic, additional steps arerequired to modify parameters when Tivoli Identity Manager is started as aservice. In order to modify the classpath, jvm switches or any other runtimeparameters used by the Tivoli Identity Manager NT service, do the following:1. Stop the ITIM service.2. Uninstall the ITIM service by running one of the following commands:
If uninstalling from the admin server:{ITIM_HOME}\bin\uninstallItimService.cmd
If uninstalling from a managed server:{ITIM_HOME}\bin\uninstall<serverName>Service.cmd
where serverName is the managed server name which is defined duringmanaged server registration on the admin server side.
3. Reboot the computer to ensure that the deletion of the service takes place.4. Make necessary changes by editing the
{ITIM_HOME}\bin\installItimService.cmd or{ITIM_HOME}\bin\install<serverName>Service.cmd file.
5. Reinstall the service by running the following command:If installing to the admin server:{ITIM_HOME}\bin\installItimService.cmd
If installing to a managed server:{ITIM_HOME}\bin\install<serverName>Service.cmd
where serverName is the managed server name which is defined duringmanaged server registration on the admin server side.
Note: Starting the Tivoli Identity Manager Server takes several minutes. Watch the<serverName>.log file for a running message. The <serverName> is the nameof the server defined earlier during installation. The log file is located in
104 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
{$Weblogic_Home}/user_projects/itim/logs/ on the admin server and in{$Weblogic_Home}/user_projects/itim/logs/<serverName>/ on the managedservers.
Testing Tivoli Identity Manager Server CommunicationTo test whether the database, the directory server, and the Tivoli Identity ManagerServer are correctly configured and communicating with each other, do thefollowing:1. Start Tivoli Identity Manager Server and any prerequisite applications.2. Log on to Tivoli Identity Manager.
For example, at a browser window, type the following:http://hostname/enrole
where hostname is the fully-qualified name or IP address of the computer onwhich Tivoli Identity Manager Server is running.
3. Enter the Tivoli Identity Manager administrator user ID (itim manager) andpassword.
4. Take the necessary steps to create a user (an ITIM user).For more information, refer to online help or to the Tivoli Identity ManagerPolicy and Organization Administration Guide.
Appendix C. Upgrading from Tivoli Identity Manager 4.3 using WebLogic 105
106 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
Appendix D. Uninstalling
The Tivoli Identity Manager process uninstalls the following:v Tivoli Identity Managerv Tivoli Identity Manager application and configuration settings created for Tivoli
Identity Manager on WebLogic Application Serverv All {ITIM_HOME} files copied to a target system during the Tivoli Identity
Manager installation
Note: Uninstalling Tivoli Identity Manager does not modify existing databasetables or the Directory server schema. The Tivoli Identity Manageruninstaller only removes the Tivoli Identity Manager application fromwithin WebLogic Application Server.
To uninstall additional products that may have been installed during the TivoliIdentity Manager installation, such as WebLogic Application Server for example,please refer to the appropriate documentation for the product.
Steps to Uninstall Tivoli Identity ManagerTo uninstall Tivoli Identity Manager, do the following:1. Uninstall the Tivoli Identity Manager application by running the following
command on the computer on which Tivoli Identity Manager is installed:{ITIM_HOME}\itimUninstallerData\Uninstall_ITIM
2. Proceed through the uninstall wizard panels to confirm you wish to uninstallTivoli Identity Manager.
3. After the uninstall completes successfully, remove any residual directories,configuration files, and log files for Tivoli Identity Manager from yourfilesystem.
To verify that Tivoli Identity Manager has been uninstalled and removed as anapplication from WebLogic Application Server, do the following:1. Verify that the Tivoli Identity Manager directories are deleted.
Note: Some directories may still remain since the uninstall program does notremove dynamic files. These file can include various log files. However,all application files should no longer be available on the system.
2. Verify that the Tivoli Identity Manager registry items are removed.The registry items were located in theHKEY_LOCAL_MACHINE\SOFTWARE\IBM\Tivoli Identity Manager\4.5 directory.
© Copyright IBM Corp. 2003 107
108 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
Appendix E. Notices
This information was developed for products and services offered in the U.S.A.IBM may not offer the products, services, or features discussed in this document inother countries. Consult your local IBM representative for information on theproducts and services currently available in your area. Any reference to an IBMproduct, program, or service is not intended to state or imply that only that IBMproduct, program, or service may be used. Any functionally equivalent product,program, or service that does not infringe any IBM intellectual property right maybe used instead. However, it is the user’s responsibility to evaluate and verify theoperation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matterdescribed in this document. The furnishing of this document does not give youany license to these patents. You can send license inquiries, in writing, to:
IBM Director of LicensingIBM CorporationNorth Castle DriveArmonk, NY 10504-1785U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBMIntellectual Property Department in your country or send inquiries, in writing, to:
IBM World Trade Asia CorporationLicensing2-31 Roppongi 3-chome, Minato-kuTokyo 106-0032, Japan
The following paragraph does not apply to the United Kingdom or any othercountry where such provisions are inconsistent with local law:INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THISPUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHEREXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIEDWARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESSFOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express orimplied warranties in certain transactions, therefore, this statement may not applyto you.
This information could include technical inaccuracies or typographical errors.Changes are periodically made to the information herein; these changes will beincorporated in new editions of the publication. IBM may make improvementsand/or changes in the product(s) and/or the program(s) described in thispublication at any time without notice.
Any references in this information to non-IBM Web sites are provided forconvenience only and do not in any manner serve as an endorsement of those Websites. The materials at those Web sites are not part of the materials for this IBMproduct and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way itbelieves appropriate without incurring any obligation to you.
© Copyright IBM Corp. 2003 109
Licensees of this program who wish to have information about it for the purposeof enabling: (i) the exchange of information between independently createdprograms and other programs (including this one) and (ii) the mutual use of theinformation which has been exchanged should contact:
IBM Corporation2ZA4/10111400 Burnet RoadAustin, TX 78758U.S.A.
Such information may be available, subject to appropriate terms and conditions,including in some cases, payment of a fee.
The licensed program described in this information and all licensed materialavailable for it are provided by IBM under terms of the IBM Customer Agreement,IBM International Program License Agreement, or any equivalent agreementbetween us.
Any performance data contained herein was determined in a controlledenvironment. Therefore, the results obtained in other operating environments mayvary significantly. Some measurements may have been made on development-levelsystems and there is no guarantee that these measurements will be the same ongenerally available systems. Furthermore, some measurements may have beenestimated through extrapolation. Actual results may vary. Users of this documentshould verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers ofthose products, their published announcements or other publicly available sources.IBM has not tested those products and cannot confirm the accuracy ofperformance, compatibility or any other claims related to non-IBM products.Questions on the capabilities of non-IBM products should be addressed to thesuppliers of those products.
TrademarksThe following terms are trademarks or registered trademarks of InternationalBusiness Machines Corporation in the United States, other countries, or both:
AIXDB2IBMIBM logoSecureWayTivoliTivoli logoUniversal DatabaseWebSphere
Lotus is a registered trademark of Lotus Development Corporation and/or IBMCorporation.
Domino is a trademark of International Business Machines Corporation and LotusDevelopment Corporation in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks ofMicrosoft Corporation in the United States, other countries, or both.
110 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
UNIX is a registered trademark of The Open Group in the United States and othercountries.
Java™ and all Java-based trademarks and logos aretrademarks or registered trademarks of Sun Microsystems,Inc. in the United States and other countries.
Other company, product, and service names may be trademarks or service marksof others.
Appendix E. Notices 111
112 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
Glossary
Aaccess. The privilege to use information or data storedon computer systems.
account. The set of parameters that define the logininformation and access control information for a user.
account report. A report that lists people and theirassociated accounts and whether or not the account isin compliance with current policies.
access control information (ACI). Data that identifiesthe access rights of a group or principal. See also accesscontrol.
ACI origin. The branch in the organization tree wherethe ACI is created.
ACI target. The set of entities that are controlled bythe ACI.
active account. An account that exists and that is inuse by the owner to access a resource.
admin domain. A division of an organization withinthe Tivoli Identity Manager system that contains itsown policies, services, ACIs, and so on. Each admindomain can have administrators that cannot administeror view the policies, services, ACIs of other admindomains.
alias. An identity for a user, usually referred to as theuser ID. A person can have several aliases, for example:GSmith and GWSmith.
attribute enforcement. The process in which systemadministrators define the attributes that are requiredfor an account and the values that are valid for thoseattributes.
audit trail. The record of transactions for a computersystem during a given time period.
authentication. The process of identifying anindividual, usually based on a user name andpassword. In security systems, authentication is distinctfrom authorization, which is the process of givingindividuals access to system objects based on theiridentity. Authentication merely ensures that theindividual is who he or she claims to be, but saysnothing about the access rights of the individual.
authorization. In computer security, the right grantedto a user to communicate with or make use of a
computer system. The process of granting a user eithercomplete or restricted access to an object, resource, orfunction.
Most computer security systems are based on atwo-step process. The first stage is authentication,which ensures that a user is who he or she claims tobe. The second stage is authorization, which allows theuser access to various resources based on the user’sidentity.
authorization owner. A group of users who can defineaccess control information (ACI) within the context ofthe organizational unit to which they belong.
Bbranch. Each level within the organization tree iscalled a branch. Each type of branch in the tree isindicated by a different icon. The contents of a branchwith sub-units can be viewed by clicking the plus (+)sign next to it.
business partner organization. One of the types ofsubsidiary entities that can be added to anorganization. Typically, a business partner organizationis used to identify a contractor, supplier, or othergroups of individuals who are not direct employees butmay need access to a company’s resources.
business partner person. A person in a businesspartner organization.
business unit. A subsidiary entity of an organization.
Ccentral data repository. The database used to recordand store user and access privilege data for allregistered users, including transaction and maintenancerecords.
Certificate Authority (CA). An organization thatissues certificates. The certificate authority authenticatesthe certificate owner’s identity and the services that theowner is authorized to use, issues new certificates,renews existing certificates, and revokes certificatesbelonging to users who are no longer authorized to usethem.
challenge response. An authentication method thatrequires users to respond to a prompt by providingprivate information to verify their identity whenlogging in to the network.
completed requests. Requests that were submitted tothe system and that are completed.
© Copyright IBM Corp. 2003 113
constraint. A limitation on a parameter or policy.
control type. An instance of the Java Type class thatrepresents the type of field on a user interface.
credential. The User ID and password information fora user, which allows access to an account.
Ddelegate. An individual who is designated as theresponsible party to approve requests or provideinformation for requests for another user.
de-provision. To remove a service or component. Forexample, to de-provision an account means to delete anaccount from a resource.
digital certificate. An attachment to an electronicmessage used for security purposes.
Directory Services Markup Language (DSML). AnXML implementation that provides a common formatfor describing and sharing directory servicesinformation among different directory systems.
disallowed action. A parameter set for reconciliationsthat defines action to take if the Tivoli IdentityManager Server finds accounts for persons who are notallowed to have an account for the selected service.This parameter is only valid if the Check Policy checkbox is selected.
domain administrator. An administrator that candefine and manage provisioning entities, policies,services, workflow definitions, roles, and users withintheir admin domain, but only in his or her own admindomain.
DSML identity feed. One of Tivoli Identity Manager’sthree default service types.
A DSML identity feed service imports user data from ahuman resources database or file and feeds theinformation into the Tivoli Identity Manager directory.The service can receive the information in one of twoways: a reconciliation or an unsolicited notification.
Eelectronic forms. An electronic form serves as atemplate to define the parameters of the access beingrequested.
entitlement. In security management, a data structure,service, or list of attributes that represents policyinformation.
entity. 1) A person or object for which information isstored.
2) One of the following classes, as referred to by theTivoli Identity Manager system:
v Person
v BPPerson
v Organization
v BPOrganization
escalation participant. In identity management, aperson that has the authority to respond to requeststhat participants do not respond to within a specifiedescalation time. An escalation participant can beidentified as an individual, as a roles, or by using acustom JavaScript script.
escalation limit. The amount of time, in days, hours,minutes or seconds, that a participant has to respond toa request, before an escalation occurs.
HHR feed. An automated process in which the TivoliIdentity Manager system imports user data from ahuman resources database or file. Refer to DSMLidentity feed.
Iidentity policy. The rules by which the Tivoli IdentityManager system defines how a user’s ID is created.
inactive account. An account that exists in the system,but that is not in use by the account owner.
ITIM group. A user group within the Tivoli IdentityManager Server.
System access and administration can be structuredaround ITIM groups. However, before a person can beassigned to an ITIM group, the user must beprovisioned with an ITIM account. Once the person isprovisioned with an ITIM account, the person is anITIM user and can be added to an ITIM group.
Jjoin directive. The set of rules that define how tohandle attributes when two or more provisioningpolicies conflict.
Kkeyword. An index entry that identifies the policy in asearch.
Llocation. One of the types of subsidiary entities thatcan be added to an organization. Typically, locations areused to logically separate geographic locations fororganizational management purposes.
114 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
Ooperation report. A report that lists Tivoli IdentityManager operation requests by type of operation, date,who requested the operation, and who the operation isrequested for.
organization. In identity management, a body of usersand resources which is fairly independent. Althoughthe sharing of resources between organizations ispossible, the level of integration between theorganizations is relatively low. Generally, anorganization represents a company.
organization tree. A hierarchical structure of theorganization that provides a logical place to create,access, and store organizational information.
organizational role. In identity management, anattribute that is used to determine membership topolicies that grant access to various managed resources.
organizational unit. A body of users and resourceswithin an organization defined to sub-divide anorganization into more manageable groups. Users areassigned to only one organizational unit. Resources arealso assigned to only one organizational unit unlessthey are defined as global to an organization.
orphan (orphan accounts). Accounts on a remoteresource whose owner in the Tivoli Identity Managersystem cannot be determined.
owner. A person in the Tivoli Identity Managersystem that owns an account or a service.
Pparticipant. In identity management, a person that hasthe authority to respond to a request that is submittedthrough the workflow engine. A participant can beidentified as an individual, as a roles, or by using acustom JavaScript script.
password. In computer and network security, aspecific string of characters entered by a user andauthenticated by the system, which allows the user togain access to the system and to the information storedwithin it.
password expiration period. The amount of time apassword can be used before the user is forced tochange it.
password policy. The rules that define the setparameters that all passwords must meet, such aslength, and the type of characters allowed anddisallowed.
pending requests. Requests that have been submittedto the system but that have not yet been completed.
personal information. A user’s personal information.This information can include last name, first name,home address, phone number, e-mail address, officenumber, supervisor, etc.
policy. In Tivoli, a set of rules that are applied tomanaged resources. For example, a policy can apply topasswords or to resources that a user attempts toaccess.
policy enforcement. The manner in which the TivoliIdentity Manager system allows or disallows accountsthat violate provisioning policies.
provision. To set up and maintain a user’s access to asystem in the organization.
provisioning policy. A policy that defines the accessto various types of managed services, such as TivoliIdentity Manager or operating systems. Access isgranted to all persons or based on a person’sorganizational role. Access can also be grantedspecifically to persons who are not members of anyorganizational role.
Qquery. A way in which to limit a reconciliation toreturn smaller packets.
Rreconciliation. The process of comparing theinformation the central data repository to the managedagent system and identifying the discrepancies betweenthe two.
reconciliation report. A report that lists the orphanaccounts found since the last reconciliation wasperformed.
rejected report. A report that lists requests denied bydate, who requested the operation, and who theoperation is requested for.
request. An action item in the Tivoli Identity Managersystem asking for approval or information.
requestee. The person for whom a request issubmitted.
requestor. A person who submits a request.
resource. A hardware, software, or data entity that ismanaged by Tivoli software. See also managedresource.
resource provisioning management (rpm). Themanagement principle that combines three keyelements - business logic, workflow management, and
Glossary 115
distribution agents - which together centrally managethe provisioning of users with access to informationand business resources.
restore. To reactivate an account that was suspended.
request for information (RFI). In identitymanagement, an action item that requests additionalinformation from the specified participant and that is arequired step in the workflow.
Sscope. The range that a policy can affect.
Typically, the scope is defined as single or subtree. Whenthe scope is defined as single, the policy only affectsentities in the same branch in which the policy isdefined. When the scope is defined as sub-tree, thepolicy affects the branch in which it is defined and allother branches that are subordinate to the policy’sbranch of origin.
service. A program that performs a primary functionwithin a server or related software.
service selection policy. A JavaScript filter thatdetermines which service to use in a provisioningpolicy.
shared secret. An encrypted value used to retrieve auser’s initial password to access the Tivoli IdentityManager system. This value is defined when the user’spersonal information is initially loaded into the system.
signature authority. The right to approve or deny arequest that is submitted to the workflow engine. Auser or group of users is granted signature authoritywhen they are designated as the participant orescalation participant in a workflow design.
secure socket layer (SSL). A protocol for transmittingprivate documents through the Internet. SSL works byusing a private key to encrypt data that is transferredover the SSL connection.
static organizational role. An organizational role thatcan only be assigned manually.
subprocess. A workflow design that is started as partof another workflow design.
supervisor. A person in the Tivoli Identity Managersystem that is designated as the owner of a businessunit.
suspend. The act of deactivating an account so theaccount owner cannot log into the resource.
system administrator. Individuals with access to allareas in the system.
A pre-configured ITIM Group is provided in the TivoliIdentity Manager system. This ITIM Group is designed
to grant members maximum access to the system.Users who are members of the administrator ITIMGroup have access to all system functions and data.
TTivoli Identity Manager Agent. An intelligentinterface between the targeted managed system and theTivoli Identity Manager Server. It acts as a trustedvirtual administrator and is a critical component thattranslates user requests and provides secureconfigurations access to various targeted systems.
Tivoli Identity Manager Server. A software andservices package designed to deploy policy-basedprovisioning solutions.
to do list. The list of actions items assigned to a userfor completion.
Uuser. Any person who interacts with the system.
user class. An LDAP class such as inetorgperson orBPPerson.
user interface (UI). The display used by the user tointeract with the system.
user name. The ID used by the user to access thesystem. This ID also identifies the user to the systemand allows the system to determine the user’s accessrights based on the user’s membership in variousorganizational roles and ITIM groups.
user report. A report that lists all Tivoli IdentityManager operations by date, who requested theoperation, and who the operation is requested for.
Wworkflow. The sequence of activities performed inaccordance with the business processes of an enterprise.
116 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
Index
Aaccessibility, documentation viiAdmin ID, database field 18, 40Admin Password, database field 18, 40administrative authority, ensure before installation 17, 39administrative authority, Windows 17, 39audience v
BBEA Home Directory, WebLogic Application Server field 18,
40bold text vii
CCA certificate
requirements 36, 73CDs 77Choose installation type
installation input 24, 25, 46, 47, 62, 87, 93, 99cluster
installationadmin server 45Apache HTTP server configuration 74configuring the proxy server 74determining cluster configuration 47, 63IIS HTTP server configuration 74initial configuration of a managed server 68installing a managed server 60registering a managed server 59specifying directory server connection information 66specifying the database 50, 66Tivoli Identity Manager Server 39
installation flowchart 43prerequisites
database 39directory server 39WebLogic 39
worksheet 40Cluster Multicast Address, Tivoli Identity Manager field 40Cluster Multicast Port, Tivoli Identity Manager field 40Cluster Name, Tivoli Identity Manager field 40configuration
database 28, 52directory 29, 30, 53, 54Tivoli Identity Manager
database tab 32, 56directory tab 32, 56general tab 31, 55logging tab 33, 57mail tab 33, 57security tab 35, 59UI tab 34, 58
configuringOracle 12SQL Server 2000 13Sun ONE Directory Server 15
contacting support viiconventions, in publications vii
Ddatabase
configurationinitial 28, 52
fieldAdmin ID 18, 40Admin Password 18, 40Database Name 18, 41Database Type 18, 40Database User 18, 41Initial Capacity 19, 41IP Address 19, 41Login Delay Seconds 19, 41Maximum Capacity 19, 41Port Number 19, 41User Password 19, 41
database configurationinstallation input 28, 52
Database Name, database field 18, 41Database Name, database pool field 19, 41database tab 32, 56Database Type, database field 18, 40Database User, database field 18, 41Default Org Short Name, directory server field 20, 42directory
configurationinitial 29, 53reappearance with active fields 30, 54
directory configurationinstallation input 29, 30, 53, 54
directory serverfield
Default Org Short Name 20, 42Host name 19, 41Identity Manager DN Location 20, 42Increment count 20, 42Initial pool size 20, 42Max. pool size 20, 42Name of your organization 20, 42Number of hash buckets 19, 42Password 19, 41Port 19, 42Principal DN 19, 41
directory structure differencesupgrading
Tivoli Identity Manager Server 85directory tab 32, 56documents
accessibility viiaccessing online viOracle virelated v, viSQL Server 2000 viSun ONE Directory Server viWeb proxy server viWebLogic Application Server vi
Domain Base Directory, Tivoli Identity Manager field 40Domain Name, Tivoli Identity Manager field 40
© Copyright IBM Corp. 2003 117
Eencryption
key 27, 50, 67Encryption key
installation input 27, 50, 67Encryption Key, Tivoli Identity Manager field 40
Fflowchart
cluster installation 43single-server installation 21
Ggeneral tab 31, 55
HHost name, directory server field 19, 41
IIdentity Manager DN Location, directory server field 20, 42Increment count, directory server field 20, 42Initial pool size, directory server field 20, 42installation
clusteradmin server 45Apache HTTP server configuration 74configuring the proxy server 74determining cluster configuration 47, 63IIS HTTP server configuration 74initial configuration of a managed server 68installing a managed server 60registering a managed server 59specifying directory server connection information 66specifying the database 50, 66
installation inputChoose installation type 24, 25, 46, 47, 62, 87, 93, 99database configuration 28, 52directory configuration 29, 30, 53, 54Encryption key 27, 50, 67Language selection 23, 45, 61License Agreement 23, 45, 61Log on 23, 45, 61Pre-Installation summary 27, 51, 68, 89, 96Product CD 23, 45, 61Start installation wizard 23, 45, 61system configuration 90, 97system configuration, database tab 32, 56system configuration, directory tab 32, 56system configuration, general tab 31, 55system configuration, logging tab 33, 57system configuration, mail tab 33, 57system configuration, security tab 35, 59system configuration, UI tab 34, 58WebLogic server location 25, 47, 62, 87, 93, 99
installation sequencesingle-server
choose install folder 26specify domain information 26
installingOracle
AIX 9
installing (continued)Oracle (continued)
Solaris 11Windows 12
SQL Server 2000 13Tivoli Identity Manager Server
cluster 39flowchart, cluster 43flowchart, single-server 21single-server 17
IP Address, database field 19, 41italic text i
LLanguage selection
installation input 23, 45, 61License Agreement
installation input 23, 45, 61Log on
installation input 23, 45, 61logging tab 33, 57Login Delay Seconds, database pool field 19, 41
Mmail tab 33, 57Max. pool size, directory server field 20, 42Maximum Capacity, database pool field 19, 41Microsoft SQL server, with WebLogic 83monospace text vii
NName of your organization, directory server field 20, 42Number of hash buckets, directory server field 19, 42
Ooperating system
Windows 2000 Advanced Server supported 83Oracle
configuring 12installing
AIX 9Solaris 11Windows 12
with WebLogic 83Oracle documents vi
PPassword
directory server field 19, 41Password, Tivoli Identity Manager field 21, 43Port
directory server field 19, 42Port Number, database field 19, 41Pre-Installation summary
installation input 27, 51, 68, 89, 96prerequisite
documents vworksheet
cluster 40
118 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
prerequisitesadministrative authority on Windows 17, 39cluster
database 39directory server 39WebLogic 39
single-serveradministrative authority 17, 39database 17directory server 17WebLogic Application Server 17
worksheetsingle-server 17
Principal DN, directory server field 19, 41Product CD
installation input 23, 45, 61properties value
single-serverDomain Base Directory 18Domain Name 18Encryption Key 18Server Name 18Tivoli Identity Manager 18
publicationsaccessibility viiaccessing online viconventions used in viiOracle viprerequisite vrelated viSQL Server 2000 viSun ONE Directory Server viTivoli Identity Manager vWeb proxy server viWebLogic Application Server vi
Rrelated documents v, virequirements
browsers, Windows only 84CA certificate 36, 73Microsoft SQL server 83Oracle 83Sun ONE Directory Server 83WebLogic 84Windows 2000 Advanced Server 83
Ssecurity tab 35, 59Server Configuration and Implementation
cluster 6Overview 3single–server 4
Server Name, Tivoli Identity Manager field 40single-server
configurationinstalling 17
installationTivoli Identity Manager Server 17
installation flowchart 21installation sequence
choose install folder 26specify domain information 26
single-server (continued)prerequisites
administrative authority 17, 39database 17directory server 17WebLogic Application Server 17
properties valueDomain Base Directory 18Domain Name 18Encryption Key 18Server Name 18Tivoli Identity Manager 18
worksheet 17SQL Server 2000
configuring 13installing 13
SQL Server 2000 documents viStart installation wizard
installation input 23, 45, 61starting and stopping
Tivoli Identity Manager Server 35, 72, 91, 104Sun ONE Directory Server
configuring 15documents viwith WebLogic 83
support, contacting viisystem configuration
installation input 90, 97system configuration, database tab
installation input 32, 56system configuration, directory tab
installation input 32, 56system configuration, general tab
installation input 31, 55system configuration, logging tab
installation input 33, 57system configuration, mail tab
installation input 33, 57system configuration, security tab
installation input 35, 59system configuration, UI tab
installation input 34, 58
Ttab
database 32, 56directory 32, 56general 31, 55logging 33, 57mail 33, 57security 35, 59UI 34, 58
TerminologyWebLogic 3
test communicationTivoli Identity Manager Server 36, 73, 92, 105
Tivoli Identity Managerconfiguration
database tab 32, 56directory tab 32, 56general tab 31, 55logging tab 33, 57mail tab 33, 57security tab 35, 59UI tab 34, 58
Index 119
Tivoli Identity Manager (continued)field
Cluster Multicast Address 40Cluster Multicast Port 40Cluster Name 40Domain Base Directory 40Domain Name 40Encryption Key 40Password 21, 43Server Name 40Tivoli Identity Manager directory 40User ID 20, 42
uninstalling 107additional products 107database tables 107directory server schema 107steps 107
upgrading 86, 93, 98customizations, removal 91, 103schemas 89, 96updating custom logos 91, 103
Tivoli Identity Manager directory, Tivoli Identity Managerfield 40
Tivoli Identity Manager ServerCA certificate 36, 73installing
cluster 39flowchart, cluster 43flowchart, single-server 21single-server 17
starting and stopping 35, 72, 91, 104test communication 36, 73, 92, 105upgrading
before upgrading 85completing the upgrade process 90, 100defining installation location 100defining the installation location 94directory structure differences 85from cluster version 4.3 to cluster version 4.5 92from single server version 4.3 to single server version
4.5 86from Tivoli Identity Manager 4.3 85the admin server 93updating the managed server 97
UUI tab 34, 58uninstalling
Tivoli Identity Manager 107additional products 107database tables 107directory server schema 107steps 107
upgradingTivoli Identity Manager 86, 93, 98
customizations, re-implementing 91, 103schemas 89, 96updating custom logos 91, 103
Tivoli Identity Manager Serverbefore upgrading 85completing the upgrade process 90, 100defining installation location 100defining the installation location 94directory structure differences 85from cluster version 4.3 to cluster version 4.5 92
upgrading (continued)Tivoli Identity Manager Server (continued)
from single server version 4.3 to single server version4.5 86
from Tivoli Identity Manager 4.3 85the admin server 93updating the managed server 97
User ID, Tivoli Identity Manager field 20, 42User Password, database field 19, 41
Wweb browsers, supported on Windows only 84Web proxy server
documents viWebLogic
server configurations 3cluster 6single-server 4
supported level 84supported level of Microsoft SQL server 83supported level of Oracle 83supported level of Sun ONE Directory Server 83terminology 3
admin server 3cluster 3managed server 3single-server 3Web proxy server 3
WebLogic Application Serverfield
BEA Home Directory 18, 40WebLogic Application Server Directory 18, 40
WebLogic Application Server Directory, WebLogic ApplicationServer field 18, 40
WebLogic Application Server documents viWebLogic server location
installation input 25, 47, 62, 87, 93, 99Windows 2000 Advanced Server supported 83worksheet
cluster 40single-server 17
120 IBM Tivoli Identity Manager: Server Installation Guide on Windows 2000 using WebLogic
����
Program Number: 5724–C34
Printed in U.S.A.
SC32-1335-00
