Tivoli® Identity Manager
Tivoli Access Manager Combo Adapter Installation and Configuration Guide
Version 5.1
SC23-9664-00



Note: Before using this information and the product it supports, read the information in Appendix C, “Notices,” on page 59.

© Copyright International Business Machines Corporation 2006, 2009. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.


Contents

Preface  v
  About this book  v
  Intended audience for this book  v
  Publications and related information  v
    Tivoli Identity Manager library  v
    Prerequisite product publications  vii
    Related publications  viii
    Accessing terminology online  viii
    Accessing publications online  viii
    Ordering publications  viii
  Accessibility  ix
  Tivoli technical training  ix
  Support information  ix
  Conventions used in this book  ix
    Typeface conventions  ix
    Operating system-dependent variables and paths  x
    Definitions for HOME and other directory variables  x

Chapter 1. Overview of the Tivoli Access Manager Combo Adapter  1
  Features of the adapter  1
  Architecture of the adapter  1
  Supported configurations  2

Chapter 2. Planning to install the Tivoli Access Manager Combo Adapter  5
  Preinstallation roadmap  5
  Installation roadmap  5
  Prerequisites  6
  Installation worksheet for the adapter  7
  Downloading the software  7

Chapter 3. Installing the Tivoli Access Manager Combo Adapter  9
  Installing and configuring the Tivoli Access Manager Runtime for Java System  9
  Installing using the installation wizard  9
  Configuring the Tivoli Directory Integrator Application into the Tivoli Access Manager secure domain  12
  Installing the Tivoli Access Manager Combo Adapter Utilities Package  15
  Installing the RMI Dispatcher  15

Chapter 4. Importing the adapter profile into the Tivoli Identity Manager Server  17

Chapter 5. Creating a Tivoli Access Manager Combo service  19

Chapter 6. Configuring the Tivoli Access Manager Combo Adapter  25
  Customizing the Tivoli Access Manager Combo Adapter profile  25
  Standard parameters  26
  Adapter attributes and object classes  26
  Other Configuration Considerations  32
  RMI Dispatcher Configuration Properties  33

Chapter 7. Configuring SSL authentication for the adapter  35
  SSL terminology  35
  SSL configurations  36
    Configuring for one-way SSL authentication  36
    Configuring for two-way SSL authentication  37
  Task performed on the SSL server (Tivoli Directory Integrator server workstation)  38
    Creating a keystore for the Tivoli Directory Integrator server  38
    Creating a truststore for the Tivoli Directory Integrator server  38
    Creating a server-signed certificate for the Tivoli Directory Integrator server  39
    Creating a CA certificate for Tivoli Directory Integrator  39
    Importing the WebSphere CA certificate into the Tivoli Directory Integrator truststore  40
    Configure Tivoli Directory Integrator to use the keystores  40
    Configure Tivoli Directory Integrator to use the truststores  40
    Enabling the adapter service to use SSL  41
  Tasks performed on the SSL client (Tivoli Identity Manager and WebSphere Application Server workstation)  41
    Creating a signed certificate for the Tivoli Identity Manager server  41
    Creating a WebSphere Application Server CA certificate for Tivoli Identity Manager  42
    Importing the Tivoli Identity Manager CA certificate into the WebSphere Application Server truststore  42

Chapter 8. Verifying the Tivoli Access Manager Combo Adapter profile installation  43

Chapter 9. Troubleshooting the Tivoli Access Manager Combo Adapter installation  45
  Logging information format  45
  Reconciliation of Supporting Data  46
  Runtime Problems  46
  Performance Tuning  48
    Selection of groups to determine membership  48

© Copyright IBM Corp. 2006, 2009 iii


Chapter 10. Uninstalling the Tivoli Access Manager Combo Adapter  51

Appendix A. Accessibility  53
  Navigating the interface using the keyboard  53
  Magnifying what is displayed on the screen  53

Appendix B. Support information  55
  Searching knowledge bases  55
    Search the information center on your local system or network  55
    Search the Internet  55
  Contacting IBM Software Support  55
    Determine the business impact of your problem  56
    Describe your problem and gather background information  57
    Submit your problem to IBM Software Support  57

Appendix C. Notices  59
  Trademarks  60

iv IBM Tivoli Identity Manager: Tivoli Access Manager Combo Adapter Installation and Configuration Guide


Preface

About this book

This installation guide provides the basic information that you need to install and configure the IBM® Tivoli Access Manager Combo Adapter. The Tivoli Access Manager Combo Adapter enables connectivity between the Tivoli® Identity Manager Server and the Tivoli Access Manager Policy Server and its associated directory server.

Intended audience for this book

This book is intended for administrators responsible for installing and configuring software on their organization’s computer systems. Readers are expected to understand IBM Tivoli Identity Manager, IBM Tivoli Access Manager and IBM Tivoli Directory Integrator, and operating system concepts. The person completing the Tivoli Access Manager Combo Adapter installation procedure must also be familiar with their organization’s system standards. Readers should be able to perform routine security administration tasks.

Publications and related information

This section lists publications in the IBM Tivoli Identity Manager library and related documents. The section also describes how to access Tivoli publications online and how to order Tivoli publications.

Read the descriptions of the IBM Tivoli Identity Manager library. To determine which additional publications you might find helpful, read the “Prerequisite product publications” on page vii and the “Related publications” on page viii. After you determine the publications you need, refer to the instructions in “Accessing publications online” on page viii.

Tivoli Identity Manager library

The publications in the technical documentation library for your product are organized into the following categories:
• Release information
• Online user assistance
• Server installation and configuration
• Problem determination
• Technical supplements
• Adapter installation and configuration

Release Information:

• Release Notes
  Provides software and hardware requirements for the product, and additional fix, patch, and other support information.

• Read This First card
  Lists the publications for the product.

Online user assistance:



Provides online help topics and an information center for administrative tasks.

Server installation and configuration:

Provides installation and configuration information for the product server.

Problem determination:

Provides problem determination, logging, and message information for the product.

Technical supplements:

The following technical supplements are provided by developers or by other groups who are interested in this product:
• Performance and tuning information
  Provides information needed to tune your production environment, available on the Web at:
  http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
  Click the I character in the A-Z product list to locate IBM Tivoli Identity Manager products. Click the link for your product, and then browse the information center for the Technical Supplements section.

• IBM Redbooks® and white papers are available on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliIdentityManager.html
  Browse to the Self Help section, in the Learn category, and click the Redbooks link.

• Technotes are available on the Web at:
  http://www.redbooks.ibm.com/redbooks.nsf/tips/

• Field guides are available on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html

• For an extended list of other Tivoli Identity Manager resources, search the following IBM developerWorks® Web address:
  http://www.ibm.com/developerworks/

Adapter documentation:

The technical documentation library also includes a set of platform-specific documents for the adapter components of the product. Adapter information is available on the Web at:

http://publib.boulder.ibm.com/tividd/td/tdprodlist.html

Click the I character in the A-Z product list to locate IBM Tivoli Identity Manager products. Click the link for your product, and then browse the information center for the adapter information that you want.

Skills and training:

The following additional skills and technical training information were available at the time that this manual was published:
• Virtual Skills Center for Tivoli Software on the Web at:



  http://www.cgselearning.com/tivoliskills/
• Tivoli Education Software Training Roadmaps on the Web at:
  http://www.ibm.com/software/tivoli/education/eduroad_prod.html
• Tivoli Technical Exchange on the Web at:

http://www.ibm.com/software/sysmgmt/products/support/supp_tech_exch.html

Prerequisite product publications

To use the information in this book effectively, you must have knowledge of the products that are prerequisites for your product. Publications are available from the following locations:
• Operating systems
  – IBM AIX
    http://publib16.boulder.ibm.com/pseries/
  – Solaris Operating Environment
    http://docs.sun.com/app/docs/prod/solaris
  – Red Hat Linux
    http://www.redhat.com/docs/
  – Microsoft® Windows® Server 2003
    http://www.microsoft.com/windowsserver2003/proddoc/default.mspx

• Database servers
  – IBM DB2 Universal Database
    - Support: http://www.ibm.com/software/data/db2/udb/support.html
    - Information center: http://publib.boulder.ibm.com/infocenter/db2help/index.jsp
    - Documentation: http://www.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/v8pubs.d2w/en_main
    - DB2® product family: http://www.ibm.com/software/data/db2
    - Fix packs: http://www.ibm.com/software/data/db2/udb/support/downloadv8.html
    - System requirements: http://www.ibm.com/software/data/db2/udb/sysreqs.html
  – Oracle
    http://www.oracle.com/technology/documentation/index.html
    http://otn.oracle.com/tech/index.html
    http://otn.oracle.com/tech/linux/index.html
  – Microsoft SQL Server
    http://www.msdn.com/library/
    http://www.microsoft.com/sql/

• Directory server applications
  – IBM Directory Server
    http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
    Click the D character in the A-Z list, and then click the link for your product to access the product library.
    http://www.ibm.com/software/network/directory
  – Sun Java System Directory Server
    http://www.sun.com/software/products/directory_srvr/home_directory.xml



• WebSphere®
  Additional information is available in the product directory or Web sites.
  http://www.ibm.com/software/webservers/appserv/was/library/
  http://www.redbooks.ibm.com/
• WebSphere embedded messaging
  http://www.ibm.com/software/integration/wmq/
• IBM HTTP Server
  http://www.ibm.com/software/webservers/httpservers/library.html

Related publications

The following documents also provide useful information:
• The Tivoli Software Library provides a variety of Tivoli publications such as white papers, datasheets, demonstrations, IBM Redbooks, and announcement letters. The Tivoli Software Library is available on the Web at:
  http://www.ibm.com/software/tivoli/literature/
• The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available from the Glossary link of the Tivoli Software Library Web page at:
  http://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm

Accessing terminology online

The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available at the following Tivoli software library Web site:

http://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm

The IBM Terminology Web site consolidates the terminology from IBM product libraries in one convenient location. You can access the Terminology Web site at the following Web address:

http://www.ibm.com/software/globalization/terminology

Accessing publications online

IBM posts publications for this and all other Tivoli products, as they become available and whenever they are updated, to the Tivoli Information Center Web site at http://publib.boulder.ibm.com/tividd/td/link/tdprodlist.html.

In the Tivoli Information Center window, click Tivoli product manuals. Click the letter that matches the first letter of your product name to access your product library. For example, click M to access the IBM Tivoli Monitoring library or click O to access the IBM Tivoli OMEGAMON® library.

Note: If you print PDF documents on other than letter-sized paper, set the option in the File → Print window that allows Adobe® Reader to print letter-sized pages on your paper.

Ordering publications

You can order many Tivoli publications online at http://www.elink.ibmlink.ibm.com/public/applications/publications/cgibin/pbi.cgi.



You can also order by telephone by calling one of these numbers:
• In the United States: 800-879-2755
• In Canada: 800-426-4968

In other countries, contact your software account representative to order Tivoli publications. To locate the telephone number of your local representative, perform the following steps:
1. Go to http://www.elink.ibmlink.ibm.com/public/applications/publications/cgibin/pbi.cgi.
2. Select your country from the list and click Go.
3. Click About this site in the main panel to see an information page that includes the telephone number of your local representative.

Accessibility

Accessibility features help users with a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface.

For additional information, see Appendix A, “Accessibility,” on page 53.

Tivoli technical training

For Tivoli technical training information, refer to the following IBM Tivoli Education Web site at http://www.ibm.com/software/tivoli/education.

Support information

If you have a problem with your IBM software, you want to resolve it quickly. IBM provides the following ways for you to obtain the support you need:
• IBM Support Assistant: You can search across a large collection of known problems and workarounds, Technotes, and other information at http://www.ibm.com/software/support/isa.
• Obtaining fixes: You can locate the latest fixes that are already available for your product.
• Contacting IBM Software Support: If you still cannot solve your problem, and you need to work with someone from IBM, you can use a variety of ways to contact IBM Software Support.

For more information about these ways to resolve problems, see Appendix B, “Support information,” on page 55.

Conventions used in this book

This reference uses several conventions for special terms and actions and for operating system-dependent commands and paths.

Typeface conventions

This book uses the following typeface conventions:

Bold



• Lowercase commands and mixed case commands that are otherwise difficult to distinguish from surrounding text
• Interface controls (check boxes, push buttons, radio buttons, spin buttons, fields, folders, icons, list boxes, items inside list boxes, multicolumn lists, containers, menu choices, menu names, tabs, property sheets), labels (such as Tip:, and Operating system considerations:)
• Keywords and parameters in text

Italic

• Citations (examples: titles of books, diskettes, and CDs)
• Words defined in text (example: a nonswitched line is called a point-to-point line)
• Emphasis of words and letters (words as words example: "Use the word that to introduce a restrictive clause," letters as letters example: "The LUN address must start with the letter L.")
• New terms in text (except in a definition list): a view is a frame in a workspace that contains data.
• Variables and values you must provide: ... where myname represents...

Monospace

• Examples and code examples
• File names, programming keywords, and other elements that are difficult to distinguish from surrounding text
• Message text and prompts addressed to the user
• Text that the user must type
• Values for arguments or command options

Operating system-dependent variables and paths

This guide uses the Windows convention for specifying environment variables and for directory notation.

When using the UNIX command line, replace %variable% with $variable for environment variables and replace each backslash (\) with a forward slash (/) in directory paths. The names of environment variables are not always the same in Windows and UNIX®. For example, %TEMP% in the Windows operating system is equivalent to $tmp in a UNIX operating system.

Note: If you are using the bash shell on a Windows system, you can use the UNIX conventions.
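The substitution rule above is mechanical enough to script. The following Python helper is an added example written for this edit, not code from the IBM guide or the adapter package: it rewrites a path written in the guide's Windows convention into UNIX form (%VAR% to $VAR, backslash to forward slash) and applies a rename table for variables whose names differ between the two systems. The TEMP to tmp pairing is the one the guide gives; the function names, the reverse-direction helper and any further table entries are assumptions for illustration.

```python
import re

# Variable names that differ between the two systems. The TEMP -> tmp pair is
# the one the guide gives; any further entries are assumptions for your site.
VARIABLE_NAME_MAP = {
    "TEMP": "tmp",
}

# %NAME% in the Windows convention; $NAME or ${NAME} in the UNIX convention
_WIN_VAR = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")
_UNIX_VAR = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")


def to_unix_path(windows_style: str) -> str:
    """Rewrite a path from the guide's Windows notation to UNIX notation.

    Every %VAR% becomes $VAR (renamed via VARIABLE_NAME_MAP where the two
    systems use different names) and every backslash becomes a forward slash.
    Intended for directory paths only, as the guide's rule is.
    """
    def substitute(match: "re.Match[str]") -> str:
        name = match.group(1)
        return "$" + VARIABLE_NAME_MAP.get(name, name)

    with_unix_vars = _WIN_VAR.sub(substitute, windows_style)
    return with_unix_vars.replace("\\", "/")


def to_windows_path(unix_style: str) -> str:
    """Reverse translation: $VAR or ${VAR} back to %VAR%, slashes to backslashes."""
    reverse_map = {unix: win for win, unix in VARIABLE_NAME_MAP.items()}

    def substitute(match: "re.Match[str]") -> str:
        name = match.group(1)
        return "%" + reverse_map.get(name, name) + "%"

    with_windows_vars = _UNIX_VAR.sub(substitute, unix_style)
    return with_windows_vars.replace("/", "\\")


if __name__ == "__main__":
    # Constructed sample paths written in the guide's Windows convention
    samples = [
        r"%ITDI_HOME%\jars\connectors",
        r"%TEMP%\tamcombo.log",
        r"drive:\Program Files\IBM\TDI\V6.1.1",
    ]
    for sample in samples:
        unix_form = to_unix_path(sample)
        print(f"{sample}  ->  {unix_form}  ->  {to_windows_path(unix_form)}")
```

Because the conversion replaces every backslash, apply it only to directory paths as the guide describes, never to strings where a backslash is an escape character.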

Definitions for HOME and other directory variables

The following table contains the default definitions that are used in this guide to represent the HOME directory level for various product installation paths. You can customize the installation directory and HOME directory for your specific implementation. If this is the case, you need to make the appropriate substitution for the definition of each variable represented in this table.

The value of path varies for these operating systems:
• Windows: drive:\Program Files
• AIX®: /usr
• Other UNIX: /opt



Path variable / Default definition / Description

DB_INSTANCE_HOME
  Windows: path\IBM\SQLLIB
  UNIX:
    • AIX, Linux®: /home/dbinstancename
    • Solaris: /export/home/dbinstancename
  Description: The directory that contains the database for your Tivoli Identity Manager product.

IDS_instance_HOME (for IBM Directory Server Version 6.0)
  Windows: drive\idsslapd-instance_owner_name
    The value of drive might be C:\. An example of instance_owner_name might be ldapdb2. For example, the log file might be C:\idsslapd-itimldap\logs\ibmslapd.log
  UNIX: INSTANCE_HOME/idsslapd-instance_name
    On Linux and AIX systems, the default home directory is the /home/instance_name/idsslapd-instance_name directory. On Solaris systems, for example, the directory is the /export/home/itimldap/idsslapd-itimldap directory.
  Description: The directory that contains the IBM Directory Server Version 6.0 instance.

HTTP_HOME
  Windows: path\IBMHttpServer
  UNIX: path/IBMHttpServer
  Description: The directory that contains the IBM HTTP Server code.

ITIM_HOME
  Windows: path\IBM\itim
  UNIX: path/IBM/itim
  Description: The base directory that contains the Tivoli Identity Manager code, configuration, and documentation.

WAS_HOME
  Windows: path\IBM\WebSphere\AppServer
  UNIX: path/IBM/WebSphere/AppServer
  Description: The WebSphere home directory.

WAS_NDM_HOME
  Windows: path\IBM\WebSphere\DeploymentManager
  UNIX: path/IBM/WebSphere/DeploymentManager
  Description: The home directory on the Deployment Manager.

ITDI_HOME
  Windows (for version 6.1.1): drive\Program Files\IBM\TDI\V6.1.1
  UNIX (for version 6.1.1): /opt/IBM/TDI/V6.1.1
    The ITDI_HOME directory contains the jars/connectors subdirectory that contains files for the adapters. For example, the jars/connectors subdirectory contains the files for the UNIX adapter.
    Note: If Tivoli Directory Integrator is not automatically installed with your Tivoli Identity Manager product, the default directory path for Tivoli Directory Integrator might be as follows: path/IBM/IBMDirectoryIntegrator
  Description: The directory where Tivoli Directory Integrator is installed.

Tivoli_Common_Directory
  Windows: path\ibm\tivoli\common\
  UNIX: path/ibm/tivoli/common/
  Description: The central location for all serviceability-related files, such as logs and first-failure data capture.



Chapter 1. Overview of the Tivoli Access Manager Combo Adapter

An Adapter is a program that provides an interface between a managed resource and the IBM Tivoli Identity Manager Server. Adapters might or might not reside on the managed resource, and the IBM Tivoli Identity Manager Server manages access to the resource by using your security system. Adapters function as trusted virtual administrators on the target platform, performing such tasks as creating login IDs, suspending IDs, and performing other functions administrators normally run manually.

The Tivoli Access Manager Combo Adapter leverages the IBM Tivoli Directory Integrator functionality to facilitate communication between the IBM Tivoli Identity Manager Server and IBM Tivoli Access Manager Server. The following sections provide information about the Tivoli Access Manager Combo Adapter:
• “Features of the adapter”
• “Architecture of the adapter”
• “Supported configurations” on page 2

Features of the adapter

You can use the Tivoli Access Manager Combo Adapter to automate the following administrative tasks:
• Creating new users on the Tivoli Access Manager Server.
• Creating SSO credentials for users on the Tivoli Access Manager Server.
• Modifying users’ SSO credentials and attributes on the Tivoli Access Manager Server and its underlying directory server.
• Changing user account passwords on the Tivoli Access Manager server.
• Suspending, restoring, and deleting user accounts on the Tivoli Access Manager server.
• Reconciling user, SSO credentials and LDAP user attributes on the Tivoli Access Manager Server.

Architecture of the adapter

IBM Tivoli Identity Manager communicates with the Tivoli Access Manager Combo Adapter to administer IBM Tivoli Access Manager user accounts. You can perform the following actions on an account:
• Add
• Delete
• Modify
• Change Password
• Restore
• Suspend

You can also search for account information and change an account password.

The Tivoli Access Manager Combo Adapter consists of IBM Tivoli Directory Integrator AssemblyLines. When an initial request is made by IBM Tivoli Identity Manager Server to the Tivoli Access Manager Combo Adapter, the AssemblyLines are loaded into the Tivoli Directory Integrator Server. As a result, subsequent service requests do not require those same AssemblyLines to be reloaded.

The AssemblyLines utilize the Tivoli Directory Integrator Tivoli Access Manager connector and LDAP connector to undertake user management related tasks on the directory server. It does this remotely by using the login user ID and password of a user that has administrator privileges.

Figure 1 shows the various components that work together to complete user management tasks in a Tivoli Directory Integrator environment.

For additional information about Tivoli Directory Integrator, see the IBM Tivoli Directory Integrator: Getting Started Guide.

Supported configurations

The Tivoli Access Manager Combo Adapter supports a number of different configurations and is designed to operate with Tivoli Identity Manager 5.0.

The fundamental components of a Tivoli Access Manager Combo Adapter environment are:
• a Tivoli Identity Manager Server,
• an IBM Tivoli Directory Integrator Server,
• a compatible directory server, and
• the IBM Tivoli Access Manager Combo Adapter.

The Tivoli Access Manager Java™ Runtime Environment (JRTE) must also be installed on the same Java Runtime Environment (JRE) as used by Tivoli Directory Integrator.

The Tivoli Access Manager Combo Adapter is both highly configurable and highly customizable. Note that support extends only to configuration of the adapter, such as adding mappings for additional attributes. Support does not extend to customization, for example changes, additions or modifications to its Tivoli Directory Integrator AssemblyLine scripts.

Figure 1. The architecture of the Tivoli Access Manager Combo Adapter



The Tivoli Access Manager Combo adapter cannot support directory service load balancing or environments that utilize architectures such as Master/Master directory server replication.

Although reconciliation of dynamic group supporting data may occur through the use of the Tivoli Access Manager API method of reconciliation, management including the addition or removal of Tivoli Access Manager accounts to or from these dynamic groups through IBM Tivoli Identity Manager is unsupported.

The Tivoli Access Manager Combo adapter supports Microsoft Windows Active Directory and Microsoft Windows Active Directory Application Mode (ADAM) configured against Tivoli Access Manager.

Note: ADAM is supported only when SSL is implemented between IBM Tivoli Directory Integrator and the ADAM directory server. You should use the Identity Manager Windows Active Directory service (rather than the Tivoli Access Manager Combo service) to handle accounts in situations where:
• the Tivoli Access Manager Combo adapter is managing a Tivoli Access Manager deployment that is configured against Microsoft Windows Active Directory, and
• the Tivoli Identity Manager Windows Active Directory service is implemented on Tivoli Identity Manager to manage Windows Active Directory accounts, which are also associated with the Tivoli Access Manager instance.

In such situations, anomalous results may result if you delete Active Directory accounts that are associated with Tivoli Access Manager accounts.


Chapter 2. Planning to install the Tivoli Access Manager Combo Adapter

Installing and configuring the adapter involves several steps that you must complete in the appropriate sequence. Review the roadmaps before you begin the installation process.

Preinstallation roadmap

You must prepare the environment before you can install the adapter.

Table 1. Preinstallation roadmap

What to do: Verify that the software and hardware requirements for the adapter that you want to install have been met.
Where to find more information: See “Prerequisites” on page 6.

What to do: Collect the necessary information for the installation and configuration.
Where to find more information: See “Installation worksheet for the adapter” on page 7.

What to do: Obtain the installation software.
Where to find more information: Download the software from Passport Advantage®. See “Downloading the software” on page 7.

Installation roadmap

You must complete the necessary steps to install the adapter, including completing post-installation configuration tasks and verifying the installation:

Table 2. Installation roadmap

What to do: Install the adapter.
Where to find more information: See Chapter 3, “Installing the Tivoli Access Manager Combo Adapter,” on page 9.

What to do: Import the adapter profile.
Where to find more information: See Chapter 4, “Importing the adapter profile into the Tivoli Identity Manager Server,” on page 17.

What to do: Create a service.
Where to find more information: See Chapter 5, “Creating a Tivoli Access Manager Combo service,” on page 19.

What to do: Configure the adapter.
Where to find more information: See Chapter 6, “Configuring the Tivoli Access Manager Combo Adapter,” on page 25.

What to do: Verify the adapter profile installation.
Where to find more information: See Chapter 8, “Verifying the Tivoli Access Manager Combo Adapter profile installation,” on page 43.


Prerequisites

Table 3 identifies hardware, software, and authorization prerequisites to install the Tivoli Access Manager Combo Adapter. Verify that all of the prerequisites have been met before installing the Tivoli Access Manager Combo Adapter.

Table 3. Prerequisites to install the adapter

Prerequisite: Operating System
Description: The Tivoli Access Manager Combo Adapter can be used on any operating system that is supported by Tivoli Directory Integrator.

Prerequisite: Network Connectivity
Description: TCP/IP network

Prerequisite: System Administrator Authority
Description: The person completing the Tivoli Access Manager Combo Adapter installation procedure must have system administrator authority to complete the steps in this chapter.

Prerequisite: Tivoli Directory Integrator Server
Description: 6.1.1 Fixpack 5

Prerequisite: Tivoli Identity Manager server
Description: Version 5.1

Prerequisite: IBM Tivoli Identity Manager Adapter (also known as the RMI Dispatcher)
Description: Version supplied in installation package or later.

Prerequisite: IBM Tivoli Access Manager Java Run-Time
Description: Corresponding version to IBM Tivoli Access Manager Server. The Tivoli Access Manager Combo Adapter supports Tivoli Access Manager Server version 6.0 and 6.1.

Prerequisite: Tivoli Directory Integrator Tivoli Access Manager Connector (supplied with Tivoli Access Manager Combo Adapter)
Description: Version supplied in installation package or later.

For information on the minimal system requirements and supported operating systems for Tivoli Directory Integrator, refer to the IBM Tivoli Directory Integrator Administrator Guide.

Note: The Tivoli Access Manager Combo adapter supports Microsoft Windows Active Directory configured against Tivoli Access Manager. The Tivoli Access Manager Combo adapter can be used where Tivoli Access Manager is configured against Microsoft Windows Active Directory, and where the Tivoli Identity Manager Windows Active Directory service is implemented on Tivoli Identity Manager to manage the same Windows Active Directory accounts associated with the Tivoli Access Manager instance. In these situations, the Identity Manager Windows Active Directory service should manage those accounts rather than the Tivoli Access Manager Combo service. Be aware that anomalous results may result if Active Directory accounts that have been associated with a Tivoli Access Manager account are deleted.


Installation worksheet for the adapter

Table 4 identifies the information you will need to install the Tivoli Access Manager Combo Adapter.

Table 4. Required information to install the adapter

Required information: Administrator account on the managed resource for running the Tivoli Access Manager Combo Adapter.
Description: An administrator account on the managed resource that has administrative rights.

Required information: Tivoli Access Manager Administrator account
Description: An administrator account in Tivoli Access Manager with administrative rights. For example, sec_master.

Required information: Directory Service Administrator account
Description: An administrative account on Tivoli Access Manager’s underlying directory server. This account must have enough access rights to manage Tivoli Access Manager directory accounts and group membership entries.

Downloading the software

After you have purchased IBM Tivoli Identity Manager, you can download the adapter software from your account in IBM Passport Advantage Online at: http://www.ibm.com/software/howtobuy/passportadvantage/pao_customers.htm

Chapter 2. Planning to install the Tivoli Access Manager Combo Adapter 7


Chapter 3. Installing the Tivoli Access Manager Combo Adapter

To install the connector, extract the Tivoli Access Manager Combo zip file (Adapter50_TamCombo_5.0.x.zip) from the distribution package and follow the installation steps below.

Installing and configuring the Tivoli Access Manager Runtime for Java System

The Tivoli Access Manager Runtime for Java must be installed and configured to allow secure communication between the Tivoli Directory Integrator Java Runtime Environment and the Tivoli Access Manager Policy Server.

Note: The information provided in this guide is not intended to replace the information supplied in the Tivoli Access Manager for e-business documentation. Please refer to the IBM Tivoli Access Manager for e-business Version 6.x Installation Guide or the IBM Tivoli Access Manager Base Installation Guide for guidance on the installation and configuration of the Tivoli Access Manager Runtime for Java.

You can set up this system using either one of the following installation methods:
• Installation using the installation wizard.
• Installation using native utilities.

The installation of the Tivoli Access Manager Runtime for Java is described here using the installation wizard only. For installation using the native utilities, please refer to the IBM Tivoli Access Manager Base Installation Guide or IBM Tivoli Access Manager for e-business Installation Guide.

Installing using the installation wizard

The install_amjrte installation wizard simplifies the setup of a Java Runtime Environment (JRE) by installing and configuring the following components in the appropriate order:
1. Tivoli Access Manager License.
2. Tivoli Access Manager Runtime for Java.

Note: The wizard detects if a component is installed and does not attempt to reinstall it.

To install and configure Tivoli Access Manager Runtime for Java using the install_amjrte wizard, follow these steps:
1. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known Tivoli Access Manager defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes®, or the Technotes in the Tivoli Access Manager support knowledge database.

© Copyright IBM Corp. 2006, 2009 9


2. For Tivoli Access Manager version 6.x, ensure that IBM Java Runtime 1.4.2 SR2 is installed before running the installation wizard. The correct Java Runtime Environment is required for the installation software to function correctly.
3. Ensure that the Tivoli Access Manager Policy Server is up and running.
4. To view status and messages in a language other than English (the default), install your Tivoli Access Manager language support package before running an installation wizard.
5. On Windows systems only, exit from all running programs.
6. On Red Hat Enterprise Linux 3.0 systems only, the following patches must be applied:
• compat-gcc-7.3-2.96.122
• compat-libstdc++-7.3-2.96.122
• compat-libstdc++-devel-7.3-2.96.122
• compat-glibc-7.x-2.2.4.32.5
• compat-gcc-c++-7.3-2.96.122
• compat-db-4.0.14-5
• rpm-4.2.1-4.2
• rpm-build-4.2.1-4.2
7. Run the install_amjrte program, located in the root directory on the IBM Tivoli Access Manager Base CD for the supported AIX, HP-UX, Solaris, Linux and Windows platforms. The installation wizard begins by prompting you for configuration information, as described in the table below. Supply the required configuration information, or accept default values.

Note: * indicates a required option.

Table 5. install_amjrte configuration options

Configuration Option / Description

Directory name * (prompted on Windows only)
Specifies the Tivoli Access Manager Runtime for Java directory. The default directories are:
UNIX or Linux: /opt/PolicyDirector
Windows: C:\Program Files\Tivoli\Policy Director

Enable Tivoli Common Directory for logging
Select to enable Tivoli Common Directory, a central location on systems running Tivoli software for storing files, such as trace and message logs.


Directory name * (for Tivoli Common Directory, prompted on Windows only)
Specifies the fully qualified path for the Tivoli Common Directory.
• If the location of the Tivoli Common Directory has previously been established on the system by the installation of another Tivoli application, the directory location will be displayed in the field but it cannot be modified.
• If the location of the Tivoli Common Directory has not previously been established on the system, you can specify its location.
If Tivoli Common Directory is enabled and the directory location has not been previously established, the default common directory name is:
UNIX or Linux: /var/ibm/tivoli/common
Windows: C:\Program Files\ibm\tivoli\common
Beneath the Tivoli Common Directory, each Tivoli product stores its information in a product-specific subdirectory. Each product-specific directory is named with a 3-character product identifier. For example, tivoli_common_dir/HPD for IBM Tivoli Access Manager. If Tivoli Common Directory is not enabled, Tivoli Access Manager will write its message and trace log data to the following location:
UNIX or Linux: /opt/PolicyDirector/log
Windows: C:\Program Files\Tivoli\Policy Director\log

Policy server host name *
Specifies the host name or IP address of the Tivoli Access Manager policy server. The policy server manages the policy database (sometimes referred to by its original name of master authorization database), updates the database replicas whenever a change is made to the master database, and replicates the policy information throughout the domains. The policy server also maintains location information about other resource managers operating in the domain. There must be at least one policy server defined for each domain. Examples:
pdmgr
pdmgr.tivoli.com

Policy server SSL port *
Specifies the port number on which the policy server listens for SSL requests. The default port number is 7135.

Chapter 3. Installing the Tivoli Access Manager Combo Adapter 11


JRE directory *
Specifies the fully qualified path of the Tivoli Directory Integrator Java Runtime Environment (JRE) that is being configured for Tivoli Access Manager. You must specify the JRE directory of the Tivoli Directory Integrator installation which you wish to communicate with the Tivoli Access Manager Policy Server. For example, the Tivoli Directory Integrator Java Runtime Environment may be installed at:
UNIX or Linux: ITDI_HOME/jvm/jre/
Windows: ITDI_HOME\jvm\jre\

8. Compare the disk space that is required to install the Tivoli Access Manager Runtime for Java component with the disk space that is available. If there is sufficient space, continue the installation.
9. After reviewing the summary and accepting your installation selections and configuration choices, the components are installed and configured without further intervention.

Configuring the Tivoli Directory Integrator Application into the Tivoli Access Manager secure domain

To make use of Tivoli Access Manager security, Tivoli Identity Manager must be configured into your Tivoli Access Manager secure domain. Tivoli Access Manager provides a utility class called com.tivoli.pd.jcfg.SvrSslCfg that can be used to accomplish the necessary configuration and unconfiguration tasks.

Tivoli Access Manager uses a self-generated and self-signed certificate to authenticate its Secure Sockets Layer (SSL) communications. The Tivoli Access Manager authorization API Java classes must be able to determine the certificate that Tivoli Access Manager is using in order to establish its SSL communication. As a result, you also must establish a Tivoli Access Manager identity for the Tivoli Directory Integrator Java application.

The SvrSslCfg class is used to create a Tivoli Access Manager user account for Tivoli Directory Integrator and to store the server's configuration and certificate information in local configuration and keystore files. The SvrSslCfg option -action config is used to create the Tivoli Access Manager application name, the configuration file, and the keystore file. Configuring an application server creates user and server information in the user registry as well as creates local configuration and keystore files.

When using the SvrSslCfg class, ensure that the IBM Tivoli Directory Integrator JRE is used. This is the same JRE that was used when configuring the Tivoli Access Manager JRTE. The command to establish an SSL connection between the Tivoli Directory Integrator host and the Tivoli Access Manager secure domain is as follows:

java com.tivoli.pd.jcfg.SvrSslCfg -action config
    -admin_id admin_user_ID
    -admin_pwd admin_password
    -appsvr_id application_server_name
    -appsvr_pwd application_server_password
    -port port_number
    -mode { local | remote }
    -host Host_name_of_application_server
    -policysvr policy_server_name:port:rank [,...]
    -authzsvr authorization_server_name:port:rank [,...]
    -cfg_file fully_qualified_name_of_configuration_file
    -domain Tivoli_Access_Manager_domain
    -key_file fully_qualified_name_of_keystore_file
    -cfg_action { create | replace }

The parameters accepted by the SvrSslCfg configuration action are described in the table below.

Table 6. Description of parameters for the SvrSslCfg configuration action

SvrSslCfg Parameter / Value

-admin_id admin_user_ID
A Tivoli Access Manager user with administrative privileges. For example, sec_master. This parameter is required.

-admin_pwd password
Password associated with the Tivoli Access Manager administrative user specified. This parameter is required.

-appsvr_id name
The name of the server where the Tivoli Directory Integrator application is installed. For example, itdi_tam. This parameter is required.

-port port_number
The TCP/IP port which the application server listens to for policy server notifications. This parameter is required, but not used. Any integer can be specified (for example, 1234).

-mode remote
The Tivoli Directory Integrator application server processes requests remotely. This parameter is required and must be specified as remote.

-policysvr hostname:port:rank[,hostname2:port2:rank2...]
A list of Tivoli Access Manager policy servers to which the application server can communicate. The format of this entry is host name, TCP/IP port number, and numeric rank, separated by colons. Multiple servers can be specified by separating them with commas. For example, the following indicates two policy servers, both using default TCP/IP port 7135, are available:
primary.myco.com:7135:1,secondary.myco.com:7135:2
This parameter is required.

-authzsvr hostname:port:rank[,hostname2:port2:rank2...]
A list of Tivoli Access Manager authorization servers to which the application server can communicate. The format of this entry is host name, TCP/IP port number, and numeric rank, separated by colons. Multiple servers can be specified by separating them with commas. For example, the following indicates two authorization servers, both using default TCP/IP port 7136, are available:
secazn.myco.com:7136:2,primazn.myco.com:7136:1
This parameter is required. It can be the same value as defined for -policysvr (above).


-cfg_file file_name
Fully qualified name of the configuration file on the application server. SvrSslCfg -action config creates this file. The filename should have a .conf suffix. You can specify any valid name. This parameter is required.

-key_file file_name
Fully qualified name of the keystore file on the application server. SvrSslCfg -action config creates this file. The filename should have a .ks suffix. You can specify any valid name. This parameter is required.

-domain domain_name
The Tivoli Access Manager domain for the application server. This parameter is optional. The default value is the local domain.

-appsvr_pwd password
The password for the user account in the user registry associated with the application server. This parameter is optional. If it is specified, the password must meet the current password rules in effect. If it is omitted, a default password is automatically generated.

-host host_name
This is typically the unique name of the host machine where the Tivoli Directory Integrator application is installed. This parameter is optional. The default value is the local host.
Note: The host name is used to build a unique name (identity) for the application. The pdadmin user list command displays the application identity name in the following format:
server_name/host_name
The pdadmin server list command will display the server name in a slightly different format:
server_name-host_name

-cfg_action { create | replace }
Indicates whether the configuration and keystore files should be created on the application server or replaced. This parameter is optional. The default action is replace. When the create option is specified but the files already exist, an exception is raised. When the replace option is specified, the configuration and keystore files must already exist.

For example, the following command could be used to configure IBM Tivoli Directory Integrator to use the IBM Tivoli Access Manager policy server on amserver.example.com, using standard ports and default install paths:

/opt/IBM/TDI/V6.1.1/jvm/jre/bin/java -cp /opt/PolicyDirector/java/export/pdjrte/PD.jar com.tivoli.pd.jcfg.SvrSslCfg \
    -action config \
    -admin_id sec_master \
    -admin_pwd SEC_MASTER_PASSWORD \
    -appsvr_id itdi_tam \
    -port 1234 \
    -mode remote \
    -policysvr amserver.example.com:7135:1 \
    -authzsvr amserver.example.com:7136:1 \
    -cfg_file /opt/IBM/TDI/V6.1.1/timsol/PDCfgFile.conf \
    -key_file /opt/IBM/TDI/V6.1.1/timsol/PDKeyFile.ks

For further information regarding configuring or unconfiguring an application server such as Tivoli Directory Integrator into the secure domain, please refer to the IBM Tivoli Access Manager for e-business Authorization Java Classes Developer Reference.
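One way to assemble and check the SvrSslCfg command before running it, as an added example that is not IBM's code: it encodes the parameter rules of Table 6 (required flags, -mode remote, the .conf and .ks suffixes, host:port:rank server lists, create versus replace) and uses the paths from the sample command above. The TAM_ADMIN_PWD environment variable is an assumption of this script.

```python
"""Assemble and sanity-check the SvrSslCfg invocation that configures the
Tivoli Directory Integrator JRE into a Tivoli Access Manager secure domain.

Added example, not IBM code. It encodes the parameter rules from the table
above (required flags, -mode remote, .conf and .ks suffixes, host:port:rank
server lists, create versus replace) and produces the argv list matching
the guide's sample command. Paths are the guide's defaults; adjust them.
"""
import os
import re
import subprocess
from typing import Callable, List, Optional, Tuple

PD_JAR = "/opt/PolicyDirector/java/export/pdjrte/PD.jar"
SVRSSLCFG_CLASS = "com.tivoli.pd.jcfg.SvrSslCfg"

# host:port:rank, as -policysvr and -authzsvr expect each entry.
_SERVER_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9.-]*):(\d{1,5}):(\d+)$")


def parse_server_list(spec: str) -> List[Tuple[str, int, int]]:
    """Parse 'host:port:rank[,host2:port2:rank2...]' into tuples."""
    servers = []
    for entry in spec.split(","):
        m = _SERVER_RE.match(entry.strip())
        if not m:
            raise ValueError(f"bad server entry {entry!r}; expected host:port:rank")
        host, port, rank = m.group(1), int(m.group(2)), int(m.group(3))
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range in {entry!r}")
        servers.append((host, port, rank))
    return servers


def choose_cfg_action(cfg_file: str, key_file: str,
                      exists: Callable[[str], bool] = os.path.exists) -> str:
    """Pick -cfg_action from the state of the two files: 'create' raises if
    they already exist and 'replace' requires them, so decide up front."""
    have_cfg, have_key = exists(cfg_file), exists(key_file)
    if have_cfg and have_key:
        return "replace"
    if not have_cfg and not have_key:
        return "create"
    raise RuntimeError("only one of the configuration and keystore files exists; "
                       "remove the stray file before running SvrSslCfg")


def build_svrsslcfg_argv(itdi_home: str, admin_id: str, admin_pwd: str,
                         appsvr_id: str, policysvr: str, authzsvr: str,
                         cfg_file: str, key_file: str, port: int = 1234,
                         mode: str = "remote", domain: Optional[str] = None,
                         host: Optional[str] = None,
                         cfg_action: Optional[str] = None,
                         pd_jar: str = PD_JAR) -> List[str]:
    """Return the full argv for 'SvrSslCfg -action config'."""
    # SvrSslCfg must run under the TDI JRE, the JRE the JRTE was configured for.
    java = os.path.join(itdi_home, "jvm", "jre", "bin", "java")
    if mode != "remote":
        raise ValueError("the TDI application server must use -mode remote")
    if not cfg_file.endswith(".conf"):
        raise ValueError("-cfg_file should have a .conf suffix")
    if not key_file.endswith(".ks"):
        raise ValueError("-key_file should have a .ks suffix")
    if cfg_action not in (None, "create", "replace"):
        raise ValueError("-cfg_action must be create or replace")
    parse_server_list(policysvr)  # fail early on a malformed server list
    parse_server_list(authzsvr)
    argv = [java, "-cp", pd_jar, SVRSSLCFG_CLASS, "-action", "config",
            "-admin_id", admin_id, "-admin_pwd", admin_pwd,
            "-appsvr_id", appsvr_id, "-port", str(port), "-mode", mode,
            "-policysvr", policysvr, "-authzsvr", authzsvr,
            "-cfg_file", cfg_file, "-key_file", key_file]
    if domain:
        argv += ["-domain", domain]
    if host:
        argv += ["-host", host]
    if cfg_action:
        argv += ["-cfg_action", cfg_action]
    return argv


def main() -> None:
    # Take the sec_master password from the environment rather than a shell
    # history line; SvrSslCfg still receives it as a command-line argument.
    pwd = os.environ.get("TAM_ADMIN_PWD")
    if not pwd:
        raise SystemExit("set TAM_ADMIN_PWD to the Tivoli Access Manager admin password")
    cfg = "/opt/IBM/TDI/V6.1.1/timsol/PDCfgFile.conf"
    key = "/opt/IBM/TDI/V6.1.1/timsol/PDKeyFile.ks"
    argv = build_svrsslcfg_argv("/opt/IBM/TDI/V6.1.1", "sec_master", pwd, "itdi_tam",
                                "amserver.example.com:7135:1",
                                "amserver.example.com:7136:1", cfg, key,
                                cfg_action=choose_cfg_action(cfg, key))
    subprocess.run(argv, check=True)


if __name__ == "__main__":
    main()
```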

Installing the Tivoli Access Manager Combo Adapter Utilities Package

The Tivoli Access Manager Combo Adapter utilities package contains a number of Java classes that are used by the Tivoli Access Manager Combo Adapter TDI assembly lines. To install the utilities package:
1. Extract the TAMComboUtils.jar file from the compressed file into a temporary directory.
2. Copy or move TAMComboUtils.jar to an appropriate Tivoli Directory Integrator location:
Windows, Tivoli Directory Integrator version 6.1.1: ITDI_HOME\jars\3rdparty\IBM
UNIX or Linux, Tivoli Directory Integrator version 6.1.1: ITDI_HOME/jars/3rdparty/IBM
3. Restart the IBM Tivoli Identity Manager (RMI Dispatcher) service if it is already installed and running. Please refer to the dispatcher50.pdf file, which is contained in the Adapter-Dispatcher-5.xxx.zip file, for guidance on starting and stopping the adapter service.

Installing the RMI Dispatcher

To install the RMI Dispatcher, extract the Adapter-Dispatcher-5.xxx.zip file, contained within the Tivoli Access Manager Combo package.

Please refer to the dispatcher50.pdf file (contained in the ZIP file above) for guidance on the installation and configuration of the RMI Dispatcher.


Chapter 4. Importing the adapter profile into the Tivoli Identity Manager Server

An IBM Tivoli Identity Manager adapter profile defines the types of resources that the Tivoli Identity Manager Server can manage. In this case, the profile is used to create a Tivoli Access Manager Combo Adapter service on the Tivoli Identity Manager Server. You must import the adapter profile into the Tivoli Identity Manager Server before using the Tivoli Access Manager Combo Adapter.

Before you import the adapter profile, verify that the following conditions are met:
• The Tivoli Identity Manager Server is installed and running.
• You have root or Administrator authority on the Tivoli Identity Manager Server.

The Tivoli Access Manager Combo adapter distribution package contains two JAR file versions of the adapter profile, only one of which should be used:

itamprofile.jar
The itamprofile.jar profile is intended for use when Tivoli Access Manager is configured against supported non-Windows-Active-Directory directory services.

itamprofileAD.jar
The itamprofileAD.jar profile is intended for use when Tivoli Access Manager is configured against Windows Active Directory, including Active Directory Application Mode (ADAM) or other supported directory services.

Table 7 indicates which profile to use.

Table 7. Profile selection guide

                                                                 | itamprofile.jar | itamprofileAD.jar
Tivoli Access Manager is configured against Active Directory     | No              | Yes
or ADAM                                                          |                 |
Tivoli Access Manager is configured against a non-Active         | Yes             | Yes (see Note)
Directory service, such as IBM Directory Server                  |                 |

Note:

The itamprofileAD.jar profile augments the Tivoli Identity Manager directory with attributes that can be mapped to Windows Active Directory attributes. Although the itamprofileAD.jar profile can work with Tivoli Access Manager directory servers other than Windows Active Directory (such as IBM Directory Server), these additional attributes will be present but remain empty if the itamprofileAD.jar profile is used with those servers.

The itamprofileAD.jar profile should be used either when Tivoli Access Manager is configured against Windows Active Directory (or ADAM), or when Tivoli Identity Manager manages multiple Tivoli Access Manager services, where the Tivoli Access Manager instances are configured against a mixture of both Windows Active Directory and Tivoli Access Manager-supported non-Windows Active Directory servers.

The itamprofileAD.jar profile can be imported after having imported the itamprofile.jar profile. This should be done if you want to manage a Tivoli Access Manager instance configured against Windows Active Directory. However, importing the itamprofile.jar after having imported an itamprofileAD.jar profile is unsupported, and may have spurious effects. In this case, the additional attributes that support Tivoli Access Manager Active Directory attributes would not be removed.

To import the adapter profile, complete the following steps:
1. Log in to the Tivoli Identity Manager Server using an account that has the authority to perform administrative tasks.
2. Import the adapter profile using the import feature for your IBM Tivoli Identity Manager product. Refer to the information center or the online help for specific instructions about importing the adapter profile.
3. Restart the IBM Tivoli Identity Manager Adapter (Dispatcher) service.

If you receive an error related to the schema when you import the adapter profile, refer to the trace.log file for information about the error. The trace.log file location is specified using the handler.file.fileDir property defined in the IBM Tivoli Identity Manager enRoleLogging.properties file. The enRoleLogging.properties file is installed in the ITIM_HOME\data directory.


Chapter 5. Creating a Tivoli Access Manager Combo service

You must create a service for the Tivoli Access Manager Combo Adapter before the Tivoli Identity Manager Server can use the adapter to communicate with the managed resource. To create a service, complete these steps:
1. Log in to the Tivoli Identity Manager Server using an account that has the authority to perform administrative tasks.
2. Create the service using the information for your IBM Tivoli Identity Manager product. Refer to the information center or the online help for specific instructions about creating a service.

To create or change a service, you must use the service form to provide information for the service. Service forms might vary depending on the adapter. The Tivoli Access Manager Combo Adapter service form contains the following fields:

SERVICE SETUP TAB

Service name
Specify a name that defines this Tivoli Access Manager Combo Adapter service on the Tivoli Identity Manager Server.

Description
Optional: Specify a description for this service.

TDI location
Optional: Specify the URL for the Tivoli Directory Integrator instance. Valid syntax is rmi://ip-address:port/ITDIDispatcher, where ip-address is the Tivoli Directory Integrator host and port is the port number for the RMI Dispatcher. For example, you might specify the URL as rmi://localhost:16231/ITDIDispatcher. For information about changing the port number, refer to the dispatcher50.pdf file, which is contained in the Adapter-Dispatcher-5.0xxx.zip file.

TAM SETUP TAB

Reconciliation Method
The Tivoli Access Manager Combo adapter has two methods of reconciling Tivoli Access Manager user accounts and their associated directory repository attributes:

TAM API
This method will function with Tivoli Access Manager version 6.0 and 6.1. It is designed to use the Tivoli Access Manager administration Java API, and is facilitated through the use of Tivoli Directory Integrator, its Tivoli Access Manager Connector, and the Tivoli Access Manager Policy Server.

LDAP – TAM v6.x
This method will function only with Tivoli Access Manager version 6.0 and 6.1. It is designed to reconcile Tivoli Access Manager user accounts and their associated directory repository attributes directly from the directory repository that the Tivoli Access Manager policy server is configured against. If you are using Tivoli Access Manager version 6.0 or 6.1, there may be some increase in reconciliation performance as a result of using this reconciliation method.

Note: A Search Filter may be specified for the Tivoli Access Manager reconciliation query. You may provide an LDAP filter in the Query page to specify a subset of accounts only (no supporting data) to be included in the reconciliation. Both the Tivoli Access Manager API and LDAP reconciliation methods support Tivoli Access Manager user account filtering. If a subset of user accounts is required, a Search Filter may be supplied that conforms to the Tivoli Access Manager pattern used when listing User accounts.

For example, a Search Filter to reconcile a subset of Tivoli Access Manager User accounts which would include JaneDoe, JonDoe and JimDolt might be:
(eruid=J*Do*)

The pattern for the eruid attribute is interpreted as a literal string, with the exception of the asterisk (*) character, which is interpreted as a metacharacter that matches zero or more characters. Asterisks can be located at the beginning, in the middle, or at the end of the pattern, and the pattern can contain multiple asterisks.
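The matching rule above, as an added example that is not part of the guide: a small evaluator that applies an (eruid=PATTERN) Search Filter to a constructed list of user IDs, so the subset a filter would reconcile can be checked before it is used. Case-sensitive matching is an assumption here; the guide does not state case behaviour.

```python
"""Evaluate a Tivoli Access Manager Combo service Search Filter of the form
(eruid=PATTERN) against a list of user IDs.

Added example, not IBM code. It implements the matching rule described
above: the pattern is a literal string except for '*', which matches zero
or more characters and may appear anywhere, any number of times. Matching
is treated as case-sensitive here; that is an assumption, the guide does
not state case behaviour.
"""
import re
from typing import Iterable, List, Pattern

_FILTER_RE = re.compile(r"^\(eruid=(.+)\)$")


def parse_eruid_filter(search_filter: str) -> str:
    """Extract PATTERN from '(eruid=PATTERN)'; reject any other filter shape."""
    m = _FILTER_RE.match(search_filter.strip())
    if not m:
        raise ValueError(f"unsupported search filter {search_filter!r}; "
                         "expected (eruid=PATTERN)")
    return m.group(1)


def pattern_to_regex(pattern: str) -> Pattern[str]:
    """Translate a TAM user pattern into an anchored regular expression.

    Every segment between asterisks is escaped, so regex metacharacters in a
    user ID ('.', '+', brackets) stay literal; only '*' becomes '.*'.
    """
    segments = [re.escape(seg) for seg in pattern.split("*")]
    return re.compile("^" + ".*".join(segments) + "$", re.DOTALL)


def match_user_ids(search_filter: str, user_ids: Iterable[str]) -> List[str]:
    """Return the user IDs the Search Filter would include in a reconciliation."""
    regex = pattern_to_regex(parse_eruid_filter(search_filter))
    return [uid for uid in user_ids if regex.match(uid)]


# Constructed sample of Tivoli Access Manager user IDs (not from a real registry).
SAMPLE_USER_IDS = ["JaneDoe", "JonDoe", "JimDolt", "JohnSmith", "Doe",
                   "j.doe", "J.Ro+e", "JxRooe"]

if __name__ == "__main__":
    for flt in ("(eruid=J*Do*)", "(eruid=*Doe)", "(eruid=J.Ro+e)", "(eruid=*)"):
        print(f"{flt:16} -> {match_user_ids(flt, SAMPLE_USER_IDS)}")
```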

Do not reconcile SSO credentials
Checking this option will exclude SSO credentials from the retrieval of Tivoli Access Manager Accounts' information during a TAM Combo service reconciliation.

Note: Simply checking this option will remove the Tivoli Access Manager account credentials currently held in Tivoli Identity Manager. This is because Tivoli Identity Manager will consider any non-returned credential to mean that the credential no longer exists for the account. However, it is possible to retain any credentials that have been reconciled previously by excluding the SSO credentials attribute from the reconciliation query.

LDAP Reconciliation Page Size
This value is used for LDAP reconciliations only and is ignored for Tivoli Access Manager API reconciliations. If a page size other than 0 is specified, the Tivoli Access Manager Combo adapter will try to use page mode search when obtaining Tivoli Access Manager user account information. Page mode causes the directory server to return a specific number of entries (called pages) instead of all entries in one chunk. Not all directory servers support this option. To test if your directory server supports Page Mode, check the Tivoli Directory Integrator log file (ibmdi.log) and look for a reference to "Supported Controls of LDAP Server" when performing a successful test of the Tivoli Access Manager Combo service by clicking the Test button for the Tivoli Access Manager Combo Service. If your directory service supports Page Mode, it is recommended that this value reflect the SearchResultSetSize value of the RMI Dispatcher itim_listener.properties file. To locate this value, please refer to the RMI Dispatcher Installation and Configuration Guide (dispatcher50.pdf) supplied in the Adapter-Dispatcher-5.xxx.zip file.

TAM Admin User
Specify the IBM Tivoli Access Manager Administrator account name (e.g. sec_master). This account must have enough access rights to manage IBM Tivoli Access Manager accounts and group memberships.

TAM Admin User Password
Specify the password for the IBM Tivoli Access Manager Administrator account.

TAM Config File
File path name for the Tivoli Access Manager configuration file that was created when the Tivoli Access Manager Java Runtime Environment (JRTE) was installed and configured. This is an absolute reference to the configuration file from the Tivoli Directory Integrator server.

Note: The Tivoli Access Manager JRTE must be installed on the same Java Runtime Environment (JRE) as used by Tivoli Directory Integrator. Please refer to the appropriate Tivoli Access Manager guides for instructions on how to install and configure the Tivoli Access Manager Java Runtime Environment.

Add Account
When creating a new Tivoli Access Manager account, the Add account field specifies whether the Adapter creates a completely new user or re-uses an existing user entry in the Tivoli Access Manager User Registry. The Tivoli Access Manager User Entry object class type can be either iNetOrgPerson or ePerson.

Add account options:

Create user entry in registry.
Causes the Adapter to create a new user entry in the Tivoli Access Manager User Registry with a specific DN. If the entry already exists, requests for account provisioning will fail.

Import user entry from registry.
Causes the Adapter to re-use an existing user entry from the Tivoli Access Manager User Registry. The user entry will be extended with Tivoli Access Manager specific attributes. If an entry with a specified DN doesn't exist, the request will fail.

Import or Create user entry.
Causes the Adapter to check if a user entry with a specific DN exists, and if so, this user entry is used. Otherwise a new registry entry for the Tivoli Access Manager account is created.

Delete user entry from Registry
This check box determines what happens during IBM Tivoli Access Manager account de-provisioning. If the check box is checked, during the deletion of the Tivoli Access Manager account, the user entry is completely removed from the Tivoli Access Manager registry. If the check box is left unchecked, only Tivoli Access Manager-specific attributes from the user entry are removed, but the user entry remains in the registry.

Synchronize TAM password in SSO Lockbox
If this check box is checked, all of the Tivoli Access Manager SSO credentials the user owns will be synchronized with the IBM Access Manager Account password.

TAM Domain Name
Specify the IBM Tivoli Access Manager Domain name. The domain name must not be the Tivoli Access Manager Administration domain. If this field is left blank, the domain is considered to be the default IBM Tivoli Access Manager run-time domain.

TAM Management Domain Name
The management domain specified when the Tivoli Access Manager policy server was configured. This object represents the Access Manager domain and is named using the secAuthority attribute with the name of the domain as its value; for example:
secAuthority=domain_name

If you do not provide a different name, the default name of the management domain is Default, making the secAuthorityInfo object name secAuthority=Default. This field is used only for Tivoli Access Manager version 6.1 and is not used for systems where Tivoli Access Manager is configured against Windows Active Directory.

TAM LDAP Management Domain Location DN
The LDAP management domain location DN is the distinguished name of the location in the LDAP server where the management domain information is stored. If it is not specified, the management domain information is assumed to be stored in its own standalone suffix on the LDAP server. Whether the default location is used or a different location in the LDAP DIT is specified, the location must already exist in the LDAP server. This field is used only for Tivoli Access Manager version 6.1 and is not used for systems where Tivoli Access Manager is configured against Windows Active Directory.

Object Class(es) for TAM Entry
If left blank, IBM Tivoli Access Manager directory entries will be instances of the iNetOrgPerson and ePerson object class type (when Tivoli Access Manager is configured against IBM Directory Server), or the user object class (when Tivoli Access Manager is configured against Windows Active Directory). If an entry is made, new Tivoli Access Manager entries will be instantiated as object class types defined by the field.

Notes:

1. These classes MUST already be defined in the IBM Tivoli Access Manager's LDAP schema.

2. Multiple object classes can be specified, but must be provided as a comma-separated list.

3. The Object Class for TAM Entry is not modifiable. Should you wish to change this entry, a new service must be created with any new set of object classes. As a result, accounts created with the new service will be provisioned using the object classes defined in that service. Accounts created with the old service will have been provisioned using the object classes defined in that service. It is not possible to modify the object classes that define accounts already created.

REPOSITORY SETUP TAB

TAM Repository Admin ID
Specify the Tivoli Access Manager directory repository Administrator’s Distinguished Name (such as cn=root). For Windows Active Directory, you should fully qualify the Administrator’s Distinguished Name. For example: CN=Administrator,CN=users,DC=company,DC=com

This account must have enough access rights to manage Tivoli Access Manager directory accounts and group membership entries.

Password
Specify the Tivoli Access Manager directory repository administrator’s password.

TAM Repository URL
Specify the location and port number of the directory repository configured against Tivoli Access Manager. The valid syntax is ldap://ip-address:port, where ip-address is the directory server host and port is the port number. For example, you might specify the URL as ldap://9.38.215.218:389.

TAM Directory Server Type
Specify the type of directory server that Tivoli Access Manager is configured against:
• LDAP-based refers to any supported directory server other than Microsoft Windows Active Directory or Microsoft Windows Active Directory Application Mode.
• Active Directory should be used if a Microsoft Windows Active Directory is configured against the managed Tivoli Access Manager instance.
• ADAM should be used if Tivoli Access Manager is configured against an implementation of Microsoft Windows Active Directory Application Mode.

TAM Repository SSL Connection
Check this option if Secure Sockets Layer is used by the Tivoli Directory Integrator LDAP Connector for communication with the directory server.

Once the service has been created, click Test to ensure that the connection to both the directory server and the Tivoli Access Manager Policy Server can be established. Configuration information for the adapter should be reported in the IBM Tivoli Directory Integrator log file (ibmdi.log) as a result of a successful test.


When testing the Tivoli Access Manager Combo service, the following message may be observed:

CTGIMT605E An error occurred while processing the CTGIMT401E An error occurred while starting the tamTest_TAMCombo on my_server-requestid_4329bac6-28ad-11b2-d8dc-00000930ab5b agent. Error: java.lang.NoClassDefFoundError: com/tivoli/pd/jutil/PDException operation on the IBM Tivoli Directory Integrator server. Error: {1}

This may be due to either of the following:
• the Tivoli Directory Integrator JVM is not configured with Tivoli Access Manager, or
• the Dispatcher has not been stopped and restarted to pick up the change.

Ensure that the Tivoli Access Manager Runtime for Java has been installed and configured correctly. Alternatively, restart the RMI Dispatcher as described in the dispatcher50.pdf file, which is contained in the Adapter-Dispatcher-5.xxx.zip file.


Chapter 6. Configuring the Tivoli Access Manager Combo Adapter

This chapter describes the configuration options for the Tivoli Access Manager Combo Adapter.

The Tivoli Access Manager Combo Adapter is designed to work with the inetOrgPerson object class. This class is a default object class which contains attributes about people, and is used by Tivoli Access Manager. If you are using the inetOrgPerson schema for your Tivoli Access Manager, the Tivoli Access Manager Combo Adapter may require simple UI customization for the account form. For more detailed information about account form customization, refer to the IBM Tivoli Identity Manager Administration and Configuration Guide.

The Tivoli Access Manager Combo Adapter supports a standard set of attributes for default object classes used in Tivoli Access Manager Servers. Standard user provisioning operations such as add, delete, modify, suspend, restore, change password, search and test are supported by the Tivoli Access Manager Combo Adapter. Because Tivoli Access Manager Server requirements vary, you may need to customize or extend the Tivoli Access Manager Combo schema to support additional attributes or object classes.

The following sections provide information for configuring the adapter.
• “Customizing the Tivoli Access Manager Combo Adapter profile”
• “Standard parameters” on page 26
• “Adapter attributes and object classes” on page 26
• “Other Configuration Considerations” on page 32
• “RMI Dispatcher Configuration Properties” on page 33

Customizing the Tivoli Access Manager Combo Adapter profile
The Tivoli Access Manager Combo Adapter is designed to work with the inetOrgPerson object class. This is a general purpose object class that contains attributes about people. If you are using the inetOrgPerson schema for the IBM Directory Server configured against Tivoli Access Manager, the Tivoli Access Manager Combo adapter does not require customization.

When Tivoli Access Manager is configured against Windows Active Directory, the Tivoli Access Manager Combo Adapter is designed to manage most of the Windows Active Directory User object class attributes.

However, to manage any of the inetOrgPerson attributes or Windows Active Directory attributes, you will need to enable any required attributes on the Adapter Account Form:
1. Log in to Tivoli Identity Manager as an Administrator.
2. From the Tivoli Identity Manager GUI, go to Configuration then Form Customization.
3. Expand the Account tree and select itamaccount Account.
4. Select the tab where you want to place an attribute.
5. From the attribute list, select the attribute you wish to add.
6. Double-click the attribute to add it to the account form.
7. Select Save Form Template.

If you are not using the IBM Directory Server inetOrgPerson object class or Windows Active Directory User object class attributes, and your object class has an attribute that is not an inetOrgPerson or User standard attribute, you will need to customize the Tivoli Access Manager Combo adapter.

Standard parameters
The Tivoli Access Manager Combo Adapter is configured to use a standard set of parameters for the inetOrgPerson class. The Tivoli Access Manager Combo resource must support referential integrity.

inetOrgPerson
This is the default IBM Directory Server object class used to create new Tivoli Access Manager user accounts when Tivoli Access Manager is configured against IBM Directory Server. The supporting object classes are organizationalPerson, person, and top.

User
This is the default Windows Active Directory object class used to create new Tivoli Access Manager user accounts when Tivoli Access Manager is configured against Windows Active Directory. Not all of the User object class attributes are managed by default. However, the majority of the attributes that are managed through the Active Directory user properties dialog box are catered for. Exceptions include non-modifiable attributes such as the memberOf attribute and logonHours, which is of INTEGER8 syntax and would be difficult to manage from the Tivoli Identity Manager TAM Combo account form. Attributes such as userAccountControl are also unsupported. For the list of Windows Active Directory User object class attributes that are supported by default, refer to Table 10 on page 27.

Adapter attributes and object classes
After you install the adapter profile, the Tivoli Access Manager Combo Adapter supports a standard set of attributes. Table 8 lists the standard attributes supported by the adapter. Attributes not listed in Table 8 to Table 10 on page 27 will be automatically mapped provided that a corresponding attribute with the same name, type, and syntax is associated with the TAM Combo account object class schema.

Table 8. Standard attributes supported by the Tivoli Access Manager Combo Adapter

TAM account property | Attribute name in schema | Schema
User ID | eruid | Directory String
User password | erpassword | Binary
Distinguished Name | eritamdn | DN
Common name (cn) | cn | Directory String
Surname (sn) | sn | Directory String
Description | description | Directory String
Max number of failed logon | eritammaxfailedlogon | Integer
Do Not Enforce Password Policy | eritamppolicy | Boolean
Do Not Change Password on Next Login | eritampvalid | Boolean
Single Signon Capability | eritamsinglesign | Boolean
Group Membership (multi-value attribute) | eritamgroupname | Directory String
SSO Credentials (multi-value attribute) | eritamcred | Directory String
Account status | eraccountstatus | Integer

Table 9. The inetOrgPerson attributes supported by the Tivoli Access Manager Combo Adapter

Attribute | Attribute | Attribute
BusinessCategory | homePostalAddress | PreferredLanguage
CarLicense | initials | RegisteredAddress
HomePhone | L | RoomNumber
DepartmentNumber | Mail | Secretary
preferreddeliverymethod | manager | UserPassword
DestinationIndicator | mobile | St
DisplayName | Pager | Street
EmployeeNumber | physicalDeliveryOfficeName | TelephoneNumber
EmployeeType | postalAddress | teletexTerminalIdentifier
FacsimileTelephoneNumber | postalCode | TelexNumber
GivenName | postOfficeBox | Title

Table 10. Mapping of Windows Active Directory User attributes supported by the Tivoli Access Manager Combo adapter

Windows Active Directory Attribute | IBM Directory Server Attribute | Description | Note
accountExpires | ntUserAcctExpires | Account expires on AD Account Tab | Tivoli Directory Integrator performs advanced mapping to support this attribute.
c | c | Country/region on AD Address Tab |
co | co | Country/region on AD Address Tab |
company | company | Company on AD User Organization Tab | To support its management, this attribute is added to Tivoli Identity Manager’s IBM Directory Server schema during the importation of the TAM Combo profile.
countryCode | countryCode | Country/region on AD Address Tab |
department | department | Department on AD User Organization Tab | To support its management, this attribute is added to Tivoli Identity Manager’s IBM Directory Server schema during the importation of the TAM Combo profile.
displayName | displayName | Display name on AD General Tab |
facsimileTelephoneNumber | facsimileTelephoneNumber | Fax on AD Telephones Tab |
homeDirectory | NTUserHomeDir | Home folder: Local path/To on AD Profile Tab | Tivoli Directory Integrator performs advanced mapping to support this attribute.
homeDrive | ntUserHomeDirDrive | Home folder: Connect on AD Profile Tab | Tivoli Directory Integrator performs advanced mapping to support this attribute.
homePhone | homePhone | Home on AD Telephones Tab |
info | info | Notes on AD Telephones Tab |
initials | initials | Initials on AD General Tab |
ipPhone | ipPhone | IP phone on AD User Telephones Tab | To support its management, this attribute is added to Tivoli Identity Manager’s IBM Directory Server schema during the importation of the TAM Combo profile.
l | l | City on AD Address Tab |
mail | mail | E-mail on AD General Tab |
manager | manager | DN of manager on AD Organization Tab |
mobile | mobile | |
otherFacsimileTelephoneNumber | otherFacsimileTelephoneNumber | Fax Number (Others) on AD User Telephones Tab | To support its management, this attribute is added to Tivoli Identity Manager’s IBM Directory Server schema during the importation of the TAM Combo profile.
otherHomePhone | otherHomePhone | Home Phone (Others) on AD User Telephones Tab | To support its management, this attribute is added to Tivoli Identity Manager’s IBM Directory Server schema during the importation of the TAM Combo profile.
otherIpPhone | otherIpPhone | IP Phone Number (Others) on AD User Telephones Tab | To support its management, this attribute is added to Tivoli Identity Manager’s IBM Directory Server schema during the importation of the TAM Combo profile.
otherMobile | otherMobile | Mobile Number (Others) on AD User Telephones Tab | To support its management, this attribute is added to Tivoli Identity Manager’s IBM Directory Server schema during the importation of the TAM Combo profile.
otherPager | otherPager | Pager Number (Others) on AD User Telephones Tab | To support its management, this attribute is added to Tivoli Identity Manager’s IBM Directory Server schema during the importation of the TAM Combo profile.
otherTelephone | otherTelephone | Phone Number (Others) on AD User General Tab | To support its management, this attribute is added to Tivoli Identity Manager’s IBM Directory Server schema during the importation of the TAM Combo profile.
pager | pager | Pager on AD Telephones Tab |
physicalDeliveryOfficeName | physicalDeliveryOfficeName | Office on AD General Tab |
postalCode | postalCode | Zip/Postal Code on AD Address Tab |
postOfficeBox | postOfficeBox | P.O. Box on AD Address Tab |
profilePath | profilePath | Profile path on AD User Profile Tab | To support its management, this attribute is added to Tivoli Identity Manager’s IBM Directory Server schema during the importation of the TAM Combo profile.
sAMAccountName | sAMAccountName | User logon name (pre-Windows 2000) on AD User Account Tab | To support its management, this attribute is added to Tivoli Identity Manager’s IBM Directory Server schema during the importation of the TAM Combo profile.
scriptPath | ntUserScriptPath | Logon script on AD Profile Tab | Tivoli Directory Integrator performs advanced mapping to support this attribute.
st | st | State/province on AD Address Tab |
streetAddress | streetAddress | Street on AD Address Tab |
telephoneNumber | telephoneNumber | Telephone number on AD General Tab |
title | title | Title on AD Organization Tab |
url | url | Web Page Address (Others) on AD General Tab |
userPrincipalName | userPrincipalName | User logon name on AD Account Tab |
userWorkstations | ntUserWorkstations | Log On To/Logon Workstations on AD Account Tab | Tivoli Directory Integrator performs advanced mapping to support this attribute.
wWWHomePage | wWWHomePage | Web page on AD User General Tab | To support its management, this attribute is added to Tivoli Identity Manager’s IBM Directory Server schema during the importation of the TAM Combo profile.

Notes:

1. Although cn, sn and description attributes are multi-valued in the LDAP schema, Tivoli Access Manager supports only single-valued attributes. Values other than the first value will be ignored by Tivoli Access Manager.

2. The eritamcred attribute contains password information for Tivoli Access Manager resources. For security reasons, it is strongly recommended that the file ITIM_HOME/data/enRoleHiddenSearchAttribute.properties be edited to include this attribute.

3. The Windows Active Directory User object class supports the sn attribute. However, this attribute is not a mandatory User object class attribute. As the IBM Directory Server inetOrgPerson object class mandates the use of the sn attribute when creating a Tivoli Identity Manager TAM Combo account, if a Windows Active Directory User account does not have a value for sn, a dash (-) will be returned for sn during a reconciliation.

4. Windows Active Directory User attributes that correspond to inetOrgPerson attributes such as homepostaladdress may also be managed through Tivoli Identity Manager. These attributes should be available when customizing the account form.

5. In the case of both Microsoft Windows Active Directory and Microsoft Windows Active Directory Application Mode (ADAM), the attributes listed are not exhaustive. Directory server attributes with the same name(s) as provided through the itamaccount object class should function correctly through a same-name-to-same-name mapping by the TAM Combo adapter. However, management of custom directory service attributes that have a different name to attributes of the itamaccount object class must be facilitated through user-customised advanced mapping.

Table 11. The object classes supported by the Tivoli Access Manager Combo Adapter

Description | Objectclass name in schema | Superior
Account class | itameraccount | iNetOrgPerson
Service class | eritamservice | top
List of Tivoli Access Manager groups | eritamgroups | top
List of SSO resources | eritamresources | top

Other Configuration Considerations
In non-Active Directory environments, Tivoli Access Manager most often uses objects of the object class groupOfNames to create directory group objects. This object class uses an attribute called member. However, some Tivoli Access Manager directory service deployments may use other group-based object classes, such as groupOfUniqueNames, which uses the uniqueMember attribute. This may cause Tivoli Access Manager account group membership not to be reported correctly in Tivoli Identity Manager.

By default (when using the LDAP-based reconciliation method only), group membership is determined by searching the group membership using the member attribute. However, should your Tivoli Access Manager deployment use one or more object classes that utilize member attribute names other than “member”, these attribute names must be specified.

To implement the determination of group membership through the use of member attribute names other than “member” during LDAP-based reconciliation, you must provide a comma-separated list of those member attribute names as the value of the com.ibm.itim.adapter.tamcombo.groupMembershipAttributeNames property in the appropriate Tivoli Directory Integrator solution.properties or global.properties file. The addition of this property to the properties file may be as follows:

    ## -------------------------
    ## ITIM TAM Combo properties
    ## -------------------------
    com.ibm.itim.adapter.tamcombo.groupMembershipAttributeNames=Group_Objectclass_member_attribute_name1, Group_Objectclass_member_attribute_nameN

where Group_Objectclass_member_attribute_name1, Group_Objectclass_member_attribute_nameN denotes a comma-separated list of known directory server Group Object class member attribute names. For example, you might provide the following:

    com.ibm.itim.adapter.tamcombo.groupMembershipAttributeNames=member,uniqueMember

Notes:

1. The correct properties file to use should also contain the Tivoli Identity Manager Dispatcher properties under the heading "ITIM Dispatcher properties".

2. If a group object class member attribute name is supplied that does not exist, the functionality of LDAP-based search will not be affected but performance may be impacted.

3. The group object class member attribute names supplied are considered case-insensitive.

4. If either the property is not supplied, or no group object class member attribute names are provided, then the group object class member attribute name will be considered to be member by default. If the property is supplied and member is to be considered a valid group object class member attribute name, it must be explicitly provided in the comma-separated list of group object class member attribute names provided as a value for the property.
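The following is an added example, not part of the adapter or of this guide: it models how LDAP-based reconciliation would read the groupMembershipAttributeNames property from a properties file and apply Notes 2 to 4 above (default to member, case-insensitive names, member not implied once the property is set) when computing a TAM account's group membership. The property parser, the group entries and the user DN are constructed for the example.

```python
"""Added example, not IBM code: group-membership resolution for LDAP-based
reconciliation driven by the groupMembershipAttributeNames property."""

from typing import Dict, List

PROPERTY = "com.ibm.itim.adapter.tamcombo.groupMembershipAttributeNames"


def parse_properties(text: str) -> Dict[str, str]:
    """Tiny reader for the key=value subset of Java properties files used here."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def member_attribute_names(props: Dict[str, str]) -> List[str]:
    """Note 4: property absent or empty -> ["member"]; otherwise exactly the listed
    names, so "member" must be listed explicitly to stay in effect.
    Note 3: names are case-insensitive, so they are normalised to lower case."""
    names = [n.strip().lower() for n in props.get(PROPERTY, "").split(",") if n.strip()]
    return names or ["member"]


def _norm_dn(dn: str) -> str:
    """Case-insensitive DN comparison with spaces around commas removed
    (a deliberate simplification of full DN matching for this example)."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def groups_for_user(user_dn: str, groups: List[Dict[str, List[str]]],
                    names: List[str]) -> List[str]:
    """Return the cn of each group entry whose configured member attribute lists
    user_dn. A name that no group object class defines (Note 2) never matches."""
    target = _norm_dn(user_dn)
    matched: List[str] = []
    for entry in groups:
        attrs = {k.lower(): v for k, v in entry.items()}  # attribute names: Note 3
        if any(_norm_dn(v) == target for name in names for v in attrs.get(name, [])):
            matched.append(entry["cn"][0])
    return matched


# Constructed sample directory data: one groupOfNames group (member) and one
# groupOfUniqueNames group (uniqueMember), both containing the same user.
USER_DN = "cn=jdoe,ou=people,dc=example,dc=com"
SAMPLE_GROUPS = [
    {"cn": ["tam-admins"], "objectClass": ["groupOfNames"],
     "member": ["cn=jdoe,ou=people,dc=example,dc=com"]},
    {"cn": ["tam-operators"], "objectClass": ["groupOfUniqueNames"],
     "uniqueMember": ["CN=jdoe, OU=people, DC=example, DC=com"]},
]

# Constructed solution.properties fragments for three configurations.
PROPS_DEFAULT = "## ITIM Dispatcher properties\n"  # property not supplied at all
PROPS_BOTH = PROPERTY + "=member,uniqueMember\n"
PROPS_UNIQUE_ONLY = PROPERTY + "=uniqueMember\n"  # member no longer implied


def reconcile(properties_text: str) -> List[str]:
    """Group membership of USER_DN under the given properties file content."""
    names = member_attribute_names(parse_properties(properties_text))
    return groups_for_user(USER_DN, SAMPLE_GROUPS, names)


if __name__ == "__main__":
    for label, text in [("default", PROPS_DEFAULT),
                        ("member,uniqueMember", PROPS_BOTH),
                        ("uniqueMember only", PROPS_UNIQUE_ONLY)]:
        print(f"{label:22s} -> {reconcile(text)}")
```

With the property unset only the groupOfNames group is reported; with "uniqueMember" alone the groupOfNames group silently disappears, which is the misconfiguration Note 4 warns about.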


RMI Dispatcher Configuration Properties
For guidance on setting Tivoli Directory Integrator configuration properties for the operation of the Tivoli Access Manager Combo adapter, refer to the dispatcher50.pdf file, which is contained in the Adapter-Dispatcher-5.0xxx.zip file.


Chapter 7. Configuring SSL authentication for the adapter

When configuring Secure Sockets Layer (SSL) communication for the Tivoli Directory Integrator-based adapters, you are configuring SSL between WebSphere Application Server and Tivoli Directory Integrator. There are steps needed to configure the Tivoli Directory Integrator to use SSL as well as the steps needed to configure WebSphere using the default keystore and default truststore. For additional WebSphere SSL configuration information, see the WebSphere online help available from the WebSphere Application Server Administrative Console.

SSL terminology

SSL server
For this SSL configuration, the Tivoli Directory Integrator side is the SSL server. It listens for connection requests.

SSL client
For these SSL configurations the workstation on which the Tivoli Identity Manager server and the WebSphere Application Server are installed is the SSL client. It issues connection requests to the Tivoli Directory Integrator.

Signed certificates
A signed digital certificate is an industry-standard method of verifying the authenticity of an entity, such as a server, client, or application. Signed certificates are issued by a third-party certificate authority for a fee. Some utilities, such as the iKeyman utility, can also issue signed certificates. A Certificate Authority or CA certificate must be used to verify the origin of a signed digital certificate.

Signer certificates (Certificate Authority certificates)
A Certificate Authority (CA) certificate must be used to verify the origin of a signed digital certificate. When an application receives another application’s signed certificate, it uses a CA certificate to verify the originator of the certificate. Many applications, such as Web browsers, are configured with the CA certificates of well-known certificate authorities to eliminate or reduce the task of distributing CA certificates throughout the security zones in a network.

Self-signed certificates
A self-signed certificate contains information about the owner of the certificate and the owner’s signature. Basically, it is a signed certificate and CA certificate in one. If you choose to use self-signed certificates, you must extract the CA certificate from it in order to configure SSL.

SSL keystore
The SSL keystore is a key database file designated as a keystore. It contains the SSL certificate.

Note: The keystore and truststore can be the same physical file.

SSL truststore
The SSL truststore is a key database file designated as a truststore. The SSL truststore contains the list of signer certificates (CA certificates) that define which certificates the SSL protocol trusts. Only a certificate issued by one of these listed trusted signers is accepted.


Note: The truststore and keystore can be the same physical file.

One-way SSL authentication
For one-way SSL, a keystore and certificate are only required on the SSL server side (Tivoli Directory Integrator server) and a truststore is only required on the SSL client side (the Tivoli Identity Manager server).

Two-way SSL authentication (client-side authentication)
For SSL using two-way SSL (client-side) authentication, both a keystore with a certificate, and a truststore containing the signer certificate that issued the other side’s certificate, are required on both the SSL server and SSL client sides.

SSL configurations
The following steps describe how to configure WebSphere Application Server and Tivoli Directory Integrator for one-way or two-way SSL communication. If you need more information about any of the steps, go to the referenced task for the detailed steps.

Configuring for one-way SSL authentication

To configure one-way SSL perform the following tasks:
1. Create a keystore for the Tivoli Directory Integrator server. See “Creating a keystore for the Tivoli Directory Integrator server” on page 38.
2. Create a truststore for the Tivoli Directory Integrator server. See “Creating a truststore for the Tivoli Directory Integrator server” on page 38.
3. Create a certificate for the Tivoli Directory Integrator server. See “Creating a server-signed certificate for the Tivoli Directory Integrator server” on page 39.
4. Create a CA certificate for the Tivoli Directory Integrator server. See “Creating a CA certificate for Tivoli Directory Integrator” on page 39.
5. Import the Tivoli Directory Integrator CA certificate into the WebSphere Application Server truststore. See “Importing the Tivoli Identity Manager CA certificate into the WebSphere Application Server truststore” on page 42.
6. Configure Tivoli Directory Integrator to use the keystores. See “Configure Tivoli Directory Integrator to use the keystores” on page 40.

Note: The editing of the solution.properties file for steps 6, 7, and 8 can be done in one operation. Doing so eliminates the need for a stop and restart of the adapter service at the end of steps 6 and 7.

Figure 2. One-way SSL authentication (server authentication): the Tivoli Identity Manager side (SSL client) has a truststore holding CA certificate “A”; the Tivoli Directory Integrator side (SSL server) has a keystore holding certificate “A”.

7. Configure Tivoli Directory Integrator to use the truststores. See “Configure Tivoli Directory Integrator to use the truststores” on page 40.
8. Enable the adapter service to use SSL. See “Enabling the adapter service to use SSL” on page 41.
9. Stop and restart the adapter service.
10. Stop and restart WebSphere Application Server.

Note: The truststore is not needed on the Tivoli Directory Integrator server for one-way SSL, but the configuration of a truststore is needed for the RMI SSL initialization to succeed.

Configuring for two-way SSL authentication

To configure two-way SSL perform the following tasks:
1. Create a keystore for the Tivoli Directory Integrator server. See “Creating a keystore for the Tivoli Directory Integrator server” on page 38.
2. Create a truststore for the Tivoli Directory Integrator server. See “Creating a truststore for the Tivoli Directory Integrator server” on page 38.
3. Create a certificate for the Tivoli Directory Integrator server. See “Creating a server-signed certificate for the Tivoli Directory Integrator server” on page 39.
4. Create a CA certificate for the Tivoli Directory Integrator server. See “Creating a CA certificate for Tivoli Directory Integrator” on page 39.
5. Import the Tivoli Directory Integrator CA certificate into the WebSphere Application Server truststore. See “Importing the Tivoli Identity Manager CA certificate into the WebSphere Application Server truststore” on page 42.
6. Configure Tivoli Directory Integrator to use the keystores. See “Configure Tivoli Directory Integrator to use the keystores” on page 40.

Note: The editing of the solution.properties file for steps 6, 7, and 8 can be done in one operation. Doing so eliminates the need for a stop and restart of the adapter service at the end of steps 6 and 7.

Figure 3. Two-way SSL authentication (client authentication): the Tivoli Identity Manager side (SSL client) has a truststore holding CA certificate “A” and a keystore holding certificate “B”; the Tivoli Directory Integrator side (SSL server) has a truststore holding CA certificate “B” and a keystore holding certificate “A”.

7. Configure Tivoli Directory Integrator to use the truststores. See “Configure Tivoli Directory Integrator to use the truststores” on page 40.
8. Enable the adapter service to use SSL. See “Enabling the adapter service to use SSL” on page 41.
9. Create a certificate for the Tivoli Identity Manager server. See “Creating a signed certificate for the Tivoli Identity Manager server” on page 41.
10. Create a CA certificate for Tivoli Identity Manager. See “Creating a WebSphere Application Server CA certificate for Tivoli Identity Manager” on page 42.
11. Import the WAS CA certificate into the Tivoli Directory Integrator truststore. See “Importing the WebSphere CA certificate into the Tivoli Directory Integrator truststore” on page 40.
12. Stop and restart the adapter service.
13. Stop and restart WebSphere Application Server.
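The following is an added example, not part of this guide or of the products it describes: a checker for the keystore and truststore layout that the terminology section and the one-way and two-way procedures above require, so that a CA certificate imported into the wrong side is reported before the RMI SSL handshake is attempted. Certificates are modelled as subject/issuer records; the label tdiserver comes from the task on page 39, while timclient and the "misplaced CA" scenario are constructed for the example.

```python
"""Added example, not IBM code: validates which side holds which certificate for
one-way (Figure 2) and two-way (Figure 3) SSL between WebSphere/TIM and TDI."""

from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


@dataclass
class Side:
    name: str
    keystore: List[Cert] = field(default_factory=list)  # this side's own certificate(s)
    truststore: Optional[List[Cert]] = None  # None: no truststore configured at all


def extract_ca_certificate(cert: Cert) -> Cert:
    """The signer certificate the peer must import. A self-signed certificate is
    'a signed certificate and CA certificate in one', so it is its own CA certificate;
    for a CA-issued certificate the (root) CA certificate is modelled as self-signed."""
    return cert if cert.self_signed else Cert(cert.issuer, cert.issuer)


def _trusts(truststore: Optional[List[Cert]], cert: Cert) -> bool:
    """True when the truststore lists a signer whose subject issued cert."""
    return bool(truststore) and any(t.subject == cert.issuer for t in truststore)


def ssl_problems(mode: str, client: Side, server: Side) -> List[str]:
    """Configuration problems for 'one-way' or 'two-way' SSL; an empty list means OK."""
    if mode not in ("one-way", "two-way"):
        raise ValueError(f"unknown mode {mode!r}")
    problems: List[str] = []
    # Server authentication is required in both modes (Figure 2).
    if not server.keystore:
        problems.append(f"{server.name}: keystore holds no certificate")
    elif not any(_trusts(client.truststore, c) for c in server.keystore):
        problems.append(f"{client.name}: truststore lacks the CA certificate for {server.name}")
    # Note above: even for one-way SSL the TDI side must have a truststore configured
    # (it may be empty) or RMI SSL initialization fails.
    if server.truststore is None:
        problems.append(f"{server.name}: no truststore configured (needed for RMI SSL init)")
    if mode == "two-way":  # client authentication is added (Figure 3)
        if not client.keystore:
            problems.append(f"{client.name}: keystore holds no certificate")
        elif not any(_trusts(server.truststore, c) for c in client.keystore):
            problems.append(f"{server.name}: truststore lacks the CA certificate for {client.name}")
    return problems


# Constructed scenarios using the self-signed certificates the tasks create.
TDI_CERT = Cert("tdiserver", "tdiserver")  # key label tdiserver in tdikeys.jks
TIM_CERT = Cert("timclient", "timclient")  # constructed name for the WebSphere side


def figure2_one_way() -> List[str]:
    tdi = Side("Tivoli Directory Integrator", keystore=[TDI_CERT], truststore=[])
    tim = Side("Tivoli Identity Manager", truststore=[extract_ca_certificate(TDI_CERT)])
    return ssl_problems("one-way", tim, tdi)


def figure3_two_way() -> List[str]:
    tdi = Side("Tivoli Directory Integrator", keystore=[TDI_CERT],
               truststore=[extract_ca_certificate(TIM_CERT)])
    tim = Side("Tivoli Identity Manager", keystore=[TIM_CERT],
               truststore=[extract_ca_certificate(TDI_CERT)])
    return ssl_problems("two-way", tim, tdi)


def misplaced_ca() -> List[str]:
    """The extracted TDI CA certificate imported into TDI's own truststore
    instead of the WebSphere truststore (a constructed misconfiguration)."""
    tdi = Side("Tivoli Directory Integrator", keystore=[TDI_CERT],
               truststore=[extract_ca_certificate(TDI_CERT)])
    tim = Side("Tivoli Identity Manager", truststore=[])
    return ssl_problems("one-way", tim, tdi)


if __name__ == "__main__":
    print("Figure 2:", figure2_one_way() or "OK")
    print("Figure 3:", figure3_two_way() or "OK")
    print("Misplaced CA:", misplaced_ca())
```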

Task performed on the SSL server (Tivoli Directory Integrator server workstation)

The Tivoli Directory Integrator acts as the SSL server. All of these tasks are performed on the Tivoli Directory Integrator server.

Note: The file names and locations such as tdikeys.jks and ITDI_HOME\keys used in these tasks are examples and used for consistency. Your actual file names and locations might be different.

Creating a keystore for the Tivoli Directory Integrator server
A keystore is a database of private keys and the associated certificates needed to authenticate the corresponding public keys. Digital certificates are stored in a keystore file. A keystore also manages certificates from trusted entities.

Note: The keystore can be the same physical file as the truststore.
1. Navigate to the ITDI_HOME\jvm\jre\bin directory.
2. Launch the ikeyman.exe file (Windows operating systems) or ikeyman (UNIX or Linux operating systems).
3. Select Key Database File > New.
4. Select key database type of JKS.
5. Type the keystore file name: tdikeys.jks.
6. Type the location: ITDI_HOME\keys.
   Note: This directory must already exist, otherwise the step fails.
7. Click OK.
8. Type a keystore password, for example, secret.
9. Click OK to continue.

Creating a truststore for the Tivoli Directory Integrator server
A truststore is a database of public keys for target servers. The SSL truststore contains the list of signer certificates (CA certificates) that define which certificates the SSL protocol trusts. Only a certificate issued by one of these listed trusted signers can be accepted.

Note: The truststore can be the same physical file as the keystore. You can skip this task if you choose to use the same file for keystore and truststore.


1. Navigate to the ITDI_HOME\jvm\jre\bin directory.
2. Launch the ikeyman.exe file (Windows operating systems) or ikeyman (UNIX or Linux operating systems).
3. Select Key Database File > New.
4. Select key database type of JKS.
5. Type the keystore file name: tditrust.jks.
6. Type the location: ITDI_HOME\keys.
   Note: This directory must already exist, otherwise the step fails.
7. Click OK.
8. Type a keystore password, for example, secret.
9. Click OK to continue.

Creating a server-signed certificate for the Tivoli Directory Integrator server

A self-signed certificate contains information about the owner of the certificate and the owner’s signature. This type of certificate is generally used in a testing environment. It is a signed certificate and CA certificate in one. If you choose to use self-signed certificates, you must extract the CA certificate from it in order to configure SSL.

Alternatively, you can purchase a certificate from a well-known authority such as VeriSign, which is generally done in production environments. As another alternative, you can use a certificate server, such as the one included with Microsoft Windows 2003 Advanced Server, to generate your own certificates.

To create the self-signed certificate:1. Navigate to the ITDI_HOME\jvm\jre\bin directory.2. Launch the ikeyman.exe file (Windows operating systems) or ikeyman (UNIX

or Linux operating systems.)3. Select Key Database File > Open.4. Browse to the keystore file created previously: ITDI_HOME\keys\tdikeys.jks5. Enter the keystore password: secret.6. Select Create > New Self Signed certificate.7. Set the Key Label to tdiserver.8. Use your system name (DNS name) as the Common Name (workstation

name).9. Enter your Organization, for example IBM.

10. Click OK.

Creating a CA certificate for Tivoli Directory Integrator

A Certificate Authority or CA certificate must be used to verify the origin of a signed digital certificate. When an application receives another application’s signed certificate, it uses a CA certificate to verify the originator of the certificate. Many applications, such as Web browsers, are configured with the CA certificates of well-known certificate authorities to eliminate or reduce the task of distributing CA certificates throughout the security zones in a network.
1. Extract the Server certificate for client use by selecting Extract Certificate.
2. Select Binary DER data as the data type.
3. Enter the certificate file name: idiserver.der.
4. Enter the location as ITDI_HOME\keys.
5. Click OK.
6. Copy the idiserver.der certificate file to the workstation on which Tivoli Identity Manager is installed.

Importing the WebSphere CA certificate into the Tivoli Directory Integrator truststore

1. Copy the SSL Client CA certificate file created in “Creating a WebSphere Application Server CA certificate for Tivoli Identity Manager” on page 42, timclient.der, to the ITDI_HOME\keys directory on the workstation on which Tivoli Directory Integrator is installed.
2. Navigate to the ITDI_HOME\jvm\jre\bin directory.
3. Launch the ikeyman.exe file (Windows operating systems) or ikeyman (UNIX or Linux operating systems).
4. Select Key Database File > Open.
5. Select key database type of JKS.
6. Type the keystore file name: tditrust.jks.
7. Type the location: ITDI_HOME\keys.
8. Click OK.
9. Click Signer Certificates in the dropdown menu.
10. Click Add.
11. Select Binary DER data as the data type.
12. Use Browse to select the timclient.der file stored in ITDI_HOME\keys.
13. Use timclient as the label.
14. Click OK to continue.

Configure Tivoli Directory Integrator to use the keystores

1. Navigate to the Tivoli Directory Integrator adapters solution directory (ITDI_HOME\timsol).
2. Open the Tivoli Directory Integrator solution.properties file in an editor.
3. Edit the following lines under client authentication, uncomment them if necessary, and set the location, password and type of keystore to match the keystore you created in “Creating a keystore for the Tivoli Directory Integrator server” on page 38:

   javax.net.ssl.keyStore=ITDI_HOME\keys\tdikeys.jks
   {protect}-javax.net.ssl.keyStorePassword=secret
   javax.net.ssl.keyStoreType=JKS

4. Save your changes.
5. Stop and restart the adapter service.

Configure Tivoli Directory Integrator to use the truststores

1. Navigate to the Tivoli Directory Integrator adapters solution directory (ITDI_HOME\timsol).
2. Open the Tivoli Directory Integrator solution.properties file in an editor.
3. Edit the following lines under client authentication, uncomment them if necessary, and set the location, password and type of truststore to match the truststore you created in “Creating a truststore for the Tivoli Directory Integrator server” on page 38:

   javax.net.ssl.trustStore=ITDI_HOME\keys\tditrust.jks
   {protect}-javax.net.ssl.trustStorePassword=secret
   javax.net.ssl.trustStoreType=JKS

4. Save your changes.
5. Stop and restart the adapter service.

Enabling the adapter service to use SSL

1. Navigate to the Tivoli Directory Integrator adapters solution directory (ITDI_HOME\timsol).
2. Open the Tivoli Directory Integrator solution.properties file in an editor.
3. Edit the following two lines depending on the type of secure communications you want to use.

   For no SSL:
   com.ibm.di.dispatcher.ssl=false
   com.ibm.di.dispatcher.ssl.clientAuth=false

   For one-way SSL:
   com.ibm.di.dispatcher.ssl=true
   com.ibm.di.dispatcher.ssl.clientAuth=false

   For two-way SSL:
   com.ibm.di.dispatcher.ssl=true
   com.ibm.di.dispatcher.ssl.clientAuth=true

4. Save your changes.
5. Stop and restart the adapter service.
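The following Python script is an added example and is not part of the adapter or of this guide. It reads a solution.properties file, derives the SSL mode (none, one-way, two-way) from the two com.ibm.di.dispatcher.ssl keys above, and reports the inconsistencies that most often stop the adapter service after this step: SSL enabled with no javax.net.ssl.keyStore, client authentication enabled with no javax.net.ssl.trustStore, and a keystore or truststore password written without the {protect}- prefix. The two property texts inside the script are constructed for the example.

```python
"""Consistency check for the SSL entries of a Tivoli Directory Integrator
solution.properties file.  Added example, not product code.

Keys checked are the ones the guide names: com.ibm.di.dispatcher.ssl,
com.ibm.di.dispatcher.ssl.clientAuth and the javax.net.ssl.* keystore and
truststore entries.  The "{protect}-" prefix marks a value the dispatcher
encrypts when the file is saved; a password line without it stays in clear text.
"""
import re
import sys

_LINE_RE = re.compile(r"^(?:\{protect\}-)?([A-Za-z0-9_.]+)\s*=\s*(.*)$")


def parse_properties(text):
    """Parse properties text into {key: (value, protected)}.

    Comment (#) and blank lines are skipped.  A key listed twice keeps its last
    value, which is also how java.util.Properties loads a file.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            continue
        props[m.group(1)] = (m.group(2).strip(), line.startswith("{protect}-"))
    return props


def _flag(props, key):
    return props.get(key, ("false", False))[0].strip().lower() == "true"


def ssl_mode(props):
    """Return 'none', 'one-way' or 'two-way' from the two dispatcher keys."""
    if not _flag(props, "com.ibm.di.dispatcher.ssl"):
        return "none"
    return "two-way" if _flag(props, "com.ibm.di.dispatcher.ssl.clientAuth") else "one-way"


def check_ssl_config(text):
    """Return a list of findings; an empty list means the entries are consistent."""
    props = parse_properties(text)
    mode = ssl_mode(props)
    findings = []
    if mode == "none":
        return findings  # keystore settings are irrelevant without SSL
    if "javax.net.ssl.keyStore" not in props:
        findings.append("SSL enabled but javax.net.ssl.keyStore is not set")
    if mode == "two-way" and "javax.net.ssl.trustStore" not in props:
        findings.append("client authentication enabled but javax.net.ssl.trustStore is not set")
    for key in ("javax.net.ssl.keyStorePassword", "javax.net.ssl.trustStorePassword"):
        if key in props and not props[key][1]:
            findings.append(f"{key} is in clear text; prefix the line with {{protect}}-")
    return findings


# Constructed sample: two-way SSL requested, truststore missing, password unprotected.
SAMPLE_PROPERTIES = """\
## constructed sample, not a real installation
com.ibm.di.dispatcher.ssl=true
com.ibm.di.dispatcher.ssl.clientAuth=true
javax.net.ssl.keyStore=ITDI_HOME/keys/tdikeys.jks
javax.net.ssl.keyStorePassword=secret
javax.net.ssl.keyStoreType=JKS
"""

# Constructed sample: one-way SSL with every entry present and both passwords protected.
GOOD_PROPERTIES = """\
com.ibm.di.dispatcher.ssl=true
com.ibm.di.dispatcher.ssl.clientAuth=false
javax.net.ssl.keyStore=ITDI_HOME/keys/tdikeys.jks
{protect}-javax.net.ssl.keyStorePassword=secret
javax.net.ssl.keyStoreType=JKS
javax.net.ssl.trustStore=ITDI_HOME/keys/tditrust.jks
{protect}-javax.net.ssl.trustStorePassword=secret
javax.net.ssl.trustStoreType=JKS
"""

if __name__ == "__main__":
    # Usage: python check_ssl.py ITDI_HOME/timsol/solution.properties
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PROPERTIES
    print("SSL mode:", ssl_mode(parse_properties(text)))
    for finding in check_ssl_config(text) or ["no findings"]:
        print(" -", finding)
```

Run it against ITDI_HOME\timsol\solution.properties before restarting the adapter service. One caveat the checker does not cover: when a properties file is read with java.util.Properties semantics, a single backslash is an escape character, so a Windows path such as ITDI_HOME\keys\tdikeys.jks is safer written with forward slashes or doubled backslashes.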

Tasks performed on the SSL client (Tivoli Identity Manager and WebSphere Application Server workstation)

All the tasks are performed on the server workstation on which Tivoli Identity Manager and WebSphere Application Server are installed.

Note: The file names and locations such as timclient.der and c:\keys used in these tasks are examples and used for consistency. Your actual file names and locations might be different.

Creating a signed certificate for the Tivoli Identity Manager server

As previously mentioned in the server-side tasks, you can alternatively use a well-known authority or your own certificate server to generate a certificate. For these cases, use the Personal certificate requests option under the NodeDefaultKeyStore step to produce a certificate request to send to the well-known authority or to your certificate server. You use the accept option under Personal certificates to load the data sent by the certificate authority in response to the request.
1. Connect to the WebSphere Application Server Administrative Console.
2. Navigate to Security > SSL certificate and key management > Keystores and certificates.
3. Select NodeDefaultKeyStore.
4. Select Personal certificates.
5. Select Create a self-signed certificate.
6. Enter appropriate values for the certificate fields:
   • Set the Alias to timclient.
   • Use your system name (DNS name) as the Common Name (workstation name).
   • Enter your Organization, for example IBM.
7. Click OK and save.
8. Extract the CA certificate from the self-signed certificate.

Creating a WebSphere Application Server CA certificate for Tivoli Identity Manager

1. Check the checkbox for the created certificate, and select Extract.
2. Enter a file name: c:\keys\timclient.der.
3. Select Binary DER data as the data type.
4. Click OK.

Importing the Tivoli Identity Manager CA certificate into the WebSphere Application Server truststore

1. Copy the SSL server CA certificate file created in “Creating a CA certificate for Tivoli Directory Integrator” on page 39, idiserver.der, to the c:\keys directory on the workstation on which Tivoli Identity Manager is installed.
2. Connect to the WebSphere Application Server Administrative Console.
3. Navigate to Security > SSL certificate and key management > Keystores and certificates.
4. Select NodeDefaultTrustStore.
5. Select Signer certificates.
6. Click Add.
   • Set the Alias to idiserver.
   • Specify the file name of the exported Tivoli Directory Integrator server certificate: c:\keys\idiserver.der.
   • Select Binary DER data as the data type.
7. Click OK to continue and save.


Chapter 8. Verifying the Tivoli Access Manager Combo Adapter profile installation

If the Tivoli Access Manager Combo Adapter profile is not already installed on your system, you must import the adapter profile. See Chapter 4, “Importing the adapter profile into the Tivoli Identity Manager Server,” on page 17 for information about importing the adapter profile.

After you install the adapter profile, verify that the adapter profile was successfully installed. If the adapter profile is not installed correctly, the adapter might not function as intended.

To verify that the adapter profile was successfully installed, complete the following steps.
• In the IBM Tivoli Identity Manager web console (http://ITIMhostname:9080/itim/console/main), click Configure system > Manage Service Types from the left navigation panel. Verify that “TAM Combo Profile” is listed as a service type in the table.
• Create a service using the Tivoli Access Manager Combo Adapter profile. Refer to Chapter 5, “Creating a Tivoli Access Manager Combo service,” on page 19.
• Open an account on the service.

If you are unable to create a service using the Tivoli Access Manager Combo Adapter profile or open an account on the service, the adapter profile is not installed correctly. You might need to import the adapter profile again.


Chapter 9. Troubleshooting the Tivoli Access Manager Combo Adapter installation

Troubleshooting is the process of determining why a product does not function as it is designed to function. This chapter provides information and techniques for identifying and resolving problems related to the Tivoli Access Manager Combo Adapter. It also provides information about troubleshooting errors that might occur during installation.

Logging information format

Logs added to the log file for the adapter or the RMI Dispatcher have the following format:

   <Log Level> [<Assembly Line_ProfileName>_<Request Id>]_[<Connector Name>] - <message>

Log Level
   Specifies the logging level that you configured for the adapter. The options are DEBUG, ERROR, INFO, and WARN. For information about using the log4j.properties file to configure logging, refer to the dispatcher50.pdf file, which is contained in the Adapter-Dispatcher-5.0xxx.zip file.

Assembly Line
   Specifies the name of the assembly line that is logging the information.

ProfileName
   Specifies the name of the profile. Profile names may vary based on the adapter that is running or the operating system.

Request ID
   Specifies the number of the request. The Request ID is used to uniquely identify a specific request.

Connector Name
   Specifies the adapter connector.

message
   Specifies the informational message.

The following is an example of a message that may be displayed in a log file:

   INFO [AssemblyLine.AssemblyLines/TAM ComboAdd_itamprofile_518536692232324188_91ea4bb8-2801-11b2-91ba-00000a2c0670.1297881434 - Load Attribute Map
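The following Python parser is an added example, not part of the adapter or the dispatcher. It splits a log line into the fields named above and tallies lines per level, collecting the request ids that produced an ERROR, which is usually the first thing wanted when a request fails. It accepts both the documented form with the _[<Connector Name>] part and the guide’s own sample line, which omits that part and the closing bracket. Splitting the bracketed scope on its first two underscores into assembly line, profile name and request id is an assumption that holds for the sample line; every line other than the guide’s own is constructed, and the connector names and request ids in them are invented.

```python
"""Parser for the adapter / RMI Dispatcher log format:

    <Log Level> [<Assembly Line_ProfileName>_<Request Id>]_[<Connector Name>] - <message>

Added example, not product code.
"""
import re
from collections import Counter

LEVELS = ("DEBUG", "ERROR", "INFO", "WARN")

# The "_[<Connector Name>]" part and the closing bracket of the scope are
# optional because the guide's own sample line has neither.
_LOG_RE = re.compile(
    r"^(?P<level>DEBUG|ERROR|INFO|WARN) "
    r"\[(?P<scope>[^\]]+)\]?"
    r"(?:_\[(?P<connector>[^\]]+)\])?"
    r" - (?P<message>.*)$"
)


def parse_log_line(line):
    """Return a dict of the line's fields, or None if the line is not in the format."""
    m = _LOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    # Assumption: the assembly line and profile names contain no underscore, so the
    # scope "<Assembly Line>_<ProfileName>_<Request Id>" splits on the first two.
    parts = m.group("scope").split("_", 2)
    if len(parts) != 3:
        return None
    assembly_line, profile, request_id = parts
    return {
        "level": m.group("level"),
        "assembly_line": assembly_line,
        "profile": profile,
        "request_id": request_id,
        "connector": m.group("connector"),   # None when the line omits it
        "message": m.group("message"),
    }


def summarize(lines):
    """Return (Counter of lines per level, set of request ids that logged an ERROR).

    Lines that do not match the format are counted under 'UNPARSED' so that a
    change of log format is visible instead of silently dropped.
    """
    by_level = Counter()
    failed_requests = set()
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            by_level["UNPARSED"] += 1
            continue
        by_level[rec["level"]] += 1
        if rec["level"] == "ERROR":
            failed_requests.add(rec["request_id"])
    return by_level, failed_requests


# First entry is the guide's own sample line; the others are constructed.
SAMPLE_LOG = [
    "INFO [AssemblyLine.AssemblyLines/TAM ComboAdd_itamprofile_518536692232324188_91ea4bb8-2801-11b2-91ba-00000a2c0670.1297881434 - Load Attribute Map",
    "DEBUG [AssemblyLine.AssemblyLines/TAM ComboAdd_itamprofile_1001]_[TamAddConnector] - Adding account: jdoe",
    "ERROR [AssemblyLine.AssemblyLines/TAM ComboAdd_itamprofile_1001]_[TamAddConnector] - Script interpreter error, line=12, col=4",
    "WARN [AssemblyLine.AssemblyLines/TAM ComboSearch_itamprofile_1002]_[TamSearchConnector] - Search size limit reached",
    "this line is not in the adapter log format",
]

if __name__ == "__main__":
    by_level, failed = summarize(SAMPLE_LOG)
    print(dict(by_level))
    print("requests with errors:", sorted(failed))
```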

When the Test button on the TAM Combo service form is clicked, service, environment and configuration values are sent to the Tivoli Directory Integrator log during the test. The information collected during the test may assist in diagnosing issues.


Reconciliation of Supporting Data

Although the reconciliation of group names only is not currently supported using a search filter such as:

   (eritamgroup=pattern)

all supporting data can be reconciled through the use of the search filter in the reconciliation query. To reconcile supporting data only, the following search filter could be used:

   (!(objectclass=eritamaccount))

Such a filter should reconcile all non-account information.
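The following Python evaluator is an added example, not part of the adapter. It parses a search filter of the kind shown above (equality matches with the * wildcard, and the !, & and | operators) and applies it to a few constructed entries carrying the eritamaccount and eritamgroup object classes, so that the set of entries a reconciliation filter denotes can be seen before the filter goes into the reconciliation query. The entries, their distinguished names and attribute values are constructed; the evaluator shows only what a filter selects, and says nothing about which filters the adapter supports, which is as stated above.

```python
"""Minimal evaluator for LDAP-style search filters used in a reconciliation query.
Added example, not product code.

Supported: (attr=value) with '*' as the only wildcard, and the !, & and |
operators.  ENTRIES is constructed data shaped like the account and
supporting-data objects the guide names; attribute names in entries are
lower-case and filter attribute names are lower-cased before lookup, so
matching is case-insensitive as on an LDAP server.
"""
import re


def parse_filter(text):
    """Parse a filter into a tree: ('=', attr, pattern) or (op, [children])."""
    pos = [0]

    def node():
        if pos[0] >= len(text) or text[pos[0]] != "(":
            raise ValueError("expected '(' at offset %d" % pos[0])
        pos[0] += 1
        op = text[pos[0]]
        if op in "&|!":
            pos[0] += 1
            children = []
            while pos[0] < len(text) and text[pos[0]] == "(":
                children.append(node())
            if pos[0] >= len(text) or text[pos[0]] != ")":
                raise ValueError("unbalanced parentheses")
            pos[0] += 1
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one operand")
            return (op, children)
        end = text.find(")", pos[0])
        if end < 0 or "=" not in text[pos[0]:end]:
            raise ValueError("malformed item at offset %d" % pos[0])
        attr, _, pattern = text[pos[0]:end].partition("=")
        pos[0] = end + 1
        return ("=", attr.strip().lower(), pattern)

    tree = node()
    if pos[0] != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def value_matches(pattern, value):
    """Equality or substring match; '*' is the only wildcard, case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.lower().split("*"))
    return re.fullmatch(regex, value.lower()) is not None


def matches(tree, entry):
    """Evaluate a parsed filter against an entry of the form {attr: [values]}."""
    op = tree[0]
    if op == "=":
        return any(value_matches(tree[2], v) for v in entry.get(tree[1], []))
    if op == "!":
        return not matches(tree[1][0], entry)
    if op == "&":
        return all(matches(child, entry) for child in tree[1])
    return any(matches(child, entry) for child in tree[1])   # '|'


def select(filter_text, entries):
    """Return the dn of every entry the filter selects, in input order."""
    tree = parse_filter(filter_text)
    return [e["dn"][0] for e in entries if matches(tree, e)]


# Constructed entries: two accounts and two groups (supporting data).
ENTRIES = [
    {"dn": ["cn=jdoe,o=example"], "objectclass": ["eritamaccount"], "eruid": ["jdoe"]},
    {"dn": ["cn=asmith,o=example"], "objectclass": ["eritamaccount"], "eruid": ["asmith"]},
    {"dn": ["cn=customers,o=example"], "objectclass": ["eritamgroup"], "eritamgroup": ["customers"]},
    {"dn": ["cn=employees,o=example"], "objectclass": ["eritamgroup"], "eritamgroup": ["employees"]},
]

if __name__ == "__main__":
    for f in ("(!(objectclass=eritamaccount))", "(objectclass=eritamaccount)", "(eritamgroup=cust*)"):
        print(f, "->", select(f, ENTRIES))
```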

Runtime Problems

Runtime problems and recommended actions are described in the following table:

Table 12. Runtime Problems

Problem: When running Test Connection in TAM Combo, the Change a Service form displays errors such as the following:
   • CTGIMU107W
     The connection to the specified service cannot be established. Verify the service information, and try again.
   • CTGIMT605E
     An error occurred while processing the CTGIMT401E An error occurred while starting the tamTest_TAM ComboTAM 6.1_test-no-requestid_xxx agent. Error: Script interpreter error, line=xx, col=xx ReferenceError : ’MgmtDomain’ not found operation on the IBM Tivoli Directory Integrator server. Error: {1}
Recommended action: Check that the correct version of TamComboUtils.jar (supplied in the adapter install package) is installed on the dispatcher server.

Problem: Reconciliation doesn’t return all Tivoli Access Manager accounts. It returns 500 or 2048 accounts only.
Recommended action: The default settings for LDAP and Tivoli Access Manager have constraints on the search size limit. The best practice is as follows:
   1. Modify the IBM Directory Server configuration file, slapd32.conf for LDAP 5.2 or ibmslapd.conf for LDAP 6.0. This file is located in the etc directory of the IBM Directory Server. Set the ibm-slapdSizeLimit variable to 0 (no limit).
   2. Modify the Tivoli Access Manager LDAP ldap.conf configuration file located in the etc directory of the Tivoli Access Manager Policy Server. Set the max-search-size variable to greater than 2048 (the default setting). Setting the max-search-size to 0 would mean the search size is unlimited.
   3. Modify the Tivoli Access Manager configuration file, pd.conf, located in the etc directory of the Tivoli Access Manager Policy Server. Set the ssl-v3-timeout variable to 84600 (the maximum setting) and set the ssl-io-inactivity variable to 0 (no limit).

Problem: Reconciliation doesn’t return all Tivoli Access Manager accounts. Reconciliation is successful but some accounts are missing.
Recommended action: For the adapter to reconcile a large number of accounts successfully, you may need to increase WebSphere’s JVM memory. The following steps must be completed on the WebSphere host machine:
   Note: The JVM memory should not be increased to a value higher than the system memory.
   1. Login to the WebSphere Administrative Console.
   2. Expand Servers in the left menu and select Application Servers.
   3. A table displays the names of known application servers on your system. Click the link for your primary application server.
   4. Select Process Definition from within the Configuration tab.
   5. Select the Java Virtual Machine property.
   6. Enter a new value for the Maximum Heap Size. The default value is 256 MB.
   If the allocated JVM memory is not large enough, an attempt to reconcile a large number of accounts using the Tivoli Access Manager Adapter will result in log file errors, and the reconciliation process will not complete successfully. The Adapter log files will contain entries stating ErmPduAddEntry failed. The WebSphere_install_dir/logs/itim.log file will contain java.lang.OutOfMemoryError exceptions.

Problem: Reconciliation of very large numbers of Tivoli Access Manager accounts times out.
Recommended action: During reconciliation of very large numbers of Tivoli Access Manager accounts (in the hundreds of thousands or millions), initialization of the reconciliation may take some time. This is of course hardware and performance-tuning dependent. Problems may occur as a result of timeout issues if you have IBM Directory Server (and DB2) configured against your Tivoli Access Manager Policy Server. Please refer to the IBM Directory Server user guides on configuring the ibm-slapdIdleTimeOut value in the ibmslapd.conf file. As an indicator, this value is known to have been increased to greater than 10,000 for reconciliation of approximately five million accounts.

Performance Tuning

Selection of groups to determine membership

Reconciliation performance may be enhanced at the expense of not being able to determine full group membership. It is possible - although not recommended - to search only a subset of Tivoli Access Manager groups for account membership. This may result in only a subset of groups, for which an account is a member, being reported for that account.

For example, if Account ‘A’ was a member of Tivoli Access Manager group ‘Y’ and ‘Z’, then to increase reconciliation performance, it is possible to search only Tivoli Access Manager group ‘Y’ to determine if account ‘A’ is a member. However, this would result in the account only reporting in Tivoli Identity Manager that it is a member of Tivoli Access Manager group ‘Y’. It would not report that it was actually also a member of Tivoli Access Manager group ‘Z’.

To implement the search of specific Tivoli Access Manager groups for membership to determine if each Tivoli Access Manager account is a member during LDAP-based reconciliation, you should provide a comma-separated list of Tivoli Access Manager groups to be searched as per the com.ibm.itim.adapter.tamcombo.searchMembershipGroups property in the appropriate Tivoli Directory Integrator solution.properties or global.properties file. The addition of this property to the properties file may be as follows:

   ## -------------------------
   ## ITIM TAM Combo properties
   ## -------------------------
   com.ibm.itim.adapter.tamcombo.searchMembershipGroups=TAM_Group1, TAM_Group2

where TAM_Group1, TAM_Group2 denotes a comma-separated list of known (non-dynamic) Tivoli Access Manager groups. For example, you might provide the following:

   com.ibm.itim.adapter.tamcombo.searchMembershipGroups=customers,employees

Notes:

1. The correct properties file to use should also contain the Tivoli Identity Manager Dispatcher properties under the heading, Tivoli Identity Manager Dispatcher properties.
2. If a list of Tivoli Access Manager groups is defined to be searched for membership, performance drops as the number of groups is increased. If all Tivoli Access Manager groups are provided, there is no performance benefit over having defined no groups to be searched.
3. If a group name is supplied that does not exist, it is ignored.
4. The group names supplied are considered case-insensitive.
5. If either the property is not supplied, or no groups are provided to be searched, then all groups will be searched.
6. Setting this configuration item will not impact the reconciliation of Tivoli Access Manager groups, and all Tivoli Access Manager group names will be returned by way of supporting data. As a result, errors may occur if an attempt is made to add a Tivoli Access Manager account to a Tivoli Access Manager group of which it is already a member, but simply not reported as such by Tivoli Identity Manager because this configuration has been set.

Extreme care should be exercised when implementing this feature in production. It should be considered an advanced configuration item and should not be required in most cases.
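The following Python model is an added example, not part of the adapter. It applies the rules in the notes above (comma-separated list, case-insensitive names, unknown names ignored, missing or empty value means all groups) to a constructed set of Tivoli Access Manager groups and memberships and reports, per account, the memberships Tivoli Identity Manager would see and the ones the setting hides, which is the source of the "already a member" errors in note 6. The group and account names are constructed.

```python
"""Model of the com.ibm.itim.adapter.tamcombo.searchMembershipGroups setting.
Added example, not product code.

TAM_GROUPS is constructed data: group name -> set of member account names.
Group names are unique case-insensitively, as in Tivoli Access Manager.
"""

PROPERTY = "com.ibm.itim.adapter.tamcombo.searchMembershipGroups"

TAM_GROUPS = {
    "customers": {"alice", "bob"},
    "employees": {"alice", "carol"},
    "auditors": {"carol"},
}


def groups_to_search(property_value, all_groups):
    """Resolve the property value to the set of groups that will be searched.

    property_value is the text after '=' in the properties file, or None when
    the property is absent.  The rules are notes 3, 4 and 5 above.
    """
    wanted = set()
    if property_value:
        wanted = {g.strip().lower() for g in property_value.split(",") if g.strip()}
    if not wanted:                                   # note 5: absent or empty -> all
        return set(all_groups)
    by_lower = {g.lower(): g for g in all_groups}   # note 4: case-insensitive
    return {by_lower[w] for w in wanted if w in by_lower}   # note 3: unknown ignored


def reported_membership(property_value, tam_groups):
    """Return two dicts keyed by account: the groups Tivoli Identity Manager will
    report, and the groups the account really belongs to that the setting hides."""
    searched = groups_to_search(property_value, tam_groups)
    accounts = set().union(*tam_groups.values())
    reported, hidden = {}, {}
    for acct in sorted(accounts):
        actual = {g for g, members in tam_groups.items() if acct in members}
        reported[acct] = actual & searched
        hidden[acct] = actual - searched
    return reported, hidden


if __name__ == "__main__":
    for value in (None, "Customers, nosuchgroup", "customers,employees,auditors"):
        rep, hid = reported_membership(value, TAM_GROUPS)
        print(f"{PROPERTY}={value or ''}")
        for acct in rep:
            print(f"  {acct}: reported={sorted(rep[acct])} hidden={sorted(hid[acct])}")
```

With the value "Customers, nosuchgroup" only the customers group is searched: alice and bob are reported as members of customers, alice’s membership of employees and carol’s memberships of employees and auditors are not reported, and a later attempt to add either account to one of those groups fails as described in note 6.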


Chapter 10. Uninstalling the Tivoli Access Manager Combo Adapter

To remove the Tivoli Access Manager Combo Adapter, complete the following steps:
1. Stop the adapter service.
2. Remove the adapter. For more specific information about removing the adapter, see the online help or the information center for your Tivoli Identity Manager product.

Note: The RMI Dispatcher component must be installed on your system in order for adapters to function correctly in a Tivoli Directory Integrator environment. If you delete the adapter profile for the Tivoli Access Manager Combo Adapter, do not uninstall the RMI Dispatcher.


Appendix A. Accessibility

Accessibility features help users with physical disabilities, such as restricted mobility or limited vision, to use software products successfully. The major accessibility features in this product enable users to do the following:
• Use assistive technologies, such as screen-reader software and digital speech synthesizer, to hear what is displayed on the screen. Consult the product documentation of the assistive technology for details on using those technologies with this product.
• Operate specific or equivalent features using only the keyboard.
• Magnify what is displayed on the screen.

In addition, the product documentation was modified to include the following features to aid accessibility:
• All documentation is available in both HTML and convertible PDF formats to give the maximum opportunity for users to apply screen-reader software.
• All images in the documentation are provided with alternative text so that users with vision impairments can understand the contents of the images.

Navigating the interface using the keyboard

Standard shortcut and accelerator keys are used by the product and are documented by the operating system. Refer to the documentation provided by your operating system for more information.

Magnifying what is displayed on the screen

You can enlarge information on the product windows using facilities provided by the operating systems on which the product is run. For example, in a Microsoft Windows environment, you can lower the resolution of the screen to enlarge the font sizes of the text on the screen. Refer to the documentation provided by your operating system for more information.


Appendix B. Support information

Use the following options to obtain support for IBM products:
• “Searching knowledge bases”
• “Contacting IBM Software Support”

Searching knowledge bases

If you have a problem with your IBM software, you want it resolved quickly. Begin by searching the available knowledge bases to determine whether the resolution to your problem is already documented.

Search the information center on your local system or network

IBM provides extensive documentation that can be installed on your local computer or on an intranet server. You can use the search function of this information center to query conceptual information, instructions for completing tasks, reference information, and support documents.

Search the Internet

If you cannot find an answer to your question in the information center, search the Internet for the latest, most complete information that might help you resolve your problem. To locate Internet resources for your product, open one of the following Web sites:
• Performance and tuning information
  Provides information needed to tune your production environment, available on the Web at:
  http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
  Click the I character in the A-Z product list to locate IBM Tivoli Identity Manager products. Click the link for your product, and then browse the information center for the Technical Supplements section.
• Redbooks and white papers are available on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliIdentityManager.html
  Browse to the Self Help section, in the Learn category, and click the Redbooks link.
• Technotes are available on the Web at:
  http://www.redbooks.ibm.com/redbooks.nsf/tips/
• Field guides are available on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html
• For an extended list of other Tivoli Identity Manager resources, search the following IBM developerWorks Web address:
  http://www.ibm.com/developerworks/

Contacting IBM Software Support

IBM Software Support provides assistance with product defects.


Before contacting IBM Software Support, your company must have an active IBM software maintenance contract, and you must be authorized to submit problems to IBM. The type of software maintenance contract that you need depends on the type of product you have:
• For IBM distributed software products (including, but not limited to, Tivoli, Lotus®, and Rational® products, as well as DB2 and WebSphere products that run on Windows or UNIX operating systems), enroll in Passport Advantage in one of the following ways:
  – Online: Go to the Passport Advantage Web page (http://www.lotus.com/services/passport.nsf/WebDocs/Passport_Advantage_Home) and click How to Enroll.
  – By phone: For the phone number to call in your country, go to the IBM Software Support Web site (http://techsupport.services.ibm.com/guides/contacts.html) and click the name of your geographic region.
• For IBM eServer™ software products (including, but not limited to, DB2 and WebSphere products that run in zSeries®, pSeries®, and iSeries® environments), you can purchase a software maintenance agreement by working directly with an IBM sales representative or an IBM Business Partner. For more information about support for eServer software products, go to the IBM Technical Support Advantage Web page (http://www.ibm.com/servers/eserver/techsupport.html).

If you are not sure what type of software maintenance contract you need, call 1-800-IBMSERV (1-800-426-7378) in the United States or, from other countries, go to the contacts page of the IBM Software Support Handbook on the Web (http://techsupport.services.ibm.com/guides/contacts.html) and click the name of your geographic region for phone numbers of people who provide support for your location.

Follow the steps in this topic to contact IBM Software Support:
1. Determine the business impact of your problem.
2. Describe your problem and gather background information.
3. Submit your problem to IBM Software Support.

Determine the business impact of your problem

When you report a problem to IBM, you are asked to supply a severity level. Therefore, you need to understand and assess the business impact of the problem you are reporting. Use the following criteria:

Severity 1   Critical business impact: You are unable to use the program, resulting in a critical impact on operations. This condition requires an immediate solution.

Severity 2   Significant business impact: The program is usable but is severely limited.

Severity 3   Some business impact: The program is usable with less significant features (not critical to operations) unavailable.

Severity 4   Minimal business impact: The problem causes little impact on operations, or a reasonable circumvention to the problem has been implemented.


Describe your problem and gather background information

When explaining a problem to IBM, be as specific as possible. Include all relevant background information so that IBM Software Support specialists can help you solve the problem efficiently. To save time, know the answers to these questions:
• What software versions were you running when the problem occurred?
• Do you have logs, traces, and messages that are related to the problem symptoms? IBM Software Support is likely to ask for this information.
• Can the problem be re-created? If so, what steps led to the failure?
• Have any changes been made to the system? (For example, hardware, operating system, networking software, and so on.)
• Are you currently using a workaround for this problem? If so, please be prepared to explain it when you report the problem.

Submit your problem to IBM Software Support

You can submit your problem in one of two ways:
• Online: Go to the “Submit and track problems” page on the IBM Software Support site (http://www.ibm.com/software/support/probsub.html). Enter your information into the appropriate problem submission tool.
• By phone: For the phone number to call in your country, go to the contacts page of the IBM Software Support Handbook on the Web (http://techsupport.services.ibm.com/guides/contacts.html) and click the name of your geographic region.

If the problem you submit is for a software defect or for missing or inaccurate documentation, IBM Software Support creates an Authorized Program Analysis Report (APAR). The APAR describes the problem in detail. Whenever possible, IBM Software Support provides a workaround for you to implement until the APAR is resolved and a fix is delivered. IBM publishes resolved APARs on the IBM product support Web pages daily, so that other users who experience the same problem can benefit from the same resolutions.

For more information about problem resolution, see Searching knowledge bases.


Appendix C. Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user’s responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.


Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged should contact:

IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

Trademarks

The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both:

AIX
DB2
developerWorks
eServer
IBM
iSeries
Lotus
Notes
OMEGAMON
Passport Advantage
pSeries
Rational
Redbooks
Tivoli
WebSphere
zSeries


Adobe, Acrobat, Portable Document Format (PDF), and PostScript® are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.

Cell Broadband Engine™ and Cell/B.E. are trademarks of Sony Computer Entertainment, Inc., in the United States, other countries, or both and are used under license therefrom.

Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Microsoft, Windows, Windows NT®, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Intel®, Intel logo, Intel Inside®, Intel Inside logo, Intel® Centrino®, Intel Centrino logo, Celeron®, Intel Xeon®, Intel SpeedStep®, Itanium®, and Pentium® are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Linux is a trademark of Linus Torvalds in the U.S., other countries, or both.

ITIL® is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.

IT Infrastructure Library® is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.

Other company, product, and service names may be trademarks or service marks of others.


Printed in USA

SC23-9664-00