Tivoli® Access Manager for e-business Installation Guide, Version 6.1 (GC23-6502-00)


Tivoli Access Manager for e-business

Version 6.1

Installation Guide

GC23-6502-00


Note: Before using this information and the product it supports, read the information in Appendix D, Notices, on page 641.

Edition notice

This edition applies to version 6, release 1 of IBM Tivoli Access Manager (product number 5724-C08) and to all subsequent releases and modifications until otherwise indicated in new editions.

Copyright International Business Machines Corporation 2001, 2008. All rights reserved.

US Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

About this publication . . . xi
  Intended audience . . . xi
  What this publication contains . . . xi
  Publications . . . xiii
    IBM Tivoli Access Manager for e-business library . . . xiii
    Related products and publications . . . xv
    Accessing terminology online . . . xvi
    Accessing publications online . . . xvii
    Ordering publications . . . xvii
  Accessibility . . . xvii
  Tivoli technical training . . . xvii
  Support information . . . xviii
  Conventions used in this publication . . . xviii
    Typeface conventions . . . xviii
    Operating system-dependent variables and paths . . . xix

Part 1. Planning for installation . . . 1

Chapter 1. Installation overview . . . 3
  Planning for deployment . . . 3
  Secure domain overview . . . 4
  Tivoli Access Manager installation components . . . 5
    Tivoli Access Manager base components . . . 5
    Tivoli Access Manager Web security components . . . 8
    Tivoli Access Manager distributed sessions management components . . . 9
  Prerequisite products . . . 10
  Supported registries . . . 13
    IBM Tivoli Directory Server . . . 13
    IBM z/OS LDAP Server . . . 13
    IBM Lotus Domino Server . . . 13
    Microsoft Active Directory . . . 13
    Microsoft Active Directory Application Mode (ADAM) . . . 14
    Sun Java System Directory Server . . . 14
    Novell eDirectory . . . 14
  Components and prerequisites provided with Tivoli Access Manager systems . . . 15
    Tivoli Access Manager base systems . . . 15
    Tivoli Access Manager Web security systems . . . 17
    Tivoli Access Manager distributed sessions management systems . . . 19
  Installation process . . . 21
  Installation methods . . . 23
    Installation wizards . . . 23
    Native installation utilities . . . 26
    Software Distribution installation method . . . 26
  Groups and administrator identities on UNIX and Linux systems . . . 30
  Default port numbers . . . 33

Chapter 2. Internationalization . . . 35
  Language support overview . . . 36
  Installing language support packages for Tivoli Access Manager . . . 37
  Installing language support packages for IBM Tivoli Directory Server . . . 39
    AIX: Installing Tivoli Directory Server language packages . . . 39
    HP-UX: Installing Tivoli Directory Server language packages . . . 40
    Linux: Installing Tivoli Directory Server language packages . . . 41
    Solaris: Installing Tivoli Directory Server language packages . . . 42

    Windows: Installing Tivoli Directory Server language packages . . . 43
  Uninstalling Tivoli Access Manager language support packages . . . 44
  Uninstalling IBM Tivoli Directory Server language packages . . . 45
  Locale environment variables . . . 46
    LANG variable on UNIX or Linux systems . . . 47
    LANG variable on Windows systems . . . 48
    Using locale variants . . . 48
  Message catalogs . . . 49
  Text encoding (code set) support . . . 50
    Location of code set files . . . 50

Part 2. Base system installation . . . 51

Chapter 3. Setting up the registry server . . . 53
  Setting up IBM Tivoli Directory Server . . . 54
    Preinstallation requirements . . . 54
    Installing using the installation wizard . . . 57
    Installing using native utilities . . . 58
    Configuring a directory server instance for IBM Tivoli Directory Server . . . 87
    Configuring IBM Tivoli Directory Server for Tivoli Access Manager . . . 100
  Setting up IBM z/OS LDAP Server . . . 105
    Updating schema files . . . 106
    Adding suffixes . . . 106
    Configuring Tivoli Access Manager for LDAP . . . 106
    Native authentication user administration . . . 107
  Setting up Lotus Domino . . . 108
    Creating a Tivoli Access Manager administrative user for Domino (versions 6.5, 7.0.1, 7.0.2, and 8.0) . . . 110
    Installing a Lotus Notes client on a Tivoli Access Manager system . . . 112
  Setting up Microsoft Active Directory . . . 114
    Active Directory considerations . . . 114
    Creating an Active Directory domain . . . 115
    Joining an Active Directory domain . . . 116
    Creating an Active Directory administrative user . . . 118
    Changing Active Directory replication settings . . . 119
  Setting up Microsoft Active Directory Application Mode (ADAM) . . . 119
    Installing and configuring Active Directory Application Mode (ADAM) for Tivoli Access Manager (Overview) . . . 120
    Installing Access Manager with support for Active Directory Application Mode (ADAM) . . . 120
    Configuring the Tivoli Access Manager schema for Active Directory Application Mode (ADAM) . . . 121
    Configuring a default Tivoli Access Manager directory partition . . . 122
    Adding an administrator to the Tivoli Access Manager metadata directory partition . . . 124
    Allowing anonymous bind . . . 126
  Setting up Novell eDirectory . . . 127
    Configuring the Novell eDirectory for Tivoli Access Manager . . . 127
    When using Novell eDirectory . . . 129
    Management domain location . . . 130
  Setting up the Sun Java System Directory Server . . . 130

Chapter 4. Setting up a policy server . . . 135
  LDAP data format selection . . . 135
  Tivoli Access Manager management domains . . . 136
    Creating a management domain location (example) . . . 137
    Management domain location for an Active Directory Application Mode (ADAM) registry . . . 137
  Installing using the installation wizard . . . 138
  Installing using native utilities . . . 139
    AIX: Installing the policy server . . . 139
    HP-UX: Installing the policy server . . . 141
    Linux: Installing the policy server . . . 143
    Solaris: Installing the policy server . . . 144
    Windows: Installing the policy server . . . 147


Chapter 5. Setting up an authorization server . . . 149
  Installing using the installation wizard . . . 149
  Installing using native utilities . . . 150
    AIX: Installing an authorization server . . . 151
    HP-UX: Installing an authorization server . . . 152
    Linux: Installing an authorization server . . . 153
    Solaris: Installing an authorization server . . . 155
    Windows: Installing an authorization server . . . 156

Chapter 6. Setting up a development system . . . 159
  Installing using the installation wizard . . . 159
  Installing using native utilities . . . 160
    AIX: Installing a development (ADK) system . . . 160
    HP-UX: Installing a development (ADK) system . . . 161
    Linux: Installing a development (ADK) system . . . 163
    Solaris: Installing a development (ADK) system . . . 164
    Windows: Installing a development (ADK) system . . . 166

Chapter 7. Setting up an Access Manager Runtime for Java system . . . 169
  Installing using the installation wizard . . . 169
  Installing using native utilities . . . 171
    AIX: Installing Access Manager Runtime for Java . . . 171
    HP-UX: Installing Access Manager Runtime for Java . . . 172
    Linux: Installing Access Manager Runtime for Java . . . 173
    Solaris: Installing Access Manager Runtime for Java . . . 174
    Windows: Installing Access Manager Runtime for Java . . . 176

Chapter 8. Setting up a policy proxy server system . . . 177
  Installing using the installation wizard . . . 177
  Installing using native utilities . . . 178
    AIX: Installing a policy proxy server . . . 178
    HP-UX: Installing a policy proxy server . . . 179
    Linux: Installing a policy proxy server . . . 181
    Solaris: Installing a policy proxy server . . . 182
    Windows: Installing a policy proxy server . . . 184

Chapter 9. Setting up a runtime system . . . 187
  Installing using the installation wizard . . . 187
  Installing using native utilities . . . 189
    AIX: Installing Access Manager Runtime . . . 189
    HP-UX: Installing Access Manager Runtime . . . 190
    Linux: Installing Access Manager Runtime . . . 191
    Solaris: Installing Access Manager Runtime . . . 192
    Windows: Installing Access Manager Runtime . . . 194

Chapter 10. Setting up a Web Portal Manager system . . . 197
  Installing using the installation wizard . . . 197
  Installing using native utilities . . . 199
    AIX: Installing a Web Portal Manager system . . . 200
    HP-UX: Installing a Web Portal Manager system . . . 202
    Linux: Installing a Web Portal Manager system . . . 204
    Solaris: Installing a Web Portal Manager system . . . 207
    Windows: Installing a Web Portal Manager system . . . 210

Part 3. Web security system installation . . . 213

Chapter 11. Setting up the Access Manager Attribute Retrieval Service . . . 215
  Installing using the installation wizard . . . 215
  Installing using native utilities . . . 216
    AIX: Installing the Access Manager Attribute Retrieval Service . . . 216
    HP-UX: Installing the Access Manager Attribute Retrieval Service . . . 217
    Linux: Installing the Access Manager Attribute Retrieval Service . . . 218
    Solaris: Installing the Access Manager Attribute Retrieval Service . . . 219
    Windows: Installing the Access Manager Attribute Retrieval Service . . . 219

Chapter 12. Setting up the plug-in for Edge Server . . . 221
  Preinstallation requirements . . . 221
  AIX: Installing the plug-in for Edge Server . . . 222
  Red Hat Enterprise Linux: Installing the plug-in for Edge Server . . . 223
  Solaris: Installing the plug-in for Edge Server . . . 224
  Windows: Installing the plug-in for Edge Server . . . 226
  Overview of the plug-in for Edge Server configuration . . . 227
    Server configuration model . . . 228
    Server configuration concepts . . . 229
    Object space configuration model . . . 231
    Single sign-on configuration model . . . 232
  Configuration procedure summary . . . 233

Chapter 13. Setting up the plug-in for Web servers . . . 235
  Preinstallation requirements . . . 235
  Installing using the installation wizard . . . 237
  Installing using native utilities . . . 238
    Installing the plug-in for Apache Web Server . . . 238
    Installing the plug-in for IBM HTTP Server . . . 243
    Installing the plug-in for Internet Information Services . . . 249
    Installing the plug-in for Sun Java System Web Server . . . 250

Chapter 14. Setting up a Web security development system . . . 255
  Installing using the installation wizard . . . 255
  Installing using native utilities . . . 256
    AIX: Installing a Web security development (ADK) system . . . 257
    HP-UX: Installing a Web security development (ADK) system . . . 258
    Linux: Installing a Web security development (ADK) system . . . 259
    Solaris: Installing a Web security development (ADK) system . . . 260
    Windows: Installing a Web security development (ADK) system . . . 261

Chapter 15. Setting up WebSEAL . . . 263
  Installing using the installation wizard . . . 263
  Installing using native utilities . . . 265
    AIX: Installing WebSEAL . . . 265
    HP-UX: Installing WebSEAL . . . 266
    Linux: Installing WebSEAL . . . 268
    Solaris: Installing WebSEAL . . . 269
    Windows: Installing WebSEAL . . . 271

Part 4. Session management system installation . . . 273

Chapter 16. Setting up a session management server . . . 275
  Preinstallation requirements . . . 276
  Installing using the installation wizard . . . 278
  Installing using native utilities . . . 281
    AIX: Installing a session management server system . . . 281
    HP-UX: Installing a session management server system . . . 282
    Linux: Installing a session management server system . . . 283
    Solaris: Installing a session management server system . . . 283
    Windows: Installing a session management server system . . . 284
  Creating the login history database . . . 285
  Deploying the Integrated Solutions Console extension . . . 287
  Deploying the Session Management Server application . . . 287
    Deploying using the smscfg utility . . . 287
    Deploying using Session Management Server Integrated Solutions Console (ISC) . . . 288
  Configuring the session management server . . . 288
    Configuring the session management server using the smscfg utility . . . 288
    Configuring the session management server using the Integrated Solutions Console (ISC) . . . 289

Chapter 17. Setting up the session management command line . . . 291
  Preinstallation requirements . . . 291
  Installing using the installation wizard . . . 292
  Installing using native utilities . . . 294
    AIX: Installing the session management command line . . . 294
    HP-UX: Installing the session management command line . . . 295
    Linux: Installing the session management command line . . . 297
    Solaris: Installing the session management command line . . . 298
    Windows: Installing the session management command line . . . 300

Part 5. Reference information . . . 303

Chapter 18. Installing prerequisite products . . . 307
  Installing the IBM Global Security Kit (GSKit) . . . 307
    AIX: Installing the IBM Global Security Kit (GSKit) . . . 308
    HP-UX: Installing the IBM Global Security Kit (GSKit) . . . 308
    Linux: Installing the IBM Global Security Kit (GSKit) . . . 309
    Solaris: Installing the IBM Global Security Kit (GSKit) . . . 310
    Windows: Installing the IBM Global Security Kit (GSKit) . . . 311
    Setting up the GSKit iKeyman utility . . . 311
  Installing IBM Java Runtime . . . 314
    AIX: Installing IBM Java Runtime . . . 314
    HP-UX: Installing IBM Java Runtime . . . 315
    Linux: Installing IBM Java Runtime . . . 316
    Solaris: Installing IBM Java Runtime . . . 317
    Windows: Installing IBM Java Runtime . . . 317
  Installing the IBM Tivoli Security Utilities . . . 319
    AIX: Installing the IBM Tivoli Security Utilities . . . 319
    HP-UX: Installing IBM Tivoli Security Utilities . . . 319
    Linux: Installing IBM Tivoli Security Utilities . . . 320
    Solaris: Installing IBM Tivoli Security Utilities . . . 321
    Windows: Installing IBM Tivoli Security Utilities . . . 322
  Installing the IBM Tivoli Directory Server client . . . 323
    AIX: Installing the IBM Tivoli Directory Server client . . . 323
    HP-UX: Installing the IBM Tivoli Directory Server client . . . 324
    Linux: Installing the IBM Tivoli Directory Server client . . . 325
    Solaris: Installing the IBM Tivoli Directory Server client . . . 326
    Windows: Installing the IBM Tivoli Directory Server client . . . 327
  Installing IBM WebSphere Application Server . . . 329
    AIX: Installing WebSphere Application Server . . . 329
    HP-UX: Installing WebSphere Application Server . . . 330
    Linux: Installing WebSphere Application Server . . . 331
    Solaris: Installing WebSphere Application Server . . . 332
    Windows: Installing WebSphere Application Server . . . 332
  Installing the Web Administration Tool . . . 334
    AIX: Installing the Web Administration Tool . . . 334
    HP-UX: Installing the Web Administration Tool . . . 335
    Linux: Installing the Web Administration Tool . . . 336
    Solaris: Installing the Web Administration Tool . . . 337
    Windows: Installing the Web Administration Tool . . . 338
    Installing the Web Administration Tool into WebSphere . . . 340

Chapter 19. Uninstalling components . . . 343
  Unconfiguring Tivoli Access Manager components . . . 344
  Unconfiguring IBM Tivoli Directory Server . . . 345
    Unconfiguring the database . . . 345
    Deleting a directory server instance . . . 346
  Removing packages . . . 347
    AIX: Removing packages . . . 347
    HP-UX: Removing packages . . . 349
    Linux: Removing packages . . . 350
    Solaris: Removing packages . . . 352
    Windows: Removing packages . . . 353

Chapter 20. Installation wizard scenarios . . . 355
  Installing the IBM Tivoli Directory Server (install_ldap_server wizard) . . . 356
    Pre-installation requirements . . . 356
    install_ldap_server scenario . . . 357
  Installing the policy server (install_ammgr wizard) . . . 365

Chapter 21. Installation wizard options . . . 373
  Access Manager Runtime (LDAP) . . . 374
  Access Manager Runtime (Active Directory) . . . 378
  Access Manager Runtime (Domino) . . . 385
  install_amacld . . . 388
  install_amadk . . . 392
  install_amjrte . . . 393
  install_ammgr . . . 395
  install_amproxy . . . 400
  install_amrte . . . 404
  install_amsms . . . 405
  install_amsmscli . . . 416
  install_amweb . . . 420
  install_amwebadk . . . 426
  install_amwebars . . . 430
  install_amwpi . . . 431
  install_amwpm . . . 435
  install_ldap_server . . . 438

Chapter 22. pdconfig options . . . 443
  Access Manager Runtime LDAP . . . 444
  Access Manager Runtime Active Directory . . . 447
  Access Manager Runtime Domino . . . 451
  Access Manager Attribute Retrieval Service . . . 453
  Access Manager Authorization Server . . . 454
  Access Manager Runtime for Java . . . 455
  Access Manager Plug-in for Edge Server . . . 457
  Access Manager Plug-in for Web Servers on UNIX . . . 458
  Access Manager Plug-in for Web Servers on Windows . . . 460
  Access Manager Policy Server . . . 461
  Access Manager Policy Proxy Server . . . 463
  Access Manager Web Portal Manager . . . 464
  Access Manager WebSEAL . . . 467

Chapter 23. Enabling Secure Sockets Layer (SSL) security . . . 469
  Configuring IBM Tivoli Directory Server for SSL access . . . 470
    Creating the key database file . . . 470
    Requesting or creating a personal certificate . . . 471
      Using certificates from a Certificate Authority (CA) . . . 471
      Using self-signed certificates . . . 473
    Configuring a key database file for Tivoli Directory Server . . . 475
    Enabling SSL for Tivoli Directory Server . . . 476
    Verifying that SSL has been enabled on the server . . . 478
    Enabling FIPS . . . 479
  Configuring IBM z/OS LDAP servers for SSL access . . . 481
    Setting the security options . . . 481
    Creating a key database file . . . 482
  Configuring Microsoft Active Directory for SSL access . . . 484
    Verifying that SSL is enabled on the Active Directory server . . . 484
    Exporting the certificate from the Active Directory server . . . 484
    Importing the certificate on the LDAP client system . . . 485
    Testing SSL access . . . 485
  Configuring Active Directory Application Mode (ADAM) for SSL access . . . 487
    Setting up Active Directory Application Mode (ADAM) to use SSL (Example) . . . 487
  Configuring Novell eDirectory server for SSL access . . . 491
    Creating an organizational certificate authority object . . . 491
    Creating a self-signed certificate . . . 492
    Creating a server certificate for the LDAP server . . . 492
    Enabling SSL . . . 493
    Adding the self-signed CA certificate to the IBM key file . . . 493
  Configuring Sun Java System Directory Server for SSL access . . . 494
    Obtaining a server certificate . . . 494
    Installing the server certificate . . . 495
    Enabling SSL access . . . 495
  Configuring the Tivoli Directory Server client for SSL access . . . 497
    Creating the key database file . . . 497
    Adding the signer certificate to the client key database file . . . 498
    Configuring the client for SSL communications . . . 499
    Testing SSL access from the client . . . 499
  Configuring SSL for server and client authentication . . . 500
    Creating the key database file on the client . . . 500
    Requesting or creating a personal certificate on the client . . . 501
      Using certificates from a Certificate Authority (CA) on the client . . . 501
      Using self-signed certificates on the client . . . 503
    Adding the signer certificate to the server key database file . . . 504
    Testing SSL access when using server and client authentication . . . 505

Chapter 24. AIX: Setting up a standby policy server . . . . . 507
Preinstallation requirements . . . . . 508
HACMP environment scenario . . . . . 509
  Example HACMP configuration . . . . . 511
Creating a standby policy server environment . . . . . 519
  Script: Setting UIDs for both the primary and standby systems . . . . . 523
  Script: Linking files and directories on the primary system . . . . . 525
  Example: Verifying the primary server directories, soft links, and permissions . . . . . 526
  Script: Linking from the AIX system files to the shared directory on the standby system . . . . . 528
  Example: Verifying standby server directories, soft links and permissions . . . . . 529

Chapter 25. Setting up a Tivoli Directory Server proxy environment . . . . . 531
Configuring the Tivoli Directory Server proxy . . . . . 531
  Type of configuration information . . . . . 532
  Synchronizing server instances . . . . . 533
  Creating server instances . . . . . 533
  Global administration group . . . . . 533
  Configuring the Tivoli Directory Server proxy server . . . . . 534
  Adding back-end servers to the proxy server . . . . . 535
  Partitioning to back-end servers . . . . . 536
Setting up a proxy environment for Tivoli Access Manager . . . . . 538
  Configuring Tivoli Access Manager to use the proxy . . . . . 539
  Redirecting the policy server to the proxy . . . . . 540
  Setting access controls for the proxy . . . . . 541
  Unconfiguring Tivoli Access Manager from the proxy . . . . . 541

Chapter 26. Tivoli Access Manager utilities . . . . . 543
amauditcfg . . . . . 544
amwebcfg . . . . . 548
amwpmcfg . . . . . 553
bassslcfg . . . . . 557
install_component . . . . . 560
ivrgy_tool . . . . . 565
mgrsslcfg . . . . . 568
pdbackup . . . . . 570
pdconfig . . . . . 574
pdjrtecfg . . . . . 575
pdproxycfg . . . . . 579
pdsmsclicfg . . . . . 582
pdversion . . . . . 585
pdwpicfg . . . . . 587
smscfg . . . . . 590
svrsslcfg . . . . . 597

Chapter 27. Using response files . . . . . 603
Prerequisite systems . . . . . 603
  Base systems . . . . . 603
  Web security systems . . . . . 604
  Session management systems . . . . . 605
Response file template . . . . . 605

Chapter 28. Using software package definition files . . . . . 617

Appendix A. Installing IBM Tivoli Directory Integrator . . . . . 625

Appendix B. User registry differences . . . . . 627
General concerns . . . . . 627
LDAP concerns . . . . . 627
  Sun Java System Directory Server concerns . . . . . 628
  Microsoft Active Directory Application Mode (ADAM) concerns . . . . . 628
URAF concerns . . . . . 629
  Lotus Domino Server concerns . . . . . 629
  Microsoft Active Directory Server concerns . . . . . 629
Length of names . . . . . 631

Appendix C. Support information . . . . . 635
Searching knowledge bases . . . . . 635
  Searching information centers . . . . . 635
  Searching the Internet . . . . . 635
Obtaining fixes . . . . . 635
Registering with IBM Software Support . . . . . 636
Receiving weekly software updates . . . . . 636
Contacting IBM Software Support . . . . . 637
  Determining the business impact . . . . . 637
  Describing problems and gathering information . . . . . 638
  Submitting problems . . . . . 638

Appendix D. Notices . . . . . 641
Trademarks . . . . . 643

Glossary . . . . . 645

Index . . . . . 655

About this publication

IBM Tivoli Access Manager (Tivoli Access Manager) is the software that is required to run applications in the Tivoli Access Manager product suite. It enables the integration of Tivoli Access Manager applications that provide a wide range of authorization and management solutions. Sold as an integrated solution, these products provide an access control management solution that centralizes network and application security policy for e-business applications.

The IBM Tivoli Access Manager for e-business: Installation Guide explains how to install and configure IBM Tivoli Access Manager for e-business, including Tivoli Access Manager systems, session management systems, and Web security systems.

Intended audience

This guide is for system administrators responsible for the installation and deployment of Tivoli Access Manager. Readers should be familiar with the following:
- PC and UNIX operating systems
- Database architecture and concepts
- Security management
- Internet protocols, including HTTP, TCP/IP, File Transfer Protocol (FTP), and Telnet
- Lightweight Directory Access Protocol (LDAP) and directory services
- Authentication and authorization

If you are enabling Secure Sockets Layer (SSL) communication, you also should be familiar with the SSL protocol, key exchange (public and private), digital signatures, cryptographic algorithms, and certificate authorities.

What this publication contains

Part 1, Planning for installation
- Chapter 1, Installation overview, on page 3
  Provides an overview of installing Tivoli Access Manager software using installation wizards or native installation utilities.
- Chapter 2, Internationalization, on page 35
  Instructs how to install language packages to enable Tivoli Access Manager for non-English environments.

Part 2, Base system installation

Chapter 3, Setting up the registry server, on page 53 describes how to set up and configure supported registries for use with Tivoli Access Manager. Also describes how to set up and configure a Tivoli Directory Server proxy server.

Chapter 4 through Chapter 10 provide instructions on how to install and configure Tivoli Access Manager components and prerequisite products to set up Tivoli Access Manager base systems. Instructions are provided for both installation wizards and native command line utilities.

- Chapter 4, Setting up a policy server, on page 135
- Chapter 5, Setting up an authorization server, on page 149
- Chapter 6, Setting up a development system, on page 159
- Chapter 7, Setting up an Access Manager Runtime for Java system, on page 169
- Chapter 8, Setting up a policy proxy server system, on page 177
- Chapter 9, Setting up a runtime system, on page 187
- Chapter 10, Setting up a Web Portal Manager system, on page 197

Part 3, Web security system installation

Chapter 11 through Chapter 15 provide instructions on how to install and configure Tivoli Access Manager components and prerequisite products to set up Tivoli Access Manager Web Security systems. Instructions are provided for both installation wizards and native command line utilities.
- Chapter 11, Setting up the Access Manager Attribute Retrieval Service, on page 215
- Chapter 12, Setting up the plug-in for Edge Server, on page 221
- Chapter 13, Setting up the plug-in for Web servers, on page 235
- Chapter 14, Setting up a Web security development system, on page 255
- Chapter 15, Setting up WebSEAL, on page 263

Part 4, Session management system installation

Chapter 16 provides instructions on how to install and configure Tivoli Access Manager components and prerequisite products to set up Tivoli Access Manager session management systems. Instructions are provided for both installation wizards and native command line utilities.
- Chapter 16, Setting up a session management server, on page 275
- Chapter 17, Setting up the session management command line, on page 291

Part 5, Reference information includes the following chapters:
- Chapter 18, Installing prerequisite products, on page 307
  Describes how to install prerequisite products that are required on specific Tivoli Access Manager systems. These products include the IBM Global Security Kit (GSKit), the IBM Java Runtime, the IBM Tivoli Security Utilities, the IBM Tivoli Directory Server client, IBM WebSphere Application Server, the IBM WebSphere Application Server Refresh Pack, and the IBM Tivoli Directory Server Web Administration Tool.
- Chapter 19, Uninstalling components, on page 343
  Provides instructions for unconfiguring and removing prerequisite products and Tivoli Access Manager packages.
- Chapter 20, Installation wizard scenarios, on page 355
  Provides scenarios and descriptions of configuration options that you are prompted for using installation wizards.
- Chapter 21, Installation wizard options, on page 373
  Provides descriptions of installation and configuration options that you are prompted for during Tivoli Access Manager configuration using installation wizards.
- Chapter 22, pdconfig options, on page 443
  Provides descriptions of configuration options that you are prompted for during Tivoli Access Manager configuration using the pdconfig utility.
- Chapter 23, Enabling Secure Sockets Layer (SSL) security, on page 469
  Explains how to enable SSL data encryption for secure communications between the registry server and IBM Tivoli Directory Server clients.
- Chapter 24, AIX: Setting up a standby policy server, on page 507
  Describes how to set up a standby policy server in the event of a system failure (on AIX only). This capability requires additional software and hardware, including High Availability Cluster Multiprocessing (HACMP) software.
- Chapter 25, Setting up a Tivoli Directory Server proxy environment, on page 531
  Describes how to set up a Tivoli Directory Server proxy environment.
- Chapter 26, Tivoli Access Manager utilities, on page 543
  Provides reference information about utilities used when setting up Tivoli Access Manager systems.
- Chapter 27, Using response files, on page 603
  Provides instructions for how to use response files to install multiple products on multiple systems at the same time.
- Chapter 28, Using software package definition files, on page 617
  Provides instructions for using the Software Distribution component of IBM Tivoli Configuration Manager to install Tivoli Access Manager systems.
- Appendix B, User registry differences, on page 627
  Provides reference information about user registry differences when setting up Tivoli Access Manager systems.
- Appendix C, Support information, on page 635
  Provides information for obtaining technical support for IBM products.

Publications

This section lists publications in the IBM Tivoli Access Manager for e-business library and related documents. The section also describes how to access Tivoli publications online and how to order Tivoli publications.

IBM Tivoli Access Manager for e-business library

Review the descriptions of the Tivoli Access Manager library, the prerequisite publications, and the related publications to determine which publications you might find helpful. After you determine the publications you need, refer to the instructions for accessing publications online.

Additional information about the Tivoli Access Manager for e-business product itself can be found at the following Web address: http://www.ibm.com/software/tivoli/products/access-mgr-e-bus

The Tivoli Access Manager library is organized into the following categories:
- Release information on page xiv
- Installation and upgrade documentation on page xiv
- Administration documentation on page xiv
- Reference documentation on page xiv
- Problem determination documentation on page xv
- Performance tuning documentation on page xv

Release information

- IBM Tivoli Access Manager for e-business: Release Notes, GC23-6501-00
  Provides information about installing and getting started, system requirements, known installation and configuration problems, and problem workarounds.

Installation and upgrade documentation

- IBM Tivoli Access Manager for e-business: Installation Guide, GC23-6502-00
  Explains how to install and configure Tivoli Access Manager for e-business.
- IBM Tivoli Access Manager for e-business: Upgrade Guide, SC23-6503-00
  Explains how to upgrade to Tivoli Access Manager for e-business version 6.1.
- IBM Tivoli Access Manager for e-business: Quick Start Guide, GI11-8174-00
  Provides a high-level overview of a Tivoli Access Manager for e-business version 6.1 installation.

Administration documentation

- IBM Tivoli Access Manager for e-business: Administration Guide, SC23-6504-00
  Describes the concepts and procedures for using Tivoli Access Manager. Provides instructions for performing tasks from the Web Portal Manager interface and by using the pdadmin utility.
- IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide, SC23-6505-00
  Provides background material, administrative procedures, and technical reference information for using WebSEAL to manage the resources of your secure Web domain.
- IBM Tivoli Access Manager for e-business: Plug-in for Edge Server Administration Guide, SC23-6506-00
  Provides administration instructions for integrating Tivoli Access Manager with the IBM WebSphere Edge Server application.
- IBM Tivoli Access Manager for e-business: Plug-in for Web Servers Administration Guide, SC23-6507-00
  Provides administration procedures and technical reference information for securing your Web domain using a Web server plug-in.
- IBM Tivoli Access Manager for e-business: Shared Session Management Administration Guide, SC23-6509-00
  Provides deployment considerations and operational instructions for the session management server.
- IBM Global Security Kit: Secure Sockets Layer Introduction and iKeyman Users Guide, SC23-6510-00
  Provides information for network or system security administrators who plan to enable SSL communication in their Tivoli Access Manager environment.
- IBM Tivoli Access Manager for e-business: Auditing Guide, SC23-6511-00
  Provides information about configuring and managing audit events using the native Tivoli Access Manager approach and the Common Auditing and Reporting Service. Information about installing and configuring the Common Auditing and Reporting Service that can be used for generating and viewing operational reports is also provided.

Reference documentation

- IBM Tivoli Access Manager for e-business: Command Reference, SC23-6512-00
  Provides reference information about the commands, utilities, and scripts that are provided with Tivoli Access Manager.
- IBM Tivoli Access Manager for e-business: Administration C API Developer Reference, SC23-6513-00
  Provides reference information about using the C language implementation of the administration API to enable an application to perform Tivoli Access Manager administration tasks.
- IBM Tivoli Access Manager for e-business: Administration Java Classes Developer Reference, SC23-6514-00
  Provides reference information about using the Java language implementation of the administration API to enable an application to perform Tivoli Access Manager administration tasks.
- IBM Tivoli Access Manager for e-business: Authorization C API Developer Reference, SC23-6515-00
  Provides reference information about using the C language implementation of the authorization API to enable an application to use Tivoli Access Manager security.
- IBM Tivoli Access Manager for e-business: Authorization Java Classes Developer Reference, SC23-6516-00
  Provides reference information about using the Java language implementation of the authorization API to enable an application to use Tivoli Access Manager security.
- IBM Tivoli Access Manager for e-business: Web Security Developer Reference, SC23-6517-00
  Provides programming and reference information for developing authentication modules.

Problem determination documentation

- IBM Tivoli Access Manager for e-business: Problem Determination Guide, GI11-8156-00
  Provides problem determination information for Tivoli Access Manager.
- IBM Tivoli Access Manager for e-business: Error Message Reference, GI11-8157-00
  Provides explanations and recommended actions for the messages and return codes that are generated by Tivoli Access Manager.

Performance tuning documentation

- IBM Tivoli Access Manager for e-business: Performance Tuning Guide, SC23-6518-00
  Provides performance tuning information for an environment consisting of Tivoli Access Manager with the IBM Tivoli Directory Server as the user registry.

Related products and publications

This section lists the IBM products that are related to and included with a Tivoli Access Manager solution.

IBM Global Security Kit

Tivoli Access Manager provides data encryption through the use of the Global Security Kit (GSKit) version 7.0. GSKit is included on the IBM Tivoli Access Manager Base CD for your particular platform, as well as on the IBM Tivoli Access Manager Web Security CDs, the IBM Tivoli Access Manager Shared Session Management CDs, and the IBM Tivoli Access Manager Directory Server CDs.

The GSKit package provides the iKeyman key management utility, gsk7ikm, which is used to create key databases, public-private key pairs, and certificate requests. The IBM Global Security Kit: Secure Sockets Layer Introduction and iKeyman Users Guide is available on the Tivoli Information Center Web site in the same section as the Tivoli Access Manager product documentation.

IBM Tivoli Directory Server

IBM Tivoli Directory Server version 6.1 is included on the IBM Tivoli Access Manager Directory Server set of CDs for the desired operating system. Additional information about Tivoli Directory Server can be found at the following Web address: http://www.ibm.com/software/tivoli/products/directory-server/

IBM Tivoli Directory Integrator

IBM Tivoli Directory Integrator version 6.1.1 is included on the IBM Tivoli Directory Integrator CD for the desired operating system. Additional information about IBM Tivoli Directory Integrator can be found at the following Web address: http://www-306.ibm.com/software/tivoli/products/directory-integrator/

IBM DB2 Universal Database

IBM DB2 Universal Database Enterprise Server Edition version 9.1 is provided on the IBM Tivoli Access Manager Directory Server set of CDs and is installed with the Tivoli Directory Server software. DB2 is required when using Tivoli Directory Server or z/OS LDAP servers as the user registry for Tivoli Access Manager. For z/OS LDAP servers, you must separately purchase DB2. Additional information about DB2 can be found at the following Web address: http://www.ibm.com/software/data/db2

IBM WebSphere Application Server

WebSphere Application Server version 6.1 is included on the IBM Tivoli Access Manager WebSphere Application Server set of CDs for the desired operating system. WebSphere Application Server enables the support of the Web Portal Manager interface, which is used to administer Tivoli Access Manager; the Web Administration Tool, which is used to administer Tivoli Directory Server; the Common Auditing and Reporting Service, which is used to process and report on audit events; the session management server, which is used to manage shared sessions in a Web security server environment; and the Attribute Retrieval Service. Additional information about WebSphere Application Server can be found at the following Web address: http://www.ibm.com/software/webservers/appserv/infocenter.html

Accessing terminology online

The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available at the following Tivoli software library Web site: http://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm

The IBM Terminology Web site consolidates the terminology from IBM product libraries in one convenient location. You can access the Terminology Web site at the following Web address: http://www.ibm.com/software/globalization/terminology

Accessing publications online

The Tivoli Software Library provides a variety of Tivoli publications such as white papers, data sheets, demonstrations, Redbooks, and announcement letters. The publications for this product and many other Tivoli products are available online in Portable Document Format (PDF) or Hypertext Markup Language (HTML) format, or both, in the Tivoli software library at the following Web address: http://publib.boulder.ibm.com/tividd/td/tdprodlist.html

To locate product publications in the library, click the first letter of the product name or scroll until you find the product name. Then click the name of the product. Product publications include release notes, installation guides, users guides, administrators guides, and developers references.

Note: To ensure proper printing of PDF publications, select the Fit to page check box in the Adobe Acrobat Print window (which is available when you click File > Print).

Ordering publications

You can order many Tivoli publications online at http://www.elink.ibmlink.ibm.com/publications/servlet/pbi.wss. You can also order by telephone by calling one of these numbers:
- In the United States: 800-879-2755
- In Canada: 800-426-4968

In other countries, contact your software account representative to order Tivoli publications. To locate the telephone number of your local representative, perform the following steps:
1. Go to http://www.elink.ibmlink.ibm.com/publications/servlet/pbi.wss.
2. Select your country from the list and click Go.
3. Click About this site in the main panel to see an information page that includes the telephone number of your local representative.

Accessibility

Accessibility features help users with a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface.

Tivoli technical training

For Tivoli technical training information, refer to the IBM Tivoli Education Web site at http://www.ibm.com/software/tivoli/education.
Support information

If you have a problem with your IBM software, you want to resolve it quickly. IBM provides the following ways for you to obtain the support you need:

Online
  Go to the IBM Software Support site at http://www.ibm.com/software/support and follow the instructions.

IBM Support Assistant
  The IBM Support Assistant (ISA) is a free local software serviceability workbench that helps you resolve questions and problems with IBM software products. The ISA provides quick access to support-related information and serviceability tools for problem determination. To install the ISA software, go to http://www.ibm.com/software/support/isa.

Problem Determination Guide
  For more information about resolving problems, see the IBM Tivoli Access Manager for e-business: Problem Determination Guide.

Conventions used in this publication

This publication uses several conventions for special terms and actions, operating system-dependent commands and paths, and margin graphics.

Typeface conventions

This publication uses the following typeface conventions:

Bold
- Lowercase commands and mixed case commands that are otherwise difficult to distinguish from surrounding text
- Interface controls (check boxes, push buttons, radio buttons, spin buttons, fields, folders, icons, list boxes, items inside list boxes, multicolumn lists, containers, menu choices, menu names, tabs, property sheets) and labels (such as Tip: and Operating system considerations:)
- Keywords and parameters in text

Italic
- Citations (examples: titles of publications, diskettes, and CDs)
- Words defined in text (example: a nonswitched line is called a point-to-point line)
- Emphasis of words and letters (words as words example: "Use the word that to introduce a restrictive clause."; letters as letters example: "The LUN address must start with the letter L.")
- New terms in text (except in a definition list): a view is a frame in a workspace that contains data.
- Variables and values you must provide: ... where myname represents....

Monospace
- Examples and code examples
- File names, programming keywords, and other elements that are difficult to distinguish from surrounding text
- Message text and prompts addressed to the user
- Text that the user must type
- Values for arguments or command options
Operating system-dependent variables and paths

This publication uses the UNIX convention for specifying environment variables and for directory notation. When using the Windows command line, replace $variable with %variable% for environment variables and replace each forward slash (/) with a backslash (\) in directory paths. The names of environment variables are not always the same in the Windows and UNIX environments. For example, %TEMP% in Windows environments is equivalent to $TMPDIR in UNIX environments.

Note: If you are using the bash shell on a Windows system, you can use the UNIX conventions.
Part 1. Planning for installation

Chapter 1. Installation overview . . . . . 3
Planning for deployment . . . . . 3
Secure domain overview . . . . . 4
Tivoli Access Manager installation components . . . . . 5
  Tivoli Access Manager base components . . . . . 5
    Access Manager Application Development Kit . . . . . 5
    Access Manager Authorization Server . . . . . 5
    Access Manager Policy Proxy Server . . . . . 5
    Access Manager Policy Server . . . . . 6
    Access Manager Runtime . . . . . 6
    Access Manager Runtime for Java . . . . . 6
    Access Manager Web Portal Manager . . . . . 7
    Access Manager License . . . . . 7
    IBM Tivoli Security Utilities . . . . . 7
  Tivoli Access Manager Web security components . . . . . 8
    Access Manager Attribute Retrieval Service . . . . . 8
    Access Manager Plug-in for Edge Server . . . . . 8
    Access Manager Plug-in for Web Servers . . . . . 8
    Access Manager Web Security Runtime . . . . . 8
    Access Manager Web Security Application Development Kit . . . . . 8
    Access Manager WebSEAL . . . . . 8
  Tivoli Access Manager distributed sessions management components . . . . . 9
    Access Manager Session Management Server . . . . . 9
    Access Manager Session Management Command Line . . . . . 9
  Prerequisite products . . . . . 10
    IBM Global Security Kit (GSKit) . . . . . 10
    IBM Java Runtime . . . . . 11
    IBM Tivoli Directory Server client . . . . . 11
    IBM Tivoli Directory Server . . . . . 11
    IBM Tivoli Directory Server Web Administration Tool . . . . . 11
    IBM WebSphere Application Server . . . . . 12
    IBM Network Authentication Service Toolkit . . . . . 12
Supported registries . . . . . 13
  IBM Tivoli Directory Server . . . . . 13
  IBM z/OS LDAP Server . . . . . 13
  IBM Lotus Domino Server . . . . . 13
  Microsoft Active Directory . . . . . 13
  Microsoft Active Directory Application Mode (ADAM) . . . . . 14
  Sun Java System Directory Server . . . . . 14
  Novell eDirectory . . . . . 14
Components and prerequisites provided with Tivoli Access Manager systems . . . . . 15
  Tivoli Access Manager base systems . . . . . 15
  Tivoli Access Manager Web security systems . . . . . 17
  Tivoli Access Manager distributed sessions management systems . . . . . 19
Installation process . . . . . 21
Installation methods . . . . . 23
  Installation wizards . . . . . 23
    Installing in graphical mode . . . . . 23
    Installing in console mode . . . . . 24
    Installing in response file mode . . . . . 25
  Native installation utilities . . . . . 26
  Software Distribution installation method . . . . . 26
    Edit and import the software package definition files . . . . . 27
    Generate a software package block file . . . . . 28
    Deploy the software package blocks . . . . . 28
Groups and administrator identities on UNIX and Linux systems . . . . . 30
Default port numbers . . . . . 33

Chapter 2. Internationalization . . . . . 35
Language support overview . . . . . 36
Installing language support packages for Tivoli Access Manager . . . . . 37
Installing language support packages for IBM Tivoli Directory Server . . . . . 39
  AIX: Installing Tivoli Directory Server language packages . . . . . 39
  HP-UX: Installing Tivoli Directory Server language packages . . . . . 40
  Linux: Installing Tivoli Directory Server language packages . . . . . 41
  Solaris: Installing Tivoli Directory Server language packages . . . . . 42
  Windows: Installing Tivoli Directory Server language packages . . . . . 43
Uninstalling Tivoli Access Manager language support packages . . . . . 44
Uninstalling IBM Tivoli Directory Server language packages . . . . . 45
  AIX: Removing language packages . . . . . 45
  HP-UX: Removing language packages . . . . . 45
  Linux: Removing language packages . . . . . 45
  Solaris: Removing language packages . . . . . 45
  Windows: Removing language packages . . . . . 45
Locale environment variables . . . . . 46
  LANG variable on UNIX or Linux systems . . . . . 47
  LANG variable on Windows systems . . . . . 48
  Using locale variants . . . . . 48
Message catalogs . . . . . 49
Text encoding (code set) support . . . . . 50
  Location of code set files . . . . . 50
Tivoli Access Manager Installation Guide

Chapter 1. Installation overview

It is important that you create a deployment plan before installing Tivoli Access Manager software on the systems in your distributed environment. If you already have Tivoli Access Manager software installed, review your previous deployment plan to determine the best method for upgrading to the most current version, and follow the instructions provided in the IBM Tivoli Access Manager for e-business: Upgrade Guide.

Note: For the latest release information, including system requirements, disk space and memory requirements, and known defects and limitations, consult the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

This chapter includes the following sections:
• Planning for deployment
• Secure domain overview on page 4
• Tivoli Access Manager installation components on page 5
• Supported registries on page 13
• Components and prerequisites provided with Tivoli Access Manager systems on page 15
• Installation process on page 21
• Installation methods on page 23
• Groups and administrator identities on UNIX and Linux systems on page 30
• Default port numbers on page 33

Planning for deployment

Before you implement a particular Tivoli Access Manager solution, you must determine the specific security and management capabilities that are required for your network.

The first step in planning the deployment of a Tivoli Access Manager security environment is to define the security requirements for your computing environment. Defining security requirements means determining the business policies that must apply to users, programs, and data. This definition should include:
• Objects to be secured
• Actions permitted on each object
• Users that are permitted to perform the actions

Enforcing a security policy requires an understanding of the flow of access requests through your network topology. Your plan should identify proper roles and locations for firewalls, routers, and subnets. Deploying a Tivoli Access Manager security environment also requires identifying the optimal points within the network for installing the software that evaluates user access requests and grants or denies the requested access.

Implementing a security policy requires an understanding of the quantity of users, data, and throughput that your network must accommodate. You must evaluate performance characteristics, scalability, and the need for failover capabilities. Integration of previous versions of software, databases, and applications with Tivoli Access Manager software must also be considered.

After you have an understanding of the features that you want to deploy, you can decide which Tivoli Access Manager systems and blades can be combined to best implement your security policy. For Tivoli Access Manager, a blade is a component that provides application-specific services and components.

For useful planning documentation, including actual business scenarios, see the supplemental product information at the following Web sites:
http://www.ibm.com/redbooks/
http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html

Secure domain overview

The computing environment in which Tivoli Access Manager enforces security policies for authentication, authorization, and access control is called a secure domain. The initial secure domain, called the management domain, is created when you install and configure the following systems:

Policy server
    Maintains the master authorization database for the management domain. In addition, it updates authorization database replicas and maintains location information about other Tivoli Access Manager servers.

Registry
    Provides a database of the user identities known to Tivoli Access Manager. It also provides a representation of the groups that Tivoli Access Manager treats as roles associated with users.

These core systems must exist for Tivoli Access Manager to perform fundamental operations, such as permitting or denying user access to protected objects (resources). All other Tivoli Access Manager services and components are built on this base.

You can deploy Tivoli Access Manager on multiple systems or install all the software necessary to configure and use the management domain on one standalone system. A single-system setup is useful only when prototyping a deployment or developing and testing an application.

After you configure the policy server and registry server, you can set up additional systems in the management domain, such as an authorization server or application development system. You can also create additional secure domains (if using an LDAP registry) to securely partition data into separate, logical groupings. For information about creating multiple domains, see the IBM Tivoli Access Manager for e-business: Administration Guide.
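The planning list above (objects to be secured, actions permitted on each object, users permitted to perform them) and the secure domain description map directly onto the policy data that the policy server holds: a tree of protected objects, ACLs attached to some of them, and ACL inheritance down the tree. The following is an added illustrative model written for this page, not Tivoli Access Manager code. It assumes a reduced permission alphabet in the style of Tivoli Access Manager ACLs (T for traverse, r for read), the entry precedence rule documented in the class comment, and invented object paths, user names and group names; the sample domain in build_sample_space() is constructed for the example.

```python
"""Illustrative model of how a secure domain decides access: a protected
object space, ACLs attached to some objects, and ACL inheritance down the
object tree.  This is an added example for this page, not product code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Acl:
    """One ACL.  Permission strings use a reduced set of letters in the
    style of Tivoli Access Manager ACLs: 'T' (traverse) and 'r' (read).
    Entry precedence modelled here (an assumption of this example): a
    user entry wins, otherwise the union of matching group entries,
    otherwise any-other for authenticated users; unauthenticated callers
    only ever get the unauthenticated entry."""
    users: Dict[str, str] = field(default_factory=dict)
    groups: Dict[str, str] = field(default_factory=dict)
    any_other: str = ""
    unauthenticated: str = ""

    def permissions_for(self, user: Optional[str], groups: List[str]) -> Set[str]:
        if user is None:
            return set(self.unauthenticated)
        if user in self.users:
            return set(self.users[user])
        matched = [g for g in groups if g in self.groups]
        if matched:
            perms: Set[str] = set()
            for g in matched:
                perms |= set(self.groups[g])
            return perms
        return set(self.any_other)


class ProtectedObjectSpace:
    """Object paths form a tree; an object without its own ACL inherits
    the ACL of its nearest ancestor that has one."""

    def __init__(self) -> None:
        self.acls: Dict[str, Acl] = {}

    def attach(self, path: str, acl: Acl) -> None:
        self.acls[path] = acl

    @staticmethod
    def ancestors(path: str) -> List[str]:
        # "/a/b/c" -> ["/", "/a", "/a/b", "/a/b/c"]
        nodes = ["/"]
        current = ""
        for part in [p for p in path.split("/") if p]:
            current += "/" + part
            nodes.append(current)
        return nodes

    def effective_acl(self, path: str) -> Optional[Acl]:
        effective = None
        for node in self.ancestors(path):
            if node in self.acls:
                effective = self.acls[node]
        return effective

    def decide(self, path: str, user: Optional[str], groups: List[str], perm: str) -> bool:
        """Grant only if every ancestor's effective ACL grants traverse (T)
        and the object's own effective ACL grants the requested permission."""
        nodes = self.ancestors(path)
        for node in nodes[:-1]:
            acl = self.effective_acl(node)
            if acl is None or "T" not in acl.permissions_for(user, groups):
                return False
        acl = self.effective_acl(path)
        return acl is not None and perm in acl.permissions_for(user, groups)


def build_sample_space() -> ProtectedObjectSpace:
    """Constructed sample domain: a root ACL that lets everyone traverse,
    an application subtree readable only by group 'staff', and a public
    subtree under it that grants read to authenticated and unauthenticated
    users alike.  Paths and names are invented for this example."""
    space = ProtectedObjectSpace()
    space.attach("/", Acl(users={"sec_master": "Tr"}, any_other="T", unauthenticated="T"))
    space.attach("/WebSEAL/www/app",
                 Acl(groups={"staff": "Tr"}, any_other="T", unauthenticated=""))
    space.attach("/WebSEAL/www/app/public",
                 Acl(any_other="Tr", unauthenticated="Tr"))
    return space


if __name__ == "__main__":
    s = build_sample_space()
    print(s.decide("/WebSEAL/www/app/index.html", "alice", ["staff"], "r"))          # True
    print(s.decide("/WebSEAL/www/app/index.html", "bob", ["contractors"], "r"))      # False
    print(s.decide("/WebSEAL/www/app/public/faq.html", "bob", ["contractors"], "r"))  # True
    # The public object grants unauthenticated read, but the parent denies
    # traverse, so the request is still refused.
    print(s.decide("/WebSEAL/www/app/public/faq.html", None, [], "r"))              # False
```

The last case is the one worth keeping in mind when planning the object space: a permissive ACL deep in the tree does nothing if an ancestor withholds traverse, so the "actions permitted on each object" you define in the plan must be checked along the whole path, not just at the leaf.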


Tivoli Access Manager installation components

This section introduces the Tivoli Access Manager base and prerequisite components, which are generally common to all Tivoli Access Manager installations. Use these installation components to set up the Tivoli Access Manager systems listed in Components and prerequisites provided with Tivoli Access Manager systems on page 15. Sections include the following:
• Tivoli Access Manager base components
• Tivoli Access Manager Web security components on page 8
• Tivoli Access Manager distributed sessions management components on page 9
• Prerequisite products on page 10

Tivoli Access Manager base components

The Tivoli Access Manager base system includes the following installation components. These components are on the IBM Tivoli Access Manager Base CD for the supported platforms. Use these installation components to set up the base systems listed in Components and prerequisites provided with Tivoli Access Manager systems on page 15.

Access Manager Application Development Kit

The Access Manager Application Development Kit provides a development environment that enables you to code third-party applications that query the authorization server for authorization decisions. This kit contains support for using both C APIs and Java classes for authorization and administration functions. To run the Java program, or to compile and run your own Java programs, you must install and configure a Tivoli Access Manager Runtime for Java system.

Access Manager Authorization Server

The Access Manager Authorization Server provides access to the authorization service for third-party applications that use the Tivoli Access Manager authorization API in remote cache mode. The authorization server also acts as a logging and auditing collection server that stores records of server activity.

Access Manager Policy Proxy Server

The Access Manager Policy Proxy Server is used to set up a proxy server, which acts as an intermediary between a less trusted network and a more trusted network. This server ensures security and provides administrative control and caching services. It is associated with, or part of, a gateway server that separates the enterprise network from the outside network, and a firewall server that protects the enterprise network from outside intrusion. In a Tivoli Access Manager environment, the proxy server acts on behalf of the policy server for a given set of authorization applications and administrative functions, such as pdadmin commands, so that those clients do not need a direct network path to the policy server itself.


Access Manager Policy Server

The Access Manager Policy Server maintains the master authorization database for the management domain as well as the policy databases associated with any other secure domains that you decide to create. This server is key to the processing of access control, authentication, and authorization requests. It also updates authorization database replicas and maintains location information about other Tivoli Access Manager servers.

Tivoli Access Manager supports the use of one standby policy server. However, the standby policy server must be installed on a supported AIX system that has the High Availability Cluster Multiprocessing (HACMP) software installed and configured on it. The HACMP software provides a clustering solution that is designed to provide high-availability access to business-critical data and applications through component redundancy and application failover. In environments with a standby policy server, when the policy server goes down, the standby policy server takes over and acts as the primary policy server until the primary policy server resumes its original role. At that point the standby policy server reverts to a standby role. At any given time there is only one active policy server and only one shared copy of the policy databases.

Access Manager Runtime

The Access Manager Runtime contains runtime libraries and supporting files that applications can use to access Tivoli Access Manager servers. You must install and configure the Access Manager Runtime component on each system that runs Tivoli Access Manager, with the exception of Access Manager Runtime for Java systems, the Access Manager Attribute Retrieval Service, and the distributed sessions management systems.

Access Manager Runtime for Java

The Access Manager Runtime for Java offers a reliable environment for developing and deploying Java applications in a Tivoli Access Manager secure domain. Use it to add Tivoli Access Manager authorization and security services to new or existing Java applications. You can use the pdjrtecfg command to configure a Java Runtime Environment (JRE) to use Tivoli Access Manager Java security.

Note that if you plan to install the Web Portal Manager interface, this component is required. It is also required with the Access Manager Application Development Kit component if you are a developer using Access Manager Runtime for Java classes. For more information, see the IBM Tivoli Access Manager for e-business: Administration Java Classes Developer Reference and the IBM Tivoli Access Manager for e-business: Authorization Java Classes Developer Reference.


Access Manager Web Portal Manager

The Access Manager Web Portal Manager is a Web-based graphical user interface (GUI) used for Tivoli Access Manager administration. The GUI counterpart to the pdadmin command line interface, Web Portal Manager provides management of users, groups, roles, permissions, policies, and other Tivoli Access Manager tasks. A key advantage of using Web Portal Manager is that you can perform these tasks remotely, without requiring any special network configuration.

The Web Portal Manager interface also includes a set of delegated management services that enables a business to delegate user administration, group and role administration, security administration, and application access provisioning to participants (sub-domains) in the business system. These sub-domains can further delegate management and administration to trusted sub-domains under their control.

Supported browsers for the Web Portal Manager interface are as follows:
• Microsoft Internet Explorer 5.5, 6.0 and 7.0
• Mozilla 1.7

Access Manager License

This component contains license information for Tivoli Access Manager. The Access Manager License component is installed automatically when an installation wizard is used to install either the Access Manager Runtime or the Access Manager Runtime for Java component. This component is provided separately for any supported platform on the IBM Tivoli Access Manager Base CD, the IBM Tivoli Access Manager Shared Session Management CD, or the IBM Tivoli Access Manager Web Security CD.

IBM Tivoli Security Utilities

The IBM Tivoli Security Utilities component provides common utilities that are required by the Access Manager Runtime. This component is provided separately for any supported platform on the IBM Tivoli Access Manager Base CD, the IBM Tivoli Access Manager Shared Session Management CD, or the IBM Tivoli Access Manager Web Security CD.


Tivoli Access Manager Web security components

Tivoli Access Manager Web security includes the following installation components. These components are on the IBM Tivoli Access Manager Web Security CD for the supported platforms. Use these installation components to set up the Web security systems listed in Tivoli Access Manager Web security systems on page 17.

Access Manager Attribute Retrieval Service

The Access Manager Attribute Retrieval Service is used in conjunction with the WebSEAL authorization decision information (ADI) feature. This service provides communication and format translation services between the WebSEAL entitlement service library and an external provider of authorization decision information. For more information, see the IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide.

Access Manager Plug-in for Edge Server

The Access Manager Plug-in for Edge Server adds authentication and authorization functionality to the IBM WebSphere Edge Server product. When implemented as an authorization service in your secure domain, this plug-in can provide single sign-on solutions to resources within that domain. For more information, see the IBM Tivoli Access Manager for e-business: Plug-in for Edge Server Administration Guide.

Access Manager Plug-in for Web Servers

The Access Manager Plug-in for Web Servers manages the security of your Web-based resources by acting as the gateway between your clients and the secure Web space. The plug-in implements the security policies that protect your Web object space. The plug-in can provide single sign-on solutions, support Web servers running as virtual hosts, and incorporate Web application server resources into its security policy. For more information, see the IBM Tivoli Access Manager for e-business: Plug-in for Web Servers Administration Guide.

Access Manager Web Security Runtime

The Access Manager Web Security Runtime contains the shared authentication library files used by Web security systems, such as Access Manager WebSEAL and the Access Manager Plug-in for Web Servers.

Access Manager Web Security Application Development Kit

The Access Manager Web Security ADK contains development APIs for the Tivoli Access Manager cross-domain authentication service (CDAS), the Tivoli Access Manager cross-domain mapping framework (CDMF), and the Tivoli Access Manager password strength module.

Access Manager WebSEAL

Access Manager WebSEAL is a security manager for Web-based resources. WebSEAL is a high-performance, multithreaded Web server that applies fine-grained security policy to the protected Web object space. WebSEAL can provide single sign-on solutions and incorporate backend Web application server resources into its security policy.


Tivoli Access Manager distributed sessions management components

The Tivoli Access Manager distributed sessions management systems include the following installation components. These components are on the IBM Tivoli Access Manager Shared Session Management CD for the supported platforms. Use these installation components to set up the distributed sessions management systems listed in Components and prerequisites provided with Tivoli Access Manager systems on page 15.

Access Manager Session Management Server

Access Manager Session Management Server (SMS) is an optional Tivoli Access Manager component that runs as an IBM WebSphere Application Server service. It manages user sessions across complex clusters of Tivoli Access Manager security servers, ensuring that session policy remains consistent across the participating servers. Using the session management server allows Access Manager WebSEAL and the Access Manager Plug-in for Web Servers to share a unified view of all current sessions, and permits an authorized user to monitor and administer user sessions.

The session management server permits the sharing of session information, makes session statistics available, and provides secure, high-performance failover and single sign-on capabilities for clustered environments. User sessions can be administered and monitored using the Access Manager Session Management Command Line or the Integrated Solutions Console (ISC).

Access Manager Session Management Command Line

The session management server can be administered with the Access Manager Session Management Command Line component, using either the pdadmin command line utility located on the specified Tivoli Access Manager authorization server, or the pdsmsadmin utility.

Note: If you want to use pdadmin to administer the session management server, you must first install and configure the authorization server before installing the command line interface.


Prerequisite products

Tivoli Access Manager includes the following prerequisite products. These products are required when setting up specific Tivoli Access Manager systems. For a list of the installation components necessary to set up a Tivoli Access Manager system, see Table 1 on page 15. Note that when you use the installation wizards, the software prerequisites are automatically installed in the appropriate order.

IBM Global Security Kit (GSKit)

IBM Global Security Kit (GSKit) provides Secure Sockets Layer (SSL) data encryption between Tivoli Access Manager systems and supported registry servers. The GSKit package also installs the iKeyman key management utility (gsk7ikm), which enables you to create key databases, public-private key pairs, and certificate requests.

You must install GSKit before installing most other Tivoli Access Manager components. GSKit is a prerequisite of the Access Manager Runtime component, which is required on all Tivoli Access Manager systems with the exception of the Access Manager Attribute Retrieval Service, Access Manager Runtime for Java, Tivoli Access Manager Session Management Server, and Access Manager Web Portal Manager.

For information about using this utility to enable SSL with a supported registry server, see Chapter 23, Enabling Secure Sockets Layer (SSL) security, on page 469, or refer to the IBM Global Security Kit: Secure Sockets Layer Introduction and iKeyman User's Guide.

Note: OpenSSL is included in GSKit and can be used for cryptographic operations (as per the OpenSSL license agreement).

FIPS enablement: Tivoli Access Manager 6.1 includes enablement for Federal Information Processing Standard 140-2 (FIPS 140-2). FIPS enablement provides Tivoli Access Manager with government-approved cryptography wherever cryptography is required. Tivoli Access Manager uses cryptography in the following areas:
• Creation and replacement of internal, self-signed certificates. These certificates are used by the Access Manager Runtime and the Tivoli Access Manager security servers to authenticate with each other.
• The secure communication protocol that the runtime and the servers use to communicate with each other.

Federal Information Processing Standard 140-2 (FIPS 140-2) is a standard that describes U.S. Federal Government requirements that IT products should meet for Sensitive but Unclassified (SBU) use. The standard defines the security requirements that must be satisfied by a cryptographic module used in a security system protecting unclassified information within IT systems. There are four levels of security, from Level 1 (lowest) to Level 4 (highest). These levels are intended to cover the wide range of potential applications and environments in which cryptographic modules can be deployed. The security requirements cover areas related to the secure design and implementation of a cryptographic module. These areas include basic design and documentation, module interfaces, authorized roles and services, physical security, software security, operating system security, key management, cryptographic algorithms, electromagnetic interference/electromagnetic compatibility (EMI/EMC), and self-testing.


The specifics of FIPS 140-2 are described at this Web site: http://csrc.nist.gov/cryptval/140-2.htm

Enablement of FIPS for Tivoli Access Manager is only meant to satisfy the requirement for Tivoli Access Manager's cryptographic operations from an application aspect. Tivoli Access Manager is not responsible for FIPS enablement of other products or prerequisite products.

In FIPS mode, Transport Layer Security version 1 (TLS v1) is used as the secure communication protocol instead of SSL v3. To communicate with the Tivoli Access Manager policy server over a secure communication protocol, TLS is the required protocol. An attempt to communicate using SSL v3 (non-FIPS mode) when the policy server is configured in FIPS mode results in a socket-closed exception. For this reason, configure FIPS mode consistently on the policy server and on every runtime and server that communicates with it; a mixed configuration shows up as failed connections rather than as a clear error message.

IBM Java Runtime

The IBM Java Runtime provided with Tivoli Access Manager is required when installing and using language support packages and when using the Tivoli Access Manager installation wizards. The Access Manager Runtime for Java component supports only the IBM Java Runtime.

IBM Tivoli Directory Server client

The client application is provided on the IBM Tivoli Access Manager Directory Server CD with IBM Tivoli Directory Server, the IBM Tivoli Access Manager Base CD, or the IBM Tivoli Access Manager Web Security CD for the supported AIX, HP-UX, HP-UX on Integrity, Linux, Solaris, Solaris on x86_64, and Windows platforms.

You must install the IBM Tivoli Directory Server client on each system that runs Tivoli Access Manager, with the following exceptions:
• The Tivoli Access Manager system is on a supported Windows system that is either the Active Directory domain or is joined to the Active Directory domain where the Tivoli Access Manager policy server is to be configured.
• You are setting up the Access Manager Attribute Retrieval Service, Access