IBM® Security Privileged Identity Manager Version 1.0
Deployment Overview Guide
SC27-4382-00


Note: Before using this information and the product it supports, read the information in Notices.

Edition notice

Note: This edition applies to version 1.0 of IBM Security Privileged Identity Manager (product number 5725-H30) and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright IBM Corporation 2012.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Figures . . . v
Tables . . . vii

About this publication . . . ix
  Access to publications and terminology . . . ix
  Accessibility . . . x
  Technical training . . . x
  Support information . . . x

Chapter 1. Privileged identity management . . . 1

Chapter 2. Planning . . . 5
  What you must prepare . . . 5
  Downloading IBM Security Privileged Identity Manager . . . 5
  Hardware and software requirements . . . 6
    AccessProfile language support . . . 8
    Workstation configuration support . . . 8
    Managed resources support . . . 8
  Planning for high availability . . . 9
  Roadmap for configuring shared access for a managed resource . . . 9

Chapter 3. Installation . . . 15
  Installing IBM Security Identity Manager, Version 6.0 . . . 15
  Installing IBM Security Access Manager for Enterprise Single Sign-On, Version 8.2 . . . 15
    Preparing the IMS Server . . . 16
    Preparing the AccessAgent . . . 16
    Verifying the installation and configuration . . . 17
  Installing IBM Security Access Manager for Enterprise Single Sign-on Adapter, Version 6.0 . . . 17
  Upgrade to IBM Security Privileged Identity Manager . . . 18
    Upgrading IBM Tivoli Identity Manager, Version 5.1 . . . 19
    Upgrading IBM Security Access Manager for Enterprise Single Sign-On . . . 19
    Upgrading IBM Tivoli Identity Manager and IBM Tivoli Access Manager for Enterprise Single Sign-on . . . 21

Chapter 4. Configuration for IBM Security Privileged Identity Manager . . . 23
  Shared access configuration . . . 23
  Setting the minimum AccessAgent version on the Privileged Identity Management AccessProfile . . . 24
  Uploading AccessProfiles to the IMS Server . . . 24
  Adding a policy in the User Policy template for Privileged Identity Manager on the IMS Server . . . 26
  Creating a user policy template only for privileged identity management users . . . 26
  Mapping the authentication service . . . 27
  Configuring a group policy to prompt the client for passwords (RDP) . . . 28
  Adding privileged identity management policies in AccessAdmin . . . 29
  Uploading policy definitions and objects . . . 29

Chapter 5. Automating the credential check-out and check-in process . . . 31
  Automation overview . . . 31
    Shared access credential check-out process . . . 31
    Configuring the shared access credential usage prompt . . . 32
    Configuring the re-authentication prompt . . . 32
    Shared access credential check-in process . . . 32
    IBM Security Identity Manager password change process . . . 32
    Additional examples that can trigger check-out and check-in automation . . . 33
  Automatic check out and check in with client application logon . . . 34
    Logging on with PuTTY . . . 34
    Logging on with the Microsoft Remote Desktop Connection (RDP) client . . . 35
    Logging on with IBM Personal Communications . . . 36
    Logging on with the VMware vSphere Client . . . 37
  Manual check-out . . . 37

Chapter 6. Administering . . . 39
  Administering shared access . . . 39
  Privileged administrator view . . . 40
  Privileged user view . . . 41
  Manual checkout and check in of shared credentials . . . 41
  Managing multiple AccessProfiles for the same client application . . . 42
    Identifying AccessProfile collision . . . 42
    Merging AccessProfiles . . . 42
  Accessing administrative consoles . . . 43

Chapter 7. Modifying AccessProfiles . . . 45
  Modifying AccessProfiles for the IBM Personal Communications application . . . 45
  Modifying AccessProfiles for the PuTTY application . . . 47

Chapter 8. Reports and audit logs . . . 49
  Types of available reports . . . 49
  Configuring the audit logs to include privileged identity events . . . 50
  Configuring or administering IBM Tivoli Common Reporting . . . 51
    Importing the reports into Tivoli Common Reporting . . . 52

© Copyright IBM Corp. 2012 iii

    Viewing reports with Tivoli Common Reporting . . . 52
  Update IMS view to show Privileged Identity Management events . . . 53
  Shared access objects for custom reports . . . 54
  Viewing audit logs with the AccessAdmin utility . . . 54

Chapter 9. Troubleshooting . . . 55
  Troubleshooting server connectivity and availability . . . 55
  Troubleshooting the audit log . . . 55
  Troubleshooting checklist . . . 56
  Information center resources for troubleshooting shared access . . . 56

Appendix A. Optional configuration tasks . . . 57
  Optional configuration for shared access . . . 57
  Creating your own privileged identity management AccessProfiles . . . 57
  Modifying lease time . . . 58

Appendix B. Requirements for component products . . . 59
  IBM Security Access Manager for Enterprise Single Sign-On, Version 8.2 . . . 59
    Hardware and software requirements . . . 59
  IBM Security Identity Manager, Version 6.0 . . . 64
    Hardware requirements . . . 64
    Operating system support . . . 64
    Virtualization support . . . 65
    Java Runtime Environment support . . . 66
    WebSphere Application Server support . . . 66
    Database server support . . . 66
    Directory server support . . . 67
    Directory Integrator support . . . 67
    Report server support . . . 68
    Browser requirements for client connections . . . 68
    Adapter level support . . . 69

Appendix C. References . . . 71
  Report examples . . . 71
    Example: User information . . . 71
    Example: Application usage . . . 72
    Example: Shared access audit history . . . 73
    Example: Shared access entitlements by owner . . . 74
    Example: Shared access entitlements by role . . . 75
  AccessAgent PIM API reference . . . 76
    CheckOut . . . 76
    CheckIn . . . 77
    Message reference . . . 77

Appendix D. Accessibility features for IBM Security Privileged Identity Manager . . . 81

Glossary . . . 83

Index . . . 85

Notices . . . 87


Figures

1. IBM Security Privileged Identity Manager users and components . . . 1
2. Flowchart for configuring shared access for a managed resource . . . 10
3. User information audit report . . . 71
4. Application usage audit report . . . 72
5. Shared access audit history report . . . 73
6. Shared access entitlements by owner report . . . 74
7. Shared access entitlements by role report . . . 75


Tables

1. Privileged identity management users and tasks . . . 3
2. Supported prerequisite software and versions . . . 6
3. Types of supported managed resources and the client application . . . 7
4. Supported managed resource types with the bundled AccessProfiles . . . 8
5. Configuring managed resources that are supported by the IBM Security Identity Manager adapter . . . 12
6. Configuring managed resources that are not supported by the IBM Security Identity Manager adapter . . . 12
7. Defining roles and provisioning policies to grant ownership of sponsored accounts . . . 13
8. Configuring shared access for the new managed resource . . . 14
9. Upgrade matrix . . . 20
10. Shared access configuration tasks . . . 23
11. Password entry options . . . 32
12. Additional events that can trigger automated check-out or check-in behavior . . . 33
13. Shared access administration tasks . . . 39
14. Data reference for shared access . . . 39
15. Common administrative consoles for IBM Security Privileged Identity Manager . . . 43
16. Audit logs and reports for the IBM Security Privileged Identity Manager solution . . . 49
17. Troubleshooting audit log problems and solutions . . . 55
18. Lists some of the common problems and possible solutions . . . 56
19. Hardware requirements for IMS Server . . . 59
20. Hardware requirements for IMS Server (virtualization) . . . 59
21. Supported software . . . 60
22. Hardware requirements for AccessAgent and AccessStudio . . . 61
23. Supported operating systems . . . 61
24. Supported web browsers . . . 62
25. Supported web browsers . . . 63
26. Supported software for authentication devices . . . 63
27. Version compatibility for the IBM Security Access Manager for Enterprise Single Sign-On components . . . 64
28. Hardware requirements for IBM Security Identity Manager . . . 64
29. Operating system support . . . 64
30. Virtualization support . . . 65
31. Database server support . . . 66
32. Directory server support . . . 67
33. Supported versions of IBM Tivoli Directory Integrator . . . 67
34. Prerequisites to run the UNIX and Linux adapter . . . 69
35. List of message identifiers . . . 77


About this publication

IBM Security Privileged Identity Manager Deployment Overview Guide describes the process of setting up and logging on to managed resources with privileged identities.

Access to publications and terminology

This section provides:
• A list of publications in the “IBM Security Privileged Identity Manager library.”
• Links to “Online publications.”
• A link to the “IBM Terminology website.”

IBM® Security Privileged Identity Manager library

The IBM Security Privileged Identity Manager Deployment Overview Guide, SC27-4382-00, is available in the IBM Security Privileged Identity Manager library.

Online publications

IBM posts product publications when the product is released and when the publications are updated at the following locations:

IBM Security Privileged Identity Manager Information Center
    The http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.ispim.doc_10/ic-homepage.html site displays the information center welcome page for this product.

IBM Security Identity Manager Information Center
    The http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.isim.doc_6.0/ic-homepage.htm site displays the information center welcome page for the IBM Security Identity Manager product.

IBM Security Access Manager for Enterprise Single Sign-On Information Center
    The http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.itamesso.doc/ic-homepage.html site displays the information center welcome page for the IBM Security Access Manager for Enterprise Single Sign-On product.

IBM Security Information Center
    The http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/index.jsp site displays an alphabetical list of and general information about all IBM Security product documentation.

IBM Publications Center
    The http://www-05.ibm.com/e-business/linkweb/publications/servlet/pbi.wss site offers customized search functions to help you find all the IBM publications you need.

IBM Terminology website

The IBM Terminology website consolidates terminology for product libraries in one location. You can access the Terminology website at http://www.ibm.com/software/globalization/terminology.


Accessibility

Accessibility features help users with a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface.

For additional information, see Appendix D, “Accessibility features for IBM Security Privileged Identity Manager,” on page 81.

Technical training

For technical training information, see the following IBM Education website at http://www.ibm.com/software/tivoli/education.

Support information

IBM Support provides assistance with code-related problems and routine, short duration installation or usage questions. You can directly access the IBM Software Support site at http://www.ibm.com/software/support/probsub.html.

The IBM Security Identity Manager Troubleshooting Guide and IBM Security Access Manager for Enterprise Single Sign-On Troubleshooting Guide provide details about:
• What information to collect before contacting IBM Support.
• The various methods for contacting IBM Support.
• How to use IBM Support Assistant.
• Instructions and problem-determination resources to isolate and fix the problem yourself.

See Chapter 9, “Troubleshooting,” on page 55 for instructions and problem-determination resources for IBM Security Privileged Identity Manager.

Note: The Community and Support tab on the product information center can provide additional support resources.


Chapter 1. Privileged identity management

IBM Security Privileged Identity Manager helps organizations manage, automate, and track the use of shared privileged identities.

Overview of Privileged Identity Management (PIM)

IBM Security Privileged Identity Manager is a software solution based on IBM Security Identity Manager and IBM Security Access Manager for Enterprise Single Sign-On.

The solution provides:
• Centralized administration, secure access, and storage of privileged shared account credentials
• Role-based access control for shared accounts
• Lifecycle management of shared accounts ownership
• Single sign-on through automated check-out and check-in of shared credentials
• Auditing of shared credentials access activities
• Integration with the broader Identity and Access Management Governance portfolio

Privileged identity refers to the pre-built accounts in nearly every operating system and application. Privileged accounts are general user identities distinguished by the assignment of security, administrative, or system authorities.

Figure 1. IBM Security Privileged Identity Manager users and components

[Figure: privileged administrators and privileged users interact with the IBM Security Identity Manager Server (Shared Access Module, Identity Manager Admin Console web application, Identity Manager Self Service web application, Reporting Console), the IBM Security Access Manager for Enterprise Single Sign-On IMS Server and Privileged Identity Manager agent, client applications (for example: PuTTY, SSH, IBM Personal Communications), and the managed resources or endpoints (MVS/RACF, Linux/UNIX, Windows, OS400).]


Privileged identities are typically distinguished by the names they use. For example, administrator, sa, root, db2admin.

Unlike a personal identity like jdoe, you can access privileged accounts only with a privileged password, and account access is hard to disable. In an enterprise environment, multiple administrators might share access to a single user ID for easier administration. When multiple administrators share accounts, you can no longer definitively prove that an account was used by one administrator as opposed to another. You lose personal accountability and audit compliance.

To better manage privileged identities, a user receives an individual identity to a system:
• If they need it.
• When they need it.
• On the condition that they need it.
• If they have access to it.

With a reusable or shared access user ID, you can log on to a system without any knowledge of the password for the privileged identity. Instead, a user can check out or lease a reusable ID from a shared access repository for a limited time.

How the solution works

You reestablish accountability and traceability when you can map check-out and check-in actions of shared privileged accounts to .

For example:
1. An organization defines privileged roles, for example SystemAdmin_Staff or Operations_Database_Admin in IBM Security Identity Manager. These roles are tied to appropriate system and account entitlements. You can also tie the roles to pools of accounts. For example, if multiple users might use a privilege simultaneously, you might tie a pool of 15 database administrator accounts to the Operations_Database_Admin.
2. When a user, for example jdoe, accesses a system where a privileged ID is required, the IBM Security Access Manager for Enterprise Single Sign-On client automatically checks out the required account.
3. The IBM Security Access Manager for Enterprise Single Sign-On client then automatically injects the credentials into the user's session. You can configure the credential check-out automation to work for desktop applications, terminal applications, and mainframe applications.
4. After finishing the tasks that require the privileged account, the automatic check-in process returns the privileged user ID to the credential vault.

Primary user types

Each privileged identity management user type has a different role and objective to achieve with the solution.


Table 1. Privileged identity management users and tasks

User type: Privileged administrator
Tasks:
• Uses the IBM Security Identity Manager console to
  – Manage shared accounts, credentials, and credential pools.
  – Configure roles and policies for shared account and shared access.
• Uses the IBM Tivoli® Common Reporting console to access shared access reports.

User type: Privileged user
Tasks:
• Uses the IBM Security Identity Manager self-service user interface to manually check out and check in shared credentials.
• Uses the IBM Security Access Manager for Enterprise Single Sign-On shared access agent to access systems and applications with shared credentials.

Component software

IBM Security Privileged Identity Manager has several components, which are described in this section.

IBM Security Identity Manager shared access module

IBM Security Identity Manager includes shared access management, which extends its core features. This module is the centerpiece of the IBM Security Privileged Identity Manager solution. The core features include user account provisioning and identity and access governance framework. Installing this module is optional during the IBM Security Identity Manager installation.

Highlights:
• Account provisioning framework provides centralized account and password management for privileged users.
• Shared access uses secure check-in, check-out, and logging of account credentials from a credential vault server.
• Administrative control of shared credential access ensures individual accountability.
• Java™ APIs and Web Services APIs make it possible for application clients to programmatically access shared credentials.
• There is role-based access control for shared credential access and shared account ownership.
• There is lifecycle management of privileged identities. These tasks include management of access requests; approval and revalidation of account ownership, role-based access requests; and shared credential access.
• There is end-to-end auditing for administration and shared credential access activities.
• There are web applications for shared credential administration and manual check-out and check-in.

IBM Security Access Manager for Enterprise Single Sign-On

IBM Security Access Manager for Enterprise Single Sign-On provides automated check-out and check-in of shared access credentials from the IBM Security Identity Manager Server.


The AccessAgent client software connects to the Integrated Management System (IMS) Server. It provides the privileged identity management logon automation on clients from AccessProfiles on the IMS Server.

Administrators use AccessStudio to create and maintain AccessProfiles. An AccessProfile contains a definition of the logon and change password screen characteristics of an application. It also contains the workflow instructions on how to automate application logons.

Architecture overview

The privileged identity management solution consists of AccessProfiles on a client computer with AccessAgent. The AccessAgent communicates through web services with the IBM Security Identity Manager Server.

The main components of the solution involve communication between:
• IBM Security Identity Manager Server
• IBM Security Access Manager for Enterprise Single Sign-On Adapter
• IBM Security Access Manager for Enterprise Single Sign-On IMS Server
• IBM Security Access Manager for Enterprise Single Sign-On AccessAgent client


Chapter 2. Planning

Installing and configuring IBM Security Privileged Identity Manager involves several steps. Review the prerequisites and roadmap before you begin the installation process.

What you must prepare

Follow this process to prepare for the IBM Security Privileged Identity Manager solution.
1. Review the hardware and software requirements. See “Hardware and software requirements” on page 6.
2. Install and configure IBM Security Identity Manager, Version 6.0, if you did not yet do so. For installation instructions, see the IBM Security Identity Manager Information Center.
   Note: Install the Shared Access module.
3. Install and configure IBM Security Access Manager for Enterprise Single Sign-On, Version 8.2, if you did not yet do so.
   • Install IMS Server, Version 8.2.0.0.686.
   • Install AccessAgent, Version 8.2.0.3001, on Windows client computers that require automated check-out and check-in of credentials.
   • Install AccessStudio, Version 8.2.0.0505.
   For installation instructions, see the IBM Security Access Manager for Enterprise Single Sign-On Information Center.
   If IBM Security Access Manager for Enterprise Single Sign-On, Version 8.2, is already installed:
   • Install the required fix packs, 8.2.0-ISS-SAMESSO-IMS-FP0003 and 8.2.0-ISS-SAMESSO-AA-FP0011. See the Fix Pack readme file for installation and configuration instructions.
   • Ensure that the version of AccessStudio is 8.2.0.0505.
4. Install and configure IBM Security Access Manager for Enterprise Single Sign-On Adapter for IBM Security Identity Manager if you did not yet do so. See the IBM Security Access Manager for Enterprise Single Sign-On Adapter Installation and Configuration Guide at http://pic.dhe.ibm.com/help/topic/com.ibm.itim_pim.doc/tamesso/install_config/tamesso_html_mstr.htm.

Downloading IBM Security Privileged Identity Manager

You can download the IBM Security Privileged Identity Manager solution from the IBM Passport Advantage® website.

Before you begin

You must have a customer account number and password for IBM Passport Advantage Online.

To learn more, go to the IBM Passport Advantage Online website at http://www.ibm.com/software/howtobuy/passportadvantage/pao_customers.htm


Review the Hardware and Software requirements for any required fix packs. See “Hardware and software requirements.”

Note: If you previously installed IBM Security Access Manager for Enterprise Single Sign-On, Version 8.2:
• Install the fix packs 8.2.0-ISS-SAMESSO-IMS-FP0003 and 8.2.0-ISS-SAMESSO-AA-FP0011 or later versions. See the Fix Pack readme file for the installation and configuration instructions.
• Install the new AccessStudio 8.2.0.0505 build. See the IBM Security Access Manager for Enterprise Single Sign-On Installation Guide for the instructions.

About this task

The IBM Security Privileged Identity Manager solution includes:
• IBM Security Identity Manager
• IBM Security Access Manager for Enterprise Single Sign-On Adapter
• IBM Security Access Manager for Enterprise Single Sign-On

Procedure
1. Go to the IBM Security Privileged Identity Manager, Version 1.0, download page.
2. Go to the AccessProfiles Library.

Hardware and software requirements

Check the hardware and software requirements before you install the IBM Security Privileged Identity Manager solution.

Software requirements

The IBM Security Privileged Identity Manager solution supports the following software:

Table 2. Supported prerequisite software and versions

Required software and components                              Version

IBM Security Identity Manager                                 6.0
  • Shared Access module
  • IBM Security Access Manager for Enterprise Single Sign-On Adapter

IBM Security Access Manager for Enterprise Single Sign-On    8.2
  • IMS Server, Version 8.2.0.0.686
  • AccessAgent, Version 8.2.0.3001
  • AccessStudio, Version 8.2.0.0505

See Appendix B, “Requirements for component products,” on page 59 for the detailed requirements for each product component.

To view the latest hardware and software requirements,
• For IBM Security Identity Manager, see http://www.ibm.com/support/docview.wss?uid=swg27020534.
• For IBM Security Access Manager for Enterprise Single Sign-On, see http://www.ibm.com/support/docview.wss?uid=swg27036350.

Software considerations

There are additional software support considerations for IBM Security Privileged Identity Manager.

Language support
    AccessAgent supports shared credential check-out and check-in automation only on English versions of Microsoft Windows.

PuTTY
    AccessAgent supports access to 32-bit PuTTY, Version 0.58, on
    • 32-bit Windows XP
    • 32-bit and 64-bit Windows 7

Remote Desktop Protocol (RDP) client

    • AccessAgent supports access to 64-bit Remote Desktop Protocol (RDP) client on 64-bit Windows 7.

    • AccessAgent supports access to 32-bit Remote Desktop Protocol (RDP) client on 32-bit Windows XP and 32-bit Windows 7.

IBM Personal Communications client
    AccessAgent supports access to 32-bit IBM Personal Communications client, Version 5.9, on
    • 32-bit Windows XP
    • 32-bit and 64-bit Windows 7

VMware vSphere client
    AccessAgent supports access to 32-bit VMware vSphere client, Version 5.0.0, on
    • 32-bit Windows XP
    • 32-bit and 64-bit Windows 7

Important: If your IMS Server deployment has customized AccessProfiles for any of the provided logon applications, consider taking steps to ensure that earlier versions are not overwritten by the bundled AccessProfiles. For example, back up the AccessProfiles. You cannot single sign-on to the same client application with multiple AccessProfiles that have the same signature.

Managed resources and client application requirements

IBM Security Privileged Identity Manager provides privileged identity management access to several managed resources.

Table 3. Types of supported managed resources and the client application

If you log on to       Access the managed resource with the following client application
Remote desktops        Microsoft Remote Desktop Connection client
Terminal services      PuTTY / SSH client
Mainframes             IBM Personal Communications client
Virtual machines       VMware vSphere Client


Hardware requirements

There are no additional hardware requirements for IBM Security Privileged Identity Manager, apart from the requirements for the following products.

IBM Security Identity Manager
    See the IBM Security Identity Manager, Version 6.0, information center.

IBM Security Access Manager for Enterprise Single Sign-On
    See the IBM Security Access Manager for Enterprise Single Sign-On, Version 8.2, information center.

Accounts and privileges

To deploy the IBM Security Privileged Identity Manager, you must have administrator privileges.

To check out shared access credentials from the credential vault, you must have IBM Security Identity Manager credentials.

AccessProfile language support

IBM Security Privileged Identity Manager, Version 1.0, includes Privileged Identity Management AccessProfiles that support English versions of the client application.

Privileged identity management automation with AccessProfiles is supported only on the English language versions of the PuTTY Client, Microsoft RDP Client, IBM Personal Communications, and the VMware vSphere Client.

Table 4. Supported managed resource types with the bundled AccessProfiles

Resource types    UNIX    Windows    Mainframes    VMware ESXi
English           Yes     Yes        Yes           Yes

Note: You access managed resources from Windows client computers.

Workstation configuration support

The IBM Security Privileged Identity Manager automates the credential check-out and check-in to mainframes, terminal, and Windows applications. It also supports deployments on personal workstations.

The IBM Security Privileged Identity Manager does not support deployment on:
• Private desktops
• Shared desktops

Managed resources support

The IBM Security Privileged Identity Manager supports automated check-out and check-in for managed resources.
• Linux/UNIX
• Windows
• Mainframes

Note: The AccessAgent client component provides automated check-in and check-out from Windows client computers.


Planning for high availability

High availability ensures that services are always available.

If you require a high availability deployment, allocate additional resources for recovery processes, software, and hardware.

Privileged identity management has no additional high availability dependencies apart from the requirements for IBM Security Identity Manager and IBM Security Access Manager for Enterprise Single Sign-On.

There are no additional planning considerations apart from the high availability considerations for the following products:

IBM Security Identity Manager, Version 6.0
    See the IBM Security Identity Manager Information Center.

IBM Security Access Manager for Enterprise Single Sign-On, Version 8.2
    See the IBM Security Access Manager for Enterprise Single Sign-On Information Center.

Roadmap for configuring shared access for a managed resource

This roadmap provides high-level steps for configuring shared access for a new managed resource in IBM Security Identity Manager.

Flowchart for configuring shared access for a managed resource

Configure shared access for a managed resource for one of the following reasons:
• Setting up the privileged identity management solution for the first time.
• Adding a service type or application.
• Adding a managed resource.


Figure 2. Flowchart for configuring shared access for a managed resource

Step 1: Ensure that all prerequisites are met

Verify the prerequisites for IBM Security Identity Manager.

Requirement: Install the Shared Access Module on the IBM Security Identity Manager Server.
See: “Installing IBM Security Identity Manager, Version 6.0” on page 15

Requirement: Install the AccessAgent client on computers that require automated check-in and check-out.
Note: You can skip this step if you do not want to deploy automated single sign-on.
See: “Installing IBM Security Access Manager for Enterprise Single Sign-On, Version 8.2” on page 15

Step 2: Import or configure service types in IBM Security Identity Manager for the managed resource

For each resource type, configure the profile information in IBM Security Identity Manager either by importing the service type or by creating the service type for a manual service.

See “Importing service types” and “Creating service types” in the Configuration Guide in the IBM Security Identity Manager Information Center.

Step 3: Import or configure the client application for IBM Security Access Manager for Enterprise Single Sign-On

Identify the client application used to access the managed resource. Complete the installation and configuration of the client application on client computers according to the vendor-provided instructions. For the list of supported client applications, see “Hardware and software requirements” on page 6.

Remember: If you have not uploaded the AccessProfiles for IBM Security Privileged Identity Manager, see “Uploading AccessProfiles to the IMS Server” on page 24.

Note: You can skip this step if you do not want to deploy automated single sign-on.

Step 4: Customize the service form template to include the unique identifier (eruri) field

Add the unique identifier (eruri) field to the service form template.

For more information, see “Customizing the service form template to include the unique identifier (eruri) field” in the Administration Guide in the IBM Security Identity Manager Information Center.

Step 5: Configure the new managed resource in IBM Security Identity Manager

You must follow these steps every time there is a new managed resource on your system.

Is the new managed resource supported by an IBM Security Identity Manager adapter?
• Yes: see Table 5 on page 12.
• No: see Table 6 on page 12.


Table 5. Configuring managed resources that are supported by the IBM Security Identity Manager adapter

Step: Install and configure the IBM Security Identity Manager adapter for the managed resource.
Note: This step does not apply to agentless adapters.
See: Adapter documentation in the IBM Security Identity Manager Information Center.

Step: Create the IBM Security Identity Manager service instance for the managed resource.
See: “Creating services” in the Administration Guide.

Step: Set the service unique identifier in the managed resource service definition in IBM Security Identity Manager. Use the administrative console to set the unique identifier that the AccessAgent uses to connect to the managed resource. For example, the unique identifier might be an IP address or host name of the server.
Note: You can skip this step if you do not want to deploy automated single sign-on.
The unique identifier field is case-sensitive in IBM Security Identity Manager, and by default IBM Security Access Manager for Enterprise Single Sign-On processes the value in lowercase. Enter the unique identifier in lowercase so that the value sent by the AccessAgent matches the service definition. Unique identifiers for computer names in the form domain\name or name@domain must be entered exactly as they are.
See: “Setting the service unique identifier” in the Administration Guide.

Table 6. Configuring managed resources that are not supported by the IBM Security Identity Manager adapter

Step: Create the IBM Security Identity Manager service instance with the manual service type.
See: “Manual services and service types” in the Configuration Guide, and “Creating manual services” in the Administration Guide.

Step: Set the service unique identifier in the managed resource service definition in IBM Security Identity Manager. Use the administrative console to set the unique identifier that the AccessAgent uses to connect to the managed resource. For example, the unique identifier might be an IP address or host name of the server.
Note: You can skip this step if you do not want to deploy automated single sign-on.
The unique identifier field is case-sensitive in IBM Security Identity Manager, and by default IBM Security Access Manager for Enterprise Single Sign-On processes the value in lowercase. Enter the unique identifier in lowercase so that the value sent by the AccessAgent matches the service definition.
See: “Setting the service unique identifier” in the Administration Guide.

Step 6: Define roles and provisioning policies to grant ownership of sponsored accounts

Perform these tasks in IBM Security Identity Manager.

Table 7. Defining roles and provisioning policies to grant ownership of sponsored accounts

Step: Reconcile groups and accounts.
See: “Managing reconciliation schedules” in the Administration Guide.

Step: Define roles and provisioning policies to grant ownership of sponsored accounts.
See: “Creating a provisioning policy”, “Creating roles”, and “Specifying owners of a role” in the Administration Guide.

Step: Identify or create groups for privileged access to managed resources.
See: “Creating groups” and “Defining access on a group” in the Administration Guide.

Step: Provision or adopt privileged accounts to authorized owners. The account that is used for shared access must be a sponsored account. The ownership type for the account can be anything other than Individual.
See: If an account does not exist on the service, “Requesting accounts on a service” in the Administration Guide. If an account exists on the service, “Assigning an account to a user” in the Administration Guide. For general information about sponsored accounts, “Managing accounts” in the Administration Guide.

Step 7: Configure shared access for the new managed resource

Perform these tasks in IBM Security Identity Manager.

Table 8. Configuring shared access for the new managed resource

Step: Add the privileged accounts to be shared to the credential vault. Designate a sponsored account to be shared by storing its credentials (user ID and password) in a credential vault. Access to these credentials is governed by a role-based shared access policy.
See: “Adding credentials to the vault” in the Administration Guide.

Step: Create the credential pools, typically based on groups of the service. Use the credential pools to organize shared credentials that have the same privileged access.
See: “Creating a credential pool” in the Administration Guide.

Step: Define roles and shared access policies to grant access to shared credentials. Shared access policies authorize role members to share credentials or credential pools.
See: “Creating a shared access policy” in the Administration Guide.

For an overview of shared access, see the "Shared access" topic in the IBM Security Identity Manager Information Center.

Related information:
For additional information about the Privileged Identity Manager deployment, see the IBM Security Identity Manager wiki.


Chapter 3. Installation

Install the IBM Security Privileged Identity Manager components that are required in your environment.

Note:
• To upgrade from earlier versions of installed product components, see “Upgrade to IBM Security Privileged Identity Manager” on page 18.
• Install IBM Security Identity Manager and IBM Security Access Manager for Enterprise Single Sign-On on separate systems.

Complete the following tasks:
• “Installing IBM Security Identity Manager, Version 6.0”
• “Installing IBM Security Access Manager for Enterprise Single Sign-On, Version 8.2”
• “Installing IBM Security Access Manager for Enterprise Single Sign-on Adapter, Version 6.0” on page 17

Related information:
For additional information about the Privileged Identity Manager deployment, see the IBM Security Identity Manager wiki.

Installing IBM Security Identity Manager, Version 6.0

Install IBM Security Identity Manager with the shared access module.

To install IBM Security Identity Manager, follow the directions in the IBM Security Identity Manager Installation Guide. You can access the guide in the IBM Security Identity Manager Information Center.
• The IBM Security Identity Manager installation wizard asks if you want to install the shared access module. To deploy IBM Security Privileged Identity Manager, you must install the shared access module.
• If you install the shared access module into a WebSphere cluster environment, you must complete configuration steps after the installation finishes. See the topic "Shared access module configuration" in the IBM Security Identity Manager Installation Guide.
• Before you begin installation, review the hardware and software requirements in “IBM Security Identity Manager, Version 6.0” on page 64.

Installing IBM Security Access Manager for Enterprise Single Sign-On, Version 8.2

Install IBM Security Access Manager for Enterprise Single Sign-On with the AccessAgent client to provide automated shared access credential check-in and check-out for IBM Security Privileged Identity Manager.

To install IBM Security Access Manager for Enterprise Single Sign-On, follow the directions in the IBM Security Access Manager for Enterprise Single Sign-On Installation Guide in the IBM Security Access Manager for Enterprise Single Sign-On Information Center.
© Copyright IBM Corp. 2012 15

Use the instructions to install:
• IMS Server, Version 8.2.0.0.686
• AccessAgent, Version 8.2.0.3001
  Note: To verify the installation, configure AccessAgent to communicate with the IMS Server.
• Optional: AccessStudio, Version 8.2.0.0505
  To modify the bundled AccessProfiles, install AccessStudio on an administrative computer to develop custom AccessProfiles.

Note: If you have an earlier version of the components, see “Upgrading IBM Security Access Manager for Enterprise Single Sign-On” on page 19.

Complete the following tasks:
1. Prepare the IMS Server.
2. Prepare the AccessAgent.
3. Verify the configuration.

Preparing the IMS Server

Configure the IMS Server to support the management of privileged identities.

Note: The virtual appliance server deployment mode for the IMS Server is not supported in IBM Security Privileged Identity Manager.

Install IMS Server, Version 8.2.0.0.686, using the IMS Server installer from Passport Advantage. Then, upload the AccessProfiles to the IMS Server. See “Uploading AccessProfiles to the IMS Server” on page 24.

Note: If the installed IMS Server is a version earlier than 8.2.0.0.686, for example, 8.2.0.0.502, you must upgrade the IMS Server. See “Upgrading the IMS Server from 8.2.0.0.502 to 8.2.0.0.686” on page 20.

Preparing the AccessAgent

You must prepare the AccessAgent client computers.

Before you begin

Ensure that the client computer meets the hardware and software prerequisites. See “Hardware and software requirements” on page 6.

Note: If you have a version of AccessAgent that is earlier than version 8.2.0.3001, you must upgrade the AccessAgent component. See “Upgrading IBM Security Access Manager for Enterprise Single Sign-On” on page 19.

About this task

Before you deploy the AccessAgent in a production environment with many computers, install the AccessAgent client on one computer. Then, complete and verify the rest of the IBM Security Privileged Identity Manager configuration tasks. If the verification is successful, continue with the AccessAgent deployment.


Procedure
1. Open the AccessAgent installer folder.
2. Navigate to the Config folder.
3. Open the DeploymentScript.vbs file with a text editor.
4. Search for the following text:

   ' Add your own ISIM host name here.
   ' Examples:
   ' 192.168.0.50
   ' trusty.server.com:9443
   ' https://trusty.server.com
   Dim HOSTS: HOSTS = Array()

5. Specify the IBM Security Identity Manager IP address or host name inside the Array(). For example:

   Dim HOSTS: HOSTS = Array("9.127.13.178")

6. Install AccessAgent. See the IBM Security Access Manager for Enterprise Single Sign-On Installation Guide.
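The following PowerShell script is an added example, not part of the IBM guide or of the AccessAgent installer, that performs steps 3 to 5 above without hand-editing so that one DeploymentScript.vbs can be stamped for a scripted rollout. It accepts only host values in the forms shown in the comment block, refuses to run if the marker line is missing, and keeps a backup. The script path and host names are placeholders that you supply.

```powershell
# Added example, not from the IBM guide or the AccessAgent installer: patch the
# HOSTS array in DeploymentScript.vbs (steps 3 to 5 of the procedure above).
# The file path and host names passed in are placeholders.
param(
    [Parameter(Mandatory = $true)][string]   $ScriptPath,  # ...\Config\DeploymentScript.vbs
    [Parameter(Mandatory = $true)][string[]] $IsimHosts    # e.g. 'isim.example.com:9443'
)
$ErrorActionPreference = 'Stop'

# Accept only the forms the comment block in the script documents: an IP address
# or host name, optionally with a port, optionally prefixed with https://.
$hostPattern = '^(https://)?[A-Za-z0-9][A-Za-z0-9.-]*(:\d{1,5})?$'
foreach ($h in $IsimHosts) {
    if ($h -notmatch $hostPattern) { throw "Rejected ISIM host value: '$h'" }
}

$content = Get-Content -LiteralPath $ScriptPath -Raw

# Match the marker line whatever is currently inside Array(...), so the script
# can be re-run, but stop before the line ending so CRLF is preserved.
$marker = [regex]'(?m)^[ \t]*Dim HOSTS:[ \t]*HOSTS[ \t]*=[ \t]*Array\([^\r\n]*\)'
if (-not $marker.IsMatch($content)) {
    throw "Marker line 'Dim HOSTS: HOSTS = Array()' not found in $ScriptPath"
}

# Build Array("host1", "host2") using VBScript string quoting.
$quoted  = ($IsimHosts | ForEach-Object { '"' + $_ + '"' }) -join ', '
$newLine = 'Dim HOSTS: HOSTS = Array(' + $quoted + ')'

Copy-Item -LiteralPath $ScriptPath -Destination ($ScriptPath + '.bak') -Force
$patched = $marker.Replace($content, $newLine, 1)   # first occurrence only

# The stock script is plain ASCII; change -Encoding if your copy is not.
Set-Content -LiteralPath $ScriptPath -Value $patched -NoNewline -Encoding ASCII
Write-Host "Set HOSTS to Array($quoted) in $ScriptPath"
```

Run it as `.\Set-IsimHosts.ps1 -ScriptPath '.\Config\DeploymentScript.vbs' -IsimHosts 'isim.example.com:9443'` (script name and values are illustrative) before step 6, then install AccessAgent from the patched folder.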

Verifying the installation and configuration

Verify that you have successfully installed and configured the IMS Server and AccessAgent to support privileged identity management.

Before you begin

Ensure that:
• The required components are installed and configured.
• The Privileged Identity Management AccessProfiles are uploaded to the IMS Server. See “Uploading AccessProfiles to the IMS Server” on page 24.

About this task

Before deploying AccessAgent to actual users for check-out and check-in automation, validate all the server configurations by using a single installation of AccessAgent.

Procedure
1. Start the managed resource client application.
2. Test the credential check-out and check-in automation. See the following scenarios:
   • “Logging on with PuTTY” on page 34
   • “Logging on with the Microsoft Remote Desktop Connection (RDP) client” on page 35
   • “Logging on with IBM Personal Communications” on page 36
   • “Logging on with the VMware vSphere Client” on page 37
3. Ensure that the privileged identity management scenarios work according to your requirements. If the test fails, see Chapter 9, “Troubleshooting,” on page 55.

Installing IBM Security Access Manager for Enterprise Single Sign-on Adapter, Version 6.0

Install the IBM Security Access Manager for Enterprise Single Sign-On Adapter to manage provisioning of users to the IMS Server.


To install IBM Security Access Manager for Enterprise Single Sign-On Adapter, follow the instructions in the IBM Security Access Manager for Enterprise Single Sign-On Adapter Installation and Configuration Guide in the IBM Security Identity Manager Information Center.

After you install the IBM Security Access Manager for Enterprise Single Sign-On Adapter files, you must integrate the adapter into the IBM Security Privileged Identity Manager environment by completing the required configuration tasks. Follow the instructions in the IBM Security Access Manager for Enterprise Single Sign-On Adapter Installation and Configuration Guide.

Upgrade to IBM Security Privileged Identity Manager

You can upgrade to IBM Security Privileged Identity Manager from existing deployments of the component software.

You can upgrade from any of these existing deployments:
• IBM Tivoli Identity Manager, Version 5.0 or 5.1
  See “Upgrading IBM Tivoli Identity Manager, Version 5.1” on page 19.
• IBM Tivoli Access Manager for Enterprise Single Sign-On, Version 8.1 or earlier
  See “Upgrading IBM Security Access Manager for Enterprise Single Sign-On” on page 19.
• A deployment that consists of all of the following products:
  – IBM Tivoli Identity Manager, Version 5.1 or 5.0
  – IBM Tivoli Access Manager for Enterprise Single Sign-On, Version 8.1 or earlier
  – IBM Tivoli Access Manager for Enterprise Single Sign-On Adapter, Version 5.1
  See “Upgrading IBM Tivoli Identity Manager and IBM Tivoli Access Manager for Enterprise Single Sign-on” on page 21.

Upgrade considerations

What is available by default after the upgrade:
• IBM Security Identity Manager provisioning and governance for users and managed resources.
• Bundled adapters to manage various types of LDAP servers and UNIX servers, such as AIX®, HP-UX, Linux, and Solaris.
• IBM Security Role and Policy Modeler and Role loaders.
• Automated check-out, check-in, and single sign-on for target resources that are accessed directly through the following applications:
  – PuTTY
  – RDP
  – IBM Personal Communications
  – VMware vSphere
• Separate reports for IBM Security Identity Manager shared access events and AccessAgent check-in, check-out, or single sign-on events.

Types of common customizations that might require more effort:


• Customization of default AccessProfiles to meet local needs. For example, support for different languages, differing prompts, or different commands in a command prompt or shell.
• Development of new AccessProfiles for additional IBM Security Privileged Identity Manager applications.
• Consolidation of audit logs from IBM Security Identity Manager, IBM Security Access Manager for Enterprise Single Sign-On, and target resources into Security Information and Event Management (SIEM) solutions.

Upgrading IBM Tivoli Identity Manager, Version 5.1

Upgrade IBM Tivoli Identity Manager to IBM Security Identity Manager.

In this scenario, you previously deployed IBM Tivoli Identity Manager, Version 5.1. Now, you want to upgrade to IBM Security Privileged Identity Manager.
• If your IBM Security Privileged Identity Manager deployment does not require automated checkout and checkin, your only task is to upgrade IBM Tivoli Identity Manager, Version 5.1 to IBM Security Identity Manager, Version 6.0.
• If your IBM Security Privileged Identity Manager deployment requires automated checkout and checkin, you must first upgrade IBM Tivoli Identity Manager, Version 5.1, and then do a new install of the other IBM Security Privileged Identity Manager components:
  – IBM Security Access Manager for Enterprise Single Sign-On, Version 8.2
  – IBM Security Access Manager for Enterprise Single Sign-On Adapter, Version 6.0

For the IBM Tivoli Identity Manager upgrade, you can complete either an in-place system upgrade or a separate system upgrade with data migration. Most deployments use a separate system upgrade with data migration.

The IBM Security Identity Manager installation wizard runs as part of the upgrade. When prompted by the wizard, be sure to select the Shared Access Module. Follow the instructions for your upgrade type in the IBM Security Identity Manager Installation Guide in the IBM Security Identity Manager Information Center:
• “IBM Security Identity Manager upgrade”
• “Separate system upgrade and data migration”

Note: In the separate system upgrade, you do not immediately replace the IBM Tivoli Identity Manager Server. Instead, you create a separate deployment of IBM Security Identity Manager and migrate data from the old IBM Tivoli Identity Manager Server to the new IBM Security Identity Manager Server.

Upgrading IBM Security Access Manager for Enterprise Single Sign-On

In this case, you previously installed IBM Security Access Manager for Enterprise Single Sign-On. Now, you want to deploy IBM Security Privileged Identity Manager.
• Install IBM Security Identity Manager, Version 6.0, with the shared access module.
  See “Installing IBM Security Identity Manager, Version 6.0” on page 15.
• Upgrade IBM Security Access Manager for Enterprise Single Sign-On.


Table 9. Upgrade matrix

If you have: IBM Security Access Manager for Enterprise Single Sign-On, Version 8.1 or earlier
  Action for the IMS Server: Install IMS Server, Version 8.2.0.0.686. See the IBM Security Access Manager for Enterprise Single Sign-On Installation Guide.
  Action for AccessAgent: Install AccessAgent, Version 8.2.0.3001. See the IBM Security Access Manager for Enterprise Single Sign-On Installation Guide.
  Action for AccessStudio: Install AccessStudio, Version 8.2.0.0505. See the IBM Security Access Manager for Enterprise Single Sign-On Installation Guide.

If you have: IMS Server, Version 8.2.0.0.502; AccessAgent, Version 8.2.0.0501; and AccessStudio, Version 8.2.0.0501, each with or without fix packs or interim fixes
  Action for the IMS Server: Upgrade to IMS Server, Version 8.2.0.0.686, using 8.2.0-ISS-SAMESSO-IMS-FP0003. See “Upgrading the IMS Server from 8.2.0.0.502 to 8.2.0.0.686.”
  Action for AccessAgent: Upgrade to AccessAgent, Version 8.2.0.3001, using 8.2.0-ISS-SAMESSO-AA-FP0011. See “Upgrading AccessAgent from 8.2.0.0501 to 8.2.0.3001” on page 21.
  Action for AccessStudio: Install AccessStudio, Version 8.2.0.0505. See the IBM Security Access Manager for Enterprise Single Sign-On Installation Guide.

• Install IBM Security Access Manager for Enterprise Single Sign-On Adapter, Version 6.0.
  See “Installing IBM Security Access Manager for Enterprise Single Sign-on Adapter, Version 6.0” on page 17.

Upgrading the IMS Server from 8.2.0.0.502 to 8.2.0.0.686

If you have installed IMS Server, Version 8.2.0.0.502, with or without fix packs or interim fixes, you must install 8.2.0-ISS-SAMESSO-IMS-FP0003 and configure the IMS Server to support privileged identity management.

Procedure
1. Install the IMS Server fix pack 8.2.0-ISS-SAMESSO-IMS-FP0003. See the fix pack readme file. Download the file from IBM Support & downloads.
2. Upload the AccessProfiles to the IMS Server.
3. Add a policy in the User Policy template for Privileged Identity Manager on the IMS Server.
4. Configure the audit logs to include privileged identity events.
5. Create a user policy template only for privileged identity management users.
6. Map the authentication service.
7. “Update IMS view to show Privileged Identity Management events” on page 53.
8. Optional: Add privileged identity management policies in AccessAdmin.
9. Optional: Upload policy definitions and objects.


Upgrading AccessAgent from 8.2.0.0501 to 8.2.0.3001

If you have installed AccessAgent, Version 8.2.0.0501, with or without fix packs or interim fixes, you must install 8.2.0-ISS-SAMESSO-AA-FP0011 and install the IBM Security Identity Manager certificates on the computer where AccessAgent is installed.

Before you begin

Ensure that the client computer meets the hardware and software prerequisites. See “Hardware and software requirements” on page 6.

About this task

Before you deploy the AccessAgent in a production environment with many computers, install the AccessAgent client on one computer. Then, complete and verify the rest of the IBM Security Privileged Identity Manager configuration tasks. If the verification is successful, continue with the AccessAgent deployment.

When you install AccessAgent, deploy the IBM Security Identity Manager SSL certificates on each AccessAgent client computer.

If you are deploying the AccessAgent on multiple computers, use a wrapping installation package that installs the AccessAgent fix pack and the IBM Security Identity Manager certificates.

Procedure
1. Install the AccessAgent fix pack 8.2.0-ISS-SAMESSO-AA-FP0011. See the fix pack readme file.
2. Run the following command to install or import the IBM Security Identity Manager certificates on the computer where you installed the AccessAgent. If you have an:

   x86 architecture
      rundll32.exe aa_installpath\AA\ECSS\PIMSlnHelper.dll,Believe isim_ip_host

   x64 architecture
      rundll32.exe aa_installpath\AA\ECSS\PIMSlnHelper64.dll,Believe isim_ip_host

   For example:
      rundll32.exe c:\Program Files\IBM\ISAM ESSO\AA\ECSS\PIMSlnHelper.dll,Believe "9.127.13.16"

3. If the computer requires a client application to access a specific managed resource, install the client application.
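The following PowerShell script is an added example of the wrapping installation package the task describes; it is not part of the IBM guide or of the fix pack. It runs steps 1 and 2 in order on one computer, chooses the helper DLL by OS architecture, and checks that the DLL exists before calling it. The fix pack installer path and its silent-install switches are placeholders (take the real switches from the fix pack readme), and the AccessAgent folder is the default from the guide's example, which you can override.

```powershell
# Added example, not from the IBM guide: wrapper for steps 1 and 2 above, to be
# run elevated on each AccessAgent computer. The fix pack installer path and its
# silent-install switches are placeholders; take the real switches from the fix
# pack readme. The AccessAgent path is the default and can be overridden.
param(
    [Parameter(Mandatory = $true)][string] $IsimHost,          # e.g. 'isim.example.com'
    [Parameter(Mandatory = $true)][string] $FixPackInstaller,  # 8.2.0-ISS-SAMESSO-AA-FP0011 installer
    [string[]] $FixPackArgs     = @(),                          # silent switches from the readme
    [string]   $AccessAgentPath = "${env:ProgramFiles}\IBM\ISAM ESSO\AA"
)
$ErrorActionPreference = 'Stop'

if ($IsimHost -notmatch '^[A-Za-z0-9][A-Za-z0-9.-]*$') {
    throw "Unexpected ISIM host value: '$IsimHost'"
}

# 1. Fix pack first; the helper DLL used below ships with 8.2.0.3001.
#    Start-Process rejects an empty -ArgumentList, so add it only when present.
$startArgs = @{ FilePath = $FixPackInstaller; Wait = $true; PassThru = $true }
if ($FixPackArgs.Count -gt 0) { $startArgs.ArgumentList = $FixPackArgs }
$fp = Start-Process @startArgs
if ($fp.ExitCode -ne 0) { throw "Fix pack installer exited with code $($fp.ExitCode)" }

# 2. Choose the helper DLL by OS architecture, as the procedure does, and verify
#    it is present before calling it.
$dllName = if ([Environment]::Is64BitOperatingSystem) { 'PIMSlnHelper64.dll' } else { 'PIMSlnHelper.dll' }
$dll     = Join-Path $AccessAgentPath ('ECSS\' + $dllName)
if (-not (Test-Path -LiteralPath $dll)) {
    throw "Helper DLL not found (did the fix pack install succeed?): $dll"
}

# Same form as the guide's example: rundll32.exe <dll>,Believe "<isim host>".
$rundll = Join-Path $env:SystemRoot 'System32\rundll32.exe'
$cert   = Start-Process -FilePath $rundll -ArgumentList "$dll,Believe `"$IsimHost`"" -Wait -PassThru

# rundll32 does not pass the entry point's result back in its exit code, so a
# zero here only means the call completed; confirm with a check-out scenario.
Write-Host "rundll32 finished with exit code $($cert.ExitCode); run a check-out test to confirm the import."
```

Package this script with the fix pack installer in your software distribution tool and run it in the SYSTEM or an administrator context; if AccessAgent is a 32-bit build on a 64-bit system and only PIMSlnHelper.dll exists, pass the matching path in -AccessAgentPath and adjust the DLL choice accordingly.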

Upgrading IBM Tivoli Identity Manager and IBM Tivoli Access Manager for Enterprise Single Sign-on

Upgrade an existing deployment of Tivoli Identity Manager plus Tivoli Access Manager for Enterprise Single Sign-on to an IBM Security Privileged Identity Manager deployment.

In this scenario, you previously deployed all of the following products:
• IBM Tivoli Identity Manager, Version 5.1
• IBM Tivoli Access Manager for Enterprise Single Sign-On, Version 8.1
• IBM Tivoli Access Manager for Enterprise Single Sign-On Adapter, Version 5.1

Now, you want to upgrade to use IBM Security Privileged Identity Manager. The tasks are:
1. Upgrade IBM Tivoli Identity Manager, Version 5.1, to IBM Security Identity Manager, Version 6.0, with the shared access module.
   Complete the instructions in “Upgrading IBM Tivoli Identity Manager, Version 5.1” on page 19.
2. Upgrade IBM Tivoli Access Manager for Enterprise Single Sign-On, Version 8.1, to IBM Security Access Manager for Enterprise Single Sign-On, Version 8.2.
   • If IBM Tivoli Access Manager for Enterprise Single Sign-On, Version 8.1, or earlier is installed, upgrade to version 8.2. See the IBM Security Access Manager for Enterprise Single Sign-On Installation Guide.
   • If IBM Security Access Manager for Enterprise Single Sign-On, Version 8.2, is installed:
     – Upgrade to IMS Server, Version 8.2.0.0.686, using 8.2.0-ISS-SAMESSO-IMS-FP0003. See “Upgrading the IMS Server from 8.2.0.0.502 to 8.2.0.0.686” on page 20.
     – Upgrade to AccessAgent, Version 8.2.0.3001, using 8.2.0-ISS-SAMESSO-AA-FP0011. See “Upgrading AccessAgent from 8.2.0.0501 to 8.2.0.3001” on page 21.
     – Install AccessStudio, Version 8.2.0.0505. See the IBM Security Access Manager for Enterprise Single Sign-On Installation Guide.
3. Upgrade IBM Tivoli Access Manager for Enterprise Single Sign-On Adapter, Version 5.1, to IBM Security Access Manager for Enterprise Single Sign-On Adapter, Version 6.0. Follow the instructions in the IBM Security Access Manager Enterprise Single Sign-On Adapter Installation and Configuration Guide. See the following sections:
   • Before you begin the upgrade, determine whether you must migrate existing group shared accounts. See “Migrating Group Sharing Account to Privileged Identity Management”.
   • If you must remove group shared accounts, see “Removing the Group Sharing Account feature”.
   • “Upgrading the IBM Security Access Manager Enterprise Single Sign-On Adapter”.


Chapter 4. Configuration for IBM Security Privileged Identity Manager

There are several required configuration tasks that you must perform so that IBM Security Privileged Identity Manager operates properly. This chapter covers those tasks. There are also several optional configuration tasks that are covered in the Appendix.

Shared access configuration

You can complete configuration tasks for shared access as needed for your deployment.

Table 10 describes configuration tasks that you might want to complete, depending on the requirements of your deployment.

Table 10. Shared access configuration tasks

Configuring the credential default settings
    Specifies the default settings for each credential that is added to the credential vault.

Customizing the service form template to include the unique identifier (eruri) attribute
    Updates the managed resource service form template to include a field for the unique identifier that you use to connect to the managed resource.

Configuring an external credential vault server
    Specifies the required properties to configure an external credential vault server.

Customization of the checkout operation
    The shared access module supports both synchronous and asynchronous checkout of shared accounts. Synchronous checkout is enabled by default. If you want to use asynchronous checkout, you must enable and configure it.

Shared access approval and recertification
    You can add an approval process to the default operation for adding credentials to the vault. You can also define a custom workflow to recertify credentials in the vault.

Customizing the checkout form
    You can customize the form that is used for checkout of shared accounts. You can add more attributes to be filled out during checkout. This customization increases individual accountability when credentials are shared.

Shared access Tivoli Common Reporting reports
    You can configure reports that show:
    • Shared access audit history
    • Shared access entitlements for a specified owner
    • Shared access entitlements for a specified role

Consult the IBM Security Identity Manager documentation to understand which configuration tasks apply to your deployment:
• Shared access documentation
  On this page in the IBM Security Identity Manager Information Center, see the "System configuration" section to find links to the documentation for shared access configuration tasks.


• IBM Security Identity Manager Information Center
  To find information about a task in Table 10 on page 23, go to this information center. On the home page, locate the information center search field, and enter the configuration task name as shown in the Configuration task column of the table. For example, to use an external credential vault server, enter "Configuring an external credential vault server".

Setting the minimum AccessAgent version on the Privileged Identity Management AccessProfile

Set the minimum AccessAgent version for each of the Privileged Identity Management AccessProfiles if you have a mixed deployment of computers running on different AccessAgent versions. For example, one computer is running AccessAgent, Version 8.1 and another computer is running AccessAgent, Version 8.2.

About this task

Complete this task for Concurrent_profiles_bgMonitor_Wnd_Explorer.eas and for the PIM workflow file that you deploy, either PIM_Profiles_With_General_RDP_Flow.eas or PIM_Profiles.eas.

Procedure
1. Open the EAS file in AccessStudio.
2. Set the minimum AccessAgent version for each AccessProfile from the AccessProfile pane.
   a. Select the AccessProfile.
   b. Click the General properties pane.
   c. Enter 8.2.0.3001 in the Minimum AccessAgent version field.
   d. Repeat these steps for each AccessProfile included in the EAS file.
3. Save the EAS file.
4. Repeat these steps for each EAS file.

Uploading AccessProfiles to the IMS Server

To activate and use the Privileged Identity Management AccessProfiles, upload the AccessProfiles to the IMS Server.

Before you begin

If you have multiple AccessProfiles, see “Managing multiple AccessProfiles for the same client application” on page 42 for a better understanding before you upload AccessProfiles to the IMS Server.

If you have a mixed deployment of computers running on different AccessAgent versions, see “Setting the minimum AccessAgent version on the Privileged Identity Management AccessProfile.”

About this task

There are four Privileged Identity Management AccessProfiles available for upload to the IMS Server.

You must upload the following Privileged Identity Management AccessProfiles:


v Use_Shared_Credentials_Authentication_Service.eas

v Concurrent_profiles_bgMonitor_Wnd_Explorer.eas

Then, upload either of these Privileged Identity Management AccessProfiles:v PIM_Profiles_With_General_RDP_Flow.eas

This AccessProfile contains both PIM workflows and non PIM workflows.Use this AccessProfile if the non PIM workflows for RDP are required for nonPIM users.The non PIM workflows are provided in the IBM Security Access Manager forEnterprise Single Sign-On bundled AccessProfiles. The non PIM workflows thatare included in this AccessProfile might be outdated. See the AccessProfilesLibrary for the latest version.

Note:

– This AccessProfile is just an example of a merged AccessProfile.– If the non PIM workflows included in this AccessProfile is outdated,

download the latest version of the AccessProfile from the AccessProfilesLibrary and merge it with the RDP AccessProfile for the PIM workflow. TheRDP Profile ID is profile_RDP_main.

v PIM_Profiles.eas

This AccessProfile contains the PIM workflows only.Use this AccessProfile if you want to use the PIM workflows only.

You can get these AccessProfiles from the AccessProfiles Library.

If you cannot find or download these AccessProfiles from the AccessProfilesLibrary, you can get the files from this location:

<IMS Server installation folder>\com.ibm.tamesso.ims-delhi.build.boot\src\config\data\config\pim\Profiles.

For example: C:\Program Files\IBM\ISAM ESSO\IMS Server\com.ibm.tamesso.ims-delhi.build.boot\src\config\data\config\pim\Profiles.

Procedure

1. Open the command prompt.
2. Navigate to <IMS Server installation folder>\bin.
3. Run the following command:

uploadSync.bat <was_admin> <was_admin_password> --dataFile "<accessprofile_absolute_path>"

For example:

C:\Program Files\IBM\ISAM ESSO\IMS Server\bin>uploadSync.bat wasadmin p@ssw0rd --dataFile "C:\Program Files\IBM\ISAM ESSO\IMS Server\com.ibm.tamesso.ims-delhi.build.boot\src\config\data\config\pim\Profiles\Concurrent_profiles_bgMonitor_Wnd_Explorer.eas"


Related information:

AccessProfiles Library

Adding a policy in the User Policy template for Privileged Identity Manager on the IMS Server

Use this topic to configure the shared access credential usage policy, through the user policy template, for all users.

Before you begin

Upload the IBM Security Privileged Identity Manager AccessProfiles in the IMS Server.

About this task

Complete this task only if you upgraded the IMS Server using the 8.2.0-ISS-SAMESSO-IMS-FP0003 fix pack.

Procedure

1. Log on to the IBM Integrated Solutions Console with the WebSphere® administrator credentials. For example: wasadmin.
2. On the Integrated Solutions Console navigation pane, select Applications > Application Types > WebSphere Enterprise Applications.
3. Stop the ISAMESSOConfig and ISAMESSOIMS applications.
4. Modify the ims.xml configuration file.

v For WebSphere Application Server Stand-alone Deployment: <WAS_profile>/config/tamesso/config/
v For WebSphere Application Server Network Deployment: <Dmgr_profile>/config/tamesso/config/

5. Add the following lines under the <main> element:

<encentuate.ims.pim.enabled.service.list>
<value xml:lang="en">Use_Shared_Credentials</value>
</encentuate.ims.pim.enabled.service.list>

6. Start the ISAMESSOConfig application.
7. For WebSphere Application Server Stand-alone Deployment, start the ISAMESSOIMS application. For WebSphere Application Server Network Deployment, resynchronize the nodes and restart the cluster.
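As an added example that is not part of this guide or of the product tooling, the following Python checks an ims.xml document for the entry that step 5 adds and inserts it only when it is missing, so the edit is safe to repeat after a fix pack or a restore from backup. The sample ims.xml is constructed for the example; only the <main> element and the <encentuate.ims.pim.enabled.service.list> entry come from the procedure.

```python
"""Idempotently add the PIM enabled-service entry to an ims.xml document.

Added example (not IBM tooling). The guide says to add
<encentuate.ims.pim.enabled.service.list> under <main> in ims.xml; this
checks whether the entry is already present before adding it, so running the
step twice does not produce a duplicate element. The sample ims.xml below is
constructed: only <main> and the PIM entry come from the guide.
"""
import xml.etree.ElementTree as ET

XML_NS = "http://www.w3.org/XML/1998/namespace"
LANG_ATTR = f"{{{XML_NS}}}lang"          # serialises as xml:lang
PIM_LIST_TAG = "encentuate.ims.pim.enabled.service.list"
PIM_SERVICE = "Use_Shared_Credentials"

# Constructed sample: a minimal ims.xml with a <main> element and one
# unrelated (placeholder) setting. The real file holds many more settings.
SAMPLE_IMS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<ims>
  <main>
    <encentuate.ims.example.setting>
      <value xml:lang="en">placeholder</value>
    </encentuate.ims.example.setting>
  </main>
</ims>
"""


def find_main(root):
    """Return the <main> element whether it is the root or nested below it."""
    if root.tag == "main":
        return root
    main = root.find(".//main")
    if main is None:
        raise ValueError("ims.xml has no <main> element")
    return main


def enabled_pim_services(xml_text):
    """List the PIM service names currently enabled under <main>."""
    main = find_main(ET.fromstring(xml_text))
    return [
        (value.text or "").strip()
        for lst in main.findall(PIM_LIST_TAG)
        for value in lst.findall("value")
    ]


def ensure_pim_service_enabled(xml_text, service=PIM_SERVICE):
    """Add the service under <main> if absent. Returns (new_xml, changed)."""
    root = ET.fromstring(xml_text)
    main = find_main(root)
    for lst in main.findall(PIM_LIST_TAG):
        for value in lst.findall("value"):
            if (value.text or "").strip() == service:
                return xml_text, False   # already enabled: leave the file untouched
    lst = ET.SubElement(main, PIM_LIST_TAG)
    value = ET.SubElement(lst, "value", {LANG_ATTR: "en"})
    value.text = service
    if hasattr(ET, "indent"):           # Python 3.9+: keep the file readable
        ET.indent(root)
    head = ""
    if xml_text.lstrip().startswith("<?xml"):   # preserve the original declaration
        head = xml_text[: xml_text.index("?>") + 2] + "\n"
    return head + ET.tostring(root, encoding="unicode"), True


if __name__ == "__main__":
    updated, changed = ensure_pim_service_enabled(SAMPLE_IMS_XML)
    print("changed:", changed)
    print(updated)
```

In a real deployment the input would be read from the <WAS_profile> or <Dmgr_profile> path listed in step 4, after the backup the procedure implies.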

Creating a user policy template only for privileged identity management users

Configure a user policy template in AccessAdmin to segregate PIM and non-PIM users. Segregation lets you configure prompts that display for selected groups of users and hide the prompt from the rest of the users. If there is no segregation, the dialog box prompt displays for every user when the privileged identity management client applications are used.

Before you begin

See “Configuring the shared access credential usage prompt” on page 32.


Procedure

1. Log on to AccessAdmin.
2. Create or modify an existing user policy template for privileged identity management users.
   a. Under User Policy Templates, click New template.
   b. Type a name for the template. For example: PIM admins only.
   c. Expand the Authentication Service Policies group.
   d. Expand Use Shared Credentials.
   e. For Password entry of injection policy per authentication service, choose Ask.
   f. Click Update.
   g. Apply the user policy template to privileged identity management users. See the topic “Applying a User Policy Template” in the IBM Security Access Manager for Enterprise Single Sign-On Information Center.
3. Create or modify an existing user policy template for non-privileged identity management users. For example: Non-PIM users only.
   a. For the policy template, expand Authentication Service Policies.
   b. Expand Use Shared Credentials.
   c. For Password entry of injection policy per authentication service, choose Never.
   d. Click Update.
   e. Apply the user policy template to users not using privileged identity management. See the topic “Applying a User Policy Template” in the IBM Security Access Manager for Enterprise Single Sign-On Information Center.

Mapping the authentication service

Define an IBM Security Identity Manager authentication service. The credentials stored against the authentication service in the user's Wallet are authenticated with IBM Security Identity Manager during check-out and check-in.

Before you begin

If you did not already do so:

v Obtain details about the authentication service ID that are required for this configuration.
   1. Log on to the IMS Configuration Utility.
   2. From the Basic Settings menu, select Authentication Services. A list of available authentication services is displayed.
   3. Select the appropriate authentication service to view the authentication service ID and the account data template.

About this task

For more information about authentication services, see the topic “Managing authentication services” in the IBM Security Access Manager for Enterprise Single Sign-On AccessStudio Guide.


You can choose to create an authentication service or use an existing authentication service. To create an authentication service, see the topic “Creating authentication services” in the IBM Security Access Manager for Enterprise Single Sign-On AccessStudio Guide.

If the IBM Security Access Manager for Enterprise Single Sign-On Adapter is used, then map the provisioned IBM Security Identity Manager credentials with the IBM Security Identity Manager authentication service as defined in the PIM configuration policy.

Procedure

1. Log on to AccessAdmin. For example: https://ims_hostname:ihs_ssl_port/admin
2. In the System group, click System policies.
3. In the System policies page, expand PIM Configuration Policies.
4. Specify the following values:

ISIM URL
Specify the IBM Security Identity Manager URL. For example: https://isim_host:port/itim/services/WSSharedAccessService

ISIM Authentication Service ID
Specify the configured IBM Security Identity Manager authentication service ID. For example: pim_auth_service.

5. Click Update.

Configuring a group policy to prompt the client for passwords (RDP)

If you use a Remote Desktop Connection client for privileged access to a Windows host, configure the RDP policy to prompt for, not store, passwords.

Before you begin

You must have administrator privileges to configure the Windows group policy.

About this task

The procedure documented here is an example only. For more information about configuring a group policy for the RDP client in Windows, go to the Microsoft website at http://www.microsoft.com. Search for RDP Always prompt client for password upon connection.

Procedure

1. Log on as an administrator.
2. Start the Group Policy tool.
   a. Click Start > Run.
   b. Type gpedit.msc.
   c. Press Enter.
3. Browse for the policy:

Windows XP:
Click Computer Configuration > Administrative Templates > Windows Components > Terminal Services > Encryption and Security > Always prompt client for password upon connection.

Windows 7:
Click Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Connection Client > Do not allow passwords to be saved.

4. From the Action menu, click Edit.
5. Choose Enabled.
6. Click OK.

Adding privileged identity management policies in AccessAdmin

The policyConfig.xml file controls the policies that are displayed in the AccessAdmin user interface. To display the privileged identity management policies in AccessAdmin, the existing policyConfig.xml file must be replaced with the updated version.

About this task

Do this task only if you have already configured the IMS Server using the IMS Configuration Wizard, before you installed IMS Server fix pack 8.2.0-ISS-SAMESSO-IMS-FP0003.

Procedure

1. Back up the policyConfig.xml file from the following locations:

v For WebSphere Application Server Stand-alone Deployment: <WAS_profile>/config/tamesso/config/
v For WebSphere Application Server Network Deployment: <Dmgr_profile>/config/tamesso/config/

2. Copy the policyConfig.xml from <IMS_Server_installation_directory>\com.ibm.tamesso.ims-delhi.build.boot\BUILD\config. For example: C:\Program Files\IBM\ISAM ESSO\IMS Server\com.ibm.tamesso.ims-delhi.build.boot\BUILD\config

3. Paste the copied policyConfig.xml in the following locations:

v For WebSphere Application Server Stand-alone Deployment: <WAS_profile>/config/tamesso/config/
v For WebSphere Application Server Network Deployment: <Dmgr_profile>/config/tamesso/config/

What to do next

Upload policy definitions and objects.

Uploading policy definitions and objects

To support privileged identity management, upload the pim_policy_definitions.xml and pim_policy_mgmnt_objects.xml files in the IMS Server.

About this task

Do this task only if you have already configured the IMS Server using the IMS Configuration Wizard before you installed IMS Server fix pack 8.2.0-ISS-SAMESSO-IMS-FP0003.


The pim_policy_definitions.xml and pim_policy_mgmnt_objects.xml files are located in <IMS_Server_folder>\com.ibm.tamesso.ims-delhi.build.boot\src\config\data\config\pim\.

For example: C:\Program Files\IBM\ISAM ESSO\IMS Server\com.ibm.tamesso.ims-delhi.build.boot\src\config\data\config\pim\

Procedure

1. Open the command prompt.
2. Navigate to <IMS Server installation folder>\bin.
3. Run the following command:

uploadSync.bat <was_admin> <was_admin_password> --dataFile "<pim_policy_xml_absolute_path>"

For example:

v C:\Program Files\IBM\ISAM ESSO\IMS Server\bin>uploadSync.bat wasadmin p@ssw0rd --dataFile "C:\Program Files\IBM\ISAM ESSO\IMS Server\com.ibm.tamesso.ims-delhi.build.boot\src\config\data\config\pim\pim_policy_definitions.xml"

v C:\Program Files\IBM\ISAM ESSO\IMS Server\bin>uploadSync.bat wasadmin p@ssw0rd --dataFile "C:\Program Files\IBM\ISAM ESSO\IMS Server\com.ibm.tamesso.ims-delhi.build.boot\src\config\data\config\pim\pim_policy_mgmt_objects.xml"

4. For WebSphere Application Server Stand-alone Deployment, restart the ISAMESSOIMS application. For WebSphere Application Server Network Deployment, resynchronize the nodes and restart the cluster.


Chapter 5. Automating the credential check-out and check-in process

You can automate the check out and check in of shared access credentials from theIBM Security Identity Manager Server for convenience.

In some cases, you need to customize the AccessProfiles that automate the check-out and check-in process. This topic covers when to customize the AccessProfiles.

Automation overview

A sequence of steps takes place when a user initiates check-out and check-in. This topic describes the details of these associated processes.

Shared access credential check-out process

In a privileged identity management workflow, you can check out shared access credentials for a managed resource automatically.

You can log on to a managed resource with a shared access credential without knowing the shared access credential.

1. Choose the supported application for the managed resource. For example: PuTTY. See “Software requirements” on page 6.
2. Specify the target managed resource.
3. When prompted, log on with shared credentials.

Note: You can also choose not to log on to a managed resource with a shared access credential. See “Configuring the shared access credential usage prompt” on page 32.

4. When prompted with the AccessAgent reauthentication prompt, specify your IBM Security Access Manager for Enterprise Single Sign-On password. See “Configuring the re-authentication prompt” on page 32. IBM Security Access Manager for Enterprise Single Sign-On authenticates and retrieves your credentials from your single sign-on Wallet.

v If your Wallet contains valid IBM Security Identity Manager credentials, IBM Security Access Manager for Enterprise Single Sign-On retrieves the list of credential pools from the IBM Security Identity Manager Server.
v If your Wallet does not contain any IBM Security Identity Manager credentials, you are prompted to provide them.

5. When prompted, choose a credential pool to check out shared access credentials. After you choose the credential pool, IBM Security Privileged Identity Manager:
   a. Checks out the shared access credential from the IBM Security Identity Manager.
   b. Enters the shared access credential into the client application.

You are logged on to the managed resource with a shared access credential. When you check out a credential through the automated check-out process, there is no option to enter the check-out justification comment.


Configuring the shared access credential usage prompt

The prompt asking the user whether to use shared credentials to log on to a managed resource, when using any of the client logon applications, can be configured using the injection policy.

Procedure

1. Open the Wallet Manager.
2. In the Authentication Service column, search for Use shared credentials and select any of the Password Entry options.

Table 11. Password entry options

Password entry: Automatic logon
Description: Use only shared credentials to log on to the managed resources.

Password entry: Always
Description: Always prompt the user whether to use shared credentials to log on to the managed resources.

Password entry: Ask
Description: Prompt the user whether to use shared credentials to log on to the managed resources.

Password entry: Never
Description: Do not use shared credentials to log on to the managed resources.

Configuring the re-authentication prompt

For additional security, IBM Security Access Manager for Enterprise Single Sign-On users can be asked to re-authenticate when they access managed resources. See this topic to configure whether to require the users to re-authenticate every time a user accesses a client logon application and requests the use of shared credentials.

Procedure

1. Open AccessAdmin.
2. Click Authentication service policies.
3. Select the authentication service Use Shared Credentials.
4. Under Password Policies, specify whether to require re-authentication before performing single sign-on using the automatic sign-on mode.

Shared access credential check-in process

The software automatically checks in shared access credentials when you log out, exit, or close the client application.

If the credential check-in process is not triggered automatically, the credential remains checked out to the user until the lease time expires. You can check out a shared access credential only for a limited amount of time. The specific amount of time is the lease time. See the IBM Security Identity Manager Information Center for more information about shared access credential lease.

IBM Security Identity Manager password change process

If there is a change in the IBM Security Identity Manager password, the IBM Security Access Manager for Enterprise Single Sign-On Adapter automatically captures the password change.


To ensure that any password changes that you initiate for IBM Security Identity Manager are applied successfully in IBM Security Identity Manager, install the IBM Security Access Manager for Enterprise Single Sign-On Adapter for IBM Security Identity Manager.

For more information, see the IBM Security Access Manager for Enterprise Single Sign-On Adapter Installation and Configuration Guide.

Additional examples that can trigger check-out and check-in automation

Different events can determine the automation behavior, for example when you start multiple sessions or when sessions are terminated abnormally.

Table 12. Additional events that can trigger automated check-out or check-in behavior

When: You
v start a second client application session,
v connect to the same resource as your client application session, and
v choose the same credential pool.
Automated check-out or check-in behavior: The user is prompted whether to use an already checked out credential. The user can choose to reuse or check out a new credential.
Note: If you choose a different credential pool, a separate check-out occurs.
No check-out is necessary. Check-out does not affect initial client application session credentials. AccessAgent reuses the checked out credential from the previous session.

When: You use a client application, and a session is terminated abnormally because of a system crash or deliberate termination.
Automated check-out or check-in behavior: AccessAgent checks in all credentials for a user.

When: There is no connection to the IBM Security Identity Manager Server.
Automated check-out or check-in behavior: After the client application closes properly or terminates, AccessAgent continuously attempts to check in all credentials that a user checked out. This process prevents any checked out credentials from being used outside the IBM Security Access Manager for Enterprise Single Sign-On domain.

When: You restart a client computer, and there are still credentials that are pending for check-in.
Automated check-out or check-in behavior: AccessAgent retries the check-in when a corresponding user logs on to IBM Security Access Manager for Enterprise Single Sign-On. This approach avoids locking credentials so that they can be checked out by users.

When: You use the managed resource using a checked out credential, from the client logon application, and after the lease expires on the checked out credential. For example:
v You are done using the client logon application and the managed resource but forgot to close the client logon application.
v You are away from the computer for a long time.
Automated check-out or check-in behavior: AccessAgent checks in credentials when the lease time configured by the IBM Security Identity Manager administrator expires.
Note: One hour before the lease time expiration, a notification tells you that the lease time is almost expired. You must stop using the credentials or have AccessAgent terminate the application when the lease expires.
If you do not respond to the notification, the application is terminated. See the IBM Security Identity Manager Information Center for more information about lease expiry configurations.

When: You use the managed resource using a checked out credential, from the client logon application, and after the lease expires on the checked out credential. For example: the computer goes into hibernate mode, and the credential is not checked in.
Automated check-out or check-in behavior: IBM Security Identity Manager performs lease expiry handling based on how the lease expiry handling is configured. For example:
v The credentials can be checked in, or
v Notification e-mails can be sent.
See the IBM Security Identity Manager Information Center for more information.
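The following Python model, added here as an illustration and not part of IBM's product or documentation, encodes the events in Table 12 and the lease rules from “Shared access credential check-in process” as a small state machine, so the resulting credential state for each event can be reasoned about and tested. The one-hour warning comes from the table; credential names, the 8-hour lease length, the user names and the session identifiers are constructed for the example.

```python
"""State model of the automated check-out and check-in behaviour in Table 12.

Added example, not IBM code. Events modelled: a second session to the same
credential pool (reuse or fresh check-out), abnormal termination (check in
everything for the user), no connection to the IBM Security Identity Manager
Server (check-in queued and retried, also after a restart when the user logs
on again), and lease expiry (warning one hour before, then the application is
terminated and the credential checked in). Names and durations are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

WARNING_BEFORE_EXPIRY = timedelta(hours=1)   # from the guide: notice one hour before expiry


@dataclass
class Lease:
    credential: str
    pool: str
    user: str
    expires_at: datetime
    sessions: set = field(default_factory=set)   # client sessions using this credential
    warned: bool = False


class AccessAgentModel:
    def __init__(self, lease_duration=timedelta(hours=8), server_reachable=True):
        self.lease_duration = lease_duration       # constructed; set by the ISIM administrator
        self.server_reachable = server_reachable   # connection to the ISIM Server
        self.leases = {}            # credential -> Lease checked out on this client
        self.pending_checkin = []   # check-ins that could not reach the server yet
        self.events = []            # audit trail of what the agent did
        self._n = 0

    def check_out(self, user, pool, session, now, reuse=True):
        """Check out from a pool; a second session to the same pool may reuse."""
        for lease in self.leases.values():
            if lease.user == user and lease.pool == pool:
                if reuse:   # user chose to reuse the already checked-out credential
                    lease.sessions.add(session)
                    self.events.append(f"reuse {lease.credential} in {session}")
                    return lease.credential
                break       # user chose a fresh check-out instead
        self._n += 1
        cred = f"{pool}-cred{self._n}"   # constructed credential identifier
        self.leases[cred] = Lease(cred, pool, user, now + self.lease_duration, {session})
        self.events.append(f"check-out {cred} in {session}")
        return cred

    def _check_in(self, lease):
        """Check in at the server, or queue the check-in if the server is unreachable."""
        self.leases.pop(lease.credential, None)
        if self.server_reachable:
            self.events.append(f"check-in {lease.credential}")
        else:
            self.pending_checkin.append(lease)
            self.events.append(f"pending {lease.credential}")

    def close_session(self, session):
        """Client closed normally: check in credentials no other session still uses."""
        for lease in list(self.leases.values()):
            lease.sessions.discard(session)
            if not lease.sessions:
                self._check_in(lease)

    def abnormal_termination(self, user):
        """Crash or deliberate termination: check in all of the user's credentials."""
        for lease in list(self.leases.values()):
            if lease.user == user:
                self._check_in(lease)

    def retry_pending(self):
        """Run on reconnect, or when the user logs on again after a restart."""
        if self.server_reachable:
            for lease in self.pending_checkin:
                self.events.append(f"check-in {lease.credential} (retry)")
            self.pending_checkin.clear()

    def tick(self, now):
        """Lease clock: warn one hour before expiry; terminate and check in at expiry."""
        for lease in list(self.leases.values()):
            if now >= lease.expires_at:
                self.events.append(f"terminate {sorted(lease.sessions)}; expired {lease.credential}")
                self._check_in(lease)
            elif not lease.warned and lease.expires_at - now <= WARNING_BEFORE_EXPIRY:
                lease.warned = True
                self.events.append(f"warn {lease.credential}")

    def checked_out(self):
        """Credentials currently checked out on this client, sorted by name."""
        return sorted(self.leases)
```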

Automatic check out and check in with client application logon

To log on with a client application, you can use the shared access credentials that you checked out and checked in automatically or manually.

With single sign-on automation

Use the IBM Security Access Manager for Enterprise Single Sign-On AccessAgent client to provide check-out and check-in automation of shared access credentials. You must install and configure the AccessAgent client on computers from where the client application is accessed.

Without single sign-on automation

Use the IBM Security Identity Manager self-service user interface console to check out and check in shared access credentials for a resource. After you check out a credential, provide the shared access credentials when the client application prompts you.

Logging on with PuTTY

You can use PuTTY to log on to a remote terminal host from Windows with shared privileged identities.

Before you begin

If you did not already do so:


v Configure the managed resource that you are going to access from PuTTY for shared access.

v Upload the Privileged Identity Management AccessProfile for PuTTY to the IMS Server. See “Uploading AccessProfiles to the IMS Server” on page 24.

v Ensure that there are IBM Security Identity Manager credentials in the Wallet.

About this task

You can configure the PuTTY AccessProfile for different logon prompts. See “Modifying AccessProfiles for the PuTTY application” on page 47.

Procedure

1. Start PuTTY.
2. Specify the target host name or IP address.
3. When prompted to log on with shared access credentials, choose Yes.
4. When prompted with the Shared Access Selection window, select one of the credential pools.

Results

The AccessProfile checks out the credentials from IBM Security Identity Manager and injects the logon credential in the terminal server logon prompt.

Logging on with the Microsoft Remote Desktop Connection (RDP) client

You can log on to a remote desktop with shared privileged identities with RemoteDesktop Connection.

Before you begin

If you did not already do so:

v Configure the managed resource that you are going to access from the RDP client for shared access.
v Upload the AccessProfile for the Microsoft Remote Desktop Connection RDP client to the IMS Server. See “Uploading AccessProfiles to the IMS Server” on page 24.
v Configure a group policy to always prompt RDP clients for a password before making a connection.

About this task

The IBM Security Privileged Identity Manager AccessProfile for the Microsoft Remote Desktop Connection RDP client does not support the injection of shared credentials at the RDP lock screen on the computer to which the user made a remote desktop connection.

Procedure

1. Start the Microsoft Remote Desktop Connection client by clicking Start > All Programs > Accessories > Remote Desktop Connection.
2. Specify the target host name or IP address.
3. Click Connect.
4. When prompted to log on with shared access credentials, choose Yes.
5. When prompted with the Shared Access Selection window, select one of the credential pools.
6. Enter the AccessAgent authentication credentials.

Results

The AccessProfile checks out the credentials from IBM Security Identity Manager, and injects the logon credential in the remote desktop logon prompt.

Logging on with IBM Personal Communications

Use the IBM Personal Communications application to log on to a mainframe application with a shared access identity. You must configure the bundled privileged identity management AccessProfile for your mainframe application before check-out and check-in automation can work.

Before you begin

Configure the AccessProfile for your mainframe application. See “Modifying AccessProfiles for the IBM Personal Communications application” on page 45.

About this task

For check-out and check-in automation to work with your custom mainframe applications, you must apply specific changes to the bundled IBM Security Privileged Identity Manager AccessProfile.

Customization is necessary because:

v Each mainframe or terminal application might contain different output phrases.
v The AccessProfile or application signature must contain a phrase similar to the one displayed by the mainframe application, so that when the application displays the phrase, the logon automation by the AccessProfile can proceed.

The following steps outline one way that the shared credential check-out automation might work.

Procedure

1. Start IBM Personal Communications.
2. Specify the target host name or IP address.

Note: The window title of IBM Personal Communications must match the session name.

3. Select the application.
4. When prompted to log on with shared access credentials, choose Yes.
5. When prompted with the Shared Access Selection window, select one of the credential pools.

Results

The AccessProfile checks out the credentials from IBM Security Identity Manager and injects the logon credential in the mainframe logon prompt.


Logging on with the VMware vSphere Client

Use the VMware vSphere Client to log on to a virtual machine with shared access credentials.

Before you begin

If you did not already do so:

v Configure the managed resource for shared access.
v Upload the shared access AccessProfile for VMware vSphere Client to the IMS Server. See “Uploading AccessProfiles to the IMS Server” on page 24.

Procedure

1. Start the VMware vSphere Client.
2. When the ISAMESSO AccessAgent dialog box is displayed:
   a. Specify the target host name or IP address.
   b. Click OK.

If you successfully checked out the shared access credentials, the credentials are injected into the VMware vSphere logon prompt. If the check-out failed, no credentials are injected.

3. Click Login.
4. When prompted to log on with shared access credentials, choose Yes.
5. When AccessAgent prompts for re-authentication, enter the AccessAgent credentials.
6. When prompted with the Shared Access Selection window, select one of the credential pools.

Results

The AccessProfile checks out the credentials from IBM Security Identity Manager, and injects the logon credentials in the VMware vSphere Client logon prompt.

Manual check-out

For workflows and applications not supported by the bundled privileged identity management AccessProfiles, you can check out credentials manually through the IBM Security Identity Manager self-service user interface.

The privileged identity management authentication service policy configuration in the IMS Configuration Utility determines whether a prompt is displayed for an IBM Security Identity Manager managed resource.

For supported client applications, if you do not want AccessAgent to check out and inject credentials automatically, select No. See “Shared access credential check-out process” on page 31.


Chapter 6. Administering

When your IBM Security Privileged Identity Manager deployment is configured, you can administer shared access features.

Administering shared access

The IBM Security Identity Manager shared access module provides centralized management of shared and privileged accounts.

Table 13 describes administration tasks that you might want to complete, depending on the requirements of your deployment.

Table 13. Shared access administration tasks

Administration task: Setting the service unique identifier
Description: In the managed resource service definition, set the unique identifier for connecting to the managed resource. For example, the unique identifier might be an IP address or the host name of the server.

Administration task: Managing the credential vault
Description: As an administrator, you can manage the credentials for shared accounts through the credential vault.

Administration task: Managing the credential pool
Description: As an administrator, you can use IBM Security Identity Manager to manage credential pools. A credential pool provides a way to group credentials that have similar access privileges. This grouping can be defined as a service group or a set of service groups.

Administration task: Managing shared access policies
Description: Shared access policies authorize role members to share credentials or credential pools.

Administration task: Shared access bulk load
Description: As an administrator, you can use the shared access comma-separated value (CSV) file to add accounts to the credential vault or add and update the credential pools in bulk. You can also modify credential settings for the accounts that are in the credential vault.

Administration task: Shared access objects for custom reports
Description: You can generate custom reports by using the Shared Access objects. Use the shared access entities, such as Credential, Credential Pool, Credential Lease, and Shared Access Policy, to generate the custom reports.

Table 14 describes data references you can use during administration tasks.

Table 14. Data reference for shared access

Data reference: Default access control items
Description: Use the default access control items for shared access to manage access security.

Data reference: Shared access tables
Description: Database tables that IBM® Security Identity Manager creates and uses to store information related to the Shared Access Module.

Data reference: Shared access classes
Description: For the Directory Server schema, the shared access module has several types of object classes, such as credential component, credential, credential pool, credential lease, and shared access policy.

Data reference: Auditing schema
Description: You can use the auditing schema to track shared access policy management, credential lease management, credential pool management, and credential management.

For more information:

v “Roadmap for configuring shared access for a managed resource” on page 9

v Shared access documentation
On this page in the IBM Security Identity Manager Information Center, see the "Administration" section to find links to the documentation for administering shared access.

v IBM Security Identity Manager Information Center
To find information about a task in either Table 13 on page 39 or Table 14 on page 39, go to this information center. On the home page, locate the information center search window, and enter the administration task name or data reference name, as listed in the table. For example, to administer shared access policies, enter "Managing shared access policies".

Privileged administrator view

In IBM Security Identity Manager, the shared access feature includes a default group and a default view for privileged administrators. The default view shows the administrative tasks that can be accessed by users who have the group membership.

The scope of activities for members of the Privileged Administrator group is:

v Manage a service, including the user accounts and requests for that service
v Manage and load privileged accounts from the managed service into the credential vault

A privileged administrator can manage and delegate the activities that are shown in the administration console view for the Privileged Administrator group. The Privileged Administrator group can also view nearly all tasks on the self-service console.

For more information:

v Shared access documentation
On this page in the IBM Security Identity Manager Information Center, see the section "Features" for links to topics on privileged administrators.

v IBM Security Identity Manager Information Center
To find more information about privileged administrators, go to this information center. On the home page, locate the information center search window, and enter "Scope of the Privileged Administrator group".


Privileged user view

In IBM Security Identity Manager, the shared access feature includes a default group and a default view for privileged users. The default view shows the tasks that can be accessed by users who have the group membership.

The scope of activities for members of the Privileged User group is:

v Manage their own profile
v Change their password
v Check in and check out shared accounts from the credential vault

The Privileged User group has no default view on the administration console, and no default access control items.

For more information:

v Shared access documentation
On this page in the IBM Security Identity Manager Information Center, see the section "Features" for links to topics on privileged users.

v IBM Security Identity Manager Information Center
To find more information about privileged users, go to this information center. On the home page, locate the information center search window, and enter "Scope of the Privileged User group".

Manual checkout and check in of shared credentials

Use the IBM Security Identity Manager self-service user interface console to access shared credentials.

Some IBM Security Privileged Identity Manager deployments do not require automated access to shared credentials. These deployments use only the IBM Security Identity Manager component. In these deployments, users who have sufficient privileges, such as membership in the Privileged Users group, can manually access shared credentials.

v For initial access to the self-service user interface console, see the topic “Initial login and password information” in the IBM Security Identity Manager Product Overview Guide in the IBM Security Identity Manager Information Center.

v When you log in to the self-service interface, go to the My Shared Access section of the entry panel. From this section, you can select wizards to assist you with the following tasks:
– Checking out a credential: check out the credential of your authorized shared accesses.
– Checking in a credential: check in the credential that you checked out previously.
– Viewing a password: view the password for the credentials.

v From anywhere in the self-service user interface, you can start the Help system to view help topics. In the Shared access section of the Help system, see:
– “Checking out a credential or credential pool”
– “Viewing the password for a shared credential”
– “Checking in credentials”


For more information:
• Shared access documentation
  On this page in the IBM Security Identity Manager Information Center, see the section "User scenarios for shared access" to view links to topics on user access.
• IBM Security Identity Manager Information Center
  To find more information about manual access to shared credentials, go to this information center. On the home page, locate the information center search window, and enter "Checking out a credential or credential pool".

Managing multiple AccessProfiles for the same client application

Each application signature for an AccessProfile must be unique. Single sign-on cannot occur if there are multiple AccessProfiles with the same application signature on the IMS Server. If you have more than one AccessProfile for the same application, consider deleting or modifying copies of the AccessProfile.

Note: Duplicate AccessProfiles with signature detection conflicts are also logged in the AccessAgent logs as errors.

For example, a Remote Desktop Connection (RDP) AccessProfile is already on the IMS Server.
• You might already have a custom Remote Desktop Connection (RDP) AccessProfile for logging on to remote desktops.
• If you upload a new privileged identity management AccessProfile with the same application signature, single sign-on does not trigger.
• Consider the actions you can take to resolve the issue.
  – Delete the existing AccessProfile for the RDP application from the IMS Server if the AccessProfile is not in use.
  – Merge the AccessProfiles.

Important: Privileged identity management AccessProfiles work only with AccessAgent, Version 8.2.

Identifying AccessProfile collision

You can use the AccessStudio message pane logs to determine whether there are multiple AccessProfiles for the same client application on the IMS Server.

Before deployment, complete these steps on a test computer with the AccessAgent installed:
1. Ensure that you are logged on to AccessAgent.
2. Import data from the IMS Server with AccessStudio.
3. Start the client application you are testing for AccessProfile collision.
4. From the AccessStudio real-time logs, look for the phrase:
   ...multiple AccessProfiles were found.

Merging AccessProfiles

If you want both the privileged identity management AccessProfiles and the AccessProfiles you already have, then you must consider advanced AccessProfile merging.

For help with advanced AccessProfile merging, contact IBM Services.


Accessing administrative consoles

Table 15. Common administrative consoles for IBM Security Privileged Identity Manager.

Console: IBM Security Access Manager for Enterprise Single Sign-On AccessAdmin
  Example URL: https://ims_hostname:ihs_ssl_port/admin

Console: IBM Security Access Manager for Enterprise Single Sign-On IMS Configuration Utility
  Example URL: https://ims_hostname:ihs_ssl_port/admin

Console: IBM Security Identity Manager administrative console
  Example URL: https://TAM60-Server/ITIMServer/itim/console

Console: IBM Security Identity Manager self-service console
  Example URL: https://TAM60-Server/ITIMServer/itim/self


Chapter 7. Modifying AccessProfiles

Modify the AccessProfile to customize its functions for the application.

Some custom mainframe applications have additional logon requirements.

For example:
• Specifying additional logon credential fields for credential injection.
• Simulating different keyboard keys to shift the terminal entry focus.

To customize advanced AccessProfiles that are not covered in this section, see the IBM Security Access Manager for Enterprise Single Sign-On AccessStudio Guide. Alternatively, search the IBM website for "Advanced AccessProfile Redbooks®" for guidance.

Use the privileged identity management AccessProfiles for IBM Personal Communications as a template.

For more information, see:
• "Modifying AccessProfiles for the IBM Personal Communications application"
• "Modifying AccessProfiles for the PuTTY application" on page 47

Modifying AccessProfiles for the IBM Personal Communications application

Modify the Personal Communications AccessProfile to customize its behavior.

Before you begin

If you did not already do so:
• Install AccessStudio.
• Install the IBM Personal Communications client.
• Open the Personal Communications application.
• Upload the AccessProfile to the IMS Server.

Tip: Before you apply any modifications, you can take a local backup of the AccessProfile. To back up the AccessProfile to file, you can save the AccessProfile to a location on your computer.

About this task

The window title of the Personal Communications application must match thesession name.

Procedure
1. Start AccessStudio.
2. Import the Privileged Identity Management AccessProfile package into the AccessStudio workspace by clicking File > Import data from IMS.
3. In the AccessProfile pane, open profile_PCOMM_main.


4. Select the States tab.
5. In the AccessProfile state diagram canvas, select the Run a VBScript or JScript action under the second state.
6. In the Properties pane, select the Form Editor tab.
7. Click Open Script Editor.
8. Edit the script.
   a. Select a unique text from the mainframe application screen.
   b. Remove the variable portion of the text.
   c. Retain the non-variable portion of the text in the form of a regular expression. For example:
      • Unique text: Welcome UserA
      • Variable: UserA
      • Non-variable: Welcome
      • Regular expression of the non-variable text: Welcome.*

      This regular expression matches any instances of text that might be displayed as:
        WELCOME-WELCOME-EXAMPLE APPLICATION WELCOME

      This regular expression does not match the following instances:
        welcome
        Welcome
        Example Welcome
        W.E.L.C.O.M.E
   d. Modify the second argument for each pc.SetPropValue entry. You can add the regular expression or replace the existing regular expression.

      ' Regular expressions that identify each mainframe screen by its text
      pc.SetPropValue "text_to_identify_the_welcome_screen", _
          "^.*WELCOME.*$|.*User\sID\s:.*"
      pc.SetPropValue "text_to_identify_and_initiate_PIM_workflow", _
          ".*WELCOME\sTO\sCICS.*|.*User\sID\s:.*"
      pc.SetPropValue "text_is_found_for_injecting_username", _
          ".*[Ll]ogin.*:.*|.*LOGIN.*:.*|.*WELCOME\sTO\sCICS.*|.*Userid.*|.*User\sID.*"
      pc.SetPropValue "text_is_found_for_injecting_password", _
          ".*(?i)(please type your password|missing password).*"
      pc.SetPropValue "text_is_found_for_not_injecting_password", _
          ".*(?i)(your userid is invalid).*"
      pc.SetPropValue "text_is_first_displayed_for_access_denied_or_failure", _
          ".*[Dd]enied.*|.*DENIED.*|.*[Ii]nvalid.*|.*not\sdefined\.*"
      pc.SetPropValue "text_is_found_for_successful_logon", _
          ".*[Ll]ast login.*:.*|.*LAST LOGIN.*:.*|.*Microsoft\sWindows.*|.*Sign-on\sis\scomplete.*|.*Enterprise\sSummary.*"

      ' Window signatures of the Personal Communications windows that carry the screen text
      pc.SetPropValue "Wnd_sig_Username", _
          "/child::wnd[@class_name=""PCSWS:Main:00400000""]"
      pc.SetPropValue "wnd_for_text_identication_on_mainframe_screen", _
          "/child::wnd[@class_name=""PCSWS:Main:00400000""]/child::wnd[@class_name=""PCSWS:Pres:00400000"" and @ctrl_id=2]"
      pc.SetPropValue "Parent_Wnd_Signature", _
          "/child::wnd[@class_name=""PCSWS:Main:00400000""]/child::wnd[@class_name=""PCSWS:Pres:00400000"" and @ctrl_id=2]"

9. Test the AccessProfile.
   a. Start Test Mode.
   b. Start IBM Personal Communications.
10. After the test is completed, save the AccessProfile. The AccessProfile on the IMS Server is updated.

Note: If you are working from a local copy of the AccessProfile, remember to publish the completed AccessProfile to the IMS Server.

Modifying AccessProfiles for the PuTTY application

Modify the PuTTY application AccessProfile to customize its behavior.

Before you begin

If you did not already do so:
• Install AccessStudio.
• Install the PuTTY client.
• Open the PuTTY application.
• Upload the AccessProfile to the IMS Server.

Tip: Before you apply any modifications, you can take a local backup of the AccessProfile. To back up the AccessProfile to file, you can save the AccessProfile to a location on your computer.

Procedure
1. Start AccessStudio.
2. Import the Privileged Identity Management AccessProfile package into the AccessStudio workspace by clicking File > Import data from IMS.
3. In the AccessProfile pane, open profile_putty_main.
4. Select the States tab.
5. In the AccessProfile state diagram canvas, select the Run a VBScript or JScript action under the second state.
6. In the Properties pane, select the Form Editor tab.
7. Click Open Script Editor.
8. Edit the script.

   a. Select a unique text from the mainframe application screen.
   b. Remove the variable portion of the text.
   c. Retain the non-variable portion of the text in the form of a regular expression. For example:
      • Unique text: Welcome UserA
      • Variable: UserA
      • Non-variable: Welcome
      • Regular expression of the non-variable text: Welcome.*

      This regular expression matches any instances of text that might be displayed as:
        WELCOME-WELCOME-EXAMPLE APPLICATION WELCOME

      This regular expression does not match the following instances:
        welcome
        Welcome
        Example Welcome
        W.E.L.C.O.M.E
   d. Modify the second argument for each pc.SetPropValue entry. You can add the regular expression or replace the existing regular expression.

      ' Regular expressions that identify each terminal screen by its text
      pc.SetPropValue "text_is_found_for_injecting_password", _
          ".*[Pp]assword.*|.*PASSWORD.*"
      pc.SetPropValue "text_is_found_for_not_injecting_password", _
          ".*[Dd]enied.*|.*DENIED.*"
      pc.SetPropValue "text_is_first_displayed_for_access_denied_or_failure", _
          ".*[Dd]enied.*|.*DENIED.*|.*[Ii]nvalid.*|.*not\sdefined\.*"
      pc.SetPropValue "text_is_found_for_successful_logon", _
          ".*[Ll]ast login.*:.*|.*LAST LOGIN.*:.*|.*$.*|.*>.*|.*#.*|.*Microsoft\sWindows.*|.*Sign-on\sis\scomplete.*|.*Enterprise\sSummary.*"

      ' Window signatures of the PuTTY terminal window
      pc.SetPropValue "Parent_Wnd_Signature", _
          "/child::wnd[@title~"".*- PuTTY"" and @class_name=""PuTTY""]"
      pc.SetPropValue "wnd_for_text_identication_on_mainframe_screen", _
          "/child::wnd[@title~"".*- PuTTY"" and @class_name=""PuTTY""]"

9. Test the AccessProfile.
   a. Start Test Mode.
   b. Start IBM Personal Communications.
10. After the test is completed, save the AccessProfile. The AccessProfile on the IMS Server is updated.

Note: If you are working from a local copy of the AccessProfile, remember to publish the completed AccessProfile to the IMS Server.
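As an added example that is not part of the IBM guide, the Python script below applies the screen-identification regular expressions from the PCOMM and PuTTY procedures above to constructed screen lines, so that you can see which state each line would satisfy before testing the profile in AccessStudio. It assumes that the regular expression engine AccessAgent uses treats `$`, `\s` and alternation as Python's re module does; the two `(?i)` password patterns are left out because recent Python versions reject an inline flag that is not at the start of the expression, and the escaped `\$` variant is our assumption about the intent of the PuTTY success pattern, not text from the guide.

```python
import re

# Patterns copied from the second argument of the pc.SetPropValue calls in the
# PCOMM procedure above. The two (?i) password patterns are omitted because
# recent Python versions reject an inline flag that is not at the very start.
PCOMM_PATTERNS = {
    "text_to_identify_the_welcome_screen":
        r"^.*WELCOME.*$|.*User\sID\s:.*",
    "text_is_found_for_injecting_username":
        r".*[Ll]ogin.*:.*|.*LOGIN.*:.*|.*WELCOME\sTO\sCICS.*|.*Userid.*|.*User\sID.*",
    "text_is_first_displayed_for_access_denied_or_failure":
        r".*[Dd]enied.*|.*DENIED.*|.*[Ii]nvalid.*|.*not\sdefined\.*",
    "text_is_found_for_successful_logon":
        r".*[Ll]ast login.*:.*|.*LAST LOGIN.*:.*|.*Microsoft\sWindows.*"
        r"|.*Sign-on\sis\scomplete.*|.*Enterprise\sSummary.*",
}

# PuTTY success pattern as printed in the PuTTY procedure (reduced to the
# prompt alternatives), and a variant that escapes the dollar sign. The
# escaped form is our assumption about the intent, not text from the guide.
PUTTY_SUCCESS_AS_PRINTED = r".*[Ll]ast login.*:.*|.*LAST LOGIN.*:.*|.*$.*|.*>.*|.*#.*"
PUTTY_SUCCESS_ESCAPED = r".*[Ll]ast login.*:.*|.*LAST LOGIN.*:.*|.*\$.*|.*>.*|.*#.*"

# Constructed screen lines, one per terminal row; not captured from a real host.
SAMPLE_SCREEN_LINES = [
    "WELCOME TO CICS",
    "Welcome UserA",
    "User ID :",
    "Your userid is invalid",
    "Last login: Mon Jan  1 09:00:00 2012 from 192.0.2.10",
    "Connection refused",
]


def matching_states(screen_line, patterns=PCOMM_PATTERNS):
    """Names of every pattern that matches one screen line. re.search is used
    because the patterns rely on a leading .* rather than on anchoring."""
    return sorted(name for name, pattern in patterns.items()
                  if re.search(pattern, screen_line))


def classify_screen(lines=SAMPLE_SCREEN_LINES, patterns=PCOMM_PATTERNS):
    """Map each screen line to the states whose text pattern it satisfies."""
    return {line: matching_states(line, patterns) for line in lines}


def ambiguous_lines(lines=SAMPLE_SCREEN_LINES, patterns=PCOMM_PATTERNS):
    """Lines that satisfy more than one pattern. 'Last login: ...' is matched
    by both the username-injection pattern ([Ll]ogin followed by a colon) and
    the successful-logon pattern, so such overlaps are worth reviewing after
    every edit of the regular expressions."""
    return [line for line, states in classify_screen(lines, patterns).items()
            if len(states) > 1]


def putty_logon_succeeded(screen_line, pattern=PUTTY_SUCCESS_AS_PRINTED):
    """True when the PuTTY success pattern matches the line. As printed, the
    alternative '.*$.*' reads 'anything, end of line, anything', which every
    line satisfies (including an empty one); writing it as '.*\\$.*' limits
    the match to a line that actually contains a $ prompt."""
    return re.search(pattern, screen_line) is not None


if __name__ == "__main__":
    for line, states in classify_screen().items():
        print(f"{line!r:56} -> {states or ['(no state matched)']}")
    print("lines matching more than one state:", ambiguous_lines())
    for pattern in (PUTTY_SUCCESS_AS_PRINTED, PUTTY_SUCCESS_ESCAPED):
        print(pattern, "->", putty_logon_succeeded("Connection refused", pattern))
```

Note that "Welcome UserA" matches nothing: the patterns are case-sensitive, which is the behaviour the welcome-screen example in the procedure describes.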


Chapter 8. Reports and audit logs

Use the reports or audit logs to investigate security events or collect metrics about how you are using privileged identities.

To view reports about privileged identity management activities, install IBM Tivoli Common Reporting. Use IBM Tivoli Common Reporting to view and customize the available shared access reports from IBM Security Access Manager for Enterprise Single Sign-On and IBM Security Identity Manager.

Types of available reports

IBM Security Privileged Identity Manager records some audit logs for all shared access events.

Audit logs and reports are available as:
• IMS Server audit log entries.
• IBM Tivoli Common Reporting BIRT-based reports.

The privileged identity AccessProfile includes actions that generate an audit log entry. You can configure additional audit log entries for either successful or unsuccessful logon attempts.

To view the IBM Security Privileged Identity Manager reports, you must import and deploy the reports into IBM Tivoli Common Reporting.

Table 16. Audit logs and reports for the IBM Security Privileged Identity Manager solution.

Privileged ID Check-out (audit log report viewed in AccessAdmin)
  Parameters or examples:
  • ApplicationName: Name of the application. For example: PuTTY.
  • ServiceURI: Endpoint host name or IP address of the managed resource you are logging on to.
  • Shared Access ID: Shared Access ID of the privileged account.
  • Privileged User ID: User ID of the privileged account.
  • Return code: Return code of the checkout function. See "Message reference" on page 77 for the example codes.

Privileged ID Check-in (audit log report viewed in AccessAdmin)
  Parameters or examples:
  • ApplicationName: Name of the application. For example: PuTTY.
  • ServiceURI: Endpoint host name or IP address of the managed resource you are logging on to.
  • Shared Access ID: Shared Access ID of the privileged account.
  • Privileged User ID: User ID of the privileged account.
  • Return code: Return code of the checkout function. See "Message reference" on page 77 for the example codes.

Shared access audit history report (BIRT-based report viewed on a reporting workstation with IBM Tivoli Common Reporting)
  See "Example: Shared access audit history" on page 73.

Shared access entitlements by owner (BIRT-based report viewed on a reporting workstation with IBM Tivoli Common Reporting)
  See "Example: Shared access entitlements by owner" on page 74.

Shared access entitlements by role (BIRT-based report viewed on a reporting workstation with IBM Tivoli Common Reporting)
  See "Example: Shared access entitlements by role" on page 75.

User Information Report (BIRT-based report viewed on a reporting workstation with IBM Tivoli Common Reporting)
  See "Example: User information" on page 71.

Application Usage Report (BIRT-based report viewed on a reporting workstation with IBM Tivoli Common Reporting)
  See "Example: Application usage" on page 72.

Configuring the audit logs to include privileged identity events

Configure the ims.xml file to include IBM Security Privileged Identity Manager event codes in the IMS Server audit log tables. Use these event codes to track and log the check-out and check-in of shared access credentials.

About this task

Complete this task only if you upgraded the IMS Server using the 8.2.0-ISS-SAMESSO-IMS-FP0003 fix pack.

The IMS Server does not display the full content of the audit log. View the full content using IBM Tivoli Common Reporting.


Procedure
1. Log on to the IBM Integrated Solutions Console with the WebSphere administrator credentials. For example: wasadmin.
2. On the Integrated Solutions Console navigation pane, select Applications > Application Types > WebSphere Enterprise Applications.
3. Stop the ISAMESSOConfig and ISAMESSOIMS applications.
4. Access the ims.xml file with a text editor.
   • For WebSphere Application Server Stand-alone Deployment: <WAS_profile>/config/tamesso/config/
   • For WebSphere Application Server Network Deployment: <Dmgr_profile>/config/tamesso/config/
5. Add the following event codes at the end of the list of values specified under the <encentuate.ims.log.UserAdminLog.SearchableEventCodes> tag.
   • 42050001
   • 42050002

   Note:
   • Put all values in a single line, with no extra spaces, and separated by a comma.
   • You are not required to copy the values that are already in the ims.xml file. Append the new event codes specified in this step.

   For example:
   <encentuate.ims.log.UserAdminLog.SearchableEventCodes>
   <value xml:lang="en">42000007,42000002,42000001,4200002C,4200002F,4204000D,4204000E,4204000F,42000030,43002025,43005070,43005080,43005081,43005082,43001002,43005056,43005095,43005094,43005093,43005096,43002002,4300A101,4300A108,4300A10A,4300A10E,4300A10D,4300A001,42000003,43005057,43005090,43005084,4300B037,4300B038,4300A120,43011005,4300F004,4300F001,43001008,43011008,43011009,43011004,43005077,4300F006,4300F005,42050001,42050002</value>
   </encentuate.ims.log.UserAdminLog.SearchableEventCodes>
6. Start the ISAMESSOConfig application.
7. Take one of the following actions:
   • For WebSphere Application Server Stand-alone Deployment, start the ISAMESSOIMS application.
   • For WebSphere Application Server Network Deployment, resynchronize the nodes and restart the cluster.

Configuring or administering IBM Tivoli Common Reporting

An administrator can use IBM Tivoli Common Reporting to view the shared access reports that are available from IBM Security Access Manager for Enterprise Single Sign-On and IBM Security Identity Manager.

You can view, administer, and run the available reports with the IBM Tivoli Common Reporting software.

Note: For more information about customizing the default shared access report layouts, see the IBM Security Identity Manager Information Center.


Importing the reports into Tivoli Common Reporting

Importing the report packages places the reports in an IBM Tivoli Common Reporting instance that you can access.

Before you begin
• Install IBM Security Identity Manager, Version 6.0. For more information, see the IBM Security Identity Manager Installation Guide.
• Install IBM Security Access Manager for Enterprise Single Sign-On, Version 8.2. For more information, see the IBM Security Access Manager for Enterprise Single Sign-On Installation Guide.
• Install or upgrade to IBM Tivoli Common Reporting, Version 2.1.1.

About this task

Install the reports into Tivoli Common Reporting to run IBM Security Identity Manager, Version 6.0, and IBM Security Access Manager for Enterprise Single Sign-On, Version 8.2, reports from IBM Tivoli Common Reporting. Both IBM Security Access Manager for Enterprise Single Sign-On and IBM Security Identity Manager include a subset of reports that you can install into IBM Tivoli Common Reporting.

Procedure
1. Import the IBM Security Identity Manager, Version 6.0, report package into IBM Tivoli Common Reporting.
2. Import the IBM Security Access Manager for Enterprise Single Sign-On, Version 8.2, report package into IBM Tivoli Common Reporting.
3. Configure the data source in IBM Tivoli Common Reporting to work with each report package.

Results

Importing the reports places them in Common Reporting > Public Folders > Tivoli Products.

Viewing reports with Tivoli Common Reporting

You can use the report console to view a larger collection of shared access and privileged identity reports from a single console.

Before you begin
• Install and configure IBM Tivoli Common Reporting.
• Install the Business Intelligence Reporting Tool (BIRT) reports for both IBM Security Identity Manager Server and IBM Security Access Manager for Enterprise Single Sign-On.

Procedure
1. Log on to the Tivoli Common Reporting instance.
2. Expand Reporting > Common Reporting.
3. Click IBM Security Products.
4. Expand the following options to see related privileged identity reports:
   • SAM Enterprise Single Sign-On 8.2
     – User Information
     – Application Usage
   • Security Identity Manager 6.0
     – Shared access audit history
     – Shared access entitlements by owner
     – Shared access entitlements by role

Update IMS view to show Privileged Identity Management events

To use Tivoli Common Reporting to view the Privileged Identity Manager reports, delete the view ImsAppUsageInfoR from the database schema. Recreate it with the CREATE VIEW script that applies to your database.

Note: Complete this task only if you upgraded the IMS Server using the 8.2.0-ISS-SAMESSO-IMS-FP0003 fix pack.

The CREATE VIEW script varies for each database.

Note: Remove the line breaks when you copy the script.

IBM DB2®

CREATE VIEW <schema_name>.ImsAppUsageInfoR
AS SELECT ua.enterpriseId AS entId,
          ua.sociId AS sociId, ua.appId AS authService,
          ua.appUid AS appUid, ua.eventCode AS event,
          ua.resultCode AS result, ua.clientIpAddr AS client,
          ua.logImsServerId AS server, ua.logTime AS time,
          ua.description AS description
   FROM IMSLOGUserActivity ua
   WHERE (ua.eventCode = 1107296257 OR ua.eventCode = 1107296258 OR ua.eventCode = 1107296263
       OR ua.eventCode = 1107296259 OR ua.eventCode = 1124114696 OR ua.eventCode = 1124114698
       OR ua.eventCode = 1124114433 OR ua.eventCode = 1124114701 OR ua.eventCode = 1124114702
       OR ua.eventCode = 1107623937 OR ua.eventCode = 1107623938);

Microsoft SQL Server

CREATE VIEW <schema_name>.ImsAppUsageInfoR
AS SELECT ua.enterpriseId as entId,
          ua.sociId as sociId, ua.appId as authService,
          ua.appUid as appUid, ua.eventCode as event,
          ua.resultCode as result, ua.clientIpAddr as client,
          ua.logImsServerId as server, ua.logTime as time,
          ua.description as description
   FROM IMSLOGUserActivity ua
   WHERE (ua.eventCode=1107296257 OR ua.eventCode=1107296258 OR ua.eventCode=1107296263
       OR ua.eventCode=1107296259 OR ua.eventCode=1124114696 OR ua.eventCode=1124114698
       OR ua.eventCode=1124114433 OR ua.eventCode=1124114701 OR ua.eventCode=1124114702
       OR ua.eventCode=1107623937 OR ua.eventCode=1107623938)

Oracle

CREATE VIEW <schema_name>.ImsAppUsageInfoR
AS SELECT ua.enterpriseId as entId,
          ua.sociId as sociId, ua.appId as authService,
          ua.appUid as appUid, ua.eventCode as event,
          ua.resultCode as result, ua.clientIpAddr as client,
          ua.logImsServerId as server, ua.logTime as time,
          ua.description as description
   FROM IMSLOGUserActivity ua
   WHERE (ua.eventCode=1107296257 OR ua.eventCode=1107296258 OR ua.eventCode=1107296263
       OR ua.eventCode=1107296259 OR ua.eventCode=1124114696 OR ua.eventCode=1124114698
       OR ua.eventCode=1124114433 OR ua.eventCode=1124114701 OR ua.eventCode=1124114702
       OR ua.eventCode=1107623937 OR ua.eventCode=1107623938)
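The ims.xml list and the ImsAppUsageInfoR view refer to the same privileged identity events in two notations: ims.xml carries the hexadecimal codes 42050001 and 42050002, while the view's WHERE clause compares ua.eventCode with the decimal literals 1107623937 and 1107623938. As an added example that is not IBM's code, the Python below appends the two codes to a constructed ims.xml fragment without duplicating them on a second run, converts between the two notations, and checks that a view's WHERE clause covers the codes; the XML fragment and the WHERE clause are sample input embedded in the script.

```python
import re
import xml.etree.ElementTree as ET

TAG = "encentuate.ims.log.UserAdminLog.SearchableEventCodes"

# Constructed ims.xml fragment with a shortened code list; the real file
# carries the full list shown in the procedure above.
IMS_XML_FRAGMENT = (
    f"<{TAG}>"
    '<value xml:lang="en">42000007,42000002,42000001,4300F005</value>'
    f"</{TAG}>"
)

# Privileged identity event codes from the procedure (hex, as written in ims.xml):
# 42050001 = Privileged ID Check-out, 42050002 = Privileged ID Check-in.
PIM_EVENT_CODES = ("42050001", "42050002")

# WHERE clause of the DB2 ImsAppUsageInfoR view above, used here as sample input.
DB2_VIEW_WHERE = (
    "WHERE (ua.eventCode = 1107296257 OR ua.eventCode = 1107296258 "
    "OR ua.eventCode = 1107296263 OR ua.eventCode = 1107296259 "
    "OR ua.eventCode = 1124114696 OR ua.eventCode = 1124114698 "
    "OR ua.eventCode = 1124114433 OR ua.eventCode = 1124114701 "
    "OR ua.eventCode = 1124114702 OR ua.eventCode = 1107623937 "
    "OR ua.eventCode = 1107623938)"
)


def append_event_codes(xml_text, new_codes=PIM_EVENT_CODES):
    """Append the codes that are missing from the <value> list and return
    (updated xml text, list of codes). The value keeps the single-line,
    comma-separated, no-spaces form that the procedure's Note requires."""
    root = ET.fromstring(xml_text)
    if root.tag != TAG:
        raise ValueError(f"expected <{TAG}>, got <{root.tag}>")
    value = root.find("value")
    codes = [c.strip() for c in (value.text or "").split(",") if c.strip()]
    for code in new_codes:
        if code not in codes:          # re-running the step must not duplicate codes
            codes.append(code)
    value.text = ",".join(codes)
    return ET.tostring(root, encoding="unicode"), codes


def event_code_to_view_literal(hex_code):
    """ims.xml stores event codes as hex strings; IMSLOGUserActivity.eventCode
    holds the same value as a decimal integer, which is what the
    ImsAppUsageInfoR view compares against."""
    return int(hex_code, 16)


def view_literals_to_event_codes(view_sql):
    """The decimal literals of a view's WHERE clause, as the hex codes ims.xml uses."""
    return sorted(f"{int(n):08X}" for n in
                  re.findall(r"ua\.eventCode\s*=\s*(\d+)", view_sql))


def view_covers_codes(view_sql, hex_codes=PIM_EVENT_CODES):
    """True when every given ims.xml code appears (in decimal) in the view."""
    present = set(view_literals_to_event_codes(view_sql))
    return all(code.upper() in present for code in hex_codes)


if __name__ == "__main__":
    updated, codes = append_event_codes(IMS_XML_FRAGMENT)
    print(updated)
    for code in PIM_EVENT_CODES:
        print(code, "->", event_code_to_view_literal(code))
    print("view covers check-out/check-in:", view_covers_codes(DB2_VIEW_WHERE))
```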


Shared access objects for custom reports

You can generate custom reports by using the Shared Access objects in IBM Security Identity Manager.

Use the Shared Access entities, such as Credential, Credential Pool, Credential Lease, and Shared Access Policy, to generate the custom reports. For more information, see Shared access objects for custom reports in the IBM Security Identity Manager Administration Guide in the IBM Security Identity Manager Information Center.

Viewing audit logs with the AccessAdmin utility

When you automatically log on with shared access credentials, an audit log entry is created. You can use the AccessAdmin utility to view audit log entries.

About this task

For more information about viewing:
• IMS Server audit logs, see the IBM Security Access Manager for Enterprise Single Sign-On Administrator Guide.
• IBM Security Identity Manager audit logs, see the IBM Security Identity Manager information center.

Procedure
1. Log on to the managed resource with shared access credentials to generate valid audit entries.
2. Log on to AccessAdmin.
3. Under System, click Audit logs.
4. Under Choose search criterion, choose the event name. For example: Privileged ID Check Out.


Chapter 9. Troubleshooting

You can diagnose and troubleshoot errors that occur during the IBM Security Privileged Identity Manager installation.

Troubleshooting server connectivity and availability

A network connection problem or an unconfigured managed resource are common installation problems.

Problems

The IBM Security Identity Manager Server is not available or cannot be contacted.

Causes

Some possible causes:
• The network connection is disconnected.
• The managed resource is not configured for shared access.

Solutions
• Check the network connection.
• If you are the administrator, ensure that the IBM Security Identity Manager Server is started.
• Ensure that the managed resource is already configured for shared access.
• Check out the credentials manually from the IBM Security Identity Manager Server and choose not to log on with shared credentials. Specify the logon credentials manually.

Troubleshooting the audit log

This section describes audit log problems and solutions.

Table 17. Troubleshooting audit log problems and solutions.

Problem: Event number mismatch.
  Solution: Update the AccessProfile custom audit log action if you are defining custom audit codes.

Problem: The event code changes are not reflected on the client.
  Solution: Synchronize the AccessAgent computer with the IMS Server.


Troubleshooting checklist

This section describes some common problems and possible solutions.

Table 18. Common problems and possible solutions.

Problem: The IBM Security Identity Manager Server is not available.
  Solutions:
  • Check the network connection.
  • Ensure that the managed resource is configured for shared access.

Problem: The managed resource is not configured for shared access for IBM Security Identity Manager.
  Solutions:
  • Configure the managed resource for shared access with IBM Security Identity Manager.
  • Avoid logging on with shared access credentials.

Problem: All the available shared access credentials are checked out.
  Solutions:
  • Wait for a few minutes until there are available shared credentials.
  • Find out the identity of the checked-out credentials from IBM Security Identity Manager. Ask the credential owner to check in their credentials.

Problem: There are no IBM Security Identity Manager Server credentials in the Wallet.
  Solution: Follow the instructions on the screen to enter the credentials. The credentials must have privileges to check out shared access credentials.

Problem: The account used to log on to the managed resource does not have correct entitlements on IBM Security Identity Manager.
  Solution: Use IBM Security Identity Manager to ensure that the account used to log on has correct permissions for the available shared access accounts.

Information center resources for troubleshooting shared access

The IBM Security Identity Manager Information Center provides additional information about troubleshooting issues with shared access.

To troubleshoot the shared access module, see:
• "Fixing data replication errors for invalid object names" in the IBM Security Identity Manager Installation Guide.
  You might see a data replication error during installation, if you:
  – Run DBConfig to drop all database tables.
  – Do not run SAConfig to repopulate the tables that are specific to the shared access module.
  Complete the steps in this topic to reconfigure the shared access module.
• "Troubleshooting shared access module problems" in the IBM Security Identity Manager Troubleshooting Guide.
  This section describes how to fix configuration problems that can prevent a credential from displaying in the Self Service user interface. It also describes how to reconfigure the shared access module when LDAP is configured.


Appendix A. Optional configuration tasks

There are several optional configuration tasks for IBM Security Privileged Identity Manager.

Optional configuration for shared access

Complete the optional tasks to configure shared access if needed for your deployment.

Manual configuration of the shared access module

After the initial installation of IBM Security Identity Manager, you might need to reconfigure your directory server or your database. You can use the ldapConfig and the DBConfig tools provided by IBM Security Identity Manager. If you use those tools to modify the IBM Security Identity Manager configuration, you must also reconfigure the shared access module.

You can use the SAConfig tool to populate the default data for the shared access module and regenerate key files for the credential vault server. See the topic Shared access module configuration in the IBM Security Identity Manager Installation Guide.

Configuration of an external credential vault server

The IBM Security Identity Manager installation automatically installs and configures a credential vault server. This server does the check-out and check-in of shared access credentials. A typical installation does not require any manual configuration of the credential vault server.

Optionally, you can deploy multiple IBM Security Identity Manager servers that all use one credential vault server. This configuration reduces the management activities required to update the credential vault servers when you change the credentials. For example, this configuration is useful in a WebSphere cluster.

You can configure each of the IBM Security Identity Manager servers to use an external credential vault server. See Configuring an external credential vault server in the IBM Security Identity Manager Information Center.

Creating your own privileged identity management AccessProfiles

Use the IBM Security Privileged Identity Manager AccessProfile to start developing or enhancing your own privileged identity management scenarios.

Before you begin

If you did not already do so:
• Install AccessStudio, Version 8.2.0.0505.
• Ensure that you have the Privileged Identity Management AccessProfiles. You can download the AccessProfiles from the AccessProfiles Library.

Procedure
1. In AccessStudio, open the sample AccessProfile.


2. Build or enhance the Privileged Identity Management AccessProfile. For more information, see Chapter 7, "Modifying AccessProfiles," on page 45.
3. Debug and start your AccessProfile.
4. Upload your AccessProfile to the IMS Server.

Modifying lease time

If you manually check out shared access credentials from IBM Security Identity Manager Server, you can modify the lease expiry time for shared access credentials.

To modify the lease time expiry for a credential, see the IBM Security Identity Manager information center and search for "lease time expiry". You cannot modify the lease expiry time when you check out or check in credentials automatically.


Appendix B. Requirements for component products

IBM Security Privileged Identity Manager is a solution based on IBM Security Identity Manager and IBM Security Access Manager for Enterprise Single Sign-On.

IBM Security Access Manager for Enterprise Single Sign-On, Version 8.2

View the hardware and software requirements for IBM Security Access Manager for Enterprise Single Sign-On at the time the product was released.

To view the latest hardware and software requirements for IBM Security Access Manager for Enterprise Single Sign-On, see http://www.ibm.com/support/docview.wss?uid=swg27036350.

Hardware and software requirements

Verify the different requirements and compatible versions for each of the IBM Security Access Manager for Enterprise Single Sign-On components. You must have administrator privileges to install the required software.

Requirements for the IMS Server

Hardware requirements depend on usage. For the hardware requirements of software that is not listed in this section, see the documentation provided with that product.

Note: The IMS Server runs on WebSphere Application Server on the Windows server platform only. The IMS Server hardware requirements are therefore already accommodated when you comply with the WebSphere Application Server hardware requirements.

Hardware requirements

Table 19. Hardware requirements for IMS Server

IBM DB2
  • 2 GB RAM
  • 20 GB disk space

IBM WebSphere Application Server Network Deployment
  • 2 GHz processor
  • 8 GB disk space
  • 3 GB RAM

IBM HTTP Server
  • 1 GB RAM
  • 1 GB disk space

Hardware requirements (virtualization)

Table 20. Hardware requirements for IMS Server (virtualization)

VMware ESX and ESXi 3.5 or 4.0 (minimum virtual hardware)
  • 2 virtual processors
  • 4 GB virtual RAM


Supported operating systems

• Microsoft Windows Server 2003 (x86), Standard, Datacenter, and Enterprise Editions
• Microsoft Windows Server 2008 Service Pack 2 (x86 and x64), Standard, Datacenter, and Enterprise Editions
• Microsoft Windows Server 2008 R2 Service Pack 1 (x64), Standard, Datacenter, and Enterprise Editions

Supported software

Install and configure the following software to successfully install and run the IMS Server:

Note:
• Sample instructions and guidelines on installing the supported software are provided. For the detailed and up-to-date procedures, see the relevant product documentation.
• IBM WebSphere Application Server (Base and Network Deployment Edition) x86 works only with IBM HTTP Server x86 and vice versa.
• IBM WebSphere Application Server (Base and Network Deployment Edition) x64 works only with IBM HTTP Server x64 and vice versa.
• Do not combine x86 and x64 middleware versions. If you use a middleware for x64, use the x64 version of the other middleware and operating systems.

Table 21. Supported software

Application server: IBM WebSphere Application Server (Base and Network Deployment Edition)
  • 7.0 (x86 and x64) with the latest fix pack

Web server: IBM HTTP Server
  • 7.0 (x86 and x64) with the latest fix pack

Database server: IBM DB2 (Workgroup and Enterprise Server Edition) with DB2 JDBC driver 4.0
  • 9.5 (x86 and x64)
  • 9.7 (x86 and x64)

Database server: Oracle database
  • 10g R2 (x86 and x64)
  • 11g R1 (x86 and x64)
  • 11g R2 (x86 and x64)

Database server: Microsoft SQL Server (Standard and Enterprise Editions) with SQL JDBC driver 3.0
  • 2005 Service Pack 4 (x86 and x64)
  • 2008 Service Pack 2 (x86 and x64)
  • 2008 R2 (x86 and x64)

Directory server: Microsoft Windows Active Directory
  • 2003 Service Pack 2 (x86)
  • 2008 Service Pack 2 (x86 and x64)
  • 2008 R2 Service Pack 1 (x64)

Directory server: IBM Tivoli Directory Server
  • 6.2.0 (x86 and x64)
  • 6.3.0 (x86 and x64)

Directory server: LDAP compatible directory server
  • 3.0

Reporting tool: IBM Tivoli Common Reporting
  • 2.1
  • 1.2

Required fix packs

Download the latest fix packs for the following products:

• For IBM DB2, go to www-01.ibm.com/support/docview.wss?uid=swg27007053

  Note: For Oracle or Microsoft SQL Server, download the latest service packs and patches from the product website.

• For IBM WebSphere Application Server v7.0 and related subcomponents, go to www-01.ibm.com/support/docview.wss?uid=swg27014463
  – IBM WebSphere Application Server v7.0
  – IBM HTTP Server v7.0
  – IBM HTTP Server v7.0 plug-in for WebSphere
  – IBM Update Installer v7.0

Note: For WebSphere Application Server v7.0, use fix pack 17 or later.

Requirements for AccessAgent and AccessStudio

The following are the hardware, network, and software requirements for AccessAgent and AccessStudio. AccessAgent and AccessStudio work only on Windows platforms.

The following table lists the hardware requirements for AccessAgent and AccessStudio:

Table 22. Hardware requirements for AccessAgent and AccessStudio

Windows XP memory: AccessAgent minimum 512 MB; AccessStudio minimum 512 MB
Windows Vista memory: AccessAgent minimum 1 GB; AccessStudio minimum 1 GB
Windows 7 memory: AccessAgent minimum 1 GB; AccessStudio minimum 1 GB
Hard disk space: AccessAgent minimum 200 MB; AccessStudio minimum 300 MB

Supported operating systems

Table 23. Supported operating systems

Microsoft Windows XP Professional: x86 Service Pack 3; x64 Service Pack 2
Microsoft Windows Vista: x86 Service Pack 2; x64 Service Pack 2
Microsoft Windows 7: x86 Service Pack 1; x64 Service Pack 1
Microsoft Windows Server 2003: x86 Service Pack 2; x64 Service Pack 2
Microsoft Windows Server 2008: x86 Service Pack 2; x64 Service Pack 1

Note:

• Use a 32-bit AccessAgent installer on a Windows 32-bit operating system. A 32-bit AccessAgent is not supported on a 64-bit Windows operating system.
• Use a 64-bit AccessAgent installer on a 64-bit Windows operating system.
• AccessAgent is not supported on Microsoft Windows XP, Windows Vista, and Windows 7 WOW64 mode.
• AccessAgent is not supported on Microsoft Windows 7 XP mode.
• A 32-bit AccessStudio can be installed on a 32-bit or 64-bit Windows operating system.

Supported software

Install the following components before you install AccessStudio 8.2:
• AccessAgent version 8.2
• Microsoft .NET Framework 2.0 for Windows XP Professional only
• Microsoft .NET Framework 2.0 Language Pack for Windows XP Professional only

  To support languages other than English, download the Microsoft .NET Framework 2.0 Redistributable Package (x86) Language Pack for translation of messages. Go to the Microsoft website at http://www.microsoft.com and search for “.NET Framework Version 2.0 Redistributable Language Pack”.

The following are the supported software for virtualization:
• Citrix XenApp version 5.0 and 6.0
• Citrix ICA Client and Web plug-in version 12.x
• Microsoft App-V version 4.6 (x86 and x64)
• Microsoft Hyper-V Server

The AccessAgent installation automatically installs the following software:
• Microsoft C Runtime Library
• MSXML version 4.0 and 6.0

Supported web browsers

Table 24. Supported web browsers

Microsoft Windows Internet Explorer
  • 7.0
  • 8.0
  • 9.0

Mozilla Firefox
  • 3.5
  • 3.6


Requirements for IMS Configuration Utility, AccessAdmin, AccessAssistant, and Web Workplace

This section lists the supported web browsers for IMS Configuration Utility, AccessAdmin, AccessAssistant, and Web Workplace.

Supported web browsers

Table 25. Supported web browsers

Microsoft Windows Internet Explorer
  • 7.0
  • 8.0
  • 9.0

Mozilla Firefox
  • 3.5
  • 3.6

Requirements for authentication devices

This section lists the supported software for biometrics, smart cards, or RFIDs for authentication.

Table 26. Supported software for authentication devices

Biometric
  • BIO-key Biometric Service Provider 1.9.x (x86), 1.10.x (x86)
  • UPEK BioAPI SDK 3.0 (x86), 3.5 (x86)
  • Digital Persona Gold Fingerprint Recognition Software 3.2 (x86)

Smart Card
  • Gemalto Classic Client 6.0 (x86)
  • Gemalto Access Client 5.5 (x86)
  • SafeSign Identity Client 3.0 (x86)
  • Charismatics Smart Security Interface 4.8 (x86)
  • Spanish DNIe (x86)

Hybrid Smart Card
  • Gemalto Classic Client v6
  • Gemalto Prox-DU
  • OMNIKEY 5x21

Passive RFID
  • RFIdeas pcProxAPI SDK 6.5 (x86) and (x64)

Active RFID
  • Ensure Tech ETSecure SDK 4.0 (x86)

Compatibility Matrix

The following matrix summarizes the version compatibility for the IBM Security Access Manager for Enterprise Single Sign-On components.

Table 27. Version compatibility for the IBM Security Access Manager for Enterprise Single Sign-On components

IMS Server 8.2: AccessAgent 8.2, AccessStudio 8.2
IMS Server 8.2: AccessAgent 8.1, AccessStudio 8.1

IBM Security Identity Manager, Version 6.0

View the hardware and software requirements for IBM Security Identity Manager at the time the product was released.

To view the latest hardware and software requirements for IBM Security Identity Manager, see http://www.ibm.com/support/docview.wss?uid=swg27020534.

Hardware requirements

IBM Security Identity Manager has these hardware requirements:

Table 28. Hardware requirements for IBM Security Identity Manager

System memory (RAM): minimum* 2 gigabytes; suggested** 4 gigabytes
Processor speed: minimum* single 2.0-gigahertz Intel or pSeries® processor; suggested** dual 3.2-gigahertz Intel or pSeries processors
Disk space for product and prerequisite products: minimum* 20 gigabytes; suggested** 25 gigabytes

* Minimum values: These values enable a basic use of IBM Security Identity Manager.

** Suggested values: You might need to use larger values that are appropriate for your production environment.

Operating system support

IBM Security Identity Manager supports multiple operating systems.

The IBM Security Identity Manager installation program checks to ensure that specific operating systems and levels are present before starting the installation process.

Table 29. Operating system support

AIX Version 6.1 and AIX Version 7.1
  Platform: System p®
  Patch or maintenance level: None

Oracle Solaris 10
  Platform: SPARC
  Patch or maintenance level: None

Windows Server 2008 Standard Edition and Enterprise Edition
  Platform: x86-32, x86-64
  Patch or maintenance level: None

Windows Server 2008 Release 2 Standard Edition and Enterprise Edition
  Platform: x86-64
  Patch or maintenance level: None

Red Hat Linux Enterprise 5.0, Red Hat Linux Enterprise 6.0
  Platform: System z®, System p, x86-32, x86-64
  Patch or maintenance level:
  • For 5.0, Update 1 through Update 5.
  • For both 5.0 and 6.0, Security Enhanced Linux must be disabled. See the topic "Red Hat Linux Server Configuration" in the IBM Security Identity Manager Installation Guide.

SUSE Linux Enterprise Server 10.0, SUSE Linux Enterprise Server 11.0
  Platform: System z, System p, x86-32, x86-64
  Patch or maintenance level: None

Virtualization support

IBM Security Identity Manager supports virtualization environments.

See Table 30 for a list of the virtualization products that IBM Security Identity Manager supports at the time of product release.

Table 30. Virtualization support

IBM AIX Workload Partitioning (WPAR) and Logical Partitioning (LPAR) 6.1 and 7.1 and future fix packs
  Applicable operating systems: All supported operating system versions automatically applied

IBM PowerVM Hypervisor (LPAR, DPAR, Micro-Partition), any supported version and future fix packs
  Applicable operating systems: AIX

IBM PR/SM, any version, and future fix packs
  Applicable operating systems: All supported operating system versions automatically applied

IBM z/VM Hypervisor 5.4 and any future fix packs
  Applicable operating systems: All supported operating system versions automatically applied

IBM z/VM Hypervisor 6.1 and any future fix packs
  Applicable operating systems: Linux

KVM in SUSE Linux Enterprise Server (SLES) 11
  Applicable operating systems: All supported operating system versions automatically applied

Red Hat KVM as delivered with Red Hat Enterprise Linux (RHEL) 5.4 and future fix packs
  Applicable operating systems: Linux, Windows

Red Hat KVM as delivered with Red Hat Enterprise Linux (RHEL) 6.0 and future fix packs
  Applicable operating systems: All supported operating system versions automatically applied

Sun Solaris 10 Global/Local Zones (SPARC) 10 and future fix packs
  Applicable operating systems: All supported operating system versions automatically applied

Sun/Oracle Logical Domains (LDoms) any version and future fix packs
  Applicable operating systems: Solaris

VMware ESXi 4.0 and future fix packs
  Applicable operating systems: All supported operating system versions automatically applied

VMware ESXi 5.0 and future fix packs
  Applicable operating systems: All supported operating system versions automatically applied


Java Runtime Environment support

IBM Security Identity Manager requires Java Runtime Environment (JRE), version 1.6, SR10 Fix Pack 1.

This version is installed in the WAS_HOME/java directory when WebSphere Application Server, Version 7.0, Fix Pack 23 is installed.

Use of an independently installed development kit for Java, from IBM or other vendors, is not supported. The Java Runtime Environment requirements for using a browser to create a client connection to the IBM Security Identity Manager server are different from the JRE requirements for running the WebSphere Application Server.

WebSphere Application Server support

IBM Security Identity Manager runs as an enterprise application in a WebSphere Application Server environment.

IBM Security Identity Manager requires:
• WebSphere Application Server, Version 7.0
• WebSphere Fix Pack 23 for WebSphere Application Server, Version 7.0, and SDK
• WebSphere interim fix PM64800
• WebSphere interim fix PM66514
• WebSphere interim fix 7.0.0.23-WS-WAS-IFPM71296

Note: You must apply Fix Pack 23 before applying the interim fixes.

WebSphere supports each of the operating systems that IBM Security Identity Manager supports. Review the WebSphere website for WebSphere requirements for each operating system: http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg27012369

Database server support

IBM Security Identity Manager supports multiple database server products.

Table 31. Database server support

IBM DB2 Enterprise Version 9.5
  Fix pack: Fix Pack 3b
  Notes®: IBM DB2 Enterprise 9.5 is not supported on Linux 32-bit operating systems or on any Linux operating systems on pSeries hardware. IBM DB2 9.5 WorkGroup Edition is bundled for Linux 32-bit operating systems.

IBM DB2 Enterprise Version 9.7
  Fix pack: Fix Pack 4
  Notes:
  • On Linux, DB2 9.7 Enterprise Server Edition is only supported on 64-bit architectures. See http://www.ibm.com/support/docview.wss?uid=swg27020534.
  • IBM DB2 9.7 Workgroup Edition is required on Linux 32-bit operating systems.
  • IBM Tivoli Directory Server requires Fix Pack 2.
  • Red Hat Linux 6.0 requires Fix Pack 4.

Microsoft SQL Server 2008, Enterprise Edition; Microsoft SQL Server 2008, R2
  Fix pack: none
  Notes:
  • WebSphere Application Server supports Microsoft SQL Server 2008, Enterprise Edition.
  • IBM Security Identity Manager must be running on a supported Windows operating system if Microsoft SQL Server is used for the IBM Security Identity Manager database. For information about JDBC driver support with Microsoft SQL Server 2008, see http://www.ibm.com/support/docview.wss?uid=swg27020534.

Oracle 10g Release 2 (Version 10.2.0.2) and Oracle 11g Release 2
  Fix pack: none
  Notes:
  • The Oracle 11.1.0.7 database driver is required for both Oracle 10gR2 and Oracle 11g databases.
  • Oracle 11g version 11.1.0.7.0 supports Windows Server 2008 32-bit and 64-bit operating systems.
  • Support is available for Oracle 11gR2 with the Oracle 11gR1 ojdbc5 driver only.

Directory server support

IBM Security Identity Manager supports multiple directory servers.

Table 32. Directory server support

IBM Tivoli Directory Server, Version 6.2
  Fix packs: FP1
  Notes: IBM Tivoli Directory Server supports the operating system releases that IBM Security Identity Manager supports.

IBM Tivoli Directory Server, Version 6.3
  Fix packs: none
  Notes: IBM Tivoli Directory Server supports the operating system releases that IBM Security Identity Manager supports.

Sun Directory Server Enterprise Edition 6.3.1
  Fix packs: none
  Notes: See Oracle documentation to verify operating system support.

Oracle Directory Server Enterprise Edition 11.1.1
  Fix packs: none
  Notes: See Oracle documentation to verify operating system support.

Directory Integrator support

IBM Security Identity Manager supports IBM Tivoli Directory Integrator.

You can optionally install IBM Tivoli Directory Integrator for use with IBM Security Identity Manager.

IBM Tivoli Directory Integrator enables communication between the installed agentless adapters and IBM Security Identity Manager. See the IBM Security Identity Manager Installation Guide.

Table 33. Supported versions of IBM Tivoli Directory Integrator

IBM Tivoli Directory Integrator, Version 7.1
  Fix pack: Fix Pack 5

IBM Tivoli Directory Integrator, Version 7.1.1
  Fix pack: Fix Pack 1 and Limited Availability Fix 7.1.1-TIV-TDI-LA0001

IBM Tivoli Directory Integrator supports each of the operating system versions that IBM Security Identity Manager supports.

Report server support

IBM Security Identity Manager supports IBM Tivoli Common Reporting, Version 2.1.1.

The following fix packs and iFixes are required. Install the fixes in the following order:
1. IBM Tivoli Common Reporting, Version 2.1.1, interim fix 2
2. IBM Tivoli Common Reporting, Version 2.1.1, interim fix 5
3. IBM Tivoli Integrated Portal Fix Pack 2.2.0.7
4. IBM Tivoli Common Reporting, Version 2.1.1, interim fix 6

To obtain fixes:
• Download the latest fixes for IBM Tivoli Common Reporting Server from the Fix Central website at http://www.ibm.com/support/fixcentral/.
• Obtain and install the IBM Tivoli Integrated Portal Fix Pack 2.2.0.7 before installing IBM Tivoli Common Reporting, Version 2.1.1, interim fix 6. For instructions on how to obtain IBM Tivoli Integrated Portal Fix Pack 2.2.0.7, see the IBM developerWorks® topic: Tivoli Common Reporting 2.1.1 Interim Fix 6.

Browser requirements for client connections

IBM Security Identity Manager has browser requirements for client connections.

IBM Security Identity Manager supports the following browser versions:
• Microsoft Internet Explorer 8.0
• Microsoft Internet Explorer 9.0
• Mozilla Firefox 3.6 (on AIX only)

  Note: Firefox 3.6 requires the Next-Generation Java plug-in, which is included in Java 6 Update 10 and newer.

• Mozilla Firefox 10 Extended Support Release (not supported on AIX)
• The IBM Security Identity Manager software distribution does not include the supported browsers.
• The IBM Security Identity Manager administrative user interface uses applets that require a Java plug-in provided by Sun Microsystems JRE Version 1.6 or later. When the browser requests a page that contains an applet, it attempts to load the applet with the Java plug-in. If the required JRE is not on the system, the browser either prompts the user for the correct Java plug-in, or fails to complete the presentation of the items in the window. The IBM Security Identity Manager user interface is displayed correctly for all pages that do not contain a Java applet, regardless of JRE installation.
• You must enable cookies in the browser to establish a session with IBM Security Identity Manager.
• Do not start two or more separate browser sessions from the same client computer. The two sessions are regarded as one session ID, which causes problems with the data.


Adapter level support

The IBM Security Identity Manager installation program always installs a number of adapter profiles.

The installation program installs these profiles:
• AIX profile (UNIX and Linux adapter)
• Solaris profile (UNIX and Linux adapter)
• HP-UX profile (UNIX and Linux adapter)
• Linux profile (UNIX and Linux adapter)
• LDAP profiles (LDAP adapter)

The IBM Security Identity Manager installation program optionally installs the IBM Security Identity Manager LDAP adapter and the IBM Security Identity Manager UNIX and Linux adapter. Newer versions of the adapters might be available as a separate download. Install the latest versions before you use the adapters.

You must take additional steps to install adapters if you do not install them during the IBM Security Identity Manager installation.

The following table lists the UNIX and Linux systems and versions that are supported by the UNIX and Linux adapter.

Table 34. Prerequisites to run the UNIX and Linux adapter

AIX: AIX 6.1, AIX 7.1
HP-UX: HP-UX 11iv1, HP-UX 11iv1 trusted, HP-UX 11iv2, HP-UX 11iv2 trusted, HP-UX 11iv3, HP-UX 11iv3 trusted
Red Hat Linux: Red Hat Enterprise Linux Enterprise Server 6.0, Red Hat Enterprise Linux Enterprise Server 6.1, Red Hat Enterprise Linux Enterprise Server 6.2
Oracle Solaris: Oracle Solaris 10
SUSE Linux: SLES 10.0, SLES 11.0

The LDAP adapter supports the following directory server versions:
• IBM Tivoli Directory Server 6.1, IBM Tivoli Directory Server 6.2, IBM Tivoli Directory Server 6.3
• Sun Directory Server Enterprise Edition 6.3, Sun Directory Server Enterprise Edition 6.3.1

The LDAP adapter supports an LDAP directory that uses the RFC 2798 schema. This schema supports communication between IBM Security Identity Manager and systems that run IBM Tivoli Directory Server or Sun Directory Server Enterprise Edition. The IBM Security Identity Manager LDAP Adapter Installation Guide describes how to configure the LDAP adapter.

Adapters are available at the following IBM Passport Advantage website:

http://www.ibm.com/software/sw-lotus/services/cwepassport.nsf/wdocs/passporthome


Installation and configuration guides for adapters are available in the IBM Security Identity Manager Information Center.


Appendix C. References

IBM Security Privileged Identity Manager involves shared access-related reports and APIs.

Report examples

This appendix provides examples of the shared access-related reports that you deploy on the Tivoli Common Reporting instance. Use the included reports to track how shared access privileged identities are used.

Example: User information

The user information report contains the activity of one or more users, sorted by event, result, and time. The report also displays the computer IP address of the user and the full name of the user.

Figure 3. User information audit report (the figure lists sample users such as test.example.com\linlin2, test.example.com\peter2, and test.example.com\testadmin1 together with computer IP addresses such as 192.0.2.3 and 192.0.2.8)


Example: Application usage

An application usage report contains the authentication service activity of one or more users, sorted by event and time. The report also displays the IP address of the computer and the full name of each user.

To view related shared access events, select one of the following events as report parameters:
• Privileged ID Check In
• Privileged ID Check Out

Figure 4. Application usage audit report (the figure lists events for the sample users test.example.com\linlin2 and test.example.com\jamess01 with computer IP addresses such as 192.0.2.12, 192.0.2.26, 192.0.2.3, and 192.0.2.8)


Example: Shared access audit history

This report shows the shared access audit history.

Figure 5. Shared access audit history report


Example: Shared access entitlements by owner

This report lists shared access entitlements for an owner. You can filter the report by service business unit, service, shared access entitlement owner business unit, and shared access entitlement owner.

Figure 6. Shared access entitlements by owner report


Example: Shared access entitlements by role

This report lists shared access entitlements for a role. You can filter the report by business unit, role, and entitlement type.

Figure 7. Shared access entitlements by role report


AccessAgent PIM API reference

Use the AccessAgent PIM API reference to identify the available IBM Security Privileged Identity Manager application programming interfaces.

CheckOut

Use CheckOut to check out a credential from IBM Security Identity Manager.

    HRESULT CheckOut(
        [in] ISERuntime* RuntimeObj,
        [in] BSTR ItimSvcUrl,
        [in] BSTR ItimAuthSvcId,
        [in] BSTR PrivCredBag,
        [in] VARIANT_BOOL IsPrivCredBagLocal,
        [in] BSTR ApplicationName,
        [in] VARIANT_BOOL ServiceLowerCaseConventionEnabled,
        [in] VARIANT_BOOL ReAuthPasscodeEnabled,
        [in] VARIANT_BOOL CheckInAllBeforeCheckOutEnabled,
        [in] BSTR RoleSelectionDlgParentHwndSignature,
        [in] VARIANT_BOOL SilentModeEnabled,
        [in, defaultvalue("true")] VARIANT_BOOL IsRegistrationEnabled,
        [out, retval] int* pRet);

RuntimeObj
    Runtime object obtained from the scripting host.

ItimSvcUrl
    URL of the IBM Security Identity Manager service. For example: https://itim.ibm.com:9081/WAR_CICO/services/CICOManager.

ItimAuthSvcId
    Authentication service ID of IBM Security Identity Manager. The user Wallet must contain the IBM Security Identity Manager credential.

PrivCredBag
    Privileged credential bag. It stores:
    • Checked-out privileged credentials.
    • Application managed resource authentication service ID.

IsPrivCredBagLocal
    Specify whether to use a local bag for the privileged credential bag.

ItimTokenBag
    This parameter is not used. It is included for backward compatibility.

IsItimTokenBagLocal
    Specify whether to use a local bag for the IBM Security Identity Manager token bag.

ReAuthPasscodeEnabled
    Specify whether to reauthenticate user credentials before you check out.

CheckInAllBeforeCheckOutEnabled
    Specify whether to check in all credentials before checkout.

RoleSelectionDlgParentHwndSignature
    Signature of the role selection dialog box parent window. If the parameter is an empty string, the role selection dialog box parent window is NULL.

SilentModeEnabled
    If this parameter is true, no dialogs and prompts are displayed.

IsRegistrationEnabled
    If this parameter is true, the background process automatically checks in the shared credential when the process fails to check in the credential, for example, when a user exits the program in an unexpected way.

CheckIn

Use CheckIn to check in shared access credentials into the IBM Security Identity Manager credential vault.

    HRESULT CheckIn(
        [in] ISERuntime* RuntimeObj,
        [in] BSTR PrivCredBag,
        [in] VARIANT_BOOL IsPrivCredBagLocal,
        [out, retval] int* pRet);

RuntimeObj
    Runtime object obtained from the scripting host.

PrivCredBag
    Privileged credential bag that contains the checked-out credentials. It stores the:
    • Checked-out credentials.
    • Application (endpoint) authentication service ID.

IsPrivCredBagLocal
    Specify whether the bag is local or global.
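The CheckOut and CheckIn descriptions above leave the lifecycle implicit: a shared credential is taken from a pool into the privileged credential bag, held under a lease, and returned by the same AccessAgent user (or by the background process when IsRegistrationEnabled is set). The following Python model is an added illustration, not IBM's code and not the COM interface itself. It uses the CICO_MGR_* return codes from the message reference on this page; the ToyCredentialVault, the lease length, and the rule that a different AccessAgent user cannot check in someone else's credential are assumptions made to show what the documented parameters control.

```python
"""Added model (not IBM's code) of the AccessAgent PIM CheckOut/CheckIn
contract described above.  The return codes are the CICO_MGR_* values from
the message reference; the vault, lease and bag behaviour are assumptions made
to show what the documented parameters control, not the product's logic."""
from dataclasses import dataclass, field

# Return codes taken from the message reference (Table 35 on this page).
CICO_MGR_SUCCESS = 0
CICO_MGR_REAUTH_PASSCODE_FAILED = 4
CICO_MGR_AUTH_SVC_ID_NOT_FOUND = 6
CICO_MGR_NO_CREDENTIAL_AVAILABLE = 36
CICO_MGR_ISIM_USER_ID_NOT_MATCH_DIFFERENT_AA_USER = 43
CICO_MGR_LEASE_EXPIRE = 501


@dataclass
class Lease:
    aa_user: str        # AccessAgent user who checked the credential out
    expires_at: float   # assumed lease end (seconds); the page gives no lease length


@dataclass
class PrivCredBag:
    """The privileged credential bag of CheckOut/CheckIn: the application
    authentication service ID plus the checked-out credentials."""
    auth_svc_id: str = ""
    credentials: dict = field(default_factory=dict)   # credential id -> Lease


class ToyCredentialVault:
    """Assumed stand-in for the IBM Security Identity Manager credential vault."""

    def __init__(self, pool, lease_seconds=3600):
        # pool: auth_svc_id -> shared credential ids that can be checked out
        self.free = {svc: list(ids) for svc, ids in pool.items()}
        self.lease_seconds = lease_seconds

    def check_out(self, aa_user, bag, now, reauth_ok=True,
                  check_in_all_before_check_out=False):
        """Models CheckOut; returns one of the documented CICO_MGR_* codes."""
        if not bag.auth_svc_id:
            return CICO_MGR_AUTH_SVC_ID_NOT_FOUND        # code 6: no service ID in the bag
        if not reauth_ok:
            return CICO_MGR_REAUTH_PASSCODE_FAILED       # code 4: ReAuthPasscodeEnabled path
        if check_in_all_before_check_out:                # CheckInAllBeforeCheckOutEnabled
            self.check_in(aa_user, bag, now)
        free = self.free.setdefault(bag.auth_svc_id, [])
        if not free:
            return CICO_MGR_NO_CREDENTIAL_AVAILABLE      # code 36: every credential is out
        cred_id = free.pop(0)
        bag.credentials[cred_id] = Lease(aa_user, now + self.lease_seconds)
        return CICO_MGR_SUCCESS

    def check_in(self, aa_user, bag, now):
        """Models CheckIn.  Credentials checked out by a different AccessAgent
        user stay checked out and the call reports code 43, which tells the
        caller to log on as the original user; an expired lease is still
        returned to the pool but reported as code 501."""
        result = CICO_MGR_SUCCESS
        for cred_id, lease in list(bag.credentials.items()):
            if lease.aa_user != aa_user:
                result = CICO_MGR_ISIM_USER_ID_NOT_MATCH_DIFFERENT_AA_USER
                continue
            if now > lease.expires_at:
                result = CICO_MGR_LEASE_EXPIRE
            self.free[bag.auth_svc_id].append(cred_id)
            del bag.credentials[cred_id]
        return result

    def background_check_in(self, bag, now):
        """Models IsRegistrationEnabled: a background sweep returns credentials
        whose owning process did not check them in (assumption: an expired
        lease is the signal).  Returns the credential ids it released."""
        released = [c for c, l in bag.credentials.items() if now > l.expires_at]
        for cred_id in released:
            self.free[bag.auth_svc_id].append(cred_id)
            del bag.credentials[cred_id]
        return released


if __name__ == "__main__":
    vault = ToyCredentialVault({"svc-app": ["shared-admin-1"]}, lease_seconds=60)
    alice, bob = PrivCredBag("svc-app"), PrivCredBag("svc-app")
    print("alice checks out:", vault.check_out("alice", alice, now=0))        # 0
    print("bob checks out:", vault.check_out("bob", bob, now=1))              # 36
    print("bob checks in alice's bag:", vault.check_in("bob", alice, now=2))  # 43
```

Running the model with a one-credential pool shows why CheckInAllBeforeCheckOutEnabled matters on shared workstations: until the first user's bag is checked in, every other caller receives code 36, and a caller who tries to check in a bag that another AccessAgent user filled receives code 43 and leaves the credential checked out.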

Message reference

You can search and view the error message codes for your AccessProfiles.

How to use the following messages

You can view the error codes in the audit logs.

Table 35. List of message identifiers

0 CICO_MGR_SUCCESS
    Check-out and check-in is successful.

1 CICO_MGR_GENERAL_ERROR
    There is an unexpected or unknown error. Contact the Administrator.

2 CICO_MGR_SCRIPT_HOST_RUNTIME_ERROR
    There might be an error in the AccessAgent module. Contact the Administrator.

3 CICO_MGR_ESSO_ID_RETRIEVAL_FAILED
    Cannot retrieve the AccessAgent User ID from AAScriptSupport. There might be an error in the AccessAgent module. Contact the Administrator.

4 CICO_MGR_REAUTH_PASSCODE_FAILED
    Re-authentication password failed. Ensure that the entered credential is correct.

5 CICO_MGR_ISIM_CRED_RETRIEVAL_FAILED
    IBM Security Identity Manager credentials cannot be retrieved from the Wallet. Recapture the IBM Security Identity Manager credential and make sure it is saved properly.

6 CICO_MGR_AUTH_SVC_ID_NOT_FOUND
    Application authentication service ID is not found in PrivCredBag. It can be an AccessProfile problem. Contact the Administrator.

7 CICO_MGR_ISIM_SRV_CONNECTION_FAILED
    Connection to IBM Security Identity Manager Server cannot be established. Check network connections and the IBM Security Identity Manager URL setting.

9 CICO_MGR_LOGON_ISIM_FAILED
    Log on to IBM Security Identity Manager failed. Check whether your IBM Security Identity Manager credentials are correct.

11 CICO_MGR_GET_ROLES_LIST_FAILED
    Get shared access list failed. Contact the IBM Security Identity Manager Administrator.

12 CICO_MGR_EMPTY_ROLES_LIST
    Shared access list from IBM Security Identity Manager is empty. Shared access is not properly set in IBM Security Identity Manager. Contact the IBM Security Identity Manager Administrator.

13 CICO_MGR_SHOW_ROLE_POPUP_FAILED
    Cannot show the Shared Access Selection window. There might be an error in the AccessAgent module. Contact the Administrator.

14 CICO_MGR_CHECKOUT_FAILED
    Check out from IBM Security Identity Manager failed. Contact the IBM Security Identity Manager Administrator.

15 CICO_MGR_LOGOFF_ISIM_FAILED
    Log off from IBM Security Identity Manager failed. Contact the IBM Security Identity Manager Administrator.

17 CICO_MGR_CHECKIN_FAILED
    Check in to IBM Security Identity Manager failed. Contact the IBM Security Identity Manager Administrator.

18 CICO_MGR_RESPONSE_MSG_PARSE_ERROR
    An unknown exception is returned by IBM Security Identity Manager. Look in the IBM Security Identity Manager logs.

19 CICO_MGR_USER_CANCELLED_ROLE_POPUP
    The user canceled the shared access dialog box prompt.

20 CICO_MGR_PROPERTIES_CONTAINER_ERROR
    An error occurred on an operation that requires the properties container of AccessAgent. There might be an error in the AccessAgent module. Contact the Administrator.

22 CICO_MGR_INVALID_ISIM_AUTH_SVC_ID
    Cannot retrieve the IBM Security Identity Manager Authentication Service ID from the system policy. Check the IMS Server system policy setting and do a full synchronization to the IMS Server.

23 CICO_MGR_ISIM_URL_NOT_DEFINED_FOR_CUSTOMER
    IBM Security Identity Manager service URL is not defined for this customer account. Check the IMS Server system policy setting and do a full synchronization to the IMS Server.

31 CICO_MGR_ISIM_CRED_INCOMPLETE
    The credential information from IBM Security Identity Manager or Bgmonitor is not complete. Contact the Administrator. Note: Bgmonitor is a required component for managing the privileged identity management workflow.

35 CICO_MGR_SERVICEURI_NOT_DEFINED
    Check-out and check-in service of the endpoint is not configured in IBM Security Identity Manager. Contact the IBM Security Identity Manager Administrator.

36 CICO_MGR_NO_CREDENTIAL_AVAILABLE
    All available credentials are checked out. Try again later.

37 CICO_MGR_NO_RESPONSE_LOGIN
    No response from IBM Security Identity Manager for logon action.

38 CICO_MGR_NO_RESPONSE_GETSHAREDACCESS
    No response from IBM Security Identity Manager for getsharedaccess action. It might be an error in IBM Security Identity Manager. Contact the IBM Security Identity Manager Administrator.

39 CICO_MGR_NO_RESPONSE_CHECKOUT
    No response from IBM Security Identity Manager for checkout action. It might be an error in IBM Security Identity Manager. Contact the IBM Security Identity Manager Administrator.

40 CICO_MGR_NO_RESPONSE_LOGOUT
    No response from IBM Security Identity Manager for logout action. It might be an error in IBM Security Identity Manager. Contact the IBM Security Identity Manager Administrator.

41 CICO_MGR_NO_RESPONSE_CHECKIN
    No response from IBM Security Identity Manager for checkin action. It might be an error in IBM Security Identity Manager. Contact the IBM Security Identity Manager Administrator.

42 CICO_MGR_ISIM_USER_ID_NOT_MATCH_SAME_AA_USER
    The checked-out IBM Security Identity Manager username does not match the IBM Security Identity Manager username in the Wallet during check-in. The IBM Security Identity Manager username was changed after check-out and before check-in. This is audit logged. No action required.

43 CICO_MGR_ISIM_USER_ID_NOT_MATCH_DIFFERENT_AA_USER
    The AccessAgent username at checkout does not match the AccessAgent username on check-in. Log on using the old AccessAgent username to check in.

44 CICO_MGR_ISIM_OBJECT_NOT_FOUND
    IBM Security Identity Manager returns an exception of CTGIMX202E. The object is not found. It might be an error in IBM Security Identity Manager. Contact the IBM Security Identity Manager Administrator.

500 CICO_MGR_REUSE_ISIM_CREDENTIAL
    The IBM Security Identity Manager credential is reused. No action required.

501 CICO_MGR_LEASE_EXPIRE
    The lease expired. Terminate the process. No action required.
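Because the return codes above are what reaches the audit logs, an operations team usually wants them grouped by who has to act (nobody, the user, whoever owns the IMS Server policy, or the administrator) and wants a few patterns surfaced rather than read row by row. The following Python triage script is an added example, not IBM's code. The code-to-identifier mapping and the action groups are taken from Table 35; the key=value log line layout, the sample events, and the threshold for repeated re-authentication failures are constructed for this example, since the page does not show the audit log format.

```python
"""Added example (not IBM's code): triage of AccessAgent check-out/check-in
return codes as they appear in audit logs.  The code -> identifier mapping is
the message reference on this page; the log line layout is constructed for
this example because the page does not show the audit log format."""
import re
from collections import Counter

# Identifiers from the message reference (Table 35).
MESSAGES = {
    0: "CICO_MGR_SUCCESS", 1: "CICO_MGR_GENERAL_ERROR",
    2: "CICO_MGR_SCRIPT_HOST_RUNTIME_ERROR", 3: "CICO_MGR_ESSO_ID_RETRIEVAL_FAILED",
    4: "CICO_MGR_REAUTH_PASSCODE_FAILED", 5: "CICO_MGR_ISIM_CRED_RETRIEVAL_FAILED",
    6: "CICO_MGR_AUTH_SVC_ID_NOT_FOUND", 7: "CICO_MGR_ISIM_SRV_CONNECTION_FAILED",
    9: "CICO_MGR_LOGON_ISIM_FAILED", 11: "CICO_MGR_GET_ROLES_LIST_FAILED",
    12: "CICO_MGR_EMPTY_ROLES_LIST", 13: "CICO_MGR_SHOW_ROLE_POPUP_FAILED",
    14: "CICO_MGR_CHECKOUT_FAILED", 15: "CICO_MGR_LOGOFF_ISIM_FAILED",
    17: "CICO_MGR_CHECKIN_FAILED", 18: "CICO_MGR_RESPONSE_MSG_PARSE_ERROR",
    19: "CICO_MGR_USER_CANCELLED_ROLE_POPUP", 20: "CICO_MGR_PROPERTIES_CONTAINER_ERROR",
    22: "CICO_MGR_INVALID_ISIM_AUTH_SVC_ID", 23: "CICO_MGR_ISIM_URL_NOT_DEFINED_FOR_CUSTOMER",
    31: "CICO_MGR_ISIM_CRED_INCOMPLETE", 35: "CICO_MGR_SERVICEURI_NOT_DEFINED",
    36: "CICO_MGR_NO_CREDENTIAL_AVAILABLE", 37: "CICO_MGR_NO_RESPONSE_LOGIN",
    38: "CICO_MGR_NO_RESPONSE_GETSHAREDACCESS", 39: "CICO_MGR_NO_RESPONSE_CHECKOUT",
    40: "CICO_MGR_NO_RESPONSE_LOGOUT", 41: "CICO_MGR_NO_RESPONSE_CHECKIN",
    42: "CICO_MGR_ISIM_USER_ID_NOT_MATCH_SAME_AA_USER",
    43: "CICO_MGR_ISIM_USER_ID_NOT_MATCH_DIFFERENT_AA_USER",
    44: "CICO_MGR_ISIM_OBJECT_NOT_FOUND", 500: "CICO_MGR_REUSE_ISIM_CREDENTIAL",
    501: "CICO_MGR_LEASE_EXPIRE",
}

# Who acts on a code, derived from the remedy text in the table.
NO_ACTION = {0, 42, 500, 501}      # success or "No action required"
USER_ACTION = {4, 19, 36, 43}      # retry, wait, or log on as the original user
CONFIG_CHECK = {7, 9, 22, 23}      # check URL, credentials, or IMS Server policy
# Every other known code says "Contact the Administrator" or "look in the logs".
# Code 37 states no remedy; it is grouped with the administrator cases (assumption).


def classify(code):
    """Return (identifier, category) for a CICO_MGR return code."""
    ident = MESSAGES.get(code)
    if ident is None:
        return ("UNKNOWN", "unknown")
    if code in NO_ACTION:
        return (ident, "no_action")
    if code in USER_ACTION:
        return (ident, "user")
    if code in CONFIG_CHECK:
        return (ident, "config")
    return (ident, "admin")


# Constructed log layout for this example: key=value fields, one event per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) "
    r"action=(?P<action>CheckOut|CheckIn) code=(?P<code>\d+)$")


def parse_line(line):
    """Return the event as a dict, or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["code"] = int(event["code"])
    return event


def triage(lines, reauth_threshold=3):
    """Count events per action category and flag two patterns worth a look:
    repeated re-authentication failures (code 4) by one user, and check-in
    attempts by a different AccessAgent user than the one who checked out (43)."""
    by_category = Counter()
    reauth_failures = Counter()
    cross_user_checkin = []
    skipped = 0
    for line in lines:
        event = parse_line(line)
        if event is None:
            skipped += 1
            continue
        _ident, category = classify(event["code"])
        by_category[category] += 1
        if event["code"] == 4:
            reauth_failures[event["user"]] += 1
        if event["code"] == 43:
            cross_user_checkin.append((event["user"], event["ip"]))
    return {
        "by_category": dict(by_category),
        "skipped": skipped,
        "repeated_reauth_failures": sorted(
            u for u, n in reauth_failures.items() if n >= reauth_threshold),
        "cross_user_checkin": cross_user_checkin,
    }


# Constructed sample events; names and 192.0.2.x addresses follow the report examples above.
SAMPLE_LINES = [
    "2012-06-01T09:00:01 user=test.example.com\\linlin2 ip=192.0.2.3 action=CheckOut code=0",
    "2012-06-01T09:05:12 user=test.example.com\\peter2 ip=192.0.2.4 action=CheckOut code=4",
    "2012-06-01T09:05:40 user=test.example.com\\peter2 ip=192.0.2.4 action=CheckOut code=4",
    "2012-06-01T09:06:03 user=test.example.com\\peter2 ip=192.0.2.4 action=CheckOut code=4",
    "2012-06-01T09:30:00 user=test.example.com\\annie1 ip=192.0.2.25 action=CheckOut code=36",
    "2012-06-01T10:00:00 user=test.example.com\\chuck1 ip=192.0.2.20 action=CheckIn code=43",
    "2012-06-01T10:15:00 user=test.example.com\\linlin2 ip=192.0.2.3 action=CheckIn code=0",
    "2012-06-01T10:20:00 user=test.example.com\\benson1 ip=192.0.2.23 action=CheckOut code=22",
    "malformed line that the parser must skip",
]

if __name__ == "__main__":
    from pprint import pprint
    pprint(triage(SAMPLE_LINES))
```

On the sample events the summary shows two "no_action" events, five that the user resolves, one configuration problem (code 22, which points at the IMS Server system policy), one skipped line, the repeated code 4 failures for test.example.com\peter2, and the code 43 check-in attempt from test.example.com\chuck1. Adapt LINE_RE to the actual audit log layout of your deployment before using it.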


Appendix D. Accessibility features for IBM Security Privileged Identity Manager

Accessibility features help users who have a disability, such as restricted mobility or limited vision, to use information technology products successfully.

Accessibility features

IBM Security Privileged Identity Manager conforms to Section 508 standards for accessibility.

The following list includes the major accessibility features in IBM Security Privileged Identity Manager:
• Support for the Freedom Scientific JAWS screen reader application
• Keyboard-only operation
• Interfaces that are commonly used by screen readers
• Keys that are discernible by touch but do not activate just by touching them
• Industry-standard devices for ports and connectors
• The attachment of alternate input and output devices

The IBM Security Privileged Identity Manager Information Center, and its related publications, are accessibility-enabled. The accessibility features of the information center are described at http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.iehsc.doc/iehs34_accessibility.html.

Keyboard navigation

This product uses standard Microsoft Windows navigation keys.

Related accessibility information

You can view the publications for IBM Security Privileged Identity Manager in AdobePortable Document Format (PDF) with the Adobe Acrobat Reader. The PDFs areavailable in the information center.

The following keyboard navigation and accessibility features are available in theform designer:v You can use the tab keys and arrow keys to move between the user interface

controls.v You can use the Home, End, Page Up, and Page Down keys for additional

navigation.v You can start any applet, such as the form designer applet, in a separate

window. The applet enables Alt+Tab to toggle between that applet and the webinterface and for more screen workspace. To start the window, click Launch as aseparate window.

v You can change the appearance of applets such as the form designer by usingthemes. Themes provide high contrast color schemes that help users with visionimpairments to differentiate between controls.


IBM and accessibility

See the IBM Human Ability and Accessibility Center for information about the IBM commitment to accessibility.


Glossary

This glossary includes terms and definitions for IBM Security Privileged Identity Manager.

The following cross-references are used in this glossary:
• See refers you from a term to a preferred synonym, or from an acronym or abbreviation to the defined full form.
• See also refers you to a related or contrasting term.

To view glossaries for other IBM products, go to www.ibm.com/software/globalization/terminology (opens in new window).

account. An entity that contains a set of parameters that define the application-specific attributes of a user, which include the identity, user profile, and credentials.

adapter. An intermediary software component that lets two other software components communicate with one another.

application server. A server program in a distributed network that provides the execution environment for an application program.

audit trail. A chronological record of events or transactions. An audit trail is used for examining or reconstructing a sequence of events or transactions, managing security, and recovering lost transactions.

credential. Information acquired during authentication that describes a user, group associations, or other security-related identity attributes, and that is used to perform services such as authorization, auditing, or delegation. For example, a user ID and password are credentials that allow access to network and system resources.

credential pool. A group of credentials with similar access privileges. The pool can be defined as a service group or a set of service groups.

credential vault. A configured repository that stores credentials for shared access management.

deprovision. To remove a service or component. For example, to deprovision an account means to delete an account from a resource.

digital certificate. An electronic document used to identify an individual, a system, a server, a company, or some other entity, and to associate a public key with the entity. A digital certificate is issued by a certification authority and is digitally signed by that authority.

directory server. A server that can add, delete, change, or search directory information on behalf of a client.

event. An occurrence of significance to a task or system. Events can include completion or failure of an operation, a user action, or the change in state of a process.

endpoint. The system that is the origin or destination of a session.

IMS Server. An integrated management system for IBM Security Access Manager for Enterprise Single Sign-On that provides a central point of secure access administration for an enterprise. It enables centralized management of user identities, AccessProfiles, and authentication policies, and provides loss management, certificate management, and audit management for the enterprise.

managed resource. An entity that exists in the runtime environment of an IT system and that can be managed.

password. In computer and network security, a specific string of characters used by a program, computer operator, or user to access the system and the information stored within it.

permission. Authorization to perform activities, such as reading and writing local files, creating network connections, and loading native code.

plug-in. A separately installable software module that adds function to an existing program, application, or interface.

policy. A set of considerations that influence the behavior of a managed resource or a user.

profile. Data that describes the characteristics of a user, group, resource, program, device, or remote location.

provisioning policy. A policy that defines the access to various managed resources, such as applications or operating systems. Access is granted to all users, users with a specific role, or users who are not members of a specific role.

resource. A hardware, software, or data entity. See also managed resource.


single sign-on (SSO). An authentication process in which a user can access more than one system or application by entering a single user ID and password.

shared access. Access to a resource or application by using a shared credential.

shared access policy. A shared access policy authorizes role members to share access by credentials or credential pools. A policy can be defined for a specific credential pool, a specific credential, or all pools or credentials with the same organization container context.

Wallet. A secured data store of access credentials of a user and related information, which includes user IDs, passwords, certificates, and encryption keys.



Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement might not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those websites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.


Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758 U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

All IBM prices shown are IBM's suggested retail prices, are current and are subject to change without notice. Dealer prices may vary.

This information is for planning purposes only. The information herein is subject to change before the products described become available.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.


If you are viewing this information in softcopy form, the photographs and color illustrations might not be displayed.

Trademarks

IBM, the IBM logo, and ibm.com® are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.

IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used under license therefrom.

Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are trademarks of HP, IBM Corp. and Quantum in the U.S. and other countries.

Other company, product, and service names may be trademarks or service marks of others.


Printed in USA

SC27-4382-00