IBM Tivoli Access Manager Upgrade Guide Version 5.1 White Paper

IBM Tivoli Access Manager: Upgrade Guide · publib.boulder.ibm.com/tividd/td/ITAME/itame... · term management server is now referred to as policy server. This white paper explains how


Note

Before using this information and the product it supports, read the information in Appendix B, “Notices,” on page 167.

First Edition (December 2003)

This edition applies to version 5, release 1, modification 0 of IBM Tivoli Access Manager (product number 5724-C08) and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright International Business Machines Corporation 2003. All rights reserved. US Government Users Restricted Rights Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.


Contents

Preface
    Publications
    Release information
    Base information
    Web security information
    Developer references
    Technical supplements
    Related publications
    IBM Global Security Kit
    IBM Tivoli Directory Server
    IBM DB2 Universal Database
    IBM WebSphere Application Server
    IBM Tivoli Access Manager for Business Integration
    IBM Tivoli Access Manager for WebSphere Business Integration Brokers
    IBM Tivoli Access Manager for Operating Systems
    IBM Tivoli Identity Manager
    Accessing publications online
    Accessibility
    Contacting software support
    Conventions used in this book
    Typeface conventions
    Operating system differences

Chapter 1. Introduction
    Scenario 1: Large user base
    Scenario 2: Small user base
    Scenario 3: Using a registry other than IBM Directory Server
    Supported platforms, including required patches

Chapter 2. Upgrading the policy server
    AIX: Upgrading the policy server
    AIX: Upgrade considerations
    AIX: Upgrading the policy server using a single system
    AIX: Upgrading the policy server using two systems
    AIX: Retiring the original policy server
    HP-UX: Upgrading the policy server
    HP-UX: Upgrade considerations
    HP-UX: Upgrading the policy server using a single system
    HP-UX: Upgrading the policy server using two systems
    HP-UX: Retiring the original policy server
    Linux on zSeries: Upgrading the policy server
    Linux on zSeries: Upgrade considerations
    Linux on zSeries: Upgrading the policy server using a single system
    Linux on zSeries: Upgrading the policy server using two systems
    Linux on zSeries: Retiring the original policy server
    Solaris: Upgrading the policy server
    Solaris: Upgrade considerations
    Solaris: Upgrading the policy server using a single system
    Solaris: Upgrading the policy server using two systems
    Solaris: Retiring the original policy server
    Windows: Upgrading the policy server
    Windows: Upgrade considerations
    Windows: Upgrading the policy server using a single system
    Windows: Upgrading the policy server using two systems
    Windows: Retiring the original policy server


Chapter 3. Upgrading an authorization server
    AIX: Upgrading an authorization server
    HP-UX: Upgrading an authorization server
    Linux on zSeries: Upgrading an authorization server
    Solaris: Upgrading an authorization server
    Windows: Upgrading an authorization server

Chapter 4. Upgrading a WebSEAL server
    AIX: Upgrading a WebSEAL server
    AIX: Upgrade considerations
    AIX: Upgrading WebSEAL
    HP-UX: Upgrading a WebSEAL server
    HP-UX: Upgrade considerations
    HP-UX: Upgrading WebSEAL
    Linux on xSeries: Upgrading a WebSEAL server
    Linux on xSeries: Upgrade considerations
    Linux on xSeries: Upgrading WebSEAL
    Linux on zSeries: Upgrading a WebSEAL server
    Linux on zSeries: Upgrade considerations
    Linux on zSeries: Upgrading WebSEAL
    Solaris: Upgrading a WebSEAL server
    Solaris: Upgrade considerations
    Solaris: Upgrading WebSEAL
    Windows: Upgrading a WebSEAL server
    Windows: Upgrade considerations
    Windows: Upgrading WebSEAL

Chapter 5. Upgrading a runtime system
    AIX: Upgrading a runtime system
    HP-UX: Upgrading a runtime system
    Linux on zSeries: Upgrading a runtime system
    Solaris: Upgrading a runtime system
    Windows: Upgrading a runtime system

Chapter 6. Upgrading a Java runtime environment system
    AIX: Upgrading a Java runtime environment system
    HP-UX: Upgrading a Java runtime environment system
    Linux on zSeries: Upgrading a Java runtime environment system
    Solaris: Upgrading a Java runtime environment system
    Windows: Upgrading a Java runtime environment system

Chapter 7. Upgrading a development (ADK) system
    AIX: Upgrading a development (ADK) system
    HP-UX: Upgrading a development (ADK) system
    Linux on zSeries: Upgrading a development (ADK) system
    Solaris: Upgrading a development (ADK) system
    Windows: Upgrading a development (ADK) system

Chapter 8. Upgrading a plug-in for Web Servers

Chapter 9. Upgrading a Web Portal Manager system

Chapter 10. Upgrading IBM Directory Server
    AIX: Upgrading IBM Directory Server
    AIX: Upgrade considerations
    AIX: Upgrading from IBM SecureWay Directory, Version 3.2.1 or 3.2.2
    AIX: Upgrading from IBM Tivoli Directory Server, Version 4.1 or 5.1
    Upgrading from IBM Directory Server 4.1
    Upgrading from IBM Directory Server 5.1 with DB2 8.1, 32-bit


  • Upgrading

    from

    IBM

    Directory

    Server

    5.1

    with

    DB2

    7.2

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    . 115

    HP-UX:

    Upgrading

    IBM

    Directory

    Server

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    . 118

    HP-UX:

    Upgrade

    considerations

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    . 118

    HP-UX:

    Upgrading

    from

    IBM

    Directory

    Server,

    Version

    4.1

    or

    5.1

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    . 119

    Linux:

    Upgrading

    IBM

    Directory

    Server

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    . 120

    Linux:

    Upgrade

    considerations

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    . 120

    Linux:

    Upgrading

    from

    SecureWay

    Directory

    Version

    3.2.1

    or

    3.2.2

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    . 121

    Linux:

    Upgrading

    from

    IBM

    Tivoli

    Directory

    Server,

    Version

    4.1

    or

    5.1

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    . 123

    Solaris:

    Upgrading

    IBM

    Directory

    Server

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    . 124

    Solaris:

    Upgrade

    considerations

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    . 124

    Solaris:

    Upgrading

    from

    SecureWay

    Directory,

    Version

    3.2.1

    or

    3.2.2

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    . 125

    Solaris:

    Upgrading

    from

    IBM

    Tivoli

    Directory

    Server,

    Version

    4.1

    or

    5.1

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    . 128

    Windows:

    Upgrading

    IBM

    Directory

    Server

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    . 128

    Windows:

    Upgrade

    considerations

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    . 128

    Windows:

    Upgrading

    from

    IBM

    SecureWay

    Directory,

    Version

    3.2.1

    or

    3.2.2

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    . 130

    Windows:

    Upgrading

    from

    IBM

    Tivoli

    Directory

    Server,

    Version

    4.1

    or

    5.1

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    . 132

    Upgrading

    Tivoli

    Access

    Manager

    when

    using

    IBM

    Directory

    Server

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    . 133

    Windows:

    Upgrading

    Tivoli

    Access

    Manager

    when

    using

    IBM

    Directory

    Server

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    . 133

    UNIX:

    Upgrading

    Tivoli

    Access

    Manager

    when

    using

    IBM

    Directory

    Server

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    . 134

    Migrating

    a

    network

    of

    replication

    servers

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    . 135

    Chapter 11. Restoring a system to its prior level

    Restoring the policy server

    AIX: Restoring the policy server

    HP-UX: Restoring the policy server

    Linux: Restoring the policy server

    Linux for zSeries: Restoring the policy server

    Solaris: Restoring the policy server

    Windows: Restoring the policy server

    Restoring a WebSEAL server

    AIX: Restoring a WebSEAL server

    HP-UX: Restoring a WebSEAL server

    Linux: Restoring a WebSEAL server

    Linux on zSeries: Restoring a WebSEAL server

    Solaris: Restoring a WebSEAL server

    Windows: Restoring a WebSEAL server

    Appendix A. Upgrade utilities

    ivrgy_tool

    pdbackup

    pdconfig

    pdjrtecfg

    Appendix B. Notices

    Trademarks

    Glossary

    Index


  • Preface

    IBM® Tivoli® Access Manager (Tivoli Access Manager) is the base software that is required to run applications in the Access Manager product suite. It enables the integration of Access Manager applications that provide a wide range of authorization and management solutions. Sold as an integrated solution, these products provide an access control management solution that centralizes network and application security policy for e-business applications.

    Note: IBM Tivoli Access Manager is the new name of the previously released software entitled Tivoli SecureWay® Policy Director. Also, for users familiar with the Tivoli SecureWay Policy Director software and documentation, the term management server is now referred to as policy server.

    This white paper explains how to upgrade Tivoli Access Manager Base and Web Security software from a Version 3.8, 3.9, or 4.1 level to Version 5.1.

    Publications

    Review the descriptions of the Tivoli Access Manager library, the prerequisite publications, and the related publications to determine which publications you might find helpful. After you determine the publications you need, refer to the instructions for accessing publications online.

    Additional information about the IBM Tivoli Access Manager for e-business product itself can be found at:

    http://www.ibm.com/software/tivoli/products/access-mgr-e-bus/

    The Tivoli Access Manager library is organized into the following categories:

    - “Release information”
    - “Base information”
    - “Web security information” on page viii
    - “Developer references” on page viii
    - “Technical supplements” on page ix

    Release information

    - IBM Tivoli Access Manager for e-business Read This First (GI11-4155-00)
      Provides information for installing and getting started using Tivoli Access Manager.
    - IBM Tivoli Access Manager for e-business Release Notes (GI11-4156-00)
      Provides late-breaking information, such as software limitations, workarounds, and documentation updates.

    Base information

    - IBM Tivoli Access Manager Base Installation Guide (SC32-1362-00)
      Provides installation, configuration, and removal instructions for the Tivoli Access Manager Base software. This book is a subset of IBM Tivoli Access Manager for e-business Web Security Installation Guide and is intended for use with other Tivoli Access Manager products, such as IBM Tivoli Access Manager for Business Integration and IBM Tivoli Access Manager for Operating Systems.
    - IBM Tivoli Access Manager Base Administration Guide (SC32-1360-00)
      Describes the concepts and procedures for using Tivoli Access Manager services. Provides instructions for performing tasks from the Web Portal Manager interface and by using the pdadmin command.

    Web security information

    - IBM Tivoli Access Manager for e-business Web Security Installation Guide (SC32-1361-00)
      Provides installation, configuration, and removal instructions for the Tivoli Access Manager Base and Web Security software. This book is a superset of IBM Tivoli Access Manager Base Installation Guide.
    - IBM Tivoli Access Manager for e-business WebSEAL Administration Guide (SC32-1359-00)
      Provides background material, administrative procedures, and technical reference information for using WebSEAL to manage the resources of your secure Web domain.
    - IBM Tivoli Access Manager for e-business IBM WebSphere Application Server Integration Guide (SC32-1368-00)
      Provides installation, removal, and administration instructions for integrating Tivoli Access Manager with IBM WebSphere® Application Server.
    - IBM Tivoli Access Manager for e-business IBM WebSphere Edge Server Integration Guide (SC32-1367-00)
      Provides installation, removal, and administration instructions for integrating Tivoli Access Manager with the IBM WebSphere Edge Server application.
    - IBM Tivoli Access Manager for e-business Plug-in for Web Servers Integration Guide (SC32-1365-00)
      Provides installation instructions, administration procedures, and technical reference information for securing your Web domain using the plug-in for Web servers.
    - IBM Tivoli Access Manager for e-business BEA WebLogic Server Integration Guide (SC32-1366-00)
      Provides installation, removal, and administration instructions for integrating Tivoli Access Manager with BEA WebLogic Server.
    - IBM Tivoli Access Manager for e-business IBM Tivoli Identity Manager Provisioning Fast Start Guide (SC32-1364-00)
      Provides an overview of the tasks related to integrating Tivoli Access Manager and Tivoli Identity Manager and explains how to use and install the Provisioning Fast Start collection.

    Developer references

    - IBM Tivoli Access Manager for e-business Authorization C API Developer Reference (SC32-1355-00)
      Provides reference material that describes how to use the Tivoli Access Manager authorization C API and the Tivoli Access Manager service plug-in interface to add Tivoli Access Manager security to applications.
    - IBM Tivoli Access Manager for e-business Authorization Java Classes Developer Reference (SC32-1350-00)
      Provides reference information for using the Java™ language implementation of the authorization API to enable an application to use Tivoli Access Manager security.
    - IBM Tivoli Access Manager for e-business Administration C API Developer Reference (SC32-1357-00)
      Provides reference information about using the administration API to enable an application to perform Tivoli Access Manager administration tasks. This document describes the C implementation of the administration API.
    - IBM Tivoli Access Manager for e-business Administration Java Classes Developer Reference (SC32-1356-00)
      Provides reference information for using the Java language implementation of the administration API to enable an application to perform Tivoli Access Manager administration tasks.
    - IBM Tivoli Access Manager for e-business Web Security Developer Reference (SC32-1358-00)
      Provides administration and programming information for the cross-domain authentication service (CDAS), the cross-domain mapping framework (CDMF), and the password strength module.

    Technical supplements

    - IBM Tivoli Access Manager for e-business Command Reference (SC32-1354-00)
      Provides information about the command line utilities and scripts provided with Tivoli Access Manager.
    - IBM Tivoli Access Manager Error Message Reference (SC32-1353-00)
      Provides explanations and recommended actions for the messages produced by Tivoli Access Manager.
    - IBM Tivoli Access Manager for e-business Problem Determination Guide (SC32-1352-00)
      Provides problem determination information for Tivoli Access Manager.
    - IBM Tivoli Access Manager for e-business Performance Tuning Guide (SC32-1351-00)
      Provides performance tuning information for an environment consisting of Tivoli Access Manager with the IBM Tivoli Directory server as the user registry.

    Related publications

    This section lists publications related to the Tivoli Access Manager library.

    The Tivoli Software Library provides a variety of Tivoli publications such as white papers, datasheets, demonstrations, redbooks, and announcement letters. The Tivoli Software Library is available on the Web at:

    http://www.ibm.com/software/tivoli/library/

    The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available, in English only, from the Glossary link on the left side of the Tivoli Software Library Web page:

    http://www.ibm.com/software/tivoli/library/

    IBM Global Security Kit

    Tivoli Access Manager provides data encryption through the use of the IBM Global Security Kit (GSKit), Version 7. GSKit is included on the IBM Tivoli Access Manager Base CD, the IBM Tivoli Access Manager Web Administration Interfaces CDs, and the IBM Tivoli Access Manager Directory Server CDs for supported platforms.


  • The GSKit package provides the iKeyman key management utility, gsk7ikm, which is used to create key databases, public-private key pairs, and certificate requests. The following document is available on the Tivoli Information Center Web site in the same section as the IBM Tivoli Access Manager product documentation:

    - IBM Global Security Kit Secure Sockets Layer and iKeyman User’s Guide (SC32-1363-00)
      Provides information for network or system security administrators who plan to enable SSL communication in their Tivoli Access Manager environment.

    IBM Tivoli Directory Server

    IBM Tivoli Directory Server, Version 5.2, is included on the IBM Tivoli Access Manager Directory Server CD for the desired operating system.

    Note: IBM Tivoli Directory Server is the new name for the previously released software known as:

    - IBM Directory Server (Version 4.1 and Version 5.1)
    - IBM SecureWay Directory Server (Version 3.2.2)

    IBM Directory Server Version 4.1, IBM Directory Server Version 5.1, and IBM Tivoli Directory Server Version 5.2 are all supported by IBM Tivoli Access Manager Version 5.1.

    Additional information about IBM Tivoli Directory Server can be found at:

    http://www.ibm.com/software/network/directory/library/

    IBM DB2 Universal Database

    IBM DB2® Universal Database™ Enterprise Server Edition, Version 8.1 is provided on the IBM Tivoli Access Manager Directory Server CD and is installed with the IBM Tivoli Directory Server software. DB2 is required when using IBM Tivoli Directory Server as the user registry for Tivoli Access Manager.

    Additional information about DB2 can be found at:

    http://www.ibm.com/software/data/db2/

    IBM WebSphere Application Server

    IBM WebSphere Application Server, Version 5.0.2, is included on the IBM Tivoli Access Manager Web Administration Interfaces CD for the desired operating system. WebSphere Application Server enables the support of the Web Portal Manager interface and the IBM Tivoli Directory Server Web Administration Tool.

    Additional information about IBM WebSphere Application Server can be found at:

    http://www.ibm.com/software/webservers/appserv/infocenter.html

    IBM Tivoli Access Manager for Business Integration

    IBM Tivoli Access Manager for Business Integration, available as a separately orderable product, provides a security solution for IBM MQSeries®, Version 5.2, and IBM WebSphere MQ for Version 5.3 messages. IBM Tivoli Access Manager for Business Integration allows WebSphere MQSeries applications to send data with privacy and integrity by using keys associated with sending and receiving applications.

    Like WebSEAL and IBM Tivoli Access Manager for Operating Systems, IBM Tivoli Access Manager for Business Integration is one of the resource managers that use the services of IBM Tivoli Access Manager.


  • Additional information about IBM Tivoli Access Manager for Business Integration can be found at:

    http://www.ibm.com/software/tivoli/products/access-mgr-bus-integration/

    The following documents associated with IBM Tivoli Access Manager for Business Integration Version 5.1 are available on the Tivoli Information Center Web site:

    - IBM Tivoli Access Manager for Business Integration Administration Guide (SC23-4831-01)
    - IBM Tivoli Access Manager for Business Integration Problem Determination Guide (GC23-1328-00)
    - IBM Tivoli Access Manager for Business Integration Release Notes (GI11-0957-01)
    - IBM Tivoli Access Manager for Business Integration Read This First (GI11-4202-00)

    IBM Tivoli Access Manager for WebSphere Business Integration Brokers

    IBM Tivoli Access Manager for WebSphere Business Integration Brokers, available as part of IBM Tivoli Access Manager for Business Integration, provides a security solution for WebSphere Business Integration Message Broker, Version 5.0 and WebSphere Business Integration Event Broker, Version 5.0. IBM Tivoli Access Manager for WebSphere Business Integration Brokers operates in conjunction with Tivoli Access Manager to secure JMS publish/subscribe applications by providing password and credentials-based authentication, centrally-defined authorization, and auditing services.

    Additional information about IBM Tivoli Access Manager for WebSphere Integration Brokers can be found at:

    http://www.ibm.com/software/tivoli/products/access-mgr-bus-integration/

    The following documents associated with IBM Tivoli Access Manager for WebSphere Integration Brokers, Version 5.1 are available on the Tivoli Information Center Web site:

    - IBM Tivoli Access Manager for WebSphere Business Integration Brokers Administration Guide (SC32-1347-00)
    - IBM Tivoli Access Manager for WebSphere Business Integration Brokers Release Notes (GI11-4154-00)
    - IBM Tivoli Access Manager for Business Integration Read This First (GI11-4202-00)

    IBM Tivoli Access Manager for Operating Systems

    IBM Tivoli Access Manager for Operating Systems, available as a separately orderable product, provides a layer of authorization policy enforcement on UNIX systems in addition to that provided by the native operating system. IBM Tivoli Access Manager for Operating Systems, like WebSEAL and IBM Tivoli Access Manager for Business Integration, is one of the resource managers that use the services of IBM Tivoli Access Manager.

    Additional information about IBM Tivoli Access Manager for Operating Systems can be found at:

    http://www.ibm.com/software/tivoli/products/access-mgr-operating-sys/


  • The following documents associated with IBM Tivoli Access Manager for Operating Systems Version 5.1 are available on the Tivoli Information Center Web site:

    - IBM Tivoli Access Manager for Operating Systems Installation Guide (SC23-4829-00)
    - IBM Tivoli Access Manager for Operating Systems Administration Guide (SC23-4827-00)
    - IBM Tivoli Access Manager for Operating Systems Problem Determination Guide (SC23-4828-00)
    - IBM Tivoli Access Manager for Operating Systems Release Notes (GI11-0951-00)
    - IBM Tivoli Access Manager for Operating Systems Read Me First (GI11-0949-00)

    IBM Tivoli Identity Manager

    IBM Tivoli Identity Manager Version 4.5, available as a separately orderable product, enables you to centrally manage users (such as user IDs and passwords) and provisioning (that is, providing or revoking access to applications, resources, or operating systems). Tivoli Identity Manager can be integrated with Tivoli Access Manager through the use of the Tivoli Access Manager Agent. Contact your IBM account representative for more information about purchasing the Agent.

    Additional information about IBM Tivoli Identity Manager can be found at:

    http://www.ibm.com/software/tivoli/products/identity-mgr/

    Accessing

    publications

    online

    The

    publications

    for

    this

    product

    are

    available

    online

    in

    Portable

    Document

    Format

    (PDF)

    or

    Hypertext

    Markup

    Language

    (HTML)

    format,

    or

    both

    in

    the

    Tivoli

    software

    library:

    http://www.ibm.com/software/tivoli/library

    To

    locate

    product

    publications

    in

    the

    library,

    click

    the

    Product

    manuals

    link

    on

    the

    left

    side

    of

    the

    library

    page.

    Then,

    locate

    and

    click

    the

    name

    of

    the

    product

    on

    the

    Tivoli

    software

    information

    center

    page.

    Product

    publications

    include

    release

    notes,

    installation

    guides,

    user’s

    guides,

    administrator’s

    guides,

    and

    developer’s

    references.

    Note:

    To

    ensure

    proper

    printing

    of

    PDF

    publications,

    select

    the

    Fit

    to

    page

    check

    box

    in

    the

    Adobe

    Acrobat

    Print

    window

    (which

    is

    available

    when

    you

    click

    File

    Print).

    Accessibility

    Accessibility features help a user who has a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You also can use the keyboard instead of the mouse to operate all features of the graphical user interface.

    Contacting software support

    Before contacting IBM Tivoli Software Support with a problem, refer to the IBM Tivoli Software Support site by clicking the Tivoli support link at the following Web site:

    http://www.ibm.com/software/support/

    If you need additional help, contact software support by using the methods described in the IBM Software Support Guide at the following Web site:

    http://techsupport.services.ibm.com/guides/handbook.html

    The guide provides the following information:

    • Registration and eligibility requirements for receiving support
    • Telephone numbers, depending on the country in which you are located
    • A list of information you should gather before contacting customer support

    Conventions used in this book

    This reference uses several conventions for special terms and actions and for operating system-dependent commands and paths.

    Typeface conventions

    The following typeface conventions are used in this reference:

    Bold
        Lowercase commands or mixed case commands that are difficult to distinguish from surrounding text, keywords, parameters, options, names of Java classes, and objects are in bold.

    Italic
        Variables, titles of publications, and special words or phrases that are emphasized are in italic.

    Monospace
        Code examples, command lines, screen output, file and directory names that are difficult to distinguish from surrounding text, system messages, text that the user must type, and values for arguments or command options are in monospace.

    Operating system differences

    This book uses the UNIX convention for specifying environment variables and for directory notation. When using the Windows command line, replace $variable with %variable% for environment variables and replace each forward slash (/) with a backslash (\) in directory paths. If you are using the bash shell on a Windows system, you can use the UNIX conventions.

    Chapter 1. Introduction

    The process of upgrading Tivoli Access Manager to Version 5.1 requires you to consider the interdependencies between the various Tivoli Access Manager components and other software components on which the system depends. For example, a user logging into WebSEAL might interact with the WebSEAL component directly, but for the authentication to complete, WebSEAL must be able to communicate with the authentication server (for example, LDAP). Being mindful of this interdependency helps maintain service continuity during the upgrade.

    This guide takes a system-level approach to the upgrade process by considering the interaction of the various components present in a production environment. While there are many different ways to deploy Tivoli Access Manager components, this guide presents specific scenarios, which account for a large proportion of Tivoli Access Manager deployments. No additional hardware is required; however, in some cases, additional machines can reduce the risks involved in the upgrade.

    Carefully review the scenarios and determine the one that best matches your deployment. If your environment does not exactly match a scenario, you may mix and match between them, using the procedures that correspond to your configuration. In any case, you should create your own internal upgrade guide based on the procedures in this white paper and enhance it with the details of your own environment. Your custom upgrade guide should include enough detail to complete the upgrade and should be thoroughly tested in a lab environment before it is applied in a live production environment.

    The following list provides suggestions for the type of information to include in your custom upgrade guide:

    • Hostnames/IP addresses of servers
    • Components installed on the servers
    • Networking devices, such as firewalls and load balancers
    • How to add/remove WebSEAL servers to/from the load balancers
    • How to access the machines
    • Exact commands to execute for each step of each procedure

    Scenario 1: Large user base

    The key issue to consider in this scenario involves the ldap_host1 system, a single system that functions as both the policy server and the primary LDAP server (IBM Directory Server). Because these servers share the same LDAP client (IBM Directory), and because only one version of IBM Directory client can be installed on a single system, you cannot upgrade one server without upgrading the other.

    Rather than impact the active policy server, the following ‘two server’ upgrade procedure installs a second V5.1 policy server on ldap_host2 (LDAP server peer). If you do not want to use an IBM Directory Server peer for this purpose, you can simply introduce an additional server to act as the new policy server.

    Conditions:

    • Service must remain available during migration.
    • Tivoli Access Manager user accounts number in the millions.
    • You must be able to fall back to a previous version in the event of failure with minimal downtime (this precludes restoring from tape backup).
    • If absolutely necessary, you will provide additional hardware to support the upgrade process.

    IBM Directory Server Primary Peer: Indicates the server against which the policy server is configured. This system also provides authentication services for the WebSEAL servers.

    Other IBM Directory Server Peers: Indicates the backup servers for the policy server. Also provides authentication services for the WebSEAL servers.

    1. Upgrade IBM Directory Server on ldap_host2. To do so, follow these steps:

       a. Review “Migrating a network of replication servers” on page 135.
       b. Upgrade IBM Directory Server. For instructions, see Chapter 10, “Upgrading IBM Directory Server,” on page 109.
       c. Test that IBM Directory Server is up and running using the following command:

          ldapsearch -h ldap_host2 -s base -p port objectclass=*

          If the last line from the output of the ldapsearch command (ibm-slapdisconfigurationmode) is set to TRUE, this indicates that there was a problem during the migration and the server started in configuration mode. Examine the ibmslapd.log for errors. If no specific error is given, try restarting IBM Directory Server.
       d. Verify that replication still works by creating a new Tivoli Access Manager user on the primary peer (ldap_host1) and verifying that it gets replicated to this server.

    2. Upgrade the policy server using the two-system approach with ldap_host2 as the new system and ldap_host1 as the original system. After the upgrade is complete, ldap_host2 will host IBM Tivoli Directory Server, Version 5.2, and Tivoli Access Manager Policy Server, Version 5.1. The other servers still have the older versions of the software.

       Note: Maintain the original policy server until the other Tivoli Access Manager components have been upgraded. This allows for the option of restoring the original version should the need arise.

       At this time, it is important to note that any policy modification resulting in an update to one policy server must also be made on the other one. This means that new ACLs and other policy-related configurations should be performed on both the new and the old system while the two systems are running in parallel.

    3. Upgrade the WebSEAL servers (webseal_host1, webseal_host2, webseal_host3). The WebSEAL servers are still configured to use the policy server residing on ldap_host1. However, because there is backward compatibility between the 5.1 policy server and previous versions of WebSEAL, you can configure the two WebSEAL servers to use the new policy server. This offers a risk-free way of moving over to the new policy server. If, for some reason, a WebSEAL server does not function properly with the new policy server, simply point it back to the old one. Changing which policy server WebSEAL uses involves changing the master-host entry in the WebSEAL configuration file (described in detail in the WebSEAL upgrade procedure).

       Another item to consider concerns user activity on the system during your upgrade. If you plan to upgrade a WebSEAL server while users are trying to access the system, you must isolate each WebSEAL server before you upgrade it. To do so, change the port on which the WebSEAL server listens or configure your load balancer so that it does not route traffic to the WebSEAL server.

       The following steps should be applied to each WebSEAL server in succession.

       a. If required, isolate the WebSEAL server from customer use by changing the listening port or by reconfiguring your load balancer.
       b. Upgrade WebSEAL. For instructions, see Chapter 4, “Upgrading a WebSEAL server,” on page 53.
       c. If you have other instances of WebSEAL on this host, start them in the same manner as you did the default instance:

          cd /opt/pdweb/bin
          ./webseald -config etc/webseald-instance.conf -foreground

       d. If you took measures to isolate the WebSEAL server from customer use, reverse those measures now and then restart WebSEAL.

    4. After the WebSEAL servers have been upgraded, you have at least one instance of each Tivoli Access Manager component running the new version of the software. You may keep this configuration up and running until you feel that the new version is stable enough to rely on completely. When you are ready to make the switch, retire the original policy server (ldap_host1). For instructions, see information about retiring the original policy server in Chapter 2 on page 13.

    5. Upgrade IBM LDAP on ldap_host1 and ldap_host3. To do so, repeat step 1 on page 2.
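The check in step 1c can be scripted so that a directory server left in configuration mode is caught before the policy server is installed against it. The shell functions below are an added example, not part of the white paper: they classify the ldapsearch output from that step and treat a missing ibm-slapdisconfigurationmode attribute as a failure rather than as healthy. The function names and sample outputs are constructed for illustration; the ldapsearch flags are the ones the guide uses.

```shell
#!/bin/sh
# Added example: gate on the root DSE check from step 1c of the procedure.
# Function names and sample data are constructed; only the ldapsearch flags
# and the ibm-slapdisconfigurationmode attribute come from the guide.

# Read ldapsearch output on stdin and print: ok | config-mode | unknown.
# Accepts both "attr=value" and LDIF-style "attr: value" lines, any case.
classify_rootdse() {
    awk '
        {
            line = tolower($0)
            sub(/\r$/, "", line)                     # tolerate CRLF output
            if (line ~ /^ibm-slapdisconfigurationmode[ \t]*[=:]/) {
                sub(/^[^=:]*[=:][ \t]*/, "", line)   # keep the value only
                sub(/[ \t]+$/, "", line)
                mode = line
                seen = 1
            }
        }
        END {
            if (seen && mode == "false")     print "ok"
            else if (seen && mode == "true") print "config-mode"
            else                             print "unknown"   # fail closed
        }'
}

# Query a live server (host, port); return 0 only when it is safe to go on.
check_directory_server() {
    out=$(ldapsearch -h "$1" -p "$2" -s base 'objectclass=*' 2>/dev/null) || {
        echo "unreachable"; return 2
    }
    state=$(printf '%s\n' "$out" | classify_rootdse)
    echo "$state"
    [ "$state" = "ok" ]
}

# Constructed sample outputs (not captured from a real server).
SAMPLE_OK='namingcontexts=o=example
ibm-slapdisconfigurationmode=FALSE'
SAMPLE_CONFIG_MODE='namingcontexts: o=example
ibm-slapdisconfigurationmode: TRUE'
SAMPLE_TRUNCATED='namingcontexts=o=example'

for sample in "$SAMPLE_OK" "$SAMPLE_CONFIG_MODE" "$SAMPLE_TRUNCATED"; do
    printf '%s\n' "$sample" | classify_rootdse
done
```

Calling check_directory_server with the host and port of the upgraded peer returns non-zero for config-mode, unknown and unreachable, so an upgrade script can stop before the replication test in step 1d and send the operator to ibmslapd.log.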

    Scenario

    2:

    Small

    u