IBM€¦ · Novell eDirectory ................................30 ............................30...

IBM Tivoli Access Manager for e-business

Web Security ��

�� 5.1

SA30-2208-00

��

�!

� �� , 525 ��

� 1 �(2003� 11�)

� �� , IBM Tivoli Access Manager(�� 5724-C08)� �� 5, �� 1, ��

�� 0 � �� .

© Copyright International Business Machines Corporation 2001, 2003. All rights reserved.

��

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xviii

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xviii

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxii

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxii

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii

� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii

� 1 � �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

� 1 � �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Tivoli Access Manager �� . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Tivoli Access Manager Base �� . . . . . . . . . . . . . . . . . . . . . . . . . 6

Tivoli Access Manager Web Security �� . . . . . . . . . . . . . . . . . . . . . . 9

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Tivoli Access Manager �� . . . . . . . . . . . . . . . . . . . . . . . . . . 12


Tivoli Access Manager Web Security �� . . . . . . . . . . . . . . . . . . . . . . 17

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

� 2 � �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

IBM Tivoli Directory Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

OS/390� IBM Security Server . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

IBM z/OS Security Server LDAP Server . . . . . . . . . . . . . . . . . . . . . . . 28

Lotus Domino . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Microsoft Active Directory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Netscape iPlanet � Sun ONE Directory Server . . . . . . . . . . . . . . . . . . . . . 29

© Copyright IBM Corp. 2001, 2003 iii

Novell eDirectory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30


Tivoli Access Manager Web Security �� . . . . . . . . . . . . . . . . . . . . . 32

�� (�� ) . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

� 3 � �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

IBM Tivoli Directory Server� �� . . . . . . . . . . . . . . . . . . . . 47

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

UNIX �� LANG �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Windows �� LANG �� . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

�� (�� ) �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

� 2 � Base �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

� 4 � �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

IBM Tivoli Directory Server �� . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

IBM z/OS � OS/390 Security Server �� . . . . . . . . . . . . . . . . . . . . . . . . 83

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

Tivoli Access Manager for LDAP �� . . . . . . . . . . . . . . . . . . . . . . . . 85

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Lotus Domino �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

Domino� �� Tivoli Access Manager �� . . . . . . . . . . . . . . . . . . . . 88

Domino �� Lotus Notes �� . . . . . . . . . . . . . . . . . . . . . . 90

Microsoft Active Directory �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

Active Directory �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

Active Directory �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92



Active Directory �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96

Novell eDirectory �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

Novell eDirectory �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

Sun ONE Directory Server �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

� 5 � Policy Server �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

iv IBM Tivoli Access Manager for e-business: Web Security ��

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

AIX: Policy Server �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

HP-UX: Policy Server �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

Linux: Policy Server �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

Solaris: Policy Server �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

Windows: Policy Server �� . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

� 6 � Authorization Server �� . . . . . . . . . . . . . . . . . . . . . . . . . . 115

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116

AIX: Authorization Server �� . . . . . . . . . . . . . . . . . . . . . . . . . . 116

HP-UX: Authorization Server �� . . . . . . . . . . . . . . . . . . . . . . . . . 117

Linux: Authorization Server �� . . . . . . . . . . . . . . . . . . . . . . . . . . 119

Solaris: Authorization Server �� . . . . . . . . . . . . . . . . . . . . . . . . . . 120

Windows: Authorization Server �� . . . . . . . . . . . . . . . . . . . . . . . . . 121

� 7 � Development(ADK) �� . . . . . . . . . . . . . . . . . . . . . . . . 123

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

AIX: Development(ADK) �� . . . . . . . . . . . . . . . . . . . . . . . . 124

HP-UX: Development(ADK) �� . . . . . . . . . . . . . . . . . . . . . . . 125

Linux: Development(ADK) �� . . . . . . . . . . . . . . . . . . . . . . . . 126

Solaris: Development(ADK) �� . . . . . . . . . . . . . . . . . . . . . . . . 128

Windows: Development(ADK) �� . . . . . . . . . . . . . . . . . . . . . . . 129

� 8 � Java Runtime Environment �� . . . . . . . . . . . . . . . . . . . . . 131

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132

AIX: Java Runtime Environment �� . . . . . . . . . . . . . . . . . . . . . . 132

HP-UX: Java Runtime Environment �� . . . . . . . . . . . . . . . . . . . . . 133

Linux: Java Runtime Environment �� . . . . . . . . . . . . . . . . . . . . . 134

Solaris: Java Runtime Environment �� . . . . . . . . . . . . . . . . . . . . . 135

Windows: Java Runtime Environment �� . . . . . . . . . . . . . . . . . . . . 136

� 9 � Policy Proxy Server �� . . . . . . . . . . . . . . . . . . . . . . . . . . 139

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140

AIX: Policy Proxy Server �� . . . . . . . . . . . . . . . . . . . . . . . . . . . 140

HP-UX: Policy Proxy Server ��. . . . . . . . . . . . . . . . . . . . . . . . . . 141

Linux: Policy Proxy Server �� . . . . . . . . . . . . . . . . . . . . . . . . . . 143

Solaris: Policy Proxy Server �� . . . . . . . . . . . . . . . . . . . . . . . . . . 144

Windows: Policy Proxy Server �� . . . . . . . . . . . . . . . . . . . . . . . . . 145

� 10 � �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

AIX: �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

� v

HP-UX: �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

Linux: �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150

Solaris: �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151

Windows: �� . . . . . . . . . . . . . . . . . . . . . . . . . . . 152

� 11 � Web Portal Manager �� . . . . . . . . . . . . . . . . . . . . . . . 155

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158

AIX: Web Portal Manager �� . . . . . . . . . . . . . . . . . . . . . . . . 158

HP-UX: Web Portal Manager �� . . . . . . . . . . . . . . . . . . . . . . . 161

Linux: Web Portal Manager �� . . . . . . . . . . . . . . . . . . . . . . . 163

Solaris: Web Portal Manager �� . . . . . . . . . . . . . . . . . . . . . . . 165

Windows: Web Portal Manager �� . . . . . . . . . . . . . . . . . . . . . . 168

� 3 � Web Security �� . . . . . . . . . . . . . . . . . . . . . . . 171

� 12 � Attribute Retrieval Service �� . . . . . . . . . . . . . . . . . . . . . . . 173

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175

AIX: Attribute Retrieval Service �� . . . . . . . . . . . . . . . . . . . . . . . . 175

HP-UX: Attribute Retrieval Service �� . . . . . . . . . . . . . . . . . . . . . . . 176

Linux: Attribute Retrieval Service �� . . . . . . . . . . . . . . . . . . . . . . . . 177

Solaris: Attribute Retrieval Service �� . . . . . . . . . . . . . . . . . . . . . . . 178

Windows: Attribute Retrieval Service �� . . . . . . . . . . . . . . . . . . . . . . . 179

� 13 � Plug-in for Edge Server �� . . . . . . . . . . . . . . . . . . . . . . . . 181

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181

AIX: Tivoli Access Manager Plug-in for Edge Server ��. . . . . . . . . . . . . . . . . . 182

Red Hat Enterprise Linux 2.1: Tivoli Access Manager Plug-in for Edge Server �� . . . . . . . . 183

Solaris: Tivoli Access Manager Plug-in for Edge Server �� . . . . . . . . . . . . . . . . . 185

Windows: Tivoli Access Manager Plug-in for Edge Server �� . . . . . . . . . . . . . . . . 186

Plug-in for Edge Server �� . . . . . . . . . . . . . . . . . . . . . . . . 188

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

� 14 � Plug-in for Web Servers �� . . . . . . . . . . . . . . . . . . . . . . . . 197

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199

Plug-in for Apache Web Server �� . . . . . . . . . . . . . . . . . . . . . . . . 200

Plug-in for IBM HTTP Server �� . . . . . . . . . . . . . . . . . . . . . . . . . 203

Plug-in for Internet Information Services �� . . . . . . . . . . . . . . . . . . . . . 208

Plug-in for Sun ONE Web Server �� . . . . . . . . . . . . . . . . . . . . . . . . 209

� 15 � Tivoli Access Manager for WebLogic �� . . . . . . . . . . . . . . . . . . . 213

vi IBM Tivoli Access Manager for e-business: Web Security ��

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218

AIX: Tivoli Access Manager for WebLogic �� . . . . . . . . . . . . . . . . . . . . 218

HP-UX: Tivoli Access Manager for WebLogic �� . . . . . . . . . . . . . . . . . . . 220

Solaris: Tivoli Access Manager for WebLogic �� . . . . . . . . . . . . . . . . . . . 223

Windows: Tivoli Access Manager for WebLogic �� . . . . . . . . . . . . . . . . . . 225

startWebLogic �� CLASSPATH �� . . . . . . . . . . . . . . . . . . . . . . 228

Tivoli Access Manager for WebLogic �� . . . . . . . . . . . . . . . . . . . . . . . 229

� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . 229

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230

Tivoli Access Manager � �� . . . . . . . . . . . . . . . . . . . . . . . . . . . 231

� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . 232

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233

BEA WebLogic Server �� . . . . . . . . . . . . . . . . . . . . . . . . 234

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237

� 16 � Tivoli Access Manager for WebSphere �� . . . . . . . . . . . . . . . . . . . 239

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242

AIX: Tivoli Access Manager for WebSphere �� . . . . . . . . . . . . . . . . . . . . 242

HP-UX: Tivoli Access Manager for WebSphere �� . . . . . . . . . . . . . . . . . . . 244

Linux: Tivoli Access Manager for WebSphere �� . . . . . . . . . . . . . . . . . . . 245

Solaris: Tivoli Access Manager for WebSphere �� . . . . . . . . . . . . . . . . . . . 247

Windows: Tivoli Access Manager for WebSphere �� . . . . . . . . . . . . . . . . . . 248

� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250

WebSphere� �� Tivoli Access Manager �� . . . . . . . . . . . . . . . . . . . 250

WebSphere �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251

WebSphere, �� 4.0.6, �� . . . . . . . . . . . . . . . . . . . . . . . . . . 251

WebSphere, �� 5.0.2 �� 5.1, �� . . . . . . . . . . . . . . . . . . . . . . 252

Tivoli Access Manager for WebSphere �� . . . . . . . . . . . . . . . . . . . . . . . 254

WebSphere �� . . . . . . . . . . . . . . . . . . . . . . . . . . 255

WebSphere, �� 4.0.6 �� . . . . . . . . . . . . . . . . . . . . . 256

WebSphere, �� 5.0.2 �� 5.1, �� . . . . . . . . . . . . . . . . . 257

� 17 � WebSEAL Development(ADK) �� . . . . . . . . . . . . . . . . . . . 261

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262

AIX: WebSEAL Development(ADK) �� . . . . . . . . . . . . . . . . . . . . 262

HP-UX: WebSEAL Development(ADK) �� . . . . . . . . . . . . . . . . . . . 264

Linux: WebSEAL Development(ADK) �� . . . . . . . . . . . . . . . . . . . . 265

Solaris: WebSEAL Development(ADK) �� . . . . . . . . . . . . . . . . . . . 266

Windows: WebSEAL Development(ADK) �� . . . . . . . . . . . . . . . . . . . 268

� 18 � WebSEAL Server �� . . . . . . . . . . . . . . . . . . . . . . . . . . . 271

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271

� vii

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272

AIX: WebSEAL Server �� . . . . . . . . . . . . . . . . . . . . . . . . . . . 273

HP-UX: WebSEAL Server �� . . . . . . . . . . . . . . . . . . . . . . . . . . 274

Linux: WebSEAL Server �� . . . . . . . . . . . . . . . . . . . . . . . . . . . 275

Solaris: WebSEAL Server �� . . . . . . . . . . . . . . . . . . . . . . . . . . . 277

Windows: WebSEAL Server �� . . . . . . . . . . . . . . . . . . . . . . . . . . 278

� 4 � �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281

� 19 � �� . . . . . . . . . . . . . . . . . . . . . . . . 285

Global Security Kit �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285

AIX: Global Security Kit �� . . . . . . . . . . . . . . . . . . . . . . . . . . . 285

HP-UX: Global Security Kit �� . . . . . . . . . . . . . . . . . . . . . . . . . . 286

Linux: Global Security Kit �� . . . . . . . . . . . . . . . . . . . . . . . . . . 286

Solaris: Global Security Kit �� . . . . . . . . . . . . . . . . . . . . . . . . . . 287

Windows: Global Security Kit �� . . . . . . . . . . . . . . . . . . . . . . . . . 288

GSKit iKeyman �� . . . . . . . . . . . . . . . . . . . . . . . . . . . 288

IBM Tivoli Directory Client �� . . . . . . . . . . . . . . . . . . . . . . . . . . . 291

AIX: IBM Tivoli Directory Client �� . . . . . . . . . . . . . . . . . . . . . . . . 291

HP-UX: IBM Tivoli Directory Client ��. . . . . . . . . . . . . . . . . . . . . . . 292

Linux: IBM Tivoli Directory Client �� . . . . . . . . . . . . . . . . . . . . . . . 292

Solaris: IBM Tivoli Directory Client �� . . . . . . . . . . . . . . . . . . . . . . . 293

Windows: IBM Tivoli Directory Client �� . . . . . . . . . . . . . . . . . . . . . . 293

IBM JRE �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294

AIX: IBM JRE, �� 1.3.1.5 �� . . . . . . . . . . . . . . . . . . . . . . . . . . 295

HP-UX: IBM JRE, �� 1.3.1 �� . . . . . . . . . . . . . . . . . . . . . . . . . 295

Linux: IBM JRE, �� 1.3.1 �� . . . . . . . . . . . . . . . . . . . . . . . . . . 296

Solaris: IBM JRE, �� 1.3.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . 297

Windows: IBM JRE, �� 1.3.1 ��. . . . . . . . . . . . . . . . . . . . . . . . . 297

WebSphere Application Server �� . . . . . . . . . . . . . . . . . . . . . . . . . . 298

AIX: WebSphere Application Server �� . . . . . . . . . . . . . . . . . . . . . . . 299

HP-UX: WebSphere Application Server �� . . . . . . . . . . . . . . . . . . . . . . 301

Linux: WebSphere Application Server �� . . . . . . . . . . . . . . . . . . . . . . 303

Solaris: WebSphere Application Server �� . . . . . . . . . . . . . . . . . . . . . . 306

Windows: WebSphere Application Server �� . . . . . . . . . . . . . . . . . . . . . 308

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311

AIX: �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311

HP-UX: �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312

Linux: �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313

Solaris: �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314

Windows: �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315

WebSphere� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . 316

� 20 � �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319

Tivoli Access Manager �� . . . . . . . . . . . . . . . . . . . . . . . . 319

IBM Tivoli Directory Server �� . . . . . . . . . . . . . . . . . . . . . . . . . 320

Tivoli Access Manager for WebSphere �� . . . . . . . . . . . . . . . . . . . . . 321

viii IBM Tivoli Access Manager for e-business: Web Security ��

AIX: �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321

HP-UX: �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322

Linux: �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323

Solaris: �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324

Windows: �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325

� 21 � �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327

install_ldap_server �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328

install_ldap_server �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330

install_ammgr �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336

� 22 � �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345

Access Manager Runtime(LDAP) . . . . . . . . . . . . . . . . . . . . . . . . . . . 346

Access Manager Runtime(Active Directory) . . . . . . . . . . . . . . . . . . . . . . . 348

Access Manager Runtime(Domino) . . . . . . . . . . . . . . . . . . . . . . . . . . 351

install_amacld . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352

install_amadk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353

install_amjrte . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354

install_ammgr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355

install_amproxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357

install_amrte . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358

install_amwas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359

install_amweb . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361

install_amwebadk. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364

install_amwebars . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366

install_amwls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367

install_amwpi_apache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369

install_amwpi_ihs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370

install_amwpi_iis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371

install_amwpi_iplanet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372

install_amwpm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373

install_ldap_server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374

� 23 � pdconfig �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377

Access Manager Runtime -- LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . 378

Access Manager Runtime -- Active Directory . . . . . . . . . . . . . . . . . . . . . . 379

Access Manager Runtime -- Domino . . . . . . . . . . . . . . . . . . . . . . . . . 381

Access Manager Attribute Retrieval Service . . . . . . . . . . . . . . . . . . . . . . . 382

Access Manager Authorization Server . . . . . . . . . . . . . . . . . . . . . . . . . 383

Access Manager Java Runtime Environment . . . . . . . . . . . . . . . . . . . . . . . 384

Access Manager Plug-in for Edge Server . . . . . . . . . . . . . . . . . . . . . . . . 385

UNIX� Access Manager Plug-in for Web Servers. . . . . . . . . . . . . . . . . . . . . 386

Windows� Access Manager Plug-in for Web Servers . . . . . . . . . . . . . . . . . . . 388

Access Manager Policy Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389

Access Manager Policy Proxy Server . . . . . . . . . . . . . . . . . . . . . . . . . 390

Access Manager Web Portal Manager . . . . . . . . . . . . . . . . . . . . . . . . . 391

� ix

Access Manager WebSEAL Server . . . . . . . . . . . . . . . . . . . . . . . . . . 392

� 24 � SSL(Secure Sockets Layer) �� . . . . . . . . . . . . . . . . . . . . . . . 393

SSL �� IBM Tivoli Directory Server �� . . . . . . . . . . . . . . . . . . . . 394

� �� . . . . . . . . . . . . . . . . . . . . . . . . . 394

CA(Certificate Authority)�� . . . . . . . . . . . . . . . . . . . . 395

� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . 396

SSL �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397

SSL �� IBM z/OS � OS/390 �� . . . . . . . . . . . . . . . . . . . 399

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400

� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401

SSL �� Microsoft Active Directory �� . . . . . . . . . . . . . . . . . . . . 402

Active Directory �� . . . . . . . . . . . . . . . . . . . . . . . . 402

LDAP �� . . . . . . . . . . . . . . . . . . . . . . . . 403

SSL �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404

SSL �� Novell eDirectory �� . . . . . . . . . . . . . . . . . . . . . . 404

� CA(Certificate Authority) �� . . . . . . . . . . . . . . . . . . . . . . 405

� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406

LDAP �� . . . . . . . . . . . . . . . . . . . . . . . . . 406

SSL �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407

� �� CA �� IBM � � �� . . . . . . . . . . . . . . . . . . . . . . 407

SSL �� ONE Directory Server �� . . . . . . . . . . . . . . . . . . . . . . 408

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409

SSL �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410

SSL �� IBM Tivoli Directory Client �� . . . . . . . . . . . . . . . . . . . . 411

� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412

SSL �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413

LDAP �� . . . . . . . . . . . . . . . . . . . . . . . . . . 414

� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414

CA(Certificate Authority)�� . . . . . . . . . . . . . . . . . . . . 415

� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . 416

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417

SSL �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418

� 25 � AIX: Standby Policy Server �� . . . . . . . . . . . . . . . . . . . . . . . 421

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422

HACMP �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423

HACMP �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426

Standby Policy Server �� . . . . . . . . . . . . . . . . . . . . . . . . . . . 434

��: �� standby �� UID �� . . . . . . . . . . . . . . . . . . 439

��: �� . . . . . . . . . . . . . . . . . . . . . . 441

��: �� , �� . . . . . . . . . . . . . . . . . . . 442

��: AIX �� Standby �� . . . . . . . . . . . . . 444

��: Standby �� , �� . . . . . . . . . . . . . . . . . . 446

x IBM Tivoli Access Manager for e-business: Web Security ��

� 26 � Tivoli Access Manager �� . . . . . . . . . . . . . . . . . . . . . . . 449

amwebcfg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451

AMWLSConfigure -action config . . . . . . . . . . . . . . . . . . . . . . . . . . . 457

AMWLSConfigure -action unconfig . . . . . . . . . . . . . . . . . . . . . . . . . . 459

AMWLSConfigure -action create_realm . . . . . . . . . . . . . . . . . . . . . . . . . 460

AMWLSConfigure -action delete_realm . . . . . . . . . . . . . . . . . . . . . . . . . 462

amwpmcfg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463

ivrgy_tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466

migrateEAR4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469

migrateEAR5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473

pdbackup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477

pdconfig . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487

pdjrtecfg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488

pd_start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492

pdwascfg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494

pdweb . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499

pdwebpi . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502

pdwebpi_start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503

pdwpi-version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505

pdwpicfg -action config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506

pdwpicfg -action unconfig . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509

wesosm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511

wslstartwte . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513

wslstopwte . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514

� 27 � �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525

OpenSSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527

XML Parser Toolkit �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529

Pluggable Authentication Module �� . . . . . . . . . . . . . . . . . . . . . . . . 530

Apache Axis Servlet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531

JArgs command line option parsing suite for Java . . . . . . . . . . . . . . . . . . . . . 532

Java DOM �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533

Alfalfa Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534

Kerberos. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534

InfoZip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535

gSOAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 536

Apache Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537

� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538

�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541

� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549

� xi

xii IBM Tivoli Access Manager for e-business: Web Security ��

��

IBM® Tivoli® Access Manager(Tivoli Access Manager)� Access Manager ��

�� . � �� Access

Manager �� .

�� e-business ��

�� policy� ��

��.

�: IBM Tivoli Access Manager� �� Tivoli SecureWay® Policy Director�

�� . ��, Tivoli SecureWay Policy

Director �� Policy Server� ��

��.

IBM Tivoli Access Manager for e-business ��

� �� Tivoli Access Manager for e-business� ��

�� .

� ��

� �� IBM Tivoli Access Manager� ��

�� .

�� .

v PC � UNIX® � ��

v ��

v ��

v HTTP, TCP/IP, FTP(File Transfer Protocol) � Telnet� � ��

�

v LDAP(Lightweight Directory Access Protocol) � ��

v ��

SSL(Secure Sockets Layer) �� , SSL ��, � �(��

��), �� , �� CA(Certificate Authority)� � �

�� .

© Copyright IBM Corp. 2001, 2003 xiii

� ��

� 1 � �� .

v 3 �� 1 � ��

�� Tivoli Access Manager ��

� �� .

v 25 �� 2 � ��

Tivoli Access Manager ��

�� .

v 43 �� 3 � ��

� �� Tivoli Access Manager� ��

�� .

� 2 � �Base �� .

v 57 �� 4 � ��

Tivoli Access Manager� � ��

�� .

� 5 �� 11� �� Tivoli Access Manager Base ��

� Tivoli Access Manager ��

�� . ��

� �� .

v 105 �� 5 � �Policy Server ��

v 115 �� 6 � �Authorization Server ��

v 123 �� 7 � �Development(ADK) ��

v 131 �� 8 � �Java Runtime Environment ��

v 139 �� 9 � �Policy Proxy Server ��

v 147 �� 10 � ��

v 155 �� 11 � �Web Portal Manager ��

� 3 � �Web Security �� Tivoli Access Manager Web Security �


�� .

�� .

v 173 �� 12 � �Attribute Retrieval Service ��

v 181 �� 13 � �Plug-in for Edge Server ��

v 197 �� 14 � �Plug-in for Web Servers ��

v 213 �� 15 � �Tivoli Access Manager for WebLogic ��

xiv IBM Tivoli Access Manager for e-business: Web Security ��

v 239 �� 16 � �Tivoli Access Manager for WebSphere ��

v 261 �� 17 � �WebSEAL Development(ADK) ��

v 271 �� 18 � �WebSEAL Server ��

� 4 � �� .

v 285 �� 19 � ��


�� . �� Global Security Kit(GSKit), IBM Tivoli

Directory Client, IBM JRE, IBM WebSphere Application Server � IBM Tivoli

Directory Server �� .

v 319 �� 20 � ��


�� .

v 327 �� 21 � ��

��

��.

v 345 �� 22 � ��

�� Tivoli Access Manager� ��

�� .

v 377 �� 23 � �pdconfig �

pdconfig �� Tivoli Access Manager� ��

� �� .

v 393 �� 24 � �SSL(Secure Sockets Layer) ��

�� IBM Tivoli Directory Client �� SSL ��

�� .

v 421 �� 25 � �AIX: Standby Policy Server ��

�� , Standby Policy Server� ��

��(AIX®� ��). � �� HACMP(High Availability Cluster

Multiprocessing) �� .

v 449 �� 26 � �Tivoli Access Manager ��


�� .

v 515 �� 27 � ��

��

��.

�� xv

��

�� Tivoli Access Manager ��, ��

� � � �� . ��

�� .

IBM Tivoli Access Manager for e-business ��

� �� .

http://www.ibm.com/software/tivoli/products/access-mgr-e-bus/

Tivoli Access Manager �� .

v ��

v ��

v � ��

v xvii ��

v xviii ��

��

v IBM Tivoli Access Manager for e-business Read This First(GA30-2205-00)


v IBM Tivoli Access Manager for e-business �� (GA30-2206-00)

�� , ��

��.

��

v IBM Tivoli Access Manager �� (SA30-2207-00)

Web Portal Manager �� Tivoli Access Manager ��

�� . � �� IBM Tivoli Access Manager

for e-business �� , IBM Tivoli Access Manager

for Business Integration � IBM Tivoli Access Manager for Operating Systems

� �� Tivoli Access Manager �� .

v IBM Tivoli Access Manager Base Administration Guide(SC32-1360-00)


pdadmin �� Web Portal Manager ��

� �� .

� ��

v IBM Tivoli Access Manager for e-business �� (SA30-2208-00)

xvi IBM Tivoli Access Manager for e-business: Web Security ��

http://www.ibm.com/software/tivoli/products/access-mgr-e-bus/

Tivoli Access Manager �� , ��

� �� . � �� IBM Tivoli Access Manager ��

�� .

v IBM Tivoli Access Manager for e-business WebSEAL Administration

Guide(SC32-1359-00)

WebSEAL� ��

, �� .

v IBM Tivoli Access Manager for e-business IBM WebSphere Application Server

�� (SA30-2209-00)

Tivoli Access Manager� IBM WebSphere® Application Server� ��

��, �� .

v IBM Tivoli Access Manager for e-business IBM WebSphere Edge Server ��

��(SA30-2211-00)

Tivoli Access Manager� IBM WebSphere Edge Server ��

�� , �� .

v IBM Tivoli Access Manager for e-business Plug-in for Web Servers Integration

Guide(SC32-1365-00)

�� , ��

� �� .

v IBM Tivoli Access Manager for e-business BEA WebLogic Server ��

(SA30-2210-00)

Tivoli Access Manager� BEA WebLogic Server� �� , ��

�� .

v IBM Tivoli Access Manager for e-business IBM Tivoli Identity Manager

Provisioning Fast Start Guide(SC32-1364-00)

Tivoli Access Manager � Tivoli Identity Manager ��

� �� Provisioning Fast Start �� .

��

v IBM Tivoli Access Manager for e-business Authorization C API Developer

Reference(SC32-1355-00)

Tivoli Access Manager �� C API � Tivoli Access Manager ��


�� .

v IBM Tivoli Access Manager for e-business Authorization Java Classes Developer


�� xvii

�� API� Java™ �� Tivoli Access

Manager �� .

v IBM Tivoli Access Manager for e-business Administration C API Developer


�� API� �� Tivoli Access Manager ��

�� . � �� API� C ��

��.

v IBM Tivoli Access Manager for e-business Administration Java Classes Developer


�� API� Java �� Tivoli Access Manager

�� .

v IBM Tivoli Access Manager for e-business Web Security Developer


CDAS(Cross-Domain Authentication Service), CDMF(Cross-Domain Mapping

Framework) � Password Strength ��

��.

��

v IBM Tivoli Access Manager Upgrade Guide(SC32-1369-00)

Tivoli Access Manager for e-business� �� 5.1 ��

� ��.

v IBM Tivoli Access Manager for e-business Command Reference (SC32-1354-00)


�� .

v IBM Tivoli Access Manager Error Message Reference(SC32-1353-00)

Tivoli Access Manager�� .

v IBM Tivoli Access Manager for e-business Problem Determination

Guide(SC32-1352-00)

Tivoli Access Manager� �� .

v IBM Tivoli Access Manager for e-business Performance Tuning

Guide(SC32-1351-00)

�� IBM Tivoli Directory Server� � Tivoli Access

Manager� �� .

��


xviii IBM Tivoli Access Manager for e-business: Web Security ��

Tivoli Software Library�� white papers, datasheets, demonstrations, redbooks

� announcement letters� �� Tivoli �� . ��

� Tivoli Software Library� �� .

http://www.ibm.com/software/tivoli/library/

Tivoli Software Glossary�� Tivoli ��

��. Tivoli Software Glossary� �� . Tivoli

Software Library(http://www.ibm.com/software/tivoli/library/)� �� Glossary ��

� ��.

IBM Global Security KitTivoli Access Manager� IBM Global Security Kit(GSKit) �� 7.0� ��

�� . GSKit� �� IBM Tivoli Access

Manager Base CD� IBM Tivoli Access Manager Web Security CD, IBM Tivoli

Access Manager Web Administration Interfaces CD � IBM Tivoli Access Manager

Directory Server CD� �� .

GSKit �� , ��-��

�� iKeyman � �� gsk7ikm� ��. �� Tivoli

Information Center �� IBM Tivoli Access Manager ��

� �� .

v IBM Global Security Kit Secure Sockets Layer and iKeyman User’s

Guide(SC32-1363-00)

Tivoli Access Manager �� SSL ��

�� .

IBM Tivoli Directory ServerIBM Tivoli Directory Server, �� 5.2� �� IBM Tivoli Access

Manager Directory Server CD� �� .

�: IBM Tivoli Directory Server� ��

�� .

v IBM Directory Server(�� 4.1 � �� 5.1)

v IBM SecureWay Directory Server(�� 3.2.2)

IBM Directory Server �� 4.1, IBM Directory Server �� 5.1 � IBM Tivoli

Directory Server �� 5.2� �� IBM Tivoli Access Manager �� 5.1� � �

��.

IBM Tivoli Directory Server� �� .

http://www.ibm.com/software/network/directory/library/

�� xix




IBM DB2 Universal DatabaseIBM DB2® Universal Database™ Enterprise Server Edition, �� 8.1� IBM Tivoli

Access Manager Directory Server CD�� IBM Tivoli Directory Server

�� . IBM Tivoli Directory Server, z/OS™ �� OS/390®

LDAP �� Tivoli Access Manager� �� DB2� �

� ��.

DB2� �� .

http://www.ibm.com/software/data/db2/

IBM WebSphere Application ServerIBM WebSphere Application Server, �� 5.0.2� �� IBM Tivoli

Access Manager Web Administration Interfaces CD� �� . WebSphere

Application Server� �� Web Portal Manager ��, Attribute Retrieval

Service � IBM Tivoli Directory Server �� .

IBM WebSphere Application Server� ��

�.

http://www.ibm.com/software/webservers/appserv/infocenter.html

IBM Tivoli Access Manager for Business IntegrationIBM Tivoli Access Manager for Business Integration� ��

��, IBM MQSeries® �� 5.2 �� IBM WebSphere® MQ �� 5.3

�� . IBM Tivoli Access Manager for Business Integration� ��

� �� WebSphere MQSeries ��

�� . WebSEAL � IBM

Tivoli Access Manager for Operating Systems, IBM Tivoli Access Manager for

Business Integration�, IBM Tivoli Access Manager� ��

� � ��.

IBM Tivoli Access Manager for Business Integration� ��

� �� .

http://www.ibm.com/software/tivoli/products/access-mgr-bus-integration/

IBM Tivoli Access Manager for Business Integration �� 5.1� ��

� Tivoli Information Center �� .

v IBM Tivoli Access Manager for Business Integration �� (SA30-1825-01)

v IBM Tivoli Access Manager for Business Integration ��

(GA30-2064-00)

v IBM Tivoli Access Manager for Business Integration �� (GA30-1827-01)

xx IBM Tivoli Access Manager for e-business: Web Security ��

http://www.ibm.com/software/data/db2/



v IBM Tivoli Access Manager for Business Integration Read This First

(GA30-2063-00)

IBM Tivoli Access Manager for WebSphere Business

Integration BrokerIBM Tivoli Access Manager for Business Integration� �� IBM

Tivoli Access Manager for WebSphere Business Integration Broker� WebSphere

Business Integration Message Broker, �� 5.0 � WebSphere Business Integration

Event Broker, �� 5.0� �� . IBM Tivoli Access

Manager for WebSphere Business Integration Broker� Tivoli Access Manager�

�� , ��

�� JMS ��/�� .

IBM Tivoli Access Manager for WebSphere Integration Broker� ��

� �� .


IBM Tivoli Access Manager for WebSphere Integration Broker, �� 5.1� ��

�� Tivoli Information Center �� .

v IBM Tivoli Access Manager for WebSphere Business Integration Brokers

Administration Guide(SC32-1347-00)

v IBM Tivoli Access Manager for WebSphere Business Integration Brokers ��

�� (GA30-2194-00)

v IBM Tivoli Access Manager for Business Integration Read This First

(GA30-2063-00)

IBM Tivoli Access Manager for Operating SystemsIBM Tivoli Access Manager for Operating Systems� ��

��, �� UNIX �� policy �

� �� . IBM Tivoli Access Manager for Operating Systems�

WebSEAL � IBM Tivoli Access Manager for Business Integration� IBM Tivoli

Access Manager� �� .

IBM Tivoli Access Manager for Operating Systems� ��

�� .

http://www.ibm.com/software/tivoli/products/access-mgr-operating-sys/

IBM Tivoli Access Manager for Operating Systems �� 5.1� �� Tivoli

Information Center �� .

v IBM Tivoli Access Manager for Operating Systems �� (SA30-1841-01)

�� xxi


http://www.ibm.com/software/tivoli/products/access-mgr-operating-sys/

v IBM Tivoli Access Manager for Operating Systems �� (SA30-1840-01)

v IBM Tivoli Access Manager for Operating Systems ��

(SA30-1842-01)

v IBM Tivoli Access Manager for Operating Systems �� (GA30-1843-01)

v IBM Tivoli Access Manager for Operating Systems Read Me(GA30-1844-01)

IBM Tivoli Identity ManagerIBM Tivoli Identity Manager �� 4.5� �� , ��

� ��(�: �� ID � ��)� �� (�, ��,

� �� )� � ��. Tivoli Identity

Manager� Tivoli Access Manager Agent� � Tivoli Access Manager� ��

� � ��. Agent �� IBM �� .

IBM Tivoli Identity Manager� �� .

http://www.ibm.com/software/tivoli/products/identity-mgr/

��

�� Tivoli software library� PDF �� HTML ��

� � ��.

http://www.ibm.com/software/tivoli/library

�� Product manuals �� . Tivoli software

information center� �� .

�� , �� , �� , ��

�� .

�: PDF �� , Adobe Acrobat � �� (�� → ��

��)�� .

��

��

�� . � ��

�� . ��

�� .

xxii IBM Tivoli Access Manager for e-business: Web Security ��

http://www.ibm.com/software/tivoli/products/identity-mgr/


��

Tivoli �� , IBM Tivoli Software Support� ��

�. �� Tivoli support �� IBM Tivoli Software Support�

��.

http://www.ibm.com/software/support/

�� , �� IBM Software Support Guide� ��

�� .

http://techsupport.services.ibm.com/guides/handbook.html

� �� IBM Software Support� ��

�� .

v ��

v ��

v ��

� ��

� �� , ��

�.

��

� �� .

�� , ��, ��, ,

Java �� .

��

��, �� , �� .

��

�� , , ��, ��, �� , ��

�, ��

��.

��

� �� UNIX �� . Windows

�� , �� $variable� %variable%� ��, ��

� ��(/)� ��(\)� ��. Windows �� bash � ��

�, UNIX �� .

�� xxiii

http://www.ibm.com/software/support/

http://techsupport.services.ibm.com/guides/handbook.html

xxiv IBM Tivoli Access Manager for e-business: Web Security ��

� 1 � ��

� 1 � �� . . . . . . . . . . . . 3

�� . . . . . . . . . . . . . . . 4

�� . . . . . . . . . . . . . 5

Tivoli Access Manager �� . . . . . 6

Tivoli Access Manager Base �� . . . . 6

Access Manager Application Development

Kit . . . . . . . . . . . . . . . 6

Access Manager Authorization Server . . . 6

Access Manager Java Runtime Environment 6

Access Manager Policy Proxy Server . . . 7

Access Manager Policy Server . . . . . . 7

Access Manager Runtime . . . . . . . 8

Access Manager Web Portal Manager . . . 8

Provisioning Fast Start . . . . . . . . 8

Tivoli Access Manager Web Security �� 9

Access Manager Attribute Retrieval Service 9

Access Manager for WebLogic Server . . . 9

Access Manager for WebSphere Application

Server . . . . . . . . . . . . . . 9

Access Manager Plug-in for Edge Server 10

Access Manager Plug-in for Web Servers 10

Access Manager Web Security Runtime . . 10

Access Manager WebSEAL Application

Development Kit . . . . . . . . . . 10

Access Manager WebSEAL Server . . . . 10

�� . . . . . . . . 11

IBM Global Security Kit . . . . . . . 11

IBM JRE(Java Runtime Environment). . . 11

IBM Tivoli Directory Client . . . . . . 11

IBM Tivoli Directory Server . . . . . . 12

IBM Tivoli Directory Server �� . . 12

IBM WebSphere Application Server . . . 12

Tivoli Access Manager �� . . . . . 12



�� . . . . . . . . . . . . . . . 22

�� . . . . . . . . . . . . . 22

�� . . . . . . . . . . . 23

�� . . . . . . . . . . . . . 23

� 2 � �� . . . . . . . . . . 25

�� . . . . . . . . . . . 25

IBM Tivoli Directory Server . . . . . . . 25

IBM Tivoli Directory Server �� . . 26

OS/390� IBM Security Server . . . . . . 28

IBM z/OS Security Server LDAP Server . . 28

Lotus Domino . . . . . . . . . . . . 29

Microsoft Active Directory. . . . . . . . 29

Netscape iPlanet � Sun ONE Directory

Server . . . . . . . . . . . . . . . 29

Novell eDirectory . . . . . . . . . . . 30

�� . . . . . . . 30



�� (�� ) . . . . . . 33

�� . . . . . . . . . . . . . . . 40

�� . . . . . . . . . . 41

� 3 � �� . . . . . . . . . . . 43

�� . . . . . . . . . . . . . 44

�� . . . . . . . . . . . 45

IBM Tivoli Directory Server� ��

�� . . . . . . . . . . . . . . . . . 47

�� . . . . . . . . . 49

�� . . . . . . . . . . . . 50

UNIX �� LANG �� . . . . . . . 51

Windows �� LANG �� . . . . . . 51

�� . . . . . . . . . . . 52

�� . . . . . . . . . . . . . 52

�� (�� ) �� . . . . . . . . 53

�� . . . . . . . . . . 53

© Copyright IBM Corp. 2001, 2003 1

2 IBM Tivoli Access Manager for e-business: Web Security ��

� 1 � ��


�� . Tivoli Access Manager ��

��, �� IBM Tivoli Access Manager Upgrade Guide� �

�� .

�: �� IBM Tivoli Access

Manager for e-business �� .

� �� .

v 4 ��

v 5 ��

v 6 �� Tivoli Access Manager ��

v 12 �� Tivoli Access Manager ��

v 22 ��

v 23 ��


��

�� Tivoli Access Manager � �� , ��

�� .


�� . �� , ��

�� policy� �� . ��

�� .

v ��

v � ��

v ��


� �� . �� , ��


��

� �� .

�� policy� �� , ��

� � ��. �� , ��

��. �� , �� Tivoli Access

Manager �� .

�� , �� policy� �� Tivoli Access

Manager �� .

��

�� .

http://www.ibm.com/redbooks/

http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html

��


http://www.ibm.com/redbooks

http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html

��

Tivoli Access Manager� ��, �� policy� �

� �� . ��

� �� .

Policy Server

�� . � ��, �

� �� Tivoli Access Manager ��

� �� .

��

Tivoli Access Manager� �� ID� �� . �

�, �� Tivoli Access Manager �� .

Tivoli Access Manager� �� (�)� ��

�� . �


Tivoli Access Manager� ��

� � �� . �

��

�.

Policy Server � �� , Authorization Server ��

ADK(Application Development System)� ��

�� . ��, �� (LDAP ��

�� ). ��

�. �� IBM Tivoli Access Manager Base Administration

Guide� ��.

��

� 1 � �� 5


� �� Tivoli Access Manager �� Tivoli Access Manager

�� . 12 �� Tivoli Access Manager ��


��.

� �� .

v �Tivoli Access Manager Base ��

v 9 �� Tivoli Access Manager Web Security ��

v 11 ��

Tivoli Access Manager Base ��

Tivoli Access Manager Base�� . �

�� IBM Tivoli Access Manager Base CD��

��, �� Web Portal Manager �� IBM Tivoli Access

Manager Web Administration Interfaces CD�� . 13 �� Tivoli

Access Manager Base �� Base ��

�� .

Access Manager Application Development KitAccess Manager Application Development Kit� �� Authorization

Server� �� (third-party) ��

� ��. � �� C API � Java™ ��

�� . Java �� Java

�� Java Runtime Environment ��

� ��.

Access Manager Authorization ServerAccess Manager Authorization Server� �� Tivoli Access Manager

�� API� ��

�. Authorization Server� ��

� �� .

Access Manager Java Runtime EnvironmentAccess Manager Java Runtime Environment� Tivoli Access Manager ��

� �� Java �� .

Tivoli Access Manager �� Java ��

�� .

��


pdjrtecfg �� JRE� ��

� � ��. �� , � �� JRE

� � �� .

Web Portal Manager �� , � ��

��. �� Tivoli Access Manager Java Runtime Environment ��

�� , Access Manager Application Development Kit ��

�� . �� IBM Tivoli Access Manager for e-business

Administration Java Classes Developer Reference � IBM Tivoli Access Manager

for e-business Authorization Java Classes Developer Reference� ��.

Access Manager Policy Proxy ServerAccess Manager Policy Proxy Server� ��

�� . � ��

�� . ��, ��

� ��

�� . Tivoli Access Manager

�� (�: pdadmin �

�)� � Policy Server �� .

Access Manager Policy ServerAccess Manager Policy Server� ��

��, �� policy �� . � �

�� , �� . ��,


�� .

�� Policy Server ��

� Standby �� . Policy Server� �� Standby

Policy Server� �� Policy Server� �� Policy Server

�� . �� , Standby Policy Server� �� Standby ��

��. �� Policy Server� �� policy ��

�� .

Tivoli Access Manager� �� AIX �� Standby Policy Server

�� . � ��, Standby Policy Server� �� HACMP(High

Availability Cluster Multiprocessing) �� , ��

��

� �� .

��

� 1 � �� 7

Access Manager RuntimeAccess Manager Runtime� �� Tivoli Access Manager ��

�� .

Web Portal Manager � Java Runtime Environment �� Tivoli Access

Manager� �� Access Manager Runtime ��

� ��.

Access Manager Web Portal ManagerAccess Manager Web Portal Manager� Tivoli Access Manager ��

�� (GUI)��. � GUI� pdadmin ��

�� , ��, ��, ��, policy � �� Tivoli Access Manager �

�� . � ��

�� .

Web Portal Manager �� , �� , �

� �� (��)

�� . � ��

��

��.

� �� IBM Tivoli Access Manager Web Administration Interfaces CD

� �� . Web Portal Manager ��

��.

v Netscape Navigator 4.7x � 7.0

v Microsoft Internet Explorer 5.5 � 6.0

Provisioning Fast StartProvisioning Fast Start Installer� AIX � Windows �� Tivoli Access Manager

Base CD� ��. Tivoli Access Manager� Tivoli Identity Manager(��

�� IBM ��)� �� Provisioning Fast Start

�� . � ��

�� .

v Tivoli Identity Manager �� Tivoli Access Manager �� policy

��

v WebSEAL �� Tivoli Identity Manager ��

v Tivoli Identity Manager� ��

v Tivoli Identity Manager��

�� IBM Tivoli Access Manager for e-business IBM Tivoli Identity

Manager Provisioning Fast Start Guide� ��.

��


Tivoli Access Manager Web Security ��

Tivoli Access Manager Web Security��

��. � �� IBM Tivoli Access Manager Web Security CD

�� , �� Attribute Retrieval Service� IBM Tivoli Access

Manager Attribute Retrieval Service CD�� . 17 �� Tivoli Access

Manager Web Security �� Web Security ��

�� .

Access Manager Attribute Retrieval ServiceAccess Manager Attribute Retrieval Service� WebSEAL� ADI(Authorization

Decision Information) �� . � �� WebSEAL ��

� �� ADI� ��

��.

Attribute Retrieval Service� �� IBM Tivoli Access Manager Attribute

Retrieval Service CD� �� . �� IBM Tivoli Access

Manager for e-business WebSEAL Administration Guide� ��.

Access Manager for WebLogic ServerAccess Manager for WebLogic Server� BEA WebLigic Server��

�� IBM Tivoli Access Manager� ��.

Access Manager for WebLogic Server� BEA WebLogic Server Security Service

Provider Interface� �� Tivoli Access Manager� ��

�� . ��

WebLogic Server� �� .

��, WebSEAL �� Access Manager Plug-in for Web Server� ��

�� Access Manager for WebLogic

Server� �� . � �� WebLogic Server ��


� �� . �� IBM Tivoli Access Manager for e-business BEA

WebLogic Server �� .

Access Manager for WebSphere Application ServerAccess Manager for WebSphere Application Server� IBM WebSphere Application

Server �� policy ��

�� Tivoli Access Manager� ��. � �� WebSphere Application

Server� �� (��) ��

� �� .

��

� 1 � �� 9

Tivoli Access Manager for WebSphere� �� J2EE(Java 2 Enterprise Edition) �

� �� Tivoli Access Manager �� (��)

��

��. � �� WebSphere Enterprise Archive(EAR)

�� . �� IBM Tivoli Access

Manager for e-business IBM WebSphere Application Server ��

��.

Access Manager Plug-in for Edge ServerAccess Manager Plug-in for Edge Server� IBM WebSphere Edge Server ��

�� . � ��

� � �� . ��

� IBM Tivoli Access Manager for e-business IBM WebSphere Edge Server ��

�� .

Access Manager Plug-in for Web ServersAccess Manager Plug-in for Web Servers� ��

�� . � ��

�� policy� ��. � ��

� ��

�� policy� �� . �� IBM Tivoli Access

Manager for e-business Plug-in for Web Servers Integration Guide� ��

�.

Access Manager Web Security RuntimeAccess Manager Web Security Runtime�� Access Manager WebSEAL � Plug-in

for Web Servers� ��

� ��.

Access Manager WebSEAL Application Development KitAccess Manager WebSEAL ADK�� Tivoli Access Manager CDAS(Cross-domain

Authentication Service), Tivoli Access Manager CDMF(Cross-domain Mapping

Framework) � Tivoli Access Manager Password Strength Module� �� API

� � ��.

Access Manager WebSEAL ServerAccess Manager WebSEAL� �� . WebSEAL

� �� policy� ��

��. WebSEAL� ��

� �� policy� �� .

��


��

Tivoli Access Manager��

�. � �� Tivoli Access Manager� � �� Tivoli Access Manager


� �� 14 �� 1� ��.

IBM Global Security KitIBM GSKit(Global Security Kit)� Tivoli Access Manager ��

�� SSL(Secure Sockets Layer) �� . GSKit

�� iKeyman � �� (gsk7ikm)� ��, � ��

�� , ��-�� .

GSKit� �� Tivoli Access Manager ��

�� . GSKit� �� Tivoli Access Manager �� Access

Manager Runtime �� , Java Runtime

Environment, Web Portal Manager � Attribute Retrieval Service ��

��. � �� SSL� ��

� �� 393 �� 24 � �SSL(Secure Sockets Layer) �� IBM

Global Security Kit Secure Sockets Layer and iKeyman User’s Guide� ��

��.

�: GSKit�� OpenSSL� � �� (OpenSSL ��

�)� �� .

IBM JRE(Java Runtime Environment)IBM JRE� Access Manager Java Runtime Environment ��, ��


�.

IBM Tivoli Directory ClientIBM Tivoli Directory Client� �� AIX, HP-UX, Linux, Solaris � Windows

�� IBM Tivoli Access Manager Directory Server CD� IBM Tivoli

Directory Server� � ��.

�� IBM Tivoli Directory Client� Tivoli Access Manager

� �� .

v Tivoli Access Manager �� Active Directory ��

Windows ��.

v Java Runtime Environment, Web Portal Manager �� Attribute Retrieval Service

�� .

v Lotus Domino� �� .

��

� 1 � �� 11

IBM Tivoli Directory ServerIBM Tivoli Directory Server, �� 5.2� �� AIX, HP-UX, Linux, Sun Solaris

� �� Windows �� IBM Tivoli Access Manager Directory Server CD

� ��. � �� Tivoli Access Manager �� 25

��

��. � LDAP(Lightweight Directory Access Protocol) ��

� ��. �� LDAP �� /�

� �� . IBM Tivoli Directory Server� ��, �, �

� � ��

��.

IBM Tivoli Directory Server � ��

IBM Tivoli Directory Server, �� 5.2� IBM WebSphere Application Server�

�� GUI� ��

��. IBM Tivoli Directory Server� ��

� ��. �� 4.1, 5.1 � 5.2 ��

� �� IBM Tivoli Directory Server� �� .

�� IBM Tivoli Access Manager Web Administration Interfaces CD� �

�� . �� 26 ��

� �IBM Tivoli Directory Server �� .

IBM WebSphere Application ServerIBM WebSphere Application Server 5.0.2� Web Portal Manager ��,

Attribute Retrieval Service � �� . IBM WebSphere

Application Server� �� IBM Access Manager Web Administration

Interfaces CD� ��.

IBM Tivoli Directory Server, �� 5.2� ��

WebSphere Application Server -- Express �� .

Tivoli Access Manager, �� 5.1�� Java

2 Enterprise Edition(J2EE) � �� IBM

WebSphere Application Server, �� 5.0.2� ��, �� e-business� �

� ��

�� .


� �� . � ��

�� .

��


Policy Server� �� . , �

� �� . �� , Policy Server� �

� �� Web Portal Manager �� .

� �� .

v �Tivoli Access Manager Base ��



14 �� 1� Tivoli Access Manager Base �� .

�:

1. �� IBM Tivoli Directory Client, �� 5.2� Tivoli Access

Manager� �� .


� Windows ��.

v Java Runtime Environment �� Web Portal Manager ��

�.

v Domino� �� .

2. �� Tivoli Access Manager ��

�, IBM JRE 1.3.1� ��.

3. SuSE Linux� UnitedLinux 1.0� � � ��

� ��, �� SCO Group, Turbolinux � Conectiva��.

SuSe Linux Enterprise Server(SLES)� �� ,

UnitedLinux 1.0 �� .

�� UnitedLinux �� .

http://www.unitedlinux.com

��

� 1 � �� 13


1. Tivoli Access Manager Base �� - ��

��

Authorization Server v Global Security Kit,

�� 7

v IBM Tivoli Directory Client,

�� 5.21

v Access Manager Runtime, �� 5.1

v Access Manager Authorization Server, ��

5.1

v AIX 5.1.0 � 5.2.0

v HP-UX 11.0 � 11i

v Red Hat Enterprise Linux 3.0

v IA32� �� SuSE SLES8

v �� 2� � S/390 � zSeries(31

� ��)� �� SuSE SLES8

v �� 2� � zSeries(64� ��

�, 31� �� )� �� SuSE SLES8

v pSeries � iSeries� SuSE SLES8

v Solaris 8 � 9

v �� 3� � Windows 2000

Server � Advanced Server

v Windows 2003 Standard Server �

Enterprise Server

Development(ADK) v Global Security Kit,

�� 7


�� 5.2 1


v Access Manager Application Development

Kit, �� 5.1

v AIX 4.3.3, 5.1.0 � 5.2.0

v HP-UX 11.0 � 11i



v �� 2� � S/390 � zSeries(31


v �� 2� � zSeries(64� ��

�, 31� �� )� �� SuSE SLES8

v Solaris 7, 8 � 9

v �� 6a� � Windows NT 4.0

v �� 3� � Windows 2000



Enterprise Server

v Windows XP Pro

��


1. Tivoli Access Manager Base �� - �� (��)

��

IBM Tivoli Directory Server IBM Tivoli Directory Server� Tivoli Access

Manager �� , ��

�� .

v Global Security Kit,

�� 7


�� 5.2 1

v IBM DB2, �� 8.1

v IBM Tivoli Directory Server,

�� 5.2

v AIX 5.1.0 � 5.2.0


v IA32� SuSE SLES8

v �� 2� � S/390 � zSeries(31

� ��)� SuSE SLES8

v �� 2� � zSeries(64� ��

�, 31� �� )� SuSE SLES8

v pSeries � iSeries� SuSE SLES8

v Solaris 8 � 9


v �� 3� � Windows 2000



Enterprise Server

Java Runtime Environment v Access Manager Java Runtime Environment,

�� 5.1

v IBM JRE, �� 1.3.1 ��

v AIX 4.3.3, 5.1.0 � 5.2.0

v HP-UX 11.0 � 11i



v �� 2� � S/390 � zSeries(31


v �� 2� � zSeries(64� ��

�, 31� �� )� �� SuSE SLES8

v pSeries � iSeries� �� SuSE SLES8


v �� 6a� � Windows NT

v �� 3� � Windows 2000



Enterprise Server

��

� 1 � �� 15


��

Policy proxy server v Global Security Kit,

�� 7


�� 5.2 1


v Access Manager Policy Proxy Server, ��

5.1

v AIX 5.1.0 � 5.2.0

v HP-UX 11.0 � 11i



v �� 2� � S/390 � zSeries(31


v �� 2� � zSeries(64� ��

�, 31� �� )� �� SuSE SLES8


v Solaris 8 � 9

v �� 3� � Windows 2000



Enterprise Server

Policy Server v Global Security Kit,

�� 7


�� 5.2 1


v Access Manager Policy Server, �� 5.1

v AIX 5.1.0 � 5.2.0

v HP-UX 11.0 � 11i



v �� 2� � S/390 � zSeries(31


v �� 2� � zSeries(64� ��

�, 31� �� )� �� SuSE SLES8

v Solaris 8 � 9

v �� 3� � Windows 2000



Enterprise Server

��



��

Runtime v Global Security Kit,

�� 7


�� 5.2 1


v AIX 4.3.3, 5.1.0 � 5.2.0

v HP-UX 11.0 � 11i



v �� 2� � S/390 � zSeries(31


v �� 2� � zSeries(64� ��

�, 31� �� )� �� SuSE SLES8



v �� 3� � Windows 2000



Enterprise Server

Web Portal Manager v IBM WebSphere Application Server, ��

5.0.2

v Access Manager Web Portal Manager, �

� 5.1

v Access Manager Java Runtime Environment,

�� 5.1

v AIX 5.1.0 � 5.2.0

v HP-UX 11.0 � 11i


v �� 2� � S/390 � zSeries(31


v �� 2� � zSeries(64� ��

�, 31� �� )� �� SuSE SLES8


v Solaris 8 � 9

v �� 3� � Windows 2000



Enterprise Server


18 �� 2� �� Web Security ��

��. � �� IBM Tivoli Access Manager

Web Security CD�� , �� Attribute Retrieval Service�

IBM Tivoli Access Manager Attribute Retrieval Service CD�� .

�:

1. �� IBM Tivoli Directory Client, �� 5.2� Tivoli Access

Manager� �� .

��

� 1 � �� 17


� Windows ��.

v Attribute Retrieval Service �� .

v Domino� �� .

2. BEA� BEA WebLogic Server� �� . �

� � �� BEA� ��

�. � � �� BEA WebLogic �

�� BEA �� .


�, IBM JRE 1.3.1� ��.

2. Tivoli Access Manager Web Security �� - ��

��

Attribute Retrieval Service IBM WebSphere Application Server, �

� 5.0.2v AIX 5.1.0 � 5.2.0

v HP-UX 11.0 � 11i


v �� 2� � S/390 � zSeries(31


v �� 2� � zSeries(64� ��

� , 31� �� )� �� SuSE

SLES8

v Solaris 8 � 9

v �� 3� � Windows 2000



Enterprise Server

��


2. Tivoli Access Manager Web Security �� - �� (��)

��

WebSEAL Server v Global Security Kit,

�� 7


�� 5.2 1


v Access Manager Web Security

Runtime, �� 5.1

v Access Manager WebSEAL Server, �

� 5.1

v AIX 5.1.0 � 5.2.0

v HP-UX 11.0 � 11i



v �� 2� � S/390 � zSeries(31


v �� 2� � zSeries(64� ��

� , 31� �� )� �� SuSE

SLES8

v Solaris 8 � 9

v �� 3� � Windows 2000



Enterprise Server

WebSEAL Development(ADK) v Global Security Kit,

�� 7


�� 5.2 1



Runtime, �� 5.1

v Access Manager WebSEAL Server, �

� 5.1

v Access Manager Appl ica t ion

Development Kit, �� 5.1

v A c c e s s M a n a g e r W e b S E A L

Application Development Kit, ��

5.1

v AIX 5.1.0 � 5.2.0

v HP-UX 11.0 � 11i



v �� 2� � S/390 � zSeries(31


v �� 2� � zSeries(64� ��

� , 31� �� )� �� SuSE

SLES8

v Solaris 8 � 9

v �� 3� � Windows 2000



Enterprise Server

Tivoli Access Manager for WebLogic v �� 2� � BEA WebLogic

Server, �� 7 ��

�� 1 2� � �� 8.1

v Access Manager Java Runtime

Environment, �� 5.1

v Access Manager for WebLogic Server

v AIX 5.1.0

v Solaris 8 � 9

v HP-UX 11.0 � 11i(BEA WebLogic

Server, �� 7.0 ��)

v �� 3� � Windows 2000


��

� 1 � �� 19


��

Tivoli Access Manager for WebSphere v IBM WebSphere Application Server,

�� 4.0.6, 5.0.2 �� 5.1 �� IBM

WebSphere Application Server,

Advanced Single Server, �� 4.0.6

v Access Manager Java Runtime

Environment, �� 5.1

v Access Manager for WebSphere

Application Server, �� 5.1

v AIX 5.1.0 � 5.2.0

v HP-UX 11.0 � 11i


v �� 2� � S/390 � zSeries(31


v �� 2� � zSeries(64� ��

� , 31� �� )� �� SuSE

SLES8

v Solaris 8 � 9

v �� 3� � Windows 2000



Enterprise Server

Plug-in for Apache Web Server v SSL �� Apache Web

Server(zSeries� Linux� ��

1.3.26-36/Solaris� �� 1.3.27)


�� 7

v IBM Tivoli Directory Client, �� 5.2



Runtime, �� 5.1

v Access Manager Plug-in for Web

Servers, �� 5.1

v Access Manager Plug-in for Apache

Web Server

v �� 2� � S/390 � zSeries(31


v Solaris 8 � 9

Plug-in for Edge Server v IBM WebSphere Edge Server, ��

5.1


�� 7




Runtime, �� 5.1

(Linux�� )

v Access Manager Plug-in for Edge

Server, �� 5.1

v AIX 5.1.0 � 5.2.0

v Solaris 8 � 9


v �� 3� � Windows 2000


��



��

Plug-in for IBM HTTP Server v IBM HTTP Server, �� 1.3.26


�� 7




Runtime, �� 5.1


Servers, �� 5.1

v Access Manager Plug-in for IBM

HTTP Server

v AIX 5.1.0 �� 5.2.0


v �� 2� � S/390 � zSeries(31


v �� 2� � zSeries(64� ��

� , 31� �� )� �� SuSE

SLES8

v Solaris 8 �� 9

Plug-in for Internet Information Services v Internet Information Services, �� 5.0

�� 6.0


�� 7




Runtime, �� 5.1


Servers, �� 5.1

v �� 3� � Windows 2000

Server � Advanced Server� ��

Internet Information Services, �� 5.0


Enterprise Server� �� Internet

Information Services, �� 6.0

Plug-in for SUN One Web Server v Sun ONE Web Server,

�� 6.0


�� 7




Runtime, �� 5.1


Servers, �� 5.1

v Access Manager Plug-in for Sun

ONE Web Server

v AIX 5.1.0 � 5.2.0

v Solaris 8 �� 9

��

� 1 � �� 21

��


��.

v ��

v 23 ��

��


��. �� Tivoli Access Manager ��

�� . ��

� ��.

3 23 �� 4� �� Base � Web Security

�� .

Tivoli Access Manager Base �� IBM Tivoli

Access Manager Base CD� � �� .

v install_ldap_server� IBM Tivoli Access Manager Directory Server CD�

� ��.

v install_amwpm� IBM Tivoli Access Manager Web Administration Interfaces

CD� � ��.

Tivoli Access Manager Web Security �� IBM

Tivoli Access Manager Web Security CD� � �� .

v install_amwebars� IBM Tivoli Access Manager Attribute Retrieval Service CD

� � ��.

�: � � �� 12 �

�� Tivoli Access Manager �� .

3. Base ��

�� Base ��

install_ldap_server IBM Tivoli Directory Server

install_ammgr Policy Server

install_amacld Authorization Server

install_amadk Development(ADK) ��

install_amjrte Java Runtime Environment ��

install_amproxy Policy Proxy Server

install_amrte Runtime ��

install_amwpm Web Portal Manager ��

install_ampfs 1 Provisioning Fast Start

��


3. Base �� (��)1 install_ampfs �� Tivoli Access Manager� Tivoli Identity Manager� ��

� � �� Provisioning Fast Start �� . �� IBM Tivoli

Access Manager for e-business IBM Tivoli Identity Manager Provisioning Fast Start Guide� �

��.

4. Web Security ��

�� Web Security ��

install_amwas Tivoli Access Manager for WebSphere

install_amweb WebSEAL Server

install_amwebadk WebSEAL Development(ADK) ��

install_amwebars Attribute Retrieval Service

install_amwls Tivoli Access Manager for WebLogic

install_amwpi_apache Plug-in for Apache Web Server

install_amwpi_ihs Plug-in for IBM HTTP Server

install_amwpi_iis Plug-in for Internet Information Services

install_amwpi_iplanet Plug-in for Sun ONE Web Server

��

Tivoli Access Manager �� Solaris � �� pkgadd� �

� �� . �� , � ��

� � �� .

Access Manager Runtime �� pdconfig ��

� �� Tivoli Access Manager �� . Access Manager

Runtime �� , Access Manager Java Runtime

Environment �� pdjrtecfg� ��

��, Access Manager Web Portal Manager �� pdwpmcfg�

�� .

�: � �� 449 �� 26 � �Tivoli Access

Manager �� .

��


1. Tivoli Access Manager �� . �� Tivoli Access Manager

� �� .

2. �� Tivoli Access Manager �� . � ��

�� Policy Server �� .

��

� 1 � �� 23

3. Tivoli Access Manager �� 25 �� 2 � ��

�� .

4. Tivoli Access Manager� � �� . �

�� 57 �� 4 � �� .

5. Tivoli Access Manager Policy Server �� . ��

� 105 �� 5 � �Policy Server �� . HACMP ��

�� Standby Policy Server� �� 421 �� 25 �

�AIX: Standby Policy Server �� .

6. �� Tivoli Access Manager Base �� (�� ). �

� �, �� .

Authorization Server 115 ��

Development(ADK) �� 123 ��

Java Runtime Environment �� 131 ��

Policy proxy server 139 ��

Runtime �� 147 ��

Web Portal Manager �� 155 ��

7. Tivoli Access Manager Web Security �� (�� ). ��

�, �� .

Attribute Retrieval Service 173 ��

Plug-in for Edge Server 181 ��

Plug-in for Web Servers 197 ��

Tivoli Access Manager for WebLogic 213 ��

Tivoli Access Manager for WebSphere 239 ��

WebSEAL development(ADK) �� 261 ��

WebSEAL Server 271 ��

�: Tivoli Access Manager ��

�� , ��

�.

8. CA(Certificate Authority)� �� IBM

Tivoli Directory Client �� SSL �� . ��

�� GSKit iKeyman ��

� ��. iKeyman �� IBM Global Security

Kit Secure Sockets Layer and iKeyman User’s Guide� ��. iKeyman

�� 288 �� GSKit iKeyman ��

�� .

��


� 2 � ��

� �� . �� , ��

� � �� IBM Tivoli Access Manager for e-business ��

�� .

� �� .

v ��

v 30 ��

v 33 �� (�� )�

v 40 ��

v 41 ��

��

Tivoli Access Manager� �� , ��

� �� .

IBM Tivoli Directory Server

Tivoli Access Manager� IBM Tivoli Directory Server, �� 4.1, 5.1 � 5.2� �

�� .

�: IBM Tivoli Directory Server, �� 5.2� Tivoli Access Manager, �� 5.1

� ��. � �� IBM Directory Server� ��

� � ��, IBM Tivoli Access Manager, �� 5.1� LDAP ��

IBM Directory Client �� 5.2� �� 4.1 �� 5.1� ��

�� IBM Tivoli Directory Server� �� .

�� .

v AIX ��:

– AIX 5.1

– AIX 5.2

�: AIX 5.1� ��, AIX �� 4 �� . AIX 5.2�

��, AIX �� 1 �� .

v HP-UX ��:

– HP-UX 11

– �� HP-UX 11i


- 2001� 12� GOLDBASE11i �

- 2001� 12� GOLDAPPS11i �

- �� PHSS_26560

v xSeries� Linux ��:

– �� 2� � UnitedLinux 1.0

– SuSE Linux Enterprise Server 8

– Red Hat Enterprise Linux 3.0

v zSeries� Linux ��:


– Red Hat Enterprise Server 3.0

v pSeries � iSeries� Linux ��:

– Red Hat Enterprise Server 3.0


v Solaris ��:

– Solaris Operating Environment Software, �� 8 � 9

– Trusted Solaris, �� 8

v Windows ��:

– Windows 2000

– Windows Server 2003, Standard �� Enterprise

– �� 6 �� Windows NT 4.0; �� Windows NT

��(NTFS)� ��.

��:

v Tivoli Access Manager� �� IBM Directory Server� � �� ,

�� . ��

�� IBM Tivoli Access Manager Upgrade Guide� ��.

v IBM �� LDAP �� , IBM Tivoli

Directory Server� �� . ��

�� IBM Tivoli Directory Server� ��

�, �� .


IBM Tivoli Directory Server� IBM Tivoli Directory Server �� , �� 5.2

� �� . IBM Tivoli Directory Server ��

�� . ��

� �� LDAP �� .

��


v IBM Tivoli Directory Server, �� 5.2

v IBM Directory Server, �� 5.1

v IBM Directory Server, �� 4.1

v OS/400 V5R3

v z/OS™ R4

�: z/OS R4� ��, �� .

– TDBM ��

– SDBM ��

– �� TDBM � SDBM ��

�� .

v AIX ��:

– AIX 4.3.3

– AIX 5.1

– AIX 5.2

v HP-UX ��:

– HP-UX 11

– HP-UX 11i

v xSeries� Linux ��:

– UnitedLinux 1.0

– SuSE Linux Enterprise Server 7 � 8

– Red Hat Advanced Server 2.1

v zSeries� Linux ��:

– SuSE Linux Enterprise Server 8.0

v pSeries � iSeries� Linux ��:

– UnitedLinux 1.0

– SuSE Linux Enterprise Server 8.0

v Solaris ��:

– Solaris Operating Environment Software, �� 7, 8 � 9

– Trusted Solaris, �� 8

v Windows ��:

– Windows 2000

– Windows XP

– Windows Server 2003, Standard �� Enterprise

��

� 2 � �� 27

– �� 6 �� Windows NT 4.0

�� .

v �� :

– WebSphere Application Server -- Express V5.0 ��

– IBM WebSphere Application Server, �� 5.0 ��. IBM WebSphere

Application Server, �� 5.0.2� Tivoli Access Manager, �� 5.1 � �

��.

v �� (� ��

� �� ).

– AIX ��: Mozilla 1.3 �� 1.4

– HP-UX ��: Mozilla 1.3 �� 1.4

– zSeries� Linux ��: Mozilla 1.3 �� 1.4

– iSeries, pSeries � zSeries� Linux ��: �� . �

Linux ��

��.

– Solaris ��: Mozilla 1.3 �� 1.4

– Windows ��: Internet Explorer, �� 6.0

OS/390� IBM Security Server

Tivoli Access Manager� OS/390®� IBM Security Server, �� 2, �� 10�

�� . �� OS/390 Internet Library

�� .

http://www.s390.ibm.com/os390/bkserv/

IBM z/OS Security Server LDAP Server

Tivoli Access Manager� IBM z/OS Security Server LDAP Server, �� 1, ��

� 2 �� . �� z/OS Internet

Library �� .

http://www.ibm.com/servers/eserver/zseries/zos/bkserv/

��, CD-ROM, z/OS: Collection, SK3T-4269��

��.

��


http://www.s390.ibm.com/os390/bkserv/


Lotus Domino

Windows� Tivoli Access Manager� Lotus® Domino, �� 5.0.10 � 6.0� ��

�� . Domino Server� Tivoli Access

Manager, �� 5.1� �� .

��: Lotus Domino� �� ,

v IBM Tivoli Directory Client� �� .

v Access Manager Runtime �� Lotus Notes® Client� ��

��. Tivoli Access Manager� Lotus Notes Client, �� 5.0.10 � ��

6.0 �� .

Microsoft Active Directory

Tivoli Access Manager� Windows 2000 � Windows 2003� Active Directory

� �� .

�� Tivoli Access Manager��, Windows 2000 Advanced Server ��

� Active Directory� �� . �� 5.1� �� , Active

Directory �� Tivoli Access Manager �� Windows � UNIX

�� Tivoli Access Manager� �� (Windows NT� ��

�).

UNIX �� IBM Tivoli Directory Client� �� Active Directory� ��

��. � LDAP �� Policy Server ��

�� .

Tivoli Access Manager Policy Server� Windows 2000 � 2003 ��

�� .

Netscape iPlanet � Sun ONE Directory Server

Tivoli Access Manager� Netscape iPlanet Directory Server, �� 5.1 � Sun ONE

Directory Server, �� 5.2� �� .

�� iPlanet �� Sun ONE Directory Server� � ��

� �� .

��:

v Tivoli Access Manager� �� iPlanet �� Sun ONE Directory Server

� � �� , �� . ��

�� Sun �� .

http://docs.sun.com/db/prod/s1dirsrv

��

� 2 � �� 29


v iPlanet � Sun ONE Directory Server�� SSL �� . Access

Manager Runtime �� GSKit� �

�� .

Novell eDirectory

Tivoli Access Manager� Novell eDirectory 8.6.2 � 8.7� ��

�� .

�� Novell eDirectory ��

��. Novell eDirectory �� .

http://www.novell.com/documentation/a-z.html

� �� .

http://support.novell.com/filefinder/5069/index.html

��:

v Tivoli Access Manager� �� Novell eDirectory �� ,

�� .

v Novell eDirectory �� SSL �� . Access Manager

Runtime �� GSKit� ��

� �� .

��


��. � � ��

��. � Tivoli Access Manager ��

� �� . �� Tivoli Access Manager ��

�� .

� �� .

v 31 �� Tivoli Access Manager Base ��


�: �� Tivoli Access Manager ��

�� . � ��

� ��(�� ).

��


http://www.novell.com/documentation/a-z.html

http://support.novell.com/filefinder/5069/index.html


5. Base �� -- ��

��

��(MB)

��

��(MB)

ACL ��

��

� ��

�(MB)

��

��

��

(MB)

��

(MB)

��

(MB)

��

� ��

A c c e s s M a n a g e r

A p p l i c a t i o n

Development Kit

3 5 -- -- -- -- --


Authorization Server2 4 15 2 5 30 40 --

Access Manager Java

Runtime Environment8 10 -- -- -- -- --


Policy Proxy Server1 2 -- 40 --


Policy Server2 4 5 1, 2 10 1 30 40 5 2


Runtime36 40 -- -- -- -- --

Access Manager Web

Portal Manager1 2 -- -- 35 3 70 4 --

Global Security Kit 18 20 -- -- -- -- --

IBM Tivoli Directory

Client46 50 -- -- 6 6


Server(��

�� )

145 7 245 7 -- 10 256 5 512--1GB 5 --

I B M W e b S p h e r e

Application Server, �

� 5.0.2

552 552 -- -- 256 512 --

�::1 � �� . � �� .

2 �� ACL �� , 10,000�� 10��

�� 10%� � 30�� ACL� �� . Policy Server� �� , � ��

� � �� .

3 WPM� �� .

4 WPM� �� .

5 256MB(��) � 512MB-1GB(��) �� 1�� Tivoli Access Manager �� . �� 1

�� , � �� 512KB(��) � 1GB-2GB(��) �� .

6 IBM Tivoli Directory Client� �� .

7 IBM Tivoli Directory Server �� . Tivoli Access Manager �� 10KB� ��

��.

��

� 2 � �� 31


6. Web Security �� -- ��

��

��(MB)

��

��(MB)

ACL ��

��

�� (MB)

��

� ��

��(MB)

��

(MB)

��

(MB)

��

��


WebSEAL20 25 15 1 200 2 80 250 3 --


WebSEAL Application

Development Kit

3 5 -- -- -- -- --

Access Manager for

WebLogic Server2 4 -- 5 64 128 --

Access Manager for

WebSphere2 4 -- 5 64 128 --

Access Manager Plug-

in for IBM HTTP

Server

15 25 15 1 10 60 120 --


in for Apache Web

Server

15 25 15 1 10 60 120 --


in for Sun ONE Web

Server

15 25 15 1 10 70 140 --


i n f o r I n t e r n e t

Information Services

15 25 15 1 10 165 225 --


Attr ibute Retr ieval

Service

6 10 -- -- 10 14 --


in for Edge Server15 25 15 1 10 15 30 --

�::1 �� ACL �� , 10,000�� 10�� 10%� �

30�� ACL� �� . Policy Server� �� , � ��

�� .2 WWW( �� ) �� .3 �� . � �� .

��


�� (�� ) 7� �� .

�: SuSE Linux� UnitedLinux 1.0� � � ��

� ��, �� SCO Group, Turbolinux � Conectiva��. SuSe

Linux Enterprise Server(SLES)� ��, UnitedLinux 1.0 ��

� �� . �� UnitedLinux

�� .


7. ��

�� Tivoli Access Manager 5.1 ��

��

��

AIX 4.3.3

v Development(ADK)

v Java Runtime Environment

v Runtime

�� :

v bos.rte.libpthreads � 4.3.3.51 �

�

v xlC.rte(6.0.0.0 C Set ++ Runtime)

v xlC.aix43.rte(6.0.0.3 C Set ++

Runtime)

AIX 5.1

v Attribute Retrieval Service

v Authorization server

v Development(ADK)


v Plug-in for Edge Server, �� 5.1

v Plug-in for IBM HTTP Server, ��

1.3.26

v Plug-in for Sun ONE Web Server, �

� 6.0

v Policy Server

v Policy proxy server

v Runtime

v Tivoli Access Manager for WebLogic

v Tivoli Access Manager for WebSphere

v Web Portal Manager

v WebSEAL Server

v WebSEAL Development(ADK)

�� 4 �� :


v xlC.aix50.rte(6.0.0.3 �� C Set ++

Runtime)

��

� 2 � �� 33


7. �� (��)


��

��

AIX 5.2



v Development(ADK)




1.3.26


� 6.0

v Policy Server


v Runtime



v WebSEAL Server


�� 1 ��

AIX 5200-01 ��

:


v xlC.aix50.rte(6.0.0.3 C Set ++

Runtime)

v 5.2.0.12� bos.rte.libc

HP-UX 11.0



v Development(ADK)


v Policy Server


v Runtime

v Tivoli Access Manager for

WebLogic(BEA WebLogic Server, �

� 7.0 ��)


v WebSEAL Server


v XSWGR-1100

v PHKL_25475

v PHSS_26945 ��

v PHSS_25091

v �� :

– ��: PHSS_26972

– ��: PHSS_26974

– ��: PHSS_26976

– ��: PHSS_24937

��


7. �� (��)


��

��

HP-UX 11i



v Development(ADK)


v Policy Server


v Runtime


WebLogic(BEA WebLogic Server, �

� 7.0 ��)



v WebSEAL Server


v PHCO_24400

v PHCO_24402

v PHSS_25092

v PHSS_26946

v �� :

– ��: PHSS_26971

– ��: PHSS_26973

– ��: PHSS_24975

– ��: PHSS_26977

Red Hat Enterprise Linux 2.1v Plug-in for Edge Server, �� 5.1 �� GSKit iKeyman ��

(gsk7ikm)� �� .

pdksh-5.2.14-13.i386.rpm

Red Hat Enterprise Linux 3.0


v Development(ADK)


v Policy Server


v Runtime

v WebSEAL Server


��

��

� 2 � �� 35

7. �� (��)


��

��

IA32� SuSE SLES8



v Development(ADK)



1.3.26

v Policy Server


v Runtime



v WebSEAL Server


libstdc++-3.2.2-5

v S/390 � zSeries(31� ��)� ��

SuSE SLES8

v zSeries(64� ��)� SuSE SLES8


v Authorization Server

v Development(ADK)


v SSL �� Plug-in for

Apache Web Server, �� 1.3.26-36(31

� �� )


1.3.26

v Policy Server


v Runtime



v WebSEAL Server


�� :

v 31�: k_deflt-2.4.19-32

v 64� : k_deflt-2.4.19-34

�� 2 �:

v 31� :

– k_deflt-2.4.19-79

v 64� :

– k_deflt-2.4.19-80

pSeries � iSeries� SuSE SLES8

v Development(ADK)


v Runtime


�� :

v kernel-iseries64-2.4.19-104

v kernel-ppc64-2.4.19-108

�� 1 �:

v kernel-iseries64-2.4.19-194

v kernel-ppc64-2.4.19-186

��


7. �� (��)


��

��

Solaris Operating Environment 7

v Development(ADK)


v Runtime

32� ��:

v 106327-18

v 106541-24

v 106950-22

v 106980-22

v 107544-03

64� ��:

v 106300-19

v 106327-18

v 106541-24

v 107544-03

v 106950-22

v 106980-22




v Development



Apache Web Server, �� 1.3.27



1.3.26


� 6.0

v Policy Server


v Runtime




v WebSEAL Server


32� ��:

v 109147-15

v 108434-05

v 108528-24

v 108827-40

v 111327-02

v SUNWuiu8

v SUNWjiu8

64� ��:

v 109147-15

v 108434-05

v 108435-06

v 108528-24

v 108827-40

v 111327-02

v SUNWuiu8

v SUNWjiu8

��

� 2 � �� 37

7. �� (��)


��

��




v Development(ADK)



Apache Web Server, �� 1.3.27



1.3.26


� 6.0

v Policy Server


v Runtime



WebSphere(�� 5.0.2 ��)


v WebSEAL Server


11711-06

Windows NT 4.0

v Development(ADK)


v Runtime

�� 6a

Windows XP � 2000 Pro

v Development(ADK)


v Runtime

��

��


7. �� (��)


��

��

Windows 2000 Server � Advanced

Server



v Development(ADK)



v Plug-in for Internet Information

Services, �� 5.0

v Policy Server


v Runtime




v WebSEAL Server


�� 3

Windows 2003 Standard Server �

Enterprise Server



v Development(ADK)


v Plug-in for Internet Information

Services, �� 6.0

v Policy Server


v Runtime

v Windows 2003 Enterprise Server�

Tivoli Access Manager for

WebSphere(�� 5.0.2 ��)


v WebSEAL Server


��, �� .

��

� 2 � �� 39

��

�� Tivoli Access Manager �� Policy Server �� 5.1 �� Authorization

Server� �� .

v Access Manager Runtime, �� 3.8, 3.9, 4.1 � 5.1

v Access Manager Java Runtime Environment, �� 3.9, 4.1 � 5.1

�:

1. �� .

2. �� .

3. Active Directory �� Lotus Domino� �� , �� Tivoli

Access Manager �� 5.1 �� .

Tivoli Access Manager, �� 3.9 � 4.1 �� Tivoli Access Manager,

�� 5.1� �� .

v Access Manager Runtime, �� 5.1� �� (Solaris ��)� �� Tivoli

Access Manager, �� 4.1 � 3.9 ADK� � � � ��

��.

v Solaris� Access Manager Runtime, �� 5.1� Tivoli Access Manager, �� 4.1

ADK� �� .

��


��

8� Tivoli Access Manager WebSEAL, �� 5.1 � ��

�� .

8. ��

��

AIX 5.1 v nCipher nForce 300 RSA BSAFE, �� 5.32

v nCipher nForce 300 PKCS#11, �� 5.32

v IBM 4758-023 PKCS#11, �� 2.41

v Eracom Orange PKCS#11, �� 2.11

v IBM 4960 PKCS#11, �� 5.1.0.25

AIX 5.2 v IBM 4758-023 PKCS#11, �� 2.41


v IBM 4960 PKCS#11, �� 5.1.0.25

HP-UX 11 Rainbow Crypto Swift RSA BSAFE, �� 3.2.0

HP-UX 11i ��

Red Hat Enterprise Linux 3.0 v Eracom Orange PKCS#1, �� 2.11

IA32� SuSE SLES8 v Eracom Orange PKCS#11, �� 2.11

zSeries(31� �� 64� ��

31� �� ) � S/390(31� �

�)� SuSE SLES8

v PCICA - zSeries � �� 0862

v PCICC - zSeries � �� 0861, S/390 � �� 0860

Solaris 8 v Rainbow Crypto Swift RSA BSAFE, �� 3.2.0

v nCipher nForce 300 RSA BSAFE, �� 8.0



Solaris 9 v nCipher nForce 300 RSA BSAFE


Windows 2000 Server � Advanced

Serverv Rainbow Crypto Swift RSA BSAFE, �� 3.2.0

v nCipher nForce 300 RSA BSAFE, �� 8.0


v IBM 4758-023 PKCS#11, �� 2.41


Windows 2003 Standard Server �

Enterprise Server

��

�� WebSEAL� ��

� � �� . BSAFE �� , WebSEAL� � �

� �� . GSKit� �� . ��, GSKit�

�� Tivoli Access Manager ��(�: WebSEAL)� ��

��

� 2 � �� 41

�� . PKCS#11 �� , WebSEAL �� PKCS#11 �

�� WebSEAL� PKCS#11� �� .

��


� 3 � ��


��. � �� .

v 44 ��

v 45 ��

v 47 �� IBM Tivoli Directory Server� ��

v 49 ��

v 50 ��

v 52 ��

v 53 �� (�� ) ��

��

�� IBM Tivoli Access Manager for

e-business �� .


��


v ��

v ��

v ��

v ��

v ��

v � �

v ��

v ��

v ��

v ��

v ��

v ��

v ��

� �� IBM Tivoli Access Manager Language Support

CD� �� . Tivoli Access Manager� � ��

�� .

�� Tivoli Access Manager� �� Tivoli Access

Manager� ��

�� . �� Tivoli Access

Manager ��

��. �� , ��

��.

�: � �� .

�� , � ��

�� . ��

� �� . ��

��, �� .

��


��


�.

1. root �� .

2. �� IBM JRE 1.3.1� ��. ��

� ��.

v AIX �� , 295 �� .

v HP-UX �� , 295 �� .

v Linux �� , 296 �� .

v Solaris �� , 297 �� .

v Windows �� , 297 �� .

3. IBM Tivoli Access Manager Language Support CD� �� ,

CD� �� .

�: HP-UX�� pfs_mountd �� CD� ��.


�� .

��

v �� UNIX �� (.bat ��)�

Windows �� .

v jre_path� �� , Java ��

PATH�� . �� , ��

jre_path� �� .

package jre_path

�� , Tivoli Access Manager Base� ��

�� .

install_pdrte_lp /usr/bin

�� /usr/bin� JRE� �� .

�� .

install_pdrte_lp Tivoli Access Manager Base� ��

�� .

��

� 3 � � �� 45

install_pdjrte_lp Tivoli Access Manager Java Runtime

Environment� ��

��.

install_pdwas_lp WebSphere Application Server� ��

�� .

install_pdwbpi_lp Tivoli Access Manager Plug-in for Web Servers

� �� .

install_pdwpm_lp Tivoli Access Manager Web Portal Manager�

�� .

install_pdwls_lp Tivoli Access Manager for WebLogic Server�

�� .

install_pdwsl_lp Tivoli Access Manager Plug-in for Edge Server

� �� .

install_pdweb_lp Tivoli Access Manager WebSEAL� ��

�� .

install_wbrte_lp Tivoli Access Manager Web Security Runtime

� �� .

5. �� . ��

��.

6. ��

� �� . �� .

7. �� . ��

� � �� .

8. �� . ��

��.

9. Tivoli Access Manager ��

�� .

��



Tivoli Access Manager �� IBM Tivoli

Directory� �� . � ��

�� IBM Tivoli Access Manager Language Support CD� �� .

1. �� .

v AIX �� .

a. IBM Tivoli Access Manager Language Support for AIX CD� ��

�� .

b. �� .

installp -c -a -g -X -d cd_mount_point/usr/sys/inst.images packages

�� cd_mount_point/usr/sys/inst.images� CD� ��

�� packages� �� .

ldap.html.lang

IBM Tivoli Directory �� .

ldap.msg.lang

IBM Tivoli Directory �� .

�� lang� �� .

�� , IBM Tivoli Directory ��

��.

installp -cagXd cd_mount_point/usr/sys/inst.images ldap.html.ko_KR


��.

v xSeries� Linux � zSeries� Linux �� .

a. IBM Tivoli Access Manager Language Supportfor Linux on xSeries or

Linux on zSeries CD� �� .

�: zSeries� Linux ��: �� CD� Linux rpm � ��

�� .

b. /mnt/cdrom/series �� . �� /mnt/cdrom� CD

� �� series� xSeries �� zSeries� ��.

c. �� .

rpm -ihv packages

��

� 3 � � �� 47


xSeries� Linux zSeries� Linux

ldap-html-lang-5.2-1.s390.rpm ldap-html-lang-5.2-1.i386.rpm

ldap-html-lang-5.2-1.s390.rpm ldap-html-lang-5.2-1.i386.rpm

�� lang� �� .

v Solaris �� .

a. IBM Tivoli Access Manager Language Support for Solaris CD� ��

��.

b. �� (� �� )

pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault packages

�� packages� /solaris �� .

IBMldilang IBM Tivoli Directory �� .

IBMldmlang IBM Tivoli Directory �� .

�� lang� �� .

�� , IBM Tivoli Directory ��

��.

pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault IBMldmKo

�� -d /cdrom/cdrom0/solaris� �� -a

/cdrom/cdrom0/solaris/pddefault� ��

��.

��


��

�� .

1. �� .

v UNIX ��:

/opt/location

v Windows ��:

C:\Program Files\location

�� location� �� .

PDBLP/Lp_uninst Tivoli Access Manager Base� ��

�� .

PDJrtLP/lp_uninst Tivoli Access Manager Java Runtime

Environment� ��

��.

PDWasLP/lp_uninst WebSphere Application Server� ��

�� .

PDWpiLP/lp_uninst Tivoli Access Manager Plug-in for Web Servers

� �� .

PDWpmLP/lp_uninst Tivoli Access Manager Web Portal Manager�

�� .

PDWlsLP/lp_uninst Tivoli Access Manager For WebLogic Server

� �� .

PDWslLP/lp_uninst Tivoli Access Manager for Plug-in for Edge

Server� �� .

PDWebLP/lp_uninst Tivoli Access Manager WebSEAL� ��

�� .

PDWebLP/lp_uninst Tivoli Access Manager Web Security Runtime

� �� .

2. �� .

v UNIX ��:

jre_path/java -jar package

v Windows ��:

jre_path\java -jar package

�� jre_path� Java �� package� ��

��.

��

� 3 � � �� 49

�: Java �� , jre_path� �� .

pdrte_lp_uninstall.jar Tivoli Access Manager Base� ��

�� .

pdjrte_lp_uninstall.jar Tivoli Access Manager Java Runtime

Environment� �� .

pdwas_lp_uninstall.jar WebSphere Application Server� ��

�� .

pdwpi_lp_uninstall.jar Plug-in for Web Servers� ��

��.

pdwpm_lp_uninstall.jar Tivoli Access Manager Web Portal Manager�

�� .

pdwls_lp_uninstall.jar Tivoli Access Manager for WebLogic Server�

�� .

pdweb_lp_uninstall.jar Tivoli Access Manager WebSEAL Server� �

� �� .

pdwpm_lp_uninstall.jar Tivoli Access Manager Web Security Runtime

� �� .

��

�� , ��

��. Tivoli Access Manager �� , LANG �� POSIX,

X/Open ��

��.

�: Windows �� , ��

� � ��.

LANG �� LANG ��

� ��.

�� , ��

LANG� ��. � �� .

v LC_CTYPE

v LC_TIME

v LC_NUMERIC

v LC_MONETARY

v LC_COLLATE

��


v LC_MESSAGES

v LC_ALL

�� , �� LANG ��

��.

UNIX �� LANG ��

�� UNIX �� LANG �� . ��

� �� UNIX � ��

� � �� . �� UNIX � �� LANG�

�� .

UNIX �� .

locale -a

Windows �� LANG ��

�� LANG �� . Tivoli Access Manager

��, �� LANG� �� . ��

� �� LANG� �� ISO ��

� �� . �� , �� .

v fr� � �� .

v ko� �� .

v pt_BR� �� .

v C� C �� .

Windows �� LANG� �� , Access Manager Runtime� �

�� LANG �� .

case ISLANG_CZECH : lang = "CSCZ1250";case ISLANG_FRENCH_STANDARD: lang = "FrFr1252";case ISLANG_GERMAN : lang = "DeDe1252";case ISLANG_SPANISH : lang = "ESES1252";case ISLANG_ITALIAN : lang = "ITIT1252";case ISLANG_PORTUGUESE_BRAZILIAN : lang = "PTBR1252";case ISLANG_POLISH : lang = "PLPL1250";case ISLANG_CHINESE_TAIWAN : lang = "ZHTW950";case ISLANG_CHINESE_PRC : lang = "ZHCN936";case ISLANG_JAPANESE : lang = "JaJp932";case ISLANG_KOREAN : lang = "KoKr949";case ISLANG_RUSSIAN : lang = "RuRu1251" ;case ISLANG_HUNGARIAN : lang = "HuHu1250";default : lang = "enus1252";

��

� 3 � � �� 51

��


��, �� Tivoli Access Manager�

� �� . �� , Tivoli Access Manager� ��

�� .

v fr� � �� .

v fr_FR� �� .

v fr_CA� �� .

v fr_CH� �� .

��

�� msg �� , � � ��

� �� .

v UNIX ��:

/opt/PolicyDirector/nls/msg/locale

v Windows ��:

install_dir/nls/msg/locale

Tivoli Access Manager� UNIX ��

�� .

��

NLSPATH �� . �� , �� /opt/PolicyDirector/

nls/msg �� , NLSPATH �� .

/opt/PolicyDirector/nls/msg/%L/%N.cat:/opt/PolicyDirector/nls/msg/%L/%N

�: Windows� ��, � �� (:) �� (;)� ��.

%L ��

� �� %N.cat� �� .

�� , � C ��

��.

�� , �� AIX ��

��.

LANG=De_CH.IBM-850

%L �� .

1. de_CH

��


2. de

3. C

Tivoli Access Manager� �� de_CH

� �� . Tivoli Access Manager � � �� , de

� ��. �� C� ��

�.

�� (�� ) ��

�� . �� ,

Windows �� SJIS(�� 932)� �� UNIX

�� eucJP� ��.

� ��, ��

�� . ��

�� .

Tivoli Access Manager� Unicode � UTF-8(Unicode� �� )� ��

�� .

�� UTF-8� ��

�� . � �� ISO8859-1, Microsoft 1252, IBM PC 850

� IBM MVS™

1047 �� Latin 1 ��

�� .

UTF-8� �� . �� CORBA(Common

Object Request Broker Architecture) �� UTF-8� ��. ��

��

��. �� , UNIX�� EUC �� PC

�� .

�� Tivoli �� UTF-8

� �� . ��

�� .

��

�� UTF-8 ��

�� . � � ��

� �� .

v UNIX ��:

/opt/PolicyDirector/nls/msg/locale

��

� 3 � � �� 53

v Windows ��:

install_dir/nls/msg/locale

��


� 2 � Base ��

� 4 � �� . . . . . . . . 57

IBM Tivoli Directory Server �� . . . . . . 57

�� . . . . . . . . . . . 58

�� . . . . . . . 61

�� . . . . . . . 62

AIX: IBM Tivoli Directory Server �� . . 62

HP-UX: IBM Tivoli Directory Server �� 64

Linux: IBM Tivoli Directory Server �� 66

Solaris: IBM Tivoli Directory Server �� 68

Windows: IBM Tivoli Directory Server �

� . . . . . . . . . . . . . . . 71

IBM Tivoli Directory Server �� . . . . 74

IBM Tivoli Directory Server for Tivoli

Access Manager ��. . . . . . . . . 76

IBM z/OS � OS/390 Security Server �� . . . 83

�� . . . . . . . . . . . 83

�� . . . . . . . . . . . . . 84

Tivoli Access Manager for LDAP �� . . . 85

�� . . . . . . . . . 86

Lotus Domino �� . . . . . . . . . . . 87

Domino� �� Tivoli Access Manager ��

�� . . . . . . . . . . . . . . . . 88

Domino �� Lotus Notes �� 90

Microsoft Active Directory �� . . . . . . . 91

Active Directory �� . . . . . . . . 91

Active Directory �� . . . . . . . 92



Active Directory �� . . . . . . . . . 96

Novell eDirectory �� . . . . . . . . . . 97

Novell eDirectory �� . . . . . . . . 98

Sun ONE Directory Server �� . . . . . . . 99

� 5 � Policy Server �� . . . . . . . . 105

�� . . . . . . . . 105

�� . . . . . . . 106

AIX: Policy Server �� . . . . . . . . 106

HP-UX: Policy Server �� . . . . . . . 108

Linux: Policy Server �� . . . . . . . 110

Solaris: Policy Server �� . . . . . . . 111

Windows: Policy Server �� . . . . . . 113

� 6 � Authorization Server �� . . . . . 115

�� . . . . . . . . 115

�� . . . . . . . 116

AIX: Authorization Server �� . . . . . 116

HP-UX: Authorization Server �� . . . . 117

Linux: Authorization Server �� . . . . . 119

Solaris: Authorization Server �� . . . . . 120

Windows: Authorization Server �� . . . . 121

� 7 � Development(ADK) �� . . . 123

�� . . . . . . . . 123

�� . . . . . . . 124

AIX: Development(ADK) �� . . . 124

HP-UX: Development(ADK) �� . . 125

Linux: Development(ADK) �� . . . 126

Solaris: Development(ADK) �� . . . 128

Windows: Development(ADK) �� 129

� 8 � Java Runtime Environment ��

� . . . . . . . . . . . . . . . . . 131

�� . . . . . . . . 131

�� . . . . . . . 132

AIX: Java Runtime Environment �� 132

HP-UX: Java Runtime Environment ��

�� . . . . . . . . . . . . . . . 133

Linux: Java Runtime Environment ��

� . . . . . . . . . . . . . . . . 134

Solaris: Java Runtime Environment ��

� . . . . . . . . . . . . . . . . 135

Windows: Java Runtime Environment ��

�� . . . . . . . . . . . . . . . 136

� 9 � Policy Proxy Server �� . . . . . 139

�� . . . . . . . . 139

�� . . . . . . . 140

AIX: Policy Proxy Server �� . . . . . . 140

HP-UX: Policy Proxy Server ��. . . . . 141

Linux: Policy Proxy Server �� . . . . . 143

Solaris: Policy Proxy Server �� . . . . . 144

Windows: Policy Proxy Server �� . . . . 145

� 10 � �� . . . . . . . . 147

�� . . . . . . . . 147

�� . . . . . . . 148


AIX: �� . . . . . . . . 148

HP-UX: �� . . . . . . . 149

Linux: �� . . . . . . . . 150

Solaris: �� . . . . . . . 151

Windows: �� . . . . . . 152

� 11 � Web Portal Manager �� 155

�� . . . . . . . . 155

�� . . . . . . . 158

AIX: Web Portal Manager �� . . . 158

HP-UX: Web Portal Manager �� 161

Linux: Web Portal Manager �� . . 163

Solaris: Web Portal Manager �� . . 165

Windows: Web Portal Manager �� 168


� 4 � ��

�� Tivoli Access Manager�

� �� . ��

� � �� .

v IBM Tivoli Directory Server(Tivoli Access Manager� � ��)� ��

�� IBM Tivoli Directory Server �� .

install_ldap_server ��

��.

�: HP-UX�� .

v IBM Tivoli Directory Server ��

�� . �� 25 ��

�� .

v Tivoli Access Manager� �� , ��

�� . IBM Tivoli Directory

Server� �� IBM Tivoli Access Manager

Upgrade Guide� ��

� ��. �� , � �� Tivoli Access Manager�

� �� .

� �� .

v �IBM Tivoli Directory Server ��

v 83 �� IBM z/OS � OS/390 Security Server ��

v 87 �� Lotus Domino ��

v 91 �� Microsoft Active Directory ��

v 97 �� Novell eDirectory ��

v 99 �� Sun ONE Directory Server ��

IBM Tivoli Directory Server ��

� �� IBM Tivoli Directory Server� Tivoli Access Manager ��

� �� . ��

� �� .

v 61 ��

v 62 ��


�: IBM �� LDAP �� , IBM

Tivoli Directory Server� �� . ��

� �� IBM Tivoli Directory Server� ��

�� , �� .

�� IBM Tivoli Directory Server �� Product

Manuals and Technical Documentation �� .

http://www.ibm.com/software/network/help-directory/

�:

v IBM Tivoli Directory Server � IBM DB2� �� AIX, HP-UX, Linux,

Solaris � Windows �� IBM Tivoli Access Manager Directory Server CD

� ��.

v �� IBM WebSphere Application Server� �� AIX, HP-UX,

Linux, Solaris, Windows 2000 � Windows 2003 �� IBM Tivoli Access

Manager Web Administration Interfaces CD� ��.

��


�(�� )� �� . ��

��.

v DB2 �� ID(�: ldapdb2)� ��. �� ID�

DB2 �� . ��

� ID� �� .

�! Windows �� -- install_ldap_server �� , �

�� ID� DB2 �� DB2 �� , � ��

��. �� ID� ��

��. �� , DB2 �� ID� ldapdb2� �� DB2

�� ID� db2admin�� .

– �� ID� 8� � � ��.

– Windows ��, �� ID�

� � �� .

– UNIX ��, �� , � � ��

�� .

– DB2 �� . ��

� �� .

- DB2 �� DB2 �� DB2 ��

�� . AIX � Solaris�� dbsysadm

��. zSeries� Linux� ��, � �� db2iadm1��. �

��



� �, �� ID� ldapdb2 ��, �� AIX� Solaris

�� ldapdb2:dbsysadm� �� zSeries� Linux��

ldapdb2:db2iadm1� ��.

��

� �� . �� , Linux�� users

�� . �� Linux�� other

� �� .

– �� root� DB2 ��

�� . root� � �� , root� ��

� ��.

– �� Korn (/usr/bin/ksh)��

��.

– �� . �� , ��

�� (�

�� telnet

� � �� ID� �� ).

– �� ID� � ��

�� . ��

�� , �� 3-4MB� ��

�� . �� DB2� ��

� �� (�, ��)� � ��

��. � �� , � � ��

�� .

v AIX �� , IBM Tivoli Directory Server, �� 5.2�

64� �� 63� � ��. ��

�� .

– AIX �� 64�� .

bootinfo -y

� � 64� �� 64�� . � ��, lsattr --El

proc0 �� , �� .

RS64 I, II, III, IV, POWER3, POWER3 II �� POWER4 � ��

� �� 64� �� .

– 64� �� 32 �� 64� � �� . 64�

(/usr/lib/boot/unix_64)� ��

��.

bootinfo -K

��

� 4 � �� 59

� � 64� �� 64��. �� 32� ��, 32

� �� 64� � �� . ��

��.

1. �� 64� �� .

bos.64bitbos.mp64

2. 64� � �� .

ln -sf /usr/lib/boot/unix_64 /unixln -sf /usr/lib/boot/unix_64 /usr/lib/boot/unixlslv -m hd5bosboot -ad /dev/ipldeviceshutdown -Fr

– �� I/O� �� . ��

��.

/usr/sbin/mkdev -l aio0/usr/sbin/chdev -l aio0 -P/usr/sbin/chdev -l aio0 -P -a autoconfig=available

��


��



v IBM DB2 Universal Database, Enterprise Server Edition, �� 8.1

v Global Security Kit(GSKit), �� 7



v LDAP ��(am_update_ldap.sh)

�� 328 ��

�install_ldap_server �� .

install_ldap_server �� IBM Tivoli Directory Server ��

� �� .

�: HP-UX�� IBM Tivoli Directory Server �� .

HP-UX� IBM Tivoli Directory Server� �� , 64 �� HP-UX:

IBM Tivoli Directory Server �� .

1. 58 �� .

2. �� . �� 33 �

�� (�� )�� .

3. �(��) ��

�� . �� 47 �� IBM Tivoli

Directory Server� �� .

4. Windows �� , �� .

5. �� SSL LDAP � (am_key.kdb)� �� .

am_key.kdb � �� Policy Server� LDAP �� SSL ��

�� . �� SSL � � �� SSL� �� ,

� SSL � � � �� .

�: am_key.kdb � �� , ��

� �� . am_key.kdb � �� key4ssl(��)

��.

6. �� IBM JRE 1.3.1(AIX�� 1.3.1.5)� ��

�� . �� 294 �� .

7. �� .

v Solaris� �� IBM Tivoli Access Manager Directory Server for

Solaris 1/2 CD� � �� install_db2 ��

��

� 4 � �� 61

�. �� , IBM Tivoli Access Manager Directory Server for Solaris 2/2

CD� � �� install_ldap_server �� .

v �� AIX, Linux � Windows� ��, � �� IBM Tivoli

Access Manager Directory Server CD� � ��

install_ldap_server �� .

328 �� install_ldap_server ��

�� . � �� (��

�� ), �� .

8. �� am_key.kdb � � �� SSL� �� , � ��

�� SSL� ��

� �� . �� SGKit� � ��

iKeyman � �� . �� 288 �� GSKit

iKeyman �� GSKit iKeyman ��

��. iKeyman �� IBM Global Security Kit

Secure Sockets Layer and iKeyman User’s Guide� ��.

install_ldap_server �� Tivoli Access Manager� ��

�� IBM Tivoli Directory Server� �� Policy Server� �

��. �� 105 �� 5 � �Policy Server �� .

��

�� IBM Tivoli Directory Server� �

�� . � �� , � ��

� �� .

� � �� .

v 62 �� AIX

v 64 �� HP-UX

v 66 �� Linux

v 68 �� Solaris

v 71 �� Windows

AIX: IBM Tivoli Directory Server ��

installp �� AIX� IBM Tivoli Directory Server ��

�� .

�: �� Policy Server� �� .

1. root� ��.

��


2. �� . �� 33 �

�� (�� )�� .

3. 58 �� .

4. IBM Tivoli Access Manager Directory Server for AIX CD� ��

��.

5. IBM DB2� ��. ��

��.

installp -cagNYXd cdrom/usr/sys/inst.images packages


db2_08_01.msg.en_US.iso88591db2_08_01.clientdb2_08_01.cnvucsdb2_08_01.repldb2_08_01.db2.rtedb2_08_01.cs.rtedb2_08_01.icutdb2_08_01.sqlprocdb2_08_01.icucdb2_08_01.db2.engndb2_08_01.jhlp.en_US.iso88591db2_08_01.cj

db2_08_01.jdbcdb2_08_01.dasdb2_08_01.db2.samplesdb2_08_01.cadb2_08_01.ch.en_US.iso88591db2_08_01.ccdb2_08_01.conndb2_08_01.convdb2_08_01.ldapdb2_08_01.pextdb2_08_01.essg

6. GSKit� ��. �� 285 �� .

7. �� IBM Tivoli Directory Client� ��.

installp -acgXd cd_mount_point/usr/sys/inst.images ldap.client ldap.max_crypto_client


��.

8. �� IBM Tivoli Directory Server� ��.

installp -acgXd cd_mount_point/usr/sys/inst.images ldap.server ldap.max_crypto_server

9. � �� LDAP �� .

am_update_ldap.sh

10. IBM Tivoli Directory Server ��

�. �� IBM Tivoli Access Manager

Language Support for AIX CD�� . �� 47 ��

� �IBM Tivoli Directory Server� �� .

�� .

installp -ld cd_mount_point/usr/sys/inst.images | grep ldap


��

� 4 � �� 63

11. �� , �� . ��

�� SUCCESS� �� . ��

IBM Tivoli Directory� �� .

lslpp -L | grep ldap

�� ldap� �� . �� , �

��, �� , HTML � �� . �� , �

� ��.

ldap.client.adt 5.2.0.0 C F Directory SDKldap.client.rte 5.2.0.0 C F Directory Client Runtimeldap.client.cfg 5.2.0.0 C F Directory Server Config GUIldap.server.com 5.2.0.0 C F Directory Server Frameworkldap.server.java 5.2.0.0 C F Directory Server Javaldap.server.rte 5.2.0.0 C F Directory Server Runtime

12. LDAP �� DN � �� , ��

� ��. �� 74 �� UNIX: IBM Tivoli Directory Server

�� .

13. IBM Tivoli Directory Server �� , Tivoli Access Manager�

� �� IBM Tivoli Directory Server� �� . ��

�� 76 �� .

14. GSKit iKeyman �� IBM Tivoli

Directory Client �� SSL �� . ��

� �� .

a. iKeyman �� . �� 288 �� GSKit iKeyman

�� .

b. �� SSL� �� . �� 393

�� 24 � �SSL(Secure Sockets Layer) �� .

�: iKeyman �� IBM Global Security Kit


Tivoli Access Manager� � �� IBM Tivoli Directory Server�

�� Policy Server� ��. �� 105 �� 5 � �Policy

Server �� .

HP-UX: IBM Tivoli Directory Server ��

HP-UX� IBM Tivoli Directory Server ��

�.


1. root� ��.

��


2. �� . �� 33 �

�� (�� )�� .

3. 58 �� .

4. IBM Tivoli Access Manager Directory Server for HP-UX CD� ��.

5. �� , pfs_mountd� �� pfsd� ��. pfs_mount

�� CD� ��. �� , �� .

/usr/sbin/pfs_mount /dev/dsk/c0t0d0 /cd-rom

�� /dev/dsk/c0t0d0� CD �� /cd-rom� �� .

6. �� IBM DB2� ��.

swinstall -s /cd-rom/hp packages

�� /cd-rom/hp� �� packages� �� .

db2v81ent

db2v81cc

db2v81conn

db2v81gse

db2v81jhp

db2v81sdk

db2v81wgrp

db2v81cae

7. GSKit� ��. �� 287 �� .


swinstall -s /cd-rom/hp LDAPClient


swinstall -s /cd-rom/hp LDAPServer

10. � �� LDAP �� .

am_update_ldap.sh



Language Support for HP-UX CD�� . �� 47 ��


12. LDAP �� DN � �� , ��


�� .

��

� 4 � �� 65



�� 76 �� .



� �� .


�� .

b. �� SSL� �� . �� 393






Server �� .

Linux: IBM Tivoli Directory Server ��

�� Linux �� IBM Tivoli Directory Server� ��

��.

�:

1. �� Policy Server� �� .

2. zSeries� Linux ��: �� IBM Tivoli Access Manager for Linux on zSeries

CD� Linux rpm � �� .

1. root� ��.

2. �� . �� 33 �

�� (�� )�� .

3. 58 �� .

4. �� openldap2-client-2.1.4-30 �� LDAP

�� .

�: openldap2-client� IBM Tivoli Directory Client� � � ��

�� , /usr/bin� �� IBM

LDAP �� (symlink)�� .

/usr/bin/ldapadd → /usr/ldap/bin/ldapmodify/usr/bin/ldapdelete → /usr/ldap/bin/ldapdelete/usr/bin/ldapmodify → /usr/ldap/bin/ldapmodify/usr/bin/ldapmodrdn → /usr/ldap/bin/ldapmodrdn/usr/bin/ldapsearch → /usr/ldap/bin/ldapsearch

��


5. IBM Tivoli Access Manager Directory Server for xSeries, zSeries, or pSeries

and iSeries CD � �� .

6. /mnt/cdrom/series �� . �� /mnt/cdrom� CD� ��

� �� series� xSeries, zSeries �� pSeries� ��.

7. DB2� ��. ��

� ��.

rpm -ihv IBM_db2*.rpm

�� .

xSeries� Linux zSeries� Linux pSeries � iSeries� Linux

IBM_db2msen81-8.1.0-16.i386.rpmIBM_db2cliv81-8.1.0-16.i386.rpmIBM_db2conv81-8.1.0-16.i386.rpmIBM_db2repl81-8.1.0-16.i386.rpmIBM_db2rte81-8.1.0-16.i386.rpmIBM_db2crte81-8.1.0-16.i386.rpmIBM_db2icut81-8.1.0-16.i386.rpmIBM_db2icuc81-8.1.0-16.i386.rpmIBM_db2engn81-8.1.0-16.i386.rpmIBM_db2jhen81-8.1.0-16.i386.rpmIBM_db2cj81-8.1.0-16.i386.rpmIBM_db2jdbc81-8.1.0-16.i386.rpmIBM_db2das81-8.1.0-16.i386.rpmIBM_db2smpl81-8.1.0-16.i386.rpmIBM_db2ca81-8.1.0-16.i386.rpmIBM_db2chen81-8.1.0-16.i386.rpmIBM_db2cc81-8.1.0-16.i386.rpmIBM_db2cucs81-8.1.0-16.i386.rpmIBM_db2sp81-8.1.0-16.i386.rpmIBM_db2ldap81-8.1.0-16.i386.rpmIBM_db2pext81-8.1.0-16.i386.rpmIBM_db2conn81-8.1.0-16.i386.rpmIBM_db2wmsa81-8.1.0-16.i386.rpmIBM_db2essg81-8.1.0-16.i386.rpm

IBM_db2msen81-8.1.0-16.s390.rpmIBM_db2cliv81-8.1.0-16.s390.rpmIBM_db2conv81-8.1.0-16.s390.rpmIBM_db2repl81-8.1.0-16.s390.rpmIBM_db2rte81-8.1.0-16.s390.rpmIBM_db2crte81-8.1.0-16.s390.rpmIBM_db2icuc81-8.1.0-16.s390.rpmIBM_db2engn81-8.1.0-16.s390.rpmIBM_db2jhen81-8.1.0-16.s390.rpmIBM_db2cj81-8.1.0-16.s390.rpmIBM_db2jdbc81-8.1.0-16.s390.rpmIBM_db2das81-8.1.0-16.s390.rpmIBM_db2smpl81-8.1.0-16.s390.rpmIBM_db2ca81-8.1.0-16.s390.rpmIBM_db2chen81-8.1.0-16.s390.rpmIBM_db2cc81-8.1.0-16.s390.rpmIBM_db2cucs81-8.1.0-16.s390.rpmIBM_db2sp81-8.1.0-16.s390.rpmIBM_db2ldap81-8.1.0-16.s390.rpmIBM_db2pext81-8.1.0-16.s390.rpmIBM_db2conn81-8.1.0-16.s390.rpmIBM_db2wbdb81-8.1.0-16.s390.rpmIBM_db2essg81-8.1.0-16.s390.rpm

IBM_db2acsg81-8.1.0-16.ppc64.rpmIBM_db2adsg81-8.1.0-16.ppc64.rpmIBM_db2adt81-8.1.0-16.ppc64.rpmIBM_db2cj81-8.1.0-16.ppc64.rpmIBM_db2cliv81-8.1.0-16.ppc64.rpmIBM_db2conn81-8.1.0-16.ppc64.rpmIBM_db2conv81-8.1.0-16.ppc64.rpmIBM_db2crte81-8.1.0-16.ppc64.rpmIBM_db2cucs81-8.1.0-16.ppc64.rpmIBM_db2das81-8.1.0-16.ppc64.rpmIBM_db2dj81-8.1.0-16.ppc64.rpmIBM_db2engn81-8.1.0-16.ppc64.rpmIBM_db2icuc81-8.1.0-16.ppc64.rpmIBM_db2inst81-8.1.0-16.ppc64.rpmIBM_db2jdbc81-8.1.0-16.ppc64.rpmIBM_db2jhen81-8.1.0-16.ppc64.rpmIBM_db2msen81-8.1.0-16.ppc64.rpmIBM_db2pext81-8.1.0-16.ppc64.rpmIBM_db2repl81-8.1.0-16.ppc64.rpmIBM_db2rte81-8.1.0-16.ppc64.rpmIBM_db2smpl81-8.1.0-16.ppc64.rpmIBM_db2sp81-8.1.0-16.ppc64.rpmIBM_db2essg81-8.1.0-16.ppc64.rpm

8. GSKit� ��. �� 286 �� .

9. �� IBM Tivoli Directory Client �� .

rpm -ihv package

�� package� �� .

v xSeries� Linux: ldap-clientd-5.2-1.i386.rpm

v zSeries� Linux: ldap-clientd-5.2-1.s390.rpm

v pSeries � iSeries� Linux: ldap-client-5.2-1.ppc.rpm

10. �� IBM Tivoli Directory Server �� .

rpm -ihv package


v xSeries� Linux: ldap-serverd-5.2-1.i386.rpm

��

� 4 � �� 67

v zSeries� Linux: ldap-serverd-5.2-1.s390.rpm

v pSeries � iSeries� Linux: ldap-server-5.2-1.ppc.rpm

11. CD� � �� LDAP �� .

am_update_ldap.sh

12. �� .

rpm -qa | grep ldap

�� , �� .

ldap-clientd-5.2-1ldap-serverd-5.2-1



Language Support for Linux CD�� . �� 47 ��


14. LDAP �� DN � �� , ��


�� .



�� 76 �� .



� �� .


�� .

b. �� SSL� �� . �� 393






Server �� .

Solaris: IBM Tivoli Directory Server ��

pkgadd �� Solaris� IBM Tivoli Directory Server ��

�� .


��


1. root� ��.

2. �� . �� 33 �

�� (�� )�� .

3. 58 �� .

4. IBM Tivoli Access Manager Directory Server for Solaris 1/2 CD� ��

��.

5. �� /cdrom/cdrom0/solaris �� .

6. IBM DB2� ��. �� (� �� )� ��

��.


��,

-d /cdrom/cdrom0/solaris

�� .

-a /cdrom/cdrom0/solaris/pddefault

�� .


db2msen81db2cliv81db2cucs81db2repl81db2rte81db2crte81db2icut81db2sp81db2icuc81db2engn81db2jhen81db2cj81

db2jdbc81db2das81db2smpl81db2ca81db2chen81db2cc81db2conv81db2conn81db2pext81db2ldap81db2essg81

7. IBM Tivoli Access Manager Directory Server for Solaris 2/2 CD� ��

��.

8. �� IBM DB2 �� .

/opt/IBM/db2/V8.1/adm/db2licm -a /CD2_mount_point/solaris/db2ese.lic

9. GSKit� ��. �� 287 �� .

�: �� .


pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault IBMldapc

��

� 4 � �� 69

�� -d /cdrom/cdrom0/solaris� ��

-a /cdrom/cdrom0/solaris/pddefault� ��

��.


pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault IBMldaps

12. CD� � �� LDAP �� .

am_update_ldap.sh



Language Support for Solaris CD�� . �� 47 ��


14. �� , /opt� �� . ��

�� /opt� �� Enter� ��.

�: �� .

� �� . �� ?

� �� IBM Tivoli Directory Server �� ID� ��. �

� �� y� ��.

�� , DB2 �� , IBM Tivoli Directory

Server DB2 �� ID � �� , ��

� �� . �� y� ��.

15. �� .

16. LDAP �� DN � �� , ��


�� .



�� 76 �� .



� �� .


�� .

b. �� SSL� �� . �� 393


��






Server �� .

Windows: IBM Tivoli Directory Server ��

Windows� IBM Tivoli Directory Server� �� .


1. �� .

2. �� . �� 33 �

�� (�� )�� .

3. 58 �� .

4. �� . ��

� �� .

5. IBM Tivoli Access Manager Directory Server for Windows 2000 and Windows

2003 CD� ��.

6. GSKit� ��. �� 288 �� Windows: Global Security Kit

�� .

7. �� setup.exe � ��.

/windows/Directory

�� .

8. �� .

9. �� . �� .

10. �� . �� .

11. �� . ��

�� .

12. IBM Tivoli Directory Server� �� .

��

�� .

�: �� (-) � � (.)� ��

� ��.

13. IBM Tivoli Directory Server 5.2� ��

��.

14. �� .

��

� 4 � �� 71

v Client SDK 5.2

v Server 5.2

v DB2 V8.1

��

�� .

v Web Administration 5.2

v IBM WebSphere Application Server -- Express 5.0.2

� �� . , ��

Access Manager� WebSphere Application Server, �� 5.0.2� ��

�� . �� 298 �� WebSphere

Application Server �� 311 ��

��.

15. 71 �� 14 �� DB2 V8.1� ��, DB2 �� ID� � Windows

�� ID � �� . � �� ID�

�� DB2 �� ID(db2admin)��. ��

�.

a. �� ID� �� .

b. �� .

c. �� .

16. �� . �� . �

�� .

�� . �� . � ��

� �� .

17. � � �� README � ��. README � ��

� �� .

18. �� . ��

��.

�: IBM Tivoli Directory Server ��

��. �� IBM Tivoli Directory Server� ��

�.

19. �� IBM Tivoli Directory Server� ��

� �� ID� �� . ��

�� . �� , �� DN � ��

��


�� . �� 75 ��

� �Windows: IBM Tivoli Directory Server �� .

20. CD� � �� LDAP �� .

am_update_ldap.bat



�� 76 �� .



� �� .


�� .

b. �� SSL� �� . �� 393






Server �� .

��

� 4 � �� 73



1. �� DN � ��

2. ��

�� . �� IBM Tivoli Directory

Server �� Product Manuals and Technical

Documentation �� .


��

install_ldap_server �� IBM Tivoli Directory Server� ��

�� . �� IBM Tivoli


UNIX: IBM Tivoli Directory Server ��: �� ldapcfg ��

�� IBM Tivoli Directory Server� �� . ��

�� .

�� DN � �� : �� DN � ��

�.

1. �� .

ldapcfg -u "adminDN" -p pwd

�� adminDN� �� DN(�� cn=root)� pwd� �� DN� ��

��.

�� DN(cn=root)� �� .

ldapcfg -p pwd

�� pwd� �� DN� �� .

�� : ��

��.

ldapcfg -a database_owner -w pwd -d database_name -c -l location

�� database_owner� �� ID��(�� ,

ldapdb2). database_name� �� location� DB2 �

�� . UNIX �� , �� /home/ldapdb2� ��

� � ��.

��



�: �� IBM Tivoli Directory Server Installation and Configuration Guide,

Version 5.2� �� .

Windows: IBM Tivoli Directory Server ��:

�� DN � �� : IBM Tivoli Directory Server� �� DN � �

�� .

1. IBM Tivoli Directory Server �� DN/

�� .

2. �� DN/�� DN �� DN� ��

��(�� DN, cn=root� ��).

IBM Directory Server �� DN� �� DN��. �

��

��.

DN� �� . X.500 ��

�� DN� �� , �� DN� ��.

3. �� DN� �� .

�� . �� .

4. � �� .

�: �� 2�� (DBCS) �� .

�� : �� , ��

�� (ibmslapd.conf)� ��.

�� , �� .

�:

v �� DB2COMM� ��

��.

v �� Directory Server� �� .

�� .

1. DB2 �� ID� �� (58 ��

�� ).

2. �� .

3. �� . ��

(�, �� ), ��

�� . �� , ��

��

� 4 � �� 75

�� , ��

�� . ��

��.

�� .

v �� ID � �� , �� ID � ��

��. � �� ID� ��

��. �� DB2 �� ID(�:

ldapdb2)��(�� ID� �� , ��

�� ).

�: �� .

v �� , DB2 ��

� �� . 1-8 �� . ��

� �� ID� �� .

�: �� , ��

-t � LDAP ldapcfg �� .

v �� , ��

�� . �� 80MB�

��

�� .

v � �� , ��

��. LDAP �� UTF-8 � �� UCS ��

�(UTF-8) ��

�� .

�: �� UTF-8 ��

��.

4. �� . ��

� �� . �� .

5. � �� . �� .

IBM Tivoli Directory Server for Tivoli Access Manager ��

�� IBM Tivoli Directory Server� Tivoli Access Manager ��

� �� . �� , ��

�� IBM Tivoli Directory Server for Tivoli Access Manager� ��

�.

v 77 ��

v 82 ��

��


�: �� IBM Tivoli Directory Server ��

Product Manuals and Technical Documentation �� .


��

v install_ldap_server �� IBM Tivoli Directory Server� �

� � �� . �� IBM

Tivoli Directory Server� �� .

v �� . ��


��. � GUI� �� 311 �� .

�: IBM Tivoli Directory Server, �� 4.1 �� 5.1� �� ,

�� am_update_ldap.sh LDAP ��

��.

v �� , �� 5.2� �� IBM Tivoli Directory Server, �� 4.1,

5.1 � 5.2� � � ��. ��

�� , �� .

1. IBM WebSphere Application Server� ��. �� 298 �

�� .

2. IBM Tivoli Directory Server �� , �� WebSphere

�� . �� 311 �� .

v LDAP �� crypt �� SHA-1 ��

�� userPassword �� .

�� imask� �� . ��

� �� IBM Tivoli Directory Server

Administration Guide, Version 5.2� ��.


� �� : �� IBM Tivoli Directory Server for Tivoli

Access Manager� �� .

�: IBM Tivoli Directory Server V5.1 �� , HP-UX ��

� � �� . 82 ��

�.

1. IBM Tivoli Directory Server� �� .


� 4 � �� 77



v �� DN(cn=root) � �� .


�.

v ��

�� .

v �� , ��

�� . �� .

– UNIX �� .

ibmdiradm

– Windows �� → �� → �� → �� .

�� IBM Directory ��

��.

v IBM Tivoli Directory Server, �� 5.2� �� Tivoli Access

Manager �� . IBM Tivoli Directory Server,

�� 4.1 �� 5.1� �� .

a. � �� Tivoli Access Manager Base CD� common ��

secschema.def � �� (�: /tmp)� ��

��.

b. �� ldapmodify �� .

ldapmodify -v -h ldap_host -p port -D ldap_admin -w pwd -f /tmp/secschema.def

�: Access Manager Runtime �� LDAP ��

�� ivrgy_tool� ��

��.

ivrgy_tool -d -h ldap_host -p port -D ldap_admin -w pwd schema

ivrgy_tool� �� 466 �� ivrgy_tool�� .

2. �� . �� WebSphere Application Server�

�� .

v UNIX ��:

/usr/WebSphere/AppServer/bin/startServer.sh server1

��

/opt/WebSphere/AppServer/bin/startServer.sh server1

v Windows ��:

C:\Program Files\WebSphere\AppServer\bin\startServer.bat server1

3. �� , �� .

http://localhost:9080/IDSWebApp/IDSjsp/Login.jsp



�� localhost� �� IP ��

�.


4. �� .

v �� 80 �� 7 �� .

v �� .

a. IBM Tivoli Directory Server ��

� �� .

LDAP �� : Console Admin

�� : superadmin

��: secret

�� . IBM Tivoli Directory Server �

� �� .

�: �� , IBM Tivoli Directory Server ��

LDAP �� IP ��

��.

b. � �� . ��

� �� .

c. �� .


� 4 � �� 79

– �� : IBM Tivoli Directory Server� ��

� �� IP �� .

– �: � �� (389). LDAP ��

�� , � �� .

– �� : � �� (3538).

– SSL ��: SSL� �� .

�: �� SSL� ��

�� .

�� .

5. �� .

6. �� ″�� ″ �� IBM Tivoli

Directory Server �� .

7. �� . ��

� ��.

a. �� LDAP �� IP ��

��.

b. �� DN(cn=root)� ��.

c. IBM Tivoli Directory Server �� DN ��

�� .




�: �� .

8. IBM Tivoli Directory Server� ��

�� → �� . ��

�� /��/��

�. �� .

9. �� → �� . �

�� .

10. Tivoli Access Manager� � ��

�� → �� . ��

� �� . �� DN� ��

� � �� .

secAuthority=Default

�: �� .

�� DN �� . ��

� ��.

11. � �, ��

��.

�: ��

�� . �� 1000��.


� 4 � �� 81

12. �� → �� /��/��

�� . ��

�� .

13. �� .

v secAuthority=Default �� , ��

� �� IBM Directory Server �� . Policy Server

� �� secAuthority=Default� ��

��.

v secAuthority=Default ��

�� . ��

� �� → � �� . ��

� �� IBM Directory Server

�� .

�: SSL �� , SSL� ��

� �� .

�� : IBM Tivoli Directory Server� Tivoli Access Manager ��

� �� .

�: �� IBM Tivoli Directory Server,

�� 5.2 �� .

1. IBM Tivoli Directory Server, �� 5.2� �� Tivoli Access Manager

�� . IBM Tivoli Directory Server, �� 4.1 �

� 5.1� �� .

a. �� Tivoli Access Manager Base CD� common ��

� secschema.def � �� (�: /tmp)� ��

��.

b. �� ldapmodify �� .

ldapmodify -v -h ldap_host -p port -D ldap_admin -w pwd -f /tmp/secschema.def

�: Access Manager Runtime �� LDAP ��

�� ivrgy_tool� �� .

ivrgy_tool -d -h ldap_host -p port -D ldap_admin -w pwd schema

ivrgy_tool� �� 466 �� ivrgy_tool�� .

2. Tivoli Access Manager� � ��

��.

ldapcfg -s "secAuthority=Default"



� �� ibmslapd.conf � ��. � �, ��

�� . �� , �� .

ldapcfg -s "c=US"

3. �� LDAP �� .

ibmdiradm&ibmslapd&

4. �� . �� secAuthority=Default

�� , 78 �� . �� , � ��

� � �� ldapadd �� . �� , ��

� � addcus�� .

dn: c=usobjectclass: topobjectclass: countryc: us

�� , �� .

ldapadd -h host -D cn=root -w pwd -v -f addcus

IBM z/OS � OS/390 Security Server ��

� �� Tivoli Access Manager� �� z/OS �� OS/390� LDAP ��

�� . �� SAF(Security Authorization

Facility) �� Tivoli Access Manager� �� .

�� LDAP �� Tivoli Access Manager ��

�� . �� OS/390 �� z/OS� LDAP ��

�� . � �� z/OS ��

��.


� �� .

v ��

v 84 ��

v 85 �� Tivoli Access Manager for LDAP ��

v 86 ��

��

�� Access Manager �� z/OS �� . Tivoli Access

Manager, �� 5.1� �� . ��


� 4 � �� 83


secAuthority=Default �� ivrgy_tool ��

�� z/OS LDAP �� . �� 466 �� ivrgy_tool��

��.

��

Tivoli Access Manager� Tivoli Access Manager ��

secAuthority=Default�� . � ��

LDAP �� . � �� Tivoli

Access Manager� �� . ��

�� .

� ��, �� LDAP DIT ��

� �� . secAuthority=Default ��

��, Policy Server� �� LDAP ��

�. Tivoli Access Manager� � �� , �� ACL�

�� .

secAuthority=Default �� LDAP �� slapd.conf

� �� LDAP �� .


�: �� LDAP �� .

Tivoli Access Manager Policy Server� �� , ��

� �� ACL� �� .

1. � �� slapd.conf � ��. IBM z/OS �� OS/390

Security Server �� z/OS LDAP

Server Administration and Use Guide� ��.

2. IBM z/OS �� OS/390 Security Server� �� .

3. �� .

a. LDIF � ��. � �� o=neworg,c=us

� ��.

dn:o=neworg,c=usobjectClass:organizationobjectClass:topo:neworg

b. �� LDIF � ldapadd �� .

ldapadd -D ldap_admin -w ldap_pwd -v -f ldif_filename


� �� .




v �� (�� )� �� , �� ldif

� �� ACL� ��.

v �� ( � �� )� �� , �� ldif

� �� ACL� ��.

5. ldif � �� ldapmodify �� .

ldapmodify -h hostname -D admin_DN -w admin_pwd -v -f ldif_filename

�� aclpropagate=TRUE� �� ldapmodify ��

� �� .

ldap_modify: additional info: R004086 Entry o=neworg,c=us already containsattribute aclpropagrate, value=TRUE

� ��, ldif �� aclpropagate=TRUE� �� ldapmodify ��

��.

Tivoli Access Manager for LDAP ��

z/OS�� Access Manager for LDAP� �� , Access Manager� ��

LDAP �� . Access Manager

� �� Access Manager��

�� , � �� ignore-suffix ��

/access_mgr_install_dir/etc/ldap.conf � �� .

suffixaclpropagate=TRUEaclentry=group:cn=ivacld-servers,cn=securitygroups,secauthority=default:normal:csraclentry=group:cn=remote-acl-users,cn=securitygroups,secauthority=default:normal:csraclentry=group:cn=securitygroup,secauthority=default:object:ad:normal:cwsr:sensitive:cwsr:critical:\cwsr:restricted:cwsraclentry=access-id:LDAP_Admin_DN:object:ad:normal:rwsc:sensitive:rwsc:critical:cwsr:restricted:cwsrsuffixownerpropagate=TRUEentryOwner=group:cn=SecurityGroup,secAuthority=DefaultentryOwner=access-id:LDAP_Admin_DN

suffixaclentry=group:cn=ivacld-servers,cn=securitygroups,secauthority=default:normal:csraclentry=group:cn=remote-acl-users,cn=securitygroups,secauthority=default:normal:csraclentry=group:cn=securitygroup,secauthority=default:object:ad:normal:cwsr:sensitive:cwsr:critical:cwsr: \restricted:cwsraclentry=group:cn=ivacld-servers,cn=securitygroups,secauthority=<added domain>,cn=subdomains,\secauthority=default:normal:csraclentry=group:cn=remote-acl-users,cn=securitygroups,secauthority=<added domain>,cn=subdomains,\secauthority=default:normal:csraclentry=group:cn=securitygroup,secauthority=<add domain>,cn=subdomains,secauthority=default:object:ad:\normal:rwsc:sensitive:rwsc:critical:rwsc:restricted:rwscaclentry=access-id:LDAP_Admin_DN:object:ad:normal:rwsc:sensitivesuffixownerpropagate=TRUEentryOwner=group:cn=SecurityGroup,secAuthority=DefaultentryOwner=access-id:LDAP_Admin_DN


� 4 � �� 85

�� , �� .

ignore-suffix = sysplex=UTCPLXJ8ignore-suffix = "o=Your Company"ignore-suffix = o=MQuser

� �� z/OS SDBM(RACF) �� sysplex=UTCPLXJ8

�� . �� Access Manager� �� LDAP �� ID� z/OS

�� RACF �� ID� �� SDBM ��

�. � �� ignore-suffix �� , Access Manager� �

� �� x’32’ - LDAP_INSUFFICIENT_ACCESS �� .

�� z/OS� �� Access

Manager�� .

Tivoli Access Manager� LDAP ��

�� . �� , Tivoli Access Manager� ��

etc �� ldap.conf � Tivoli Access Manager� �

� �� .

��

��

�. �� , �� , ACL � ��

�� (�� ) �� LDAP �� Tivoli

Access Manager� � �� . �� pkmspasswd ��

�� SAF �� .

�� Tivoli Access Manager �� SAF �� ID ��

�� . �� ibm-nativeId� ��

�� . �� , �� SAF ��

�� (��

�� ).

pdadmin sec_master> group modify SAFusers add user1pdadmin sec_master> acl create deny_pkmspdadmin sec_master> acl modify deny_pkms set group SAFusers Tpdadmin sec_master> acl attach /Webseal/server_name/pkmspasswd deny_pkms

OS/390 LDAP ��

�. �� , �� Tivoli Access Manager ��

�� .

pdadmin sec_master> user modify user1 password ChangeMe1



�� ibm-nativeId �� out-of-the-box ��

� �� . �� nativeId� � Tivoli

Access Manager �� .

�� .

pdadmin sec_master> user create user1 cn=user1,o=tivoli,c=us user1 user1 ChangeMe1pdadmin sec_master> user modify user1 account-valid yes

��(� �� ChangeMe1)� LDAP��

�� userpassword �� . ��

� �� .

�� ibm-nativeId ��

�� ldif � ��.

cn=user1,o=tivoli,c=usobjectclass=inetOrgPersonobjectclass=ibm-nativeAuthenticationibm-nativeId=SAF_username

�� ldapmodify �� ldif � �� .

ldapmodify -h hostname -p port -D bind_DN -w bind_pwd -f schema_file

�� SAF �� .

subsystem_prefix ALTUSER userid PASSWORD pwd

�� auth-using-compare� ��

��. �� ivmgrd.conf � webseald.conf � [ldap] ��

�� .

auth-using-compare = no

�� LDAP� �� .

�� IBM z/OS Security Server

LDAP Server Administration and Use �� .


Lotus Domino ��

Domino™ Server� Tivoli Access Manager� ��

�� .

1. 25 ��

�� .


� 4 � �� 87


2. Domino� �� Tivoli Access Manager �� . ��

�Domino� �� Tivoli Access Manager �� .

3. Domino �� , Lotus Notes® �� Domino ��

��. �� 90 �� Domino �� Lotus Notes ��

�� .

4. Windows �� .

NOTESNTSERVICE=1

� �� Lotus Domino Server� Windows ��

� �� .

�: Domino �� Tivoli Access Manager� Windows ��

� ��. �� Lotus Notes �� Windows ��

��.

Domino� Tivoli Access Manager� � �� , Policy

Server� ��. �� 105 �� 5 � �Policy Server ��

��.

Domino� �� Tivoli Access Manager ��

Tivoli Access Manager �� Domino �� Domino� ��

Tivoli Access Manager �� . ��

�� .

1. �� .

v �� ID � ��

v � �� Domino ��

v �� Domino �� userCreator ��

2. Domino �� GUI�� & �� .

3. �� .

4. Domino �� .

Lotus Domino ��


5. �� → �� .

6. Domino �� ID� ��(�� c:\Program Files\

Lotus\Domino\Data�).

�: Notes� �� ID� ��. ��

� �� , NOTES.INI� CertifierIDFile �� ID� ��

��.

7. �� , �� ID ��

��. �� ID� �� .

8. � �� . ��

�, Tivoli Access Manager �� .

v � : AM

v �: Daemons

v ��: pwd

9. �� . �� (�� )� �

��.

10. ID �� Notes ID � Domino ��

�.

11. �� Domino

�� .

�� . ��

�� .

12. Domino �� Domino �� Tivoli Access

Manager �� .

Lotus Domino ��

� 4 � �� 89

Domino �� Lotus Notes ��

Domino �� Lotus Notes ��

�.

�: Tivoli Access Manager� Lotus Notes Client, �� 5.0.10 � �� 6.0 ��

��.

1. �� Lotus Notes ID � � �� ,

� �� drive:\notes\data �� .

�: �� ID � � � �� , Lotus Notes �

�� → �� → �� ID� �� ID � � �

��.

2. Windows� Lotus Notes �� Domino CD�� Notes ��

�� .

�: ��

�� . Tivoli Access Manager� �� , Notes ��

� �� .

3. Lotus Notes �� . ��

� �� .

4. Lotus Notes �� . �� , �� → ��

→ Lotus �� → Lotus Notes� ��.

5. Lotus Notes �� .

v Domino �� .

v LAN� �� .

v Domino �� . ��

�� . �� ,

Domino �� .

domino1/Tivoli

v �� .

– Lotus Notes ID � �� , Notes UserID� ��

� �� ID � �� ID

� �� . �� , c:\notes\data\username.id

� ��.

– � �� ID� �� Tivoli Access Manager

�� ID(�: AMDaemons)� ��.

�� .

Lotus Domino ��


6. �� . Notes

�� .

7. �� , ��

��.

Notes �� Domino ��

��.

8. Tivoli Access Manager �� . �� Notes �

�� .

�� , �� Notes ID � �� \notes\data �

�� .

Microsoft Active Directory ��

Active Directory for Tivoli Access Manager� ��

�� .

1. Active Directory �� .



Tivoli Access Manager� � �� Active Directory ��

�, Windows 2000 �� Windows 2003 �� Policy Server� ��. �

�� 105 �� 5 � �Policy Server �� .

Active Directory ��

Tivoli Access Manager� � Active Directory� ��

�� .

v Tivoli Access Manager� Active Directory ��

�� . ��

�� Active Directory �� .

– Windows 2000 �� :

http://www.microsoft.com/windows2000/en/server/help/

– Windows 2003 �� :

http://www.microsoft.com/windowsserver2003/proddoc/

v �� , �� Tivoli Access Manager

� �� . �� , �

�� Active Directory �� .

v �� .

Lotus Domino ��

� 4 � �� 91

http://www.microsoft.com/windows2000/en/server/help/

http://www.microsoft.com/windowsserver2003/proddoc/

v Tivoli Access Manager �� Active Directory �� Active

Directory �� Tivoli Access Manager ��

ID� ��.

v Tivoli Access Manager� Active Directory� ��

(�� , Tivoli Access Manager� Active Directory� ��

�) ��


��.

v �� TCP/IP �� DNS� ��

� TCP/IP �� . � �� DNS ��

� �� DNS� �� .

v Tivoli Access Manager� ��

� ��, � �� adschema_update.exe� ��

��.


Windows �� Active Directory ��

�� . �� Active Directory ��

�.

��

� �� . � ��

��

��.

v � ��(forest)��

v � ��(forest)��

v � ��

�: � �� DNS� �� , � ��

�� . �� , ��

�� (forest)� �� Windows ��

�.

��

��.

v 93 �� Active Directory ��

v 95 �� Active Directory ��




Active Directory �� , Windows Advanced Server� Active Directory

�� .

�: �� .

�� DNS� �

�� .

1. �� , � ��

��. �� .

2. �� .


� 4 � �� 93

3. � �� . ��

� � ��. �� .

4. ��

�� .

5. �� . ��

��.



6. �� . ��

�� .

7. �� . ��

� �� .

�: �� , �� AD ��

��. �� Windows �� .


Tivoli Access Manager �� Active Directory ��

�� .

1. Active Directory �� → �� → �� → Active Directory

�� .

2. � �� , �� , ��

� �� . � �� Active Directory ��


� 4 � �� 95

�� Tivoli Access Manager �� . Tivoli Access Manager

�� sec_master� ��

�� .


�� Active Directory� �� , ��

��

�. �� 300 (5 )��. � �� , ��

�� . ��

�� . � ��

� �� . �� 30 ��. �

�� .

Active Directory� ��

��

�(�) DWORD �� .

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

�: �� . ��

� �� .

� � �� DWORD �� 16� ��

0x12c��, 10�� 300(5 )��.

�� , ��

�� DSA � �� (�) DWORD ��

��.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

DSA � �� (�) DWORD �� 16� ��

�� 0x1e�� 10�� 30(30 )��.

�: �� Policy Server� ��

��.

Active Directory �� , �� 5 ��

�. �� user list �� group

list �� . ��, ��

�� 2� � ��

��. � � �� DSA � ��

�� .



Novell eDirectory ��

�� , �� Novell �� Novell eDirectory

� ConsoleOne �� .

Novell eDirectory, �� 8.6.2� �� .

http://www.novell.com/documentation/lg/ndsedir86/index.html

Novell eDirectory, �� 8.7� �� .

http://www.novell.com/documentation/lg/edir87/index.html

25 ��

�� .

Tivoli Access Manager� � Novell eDirectory� ��

��.

1. Novell Client �� ConsoleOne� ��.

2. NDS �� . ��

�� , �, � �� .

3. � �� . ��

��.

4. �� Tivoli Access Manager� �� , �

�� LDAP Group �� Properties� ��

�. �� .

5. LDAP �� .

6. LDAP ��

��.

inetOrgPersongroupOFNames

7. LDAP �� . LDAP ��

�� .

8. �� NDS �� Member �� . � LDAP ��

�� Member�� . LDAP �� Member� ��

��.

9. �� .

v NDS �� = Member

v �� LDAP �� = Member

v 2� LDAP �� = uniqueMember


� 4 � �� 97



10. LDAP �� .

Tivoli Access Manager� � �� Novell eDirectory� �� , �


Server �� .


Novell eDirectory� �� User � Group� ��

��. � ��

eDirectory �� . � �� eDirectory� �

�� . eDirectory� � � ��

�� X-NDS_NOT_CONTAINER ’1’� ��. ��

��

� � �� .

�� Tivoli Access Manager� �� Tivoli

Access Manager� � eDirectory ��

� �� . Tivoli Access Manager� � ��

� eDirectory �� , eDirectory User � Group ��

�� . Novell

eDirectory� �� .

�� Novell eDirectory �� User �� Tivoli Access

Manager �� . Group ��

��.

v �� eDirectory �� ndsrepair

��.

v ��

iManager �� .

v Novell eDirectory� �� .

v Novell eDirectory� �� .

Tivoli Access Manager� eDirectory ��

�� , �� Tivoli Access Manager �� User

�� .

ivrgy_tool -h edir_server_name -p port -D edir_admin_dn -w edir_admin_pwd schema

ivrgy_tool.exe� sbin �� . �� , �� .

v Windows ��: d:\Program Files\Tivoli\Policy Director\sbin

v UNIX ��: /opt/PolicyDirector/sbin



Tivoli Access Manager� sbin �� PATH� �� sbin

�� . � �� 466

�� ivrgy_tool�� .

Sun ONE Directory Server ��

�� , Sun ONE Directory Server ��

� �� . �� Sun ��

��.


Tivoli Access Manager� � Sun ONE Directory Server� ��

� ��.

�: ASCII �� Directory Server �� 7� ��

�� . � �� on��

��.

1. Directory Server �� slapd-serverID� �� (ps ��

� �� ).

2. Directory Server �� (slapd-serverID) � �� (admin-serv)�

�� . ��

� ��.

v UNIX ��:

% ServerRoot/slapd-serverID/start-slapd

% ServerRoot/start-admin

v Window �� , �� Sun ONE Administration Server

5.2 � Sun ONE Directory Server 5.2 �� .

3. �� .

v UNIX ��:

% ServerRoot/startconsole

v Windows �� , �� → �� → Sun ONE Server Products →

Sun ONE Server Console 5.2� ��.

�� (o=NetscapeRoot ��)� Sun ONE Directory Server� �

�� Sun ONE Server � ��

� ��. � ��, �� DN, �� Directory Server �

�� .

4. LDAP �� ID � �� . �� ,

cn=Directory Manager � � �� OK� ��.


� 4 � �� 99


Sun ONE Server �� .

5. �� Directory Server� ��

� �� .



6. �� Directory Server � � � � �� Open �� . �

Directory Server �� Directory Server �� .

7. �� New Suffix

� ��. Data� �� Object → New Suffix�

�� .


secAuthority=Default� �� OK� ��.

�� .

9. �� . ��

� �� , ��

� � �� . �� , o=tivoli,c=us��

� � ��.

10. �� .


� 4 � �� 101

v secAuthority=Default ��

��. Policy Server� �� secAuthority=Default� ��

� �� .

v secAuthority=Default �� 11 ��

� �� .

11. Directory ��

��.

12. Objects → New Root Object� ��. � ��

� �� .

13. � � ��(secAuthority=Default� ��)� � � ��

�. New Object �� . ��

�� . �� , o=tivoli,c=us��

organization� �� . � �� OK

� ��.



14. Generic Editor �� . o=tivoli,c=us ��

�, �� tivoli� �� OK� ��.

15. �� Console → Exit� ��

��.

Tivoli Access Manager� � �� Sun ONE Directory Server� �

�� , � �� Policy Server� ��. �� 105 �� 5

� �Policy Server �� .


� 4 � �� 103

� 5 � Policy Server ��

� �� Tivoli Access Manager Policy Server ��

�� . � �� Policy Server� ��

��. Policy Server� �� .

��: �� , Standby Policy Server� ��

�(AIX ��). � �� HACMP(High Availability Cluster

Multiprocessing) �� . �

� � �� 421 �� 25 � �AIX: Standby Policy Server

�� .

�� .

v ��

v 106 ��

��

install_ammgr ��

� Tivoli Access Manager Policy Server �� .


v IBM Tivoli Directory Client, �� 5.2(�� )


v Access Manager Policy Server, �� 5.1

�: � ��

� ��.

install_ammgr �� Policy Server ��

�� .

1. �� . �� 33 �

�� (�� )�� .

2. Policy Server� ��

�� .

3. �� IBM JRE 1.3.1(AIX�� 1.3.1.5)� ��

�� . �� 294 �� .


4. �(��) ��

�� . �� 45 ��

� �� .

5. Windows �� , �� .

6. �� AIX, HP-UX, Linux, Solaris � Windows� Tivoli Access

Manager Base CD� � �� install_ammgr ��

��.

336 �� install_ammgr ��

�� . � �� (��

�� ), �� .

Policy Server �� . �� Tivoli Access Manager ��

�� 23 �� .

��


� �� . � �� , � ��

� �� . ��

�� pdconfig �� .

� � �� .

v 106 �� AIX

v 108 �� HP-UX

v 110 �� Linux

v 111 �� Solaris

v 113 �� Windows

AIX: Policy Server ��

�� installp� �� pdconfig ��

�� .

AIX� Tivoli Access Manager Policy Server ��

��.

1. root� ��.


�� .

3. IBM Tivoli Access Manager Base for AIX CD� ��

�.

Policy Server ��


4. GSKit� ��. �� 285 �� .

5. IBM Tivoli Directory Client� ��. �� 291 ��

��.

6. �� .

installp -acgXd cd_mount_point/usr/sys/inst.images packages


packages� �� .

PD.RTE Access Manager Runtime �� .

PD.Mgr Access Manager Policy Server �� .

�: Policy Server� �� Access Manager Runtime� ��

�. , Policy Server� ��

�.

7. �(��) ��

�� . �� 45 ��

�� .

8. Access Manager Runtime� �� Access Manager Policy Server ��

� �� .

a. �� .

pdconfig


b. �� 1� ��. Tivoli Access Manager ��

� ��.

c. �� .

�� . ��

� �� 377 �� 23 � �pdconfig �� .

�� Enter� ��

�� x � � � �� .


�� 23 �� .

Tivoli Access Manager Policy Server� �� pdcacert.b64�� SSL

CA(Certificate Authority) � �� . Access Manager Policy

Server �� , �� .


� 5 � Policy Server �� 107

Access Manager Policy Server �� .�� CA �� Base-64� �� ./var/PolicyDirector/keytab/pdcacert.b64�� .�� .

Tivoli Access Manager Runtime �� Tivoli Access Manager ��

�� . � � ��

�� .

v Access Manager Runtime �� (pdconfig �� )

pdcacert.b64 � �� .

v Access Manager Runtime �� pdcacert.b64 � ��


HP-UX: Policy Server ��

�� swinstall� �� pdconfig ��

�� .

HP-UX� Tivoli Access Manager Policy Server ��

��.

1. root� ��.


�� .

3. IBM Tivoli Access Manager Base for HP-UX CD� ��.


�� CD� ��. �� , �� .



5. GSKit� ��. �� 286 �� .


��.

7. CD� � �� LDAP �� .

am_update_ldap.sh

8. �� .



PDRTE Access Manager Runtime �� .

PDMgr Access Manager Policy Server �� .




��. , Policy Server� ��

��.

9. �(��) ��

� �� . �� 45 ��

�� .


� �� .

a. �� .

pdconfig



� ��.

c. �� .

�� . ��

�� 377 �� 23 � �pdconfig �� .


�� x � � � �� .

11. �� CD� �� .

pfs_umount -c /cd-rom

�� /cd-rom� �� .


�� 23 �� .



Server �� , �� .



�� . � � ��

�� .







Linux: Policy Server ��

�� rpm� �� pdconfig ��

� �� .

Linux� Tivoli Access Manager Policy Server� ��

�.

�: zSeries� Linux ��: �� IBM Tivoli Access Manager for Linux on zSeries


1. root� ��.


�� .

3. IBM Tivoli Access Manager Base CD for xSeries or zSeries� ��

��.



5. GSKit� ��. �� 286 �� .


��.

7. �� .

rpm -ihv packages


Access Manager Runtime Access Manager Policy Server

xSeries� Linux PDRTE-PD-5.1.0-0.i386.rpm PDMgr-PD-5.1.0-0.i386.rpm

zSeries� Linux PDRTE-PD-5.1.0-0.s390.rpm PDMgr-PD-5.1.0-0.s390.rpm



�.

8. �(��) ��

�� . �� 45 ��

�� .


� �� .

a. �� .



pdconfig



� ��.

c. �� .

�� . ��

� �� 377 �� 23 � �pdconfig �� .


�� x � � � �� .


�� 23 �� .



Server �� , �� .



�� . � � ��

�� .





Solaris: Policy Server ��

�� pkgadd� �� pdconfig ��

�� .

Solaris� Tivoli Access Manager Policy Server ��

��.

1. root� ��.


�� .

3. IBM Tivoli Access Manager Base for Solaris CD� ��.



4. GSKit� ��. �� 287 �� .


��.

6. �� (� �� )


��,


�� .


�� .



PDMgr Access Manager Policy Server �� .



�.

� �� .

�� .

7. �(��) ��

�� . �� 45 ��

�� .


� �� .

a. �� .

pdconfig



� ��.

c. �� .

�� . ��

� �� 377 �� 23 � �pdconfig �� .


�� x � � � �� .




�� 23 �� .



Server �� , �� .



�� . � � ��

�� .





Windows: Policy Server ��

�� setup.exe �� pdconfig ��

�� .

Windows� Tivoli Access Manager Policy Server� ��

��.

1. �� .


�� .

3. IBM Tivoli Access Manager Base for Windows NT, Windows XP, Windows

2000 and Windows 2003 CD� ��.

4. GSKit� ��. �� 288 �� .


��.

6. Access Manager Runtime � Access Manager Policy Server ��

��. �� setup.exe ��

��.

windows\PolicyDirector\Disk Images\Disk1

�� .





�.

7. �(��) ��

�� . �� 45 ��

�� .


� �� .

a. �� .

pdconfig


b. Access Manager Runtime �� .

c. Access Manager Policy Server �� .

�� . ��

�� 377 �� 23 � �pdconfig �� .


�� 23 �� .



Server �� , �� .

Access Manager Policy Server �� .�� CA �� Base-64� �� .C:\PROGRA~1\Tivoli\POLICY~1\keytab\pdcacert.b64�� .�� .


�� . � � ��

�� .







� 6 � Authorization Server ��

� �� Tivoli Access Manager Authorization Server ��

�� .

�� .

v ��

v 116 ��

��

install_amacld �� Tivoli

Access Manager Authorization Server �� .




v Access Manager Authorization Server, �� 5.1

�: � ��

� ��.

install_amacld �� Authorization Server ��

� �� .

1. �� . �� 33 �

�� (�� )�� .

2. �� Policy Server� ��

��.

3. �� IBM JRE 1.3.1(AIX�� 1.3.1.5)� ��

�� . �� 294 �� .

4. �(��) ��

�� . �� 45 ��

� �� .

5. Windows �� ,

v �� .

v Active Directory� �� , � �� IBM Tivoli

Directory Client� �� . ��


cd_drive:\windows\directory\ �� setup.exe ��

��. Client SDK 5.2 ��

�� .


Manager Base CD� � �� install_amacld ��

��.

352 �� install_amacld��

�� . � �� (�� ),

�� .

Authorization Server �� . �� Tivoli Access Manager �

�� 23 �� .

��


� �� . � �� , � ��

� �� . ��


� � �� .

v 116 �� AIX

v 117 �� HP-UX

v 119 �� Linux



AIX: Authorization Server ��


�� .

Tivoli Access Manager Authorization Server ��

��.

1. root� ��.


��.


�.

4. GSKit� ��. �� 285 �� .

Authorization Server ��



��.

6. �� .





PD.Acld Access Manager Authorization Server �� .

7. �(��) ��

�� . �� 45 ��

�� .

8. Access Manager Runtime� �� Access Manager Authorization Server ��

�� .

a. �� .

pdconfig



� ��.

c. �� .

�� . ��

� �� 377 �� 23 � �pdconfig �� .


�� x � � � �� .


�� 23 �� .

HP-UX: Authorization Server ��


�� .


��.

1. root� ��.


��.


� 6 � Authorization Server �� 117



�� CD� ��. �� , �� .



5. GSKit� ��. �� 286 �� .


��.

7. CD� � �� LDAP �� .

am_update_ldap.sh

8. �� .




PDAcld Access Manager Authorization Server �� .

9. �(��) ��

� �� . �� 45 ��

�� .


�� .

a. �� .

pdconfig



� ��.

c. �� .

�� . ��

�� 377 �� 23 � �pdconfig �� .


�� x � � � �� .

11. �� CD� �� .


�� /cd-rom� �� .




�� 23 �� .

Linux: Authorization Server ��


� �� .


��.



1. root� ��.


��.

3. IBM Tivoli Access Manager Base CD for xSeries or zSeries� ��

��.



5. GSKit� ��. �� 286 �� .


��.

7. �� .

rpm -ihv packages


Access Manager Runtime Access Manager Authorization

Server

xSeries� Linux PDRTE-PD-5.1.0-0.i386.rpm PDAcld-PD-5.1.0-0.i386.rpm

zSeries� Linux PDRTE-PD-5.1.0-0.s390.rpm PDAcld-PD-5.1.0-0.s390.rpm

8. �(��) ��

�� . �� 45 ��

�� .


�� .

a. �� .

pdconfig





� ��.

c. �� .

�� . ��

� �� 377 �� 23 � �pdconfig �� .


�� x � � � �� .


�� 23 �� .

Solaris: Authorization Server ��


�� .


��.

1. root� ��.


��.


4. GSKit� ��. �� 287 �� .


��.

6. �� (� �� )


��,


�� .


�� .



PDAcld Access Manager Authorization Server �� .

� �� .



�� .

7. �(��) ��

�� . �� 45 ��

�� .


�� .

a. �� .

pdconfig



� ��.

c. �� .

�� . ��

� �� 377 �� 23 � �pdconfig �� .


�� x � � � �� .


�� 23 �� .

Windows: Authorization Server ��


�� .


��.

1. �� .


��.



4. GSKit� ��. �� 288 �� .


��.

6. Access Manager Runtime � Access Manager Authorization Server ��


��.




�� .

7. �(��) ��

�� . �� 45 ��

�� .


�� .

a. �� .

pdconfig



c. Access Manager Authorization Server ��

��.

�� . ��

�� 377 �� 23 � �pdconfig �� .


�� 23 �� .



� 7 � Development(ADK) ��

� �� Tivoli Access Manager Development(ADK) ��

�� .

�� .

v ��

v 124 ��

��

install_amadk ��

� Tivoli Access Manager Development(ADK) �� .




v Access Manager Application Development Kit, �� 5.1

�: � ��

� ��.

install_amadk �� Development(ADK) ��

�� .

1. �� . �� 33 �

�� (�� )�� .


��.

3. �� IBM JRE 1.3.1(AIX�� 1.3.1.5)� ��

�� . �� 294 �� .

4. �(��) ��

�� . �� 45 ��

� �� .

5. Windows �� , �� .


Manager Base CD� � �� install_amadk ��

��.


353 �� install_amadk��

�� . � �� (�� ),

�� .

Development(ADK) �� . �� Tivoli Access Manager ��

� �� 23 �� .

��


� �� . � �� , � ��

� �� . �� Access

Manager Runtime �� pdconfig �� .

� � �� .

v 124 �� AIX

v 125 �� HP-UX

v 126 �� Linux



AIX: Development(ADK) ��


�� .

Tivoli Access Manager Development(ADK) ��

��.

1. root� ��.


��.


�.

4. GSKit� ��. �� 285 �� .


��.

6. �� .




Development(ADK) ��



PD.AuthADK Access Manager Application Development Kit ��

��.

7. �(��) ��

�� . �� 45 ��

�� .

8. �� Access Manager Runtime �� .

a. �� .

pdconfig



� ��.

c. �� . �� 377

�� 23 � �pdconfig �� .

�� x � � � ��

� �� .

Tivoli Access Manager Development(ADK) �� . �� Tivoli

Access Manager �� 23 ��

��.

HP-UX: Development(ADK) ��


�� .


��.

1. root� ��.


��.



�� CD� ��. �� , �� .



5. GSKit� ��. �� 286 �� .


� 7 � Development(ADK) �� 125


��.

7. CD� � �� LDAP �� .

am_update_ldap.sh

8. �� .




PDAuthADK Access Manager Application Development Kit ��

��.

9. �(��) ��

� �� . �� 45 ��

�� .


a. �� .

pdconfig



� ��.

c. �� . �� 377

�� 23 � �pdconfig �� .

�� x � � � �

�� .

11. �� CD� �� .


�� /cd-rom� �� .



��.

Linux: Development(ADK) ��


� �� .




��.

�: zSeries� Linux ��: �� IBM Tivoli Access Managerfor Linux on zSeries


1. root� ��.


��.

3. IBM Tivoli Access Manager Base CD for xSeries, zSeries or pSeries and iSeries

� �� .



5. GSKit� ��. �� 286 �� .


��.

7. �� .

rpm -ihv packages


Access Manager Runtime Access Manager Appl icat ion

Development Kit

xSeries� Linux PDRTE-PD-5.1.0-0.i386.rpm PDAuthADK-PD-5.1.0-0.i386.rpm

zSeries� Linux PDRTE-PD-5.1.0-0.s390.rpm PDAuthADK-PD-5.1.0-0.s390.rpm

pSeries � iSeries�

Linux

PDRTE-PD-5.1.0-0.ppc.rpm PDAuthADK-PD-5.1.0-0.ppc.rpm

8. �(��) ��

�� . �� 45 ��

�� .


a. �� .

pdconfig



� ��.

c. �� . �� 377

�� 23 � �pdconfig �� .



�� x � � � ��

� �� .



��.

Solaris: Development(ADK) ��


�� .


��.

1. root� ��.


��.


4. GSKit� ��. �� 287 �� .


��.

6. �� (� �� )


��,


�� .


�� .



PDAuthADK Access Manager Application Development Kit ��

��.

� �� .

�� .

7. �(��) ��

�� . �� 45 ��

�� .




a. �� .

pdconfig



� ��.

c. �� . �� 377

�� 23 � �pdconfig �� .


�� x � � � �� .



��.

Windows: Development(ADK) ��


�� .


��.

1. �� .


��.



4. GSKit� ��. �� 288 �� .


��.

6. Access Manager Runtime � Access Manager Application Development Kit �

�� . �� setup.exe ��

� ��.


�� .

7. �(��) ��

�� . �� 45 ��

�� .




a. �� .

pdconfig



�� 377 �� 23 � �pdconfig ��

��.

��

�� .



��.



� 8 � Java Runtime Environment ��

� �� Tivoli Access Manager Java Runtime Environment ��

�� .

�� .

v ��

v 132 ��

��

install_amjrte �� Access Manager Java Runtime Environment, �� 5.1

�� Tivoli Access Manager Java Runtime Environment

�� .

�: � ��

� ��.

install_amjrte �� Java Runtime Environment ��

�� .

1. �� . �� 33 �

�� (�� )�� .

2. �� IBM JRE 1.3.1(AIX�� 1.3.1.5)� ��

�� . �� 294 �� .

3. Policy Server� �� .

4. �(��) ��

�� . �� 45 ��

� �� .

5. Windows �� , �� .


Manager Base CD� � �� install_amjrte ��

��.

354 �� install_amjrte��

�� . � �� (�� ),

�� .

Java Runtime Environment �� . �� Tivoli Access Manager

�� 23 �� .


��


� �� . � �� , � ��

� �� . ��

�� pdjrtecfg �� .

�: Access Manager Runtime �� , pdconfig ��

pdjrtecfg �� Access Manager Java Runtime Environment �

�� .

� � �� .

v 132 �� AIX

v 133 �� HP-UX

v 134 �� Linux



AIX: Java Runtime Environment ��

�� installp� �� Access Manager Java Runtime Environment ��


AIX� Tivoli Access Manager Java Runtime Environment ��

� �� .

1. root� ��.

2. IBM JRE, �� 1.3.1.5� ��. �� 295 �� .


�.

4. �� Access Manager Java Runtime Environment ��

�.

installp -acgXd cd_mount_point/usr/sys/inst.images PDJ.rte


��.

5. �(��) ��

�� . �� 45 ��

�� .

6. Access Manager Java Runtime Environment ��

/opt/PolicyDirector/sbin �� .

Java Runtime Environment ��


v IBM JRE 1.3.1.5�� .

./pdjrtecfg -action config -interactive

v Sun JRE 1.4�� .

./pdjrtecfg -action config -host policy_server_host -port port -java_home jre_path

�:

1. Java Runtime Environment� �� , Policy Server� �

�� . ��

�� .

2. Sun JRE 1.4� �� pdjrtecfg -interactive �� pdconfig ��

�� . �� . � ��

� �� 488 �� pdjrtecfg� � 487 �� pdconfig��

��.


�� 23 �� .

HP-UX: Java Runtime Environment ��

�� swinstall� �� Access Manager Java Runtime Environment ��


HP-UX� Tivoli Access Manager Java Runtime Environment ��

�� .

1. root� ��.

2. IBM JRE, �� 1.3.1� ��. �� 295 �� .



�� CD� ��. �� , �� .




��.

swinstall -s /cd-rom/hp PDJrte

6. �(��) ��

�� . �� 45 ��

�� .




� 8 � Java Runtime Environment �� 133

v IBM JRE 1.3.1�� .




�:

a. Java Runtime Environment� �� , Policy Server

� �� . ��

�� .

b. Sun JRE 1.4� �� pdjrtecfg -interactive �� pdconfig ��

�� . �� . �

�� 488 �� pdjrtecfg� � 487 ��

�pdconfig�� .

v �� CD� �� .


�� /cd-rom� �� .

Java Runtime Environment �� . �� Tivoli Access

Manager �� 23 �� .

Linux: Java Runtime Environment ��

�� rpm� �� Access Manager Java Runtime Environment ��


Linux� Tivoli Access Manager Java Runtime Environment ��

�� .



1. root� ��.

2. IBM JRE, �� 1.3.1� ��. �� 296 �� .

3. IBM Tivoli Access Manager Base CD for xSeries, zSeries or pSeries and iSeries

� �� .




�.

rpm -ihv package




v xSeries� Linux: PDJrte-PD-5.1.0-0.i386.rpm

v zSeries� Linux: PDJrte-PD-5.1.0-0.s390.rpm

v pSeries � iSeries� Linux: PDJrte-PD-5.1.0-0.ppc.rpm

6. �(��) ��

�� . �� 45 ��

�� .



v IBM JRE 1.3.1�� .




�:


� �� . ��

�� .


� �� . �� . � ��

�� 488 �� pdjrtecfg� � 487 �� pdconfig�

� ��.


Manager �� 23 �� .

Solaris: Java Runtime Environment ��

�� pkgadd� �� Access Manager Java Runtime Environment ��


Solaris� Tivoli Access Manager Java Runtime Environment ��

�� .

1. root� ��.

2. IBM JRE, �� 1.3.1� ��. �� 297 �� .



�.

pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault PDJrte



�� -d /cdrom/cdrom0/solaris� � � � � � �� -a

/cdrom/cdrom0/solaris/pddefault� �� .

5. �(��) ��

�� . �� 45 ��

�� .



v IBM JRE 1.3.1�� .




�:


� �� . ��

�� .


� �� . �� . � ��

�� 488 �� pdjrtecfg� � 487 �� pdconfig�

� ��.


Manager �� 23 �� .

Windows: Java Runtime Environment ��

�� setup.exe �� Access Manager Java Runtime Environment


Windows� Tivoli Access Manager Java Runtime Environment ��

�� .

1. Windows �� .

2. IBM JRE, �� 1.3.1� ��. �� 297 �� .



4. Access Manager Java Runtime Environment �� . ��

�� setup.exe � ��.


�� .



5. �(��) ��

�� . �� 45 ��

�� .

6. Access Manager Java Runtime Environment �� c:\Program

Files\Tivoli\Policy Director\sbin ��

�.

v IBM JRE 1.3.1�� .

pdjrtecfg -action config -interactive


pdjrtecfg -action config -host policy_server_host -port port -java_home jre_path

�:

1. Java Runtime Environment� �� , Policy Server� �

�� . ��

�� .

2. Sun JRE 1.4� �� pdjrtecfg -interactive �� pdconfig ��

�� . �� . � ��

� �� 488 �� pdjrtecfg� � 487 �� pdconfig��

��.


�� 23 �� .



� 9 � Policy Proxy Server ��

� �� Tivoli Access Manager Policy Proxy Server ��

�� .

�� .

v ��

v 140 ��

��

install_amproxy ��

�� Tivoli Access Manager Policy Proxy Server �� .




v Access Manager Policy Proxy Server, �� 5.1

�: � ��

� ��.

install_amproxy �� Policy Proxy Server� ��

� �� .

1. �� . �� 33 �

�� (�� )�� .

2. �� IBM JRE 1.3.1(AIX�� 1.3.1.5)� ��

�� . �� 294 �� .


��.

4. �(��) ��

�� . �� 45 ��

� �� .

5. Windows �� ,

v �� .






�� .


Manager Base CD� � �� install_amproxy ��

��.

357 �� install_amproxy��

�� . � �� (��

�), �� .

Policy Proxy Server �� . �� Tivoli Access Manager �

�� 23 �� .

��


� �� . � �� , � ��

� �� . ��


� � �� .

v 140 �� AIX

v 141 �� HP-UX

v 143 �� Linux



AIX: Policy Proxy Server ��


�� .

Tivoli Access Manager Policy Proxy Server ��

��.

1. root� ��.


��.


�.

4. GSKit� ��. �� 285 �� .

Policy Proxy Server ��



��.

6. �� .





PD.Proxy Access Manager Proxy Policy Server �� .

7. �(��) ��

�� . �� 45 ��

�� .

8. Access Manager Runtime� �� Access Manager Policy Proxy Server� �

� �� .

a. �� .

pdconfig



� ��.

c. �� .

�� . ��

� �� 377 �� 23 � �pdconfig �� .


�� x � � � �� .


�� 23 �� .

HP-UX: Policy Proxy Server ��


�� .


��.

1. root� ��.


��.


� 9 � Policy Proxy Server �� 141



�� CD� ��. �� , �� .



5. GSKit� ��. �� 286 �� .


��.

7. CD� � �� LDAP �� .

am_update_ldap.sh

8. �� .




PDProxy Access Manager Policy Proxy Server �� .

9. �(��) ��

� �� . �� 45 ��

�� .


� �� .

a. �� .

pdconfig



� ��.

c. �� .

�� . ��

�� 377 �� 23 � �pdconfig �� .


�� x � � � �� .

11. �� CD� �� .


�� /cd-rom� �� .




�� 23 �� .

Linux: Policy Proxy Server ��


� �� .


��.



1. root� ��.


��.

3. IBM Tivoli Access Manager Base for xSeries or zSeries CD� ��

��.



5. GSKit� ��. �� 286 �� .


��.

7. �� .

rpm -ihv packages


Access Manager Runtime Access Manager Policy Proxy

Server

xSeries� Linux PDRTE-PD-5.1.0-0.i386.rpm PDMgrPrxy-PD-5.1.0-0.i386.rpm

zSeries� Linux PDRTE-PD-5.1.0-0.s390.rpm PDMgrPrxy-PD-5.1.0-0.s390.rpm

8. �(��) ��

�� . �� 45 ��

�� .


� �� .

a. �� .

pdconfig





� ��.

c. �� .

�� . ��

� �� 377 �� 23 � �pdconfig �� .


�� x � � � �� .


�� 23 �� .

Solaris: Policy Proxy Server ��


�� .


��.

1. root� ��.


��.


4. GSKit� ��. �� 287 �� .


��.

6. �� (� �� )


��,


�� .


�� .



PDProxy Access Manager Policy Proxy Server �� .

� �� .



�� .

7. �(��) ��

�� . �� 45 ��

�� .


� �� .

a. �� .

pdconfig



� ��.

c. �� .

�� . ��

� �� 377 �� 23 � �pdconfig �� .


�� x � � � �� .


�� 23 �� .

Windows: Policy Proxy Server ��


�� .


��.

1. �� .


��.



4. GSKit� ��. �� 288 �� .


��.

6. Access Manager Runtime � Access Manager Policy Proxy Server ��


��.




�� .

7. �(��) ��

�� . �� 45 ��

�� .


� �� .

a. �� .

pdconfig



c. Access Manager Policy Proxy Server ��

�.

�� . ��

�� 377 �� 23 � �pdconfig �� .


�� 23 �� .



� 10 � ��

� �� Tivoli Access Manager Runtime ��

��.

�� .

v ��

v 148 ��

��

install_amrte ��

� Tivoli Access Manager Runtime �� .




�: � ��

� ��.

install_amrte ��

��.

1. �� . �� 33 �

�� (�� )�� .


��.

3. �� IBM JRE 1.3.1(AIX�� 1.3.1.5)� ��

�� . �� 294 �� .

4. �(��) ��

�� . �� 45 ��

� �� .

5. Windows �� , �� .


Manager Base CD� � �� install_amrte ��

��.


346 ��(LDAP), 348 ��(Active Directory) �� 351 ��(Domino)�

�� .

� �� (�� ), ��

��.

�� . �� Tivoli Access Manager ��

� 23 �� .

��


� �� . � �� , � ��

� �� . ��


� � �� .

v 148 �� AIX

v 149 �� HP-UX

v 150 �� Linux



AIX: ��


�� .

Tivoli Access Manager Runtime �� .

1. root� ��.


��.


�.

4. GSKit� ��. �� 285 �� .


��.


installp -acgXd cd_mount_point/usr/sys/inst.images PD.RTE


��.

��


7. �(��) ��

�� . �� 45 ��

�� .


a. �� .

pdconfig



� ��.

c. �� . ��

� �� 377 �� 23 � �pdconfig �� .


�� x � � � �� .

�� . �� Tivoli Access Manager ��

� 23 �� .

HP-UX: ��


�� .

HP-UX� Tivoli Access Manager� �� .

1. root� ��.


��.



�� CD� ��. �� , �� .



5. GSKit� ��. �� 286 �� .


��.

7. CD� � �� LDAP �� .

am_update_ldap.sh


��

� 10 � �� 149

swinstall -s /cd-rom/hp PDRTE

�� /cd-rom/hp� �� PDRTE� �� .

9. �(��) ��

� �� . �� 45 ��

�� .


a. �� .

pdconfig



� ��.

�� . �� 377

�� 23 � �pdconfig �� .

�� x � � � �

�� .

11. �� CD� �� .


�� /cd-rom� �� .

Tivoli Access Manager Runtime �� . �� Tivoli Access

Manager �� 23 �� .

Linux: ��


� �� .

Linux� Tivoli Access Manager �� .



1. root� ��.


��.

3. IBM Tivoli Access Manager Base for xSeries, zSeries, or pSeries and iSeries

CD� �� .



��


5. GSKit� ��. �� 286 �� .


��.


rpm -ihv package


v xSeries� Linux: PDRTE-PD-5.1.0-0.i386.rpm

v zSeries� Linux: PDRTE-PD-5.1.0-0.s390.rpm

v pSeries � iSeries� Linux: PDRTE-PD-5.1.0-0.ppc.rpm

8. �(��) ��

�� . �� 45 ��

�� .


a. �� .

pdconfig



� ��.

�� x � � � ��

� �� .


Manager �� 23 �� .

Solaris: ��


�� .


1. root� ��.


��.


4. GSKit� ��. �� 287 �� .


��.

��

� 10 � �� 151


pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault PDRTE



� �� .

�� .

7. �(��) ��

�� . �� 45 ��

�� .


a. �� .

pdconfig



� ��.

c. �� . �� 377

�� 23 � �pdconfig �� .


�� x � � � �� .


Manager �� 23 �� .

Windows: ��


�� .

Tivoli Access Manager Runtime �� .

1. �� .


��.



4. GSKit� ��. �� 288 �� .


��.

��


6. Access Manager Runtime �� . ��

�� setup.exe �� .


�� .

7. �(��) ��

�� . �� 45 ��

�� .


a. �� .

pdconfig



�� . �� 377 ��

� 23 � �pdconfig �� .


Manager �� 23 �� .

��

� 10 � �� 153

� 11 � Web Portal Manager ��

� �� Tivoli Access Manager Web Portal Manager ��

�� .

�� .

v ��

v 158 ��

��

install_amwpm ��

�� Tivoli Access Manager Web Portal Manager �� .

v IBM HTTP Server, �� 1.3.26� � IBM WebSphere Application Server,

�� 5.0.2

v Access Manager Java Runtime Environment, �� 5.1

v Access Manager Web Portal Manager, �� 5.1

�: � ��

� ��.

install_amwpm �� Web Portal Manager ��

�� .

�: HP-UX�� Web Portal Manager �� . HP-UX�

IBM Tivoli Directory Server� �� , 161 �� HP-UX: Web Portal

Manager �� .

1. �� . �� 33 �

�� (�� )�� .


��.

3. �� IBM JRE 1.3.1(AIX�� 1.3.1.5)� ��

�� . �� 294 �� .

�: �� IBM JRE �� JRE� � Web Portal Manager� ��

��, �� .


4. �(��) ��

�� . �� 45 ��

� �� .

5. �� . Web

Portal Manager� �� .



6. Windows �� , �� .

7. AIX, Linux, Solaris, Windows 2000 � Windows 2003� Tivoli Access Manager

Web Administration Interfaces CD� � �� install_amwpm �

�� .

373 �� install_amwpm��

�� . � �� (�� ),

�� .

8. AIX, xSeries� Linux, Solaris �� Windows 2000� �� , ��

� �� 2� ��.

�: �� WebSphere Application Server 5.0.2 ��

�� .

a. WebSphere Application Server � IBM HTTP Server� ��. LDAP

�� , LDAP ��

��.

b. JAVA_HOME �� .

c. � �� IBM Tivoli Access Manager WebSphere Fix Pack CD� �

��.

d. � CD� �� .

e. platform/websphere_fixpack ��(CD �� )�

�� updateWizard ��(UNIX) �� (Windows)� ��

��.

�� .

f. �� 2� ��. ��

�� . �� , CD� websphere_fixpack �

�� C:\temp �� , ��

�� .

C:\temp\websphere_fixpack\fixpacks

�� .

Web Portal Manager ��


�: Tivoli Access Manager�� Embedded Messaging� �� .

� �� . WebSphere Application

Server 5.0� � � Embedded Messaging� �� , � ��

�� .

g. WebSphere� � �� JRE �� Access Manager Java

Runtime Environment �� . ��

��.

1) /opt/PolicyDirector/sbin ��

��.


2) �� .

3) IBM WebSphere Application Server� � �� JRE� ��.

�� , �� .

/usr/WebSphere/AppServer/java/jre

4) Policy Server �� , � � �� .

�: � �� 488 �� pdjrtecfg��

��.

h. �� WebSphere Application Server � IBM HTTP Server� ��

��.

1) WebSphere Application Server� ��

��.

v UNIX �� /usr/WebSphere/AppServer/bin� ��

startServer.sh �� .

./stopServer.sh server1

./startServer.sh server1

v Windows 2000 �� → �� → �� → ��

�� .

2) IBM HTTP Server� �� .

v AIX �� .

/usr/HTTPServer/apachectl restart

v HP-UX, xSeries� Linux � Solaris �� .

/opt/IBMHTTPServer/apachectl restart

v Windows 2000 �� → �� → �� → ��

�� .

9. Web Portal Manager ��

��.



http://hostname/pdadmin

�� hostname� IBM WebSphere Application Server� IBM HTTP Server�

�� .

Web Portal Manager �� . �� Tivoli Access Manager �

�� 23 �� . Web Portal

Manager �� IBM Tivoli Access Manager Base Administration

Guide� ��.

WebSphere Application Server� �� HTTP Server� �� Web

Portal Manager� �� Tivoli Access Manager��

�� . CA �� Web Portal Manager ��

�� .

��


� �� . � �� , � ��

� �� . ��

�� pdjrtecfg � amwpmcfg ��

�� .

� � �� .

v 158 �� AIX

v 161 �� HP-UX

v 163 �� Linux



AIX: Web Portal Manager ��

�� installp� �� pdjrtecfg � amwpmcfg

�� .

AIX� Tivoli Access Manager Web Portal Manager ��

�� .

1. root� ��.


��.

3. �� .

Web Portal Manager� �� .





4. IBM JRE 1.3.1.5� �� . �� 295 ��

��.


� ��, �� .

5. IBM WebSphere Application Server� ��. �� 299 ��

��.

6. IBM Tivoli Access Manager Web Administration Interfaces for AIX CD� �

�� .

7. �� .




PDJ.rte Access Manager Java Runtime Environment ��

��.

PD.WPM Access Manager Web Portal Manager �� .

�: � �� IBM WebSphere Application Server� � � ��

� ��.

8. �(��) ��

� �� . �� 45 ��

�� .

9. WebSphere� � �� JRE �� Access Manager Java


��.

a. /opt/PolicyDirector/sbin ��

�.


b. �� .

c. IBM WebSphere Application Server� � �� JRE� ��. �

� �, �� .


d. Policy Server �� , � � �� .



�: � �� 488 �� pdjrtecfg��

��.

10. �� Access Manager Web Portal Manager �� .

./amwpmcfg -action config -interactive

�: � �� 463 �� amwpmcfg��

�.

11. Web Portal Manager �� WebSphere Application Server

� IBM HTTP Server� �� .

WebSphere Application Server� �� /usr/WebSphere/

AppServer/bin �� startServer.sh ��

��.



IBM HTTP Server� �� .

/usr/HTTPServer/apachectl restart

�: IBM HTTP Server� �� Web

Portal Manager� � � �� , Web Server ��

�� . IBM HTTP Server ��

/usr/HTTPServer/conf/httpd.conf � ��

� 80� 8080�� IBM HTTP Server� �� .

# Port: The port the standalone listens to.Port 8080


��.



�� .




Guide� ��.

Tivoli Access Manager� �� WebSphere Application

Server� �� HTTP Server� �� Web Portal Manager� ��


�� .



HP-UX: Web Portal Manager ��

�� swinstall� �� pdjrtecfg � amwpmcfg

�� .

HP-UX� Tivoli Access Manager Web Portal Manager ��

�� .

1. root� ��.


��.

3. �� .




4. IBM JRE 1.3.1� �� . �� 295 ��

��.


� ��, �� .


��.

6. IBM Tivoli Access Manager Web Administration Interfaces for HP-UX CD

� ��.


�� CD� ��. �� , �� .



8. �� .



PDJrte Access Manager Java Runtime Environment ��

��.

PDWPM Access Manager Web Portal Manager �� .


� ��.



9. �(��) ��

� �� . �� 45 ��

�� .



��.


�.


b. �� .


� �, �� .



�: � �� 488 �� pdjrtecfg��

��.



�: � �� 463 �� amwpmcfg��

�.

12. �� CD� �� .


�� /cd-rom� �� .



WebSphere Application Server� �� /usr/WebSphere/


��.







�� . IBM HTTP Server �� ,



/opt/IBMHTTPServer/conf/httpd.conf � ��

� 80� 8080�� IBM HTTP Server� �� .



��.



�� .




Guide� ��.




�� .

Linux: Web Portal Manager ��

�� rpm� �� pdjrtecfg � amwpmcfg �

�� .

Linux� Tivoli Access Manager Web Portal Manager ��

�� .

1. root� ��.


��.

3. �� .




4. IBM JRE 1.3.1� �� . �� 296 ��

��.


� ��, �� .




��.

6. IBM Tivoli Access Manager Web Administration Interfaces for xSeries, zSeries,

or pSeries and iSeries CD� �� .

7. /mnt/cdrom/series �� . �� /mnt/cdrom� CD� �

�� series� xSeries, zSeries �� pSeries� ��.

8. �� .

rpm -ihv packages


Access Manager Java Runtime

Environment

Access Manager Web Portal

Manager

xSeries� Linux PDJrte-PD-5.1.0-0.i386.rpm PDWPM-PD-5.1.0-0.i386.rpm

zSeries� Linux PDJrte-PD-5.1.0-0.s390.rpm PDWPM-PD-5.1.0-0.s390.rpm

pSeries � iSeries�

Linux

PDJrte-PD-5.1.0-0.ppc.rpm PDWPM-PD-5.1.0-0.ppc.rpm


� ��.

9. �(��) ��

� �� . �� 45 ��

�� .



��.


�.


b. �� .


� �, �� .

/opt/WebSphere/AppServer/java/jre


�: � �� 488 �� pdjrtecfg��

��.





�: � �� 463 �� amwpmcfg��

�.



WebSphere Application Server� �� /opt/WebSphere/


��.









� 80� 8080�� IBM HTTP Server� �� .



��.



�� .




Guide� ��.




�� .

Solaris: Web Portal Manager ��

�� pkgadd� �� pdjrtecfg � amwpmcfg

�� .



Solaris� Web Portal Manager ��

�.

1. root� ��.


��.

3. �� .




4. IBM JRE 1.3.1� �� . �� 297 ��

��.


� ��, �� .


��.

6. IBM Tivoli Access Manager Web Administration Interfaces for Solaris CD

� ��.

7. �� (� �� )


��,


�� .


�� .



��.

PDWPM Access Manager Web Portal Manager �� .


� ��.

8. �(��) ��

� �� . �� 45 ��

�� .





��.


�.


b. �� .


� �, �� .

/opt/WebSphere/AppServer/java/jre


�: � �� 488 �� pdjrtecfg��

��.

e. �� Access Manager Web Portal Manager �� .


�: � �� 463 �� amwpmcfg��

��.



WebSphere Application Server� �� /opt/WebSphere/


��.




/opt/IBMHTTPServer/bin/apachectl restart





� 80� 8080�� IBM HTTP Server� �� .



��.





�� .




Guide� ��.




�� .

Windows: Web Portal Manager ��

�� setup.exe� �� pdjrtecfg � amwpmcfg

�� .

Windows� Web Portal Manager ��

��.

1. �� .


��.

3. �� .




4. IBM JRE 1.3.1� �� . �� 297 ��

��.


� ��, �� .


�� Windows: WebSphere Application Server �� .

6. IBM Tivoli Access Manager Web Administration Interfaces CD for Windows

2000 or Windows 2003� ��.

7. Access Manager Java Runtime Environment � Access Manager Web Portal

Manager �� . ��

setup.exe � ��.




�� .


� ��.

8. �(��) ��

� �� . �� 45 ��

�� .



��.

a. install_dir\sbin ��(�: C:\Program Files\Tivoli\

Policy Director\sbin)� �� .


b. �� . ��

� � ��.


� �, �� .

C:\Program Files\WebSphere\AppServer\java\jre

�� .

d. Policy Server �� , � � �� . ��

�� .

e. �� .

�: � �� 488 �� pdjrtecfg��

��.

10. Access Manager Web Portal Manager �� . ��

�� .

a. install_dir\sbin ��(�: C:\Program Files\Tivoli\


amwpmcfg -action config -interactive

�: � �� 463 �� amwpmcfg��

��.

b. IBM WebSphere Application Server� ��

�. �� .

C:\Program Files\WebSphere\AppServer

�� .



c. Policy Server �� . ��

��.

d. Tivoli Access Manager �� (sec_master), ��

��. �� .

e. �� .

11. ��: IBM WebSphere Application Server � IBM HTTP Server� ��

��. �� , �� → �� → �� → �� , ��

� �� .



�� . IBM HTTP Server �� C:\Program

Files\IBMHTTPServer\conf\httpd.conf � ��

� � 80� 8080�� IBM HTTP Server� �� .


12. Web Portal Manager� �� .



�� .




Guide� ��.




�� .



� 3 � Web Security ��

� 12 � Attribute Retrieval Service �� . . 173

�� . . . . . . . . 173

�� . . . . . . . 175

AIX: Attribute Retrieval Service �� . . . 175

HP-UX: Attribute Retrieval Service �� . . 176

Linux: Attribute Retrieval Service �� . . . 177

Solaris: Attribute Retrieval Service �� . . 178

Windows: Attribute Retrieval Service �� 179

� 13 � Plug-in for Edge Server �� . . . 181

�� . . . . . . . . . . . 181

AIX: Tivoli Access Manager Plug-in for Edge

Server �� . . . . . . . . . . . . . . 182

Red Hat Enterprise Linux 2.1: Tivoli Access

Manager Plug-in for Edge Server �� . . . . 183

Solaris: Tivoli Access Manager Plug-in for

Edge Server ��. . . . . . . . . . . . 185

Windows: Tivoli Access Manager Plug-in for

Edge Server ��. . . . . . . . . . . . 186

Plug-in for Edge Server �� . . . 188

�� . . . . . . . . . . . . 188

�� . . . . . . . . 190

�� . . . . . . . . 193

�� . . . . . . . . . 194

�� . . . . . . . . . . . . 195

� 14 � Plug-in for Web Servers �� . . . 197

�� . . . . . . . . . . . 197

�� . . . . . . . . 198

�� . . . . . . . 199

Plug-in for Apache Web Server �� . . . 200

zSeries� Linux: Plug-in for Apache Web

Server �� . . . . . . . . . . . . 200

Solaris: Plug-in for Apache Web Server

�� . . . . . . . . . . . . . . 201

Plug-in for IBM HTTP Server �� . . . . 203

AIX: Plug-in for IBM HTTP Server �� 203

Linux: Plug-in for IBM HTTP Server �

� . . . . . . . . . . . . . . . 205

Solaris: Plug-in for IBM HTTP Server �

� . . . . . . . . . . . . . . . 206

Plug-in for Internet Information Services �� 208

Plug-in for Sun ONE Web Server �� . . . 209

AIX: Plug-in for Sun ONE Web Server

�� . . . . . . . . . . . . . . 210

Solaris: Plug-in for Sun ONE Web Server

�� . . . . . . . . . . . . . . 211

� 15 � Tivoli Access Manager for

WebLogic �� . . . . . . . . . . . . 213

�� . . . . . . . . . . . 215

�� . . . . . . . . 215

�� . . . . . . . 218

AIX: Tivoli Access Manager for WebLogic

�� . . . . . . . . . . . . . . . 218

HP-UX: Tivoli Access Manager for

WebLogic �� . . . . . . . . . . . 220

Solaris: Tivoli Access Manager for

WebLogic �� . . . . . . . . . . . 223

Windows: Tivoli Access Manager for

WebLogic �� . . . . . . . . . . . 225

startWebLogic �� CLASSPATH �� 228

Tivoli Access Manager for WebLogic �� . . 229

� �� . . . . . . 229

�� . . . . . . . . . . . . . 230

Tivoli Access Manager � �� . . . . . . 231

� �� . . . . . . 232

�� . . . . . . . . . . . . . 233

BEA WebLogic Server �� . . . 234

�� . . . . . . . . . . . . . . 237

� 16 � Tivoli Access Manager for

WebSphere �� . . . . . . . . . . . . 239

�� . . . . . . . . . . . 239

�� . . . . . . . . 240

�� . . . . . . . 242

AIX: Tivoli Access Manager for WebSphere

�� . . . . . . . . . . . . . . . 242

HP-UX: Tivoli Access Manager for

WebSphere �� . . . . . . . . . . . 244

Linux: Tivoli Access Manager for

WebSphere �� . . . . . . . . . . . 245

Solaris: Tivoli Access Manager for

WebSphere �� . . . . . . . . . . . 247

Windows: Tivoli Access Manager for

WebSphere �� . . . . . . . . . . . 248


� �� . . . . . . . . . 250

WebSphere� �� Tivoli Access Manager ��

�� . . . . . . . . . . . . . . . 250

WebSphere �� . . . . . . . . . . 251

WebSphere, �� 4.0.6, �� . . . . . 251

WebSphere, �� 5.0.2 �� 5.1, �� 252

Tivoli Access Manager for WebSphere �� 254

WebSphere �� . . . . . 255

WebSphere, �� 4.0.6 ��

. . . . . . . . . . . . . . . . 256

WebSphere, �� 5.0.2 �� 5.1, ��

�� . . . . . . . . . . . . 257

� 17 � WebSEAL Development(ADK) ��

� �� . . . . . . . . . . . . . . . 261

�� . . . . . . . . 261

�� . . . . . . . 262

AIX: WebSEAL Development(ADK) ��

�� . . . . . . . . . . . . . . . 262

HP-UX: WebSEAL Development(ADK) ��

� �� . . . . . . . . . . . . . . 264

Linux: WebSEAL Development(ADK) ��

�� . . . . . . . . . . . . . . . 265

Solaris: WebSEAL Development(ADK) ��

� �� . . . . . . . . . . . . . . 266

Windows: WebSEAL Development(ADK) �

�� . . . . . . . . . . . . . 268

� 18 � WebSEAL Server �� . . . . . . 271

�� . . . . . . . . 271

�� . . . . . . . 272

AIX: WebSEAL Server �� . . . . . . 273

HP-UX: WebSEAL Server �� . . . . . 274

Linux: WebSEAL Server �� . . . . . . 275

Solaris: WebSEAL Server �� . . . . . . 277

Windows: WebSEAL Server �� . . . . . 278


� 12 � Attribute Retrieval Service ��

� �� Attribute Retrieval Service� �� .

�� .

v 155 ��

v 158 ��

��

install_amwebars �� Attribute

Retrieval Service� �� .

v IBM HTTP Server, �� 1.3.26� � IBM WebSphere Application Server,

�� 5.0.2

v Access Manager Attribute Retrieval Service, �� 5.1

�: � ��

� ��.

install_amwebars �� Attribute Retrieval Service� ��

�� .

�: HP-UX�� Attribute Retrieval Service �� .

HP-UX� �� 175 ��

�� .

1. �� . �� 33 �

�� (�� )�� .


��.

3. �� IBM JRE 1.3.1(AIX�� 1.3.1.5)� ��

�� . �� 294 �� .

�: �� IBM JRE �� JRE� � Attribute Retrieval Service�

�� , �� .

4. �(��) ��

�� . �� 45 ��

� �� .

5. Windows �� , �� .


6. IBM Tivoli Access Manager Attribute Retrieval Service CD for AIX, Linux,

Solaris, Windows 2000 and Windows 2003� � ��

install_amwebars �� .

366 �� install_amwebars��

�� . � �� (��

�), �� .

7. AIX, xSeries� Linux �� Windows 2000� �� , ��

� 2� ��.

�: �� WebSphere Application Server 5.0.2 ��

�� .

a. WebSphere Application Server � IBM HTTP Server� ��. LDAP

�� , LDAP ��

��.

b. JAVA_HOME �� .

c. � �� IBM Tivoli Access Manager WebSphere Fix Pack CD� �

��.

d. � CD� �� .

e. platform/websphere_fixpack ��(CD �� )�

�� updateWizard ��(UNIX) �� (Windows)� ��

��.

�� .

f. �� 2� ��. ��

�� . �� , CD� websphere_fixpack �

�� C:\temp �� , ��

�� .


�� .


WebSphere Application Server 5.0� � � Embedded Messaging

� �� , � �� .

g. Attribute Retrieval Service� WebSphere Application Server ��

� Attribute Retrieval Service� �� WebSEAL� �� IBM

Tivoli Access Manager for e-business WebSEAL Administration Guide� �

��.

Attribute Retrieval Service ��


Attribute Retrieval Service� �� . �� Tivoli Access Manager

�� 23 �� .

Attribute Retrieval Service� �� IBM Tivoli Access Manager for e-business

WebSEAL Administration Guide� ��.

��


� �� . � �� , � ��

� �� .

� � �� .

v 175 �� AIX

v 176 �� HP-UX

v 177 �� Linux



AIX: Attribute Retrieval Service ��

�� installp� �� .

AIX� Attribute Retrieval Service� �� .

1. root� ��.


��.

3. IBM JRE 1.3.1.5� �� . �� 295 ��

��.


��.

5. IBM Tivoli Access Manager Attribute Retrieval Service for AIX CD� ��

�� .

6. �� .

installp -acgXd cd_mount_point/usr/sys/inst.images PDWeb.ARS


PDWeb.ARS� Access Manager Attribute Retrieval Service ��.


��.


� 12 � Attribute Retrieval Service �� 175

7. �(��) ��

��. �� 45 �� .

8. Attribute Retrieval Service� WebSphere Application Server ��

Deploy.sh � �� /opt/pdwebars/ �� Readme.deploy

� �� .

9. Attribute Retrieval Service� �� WebSEAL� �� IBM Tivoli

Access Manager for e-business WebSEAL Administration Guide� ��

�.

Attribute Retrieval Service� �� . �� Tivoli Access Manager ��

�� 23 �� .



HP-UX: Attribute Retrieval Service ��

�� swinstall� �� .

HP-UX� Attribute Retrieval Service� �� .

1. root� ��.


��.

3. IBM JRE 1.3.1� �� . �� 295 ��

��.


��.

5. IBM Tivoli Access Manager Attribute Retrieval Service for HP-UX CD� �

��.


�� CD� ��. �� , �� .



7. �� .

swinstall -s /cd-rom/hp PDWebARS

�� /cd-rom/hp� �� PDWebARS� Access Manager Attribute

Retrieval Service� ��.




��.

8. �(��) ��

��. �� 45 �� .


� Deploy.sh � �� /opt/pdwebars/ ��

Readme.deploy � �� .



�.

11. �� CD� �� .


�� /cd-rom� �� .


�� 23 �� .



Linux: Attribute Retrieval Service ��

�� rpm� �� .

Linux� Attribute Retrieval Service� �� .

1. root� ��.


��.

3. IBM JRE 1.3.1� �� . �� 296 ��

��.


��.

5. IBM Tivoli Access Manager Attribute Retrieval Service CD for xSeries or

zSeries� �� .


�� series� xSeries �� zSeries� ��.

7. �� .

rpm -ihv package




Access Manager Attribute Retrieval Service

xSeries� Linux PDWebARS-PD-5.1.0-0.i386.rpm

zSeries� Linux PDWebARS-PD-5.1.0-0.s390.rpm


��.

8. �(��) ��

��. �� 45 �� .


� Deploy.sh � �� /opt/pdwebars/ ��

Readme.deploy � �� .



�.


�� 23 �� .



Solaris: Attribute Retrieval Service ��

�� pkgadd� �� .

Solaris� Attribute Retrieval Service� �� .

1. root� ��.


��.

3. IBM JRE 1.3.1� �� . �� 297 ��

��.

�: �� IBM JRE �� JRE� � Attribute Retrieval Service�

�� , �� .


��.

5. IBM Tivoli Access Manager Attribute Retrieval Service for Solaris CD� �

��.

6. �� (� �� )



pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault PDWebARS

��,


�� .


�� .

�� PDWebARS� Access Manager Attribute Retrieval Service ��

��.


��.

7. �(��) ��

��. �� 45 �� .


Deploy.sh � �� /opt/pdwebars/ �� Readme.deploy

� �� .



�.


�� 23 �� .



Windows: Attribute Retrieval Service ��

�� setup.exe� �� .

Windows� Attribute Retrieval Service� �� .

1. �� .


��.

3. IBM JRE 1.3.1� �� . �� 297 ��

��.


� �Windows: WebSphere Application Server �� .



5. IBM Tivoli Access Manager Attribute Retrieval Service CD for Windows 2000

or Windows 2003� ��.

6. Access Manager Attribute Retrieval Service �� . ��



�� .


��.

7. �(��) ��

��. �� 45 �� .


Deploy.bat � �� C:\Program Files\Tivoi\AMWebARS\ ��

�� Readme.deploy � �� .



�.


�� 23 �� .





� 13 � Plug-in for Edge Server ��

� �� Tivoli Access Manager Plug-in for Edge Server ��

�� .

�� IBM Tivoli Access Manager for e-business

IBM WebSphere Edge Server �� .

Access Manager Plug-in for Edge Server� IBM WebSphere Edge Server, ��

5.1� ��, �� .

v IBM WebSphere Edge Server, �� 5.1

v Global Security Kit, �� 7



v Access Manager Web Security Runtime, �� 5.1(Linux�� )

v Access Manager Plug-in for Edge Server, �� 5.1

� �� . ��

��. �� pdconfig �� .

� � �� .

v 182 �� AIX

v 183 �� Red Hat Enterprise Linux 2.1



�� IBM Tivoli Access Manager for e-business Plug-in for Web Servers

Integration Guide� ��.

� ��

Tivoli Access Manager Plug-in for Web Servers ��

�� . ��

��.

v Tivoli Access Manager �� Policy Server� ��

�� . � �� 55 �� 2

� �Base �� .


v IBM WebSphere Edge Server, �� 5.1� ��

��.

v Tivoli Access Manager� IBM WebSphere Edge Server� ��

�� . ��

��. �� 33 �� (�� )��

��.

AIX: Tivoli Access Manager Plug-in for Edge Server ��

�� installp� �� . AIX� Tivoli

Access Manager Plug-in for Edge Server� �� .

1. root� �� .

2. 181 �� .

3. IBM Tivoli Access Manager Web Security for AIX CD� ��

��.

4. GSKit� ��. �� 285 �� .


��.

6. �� .





PDWeb.RTE Access Manager Web Security Runtime �� .

PDPlgES Access Manager Plug-in for Edge Server �� .

7. �(��) ��

�� . �� 45 ��

�� .

8. Access Manager Runtime� �� Access Manager Plug-in for Edge Server �

�� .

a. �� .

pdconfig



� ��.

Plug-in for Edge Server ��


c. �� . ��

� �� 377 �� 23 � �pdconfig �� .

�� x � � � ��

�� .

�� .

v �� .

v �� ivacld-servers � SecurityGroup� �� .

v SSL �� .

v Tivoli Access Manager Policy Server�� SSL �� .

v Edge Server � �� ibmproxy.conf� �� Edge

Server � �� Plug-in for Edge Server� �� .

v Edge Server � �� ibmproxy� �� .

v wesosm �� Plug-in for Edge Server ��

�� . � �� Tivoli Access Manager ��

�� Plug-in for Edge Server� �� . �

�� 511 �� wesosm�� .

Tivoli Access Manager Plug-in for Edge Server �� . Edge

Server � �� Plug-in for Edge Server� � ��. ��

sec_master� �� .

Red Hat Enterprise Linux 2.1: Tivoli Access Manager Plug-in forEdge Server ��

�� rpm� �� . Red Hat Enterprise

Linux 2.1� Access Manager� �� .

�: Red Hat Enterprise Linux 2.1�� Access Manager Web Security Runtime�

�� .

1. root� �� .

2. 181 �� .

3. IBM Tivoli Access Manager Web Security for xSeries CD� ��

��.

4. /mnt/cdrom/xseries �� . �� /mnt/cdrom� CD� �

�� .

5. GSKit� ��. �� 286 �� .


��.


� 13 � Plug-in for Edge Server �� 183

7. �� .

rpm -ihv packages


PDRTE-PD-GCC295-5.1.0-0.i386.rpm

Access Manager Runtime �� .

PDPlgES-PD-5.1.0-0.i386.rpm

Plug-in for Edge Server �� .

8. �(��) ��

�� . �� 45 ��

�� .


�� .

a. �� .

pdconfig



� ��.

c. �� . ��

� �� 377 �� 23 � �pdconfig �� .

�� x � � � ��

�� .

�� .

v �� .


v SSL �� .








�� 511 �� wesosm�� .



Tivoli Access Manager Plug-in for Edge Server �� . ��

Tivoli Access Manager �� 23 ��

��.

Edge Server � �� Plug-in for Edge Server� � ��

�. �� sec_master� �� .

Solaris: Tivoli Access Manager Plug-in for Edge Server ��

�� pkgadd� �� . Solaris� Tivoli

Access Manager Plug-in for Edge Server� �� .

1. root� ��.

2. 181 �� .

3. IBM Tivoli Access Manager Web Security for Solaris CD� ��.

4. GSKit� ��. �� 287 �� .


��.

6. �� (� �� )


��,


�� .


�� .



PDWebRTE Access Manager Web Security Runtime �� .

PDPlgES Plug-in for Edge Server �� .

7. �(��) ��

�� . �� 45 ��

�� .


�� .

a. �� .

pdconfig





� ��.

c. �� . ��

� �� 377 �� 23 � �pdconfig �� .

�� x � � � ��

�� .

�� .

v �� .


v SSL �� .








�� 511 �� wesosm�� .



��.



Windows: Tivoli Access Manager Plug-in for Edge Server ��

�� setup.exe �� .

Windows� Tivoli Access Manager Plug-in for Edge Server� ��

�� .

1. �� .

2. 181 �� .

3. GSKit� ��. �� 288 �� .


��.



5. IBM Tivoli Access Manager Web Security for Windows 2000 and Windows

2003 CD� ��.

6. �� setup.exe � ��.

\windows\PolicyDirector\Disk Images\Disk1\setup.exe

�� .

7. �� .

8. �� . �� .

9. �� .

10. �� .

v Access Manager Runtime

v Access Manager Web Security Runtime

v Access Manager Plug-in for Edge Server

11. ��

�� . � �� , ��

�� .

12. �� .

13. �� .

14. �(��) ��

� �� . �� 45 ��

�� .

15. Access Manager Runtime� �� Access Manager Plug-in for Edge Server

�� .

a. �� .

pdconfig



c. Access Manager Plug-in for Edge Server ��

��.

�� 377 �� 23 � �pdconfig ��

�.

�� .

v �� .


v SSL �� .










�� 511 �� wesosm�� .



��.




� �� Plug-in for Edge Server �� , � � ��

� ��. � �� .

v ��

v 190 ��

v 193 ��

v 194 ��

v 195 ��

��

Plug-in for Edge Server� �� Edge Server ��

�� . ��

��

�� . Edge Server ��

�� , � ��

�� .

�� .

� �� , ��

� �� . �� , � ��

�� , �� . ��

� � �� . � ��

�� , �



� �� . ��

��

� ��.

�� ‘�� ’ �� osdef.conf� ��

� ��. � ��

�� . ��

�� .

��

[Global] � �� . � �

�� .

[Local] [Local] �� Edge Server � ��

�� . � �� .

[Remote: Tivoli Access Manager

Object Space Name]

[Remote: ...] ��

�� . � ��

�� .

osdef.conf � ��

� �� . �� , form_session_timeout ��

�� [Global] �� [Remote] �� .

[Global]login_method = formsform_login_file = /opt/pdweb-lite/samples/forms/welcome.htmlform_session_timeout = 10

[Remote: /ESproxy/reverse/anyother.com]domains = anyother.com

[Remote: /ESproxy/reverse/verysecure.com]domains = verysecure.comform_session_timeout = 1

�� , verysecure.com� �� 1 ��

�� . �� 1 � � �� . ��,

anyother.com � �� , ��

� [Global] �� 10 � ��. �� ([SSO] ��

�)� �� 190 �� 1� ��

� �� .



� �� , � ��

�� [Global] �� . ��

�, �� , � �� [Global] ��

� �� .

��

�� , ��

� �� . �� , ��

�� .

1. �� , �� , ��

�� 4 �� .

2. �� ID� ��.

v �� , �� ID� �� .

v �� , �� .

3. Tivoli Access Manager �� .


5. �� .

6. � �� .

��

�� . � �� osdef.conf ��

�� . �� , 2 �� login_method ��

��.

��

� �� . ��

�� 1. �� Plug-in for Edge Server



��. ��

�� , ��

��.

�� ID��. ��

��, �� 2� ��

� �� .

� ��, www.newbooks.com, newbooks.com, newnovels.com � newpoems.com

� �� Edge Server �� . �

�� ID� �� , ��

�� .

�� osdef.conf �� .

[Global]login_method = basic

# Definition 1[Remote: /ESproxy/reverse/newbooks.com]domains = newbooks.com *.newbooks.comlogin_method = formsroute = http://backend1.com

# Definition 2[Remote: /ESproxy/reverse/label2]domains = newnovels.comlogin_method = certificateroute = http://backend2.com

# Definition 3[Remote: /ESproxy/check_here/this_is_just_a_label]domains = newpoems.comroute = http://backend3.com

�� 2. ��



�� , ��

� �� , �� .

v �� URL� ��, �� *.newbooks.com�

� �� 1� ��.

http://www.newbooks.com/private.html

�� . ��

�� , �� URL �� . � �

��, ��(r) �� /ESproxy/reverse/newbooks.com/

private.html�� . �� backend1.com��

��.

v �� URL� ��, �� IP �� DNS ��

�� newnovels.com� � �� 2� �

��.

http://IP_address_of_newnovels.com/gifs/private.html

�� . ��(r)

�� /ESproxy/reverse/label2/gifs/private.html��

��. �� backend2.com�� .

v �� URL� ��, �� newpoems.com�

� �� 3� ��.

http://newpoems.com/logo.gif

�� ,

[Global] �� . ��(r) ��

/ESproxy/check_here/this_is_just_a_label /logo.gif�� . �

� �� backend3.com�� .

v �� Edge Server� �� URL� �

�� , �� [Global] ��

��.

http://internet.com/mail/logo.gif

�� . ��

� /ESproxy/forward/domain/path� ��. � ��, ��(r) ��

� �� /ESproxy/forward/internet.com/mail/logo.gif��

�. � �� /ESproxy/forward

� �� ACL�� . ��

� �� internet.com�� . ��, ��

�� internet.com ��

� �� . ��

�� . � �� .



��


� �� , �� URL� �� . �

� �, �� 1�� .

URL ��: http://www.newbooks.com/private.htmlTivoli Access Manager ��: /ESproxy/reverse/newbooks.com/private.html

Tivoli Access Manager ACL� ��

��, �� URL��

��

�. �� URL� ��

�� .

Tivoli Access Manager ��: /ESproxy/reverse/newbooks.com/server files/ESproxy/reverse/newbooks.com/private.html/ESproxy/reverse/newbooks.com/public.html/ESproxy/reverse/newbooks.com/gifs/ESproxy/reverse/newbooks.com/gifs/logo.gif

URL ��: http://www.newbooks.com/server fileshttp://www.newbooks.com/private.htmlhttp://www.newbooks.com/public.htmlhttp://www.newbooks.com/gifshttp://www.newbooks.com/gifs/logo.gif

� query_contents �� wesosm ��

�� . ��

�� URL �� .

� �� URL �� query_contents ��

�� . �� URL ��

�� . �� , ��

�� query_contents ��

�� .

Tivoli Access Manager ��: /ESproxy/reverse/newbooks.com/virtual objects/ESproxy/reverse/newbooks.com/object1/ESproxy/reverse/newbooks.com/object2/ESproxy/reverse/newbooks.com/object3/ESproxy/reverse/newbooks.com/object3/object3.1

URL ��: http://www.newbooks.com/virtual objectshttp://www.newbooks.com/object1http://www.newbooks.com/object2http://www.newbooks.com/object3http://www.newbooks.com/object3/object3.1

� ��, ��

�� . ��, ��



� �� . query_contents �� wesosm ��

� �� , ��

�� .


� �� . URL� ��

�� . �� ACL� ��

�� URL �

� �� .

��

�� [SSO] � ��

�� .

��

[SSO] � ��

�� . � ��

�� .

� �� [Global], [Local] � [Remote] ��

�� . �� , trust_list ��

� �� . , �� , ��

� �� accept_sso � submit_sso� ��

�. �� iv-user �� .

[Remote: /ESproxy/reverse/newbooks.com]domains = newbooks.comaccept_sso = myssosubmit_sso = myssoroute = http://backend1.com

[Remote: /ESproxy/reverse/newnovels.com]domains = newnovels.comsubmit_sso = myssoroute = http://backend2.com

[SSO: mysso]name = iv-userformat = <userid>trust_basis = IP_Addresstrust_list = 0.0.0.0/0.0.0.0

� �� newbooks.com� �� IP ��

iv-user �� . iv-user ��

� ID� �� . �� newbooks.com

� newnovels.com� �� iv-user �� .



��

Plug-in for Edge Server� ��

� �� . �� , ��

�� . � ��

�� , � ��

�.

�� .

1. �� , ��

�� .

2. � �� [Remote] �� , ��

�� .

3. � �� , �� [Global] �

�� . ��

�� .

4. wesosm ��

�� ACL� Tivoli Access Manager ��

�.

�� . ��

� �� , ��

�� . �� UNIX tail -f ��

�� . ��

�� .



� 14 � Plug-in for Web Servers ��


� �� Tivoli Access Manager Plug-in for Web Servers� �

� �� .

Tivoli Access Manager Plug-in for Web Server� �� .

v AIX, xSeries � zSeries� Linux, Solaris� IBM HTTP Server(IHS), �� 1.3.26

v SSL �� Apache Web Server(zSeries� Linux� �� 1.3.26-36,

Solaris� �� 1.3.27)

v AIX � Solaris� Sun ONE Web Server, �� 6.0

v Windoes� Internet Information Services(IIS) Web Server, �� 5.0 � 6.0

� Web Security �� IBM Tivoli Access Manager for

e-business Plug-in for Web Servers Integration Guide� ��.

�� Web Server Plug-in� ��

��.

v 198 ��

v 199 ��

� ��

Tivoli Access Manager Web Server ��

�� . �� .

v Tivoli Access Manager �� Policy Server� ��

�� . � �� 55 �� 2

� �Base �� .

v �� /�� .

v �� . ��, SSL ��

� �� SSL �/�� .

v Tivoli Access Manager� �� .

�� . ��

33 �� (�� )�� .


��

�� Tivoli Access

Manager Web Server Plug-in� �� .




v Access Manager Web Security Runtime, �� 5.1

v Access Manager Authorization Server, �� 5.1

v Access Manager Plug-in for Web Servers, �� 5.1

v �� Access Manager ��, �� 5.1

�: � ��

� ��.

�� Tivoli Access Manager Web Server Plug-in� ��

�� .

1. 197 �� .

2. JRE 1.3.1� �� . �� 294 �� .

3. �(��) ��

�� . �� 45 ��

� �� .

4. Windows� Web Server Plug-in �� :

v �� .





�� .

5. �� IBM Tivoli Access Manager Web Security CD� �

�� install_amwpi_webserver ��

��.

Tivoli Access Manager Plug-in for Web Server� ��

��.

v Apache Web Server� �� install_amwpi_apache(zSeries� Linux � Solaris)

v IBM HTTP Server� �� install_amwpi_ihs(AIX, xSeries � zSeries� Linux,

Solaris)

v Internet Information Services� �� install_amwpi_iis(Windows ��)

Plug-in for Web Servers ��


v Sun ONE Web Server� �� install_amwpi_iplanet(AIX � Solaris)

��

��.

v 369 �� install_amwpi_apache�

v 370 �� install_amwpi_ihs�

v 371 �� install_amwpi_iis�

v 372 �� install_amwpi_iplanet�

� �� (�� ), ��

��.

6. �� .

7. �� pdwebpi.conf � �� . �� IBM

Tivoli Access Manager for e-business Plug-in for Web Servers Integration Guide

� ��.

8. �� .

v UNIX �� , /opt/pdwebpi/bin ��

��.

pdwebpi_start start

v Windows �� → �� → �� → �� . �

�� Access Manager Plug-in for Web Servers� ��

�� .

�: � �� 503 �� pdwebpi_start��

��.

Tivoli Access Manager Web Server Plug-in� �� . �� Tivoli Access

Manager �� 23 �� .

��


� �� . � �� , � ��

� �� . ��


�: ��, pdconfig �� pdwpicfg �� Plug in

for Web Servers �� . � ��

�� 506 �� pdwpicfg -action config�� .

� �� .


� 14 � Plug-in for Web Servers �� 199

v �Plug-in for Apache Web Server ��

v 203 �� Plug-in for IBM HTTP Server ��

v 208 �� Plug-in for Internet Information Services ��

v 209 �� Plug-in for Sun ONE Web Server ��

Plug-in for Apache Web Server ��

� � �� .

v 200 �� zSeries� Linux




zSeries� Linux: Plug-in for Apache Web Server ��


� �� .

zSeries� Linux� Web server plug-in for Apache Web Server(31� ��)� �

�� .



1. root� ��.

2. 197 �� .

3. GSKit� ��. �� 286 �� .


��.

5. �� .

rpm -ihv packages


PDRTE-PD-5.1.0-0.s390.rpm

Access Manager Runtime �� .

PDWebRTE-PD-5.1.0-0.s390.rpm

Access Manager Web Security Runtime �� .

PDWPI-PD-5.1.0-0.s390.rpm

Access Manager Plug-in for Web Servers ��

�.



PDWPI-Apache-5.1.0-0.s390.rpm

Access Manager Plug-in for Apache Web Server ��

��.

�: � �� Apache Web Server� � � �� .

6. �(��) ��

� �� . �� 45 ��

�� .

7. Access Manager Runtime� �� Access Manager Plug-in for Web Servers

�� .

a. �� .

pdconfig



� ��.

c. �� . ��

�� 377 �� 23 � �pdconfig �� .

�� x � � � �

�� .

8. �� .

9. �� pdwebpi.conf � �� . ��

IBM Tivoli Access Manager for e-business Plug-in for Web Servers Integration

Guide� ��.

10. �� /opt/pdwebpi/bin ��

� ��.

pdwebpi_start start

� �� 503 �� pdwebpi_start��

�.

zSeries� Linux�� Web server plug-in for Apache Web Server� ��

��. �� Tivoli Access Manager �� 23 ��

�� .

Solaris: Plug-in for Apache Web Server ��


�� .



Solaris� Web Server Plug-in for Apache Web Server� ��

� ��.

1. root� ��.

2. 197 �� .


4. GSKit� ��. �� 287 �� .


��.

6. �� (� �� )


��,


�� .


�� .




PDWPI Access Manager Plug-in for Web Servers ��

�.

PDWPIapa Access Manager Plug-in for Apache Web Server ��

��.

�: � �� Apache Web Server� � � �� .

7. �(��) ��

� �� . �� 45 ��

�� .


�� .

a. �� .

pdconfig



� ��.



c. �� . ��

�� 377 �� 23 � �pdconfig �� .

�� x � � � �

�� .

9. �� .

10. �� pdwebpi.conf � �� . ��

� IBM Tivoli Access Manager for e-business Plug-in for Web Servers



� ��.

pdwebpi_start start


�.

Solaris�� Web Server Plug-in for Apache Web Server� �� . �

� Tivoli Access Manager �� 23 ��

�� .

Plug-in for IBM HTTP Server ��

� � �� .

v 203 �� AIX

v 205 �� xSeries � zSeries� Linux




AIX: Plug-in for IBM HTTP Server ��


�� .

AIX� Web server plug-in for IBM HTTP Server� ��

��.

1. root� ��.

2. 197 �� .


��.

4. GSKit� ��. �� 285 �� .




��.

6. �� .






PD.WPI Access Manager Plug-in for Web Servers ��

�.

PD.WPIIHS Access Manager Plug-in for IBM HTTP Server ��

��.

�: � �� IBM HTTP Server� � � �� .

7. �(��) ��

� �� . �� 45 ��

�� .


�� .

a. �� .

pdconfig



� ��.

c. �� . ��

�� 377 �� 23 � �pdconfig �� .

�� x � � � �

�� .

9. �� .

10. �� pdwebpi.conf � �� . ��




� ��.

pdwebpi_start start




�.

AIX�� Web Server Plug-in for IBM HTTP Server� �� . �� Tivoli


��.

Linux: Plug-in for IBM HTTP Server ��


� �� .

zSeries � xSeries� Linux� Plug-in for IBM HTTP Server� ��

�� .



1. root� ��.

2. 197 �� .

3. IBM Tivoli Access Manager Web Security for xSeries or zSeries CD� ��

� � �� .



5. GSKit� ��. �� 286 �� .


��.

7. �� .

rpm -ihv packages



PDRTE-PD-5.1.0-0.i386.rpm PDRTE-PD-5.1.0-0.s390.rpm

PDWebRTE-PD-5.1.0-0.i386.rpm PDWebRTE-PD-5.1.0-0.s390.rpm

PDWPI-PD-5.1.0-0.i386.rpm PDWPI-PD-5.1.0-0.s390.rpm

PDWPI-IHS-5.1.0-0.i386.rpm PDWPI-IHS-5.1.0-0.s390.rpm

�: � �� IBM HTTP Server� � � �� .

8. �(��) ��

� �� . �� 45 ��

�� .




�� .

a. �� .

pdconfig



� ��.

c. �� . ��

�� 377 �� 23 � �pdconfig �� .

�� x � � � �

�� .

10. �� .

11. �� pdwebpi.conf � �� . ��




� ��.

pdwebpi_start start


�.

Linux�� Web Server Plug-in for IBM HTTP Server� �� . ��


��.

Solaris: Plug-in for IBM HTTP Server ��


�� .

Solaris� Web Server Plug-in for IBM HTTP Server� ��

��.

1. root� ��.

2. 197 �� .


4. GSKit� ��. �� 287 �� .


��.



6. �� (� �� )


��,


�� .


�� .





�.

PDWPIihs Access Manager Plug-in for IBM HTTP Server ��

��.

�: � �� IBM HTTP Server� � � �� .

7. �(��) ��

� �� . �� 45 ��

�� .


�� .

a. �� .

pdconfig



� ��.

c. �� . ��

�� 377 �� 23 � �pdconfig �� .

�� x � � � �

�� .

9. �� .

10. �� pdwebpi.conf � �� . ��






� ��.

pdwebpi_start start


�.

Solaris�� Web Server Plug-in for IBM HTTP Server� �� . ��


��.

Plug-in for Internet Information Services ��

Web Server Plug-in for Internet Information Services� �� Windows ��

�� .


�� .

Windows� Web Server Plug-in for Internet Information Services� ��

� �� .

1. �� .

2. 197 �� .

3. GSKit� ��. �� 288 �� .


��.


2003 CD� ��.

6. �� setup.exe � ��.


�� .

7. �� .

8. �� . �� .

9. �� .

10. �� .



v Access Manager Plug-in for Web Servers



11. ��

�� . � �� , ��

�� .

12. �� .

13. �� . ��

�� .

14. �(��) ��

� �� . �� 45 ��

�� .


�� . �� → �� → IBM Tivoli Access

Manager → �� .

�� 377 �� 23 � �pdconfig ��

�.

�: �� pdconfig �� Tivoli Access Manager ��

� �� .

16. �� .

17. �� pdwebpi.conf � �� . ��



18. �� → �� → �� → ��

��. ��

��.

Windows�� Web Server Plug-in for IIS Web Server� �� . ��


��.

Plug-in for Sun ONE Web Server ��

� � �� .

v 210 �� AIX






AIX: Plug-in for Sun ONE Web Server ��


�� .

AIX� Web Server Plug-in for Sun ONE Web Server� ��

��.

1. root� ��.

2. 197 �� .


��.

4. GSKit� ��. �� 285 �� .


��.

6. �� .






PD.WPI Access Manager Plug-in for Web Servers ��

�.

PD.WPIiPlanet

Access Manager Plug-in for Sun One Web Server ��

��.

�: � �� Sun ONE Web Server� � � �� .

7. �(��) ��

� �� . �� 45 ��

�� .


�� .

a. �� .

pdconfig



� ��.



c. �� . ��

�� 377 �� 23 � �pdconfig �� .

�� x � � � �

�� .

9. �� .

10. �� pdwebpi.conf � �� . ��




� ��.

pdwebpi_start start


�.

AIX�� Web Server Plug-in for Sun ONE Web Server� �� . �

� Tivoli Access Manager �� 23 ��

�� .

Solaris: Plug-in for Sun ONE Web Server ��


�� .

Solaris� Web Server Plug-in for Sun ONE Web Server� ��

� � ��.

1. root� ��.

2. 197 �� .


4. GSKit� ��. �� 287 �� .


��.

6. �� (� �� )


��,


�� .


�� .







�.

PDWPIipl Access Manager Plug-in for Sun ONE Web Server ��

��.

�: � �� Sun ONE Web Server� � � �� .

7. �(��) ��

� �� . �� 45 ��

�� .


�� .

a. �� .

pdconfig



� ��.

c. �� . ��

�� 377 �� 23 � �pdconfig �� .

�� x � � � �

�� .

9. �� .

10. �� pdwebpi.conf � �� . ��




� ��.

pdwebpi_start start


�.

Solaris�� Web Server Plug-in for Sun ONE Web Server� �� .

�� Tivoli Access Manager �� 23 ��

�� .



� 15 � Tivoli Access Manager for WebLogic ��

� �� Tivoli Access Manager for WebLogic� ��

��.


BEA WebLogic Server �� .

�� Tivoli Access Manager for WebLogic� ��

� ��.

v 215 ��

(BEA WebLogic Server, �� 7.0 ��)

v 218 ��


v BEA WebLogic Server 7.0:

http://edocs.bea.com/wls/docs70/index.html






��

�� .

v Access Manager for WebLogic Server� � �� Custom Realm�

�� . �� BEA WebLogic Server SSPI(Security

Service Provider Interface)� ��.

v Tivoli Access Manager for WebLogic� Java 2 Security Manager� ��

�� . Java policy � Java 2 Security

Manager� � � ��

� ��.

v �� WebLogic Server �� WebLogic Server �

�� , �� WebLogic Administration Server(�

�� ) � � �� WebLogic Server� Tivoli Access

Manager for WebLogic� �� . ��

� �� WebLogic Server��

�� .

�� WebLogic Server��

�� . �� , Tivoli Access Manager for WebLogic� �


��. � �� , ��

�� WebLogic Server� ��

�.

Tivoli Access Manager for WebLogic ��


� ��


�� . �� .

v Tivoli Access Manager �� , Policy Server � Authorization Server�

�� . �� 55

�� 2 � �Base �� .

v �� BEA WebLogic Server� �� BEA


Access Manager for WebLogic Server� �� .

– �� 2� � BEA WebLogic Server, �� 7.0

– �� 1� � BEA WebLogic Server, �� 8.1

v AIX �� , IBM JRE� �� .

– BEA WebLogic Server, �� 7.0� ��, IBM JRE 1.3.1.5� ��.

�� 295 �� .

– BEA WebLogic Server, �� 8.1� ��, IBM JRE 1.4.1� ��. �

�� .

http://www.ibm.com/developerworks/java/jdk/index.html

�: BEA WebLogic Server� AIX �� JRE� �� AIX� IBM

JRE� �� .

v Tivoli Access Manager� BEA WebLogic Server� ��

�� . �� .

�� 33 �� (�� )�� .

��

��

� �� BEA WebLogic Server, �� 7.0� �� . BEA

WebLogic Server, �� 8.1� �� , 218 ��

�� .

install_amwls ��

� Tivoli Access Manager for WebLogic �� .


v Access Manager for WebLogic Server, �� 5.1


� 15 � Tivoli Access Manager for WebLogic �� 215


�: � ��

� ��.

install_amwls �� Tivoli Access Manager for WebLogic� ��

�� .

1. 215 �� .

2. �(��) ��

� �� . �� 45 ��

�� .

3. Windows �� , �� .

4. �� BEA WebLogic Server� ��.

v UNIX ��:

/wls_install_dir/user_projects/domain_name/startWebLogic.sh

v Windows ��:

C:\wls_install_dir\user_projects\domain_name\startWebLogic.cmd

5. �� .

v BEA WebLogic Server� � �� JRE� �� ,

AIX, HP-UX(BEA WebLogic Server 7.0 ��), Solaris � Windows� IBM

Tivoli Access Manager Web Security CD� � ��

install_amwls �� .

v BEA WebLogic Server� � �� JRE� ��

��(�� AIX� �� ) �� install_amwls ��

��.

install_amwls -is:javahome path

�� path� � �� JRE� ��.

367 �� install_amwls��

�� . � �� (��

�), �� .

�: Windows �� Tivoli Access Manager for WebLogic� � �

�� .

6. BEA WebLogic Server� ��.

7. �� AMSSPIProviders.jar � wls_install_dir/weblogic/

server/lib/mbeantypes �� . � � � �

�� , amwls_install_dir/lib ��

��.



8. Active Directory �� : WebLogic ��

� ��

�� . ��

� � �� (��)� ��

��.

�� , WebLogic Server, �� 7.0��

�� . ��

� �� . � ��

� �� .

9. startWebLogic �� CLASSPATH� ��. �� 228 ��

�� .

10. WebLogic Server� �� .

11. WebLogic �� Tivoli Access Manager ��

�. �� 231 �� .

12. WebLogic Server� �� , ��

�� WebLogic Server�

� Tivoli Access Manager for WebLogic� �� . ��

�� WebLogic �� rbpf.properties,

amsspi.properties � amwlsjlog.properties � ��

�� WebLogic Server� ��.

BEA_WLS_HOME/jdk_location/jre/amwls/

�: � �� WebLogic Server� ��

��.

13. BEA WebLogic Server� �� .

14. ��: BEA WebLogic Server� � �� . �

�� 234 �� .

�: Tivoli Access Manager �� SSO � �� ,

� �� amsspi.properties � � ��. �

� � �� IBM Tivoli Access Manager for e-business BEA


15. Tivoli Access Manager for WebLogic� Tivoli Access Manager ��

�� Policy Server� �� . �

�� 237 �� .

Tivoli Access Manager for WebLogic �� . �� Tivoli Access

Manager �� 23 �� .



��


� �� . � �� , � ��

� �� .

� � �� .

v 218 �� AIX

v 220 �� HP-UX



�: Tivoli Access Manager for WebLogic �� BEA


AIX: Tivoli Access Manager for WebLogic ��

�� installp� �� .

AIX� Tivoli Access Manager for WebLogic� ��

��.

1. root� ��.

2. IBM JRE �� 215 ��

��.



��.

5. �� .

installp -acgNXd cd_mount_point/usr/sys/inst.images packages




��.

PDWLS Access Manager for WebLogic Server �� .




��.



7. �(��) ��

� �� . �� 45 ��

�� .

8. CLASSPATH � PATH �� WebLogic Jar � bin � lib ��

�� . �� .

. setWLSEnv.sh

� �� .

v WebLogic Server, �� 7.0:

weblogic_install_dir/weblogic700/server/bin



9. �� IBM JRE�� Access Manager Java Runtime

Environment �� (215 ��

� ��) /opt/PolicyDirector/sbin ��

�.

./pdjrtecfg -action config -host policy_server_host -java_home jre_home -port port

�� jre_home� AIX �� IBM JRE� �� . �� ,

�� .

v BEA WebLogic Server, �� 7.0:

-java_home /usr/java131/jre



�: WebLogic Server, �� 8.1� �� pdjrtecfg �� jre/lib �

�� jsse.jar � ��. � � Access Manager Java

Runtime Environment �� . � ��

�� 488 �� pdjrtecfg�� .


� ��

��. ��

� �� (��)� �� .


�� . ��

� �� . � ��

� �� .


�� .



12. Access Manager for WebLogic Server �� . �� 229

�� .


�. �� 231 �� .


�� WebLogic Server�� Tivoli

Access Manager for WebLogic� �� . ��

WebLogic �� WebLogic

Server� �� .



��.


16. ��: WebLogic Server� � �� . ��

�� 234 �� .




e-business BEA WebLogic Server �� .


�� Policy Server� �� .

�� 237 �� .


Manager �� 23 �� .

HP-UX: Tivoli Access Manager for WebLogic ��

�� swinstall� �� .

�: HP-UX 11.0 � 11i� BEA WebLogic Server, �� 7.0� ��

�.

HP-UX� Tivoli Access Manager for WebLogic� ��

��.

1. root� ��.

2. 215 �� .





�� CD� ��. �� , �� .



5. �� .

swinstall -s /cd_rom/hp packages



��.





��.

7. �(��) ��

� �� . �� 45 ��

�� .


�� . �� .

. setWLSEnv.sh

WebLogic Server, �� 7.0�� .


9. BEA WebLogic Server� � �� JRE ��

Access Manager Java Runtime Environment ��



�� jre_home� BEA WebLogic Server� � �� Sun JRE� ��

��. �� , BEA WebLogic Server, �� 7.0�� .


�: Sun JRE 1.4.x �� ,

pdjrtecfg -interactive � �� . � � ��

� �� . � �� 488 ��

�pdjrtecfg�� .


� ��



��. ��

� �� (��)� �� .


�� . ��

� �� . � ��

� �� .


�� .


�� .


�. �� 231 �� .





Server� �� .



��.



�� 234 �� .







�� 237 �� .

18. �� CD� �� .


�� /cd-rom� �� .


Manager �� 23 �� .



Solaris: Tivoli Access Manager for WebLogic ��

�� pkgadd� �� .

Solaris� Tivoli Access Manager for WebLogic� ��

��.

1. root� ��.

2. 215 �� .



5. �� (� �� )

pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/solaris/pddefault packages

��,


�� .


�� .



��.


� �� .

�� .




��.

7. �(��) ��

� �� . �� 45 ��

�� .


�� . �� .

. setWLSEnv.sh

� �� .












��. �� , �� .




-java_home /usr/local/bea/jdk141_03/jre

�:

a. Sun JRE 1.4.x �� ,


� �� . � �� 488 ��


b. WebLogic Server, �� 8.1� �� pdjrtecfg �� jre/lib �


Runtime Environment �� .


� ��

��. ��

� �� (��)� �� .


�� . ��

� �� . � ��

� �� .


�� .


�� .


�. �� 231 �� .







Server� �� .



��.



�� 234 �� .






�� Policy Server� �� . �

�� 237 �� .


Manager �� 23 �� .

Windows: Tivoli Access Manager for WebLogic ��

�� InstallShield setup.exe ��

��.

Windows� Tivoli Access Manager for WebLogic� ��

� ��.

1. Windows �� .

2. 215 �� .

3. BEA WebLogic Server �� .


2003 CD� ��.

5. Access Manager Java Runtime Environment � Access Manager for WebLogic

Server �� . �� setup.exe

� ��.




�� .

6. �� .

7. �� . �� .

8. �� .

9. �� .

v Access Manager Java Runtime Environment

v Access Manager for WebLogic Server

10. ��

�� . � �� , ��

�� .

11. �� .

12. �� .

13. �� AMSSPIProviders.jar � wls_install_dir

\weblogic\server\lib\mbeantypes �� . �

� � �� , \amwls_install_dir\lib��

� ��.

14. �(��) ��

� �� . �� 45 ��

�� .


�� . �� .

setWLSEnv.bat

� �� .


weblogic_install_dir\weblogic700\server\bin


weblogic_install_dir\weblogic81\server\bin



install_dir\sbin ��(�� , C:\Program Files\Tivoli\Policy

Director\sbin)� �� .

pdjrtecfg -action config -host policy_server_host -java_home jre_home -port port


��. �� , �� .




-java_home c:\bea\jdk131_06\jre


-java_home c:\bea\jdk141_03\jre

�:

a. Sun JRE 1.4.x �� ,


� �� . � �� 488 ��


b. WebLogic Server, �� 8.1� �� pdjrtecfg �� jre\lib �


Runtime Environment �� .


� ��

��. ��

� �� (��)� �� .


�� . ��

� �� . � ��

� �� .


�� .


�� .


�. �� 231 �� .





Server� �� .

BEA_WLS_HOME\jdk_location\jre\amwls\


��.



�� 234 �� .









�� 237 �� .


Manager �� 23 �� .

startWebLogic �� CLASSPATH ��

startWebLogic �� WebLogic Server� �� . �� Java �

�� startWebLogic� �� CLASSPATH

�� .

�: � �� WebLogic ��

�.

startWebLogic� �� CLASSPATH� �� .


2. startWebLogic �� CLASSPATH �� .

v UNIX ��:

/opt/pdwls/lib/AMSSPICore.jar/opt/pdwls/lib/rbpf.jar

v Windows ��:

C:\amwls_install_dir\lib\AMSSPICore.jarC:\amwls_install_dir\lib\rbpf.jar

startWebLogic �� BEA WebLogic Server� ��

��. � �� .

v UNIX ��:

/wls_install_dir/user_projects/domain_name

v Windows ��:

C:\wls_install_dir\user_projects\domain_name

�� domain_name� BEA WebLogic Server ��

��.

3. �� , startWebLogic �� CLASSPATH

� �� nls �� .



v UNIX ��:

/opt/pdwls/nls/java/com/tivoli/pdwls/nls

v Windows ��:

C:\Progra~1\Tivoli\pdwls\nls\java\com\tivoli\pdwls\nls

�: nls ��

� � � � �� .

v UNIX ��:

/opt/pdwls/nls/java/com/tivoli/pdwls/nls/

v Windows ��:

c:\amwls_install_dir\nls\java\com\tivoli\pdwls\nls


�� Access Manager for WebLogic Server ��

��. � �� Access Manager for


� �� .

v ��

v 230 ��

�:

1. � �� BEA WebLogic Server ��

��.

2. �� . � �� Tivoli


�� IBM Tivoli Access Manager for e-business BEA WebLogic Server

�� .

��

� �� Access Manager for WebLogic Server� �

�� .


v UNIX ��:

/amwls_install_dir/user_projects/domain_name/startWebLogic.sh

v Windows ��:

C:\amwls_install_dir\user_projects\domain_name/startWebLogic.cmd



2. �� BEA WebLogic� �� BEA WebLogic �

� ��. �� , �� .

http://weblogic_server_name:7001/console

�: �� BEA WebLogic Server �� 7001��. � �� .


3. �� .

4. � �� .

a. BEA WebLogic Server � ��

��.

b. � � �� .

c. �� .

d. �� .

amwls_install_dir\lib\AMWLSConsoleExtension.war

e. AMWLSConsoleExtension.war� �� .

f. �� .

� ��

� �� . �� , ��

� �� AMWLSConsoleExtensions� ��. � ��

� BEA WebLogic Server �� Access Manager ��

�� .

5. Tivoli Access Manager �� BEA WebLogic Server ��

�� Access Manager �� .

�� .

6. 457 �� AMWLSConfigure -action config��

�� .

�� .

�� WebLogic �� Tivoli Access Manager ��

�. �� 231 �� .

��

�� Access Manager for WebLogic Server ��

� �� .


v UNIX ��:

/wls_install_dir/user_projects/domain_name/startWebLogic.sh



v Windows ��:

C:\wls_install_dir\user_projects\domain_name/startWebLogic.cmd

2. �� Access Manager for WebLogic Server� ��

�� AMWLSConfigure �� AMSSPI_DIR ��

�� . ��, WebLogic� ��

�� WebLogic Server, �� 8.1� �� , WLS_JAR ��

AMWLSConfigure �� WebLogic.jar� ��

�.

3. Access Manager for WebLogic Server ��

��.

v �� AMWLSConfigure ��(UNIX) ��

(Windows)� ��.

– UNIX ��:

opt/pdwls/sbin/AMWLSConfigure.sh

– Windows ��:

c:\amwls_install_dir\pdwls\sbin\AMWLSConfigure.bat

v �� AMWLSConfigure �� .

AMWLSConfigure -action config [options ...]

AMWLSConfigure� ��

��.

AMWLSConfigure -help [action]

�: AMWLSConfigure -action config � �� 457 ��

�AMWLSConfigure -action config�� .

�� WebLogic �� Tivoli Access Manager ��

�. �� 231 �� .


Access Manager for WebLogic Server� BEA WebLogic Server� ��


��. � �� WebLogic ��

WebLogic Server�� .

� ��

�. � �� .

v 232 ��

v 233 ��



Active Directory �� :

Tivoli Access Manager for WebLogic� �� Tivoli Access Manager

�� , amwls_install_dir/etc/amsspi.properties � �

� AdminGroupProp=Administrators �� . �

�� , �� Active Directory� ��

��.

��


�� .

�: BEA WebLogic Server� � �� 233 ��

�� . WebLogic Server � ��

�� .

1. �� Access Manager �� .

� �� .

2. �� .

3. Tivoli Access Manager �� BEA WebLogic Server� ��

� �� .


a. �� .

b. BEA WebLogic Server ��

� ��.

�� .

c. �� .

d. � �� Access Manager ��

�� .

v BEA WebLogic Server 8.1� ��, �� BEA WebLogic Server �

� �� . �� Access

Manager �� .


5. � Tivoli Access Manager �� , Access

Manager �� Tivoli Access Manager ��

�� .



��


��.

1. �� Access Manager for WebLogic Server� ��

�� , AMWLSConfigure �� AMSSPI_DIR ��

� �� . ��, WebLogic� ��

� �� WebLogic Server, �� 8.1� �� , WLS_JAR ��

� AMWLSConfigure �� WebLogic.jar� ��

��.


v �� .

– UNIX ��:

opt/pdwls/sbin/AMWLSConfigure.sh

– Windows ��:

c:\amwls_install_dir\pdwls\sbin\AMWLSConfigure.bat

v �� AMWLSConfigure �� .

AMWLSConfigure -action create_realm [options ...]

AMWLSConfigure� ��

��.

AMWLSConfigure -help [action]

�:

a. AMWLSConfigure -action create_realm � �� 460 �

�� AMWLSConfigure -action create_realm�� .

b. BEA WebLogic Server� � SSO� ��

� �� .

-sso_enabled true

-sso_user sso_user

-sso_pwd sso_pwd

c. �� . � ��

� �� IBM Tivoli Access Manager for e-business Command

Reference� ��.

3. Tivoli Access Manager �� BEA WebLogic Server� ��

� �� .




a. �� BEA WebLogic� �� BEA WebLogic

�� . �� , �� .

http://weblogic_server_name:7001/console

�: 7001� �� BEA WebLogic Server � ��. � ��

��.


b. �� .

c. BEA WebLogic Server ��

� ��.

�� .

d. �� .

e. � �� Access Manager ��

�� .

v BEA WebLogic Server 8.1� ��, �� BEA WebLogic Server �

� �� . �� Access

Manager �� .


5. � Tivoli Access Manager �� , Access

Manager �� Tivoli Access Manager ��

�� .

BEA WebLogic Server ��

�� (SSO)� � ��

�� . �� BEA

WebLogic Server� � �� WebSEAL ��

� �� . � �� .


1. �� AMWLSConfigure -action create_realm �� 231 �� Tivoli

Access Manager � �� .

-sso_enabled true

-sso_user sso_user

-sso_pwd sso_pwd

2. �� .

v BEA WebLogic Server� � SSO� ��

�� .



a. �� pdwebpi.conf � ��.

– UNIX ��:

/opt/pdwebpi/etc

– Windows ��:

c:\web_server_plugin_install_dir\PDWebPI\etc\

b. ��

� �� [common-modules] �� .

[common-modules]post-authzn = BA

c. �� [BA] �� .

[BA]add-hdr = supplysupply-password = sso_pwd

��,

supply HTTP �� (BA) �� , �� ,

�� .

sso_pwd 231 �� Tivoli Access Manager � ��

� SSO �� .

�� IBM Tivoli Access

Manager for e-business Plug-in for Web Servers Integration Guide� �

��.

v WebLogic Server� � SSO� �� WebSEAL Server �

�� .

a. �� webseald.conf � ��.

– UNIX ��:

/opt/pdwebpi/etc

– Windows ��:

c:\web_server_plugin_install_dir\Tivoli\PDWeb\etc\

b. �� [junction] �� .

[junction]basicauth-dummy-passwd = sso_pwd

�� sso_pwd� 231 �� Tivoli Access Manager � ��

�� SSO �� .

�: �� ID � � �� IBM Tivoli Access

Manager for e-business WebSEAL Administration Guide� ��

��.



c. �� WebSEAL� ��

��.

d. WebSEAL Junction� �� Web Portal Manager ��

pdadmin �� . �� , pdadmin server task create

�� .

pdadmin sec_master> server task server_name-host create -t tcp-p wls_listening_port -h weblogic_server -b supply junction_point

9� WebSEAL Junction �� . pdadmin

server task create �� IBM Tivoli Access Manager

for e-business Command Reference� ��. WebSEAL Junction �

�� IBM Tivoli Access Manager for e-business WebSEAL

Administration Guide� ��.

9. pdadmin server task create �� . *� �� .

��

server_name-host WebSEAL Server� � � �� . ��

pdadmin server list ��

�� .

�� WebSEAL �� ,

server_name� default-webseald-hostname��. � �


server_name� WebSEAL Server ��

�� -webseald-hostname� ��. �� , WebSEAL

�� webseal2� ��, server_name�

webseal2-webseald-hostname��.


�� .

�: �� Junction ��

�� IBM Tivoli Access Manager for e-business WebSEAL


-h weblogic_server BEA WebLogic Server� DNS �� IP ��

� ��.

-p wls_listening_port BEA WebLogic Server� �� . ��

�� 7001��.

-b supply WebSEAL�� , �(“�”) ��

Tivoli Access Manager �� (�� ID)

� �� . SSO�� supply � ��

�.

junction_point Junction �� URL �� .




��

Tivoli Access Manager for WebLogic� Tivoli Access Manager ��

� Policy Server� ��

� ��.

1. BEA WebLogic Server ��

��.

2. �� pdadmin �� .

pdadmin sec_master> user show test_user

v account-valid� yes�� .

v password-valid� yes�� .

Tivoli Access Manager for WebLogic �� WebSEAL� � BEA

WebLogic Server� � ��

�� . ��

��. �� IBM Tivoli Access Manager for e-business BEA




� 16 � Tivoli Access Manager for WebSphere ��

� �� Tivoli Access Manager for WebSphere� ��

��.


IBM WebSphere Application Server �� .

�� .

v 240 ��

v 242 ��

�� WebSphere �� .


� ��

Tivoli Access Manager for WebSphere ��

�� . ��

�� .

1. Tivoli Access Manager �� , Policy Server � Authorization server�

�� . � ��

� 55 �� 2 � �Base �� .

�: �� Authorization Server� WebSphere Application Server�

� � �� .

2. WebSphere Application Server� � �� . Tivoli

Access Manager for WebSphere� �� .

v IBM WebSphere Application Server, �� 4.0.6

v IBM WebSphere Application Server, Advanced Single Server, �� 4.0.6


v IBM WebSphere Application Server, �� 5.1

3. Tivoli Access Manager� WebSphere Application Server� ��

�� . ��

��. �� 33 �� (�� )��

��.



4. �� WebSphere Application Servers(Advanced Single Server, �� 4.0.6

��)� � �� .

v Tivoli Access Manager Policy Server � WebSphere Application Server�

� � �� .

v Policy Server� WebSphere ��

�� , � �� WebSphere �� Tivoli

Access Manager �� . 250 ��

� �� .

5. WebSphere Application Server� �� .

250 �� WebSphere� �� Tivoli Access Manager ��

�� .

6. WebSphere Application Server �� . 251 ��

�WebSphere �� .

��

��

WebSphere Application Server, �� 5.1� ��

��. �� 242 ��

�� .

install_amwas ��

� Tivoli Access Manager for WebSphere �� .


v Access Manager for WebSphere Application Server, �� 5.1

�: � ��

� ��.

install_amwas �� Tivoli Access Manager for WebSphere ��

� �� .

1. 239 �� .

2. �(��) ��

�� . �� 45 ��

� �� .



3. WAS_HOME �� WebSphere Application Server ��

��. �� WebSphere Application Server� �� bin ��

�� setupCmdLine.sh(UNIX) �� setupCmdLine.bat(Windows)� ��

��.

4. UNIX �� PDWAS_HOME �� Tivoli Access Manager for

WebSphere �� . �� , �� .

PDWAS_HOME=/opt/amwasexport PDWAS_HOME

�: Windows �� PDWAS_HOME �� .

5. Windows �� , �� .

6. WebSphere Application Server� ��.

7. �� .

v WebSphere Application Server� � �� JRE� ��

��, �� AIX, HP-UX, Linux, Solaris � Windows� IBM

Tivoli Access Manager Web Security CD� � ��

install_amwas �� .

v WebSphere Application Server� � �� JRE� ��

� �� , �� install_amwas �� .

install_amwls -is:javahome websphere_install_dir/AppServer/java/jre

359 �� install_amwas��

�� . � �� (�� ),

�� .

�:

a. �� Tivoli Access Manager ��

�� . ��

� �� . �� 515 �� 27 �

�� .

b. Access Manager Java Runtime Environment� ��

��, �� WebSphere Application Server� � �� JRE

� �� . �� , �� .

v UNIX:

websphere_install_dir/AppServer/java/jre

v Windows:

websphere_install_dir\AppServer\java\jre


� 16 � Tivoli Access Manager for WebSphere �� 241

8. �� policy� �� EAR � �� J2EE ��

� ��, WebSphere �� . �� 255 ��

�� .


Tivoli Access Manager for WebSphere �� . �� Tivoli


��.

Tivoli Access Manager for WebSphere� ��

�� EAR � �� . �� IBM

Tivoli Access Manager for e-business IBM WebSphere Application Server Integration

Guide� �� .

��


� �� . � �� , � ��

� �� .

� � �� .

v 242 �� AIX

v 244 �� HP-UX

v 245 �� Linux



AIX: Tivoli Access Manager for WebSphere ��

�� installp� �� pdjrtecfg � pdwascfg �

�� .

AIX� Tivoli Access Manager for WebSphere� ��

��.

1. root� ��.

2. 239 �� .

3. WebSphere Application Server, �� 5.1� �� 243 �� 8 �

� �� Access Manager Java Runtime Environment� ��. �

� �� .


��.



5. �� .





��.

PDWAS Access Manager for WebSphere Application Server ��

��.

�: � �� WebSphere Application Server� � � ��

��.

6. �(��) ��

� �� . �� 45 ��

�� .

7. WAS_HOME �� IBM WebSphere Application Server � ��

�� . �� WebSphere� �� bin ��

�� setupCmdLine.sh �� .

env | grep WAS_HOME

8. WebSphere Application Server� � �� JRE��

�� Access Manager Java Runtime Environment ��


./pdjrtecfg -action config -host policy_server_host -java_home $WAS_HOME/java/jre -port port

�: � �� 488 �� pdjrtecfg�� .

9. Access Manager for WebSphere Application Server �� .

�� 254 �� .

10. �� policy� �� EAR � �� J2EE ��

� ��, WebSphere �� . �� 255 �

�� .



��.


�� EAR � �� . �� IBM


Guide� �� .



HP-UX: Tivoli Access Manager for WebSphere ��

�� swinstall� �� pdjrtecfg � pdwascfg

�� .

HP-UX� Tivoli Access Manager for WebSphere� ��

� � ��.

1. root� ��.

2. 239 �� .

3. WebSphere Application Server, �� 5.1� �� , 9 ��

Access Manager Java Runtime Environment� ��. ��

�� .

4. IBM Tivoli Access Manager Web Security for HP-UX CD� ��.


�� CD� ��. �� , �� .



6. �� .




��.

PDWAS Access Manager for WebSphere Application Server ��

��.


��.

7. �(��) ��

� �� . �� 45 ��

�� .




env | grep WAS_HOME

9. WebSphere Application Server� � �� JRE ��






�: � �� 488 �� pdjrtecfg�� .


�� 254 �� .

11. �� policy� �� EAR � �� J2EE ��

� ��, WebSphere �� . �� 255 �

�� .

12. �� CD� �� .


�� /cd-rom� �� .



��.


�� EAR � �� . �� IBM


Guide� �� .

Linux: Tivoli Access Manager for WebSphere ��

�� rpm� �� pdjrtecfg � pdwascfg ��

�� .

Linux� Tivoli Access Manager for WebSphere� ��

� ��.



1. root� ��.

2. 239 �� .

3. WebSphere Application Server, �� 5.1� �� , 246 �� 9

�� Access Manager Java Runtime Environment� ��. �

� �� .


� � �� .



6. �� .



rpm -ihv packages


Access Manager Java Runtime

Environment

Access Manager for WebSphere

Application Server

xSeries� Linux PDJrte-PD-5.1.0-0.i386.rpm PDWAS-PD-5.1.0-0.i386.rpm

zSeries� Linux PDJrte-PD-5.1.0-0.s390.rpm PDWAS-PD-5.1.0-0.s390.rpm


��.

7. �(��) ��

� �� . �� 45 ��

�� .




env | grep WAS_HOME





�: � �� 488 �� pdjrtecfg�� .


�� 254 �� .

11. �� policy� �� EAR � �� J2EE ��

� ��, WebSphere �� . �� 255 �

�� .



��.


�� EAR � �� . �� IBM


Guide� �� .



Solaris: Tivoli Access Manager for WebSphere ��

�� pkgadd� �� pdjrtecfg � pdwascfg �

�� .

Solaris� Tivoli Access Manager for WebSphere� ��

� � ��.

1. root� ��.

2. 239 �� .

3. WebSphere Application Server, �� 5.1� �� , � 248 ��

8� �� Access Manager Java Runtime Environment� ��. �

� �� .


5. �� (� �� )


��,


�� .


�� .



��.

PDWAS Access Manager WebSphere Application Server ��

��.


��.

6. �(��) ��

� �� . �� 45 ��

�� .




env | grep WAS_HOME







�: � �� 488 �� pdjrtecfg�� .


�� 254 �� .

10. �� policy� �� EAR � �� J2EE ��

� ��, WebSphere �� . �� 255 �

�� .



��.


�� EAR � �� . �� IBM


Guide� �� .

Windows: Tivoli Access Manager for WebSphere ��

�� setup.exe �� pdjrtecfg �

pdwascfg �� .

Windows� Tivoli Access Manager for WebSphere� ��

�� .

1. �� .

2. 239 �� .

3. WebSphere Application Server, �� 5.1� �� , 249 �� 15

�� Access Manager Java Runtime Environment� ��. �

� �� .


2003 CD� ��.

5. Access Manager Java Runtime Environment � Access Manager for WebSphere

Application Server �� . ��



�� .



6. �� .

7. �� . �� .

8. �� .

9. �� .

v Access Manager Java Runtime Environment

v Access Manager for WebSphere Application Server

10. ��

�� . � �� , ��

�� .

11. �� .

12. �� .

13. �(��) ��

� �� . �� 45 ��

�� .


�� .



install_dir\sbin ��(�: C:\Program Files\Tivoli\


pdjrtecfg -action config -host policy_server_host -java_home %WAS_HOME\java\jre -port port

�: � �� 488 �� pdjrtecfg�� .


�� 254 �� .

17. �� policy� �� EAR � �� J2EE ��

� ��, WebSphere �� . �� 255 �

�� .



��.


�� EAR � �� . �� IBM


Guide� �� .



��

�� WebSphere Application Server(Advanced Single Server, �� 4.0.6 ��)

� �, WebSphere �� Policy Server� ��

� ��, � �� WebSphere �� Tivoli Access

Manager �� . � ��

�� .

�� Policy Server� �� WebSphere ��

� �� . �� , � ��

� �� .

pdadmin ��

��. �� , �� .

pdadmin sec_master> user import marga "cn=Margaret Averett,o=IBM,c=us,dc=mkt"pdadmin sec_master> group import engineering "cn=engineering,o=IBM,c=US"

�: �� IBM Tivoli Access Manager Base


IBM Tivoli Directory Server� �� ,

bulkload �� . � LDAP �� IBM Tivoli Access Manager

for e-business Performance Tuning Guide� �� .

WebSphere� �� Tivoli Access Manager ��

�� WebSphere� Tivoli Access

Manager �� . WebSphere �� ,

WebSphere Application Server �� Tivoli Access Manager ��

� �� . �� WebSphere� �� Tivoli Access Manager ��

� �� WebSphere �� (251 ��

�WebSphere �� )

Web Portal Manager �� pdadmin ��

� �� . �� , �� pdadmin� �� sec_master �

�� .

pdadmin -a sec_master -p sec_master_password

wsadmin�� .

pdadmin sec_master> user create wsadmin cn=wsadmin,o=organization,c=countrywsadmin wsadmin myPassword



�� pdadmin user modify ��

� account-valid �� yes� ��.

pdadmin sec_master> user modify wsadmin account-valid yes

�� IBM Tivoli Access Manager Base Administration Guide� ��

��.

WebSphere ��


WebSphere Application Server �� . ��

��.

v Tivoli Access Manager for WebSphere� �� WebSphere �

�� .

v Tivoli Access Manager� WebSphere� � � �� .

��, WebSphere� Tivoli Access Manager� � � ��

�� .

v WebSphere �� LDAP ��

� Tivoli Access Manager �� .

�� .

v �WebSphere, �� 4.0.6, ��

v 252 �� WebSphere, �� 5.0.2 �� 5.1, ��

WebSphere, �� 4.0.6, ��

WebSphere Application Server, �� 4.0.6, ��

��.

1. �� WebSphere Administration Server� ��.

v AIX ��:

/usr/WebSphere/AppServer/bin/adminserver

v HP-UX, Linux � Solaris ��:

/opt/WebSphere/AppServer/bin/adminserver

v Windows ��:

c:\websphere\appserver\bin\adminserver

2. �� WebSphere Administration Client� ��.

v AIX ��:

/usr/WebSphere/AppServer/bin/adminclient




/opt/WebSphere/AppServer/bin/adminclient

v Windows ��:

c:\websphere\appserver\bin\adminclient

3. �� → � �� .

4. �� . � �� .

5. �� .

a. LTPA� �� .

v �� : 120

v ��

�: mydomain.ibm.com

b. �� . �� , LDAP� ��

�� .

6. �� WebSphere �� → �� → ��

��.

7. �� .

WebSphere, �� 5.0.2 �� 5.1, ��

WebSphere Application Server, �� 5.0.2 �� 5.1, ��

�� .

1. WebSphere Administration Server� ��.

2. �� .

http://localhost:9090/admin/

3. �� .

4. �� . �� , LDAP ��

��.

a. � → �� → LDAP� ��.

10. � ��

��

�� ID cn=wsadmin,o=ibm,c=us

�� myPassword

�� ldapserver.mydomain.ibm.com

�� SecureWay

�� DN o=ibm,c=us

�� DN cn=root

�� myPassword



b. 11� �� LDAP �� .

5. �� LTPA �� .

a. �� → LTPA� ��.

b. �� LTPA �� .

c. LTPA �� 120�� .

d. �� .

e. �� .

f. �� (SSO)� ��

��.

g. �� DNS ��

��.

h. �� .

6. �� .

a. � → �� .

b. �� .

11. � ��

��

�� ID cn=wsadmin,o=ibm,c=us

�� myPassword

�� IBM_Directory_Server

�� ldapserver.mydomain.ibm.com

� 389

�� DN o=ibm,c=us

�� DN cn=root

�� myPassword

�� 120

�� true

�� true

SSL �� false

SSL �� cellname/DefaultSSLSetting

Tivoli Access Manager for Account Policies �

�

(WebSphere, �� 5.1� ��

�)


WebSphere, �� 5.1� ��

��.



7. �� .

8. �� .

9. WebSphere Application Server �� .

10. WebSphere Application Server� �� .


� �� WebSphere Application Server� ��

Access Manager for WebSphere Application Server ��

��. � ��, � �� Tivoli Access Manager ��

��.

�: install_amwas �� Tivoli Access Manager for WebSphere �

�� , � �� . ��

�� .

Access Manager for WebSphere Application Server ��

�� .


�� .

2. UNIX �� PDWAS_HOME �� Tivoli Access Manager for

WebSphere �� . �� , �� .

PDWAS_HOME=/opt/amwasexport PDWAS_HOME

�: Windows �� , PDWAS_HOME �� .

3. WAS_HOME\bin �� pdwascfg ��

��. �� , WebSphere Application Server, �� 5.0.2 �� 5.1� ��

Windows �� .

12. ��

� ��

�� true

Java 2 �� false

�� ID �� true

� �� 600

�� true

� �� CSI � SAS

� �� LTPA

� �� LDAP



%WAS_HOME%\bin\pdwascfg.bat -action configWAS5-remote_acl_user remote_ACL_user_name-sec_master_pwd sec_master_pwd-pdmgrd_host policy_server_hostname-pdacld_host authorization_server_hostname-was_home WAS_home-amwas_home WAS_home -embedded true -action_type local

�� remote_ACL_user_name� �� . � �

�� Tivoli Access Manager �� . � ��

�� .

�: pdwascfg �� Tivoli Access Manager for WebSphere� ��

�� WebSphere Application Server� ��. � ��

�� 494 �� pdwascfg�� .

4. pdwascfg �� PdPerm.properties

� �� . �� , WebSphere Application Server� �

� �� , PdPerm.properties � ��

��.

v AIX ��:

/usr/WebSphere/AppServer/java/jre/PdPerm.properties


/opt/WebSphere/AppServer/java/jre/PdPerm.properties

v Windows ��:

– WebSphere Application Server, �� 4.0.6� ��,

C:\WebSphere\AppServer\java\jre\PdPerm.properties

– WebSphere Application Server, �� 5.0.2 �� 5.1� ��,

C:\Program Files\WebSphere\AppServer\java\jre\PdPerm.properties

�: pdwascfg �� AMWASConfig.log � ��, � � � �

�� .

WebSphere ��

J2EE �� Tivoli Access Manager policy ��

� �� . Tivoli Access Manager for WebSphere� ��

� � �� . � �� policy� �� EAR

� �� J2EE ��

��.

�� .

v 256 �� WebSphere, �� 4.0.6 ��



v 257 �� WebSphere, �� 5.0.2 �� 5.1, ��

WebSphere, �� 4.0.6 ��

WebSphere� �� WebSphere admin.ear ��

�� policy� Tivoli Access Manager policy ��

�� . � �� WebSphere ��


WebSphere Application Server, �� 4.0.6, ��

�� .

1. WebSphere� �� .


�� .

3. migrateEAR4 �� .

v UNIX ��:

/opt/amwas/bin

v Windows ��:

C:\Program Files\Tivoli\amwas\bin

4. �� admin.EAR� � ��

��. 469 �� migrateEAR4�� .

�� , �� .

v AIX ��:

migrateEAR4 -j /usr/WebSphere/AppServer/config/admin.ear-a sec_master-p sec_master_password-w wsadmin-d "o=ibm,c=us"-c file:/usr/WebSphere/AppServer/java/jre/PdPerm.properties


migrateEAR4 -j /opt/WebSphere/AppServer/config/admin.ear-a sec_master-p sec_master_password-w wsadmin-d "o=ibm,c=us"-c file:/opt/WebSphere/AppServer/java/jre/PdPerm.properties

v Windows ��:

migrateEAR4 -j c:\WebSphere\AppServer\config\admin.ear-a sec_master-p sec_master_password-w wsadmin-d "o=ibm,c=us"-c file:/c:\WebSphere\AppServer\java\jre\PdPerm.properties



�: Windows�� .

5. admin.ear � �� , pdwas-admin �� ACL� ��

��. admin.ear � �� .

�� pdadmin ��

��.

pdadmin sec_master> acl modify _WebAppServer_deployedResources_AdminRole_admin_ACLset group pdwas-admin T[WebAppServer]i

�� Authorization Server� � ��, pdadmin� ��

�� server replicate �� Authorization Server� ��

ACL �� .


�� . � ��

pdwas_migrate.log � ��, � � ��

��. � �� policy� ��

�� . �� , ��

�� . ��

�� , -c � -j � ��

��.

�� admin.ear � ��

��. �� DTD(Document Type Definition)

�� URL �� . ��, �� DTD� �

�� . ��

� DTD �� . �� , �� DTD� �

�� .

�: � �� , �� Tivoli Access Manager for

WebSphere �� . �� IBM Tivoli Access Manager for

e-business IBM WebSphere Application Server �� .

WebSphere, �� 5.0.2 �� 5.1, ��

WebSphere� �� WebSphere adminconsole.ear ��

�� policy� Tivoli Access Manager policy ��

� �� . � �� WebSphere ��


WebSphere Application Server, �� 5.0.2 �� 5.1 ��

� �� .

1. WebSphere� �� .




�� .

3. migrateEAR5 �� .

v UNIX ��:

/opt/amwas/bin

v Windows ��:

C:\Program Files\Tivoli\amwas\bin

4. �� adminconsole.EAR, admin-authz.xml �

naming-authz.xml � � �� . 473 ��

�� migrateEAR5�� . �� , ��

�� .

v AIX ��:


migrateEAR5 -j /usr/WebSphere/AppServer/installedApps/cellname/adminconsole.ear-a sec_master -p sec_master_pwd -w wsadmin -d "o=ibm,c=us"-c file:/usr/WebSphere/AppServer/java/jre/PdPerm.properties -e adminconsole

migrateEAR5 -j /usr/WebSphere/AppServer/config/cells/cellname/admin-authz.xml-a sec_master -p sec_master_pwd -w wsadmin -d "o=ibm,c=us"-c file:/usr/WebSphere/AppServer/java/jre/PdPerm.properties

migrateEAR5 -j /usr/WebSphere/AppServer/config/cells/cellname/naming-authz.xml-a sec_master -p sec_master_pwd -w wsadmin -d "o=ibm,c=us"-c file:/usr/WebSphere/AppServer/java/jre/PdPerm.properties

migrateEAR5 -j /opt/WebSphere/AppServer/installedApps/cellname/adminconsole.ear-a sec_master -p sec_master_pwd -w wsadmin -d "o=ibm,c=us"-c file:/opt/WebSphere/AppServer/java/jre/PdPerm.properties -e adminconsole

migrateEAR5 -j /opt/WebSphere/AppServer/config/cells/cellname/admin-authz.xml-a sec_master -p sec_master_pwd -w wsadmin -d "o=ibm,c=us"-c file:/opt/WebSphere/AppServer/java/jre/PdPerm.properties

migrateEAR5 -j /opt/WebSphere/AppServer/config/cells/cellname/naming-authz.xml-a sec_master -p sec_master_pwd -w wsadmin -d "o=ibm,c=us"-c file:/opt/WebSphere/AppServer/java/jre/PdPerm.properties



v Windows ��:

�:

a. Windows�� .

b. WebSphere Application Server� ��

� �� adminconsole.ear �� -e � �

��.

�� . � ��

pdwas_migrate.log � ��, � � ��

��. � �� policy� ��

�� . �� , ��

� ��

�. �� -c � -j � � ��

� �� .

�� adminconsole.ear � ��

� �� . �� DTD(Document

Type Definition) �� URL �� . ��, ��

�� DTD� �� . ��

� �� DTD �� . �� , ��

�� DTD� �� .

�: � �� , �� Tivoli Access Manager for

WebSphere �� . �� IBM Tivoli Access Manager

for e-business IBM WebSphere Application Server �� .

migrateEAR5 -j "c:\Program Files\WebSphere\AppServer\installedApps\cellname\adminconsole.ear-a sec_master -p sec_master_pwd -w wsadmin -d "o=ibm,c=us"-c file:/"c:\Program Files\WebSphere\AppServer\java\jre\PdPerm.properties" -e adminconsole

migrateEAR5 -j "c:\Program Files\WebSphere\AppServer\config\cells\cellname\admin-authz.xml-a sec_master -p sec_master_pwd -w wsadmin -d "o=ibm,c=us"-c file:/"c:\Program Files\WebSphere\AppServer\java\jre\PdPerm.properties"

migrateEAR5 -j "c:\Program Files\WebSphere\AppServer\config\cells\cellname\naming-authz.xml-a sec_master -p sec_master_pwd -w wsadmin -d "o=ibm,c=us"-c file:/"c:\Program Files\WebSphere\AppServer\java\jre\PdPerm.properties"



� 17 � WebSEAL Development(ADK) ��

� �� Tivoli Access Manager WebSEAL Development(ADK) ��

� �� .



�� .

v ��

v 262 ��

��

install_amwebadk ��

�� Tivoli Access Manager WebSEAL Development(ADK) ��

��.





v Access Manager WebSEAL Server, �� 5.1

v Access Manager Application Development Kit, �� 5.1

v Access Manager WebSEAL Application Development Kit, �� 5.1

�:

1. �� Policy Server� WebSEAL ADK� �� , ��

� �� . �� 262 ��

�� .

2. � ��

� ��.

install_amwebadk �� Tivoli Access Manager WebSEAL

Development(ADK) �� .

1. �� . �� 33 �

�� (�� )�� .


��.


3. �� IBM JRE 1.3.1(AIX�� 1.3.1.5)� ��

�� . �� 294 �� .

4. �(��) ��

�� . �� 45 ��

� �� .

5. Windows �� ,

v �� .





�� .

6. �� AIX, HP-UX, Linux, Solaris � Windows� IBM Tivoli Access

Manager Web Security CD� � �� install_amwebadk ��

�� .

364 �� install_amwebadk��

�� . � �� (��

�), �� .

WebSEAL Development(ADK) �� . �� Tivoli Access

Manager �� 23 �� .

��


� �� . � �� , � ��

� �� . ��


� � �� .

v 262 �� AIX

v 264 �� HP-UX

v 265 �� Linux



AIX: WebSEAL Development(ADK) ��


�� .

WebSEAL Development(ADK) ��


AIX� Tivoli Access Manager WebSEAL Development(ADK) ��

� �� .

1. root� ��.


��.


��.

4. GSKit� ��. �� 285 �� .


��.

6. �� .






PDWeb.Web Access Manager WebSEAL Server �� .

PD.AuthADK Access Manager Application Development Kit ��

��.

PDWeb.ADK Access Manager Web Services Application Development Kit

�� .

7. �(��) ��

�� . �� 45 ��

�� .

8. Access Manager Runtime� �� Access Manager WebSEAL Server ��

�� .

a. �� .

pdconfig



� ��.

c. �� .

�� . ��

� �� 377 �� 23 � �pdconfig �� .


� 17 � WebSEAL Development(ADK) �� 263


�� x � � � �� .


Manager �� 23 �� .

HP-UX: WebSEAL Development(ADK) ��


�� .

HP-UX� Tivoli Access Manager WebSEAL Development(ADK) ��

�� .

1. root� ��.


��.



�� CD� ��. �� , �� .



5. GSKit� ��. �� 286 �� .


��.

7. CD� � �� LDAP �� .

am_update_ldap.sh

8. �� .





PDWeb Access Manager WebSEAL Server �� .

PDADK Access Manager Application Development Kit ��

��.

PDWebADK Access Manager Web Services Application Development Kit

�� .



9. �(��) ��

� �� . �� 45 ��

�� .


� �� .

a. �� .

pdconfig



� ��.

c. �� .

�� . ��

�� 377 �� 23 � �pdconfig �� .


�� x � � � �� .

11. �� CD� �� .


�� /cd-rom� �� .


Manager �� 23 �� .

Linux: WebSEAL Development(ADK) ��


� �� .

Linux� Tivoli Access Manager WebSEAL Development(ADK) ��

�� .



1. root� ��.


��.

3. IBM Tivoli Access Manager Web Security for xSeries, zSeries, or pSeries and

iSeries CD� �� .





5. GSKit� ��. �� 286 �� .


��.

7. �� .

rpm -ihv packages


xSeries� Linux zSeries� Linux pSeries � iSeries� Linux

PDRTE-PD-5.1.0-0.i386.rpmPDWebRTE-PD-5.1.0-0.i386.rpmPDWeb-PD-5.1.0-0.i386.rpmPDAuthADK-PD-5.1.0-0.i386.rpmPDWebADK-PD-5.1.0-0.i386.rpm

PDRTE-PD-5.1.0-0.s390.rpmPDWebRTE-PD-5.1.0-0.s390.rpmPDWeb-PD-5.1.0-0.s390.rpmPDAuthADK-PD-5.1.0-0.s390.rpmPDWebADK-PD-5.1.0-0.s390.rpm

PDRTE-PD-5.1.0-0.ppc.rpmPDWebRTE-PD-5.1.0-0.ppc.rpmPDWeb-PD-5.1.0-0.ppc.rpmPDAuthADK-PD-5.1.0-0.ppc.rpmPDWebADK-5.1.0-0.ppc.rpm

8. �(��) ��

�� . �� 45 ��

�� .


�� .

a. �� .

pdconfig



� ��.

c. �� .

�� . ��

� �� 377 �� 23 � �pdconfig �� .


�� x � � � �� .


Manager �� 23 �� .

Solaris: WebSEAL Development(ADK) ��


�� .



Solaris� Tivoli Access Manager WebSEAL Development(ADK) ��

�� .

1. root� ��.


��.


4. GSKit� ��. �� 287 �� .


��.

6. �� (� �� )


��,


�� .


�� .





PDADK Access Manager Application Development Kit ��

��.

PDWebADK Access Manager Web Services Application Development Kit

�� .

“setuid/setgid� ��?”� �� , Y� ��

Enter� ��. �� Y� �� Enter�

��.

� �� .

�� .

7. �(��) ��

�� . �� 45 ��

�� .


�� .



a. �� .

pdconfig



� ��.

c. �� .

�� . ��

� �� 377 �� 23 � �pdconfig �� .


�� x � � � �� .


Manager �� 23 �� .

Windows: WebSEAL Development(ADK) ��


�� .

Windows� Tivoli Access Manager WebSEAL Development(ADK) ��

� �� .

1. �� .


��.


2003 CD� ��.

4. GSKit� ��. �� 288 �� .


��.

6. �� setup.exe �� .


�� .



v Access Manager WebSEAL Server

v Access Manager Application Development Kit

v Access Manager Web Services Application Development Kit



7. �(��) ��

�� . �� 45 ��

�� .


�� .

a. �� .

pdconfig



c. Access Manager WebSEAL Server �� .

�� . ��

�� 377 �� 23 � �pdconfig �� .


Manager �� 23 �� .



� 18 � WebSEAL Server ��

� �� Tivoli Access Manager WebSEAL Server ��

� �� .



�� .

v ��

v 272 ��

��

install_amweb ��

� Tivoli Access Manager WebSEAL Server �� .





v Access Manager WebSEAL Server, �� 5.1

�:

1. �� Policy Server �� WebSEAL� �� , ��

� �� . �� 272 ��

�� .

2. � ��

� ��.

install_amweb �� Tivoli Access Manager WebSEAL Server ��

�� .

1. �� . �� 33 �

�� (�� )�� .


��.

3. �� IBM JRE 1.3.1(AIX�� 1.3.1.5)� ��

�� . �� 294 �� .


4. �(��) ��

�� . �� 45 ��

� �� .

5. Windows �� ,

v �� .





� ��.


Manager Web Security CD� � �� install_amweb ��

� ��.

361 �� install_amweb��

�� . � �� (�� ),

�� .

WebSEAL Server �� . �� Tivoli Access Manager ��

�� 23 �� .

�: Tivoli Access Manager WebSEAL� � ��

WebSEAL Server� ��. �� WebSEAL Server ��

� �� IBM Tivoli Access Manager for e-business WebSEAL Administration

Guide� ��.

��


� �� . � �� , � ��

� �� . ��


�: ��, pdconfig �� amwebcfg �� Access

Manager WebSEAL Server �� . � ��

�� 451 �� amwebcfg�� .

� � �� .

v 273 �� AIX

v 274 �� HP-UX

v 275 �� Linux

WebSEAL Server ��




AIX: WebSEAL Server ��


�� .

AIX� Tivoli Access Manager WebSEAL Server ��

��.

1. root� ��.


��.


��.

4. GSKit� ��. �� 285 �� .


��.

6. �� .






PDWeb.Web Access Manager WebSEAL Server �� .

7. �(��) ��

�� . �� 45 ��

�� .


�� .

a. �� .

pdconfig



� ��.

c. �� .


� 18 � WebSEAL Server �� 273

�� . ��

� �� 377 �� 23 � �pdconfig �� .


�� x � � � �� .


�� 23 �� .




Guide� ��.

HP-UX: WebSEAL Server ��


�� .

HP-UX� Tivoli Access Manager WebSEAL Server ��

�� .

1. root� ��.


��.



�� CD� ��. �� , �� .



5. GSKit� ��. �� 286 �� .


��.

7. CD� � �� LDAP �� .

am_update_ldap.sh

8. �� .








9. �(��) ��

� �� . �� 45 ��

�� .


� �� .

a. �� .

pdconfig



� ��.

c. �� .

�� . ��

�� 377 �� 23 � �pdconfig �� .


�� x � � � �� .

11. �� CD� �� .


�� /cd-rom� �� .


�� 23 �� .




Guide� ��.

Linux: WebSEAL Server ��


� �� .

Linux� Tivoli Access Manager WebSEAL Server� ��

��.



1. root� ��.




��.


� �� .



5. GSKit� ��. �� 286 �� .


��.

7. �� .

rpm -ihv packages



PDRTE-PD-5.1.0-0.i386.rpmPDWebRTE-PD-5.1.0-0.i386.rpmPDWeb-PD-5.1.0-0.i386.rpm

PDRTE-PD-5.1.0-0.s390.rpmPDWebRTE-PD-5.1.0-0.s390.rpmPDWeb-PD-5.1.0-0.s390.rpm

8. �(��) ��

�� . �� 45 ��

�� .


�� .

a. �� .

pdconfig



� ��.

c. �� .

�� . ��

� �� 377 �� 23 � �pdconfig �� .


�� x � � � �� .


�� 23 �� .






Guide� ��.

Solaris: WebSEAL Server ��


�� .

Solaris� Tivoli Access Manager WebSEAL Server� ��

��.

1. root� ��.


��.


4. GSKit� ��. �� 287 �� .


��.

6. �� (� �� )


��,


�� .


�� .





“setuid/setgid� ��?”� �� , Y� ��

Enter� ��. �� Y� �� Enter�

��.

� �� .

�� .



7. �(��) ��

�� . �� 45 ��

�� .


�� .

a. �� .

pdconfig



� ��.

c. �� .

�� . ��

� �� 377 �� 23 � �pdconfig �� .


�� x � � � �� .


�� 23 �� .




Guide� ��.

Windows: WebSEAL Server ��


�� .

Windows� Tivoli Access Manager WebSEAL Server ��

�� .

1. �� .


��.


2003 CD� ��.

4. GSKit� ��. �� 288 �� .


��.



6. �� setup.exe �� .


�� .



v Access Manager WebSEAL Server

7. �(��) ��

�� . �� 45 ��

�� .


�� .

a. �� .

pdconfig



c. Access Manager WebSEAL Server �� .

�� . ��

�� 377 �� 23 � �pdconfig �� .


�� 23 �� .




Guide� ��.



� 4 � ��

� 19 � �� . . . 285

Global Security Kit �� . . . . . . . . . 285

AIX: Global Security Kit �� . . . . . . 285

HP-UX: Global Security Kit �� . . . . . 286

Linux: Global Security Kit �� . . . . . 286

Solaris: Global Security Kit �� . . . . . 287

Windows: Global Security Kit �� . . . . 288

GSKit iKeyman �� . . . . . . 288

IBM Tivoli Directory Client �� . . . . . . 291

AIX: IBM Tivoli Directory Client �� . . . 291

HP-UX: IBM Tivoli Directory Client �� 292

Linux: IBM Tivoli Directory Client �� . . 292

Solaris: IBM Tivoli Directory Client �� 293

Windows: IBM Tivoli Directory Client �� 293

IBM JRE �� . . . . . . . . . . . . 294

AIX: IBM JRE, �� 1.3.1.5 �� . . . . . 295

HP-UX: IBM JRE, �� 1.3.1 �� . . . . 295

Linux: IBM JRE, �� 1.3.1 �� . . . . . 296

Solaris: IBM JRE, �� 1.3.1 . . . . . . 297

Windows: IBM JRE, �� 1.3.1 ��. . . . 297

WebSphere Application Server �� . . . . . 298

AIX: WebSphere Application Server �� 299

AIX: WebSphere Application Server, ��

� 2 �� . . . . . . . . . . . . 300

HP-UX: WebSphere Application Server �� 301

HP-UX: WebSphere Application Server,

�� 2 �� . . . . . . . . . . . 302

Linux: WebSphere Application Server �� 303

xSeries� Linux: WebSphere Application

Server, �� 2 �� . . . . . . . . 305

Solaris: WebSphere Application Server �� 306

Solaris: WebSphere Application Server, �

�� 2 �� . . . . . . . . . . . . 307

Windows: WebSphere Application Server �

� . . . . . . . . . . . . . . . . 308

Windows 2000: WebSphere Application

Server �� 2 �� . . . . . . . . 309

�� . . . . . . . . . . . . 311

AIX: �� . . . . . . . . . 311

HP-UX: �� . . . . . . . . 312

Linux: �� . . . . . . . . . 313

Solaris: �� . . . . . . . . 314

Windows: �� . . . . . . . 315

WebSphere� �� . . . . . . 316

� 20 � �� . . . . . . . . 319

Tivoli Access Manager �� . . . 319

IBM Tivoli Directory Server �� . . . . 320


� . . . . . . . . . . . . . . . . . 321

AIX: �� . . . . . . . . . . . . 321

HP-UX: �� . . . . . . . . . . . 322

Linux: �� . . . . . . . . . . . 323

Solaris: �� . . . . . . . . . . . 324

Windows: �� . . . . . . . . . . 325

� 21 � �� . . . . . . . 327

install_ldap_server �� . . . . . . . 328

�� . . . . . . . . . . 328

install_ldap_server �� . . . . . . . 330

install_ammgr �� . . . . . . . . 336

� 22 � �� . . . . . . . . 345

Access Manager Runtime(LDAP) . . . . . . 346

Access Manager Runtime(Active Directory) . . 348

Access Manager Runtime(Domino) . . . . . 351

install_amacld . . . . . . . . . . . . . 352

install_amadk . . . . . . . . . . . . . 353

install_amjrte . . . . . . . . . . . . . 354

install_ammgr . . . . . . . . . . . . . 355

install_amproxy . . . . . . . . . . . . 357

install_amrte . . . . . . . . . . . . . 358

install_amwas . . . . . . . . . . . . . 359

install_amweb . . . . . . . . . . . . . 361

install_amwebadk. . . . . . . . . . . . 364

install_amwebars . . . . . . . . . . . . 366

install_amwls . . . . . . . . . . . . . 367

install_amwpi_apache . . . . . . . . . . 369

install_amwpi_ihs. . . . . . . . . . . . 370

install_amwpi_iis . . . . . . . . . . . . 371

install_amwpi_iplanet . . . . . . . . . . 372

install_amwpm . . . . . . . . . . . . 373

install_ldap_server . . . . . . . . . . . 374

� 23 � pdconfig �� . . . . . . . . . 377


Access Manager Runtime -- LDAP . . . . . 378

Access Manager Runtime -- Active Directory 379

Access Manager Runtime -- Domino . . . . 381

Access Manager Attribute Retrieval Service . . 382

Access Manager Authorization Server . . . . 383

Access Manager Java Runtime Environment 384

Access Manager Plug-in for Edge Server . . . 385

UNIX� Access Manager Plug-in for Web

Servers . . . . . . . . . . . . . . . 386

Windows� Access Manager Plug-in for Web

Servers . . . . . . . . . . . . . . . 388

Access Manager Policy Server . . . . . . . 389

Access Manager Policy Proxy Server . . . . 390

Access Manager Web Portal Manager . . . . 391

Access Manager WebSEAL Server . . . . . 392

� 24 � SSL(Secure Sockets Layer) �� . . 393

SSL �� IBM Tivoli Directory Server

�� . . . . . . . . . . . . . . . . 394

� �� . . . . 394

CA(Certificate Authority)��

�� . . . . . . . . . . . . . . . 395

� �� . . . . . . 396

SSL �� . . . . . . . . . . . 397

SSL �� IBM z/OS � OS/390 ��

�� . . . . . . . . . . . . . . 399

�� . . . . . . . . . . . . 400

� �� . . . . . . . . 401

SSL �� Microsoft Active Directory

�� . . . . . . . . . . . . . . . . 402

Active Directory �� . . . 402

LDAP �� . . . 403

SSL �� . . . . . . . . . . 404

SSL �� Novell eDirectory �� 404

� CA(Certificate Authority) �� 405

� �� . . . . . . . . . 406

LDAP �� . . . . 406

SSL �� . . . . . . . . . . . . . 407

� �� CA �� IBM � � �� 407

SSL �� ONE Directory Server �� 408

�� . . . . . . . . . . . 408

�� . . . . . . . . . . . 409

SSL �� . . . . . . . . . . . 410

SSL �� IBM Tivoli Directory Client

�� . . . . . . . . . . . . . . . . 411

� �� . . . . . . . . 411

�� . . . . . . . . . . 412

SSL �� . . . . . . . . . . 413

LDAP �� . . . . . 414

� �� . . . . . . . . 414


�� . . . . . . . . . . . . . . . 415

� �� . . . . . . 416

�� . . . . . . . . . . 417

SSL �� . . . . . . . . . . 418

� 25 � AIX: Standby Policy Server �� 421

�� . . . . . . . . . . . 422

HACMP �� . . . . . . . . . . 423

HACMP �� . . . . . . . . . . 426

� 1 �: �� HACMP �� 427

� 2 �: HACMP ��

� . . . . . . . . . . . . . . 429

� 3 �: HACMP ��

�� . . . . . . . . . . . 434

Standby Policy Server �� . . . . . . 434

��: �� standby ��

UID �� . . . . . . . . . . . . . 439

��: �� 441

��: �� , ��

� �� . . . . . . . . . . . . . . 442

��: AIX �� Standby ��

� �� . . . . . . . . 444

��: Standby �� , ��

�� . . . . . . . . . . . . . 446

� 26 � Tivoli Access Manager �� . . 449

amwebcfg . . . . . . . . . . . . . . 451

AMWLSConfigure -action config . . . . . . 457

AMWLSConfigure -action unconfig . . . . . 459

AMWLSConfigure -action create_realm . . . . 460

AMWLSConfigure -action delete_realm . . . . 462

amwpmcfg . . . . . . . . . . . . . . 463

ivrgy_tool . . . . . . . . . . . . . . 466

migrateEAR4 . . . . . . . . . . . . . 469

migrateEAR5 . . . . . . . . . . . . . 473

pdbackup . . . . . . . . . . . . . . 477

pdconfig . . . . . . . . . . . . . . . 487

pdjrtecfg . . . . . . . . . . . . . . . 488

pd_start . . . . . . . . . . . . . . . 492

pdwascfg . . . . . . . . . . . . . . 494

pdweb . . . . . . . . . . . . . . . 499

pdwebpi . . . . . . . . . . . . . . . 502

pdwebpi_start . . . . . . . . . . . . . 503


pdwpi-version . . . . . . . . . . . . . 505

pdwpicfg -action config . . . . . . . . . 506

pdwpicfg -action unconfig . . . . . . . . 509

wesosm . . . . . . . . . . . . . . . 511

wslstartwte . . . . . . . . . . . . . . 513

wslstopwte . . . . . . . . . . . . . . 514

� 27 � �� . . . . . . . . . 515

�� . . . . . . . . . . . 516

� 4 � �� 283

� 19 � � ��

� �� 2 �� 3 �� Tivoli Access Manager Base � Web

Security �� .

Global Security Kit ��

IBM Global Security Kit(GSKit)� Tivoli Access Manager ��

�� SSL(Secure Sockets Layer) �� . GSKit

�� iKeyman � �� (gsk7ikm)� ��, � ��

� ��, ��-�� .

� � �� .

v 285 �� AIX

v 286 �� HP-UX

v 286 �� Linux



AIX: Global Security Kit ��

AIX� GSKit� �� .

1. root� ��.

2. IBM Tivoli Access Manager CD for AIX� �� .

3. 32� �� .

installp -acgXd cd_mount_point/usr/sys/inst.images gskta.rte


��.

�: IBM Tivoli Directory Server �� GSKit� �� , 32�� 64

� �� . 64� ��

� ��.

installp -acgXd cd_mount_point/usr/sys/inst.images gsksa.rte

4. GSKit� �� .

lslpp -l | grep gsk

GSKit� �� .


GSKit� � �� 288 �� GSKit iKeyman

�� . �� 393 �� 24 � �SSL(Secure

Sockets Layer) �� IBM Global Security Kit Secure Sockets Layer and

iKeyman User’s Guide� ��.

HP-UX: Global Security Kit ��

HP-UX� GSKit� �� .

1. root� ��.

2. IBM Tivoli Access Manager CD for HP-UX� ��.


�� CD� ��. �� , �� .



4. �� .

swinstall -s /cd-rom/hp/gsk7bas gsk7bas

�� /cd-rom/hp� ��.

5. �� CD� �� .


�� /cd-rom� �� .

GSKit� �� .


�� . �� 393 �� 24 � �SSL(Secure



Linux: Global Security Kit ��

Linux� GSKit� �� .



1. root� ��.

2. IBM Tivoli Access Manager for xSeries, zSeries, or pSeries and iSeries CD

� �� .





4. �� .

v GSKit� �� .

rpm -ih package


– xSeries� Linux: gsk7bas-7.0-1.9.i386.rpm

– zSeries� Linux: gsk7bas-7.0-1.9.s390.rpm

– pSeries � iSeries� Linux: gsk7bas-7.0-1.0.ppc32.rpm

v �� , � ��

�� --noscripts �� .

rpm -ih --prefix new_location package --noscripts

�� new_location� GSKit� �� . �� , ��

�.

rpm -ihv --prefix /tmp/usr gsk7bas-7.0-1.9.i386.rpm --noscripts

GSKit� �� .


�� . �� 393 �� 24 � �SSL(Secure



Solaris: Global Security Kit ��

Solaris� GSKit� �� .

1. root� ��.

2. IBM Tivoli Access Manager for Solaris CD� ��.

3. Global Security Kit �� .

pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault gsk7bas



GSKit� �� .


�� . �� 393 �� 24 � �SSL(Secure




� 19 � �� 287

Windows: Global Security Kit ��

Windows� GSKit� �� .

1. �� .

2. IBM Tivoli Access Manager CD for Windows� ��.

3. Global Security Kit(GSKit)� �� CD �� \windows\GSKit �

�� .

setup policydirector

4. �� . �� .

5. ��

�� . � �� , ��

�� .

6. �� GSKit� ��. �� .

7. �� .

GSKit� �� .

GSKit� � �� GSKit iKeyman ��

�� . �� 393 �� 24 � �SSL(Secure Sockets

Layer) �� IBM Global Security Kit Secure Sockets Layer and iKeyman

User’s Guide� ��.

GSKit iKeyman ��

iKeyman �� GSKit� �� CMS(Certificate

Management System) � �� . ��

� �� .

1. �� .

v GSKit, �� 7(�� 285 �� Global Security Kit �� ).

v IBM JRE 1.3.1(�� 294 �� IBM JRE �� ).

v Access Manager Java Runtime Environment ��

�: � �� .

�� 131 �� 8 � �Java Runtime

Environment �� .

2. JAVA_HOME �� JRE� �� . JAVA_HOME

� UNIX �� $JAVA_HOME�, Windows� �� %JAVA_HOME%��.

3. CMS(Certificate Management System) � �� GSKit� �

�� .



a. JAVA_HOME/jre/lib/ext �� (��

�).

gskikm.jaribmjcaprovider.jar

b. accessmgr_install_dir/java/export/pdjrte�� JAVA_HOME/jre/lib/ext�

�� .

v JDK, �� 1.3.1� �� ,

– lib/ext/ibmjceprovider.jar

– lib/ext/ibmpkcs.jar

– lib/ext/ibmjcefw.jar

– lib/ext/local_policy.jar

– lib/ext/US_export_policy.jar

– lib/ext/ibmpkcs11.jar

JDK, �� 1.4.1� �� ,

– lib/ext/ibmjceprovider.jar

– lib/ext/ibmpkcs.jar

– lib/ibmjcefw.jar

– lib/security/local_policy.jar

– lib/ext/US_export_policy.jar

– lib/ext/ibmpkcs11.jar

v IBM CMS � JCE ��

��.

�: �� . � ��

�� . � ��

�� , � ��

��.

– GSKit �� IBM CMS ��

JAVA_HOME/jre/lib/security/java.security � ��

�� .

security.provider.1=sun.security.provider.Sunsecurity.provider.2=com.ibm.spi.IBMCMSProvider

– GSKit � JSSE �� IBM CMS � IBM JCE ��

� �� JAVA_HOME/jre/lib/security/java.security �

�� .

security.provider.1=sun.security.provider.Sunsecurity.provider.2=com.ibm.spi.IBMCMSProvidersecurity.provider.3=com.ibm.crypto.provider.IBMJCE


� 19 � �� 289

4. �� : IBM PCI 4758 Cryptographic Coprocessor Card

� �� , �� . �

� �, WebSEAL� PKCS#11 �� GSKit 7 API� �

�� PKCS#11� �� .

a. GSKIT_HOME/classes/native/native-support.zip��

�� . �� ,

native-support.zip � AIX� /usr/lib �� Windows� C:\Program

Files\ibm\gsk7\lib� ��.

b. zip � �� . �� , AIX��

�� .

libjpkcs11.solibpkcslog.solibpseudotoken.so

c. IBMPKCS11 �� JAVA_HOME/jre/lib/security/

java.security � �� .

security.provider.1=sun.security.provider.Sunsecurity.provider.2=com.ibm.spi.IBMCMSProvidersecurity.provider.3=com.ibm.crypto.provider.IBMJCEsecurity.provider.4=com.ibm.crypto.pkcs11.provider.IBMPKCS11

d. ��: gsk7ikm �� gsk7cli ��

�� .

v gsk7ikm �� PKCS#11 ��

�� . ��

�� . � �� GSKIT_HOME/classes/

ikmuser.properties � �� . � � ��

� ��, �� GSKIT_HOME/classes/ikmuser.sample�� .

DEFAULT_CRYPTOGRAPHIC_MODULE� PKCS#11 ��

PKCS#11 �� . �� ,

IBM Cryptographic Accelerator� �� AIX 5.2�

/usr/lib/pkcs11/PKCS11_API.so� ��.

gsk7ikm GUI��

��. ��

PKCS#11 �� PKCS#11 �� . ��

DEFAULT_CRYPTOGRAPHIC_MODULE� � �� .

v gsk7cli �� gskit_install/classes/

ikeycmd.properties � ��

�� .

– Windows ��:

DEFAULT_CRYPTOGRAPHIC_MODULE=path\\pseudotoken.dll



– UNIX ��:

DEFAULT_CRYPTOGRAPHIC_MODULE=path\\libpseudotoken.so

iKeyman �� . iKeyman ��

�� SSL� �� 393 �� 24 �

�SSL(Secure Sockets Layer) �� IBM Global Security Kit Secure Sockets

Layer and iKeyman User’s Guide� ��.

IBM Tivoli Directory Client ��

IBM Tivoli Directory Client� �� AIX, HP-UX, Linux, Solaris � Windows

�� IBM Tivoli Access Manager CD� IBM Tivoli Directory Server�

� ��.

�� Tivoli Access Manager� �� IBM Tivoli

Directory Client� �� .


Windows ��.

v Java Runtime Environment �� Web Portal Manager �� .

v Lotus Domino� �� .

� � �� .

v 291 �� AIX

v 292 �� HP-UX

v 292 �� Linux



AIX: IBM Tivoli Directory Client ��

AIX� IBM Tivoli Directory Client� �� .

1. root� ��.

2. IBM Tivoli Access Manager CD for AIX� �� .

3. �� .

installp -acgXd cd_mount_point/usr/sys/inst.images ldap.client ldap.max_crypto_client


��.

IBM Tivoli Directory Client� �� .


� 19 � �� 291

HP-UX: IBM Tivoli Directory Client ��

HP-UX� IBM Tivoli Directory Client� �� .

1. � �� LDAP ��

��.

2. root� ��.

3. IBM Tivoli Access Manager CD for HP-UX� ��.


�� CD� ��. �� , �� .



5. �� .

swinstall -s /cd-rom/hp LDAPClient

�� /cd-rom/hp� �� LDAPClient� IBM Tivoli Directory Client

�� .

6. CD� � �� LDAP �� .

am_update_ldap.sh

7. �� CD� �� .


�� /cd-rom� �� .


Linux: IBM Tivoli Directory Client ��

Linux� IBM Tivoli Directory Client� �� .

�: � �� IBM Tivoli Directory Client� ��

��.

1. root� ��.

2. �� openldap2-client-2.1.4-30 �� LDAP

�� .

�: openldap2-client� IBM Tivoli Directory Client� � � ��

�� , /usr/bin� �� IBM LDAP

�� (symlink)�� .



/usr/bin/ldapadd → /usr/ldap/bin/ldapmodify/usr/bin/ldapdelete → /usr/ldap/bin/ldapdelete/usr/bin/ldapmodify → /usr/ldap/bin/ldapmodify/usr/bin/ldapmodrdn → /usr/ldap/bin/ldapmodrdn/usr/bin/ldapsearch → /usr/ldap/bin/ldapsearch

3. IBM Tivoli Access Manager CD for xSeries, zSeries or pSeries and iSeries

� �� .




rpm -ihv package


v xSeries� Linux: ldap-clientd-5.2-1.i386.rpm

v zSeries� Linux: ldap-clientd-5.2-1.s390.rpm

v pSeries � iSeries� Linux: ldap-client-5.2-1.ppc.rpm


Solaris: IBM Tivoli Directory Client ��

Solaris� IBM Tivoli Directory Client� �� .

1. root� ��.


3. /cdrom/cdrom0/solaris �� .


pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault IBMldapc

�� -d /cdrom/cdrom0/solaris� ��

-a /cdrom/cdrom0/solaris/pddefault� ��

��.

5. �� , /opt� �� .

�� , /opt� �� . /opt� ��

�� Enter� ��.


Windows: IBM Tivoli Directory Client ��

Windows� IBM Tivoli Directory Client� �� .

1. �� .



� 19 � �� 293

3. �� setup.exe � ��.

windows\Directory

�� .

4. �� .

5. �� . �� .

6. �� . �� . �

��

� � ��. �� .

7. �� IBM Tivoli Directory Client� ��

�. ��

�� .

8. IBM Tivoli Directory Client� �� .

9. �� .

10. Client SDK 5.2 �� .

11. �� . �� . �

�� .

�� . �� .

�: Windows ��

��.

12. � � �� README � ��. README� ��

�� .

13. �� .


IBM JRE ��

Access Manager Java Runtime Environment� ��

� IBM JRE, �� 1.3.1(AIX�� 1.3.1.5)� ��.

� � �� .

v 295 �� AIX

v 295 �� HP-UX

v 296 �� Linux





AIX: IBM JRE, �� 1.3.1.5 ��

AIX� JRE, �� 1.3.1.5� �� .

1. root� ��.

2. IBM Tivoli Access Manager for AIX CD� �� .

3. �� .

installp -acgXd cd_mount_point/usr/sys/inst.images Java131.rte


��.

4. �� .

v PATH �� . �� , �� .

export PATH=/usr/java131/jre/bin:$PATH

�: IBM JRE 1.3.1.5� � �� java -version

�� .

v JAVA_HOME �� JRE 1.3.1� �� . �� ,

JAVA_HOME� �� ksh� �� .

export JAVA_HOME=/usr/java131/jre

5. IBM Tivoli Directory Server �� :

v JAVA_HOME� �� Java �� IBM Tivoli Directory Server(��

�)� � � Java �� . IBM Tivoli Directory

Server �� , �� LIBPATH ��

��.

export LIBPATH=/usr/ldap/java/bin:/usr/ldap/java/bin/classes:$LIBPATH

v IBM Tivoli Directory Server �� GSKit iKeyman ��

��, �� /usr/ldap/jre�� /usr/ldap/java��

��.

ln -s /usr/ldap/java /usr/ldap/jre

IBM JRE 1.3.1.5� �� .

HP-UX: IBM JRE, �� 1.3.1 ��

HP-UX� JRE 1.3.1� �� .

1. root� ��.

2. IBM Tivoli Access Manager for HP-UX CD� ��.


�� CD� ��. �� , �� .


IBM JRE ��

� 19 � �� 295


4. �� .

swinstall -s /cd_drive/hp rte_13101os11.depot B9789AA

�� /cd_drive� CD �� /cd_drive/hp� ��.

5. �� PATH �� .

export PATH=java_path:$PATH

6. GSKit iKeyman �� , ��

�� .

SHLIB_PATH=/usr/lib

�� , �� .

export SHLIB_PATH=/usr/lib;$SHLIB_PATH

�: � �� Tivoli Access Manager �� GSKit

�� .

7. �� CD� �� .


�� /cd-rom� �� .

IBM JRE 1.3.1� �� .

Linux: IBM JRE, �� 1.3.1 ��

Linux� JRE 1.3.1� �� .

1. root� ��.

2. IBM Tivoli Access Manager CD for xSeries, zSeries or pSeries and iSeries

� �� .



4. IBM JRE 1.3.1 �� .

rpm -ihv package


v xSeries� Linux: IBMJava2-JRE-1.3.1-3.0.i386.rpm

v zSeries� Linux: IBMJava2-JRE-1.3.1-3.0.s390.rpm

v pSeries � iSeries� Linux: IBMJava2-JRE-1.3.1-3.0.ppc.rpm

5. �� PATH �� .

export PATH=jre_path:$PATH

IBM JRE ��


�� , PATH �� JRE� ��

� ��.

export PATH=/opt/IBMJava2-s390-131/jre/bin:$PATH

6. Red Hat Enterprise Linux 2.1� �� .

export LD_PRELOAD=/usr/lib/libstdc++-libc6.2-2.so.3

�: Tivoli Access Manager� Access Manager Plug-in for Edge Server� �

�� Red Hat Enterprise Linux 2.1� ��.

7. Red Hat Enterprise Linux 3.0� ��, Red Hat Linux 3� � ��

� ��(NPTL)� Tivoli Access Manager� � �� IBM JDK 1.3.1

�� . ��

�� LD_ASSUME_KERNEL �� JDK 1.3.1 ��

�� . �� , �� .

export LD_ASSUME_KERNEL=2.4.0export LD_ASSUME_KERNEL=2.2.5

�� , �� JRE �� . � ��

�� .


IBM JRE 1.3.1� �� .

Solaris: IBM JRE, �� 1.3.1

Solaris� JRE 1.3.1� �� .

1. root� ��.


3. IBM JRE 1.3.1 �� .

pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault SUNWj3rt



4. �� PATH �� .

PATH=/usr/j2se/jre/bin:$PATHexport PATH

IBM JRE 1.3.1� �� .

Windows: IBM JRE, �� 1.3.1 ��

Windows� IBM JRE 1.3.1� �� .

1. �� .

IBM JRE ��

� 19 � �� 297



3. �� .

cd_drive\windows\JRE\install.exe

�� . �� .

4. �� PATH �� .

set PATH=install_dir;%PATH%

�� , �� .

set PATH=c:\Program Files\IBM\Java131\jre\bin;%PATH%

5. GSKit iKeyman �� , �� .

a. JAVA_HOME �� Java �� . �� , �

� ��.

set JAVA_HOME=c:\Program Files\IBM\Java131

b. GSKit bin � lib �� PATH �� . �� , ��

��.

set PATH="C:\Program Files\ibm\gsk7\bin";%PATH%set PATH="C:\Program Files\ibm\gsk7\lib";%PATH%

IBM JRE 1.3.1� �� .

WebSphere Application Server ��

IBM WebSphere Application Server 5.0.2� �� IBM Tivoli Access

Manager Web Administration Interfaces � IBM Tivoli Access Manager Attribute

Retrieval Service CD� � ��.

WebSphere Application Server� �� Tivoli Access Manager ��

� Web Portal Manager �� IBM Tivoli Directory Server ��

� �� .

AIX, HP-UX, xSeries� Linux, Solaris � Windows 2000 �� IBM

WebSphere Application Server� �� 2� ��. ��

� �� 5.0.2 ��.


��.


� � �� .

v 299 �� AIX

IBM JRE ��



v 301 �� HP-UX

v 303 �� Linux



AIX: WebSphere Application Server ��

Web Portal Manager �� WebSphere

Application Server� ��. AIX� WebSphere Application Server 5.0.2� �

�� .

�: WebSphere �� IBM Tivoli Access Manager Web Administration Interfaces

for AIX �� IBM Tivoli Access Manager Attribute Retrieval Service for AIX

CD� usr/sys/inst.images/websphere/docs �� .

1. root� ��.

2. IBM Tivoli Access Manager Web Administration Interfaces for AIX �� IBM

Tivoli Access Manager Attribute Retrieval Service for AIX CD� ��

� ��.

3. CD �� /usr/sys/inst.images/websphere/aix ��

�.

4. �� .

./install

�� .

5. �� .

6. �� . �� .

7. �� .

�� . �� .

8. �� , Embedded Messaging � IBM WebSphere

MQSeries� �� JMS �� Embedded Messaging

� �� . �� .

9. �� . ��

� �� .

v IBM WebSphere Application Server, �� 5

v IBM HTTP Server, �� 1.3.26

10. � � � ��

� ��.


� 19 � �� 299

�: � � � �� (�) �� . �

�� DNS � �� IP ��.

11. �� . ��

�� .

�� . �� .

12. �� , ��

�� .

13. �� . WebSphere Application Server -- �

�� . ��

��.

14. �� , �� 2� �� . �� AIX: WebSphere Application

Server, �� 2 �� .

AIX: WebSphere Application Server, �� 2 ��

AIX� WebSphere Application Server, �� 2� ��

��.

1. WebSphere Application Server � IBM HTTP Server� ��. LDAP

�� , LDAP ��

��.

2. JAVA_HOME �� . �� , ��

�.

export JAVA_HOME=/opt/WebSphere/AppServer/java

3. IBM Tivoli Access Manager WebSphere Fix Pack for AIX CD� ��

� ��.

4. � CD� �� .

5. aix/websphere_fixpack ��(CD �� )� ��

�� .

./updateWizard.sh

�� .

6. �� .

7. �� . �� .

8. IBM WebSphere Application Server v5.0.0� ��

�� .

9. �� .



10. �� . �� , CD�

websphere_fixpack �� C:\temp �� , ��

� �� .


�� .

11. �� .

12. IBM HTTP Server� �� .


WebSphere Application Server 5.0� � � Embedded Messaging�

�� , � �� .

13. �� . ��

��. �� .

14. �� .

15. WebSphere Application Server � IBM HTTP Server� �� .

HP-UX: WebSphere Application Server ��


Application Server� ��. HP-UX� WebSphere Application Server 5.0.2�

�� .


for HP-UX �� IBM Tivoli Access Manager Attribute Retrieval Service for

HP-UX CD� hp/websphere/docs �� .

1. root� ��.

2. IBM Tivoli Access Manager Web Administration Interfaces for HP-UX ��

IBM Tivoli Access Manager Attribute Retrieval Service for HP-UX CD� �

��.


�� CD� ��. �� , �� .



4. CD �� hp/websphere/hp �� .

5. �� .

./install

�� .


� 19 � �� 301

6. �� .

7. �� . �� .

8. �� .

�� . �� .



� �� . �� .

10. �� . ��

� �� .



11. � � � ��

� ��.

�: � � � �� (�) �� . �

�� DNS � �� IP ��.

12. �� . ��

�� .

�� . �� .

13. �� , ��

�� .


�� . ��

��.

15. �� CD� �� .


�� /cd-rom� �� .

16. �� , �� 2� �� . �� HP-UX: WebSphere

Application Server, �� 2 �� .

HP-UX: WebSphere Application Server, �� 2 ��

HP-UX� WebSphere Application Server, �� 2� ��

��.


�� , LDAP ��

��.



2. JAVA_HOME �� . �� , ��

�.


3. IBM Tivoli Access Manager WebSphere Fix Pack for HP-UX CD� ��

��.

4. � CD� �� .

5. hp/websphere_fixpack ��(CD �� )� ��

�� .

./updateWizard.sh

�� .

6. �� .

7. �� . �� .


�� .

9. �� .

10. �� . �� , CD�


� �� .


�� .

11. �� .




�� , � �� .

13. �� . ��

��. �� .

14. �� .


Linux: WebSphere Application Server ��


Application Server� ��. Linux� WebSphere Application Server 5.0.2�

�� .


� 19 � �� 303


for Linux on xSeries, zSeries or pSeries/iSeries �� IBM Tivoli Access Manager

Attribute Retrieval Service CD or Linux on xSeries or zSeries�

series/websphere/docs �� .

1. root� ��.

2. IBM Tivoli Access Manager Web Administration Interfaces for Linux on xSeries,

zSeries or pSeries/iSeries �� IBM Tivoli Access Manager Attribute Retrieval

Service for Linux on xSeries or zSeries CD� �� .

3. CD �� .

xSeries� Linux: /xSeries/websphere/linuxi386

zSeries� Linux: /zSeries/websphere/linuxs390

pSeries � iSeries� Linux: /pSeries/websphere/linuxppc

4. �� .

./install

�� .

5. �� .

6. �� . �� .

7. �� .

�� . �� .



� �� . �� .

9. �� . ��

� �� .



10. � � � ��

� ��.

�: � � � �� (�) �� . �

�� DNS � �� IP ��.

11. �� . ��

�� .

�� . �� .

12. �� , ��

�� .




�� . ��

��.

14. xSeries� Linux� �� 2� ��. �� xSeries�

Linux: WebSphere Application Server, �� 2 �� .

xSeries� Linux: WebSphere Application Server, �� 2 ��

xSeries� Linux� WebSphere Application Server, �� 2� ��

�� .


�� , LDAP ��

��.

2. JAVA_HOME �� .�� , �� .


3. IBM Tivoli Access Manager WebSphere Fix Pack for Linux on xSeries CD

� �� .

4. � CD� �� .

5. platform/websphere_fixpack ��(CD �� )� �

� �� .

./updateWizard.sh

�� .

6. �� .

7. �� . �� .


�� .

9. �� .

10. �� . �� , CD�


� �� .


�� .

11. �� .



� 19 � �� 305



�� , � �� .

13. �� . ��

��. �� .

14. �� .


Solaris: WebSphere Application Server ��


Application Server� ��. Solaris� WebSphere Application Server 5.0.2�

�� .


for Solaris �� IBM Tivoli Access Manager Attribute Retrieval Service for

Solaris CD� solaris/websphere/docs �� .

1. root� ��.

2. IBM Tivoli Access Manager Web Administration Interfaces for Solaris ��

IBM Tivoli Access Manager Attribute Retrieval Service for Solaris CD� �

��.

3. CD �� solaris/websphere/sun �� .

4. �� .

./install

�� .

5. �� .

6. �� . �� .

7. �� .

�� . �� .



� �� . �� .

9. �� . ��

� �� .





10. � � � ��

� ��.

�: � � � �� (�) �� . �

�� DNS � �� IP ��.

11. �� . ��

�� .

�� . �� .

12. �� , ��

�� .


�� . ��

��.

14. �� 2� ��. �� Solaris: WebSphere Application Server,

�� 2 �� .

Solaris: WebSphere Application Server, �� 2 ��

Solaris� WebSphere Application Server, �� 2� ��

��.


�� , LDAP ��

��.

2. JAVA_HOME �� . �� , ��

�.


3. IBM Tivoli Access Manager WebSphere Fix Pack for Solaris CD� ��

��.

4. � CD� �� .

5. solaris/websphere_fixpack ��(CD �� )� �

� �� .

./updateWizard.sh

�� .

6. �� .

7. �� . �� .


�� .

9. �� .


� 19 � �� 307

10. �� . �� , CD�


� �� .


�� .

11. �� .




�� , � �� .

13. �� . ��

��. �� .

14. �� .


Windows: WebSphere Application Server ��


Application Server� ��. Windows� WebSphere Application Server 5.0.2�

�� .


�� IBM Tivoli Access Manager Attribute Retrieval Service CD�

windows\websphere\docs(Windows 2000) �� windows2003\websphere\docs

(Windows 2003) �� .

1. �� .

2. �� Windows �� .

3. IBM Tivoli Access Manager Web Administration Interfaces �� IBM Tivoli

Access Manager Attribute Retrieval Service CD for Windows 2000 or Windows

2003� ��.

4. CD �� .

v Windows 2000 ��:

windows\websphere\nt

v Windows 2003 ��:

windows2003\websphere\windows2003

5. �� .

install.exe



�� .

6. �� .

7. �� . �� .

8. �� .

�� . �� .



� �� . �� .

10. �� . ��

� �� .



11. � � � ��

� ��.

�: � � � �� (�) �� . �

�� DNS � �� IP ��.

12. WebSphere Application Server � IBM HTTP Server� Windows ��

�� . �� ID� ��

��. �� WebSphere� �� , ��

� ID � �� .

13. �� . ��

�� .

�� . �� .

14. �� , ��

�� .


�� . ��

��.

16. Windows 2000 �� 2� ��. �� Windows

2000: WebSphere Application Server �� 2 �� .

Windows 2000: WebSphere Application Server �� 2 ��

Windows� WebSphere Application Server, �� 2� ��

��.


�� , LDAP ��

��.


� 19 � �� 309

2. JAVA_HOME �� . ��

install_dir\bin �� setupCmdLine.bat � ��. �

�� install_dir� WebSphere Application Server� �� . �

� �, �� .

C:\Program Files\WebSphere\AppServer\bin\setupCmdLine.bat

3. IBM Tivoli Access Manager WebSphere Fix Pack for Windows 2000 CD�

��.

4. � CD� �� .

5. windows/websphere_fixpack ��(CD �� )� �

� �� .

updateWizard

�� .

6. �� .

7. �� . �� .


�� .

9. �� .

10. �� . �� , CD�


� �� .


�� .

11. �� .




�� , � �� .

13. �� . ��

��. �� .

14. �� .




� ��


� ��. � �� .

�� .

�: IBM Tivoli Directory Server, �� 4.1 �� 5.1� �� , ��

� �� am_update_ldap.sh LDAP �� .

v 311 �� AIX

v 312 �� HP-UX

v 313 �� Linux



�: Tivoli Access Manager� � �� IBM WebSphere Application Server,

�� 5.0.2� �� . �� Web Portal

Manager �� , � � WebSphere ��

� �� .

AIX: � ��

AIX� �� .

1. root� ��.

2. �� . �� 26

�� .

3. �� .



� �� 57 �� IBM Tivoli Directory Server

�� 298 �� WebSphere Application Server �� .

4. IBM Tivoli Access Manager Web Administration Interfaces for AIX CD� �

�� .

5. �� .

installp -acgXd cd_mount_point/usr/sys/inst.images ldap.webdadmin ldap.max_crypto_webdadmin


��.

6. �� WebSphere Application Server �� . �� 316

�� .

� ��

� 19 � �� 311

�� . �� , WebSphere Application

Server� �� .


��


�� , �� .


�� localhost� �� WebSphere Application Server� ��

�� IP �� . ��

�� IBM Tivoli Directory Server Administration Guide, Version 5.2� ��

��.


HP-UX: � ��

HP-UX� �� .

1. root� ��.

2. �� . �� 26

�� .

3. �� .





4. IBM Tivoli Access Manager Web Administration Interfaces for HP-UX CD�

��.


�� CD� ��. �� , �� .



6. �� .

swinstall -s /cd-rom/hp ldapwebadmin

�� /cd-rom/hp� ��.

� ��




�� .

8. �� CD� �� .


�� /cd-rom� �� .


Server� �� .


��


�� , �� .



�� IP �� . ��


��.


Linux: � ��

Linux� �� .



1. root� ��.

2. �� . �� 26

�� .

3. �� .





4. IBM Tivoli Access Manager Web Administration Interfaces CD for xSeries,

zSeries or pSeries and iSeries� �� .

� ��

� 19 � �� 313




6. �� .

rpm -ihv package


v xSeries� Linux: ldap-webadmind-5.2-1.i386.rpm

v zSeries� Linux: ldap-webadmind-5.2-1.s390.rpm

v pSeries � iSeries� Linux: ldap-webadmind-5.2-1.ppc.rpm


�� .


Server� �� .


��


�� , �� .



�� IP �� . ��


��.


Solaris: � ��

Solaris� �� .

1. root� ��.

2. �� . �� 26

�� .

3. �� .





� ��



4. IBM Tivoli Access Manager Web Administration Interfaces for Solaris CD�

��.

5. �� .

pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault IBMldapw




�� .


Server� �� .


��


�� , �� .



�� IP �� . ��


��.


Windows: � ��

Windows� �� .

1. �� .

2. �� . �� 26

�� .

3. �� .





4. IBM Tivoli Access Manager Web Administration Interfaces CD for Windows

2000/Windows 2003� ��.

� ��

� 19 � �� 315


5. �� . ��

setup.exe �� .

\windows\Directory

�� . �� 5.2� ��

� �� .


�� .


Server� �� .

C:\Program Files\WebSphere\AppServer\bin\startServer.bat server1

�� , �� .



�� IP �� . ��


��.


WebSphere� � ��

�� , � �� WebSphere Application Server�

�� . �� .

WebSphere �� IBM

WebSphere Application Server 5.0 �� .


http://publib7b.boulder.ibm.com/wasinfo1/en/info/ae/ae/trun_app_instwiz.html

�� WebSphere Application Server ��

�.

1. WebSphere Application Server �� . �� , ��

� �� .

http://hostname:9090/admin/

�� hostname� IBM WebSphere Application Server� ��

�� IP �� .

� ��




http://publib7b.boulder.ibm.com/wasinfo1/en/info/ae/ae/trun_app_instwiz.html

2. � �� → � �� . �

�� .

3. � �� .

a. �� IDSWebApp.war � ��

�� .

1) UNIX ��:

install_dir/idstools/IDSWebApp.war

2) Windows ��:

install_dir\idstools\IDSWebApp.war

�� install_dir� �� .

�� , C:\Program Files\IBM\LDAP\idstools\IDSWebApp.war��

�.

�: � �� ( �� ) ��

�(�� )� �� .

b. �� .

/IDSWebApp

c. �� .

4. ��

��. ��

�� . � �� . ��

�� .

� �� .

5. (1 �: �� ) �� IDSWebApp_war� �

�� , �� .

6. (2 �: �� ) �� IBM Tivoli Directory Server

Web Application v2.0� �� default_host� ��

�� .

7. (3 �: �� ) IBM Tivoli Directory Server Web

Application v2.0� �� .

8. (4 �: �) �� .

9. ��

��. �� .

� ��

� 19 � �� 317

� ��


� 20 � ��


�� , Tivoli Access Manager �� .

� �� .

v �Tivoli Access Manager ��

v 320 �� IBM Tivoli Directory Server ��

v 321 �� Tivoli Access Manager for WebSphere ��

v �� :

– 321 �� AIX

– 322 �� HP-UX

– 323 �� Linux

– 324 �� Solaris

– 325 �� Windows

��

v Access Manager Policy Server �� Access Manager Runtime ��

�� WebSEAL �� Tivoli Access Manager ��

� �� .

v �� Policy Server �� .



�� (�� ). �� .

1. UNIX�� root� ��. Windows�� Windows ��

� �� .

2. �� .

pdconfig

�: Windows �� → �� → Access Manager → ��

� �� .

Access Manager for e-business �� .


3. �� . UNIX� ��


Windows� ��

��. �� .

a. Access Manager Web Portal Manager, Access Manager WebSEAL Server,

Access Manager Plug-in for Edge Server �� Access Manager Plug-in for

Web Servers

b. Access Manager Authorization Server

c. Access Manager Policy Proxy Server

d. Access Manager Policy Server

e. Access Manager Runtime � Access Manager Java Runtime Environment

�:

v �� , �� .

v Policy Server �� Policy Proxy Server� �� , LDAP ��

� �� (cn=root) � �� .

v Policy Server� �� , �� Tivoli Access

Manager ��

� ��. �� y� ��.

LDAP �� DN � �� , ��

�� . ��

�� y� ��. ��

�� n�

��.

v Access Manager Java Runtime Environment� �� Access Manager

Runtime� �� , �� /opt/PolicyDirector/sbin/

pdjrtecfg �� .

./pdjrtecfg -action unconfig -interactive


IBM Tivoli Directory Server� �� . � ��

�� .

1. UNIX�� root� ��. Windows�� Windows ��

� �� .

2. ibmslapd �� .

3. ldapucfg �� IBM Tivoli Directory Server�� DB2 ��

�� . �� .

��


ldapucfg -d -i

�� 1� �� . ��

�� , ldapucfg ��

�� . �� , ��

�� .

�: ��

��.

db2stopdb2ilistdb2idrop instance_name


PDWAS �� Tivoli Access Manager for WebSphere

�� .

1. root� ��.


3. �� -action [unconfigWAS4 | unconfigWAS5] � �� pdwascfg

�� .

pdwascfg -action unconfig version_number-remote_acl_user user_CN-sec_master_pwd password-was_home home_directory_of_WebSphere_Application_Server-pdmgrd_host policy_server_host_name-pdacld_host authorization_server_host_name

� �� 494 �� pdwascfg�� .

AIX: ��


�� , ��

� ��.


�� .

AIX �� .

1. �� (�� ). 319 �� Tivoli


2. �� .

��

� 20 � �� 321

installp -u -g packages


�: �� -g � ��

�.

IBM Global Security Kit gsksa.rte � gskta.rte

IBM Tivoli Directory Client ldap.client �

ldap.max_crypto_client

IBM Tivoli Directory Server ldap.server �

ldap.max_crypto_server

Access Manager Application Development Kit PD.AuthADK

Access Manager Attribute Retrieval Service PDWeb.ARS

Access Manager Authorization Server PD.Acld

Access Manager Java Runtime Environment PDJ.rte

Access Manager Plug-in for IBM HTTP Server PD.WPIIHS

Access Manager Plug-in for Sun ONE Web Server PD.WPIiPlanet

Access Manager Plug-in for Web Servers PD.WPI

Access Manager Policy Server PD.Mgr

Access Manager Policy Proxy Server PD.MgrPrxy

Access Manager Runtime PD.RTE

Access Manager for WebLogic Server PDWLS

Access Manager for WebSphere Application Server PDWAS

Access Manager Web Portal Manager PD.WPM

Access Manager Web Security Runtime PDWeb.RTE

Access Manager WebSEAL Server PDWeb.Web

Access Manager WebSEAL Development(ADK) PDWeb.ADK

HP-UX: ��


�� , ��

� ��.


�� .

HP-UX �� .

1. �� . 319 �� Tivoli Access Manager

�� .

2. �� .

swremove packages

��



IBM Global Security Kit gsk7bas � gsk7ikm

IBM Tivoli Directory Client LDAPClient

IBM Tivoli Directory Server LDAPServer

Access Manager Application Development Kit PDAuthADK

Access Manager Attribute Retrieval Service PDWebARS

Access Manager Authorization Server PDAcld

Access Manager Java Runtime Environment PDJrte

Access Manager Policy Server PDMgr

Access Manager Policy Proxy Server PDMgrPrxy

Access Manager Runtime PDRTE



Access Manager Web Portal Manager PDWPM

Access Manager Web Security Runtime PDWebRTE

Access Manager WebSEAL Server PDWeb

Access Manager WebSEAL Development(ADK) PDWebADK

�� . � � �

�� .

Linux: ��




�� .

Linux �� .

1. �� . 319 �� Tivoli Access Manager

�� .

2. �� .

v LDAP �� ,

rpm -qa | grep ldap

v GSKit �� ,

rpm -qa | grep gsk

v Tivoli Access Manager �� ,

rpm -qa | grep PD

3. �� .

��

� 20 � �� 323

rpm -e packages


IBM Global Security Kit gsk7bas-7-0-1.9

IBM Tivoli Directory Client ldap-clientd-5.2-1

IBM Tivoli Directory Server ldap-serverd-5.2-1

Access Manager Application Development Kit PDAuthADK-PD-5.1.0-0

Access Manager Attribute Retrieval Service PDWebARS-PD-5.1.0-0

Access Manager Authorization Server PDAcld-PD-5.1.0-0

Access Manager Java Runtime Environment PDJrte-PD-5.1.0-0

Access Manager Plug-in for Apache Web Server PDWPI-Apache-5.1.0-0

Access Manager Plug-in for IBM HTTP Server PDWPI-IHS-5.1.0-0

Access Manager Plug-in for Web Servers PDWPI-PD-5.1.0-0

Access Manager Policy Server PDMgr-PD-5.1.0-0

Access Manager Policy Proxy Server PDMgrPrxy-PD-5.1.0-0

Access Manager Runtime PDRTE-PD-5.1.0-0

Access Manager for WebLogic Server PDWLS-PD-5.1.0-0

Access Manager for WebSphere Application Server PDWAS-PD-5.1.0-0

Access Manager Web Portal Manager PDWPM-PD-5.1.0-0

Access Manager Web Security Runtime PDWebRTE-PD-5.1.0-0

Access Manager WebSEAL Server PDWeb-PD-5.1.0-0

Access Manager WebSEAL Development(ADK) PDWebADK-PD-5.1.0-0

Solaris: ��


�� , ��

� ��.


�� .

Solaris �� .

1. �� . �� 319 �


2. �� .

pkgrm package


IBM Global Security Kit gsk7bas � gsk7ikm

IBM Tivoli Directory Client IBMldapc

��


IBM Tivoli Directory Server IBMldaps

Access Manager Application Development Kit PDAuthADK

Access Manager Attribute Retrieval Service PDWebARS

Access Manager Authorization Server PDAcld

Access Manager Java Runtime Environment PDJrte

Access Manager Plug-in for Apache Web Server PDWPIihs

Access Manager Plug-in for IBM HTTP Server PDWPIapa

Access Manager Plug-in for Sun ONE Web Server PDWPIipl

Access Manager Plug-in for Web Servers PDWPI

Access Manager Policy Server PDMgr

Access Manager Policy Proxy Server PDMgrPrxy

Access Manager Runtime PDRTE



Access Manager Web Portal Manager PDWPM

Access Manager Web Security Runtime PDWebRTE

Access Manager WebSEAL Server PDWeb

Access Manager WebSEAL Development(ADK) PDWebRTE

3. � �� y� ��.

�� . � � ��

�� .

Windows: ��


�� , ��

� ��.


�� .

Windows �� .

1. Windows �� .

2. �� → �� → �� /�� .

3. �� .

4. �� .

5. �� GSKit� �� .

isuninst -f"c:\program files\ibm\gsk7\gsk7bui.isu"

��

� 20 � �� 325

�� c:\program files\ibm\gsk7� gsk7BUI.isu � ��

��.

�: GSKit� �� Tivoli Access Manager �� /��

�� .

��


� 21 � ��


� �� .

v 328 �� install_ldap_server ��

v 336 �� install_ammgr ��

�� 345 �� 22 � ��

�� .



�� install_ldap_server �� IBM Tivoli Directory Server�

Tivoli Access Manager �� . � ��

�� , Tivoli Access Manager ��

�� .

��

IBM Tivoli Directory Server� �� , ��

�(�� )� �� . ��

��.

v DB2 �� ID(�: ldapdb2(UNIX) �� db2admin(Windows))�

��. �� ID� DB2 ��

�� . �� ID� ��

�.

�! Windows �� -- install_ldap_server �� , �

�� ID� DB2 �� ID � DB2 �� ID, � �

� ��. �� ID� ��

�� . �� , DB2 �� ID� ldapdb2� ��,

DB2 �� ID� db2admin�� .

– �� ID� 8� � � ��.

– Windows ��, �� ID�

� � �� .

– UNIX ��, �� , � � ��

�� .

– DB2 �� . ��

� �� .

- DB2 �� DB2 �� DB2 ��

� �� . AIX � Solaris�� dbsysadm�

��. zSeries� Linux��, � �� db2iadm1��. ��

�, �� ldapdb2 �, �� AIX� Solaris��

ldapdb2:dbsysadm� �� zSeries� Linux�� ldapdb2:db2iadm1

� ��.

��

� �� . �� , Linux�� users

�� . �� Linux�� other

� �� .

��


– �� root� DB2 ��

�� . root� � �� , root� ��

�� .

– �� Korn (/usr/bin/ksh)��

��.

– �� . �� , ��

� ��

��(��

telnet� � �� ID� ��

�).

– �� ID� � ��

�� . ��

�� , �� 3-4MB� ��

�� . �� DB2� ��

� �� (�, User)� � ��

��. � �� , � � ��

�� .

v AIX �� , IBM Tivoli Directory Server, �� 5.2�

64� �� 63� � ��. ��

�� .

– AIX �� 64�� .

bootinfo -y

� � 64� �� 64�� . � ��, lsattr --El

proc0 �� , �� .

RS64 I, II, III, IV, POWER3, POWER3 II �� POWER4 � ��

� �� 64� �� .

– 64� �� 32 �� 64� � �� . 64�

(/usr/lib/boot/unix_64)� ��

��.

bootinfo -K

� � 64� �� 64��. �� 32� ��, 32

� �� 64� � �� . ��

��.

1. �� 64� �� .

bos.64bitbos.mp64

2. 64� � �� .

��

� 21 � �� 329

ln -sf /usr/lib/boot/unix_64 /unixln -sf /usr/lib/boot/unix_64 /usr/lib/boot/unixlslv -m hd5bosboot -ad /dev/ipldeviceshutdown -Fr

– �� I/O� �� . ��

��.

/usr/sbin/mkdev -l aio0/usr/sbin/chdev -l aio0 -P/usr/sbin/chdev -l aio0 -P -a autoconfig=available



�� .

1. root �� .

2. �� IBM Tivoli Access Manager Directory Server CD� ��

��.

3. �� JVM� �� JVM�� . ��

�� .

�� JVM� �� .-is:javahome <JAVA HOME DIR> �� .

Tivoli Access Manager� � �� JRE �� 294 ��

� �IBM JRE �� .

4. SSL� �� , �� SSL � � ��

�� . �� CD� common ��

� (am_key.kdb)� install_dir\lib �� .

5. �� CD ��

��.

install_ldap_server

6. �� .

��


7. �� . �� .

8. �� , �� .� �

��. �� .

9. �� .

v Windows ��: �� GSKit, IBM DB2 � IBM Tivoli


�� . �

� �� .

��

� 21 � �� 331

v UNIX ��: 10 �� . �� GSKit, IBM

DB2 � IBM Tivoli Directory Server� �� .

– GSKit ��

AIX: /usr/opt/ibm/gsksa � /usr/opt/ibm/gskta

HP-UX � Solaris: /opt/ibm/gsk7

Linux: /usr/local/ibm/gsk7

– IBM DB2 ��

AIX � Linux: /usr/ldap/db2

HP-UX � Solaris: /opt/IBM/db2

– IBM Tivoli Directory Server ��

AIX � Linux: /usr/ldap

HP-UX � Solaris: /opt/IBMldaps

10. 328 �� DB2 ��

� ID� �� . �� .

11. �� .

a. �� ID -- �� DN� �� DN(cn=root)� ��.

� ID� ��

� �� DN��.

�: DN� �� . X.500 ��

� �� DN� �� , �� DN� ��

��.

��


b. �� -- �� ID� �� . ��

�� .

c. �� -- �� .

d. �� -- �� (�

: o=ibm,c=us)� ��.

e. �� -- LDAP ��

��.

12. �� .

�: am_key.kdb� �� , SSL � ��, ��

� �� .

a. SSL � �� . ��

key4ssl(��)��.

b. LDAP �� SSL � �� . ��

� �� PDLDAP��.

�: Policy Server �� Authorization Server� ��

�� . � �� SSL � ��

��

�� . �� LDAP ��

�� .kdb �� .

��

� 21 � �� 333

13. �� . �� . �

�� .

�� . �� . � ��

� �� .

�: Windows ��

��.

��


14. IBM Tivoli Directory Server � ��

��.

��

�. �� , ��

� �� . �� , ��

� � �� .

�: ��

msg__ldaps_install.log � ��.

v UNIX ��:

/tmp

v Windows ��:

C:\Documents and Settings\Administrator\Local Settings\Temp

15. ��: IBM Tivoli Directory Server� ��

�� . � �� . IBM

WebSphere Application Server 5.0.2(Tivoli Access Manager� � ��)

� �� . �� Web Portal

Manager �� , � � WebSphere ��

� �� .

� GUI� �� 311 �� .

�: IBM Tivoli Directory Server, �� 4.1 �� 5.1� �� , �

� � �� am_update_ldap.bat LDAP ��

��.

��

� 21 � �� 335

16. �� am_key.kdb � � �� SSL� �� , � ��

�� SSL� ��

� �� . �� SGKit� � ��

� iKeyman � �� . �� 285 ��

�Global Security Kit �� GSKit iKeyman ��

� ��.

install_ammgr ��

�� Tivoli Access Manager Policy Server

� ��. �� LDAP �� Policy Server� ��

� �� install_ammgr �� . � �� Tivoli Access

Manager ��, ��

�� .

�: Policy Server ��

�.

install_ammgr �� Tivoli Access Manager Policy Server� ��

�� .

1. root �� .

2. �� . �� ,

� InstallShield �� .


��.

4. �� IBM Tivoli Access Manager Base CD� ��.

5. Policy Server� IBM Tivoli Directory Server� ��

6�� . �� , IBM Tivoli Directory Server� ��

�� SSL � � � �� . ��

�, � am_key.kdb � �� IBM Tivoli Directory Server

�� .

6. �� CD ��

��.

install_ammgr

��


7. �� .

8. �� . �� .

��

� 21 � �� 337

9. �� , �� .� �

��. �� .

10. Tivoli Access Manager� �� . ��

�� .

11. Tivoli Common Directory� �� . �� Tivoli ��

��

�� .

��


� �� , �� .

�� , � �� Tivoli �� .

12. �� .

v Windows ��: �� GSKit, IBM DB2 � IBM Tivoli

Directory Client� �� .

�� . �

� �� .

v UNIX ��: 13 �� . �� GSKit, IBM

DB2 � IBM Tivoli Directory Client� �� .

– GSKit ��

AIX: /usr/opt/ibm/gsksa � /usr/opt/ibm/gskta

HP-UX � Solaris: /opt/ibm/gsk7

Linux: /usr/local/ibm/gsk7

– IBM DB2 ��

AIX � Linux: /usr/ldap/db2

HP-UX � Solaris: /opt/IBM/db2

– IBM Tivoli Directory Client ��

AIX � Linux: /usr/ldap

HP-UX � Solaris: /opt/IBMldapc

13. �� .

��

� 21 � �� 339

v LDAP �� -- LDAP ��

�.

v LDAP �� -- LDAP �� (389). LDAP

�� , � ��

�.

v Windows �� , IBM Tivoli Directory Server� SSL(Secure

Sockets Layer) �� . ��

�� SSL� �� . �� , � ��

�� 15 �� SSL � �� . ��

� �� 341 �� 16 �� .

14. UNIX �� , IBM Tivoli Directory Server� � SSL(Secure Sockets

Layer)� �� . �� LDAP ��

SSL� �� . ��

�� . 15 �� SSL � ��

�.

15. IBM Tivoli Directory Server� � SSL� �� , ��

�� .

v �� SSL � �� -- LDAP SSL ��

�� . �� , am_key.kdb � c:\keytabs �

�� , c:\keytabs\am_key.kdb� ��.

v SSL � �� -- � � �� . am_key.kdb � �

� �� key4ssl��. ��, gsk7ikm ��

� �� .

��


v �� -- �� am_key.kdb� ��

SSL �� .

v SSL � -- SSL � �� (636). ��

� ��.

16. �� .

v Tivoli Access Manager �� -- �� ID(sec_master)� �

� �� . sec_master ID� ��

� ID, �� .

v Policy Server SSL � -- SSL � �� (7135). �

�� .

v SSL � ��(�) -- SSL �� . �

� �� 365 ��.

v SSL �� (�) -- SSL ��

�( )� ��. �� 7200 ��.

v LDAP �� DN -- LDAP �� DN� �� (cn=root)� �

��.

v LDAP �� -- LDAP �� DN �� .

��

� 21 � �� 341

17. �� . �� . �

�� .

�� . �� . � ��

� �� .

18. Policy Server � �� .

��


Windows ��

�� . ��

�� . �� .

Policy Server �� .

Policy Server� �� , �� Tivoli Access Manager ��

�� . Tivoli Access Manager �� 12 ��

�Tivoli Access Manager �� .

��

� 21 � �� 343

� 22 � ��

� ��

��. �� .

v 346 �� Access Manager Runtime(LDAP)�

v 348 �� Access Manager Runtime(Active Directory)�

v 351 �� Access Manager Runtime(Domino)�

v 352 �� install_amacld�

v 353 �� install_amadk�

v 354 �� install_amjrte�

v 355 �� install_ammgr�

v 357 �� install_amproxy�

v 358 �� install_amrte�

v 359 �� install_amwas�

v 361 �� install_amweb�

v 364 �� install_amwebadk�

v 366 �� install_amwebars�

v 367 �� install_amwls�

v 369 �� install_amwpi_apache�

v 370 �� install_amwpi_ihs�

v 371 �� install_amwpi_iis�

v 372 �� install_amwpi_iplanet�

v 373 �� install_amwpm�

v 374 �� install_ldap_server�


Access Manager Runtime(LDAP) 13� LDAP �� Access Manager Runtime ��

�� . Tivoli Access Manager� ��

� � �� . �� 147 ��

� �� install_amrte ��

�� .

�: install_ammgr �� Policy Server� �� Policy

Server � �� .

13. Access Manager Runtime -- LDAP. *� �� .

��

�� *Tivoli Access Manager� � ��

�� . �� LDAP��.

IBM Global Security Kit� ��

�

(Windows� �� )

GSKit �� . ��

��.

v AIX: /usr/opt/ibm/gsksa � /usr/opt/ibm/gskta

v HP-UX � Solaris: /opt/ibm/gsk7

v Linux: /usr/local/ibm/gsk7

v Windows: C:\Program Files\ibm\gsk7

IBM Tivoli Directory Client� ��

��


IBM Tivoli Directory Client �� .

�� .

v AIX � Linux: /usr/ldap

v HP-UX � Solaris: /opt/IBMldapc

v Windows: C:\Program Files\ibm\LDAP

Access Manager Runtime� ��

�


Access Manager Runtime �� . �

� �� .

v UNIX: /opt/PolicyDirector

v Windows: C:\Program Files\Tivoli\Policy Director

Tivoli Common Directory ��

Tivoli Common Directory -- Tivoli ��

� ��

� �� .

�� *

� �� Tivoli ��

�� .

Tivoli Common Directory� � �� , ��

�� . �� , � �

�� Tivoli �� .

Policy Server �� *

Policy Server� �� . ��

�, �� .

pdmgr.tivoli.com

Policy Server SSL � *Policy Server� SSL ��

��. �� 7135��.

��


13. Access Manager Runtime -- LDAP (��). *� �� .

Policy Server CA �� Policy Server��

� ��.

�� *�� . �� Default��, ��

� �� .

LDAP �� *LDAP �� . ��

�� 389��.

LDAP �� *LDAP �� SSL ��

��. �� 636��.

�� SSL(Secure

Sockets Layer) ��

(Windows� �� ).

SSL� �� . ��

��.

Windows�� LDAP �� SSL� �� . ��, ��

� �� .

�� SSL � * �� LDAP � ��

� � �� . � � �

LDAP �� .

�: SSL ��

�� CA(Certificate Authority)� ��

��.

SSL � �� * �� LDAP � ��

�.

Tivoli Access Manager� � �� am_key.kdb

� key4ssl� �� .

� �� install_ldap_server ��


�� . gsk7ikm ��

�� , � �� .

�� LDAP � �

�� .

� �� SSL � � ��

��

�� .

�� LDAP �� .kdb ��

�� . SSL ��

��

��.

SSL � * LDAP �� SSL ��

��. �� 636��.

��

� 22 � �� 347

Access Manager Runtime(Active Directory) 14� Active Directory �� , Access Manager Runtime �

�� . � �� Tivoli Access

Manager �� . �� 147

�� install_amrte ��

�� .

Active Directory �� Tivoli Access Manager ��

� Windows � UNIX �� Tivoli Access Manager� ��

(Windows NT� ��).

UNIX �� IBM Tivoli Directory Client� �� Active Directory� ��

��. � LDAP �� Policy Server ��

�� .

14. Access Manager Runtime -- Active Directory. *� �� .

��

�� *

Tivoli Access Manager -- Active Directory� � �

�� .

�� LDAP��.



GSKit �� . ��

��.

v AIX: /usr/opt/ibm/gsksa � /usr/opt/ibm/gskta




IBM Tivoli Directory Client� ��

� �



�. �� .

v AIX � Linux: /usr/ldap

v HP-UX � Solaris: /opt/IBMldapc

v Windows: C:\Program Files\ibm\LDAP


�


Web Security Runtime �� . �

� �� .

v UNIX: /opt/PolicyDirector

v Windows: C:\Program Files\Tivoli\Policy

Director



��

�� .

��


14. Access Manager Runtime -- Active Directory (��). *� �� .

�� *


�� .


� �� . �� , �

�� Tivoli ��

��.



�, �� .

pdmgr.tivoli.com


��. �� 7135��.

Policy Server CA �� Policy Server��

� � ��.

�� *�� . �� Default��, ��

� �� .

�� *��

�.

Active Directory �� *


�. �� , �� .

adserver.tivoli.com

Active Directory �� *Active Directory �� . �� ,

dc=ibm,dc=com

�� Active Directory ��


��

�� . �� ,

Tivoli Access Manager� �� (�

��).

��


��


ADSI(Active Directory Service Interface)��

Kerberos� �� . � �� Windows �

�� SSL �� .

Active Directory �� SSL(Secure

Sockets Layer) ��

(Policy Server� �� Active Directory �

�� UNIX ��

�� ).

�� . UNIX ��


�� .

UNIX �� Active Directory �� SSL ��

�� .

�� SSL � * �� LDAP � ��

�� . � � � LDAP ��

�� .

�: SSL ��

� �� CA(Certificate Authority)� ��

� ��.

��

� 22 � �� 349

14. Access Manager Runtime -- Active Directory (��). *� �� .

SSL � �� * �� LDAP � ��

��.






�� , � ��

��.

�� LDAP �

�� .

� �� SSL � � ��

��

�� .

�� LDAP �� .kdb ��

�� . SSL ��

��

��.

SSL � LDAP �� SSL ��

��. �� 636��.

Access Manager �� *


� ��. �� , dc=ibm,dc=com. ��

Active Directory �� .

��


Access Manager Runtime(Domino) 15� Domino ��(Windows ��)� �� Access Manager Runtime

�� . � �� Tivoli

Access Manager �� . �

� 147 �� install_amrte ��

�� .

15. Access Manager Runtime -- Domino. *� �� .

��

�� *

Tivoli Access Manager -- Domino� � �

��

��. �� LDAP��.


GSKit �� . ��

�� .

C:\Program Files\ibm\gsk7


Access Manager Runtime ��

��. �� .

C:\Program Files\Tivoli\Policy Director



� ��

� � ��

��.

�� *


� �� .

Tivoli Common Directory� � �� , �

� � �� .

�� , � �� Tivoli ��

�� .


Policy Server� ��

�. �� , �� .

pdmgr.tivoli.com


�� . �� 7135��.

Policy Server CA �� Policy Server�

� �� .

�� *�� . �� Default��,

�� .

Domino �� *

Domino �� . ��

�, �� .

Domino/tivoli

Notes �� *� �� Notes ID �

�� .

Notes �� * �� names.nsf��.

��

� 22 � �� 351

15. Access Manager Runtime -- Domino (��). *� �� .

Tivoli Access Manager �� *


�� . �� PDMdata.nsf

��.

install_amacldTivoli Access Manager Authorization Server �� (install_amacld)� ��

�� Access Manager Runtime ��

�� . � �� .




16� 115 �� install_amacld

�� .

16. install_amacld �� . *� �� .

��


Policy Server� ��

�. �� , �� .

pdmgr.tivoli.com


�� . �� 7135��.

�� *�� . �� Default��,

�� .

�� ID *�� . ��

sec_master��.


�� *

Tivoli Access Manager sec_master ��

�� .

�� *Authorization Server� ��

�� .

�� *�� . ��

7137��.

�� *�� . ��

�� 7136��.

UNIX�� SSL� �� . ��, ��

� �� .

��


16. install_amacld �� (��). *� �� .

�� SSL � * Policy Proxy Server�� LDAP �

��

� ��. � � � LDAP ��

� ��.

�: SSL ��

� � �� CA(Cert i f icate

Authority)� �� .

SSL � �� * �� LDAP � ��

� ��.


am_key.kdb � key4ssl� ��

��.




��

��, � �� .

��

LDAP � ��

��.

� �� SSL � � ��

��

� �� .

�� LDAP �� .kdb

�� . SSL

��

�� .


�� . �� 636��.

install_amadkTivoli Access Manager Development(ADK) �� (install_amadk)� ��


��. � �� .




ADK �� .

��

� 22 � �� 353

install_amjrte 17� Tivoli Access Manager Java Runtime Environment ��

�� . 131 �� 8 � �Java Runtime Environment ��

�� install_amjrte ��

� �� .

17. install_amjrte �� . *� �� .

��



� ��

� � ��

��.

�� *


� �� .

Tivoli Common Directory� � �� , �

� � �� .

�� , � �� Tivoli ��

�� .


Policy Server� �� .

�� , �� .

pdmgr.tivoli.com


�� . �� 7135��.

JRE �� *Tivoli Access Manager� � �� Java

Runtime Environment� �� .

��


install_ammgrTivoli Access Manager Policy Server �� (install_ammgr)� ��


��. � �� .




18� 105 �� install_ammgr

�� .

�: UNIX �� Windows �� , � � ��

� � �� .

18. install_ammgr �� . *� �� .

��

Tivoli Access Manager �� *(sec_master

� �� )


�� .

�� * �� sec_master �� .


�� . �� 7135��.

SSL �� ( ) *SSL �� . �

� �� 365��.

SSL �� ( ) *

SSL ��

�( )� ��. �� 7200 �

��.

�� SSL� �� . ��, ��

��.


��

� ��. � � � LDAP ��

� ��.

�: SSL ��



��

� 22 � �� 355

18. install_ammgr �� (��). *� �� .

SSL � �� * �� LDAP � ��

� ��.



��.




��

��, � �� .

��

LDAP � ��

��.

� �� SSL � � ��

��

� �� .


�� . SSL

��

�� .


�� . �� 636��.

LDAP �� SSL� �� , �� .

LDAP �� DN * LDAP �� . ��

� cn=root��.

LDAP �� * LDAP �� DN �� .

��


install_amproxyTivoli Access Manager Policy Proxy Server �� (install_amproxy)� ��


�� . � �� .




19� 139 �� install_amproxy

�� .

19. install_amproxy �� . *� �� .

��

�� ID *�� . ��

sec_master��.

Tivoli Access Manager �� *Tivoli Access Manager sec_master ��

�� .

�� *Policy Proxy Server� ��

�� .

�� *�� . ��

7137��.

�� *�� . ��

�� 7138��.

��

� 22 � �� 357

install_amrteTivoli Access Manager Runtime �� (install_amrte)� ��

�� Access Manager Runtime �� . �

�� .




��


install_amwas 20� Tivoli Access Manager for WebSphere ��

��. 240 �� install_amwas

�� .

�: ��

� � �� .

20. install_amwas �� . *� �� .

�� :


Policy Server� �� . �

� �, �� .

pdmgr.tivoli.com


�� . �� 7135��.

JRE �� *

IBM WebSphere Application Server� � ��

�� JRE� �� . -is:java_home

� �� , java_home

�� JRE ��.

Tivoli Access Manager for WebSphere

Application Server ��


� �� . ��

��.

�� ACL �� *

�� Tivoli Access Manager

for WebSphere� �� Access Manager ��

�� ID� �� .

�� , pdpermadmin��.

sec_master �� *Tivoli Access Manager sec_master ��

� ��.



� �, �� .

pdmgr.tivoli.com

Policy Server � *Policy Server� SSL ��

�� . �� 7135��.

Authorization Server �� *


Authorization Server� �� . �

�� WebSphere ��

�� .

Authorization Server � �� *Authorization Server� SSL ��

� �� . �� 7136��.

�� . � all, local ��

remote��. �� all��.

� �� WebSphere� � �� True

� ��

�� false� �

��. �� false��.

�� WebSphere Application Server� �� *

�� WebSphere Application Server� ��

��. �� WAS5 � WAS4��. ��

�� WAS5��.

��

� 22 � �� 359

20. install_amwas �� (��). *� �� .


Application Server ��


� �� . �� .

WebSphere Application Server �� *

WebSphere Application Server� ��

��. � �� WAS_HOME ��

�� .

�� JRTE �� URLAccess Manager Java Runtime Environment

PdPerm.properties � URL �� .

AMJRTE �� URL

Policy � Authorization Server��

�� Access Manager Java Runtime

Environment �� URL ��

�.

��


install_amwebTivoli Access Manager WebSEAL �� (install_amweb)� ��


��. � �� .




21� 271 �� install_amweb

�� .

21. install_amweb �� . *� �� .

��

Web Security RTE ��


Web Security Runtime ��

��. �� .

v Windows:

C:\Program Files\Tivoli\PDWebRTE

v UNIX:

/opt/pdwebrte

WebSEAL ��


WebSEAL Server �� . �

� �� .

v Windows:

C:\Program Files\Tivoli\PDWeb

v UNIX:

/opt/pdweb

WebSEAL �� *

� WebSEAL Server� �� Policy

Server� ��

��.

�� *

��

�. yes� ��, ��

IP �� .

WebSEAL �� * WebSEAL Server� �� .

�� *WebSEAL Server� ��

�� . �� 7234��.

�� ID *�� . ��

sec_master��.

�� *Tivoli Access Manager sec_master ��

�� .

��

� 22 � �� 361

21. install_amweb �� (��). *� �� .


� �� .


��

� ��. � � � LDAP ��

� ��.

�: SSL ��



SSL � �� * �� LDAP � ��

� ��.



��.




��

��, � �� .

��

LDAP � ��

��.

� �� SSL � � ��

��

� �� .


�� . SSL

��

�� .


�� . �� 636��.

HTTP ��

HTTP �� . ��

� �� , HTTP � ��

��. �� HTTP ��

�.

HTTP � *HTTP �� . �� 80

��.

HTTPS ��

HTTPS �� . ��

�� , HTTPS � ��

��. �� HTTPS ��

��.

HTTPS �HTTPS �� . �� 443

��.

��


21. install_amweb �� (��). *� �� .

�� *

�� .

v UNIX: /opt/pdweb/www-default/docs

v Windows: C:\Progam Files\Tivoli\

P o l i c y D i r e c t o r \ P D W e b \ w w w -

default\docs

��

� 22 � �� 363

install_amwebadkTivoli Access Manager WebSEAL Development(ADK) ��

(install_amwebadk)� �� Access Manager Runtime

�� . � ��

�� .




22� 261 �� install_amwebadk

�� .

22. install_amwebadk �� . *� �� .

��

Web Security RTE ��


Web Security Runtime �� .

�� .

v Windows:


v UNIX:

/opt/pdwebrte

WebSEAL ��


WebSEAL Server �� . ��

�� .

v Windows:

C:\Program Files\Tivoli\PDWeb

v UNIX:

/opt/pdweb

WebSEAL �� default

�� *

��

��. yes� ��, ��

� IP �� .

WebSEAL �� * WebSEAL Server� �� .

�� *WebSEAL Server� ��

�� . �� 7234��.

�� ID *�� . � ��

sec_master��.

�� *Tivoli Access Manager sec_master ��

� ��.

��


22. install_amwebadk �� (��). *� �� .


� �� .

�� SSL � * Policy Proxy Server�� LDAP � ��

��

��. � � � LDAP ��

��.

�: SSL ��

�� CA(Certificate Authority)�

�� .

SSL � �� * �� LDAP � ��

��.





� �� . gsk7ikm ��

�� , � ��

�� .

�� LDAP

� �� .

� �� SSL � � ��

��

�� .

�� LDAP �� .kdb �

� � �� . SSL ��

��

�� .


� ��. �� 636��.

HTTP ��

HTTP �� . ��

�� , HTTP � �� . ��

�� HTTP �� .

HTTP � �� *HTTP �� . �� 80��

�.

HTTPS ��

HTTPS �� . ��

�� , HTTPS � �� . �

�� HTTPS �� .

HTTPS � ��HTTPS �� . �� 443�

��.

�� *

�� .


v Windows: C:\Progam Files\Tivoli\

PolicyDirector\PDWeb\www-default\docs

��

� 22 � �� 365

install_amwebars 23� Tivoli Access Manager Attribute Retrieval Service ��

�� . 173 ��

install_amwebars ��

� ��.

23. install_amwebars �� . *� �� .

�� :

IBM HTTP Server� ��IBM HTTP Server �� . �

� �, C:\Program Files\IBMHTTPServer

WebSphere Application Server� ��

WebSphere Application �� .

�� ,

c:\Program Files\WebSphere\AppServer

� �

�� WebSphere � � � ��

�. � � � � �(�) ��

��. �� DNS � �

� IP ��.

�� Attribute Retrieval Service� ��

� �� .

�� ID�� ID� ��(UNIX�� ID�

cn=root��).

�� .

AM ARS� ��

Access Manager Attribute Retrieval Service� �

� �� . �� ,

c:\Program Files\Tivoli\PDWebARS

��


install_amwls 24� Tivoli Access Manager for WebLogic ��

��. 215 �� install_amwls

�� .

24. install_amwls �� . *� �� .

��



�� , �� .

pdmgr.tivoli.com

Policy Server � �� *Policy Server� ��

��. �� 7135��.

�� (Windows� ��

��).


�� . ��

�.

v UNIX:

/opt/pdwls

v Windows:

c:\Program Files\Tivoli\pdwls

�� ACL �� *Authorization Server� � �� Tivoli Access

Manager �� .

sec_master �� *Tivoli Access Manager sec_master ��

�� .



�� , �� .

pdmgr.tivoli.com

Policy Server � �� *Policy Server� ��

��. �� 7135��.

Authorization Server �� *Tivoli Access Manager Authorization Server �

�� .

Authorization Server � �� *�� . ��

� 7136��.

true� �� AMWLS5.1 � �� AMWLS5.1 � ��

��. �� true��.

WebLogic �� *

Tivoli Access Manager� �� WebLogic �

�� . � �� WebLogic

�� .

WebLogic �� * WebLogic �� .

��

� 22 � �� 367

24. install_amwls �� (��). *� �� .

Access Manager for WebLogic Server ��

�� *

WebLogic Server ��

�. �� .

v Windows:

c:\Program Files\Tivoli\pdwls

v UNIX:

/opt/pdwls

WebLogic Admin Server� URL

WebLogic Administration Server� �� URL�

��. �� URL� �� .

t3://localhost:7001

��


install_amwpi_apachePlug-in for Apache Web Server� �� (install_amwpi_apache)� �

� �� Access Manager Runtime ��

�� . � �� .



25� 198 ��

install_amwpi_apache ��

��.

25. install_amwpi_apache �� . *� �� .

��


�� ID *

�� . ��

sec_master��.


�� .

Apache Web Server ��

�� *

Web Server ��

��. �� , /usr/local/apache/conf

��

� 22 � �� 369

install_amwpi_ihsPlug-in for IBM HTTP Server(install_amwpi_ihs)� ��

� �� Access Manager Runtime �� . � �

� � �� .



26� 198 �� install_amwpi_ihs

�� .

26. install_amwpi_ihs �� . *� �� .

��


�� ID *

�� . ��

sec_master��.


�� .

IBM HTTP Server ��

� �� *

Web Server ��

��. �� , /usr/HTTPServer/conf

��


install_amwpi_iisPlug-in for Internet Information Services� �� (install_amwpi_iis)�


� ��. � �� .




27� 198 �� install_amwpi_iis

�� .

27. install_amwpi_iis �� . *� �� .

��

��

Access Manager Web Security Runtime� ��

� �� . ��

�� .


��

Access Manager Web Server Plug-in for IIS�

�� . ��

�� .

C:\Program Files\Tivoli\PDWebPI


ID *

�� . ��

sec_master��.


�� .

��

� 22 � �� 371

install_amwpi_iplanetPlug-in for Sun ONE Web Server� �� (install_amwpi_iplanet)� �

� �� Access Manager Runtime ��

�� . � �� .



28� 198 ��

install_amwpi_iplanet ��

��.

28. install_amwpi_iplanet �� . *� �� .

��


�� ID *

�� . ��

sec_master��.


�� .

Sun ONE Web Server ��

�� *

Web Server �� (�

:/usr/iplanet/servers� ��.

��


install_amwpm 29� Tivoli Access Manager Web Portal Manager ��

�� . 155 ��

install_amwpm ��

��.

29. install_amwpm �� . *� �� .

��

IBM HTTP Server� ��


IBM HTTP Server �� . ��

�� .

v AIX: /usr/HTTPServer

v Linux � Solaris: /opt/IBMHTTPServer

v Windows: c:\Program Files\IBMHttpServer


� �


IBM WebSphere Application Server ��

��. �� .

v AIX: /usr/WebSphere/AppServer

v Linux � Solaris: /opt/WebSphere/AppServer

v Windows:

c:\Program Files\WebSphere\AppServer

� � *

�� WebSphere � � � ��. �

� � � �(�) �� . �

�� DNS � �� IP ��

��.

�� *Web Portal Manager� ��

� � � ��.

�� ID *�� ID� ��(UNIX�� ID�

cn=root��).

�� * �� .



� �, �� .

pdmgr.tivoli.com

�: ��

��.

Policy Server SSL � *

Policy Server� SSL ��

� ��. �� 7135��.

�: ��

��.

JRE �� *Tivoli Access Manager� � �� Java

Runtime Environment� �� .

Policy Server �� ID *�� . � ��

sec_master��.

Policy Server �� *Tivoli Access Manager sec_master ��

��.

��

� 22 � �� 373

install_ldap_server 30� IBM Tivoli Directory Server � ��

��. UNIX �� Windows �� , � � ��

�� .


��



GSKit �� . ��

�� .

v AIX: /usr/opt/ibm/gsksa � /usr/opt/

ibm/gskta




IBM DB2 ��


IBM DB2 �� . ��

�� .

v AIX � Linux:

/usr/ldap/db2

v Solaris:

/opt/IBM/db2

v Windows:

C:\Program Files\IBM\SQLLIB




��. �� .

v AIX � Linux:

/usr/ldap

v Solaris:

/opt/IBMldaps

v Windows:

C:\Program Files\IBM\LDAP

DB2 �� ID *

�� , DB2 �� ID� �

� � � � (� : ldapdb2 (UNIX) � �

db2admin(Windows)). �� 58 ��

�� .

DB2 �� * DB2 �� ID� �� .

Directory Server �� *

Windows� ��, C:

UNIX� ��, ldapdb2 ��

�

��


30. IBM Tivoli Directory Server �� (��)

DB2 �� * amdb

�� ID * cn=root

�� * �� ID� � � �� .

�� *

(Windows� �� ).�� ID �� .

��

��

�� . �� , �� .

o=ibm,c=us

�� *


��

��.

LDAP ��

� ��.

SSL � �� *LDAP �� .

�� 389��.

SSL � �� *LDAP �� SSL ��

�� . �� 636��.

�� SSL � *

�� . � ��

�� . � �

��

��.

SSL ��

�� CA(Certificate Authority)�

�� .

SSL � �� *SSL � �� . key4ssl

� am_key.kdb �� .

SSL � ��

LDAP �� SSL � ��

� �� . ��

PDLDAP(am_key.kdb ��)��.

��

� 22 � �� 375

��


� 23 � pdconfig �

� �� pdconfig �� Tivoli Access Manager� ��

�� . UNIX �� Windows ��

�� , � � ��

��.


v 378 �� Access Manager Runtime -- LDAP�

v 379 �� Access Manager Runtime -- Active Directory�

v 381 �� Access Manager Runtime -- Domino�

v 382 �� Access Manager Attribute Retrieval Service�

v 383 �� Access Manager Authorization Server�

v 384 �� Access Manager Java Runtime Environment�

v 385 �� Access Manager Plug-in for Edge Server�

v 386 �� UNIX� Access Manager Plug-in for Web Servers�

v 388 �� Windows� Access Manager Plug-in for Web Servers�

v 389 �� Access Manager Policy Server�

v 390 �� Access Manager Policy Proxy Server�

v 391 �� Access Manager Web Portal Manager�

v 392 �� Access Manager WebSEAL Server�


Access Manager Runtime -- LDAP 31� LDAP �� Access Manager Runtime ��

�� .

31. Access Manager Runtime �� - LDAP

��

�� Policy Server� ��? Policy Server� � � ��

��.

Tivoli Common Directory �� Tivoli Common Directory--Tivoli ��

��

� �� .

�� LDAP �� .

LDAP �� LDAP �� . ��

�, �� .

ldapserver.tivoli.com

LDAP �� LDAP �� . ��

� �� 389��.

Tivoli Access Manager Policy Server� Access Manager Runtime ��

�� , �� .

Policy Server �� Policy Server� �� . ��

�, �� .

pdmgr.tivoli.com

Policy Server SSL � Policy Server� SSL ��

��. �� 7135��.

�� . �� Default��, ��

� �� .

Policy Server�� pdcacert.b64 �

�� ?

Tivoli Access Manager Policy Server� ��

pdcacert.b64�� SSL CA(Certificate Authority)

� ��. Access Manager Policy Server ��

��

� � ��.

Tivoli Access Manager Runtime �� Tivoli Access

Manager ��

� �� . � � ��

� �� .

v Access Manager Runtime �� ,

pdcacert.b64 � ��

��.

v Access Manager Runtime ��

pdcacert.b64 � �� Tivoli Access Manager

�� .

pdconfig ��


Access Manager Runtime -- Active Directory 32� Active Directory �� Access Manager Runtime ��

� �� .

32. Access Manager Runtime �� - Active Directory

��

Access Manager Policy Server� �� . Access Manager Policy Server� ��

�� .

�� Policy Server� �� . ��

�, �� .

pdmgr.tivoli.com

�� Policy Server� SSL ��

��. �� 7135��.


(Active Directory).

�� Active Directory �� . ��

�� . �� ,

Tivoli Access Manager� �� (��

�).

Active Directory �� * Active Directory �� .

�� , �� .

adserver.tivoli.com

Active Directory �� Active Directory �� . �� ,

dc=tivoli,dc=com

��


ADSI(Active Directory Service Interface)�� Kerberos�

�� . � �� Windows ��

SSL �� .

Windows �� Tivoli Access Manager Runtime �� Active Directory �

� �� SSL �� . ��, ��

� ��.

� �� LDAP �� SSL ��

��. �� 636��.

�� LDAP ��

�� .

�� SSL �� . � ��

� �� . ��

� ��, �� .

pdconfig ��

� 23 � pdconfig 379

32. Access Manager Runtime �� - Active Directory (��)

��

� �� LDAP � ��

�.






�� , � ��

�.

Active Directory �� ID 95 �� Active Directory ��

� ID� ��.

Active Directory �� Active Directory �� ID� �� .

Access Manager �� Tivoli Access Manager ��

��. �� , dc=tivoli,dc=com. �� Active

Directory �� .

Tivoli Common Directory �� Tivoli Common Directory -- Tivoli ��

� ��

� �� .


�� .


�� . �� , � �


Active Directory� �� , activedir.conf � ��

�� .

%PD_INSTALL_DIR%\etc

�� PD_INSTALL_DIR� Tivoli Access Manager� �� C:\Program

Files\Tivoli\Policy Director� �� .

pdconfig ��


Access Manager Runtime -- Domino 33� Lotus Domino �� Access Manager Runtime ��

�� .

33. Access Manager Runtime �� - Domino ��

��

Access Manager Policy Server� �� . Access Manager Policy Server� ��

�� .

�� Policy Server� �� . ��

�, �� .

pdmgr.tivoli.com

�� Policy Server� SSL ��

��. �� 7135��.


(Domino).

Domino �� Domino �� . �� , �

� ��.

Domino/tivoli

�� SSL �� . ��

�� .

Notes �� Notes ID ��

�� .

Access Manager �� Tivoli Access Manager ��

� ��. �� PDMdata.nsf��.


� ��

� �� .


�� .


�� . �� , � �


pdconfig ��


Access Manager Attribute Retrieval Service 34� Access Manager Attribute Retrieval Service ��

�� .

34. Access Manager Attribute Retrieval Service

��

� � �� WebSphere � � � ��. �

� � � �(�) �� . ��

� � � �� DNS � �� IP ��.

�� Attribute Retrieval Service� ��

�� .

�� ID �� ID� ��(UNIX�� ID�

cn=root��).

�� .

pdconfig ��


Access Manager Authorization Server 35� Access Manager Authorization Server ��

�� .

�: Access Manager Authorization Server �� Access Manager

Runtime �� .

35. Access Manager Authorization Server ��

��

�� . �� Default��, ��

� �� . � �� .

Policy Server �� Policy Server� ��

� � ��. ��

��.

Policy Server � Policy Server� ��

��. �� 7135��.

Tivoli Access Manager ��(Default �

�� ID)

�� . �� sec_master

��. � �� .

�� Tivoli Access Manager ��(sec_master) ��

��.

�� Authorization Server� ��

� ��.

�� . �� 7137��.

�� . �� 7136

��.

pdconfig ��


Access Manager Java Runtime Environment 36� Access Manager Java Runtime Environment ��

�� .


��

�� JRE �� Access Manager Java

Runtime Environment� ��

�� .

��: Web Portal Manager� �� Tivoli Access

Manager �� Java ��

� �� .

��: Java Runtime Environment ��

�� . Policy Server ��

� �� .


� JRE(Java Runtime Environment)� �

� ��

IBM JRE 1.3.1� �� . �� , �

� ��.

/usr/java131/jre

Web Portal Manager �� , ��

WebSphere Application Server� � �� JRE� �

��. �� , �� .


Access Manager Policy Server ��

��


�, �� .

pdmgr.tivoli.com


� ��

Policy Server� SSL ��

��. �� 7135��.


�

(null)


� ��

� �� .


�� .


�� . �� , � �


pdconfig ��


Access Manager Plug-in for Edge Server 37� Access Manager Plug-in for Edge Server ��

� �� . �� .

37. Access Manager Plug-in for Edge Server ��

��

Web Traffic Express� �� Edge Server � �� .

�� 80��.

Tivoli Access Manager �� ID �� . �� sec_master

��.

Tivoli Access Manager �� ID

��


��.

�: Windows �� Active Directory ��

�� , ��

�.

pdconfig ��


UNIX� Access Manager Plug-in for Web Servers 38� UNIX �� Plug-in for Web Servers� ��

�.

38. UNIX� Plug-in for Web Servers

��

��

��

(Sun ONE �� , Sun ONE

��

� ��.)

�� . � ��

�� .

�� x� ��.

� �� .

v � �� , ��

�� .

v � � ��

� �� . �

�� .

v ��

�� all� ��.


��. Active Directory �� , ��

sec_master@domain_name��.


��


�� .

�� Policy �� Policy Server��

� Policy �� . ��

�� 7237� ��

�.

UNIX� LDAP �� , SSL �� .

Tivoli Access Manager Plug-in for Web

Servers Authorization Server � LDAP �

� �� SSL ��

��

�� SSL� �� . ��

� ��

�� SSL� ��

� ��

�� .

Tivoli Access Manager Plug-in for Web Servers Authorization Server� LDAP �� SSL�

�� .

pdconfig ��


38. UNIX� Plug-in for Web Servers (��)

��

LDAP SSL �� /usr/ldap/lib/ldapkey.kdb

�: Tivoli Access Manager Plug-in for Web Server�

Policy Server� � � �� LDAP� ��

SSL � �� , LDAP ��

� � ��. ��

� �� UNIX �� . � �

�� Plug-in ��

LDAP �� .

SSL �� LDAP �

�� .

� �� SSL � � ��

��

�� .

�� LDAP �� .kdb ��

�� . SSL ��

��

��.

LDAP SSL �� LDAP � ��

��.






� �� , � ��

��.

LDAP �� SSL � �� LDAP �� SSL ��

��. �� 636��.

pdconfig ��


Windows� Access Manager Plug-in for Web Servers 39� Windows �� Plug-in for Web Servers� ��

��.

39. Windows� Plug-in for Web Servers

��

��

��.





��


��.

�� Policy �� Policy Server��

� Policy �� . ��

�� 7237� ��

�.

pdconfig ��


Access Manager Policy Server

�:

1. Manager Policy Server �� Access Manager Runtime ��

�� .

2. UNIX �� Policy Server� Active Directory �� Domino ��

�� .

40. Access Manager Policy Server ��

��

Access Manager �� ID �� . �� sec_master



Access Manager �� Tivoli Access Manager �� ID� ��

��.

�� sec_master �� .

Policy Server SSL � Policy Server� SSL ��

��. �� 7135��.

SSL �� SSL �� . ��

365 ��.

SSL �� SSL �� ( )�

��. �� 7200 ��.

pdconfig ��


Access Manager Policy Proxy Server 41� Access Manager Policy Proxy Server ��

�� .

�: Access Manager Policy Proxy Server �� Access Manager

Runtime �� .

41. Access Manager Policy Proxy Server ��

��

Policy Server �� * Policy Server� �� . ��

�, �� .

pdmgr.tivoli.com

Policy Server � * Policy Server� ��

��. �� 7135��.

�� ID * �� . �� sec_master



�� * Tivoli Access Manager �� ID� ��

��.

�� * Policy Proxy Server� ��

� ��. �� , �� .

pdproxy.tivoli.com

�� * �� . �� 7139��.

�� * �� . �� 7138��.

pdconfig ��


Access Manager Web Portal Manager 42� Access Manager Web Portal Manager ��

�� .

42. Access Manager Web Portal Manager ��

��

Tivoli Access Manager �� . �� sec_master

��.

Tivoli Access Manager �� Tivoli Access Manager sec_master ��

��.

pdconfig ��


Access Manager WebSEAL Server 43� Access Manager WebSEAL Server ��

�� .

�: Access Manager WebSEAL Server �� Access Manager

Runtime �� .

43. Access Manager WebSEAL Server ��

��

WebSEAL �� WebSEAL Server� �� Policy Server� �

�� .

�� . yes�

��, �� IP ��

�� .

WebSEAL �� WebSEAL Server� �� .

WebSEAL �� WebSEAL Server� ��

��. �� 7234��.

�� ID �� . �� sec_master

��.

�� Tivoli Access Manager sec_master ��

��.

HTTP �� (y/n) HTTP �� . ��

��, HTTP � �� . �� HTTP

�� .

HTTP � [80] HTTP �� . �� 80��. �

�� , ��

� �� .

�� HTTP �� (y/n) HTTPS �� . ��

� ��, HTTPS � �� . ��

HTTPS �� .

HTTPS � [443] HTTPS �� . �� 443��.

� �� , ��

� � �� .

�� [opt/pdweb/www-

default/docs]

�� .


v Windows: C:\Progam Files\Tivoli\PolicyDirector

\PDWeb\www-default\docs

pdconfig ��


� 24 � SSL(Secure Sockets Layer) ��

IBM Tivoli Access Manager �� IBM Tivoli Directory Client�

LDAP �� SSL(Secure Sockets Layer) �� .

�: �� IBM Tivoli Directory Server� �� , � ��

� �� . install_ldap_server �� SSL� �

� �� LDAP ��

�� .

SSL �� SSL� �� IBM Tivoli Directory Client

�� SSL� �� . SSL� ��

�� .

��

��

��.

��

�� , �

�� . � ��, ��

�� .

�� , SSL �� IBM Tivoli Directory

Client� �� . �� , ��

�� SSL� �� 414 �� LDAP ��

� �� .

� �� .

v 394 �� SSL �� IBM Tivoli Directory Server ��

v 399 �� SSL �� IBM z/OS � OS/390 ��

v 402 �� SSL �� Microsoft Active Directory ��

v 404 �� SSL �� Novell eDirectory ��

v 408 �� SSL �� ONE Directory Server ��

v 411 �� SSL �� IBM Tivoli Directory Client ��

v 414 �� LDAP ��


SSL �� IBM Tivoli Directory Server ��

Tivoli Access Manager �� LDAP �� SSL� ��

� ��. � �� LDAP �� IBM Tivoli Directory Client �� SSL ��

� � �� .

�� LDAP �� LDAP �� SSL �� ,

SSL �� Tivoli Access Manager ��

� � � �� .

LDAP �� SSL �� , GSKit� �� SSL � ��

��. GSKit� gsk7ikm�� . gsk7ikm �

�� SSL� �� SSL Introduction and iKeyman

User’s Guide� ��.

IBM Tivoli Directory Server�� SSL ��

� �� .

v 394 ��

v 395 �� CA(Certificate Authority)�� 396 ��

��

v 397 �� SSL ��

� ��

LDAP �� SSL �� , ��

�� . � ��

�� . � ��

�� . ��

VeriSign �� CA(Certificate Authority)�� .

��, �� . ��

�� , � �� CA(Certificate Authority)� ��.

� �� gsk7ikm �� . �

�� (� �� )� ��

��.

1. LDAP �� SSL� �� IBM Tivoli Directory Client� ��

�� GSKit � gsk7ikm� �� .

2. CA(Certificate Authority)� �� GSKit iKeyman ��

�� IBM Tivoli Directory Client �� SSL ��

�� . �� .

SSL -- IBM Tivoli Directory Server



�� .

b. �� SSL� �� . �� 393




3. gsk7ikm �� . � ��

��.

��

AIX /usr/lpp/ibm/gsk7/bin/gsk7ikm

HP-UX /opt/ibm/gsk7/bin/gsk7ikm

Linux /usr/local/ibm/gsk7/bin/gsk7ikm

Solaris /opt/IBM/GSK7/bin/gsk7ikm

Windows C:\Program Files\IBM\gsk7\bin\gsk7ikm.exe

4. � �� → ��

��.

5. CMS� �� .

6. ��

�� . � �� .kdb��.

7. � �� . � ��

�� .

8. �� .

9. �� , �� .

� ��

� �� . ��

�� .sth �� .

10. �� . � �� . ��

�� . � �� CA(Certificate Authority)

��.


� �� CA(Certificate Authority)� �� , � CA

�� .

� �� , � �� 396 ��

� �� .


� 24 � SSL �� 395

�� .

1. CA(Certificate Authority)��

� � �� gsk7ikm� ��.

2. � �� .

3. �� .

4. CA� �� .

5. CA� ��

� �� .

6. � �� LDAP �� LDAP �� SSL�

�� .

397 �� SSL �� .

��

395 �� CA(Certificate Authority)��

� �� CA�� . � �� 397 �� SSL ��

� �� .

� ��

� ��.

1. �� → � �� .

2. � �� GSKit� � ��

�� . �� , �� LDAP ��

� � � ��.

3. �� (X509 V3) � � �� .

4. ��

� ��.

5. � �� .

6. �� .

7. �� , �� 365� ��

�� .

8. �� . GSKit� � ��

��.

� �� , GSKit� ��

� � �� . �

�� . ��

�� .



LDAP �� . ��

�� . � ��

�� .

�� . � ��

�� , � ��

��.

�� , LDAP �� Base64-�� ASCII ��

��.

9. LDAP �� Base64-�� ASCII �� gsk7ikm

� ��. � � 412 �� .

10. �� .

11. � �� .

12. �� Base64-�� ASCII �� .

13. �� . ��

� �� .arm��.

14. �� .

15. �� .

16. � �� IBM Tivoli Directory Client �� .

�� LDAP �� SSL� �� . �SSL ��

�� .

SSL ��

IBM Tivoli Directory Server� SSL� ��

�.

1. IBM Tivoli Directory Server � �� . ��

�� .

v UNIX �� , ibmdirctl �� .

v Windows �� , ibmdirctl �� .

a. �� → �� → �� .

b. �� .

– Windows NT �� . IBM Tivoli Directory

V5.2� �� . IBM Tivoli Directory Admin

Daemon �� .


� 24 � SSL �� 397

– Windows 2000 �� → �� . ��

�� IBM Tivoli Directory V5.1� ��

��. IBM Tivoli Directory Admin Daemon ��

� ��.

2. �� .

v SSL �� .

ldapmodify -D Admin_DN -w admin_password -i filename

�� filename� �� .

dn:cn=SSL,cn=Configurationchangetype:modifyreplace:ibm-slapdSecurityibm-slapdSecurity:SSL | none | SSLOnly-replace:ibm-slapdSslAuthibm-slapdSslAuth:serverauth | serverClientAuth-replace:ibm-slapdSslCertificateibm-slapdSslCertificate: ldapserv-replace:ibm-slapdSslKeyDatabaseibm-slapdSslKeyDatabase: /usr/ldap/etc/key.kdb

v ibmsladp.conf � �� .

dn:cn=SSL,cn=Configuration

ibm-slapdSecurity:SSL | none | SSLOnlyibm-slapdSslAuth:serverauth | serverClientAuthibm-slapdSslCertificate: ldapservibm-slapdSslKeyDatabase: /usr/ldap/etc/key.kdb

3. �� IBM Tivoli Directory Server� �� .

v UNIX ��:

ibmdirctl -D ldap_admin -w ldap_pwd stopps -ef | grep ibmdiradmkill -9 pid_obtained_by_previous_command

v Windows �� , �� → �� → �� → �� → ��

��. �� IBM Tivoli Directory V5.2� ��

��. IBM Tivoli Directory Admin Daemon ��

� ��.

4. �� IBM Tivoli Directory Server� �� .

v UNIX �� , �� ibmdirctl ��

�� , ibmdirctl �� .

ibmdiradmibmdirctl -D ldap_admin -w ldap_pwd start

v Windows �� , ibmdirctl �� → �� → ��

→ �� → �� . �� IBM Tivoli



Directory V5.2� �� . IBM Tivoli Directory Admin

Daemon �� .

5. SSL� �� LDAP ��

��.

ldapsearch -h ldaphost -Z -K keyfile -P key_pw -b "" -s base objectclass=*

��,

ldaphost

LDAP �� DNS �� .

keyfile_pwd

SSL � �� (�� .kdb� ��

). � �� , ��

�� .

key_pw

� �� . � �� (��

�� )� ��

�. �� , ��

� �� -P � �� . -Z �� -K�

�� .

ldapsearch �� LDAP �� LDAP ��

��.

LDAP �� SSL �� .

6. �� , SSL �� IBM Tivoli Directory Client� ��. 411

�� SSL �� IBM Tivoli Directory Client ��

��.

SSL �� IBM z/OS � OS/390 ��

Tivoli Access Manager � LDAP �� Tivoli

Access Manager �� LDAP �� SSL ��

�� . � ��

�� . Tivoli Access Manager� � ��

�� .

OS/390 �� z/OS� LDAP �� SSL ��

�� OS/390 �� z/OS� �� LDAP ��

�. � �� .



� 24 � SSL �� 399


z/OS �� 1.2� 1.4� �� LDAP� � SSL� ��

� � ��. �� LDAP �� , z/OS

Cryptographic Services System SSL� ��, STEPLIB, LPALIB �� LINKLIST

� �� .

1. SSL �� LDAP ��

�� LDAP �� . ��

��.

2. LDAP ��

�� sslCertificate ��

��. gskkyman ��

� �� 401 �� .

3. LDAP �� .

��

SSL� �� slapd.conf � �� .

listen ldap_URL

LDAP �� IP ��(�� )

� � �� LDAP URL �� . � ��

� � � �� .

sslAuth {serverAuth | serverClientAuth}

SSL �� . serverAuth �� LDAP ��

�� LDAP ��

��. serverAuth� ��.

sslCertificate {certificateLabel | none}

�� . gskkyman ��

� �� .

sslCipherSpecs int

�� SSL �� .

44. ��

�� 16� 10�

SLAPD_SSL_RC4_MD5_US 0x0800 2048

SLAPD_SSL_RC4_SHA_US 0x0400 1024

SLAPD_SSL_TRIPLE_DES_SHA_US 0x0100 256

SLAPD_SSL_DES_SHA_EXPORT 0x0200 512

SLAPD_SSL_RC2_MD5_EXPORT 0x1000 4096

SLAPD_SSL_RC4_MD5_EXPORT 0x2000 8192

SSL -- z/OS � OS/390 ��


sslCipherSpecs �� 400 �� 44� �

� 16� �� OR� �� 10� ��. �� ,

�� 15104��( ��

�� 12288��). ��

��, � �� SSL ��

� ��.

sslKeyRingFile filename

�� SSL � �� .

� � gskkyman ��

��.

sslKeyRingFilePW string

SSL � �� . ��

�� gskkyman ��

� � ��.

�: sslKeyRingFilePW �� . �

�, RACF � � �� sslKeyRingPWStashFile ��

� ��. �� .

sslKeyRingPWStashFile filename

�� .

� � �� , � �� sslKeyRingFilePW ��

(�� )� ��. � �� -s

� gskkyman �� .

� ��

�� gskkyman ��

�� .

1. ��(OMVS �� rlogin �)�� gskkyman ��

��.

$ gskkyman

gskkyman �� . ��

� �� . ��

�� . � �� Enter� �� .

2. � �� 1� ��.

3. � �� (key.kdb)� �� Enter� ��

��.

4. � �� .

5. �� .

SSL -- z/OS � OS/390 ��

� 24 � SSL �� 401

6. �� (�� )� ��.

7. �� (2500)� ��.

� ��

��.

8. � �� 6� ��

��.

9. �� , � �� LDAP ��

�� CA �� . ��

��.

a. 1� �� .

b. � � �� .

c. � � �� 6� �� .

d. �� . �� , Binary

ASN.1 DER� �� 1� ��.

�� . �� LDAP ��

�� CA �� . �� Binary DER

� �� , �� LDAP ��

�� gsk7ikm �� .

SSL �� Microsoft Active Directory ��

Tivoli Access Manager Policy Server� Windows 2000 ��

Active Directory �� .


Active Directory �� CA �� .

1. ��

�� .

2. Windows �� CA(Certificate Authority)� ��. �� Active Directory

�� . �� .

a. �� → �� → CA(Certificate Authority)� �� CA MMC(Microsoft

Management Console) GUI� ��.

b. CA �� CA� ��

��.

c. �� .

d. �� ... ��

��.

SSL -- z/OS � OS/390 ��


e. �� CA �� .

�: CA �� DER �� X-509 �� Based-64 ��

X-509 �� .

3. Active Directory ��(Windows 2000 �� Windows 2003)�� SSL� ��

�� .

a. Active Directory �� Windows 2000 �� (Windows 2003�

Windows �� )� �� . suptools.msi ��

�� Windows CD� \Support\Tools\ �� .

b. �� .

v Windows 2000 �� → Windows 2000 �� → �� →

Active Directory �� ldp �� .

v Windows 2003 �� , �� → Windows �� → �� → �

� � �� ldp �� .

c. ldp �� → �� (636)� ��

��.

�: Active Directory �� .

� ��, Active Directory SSL �� . ��

�, �� .

LDAP ��


-Windows Tivoli Access Manager �� . ��

�� .


��: � � Access Manager Runtime �� .

v GSKit(Global Security Kit)

v IBM Tivoli Directory Client(LDAP ��)


2. GSKit� � �� iKeyman Key Management Utility� ��

��. �� 285 �� Global Security Kit �� GSKit

iKeyman �� .

3. �� CA �� Tivoli Access Manager �� .

4. GSKit iKeyman �� Active

Directory �� CA �� . �� CA ��

Active Directory �� CA ��

SSL -- Microsoft Active Directory

� 24 � SSL �� 403

��. �� 411 �� SSL �� IBM Tivoli Directory Client

�� SSL Introduction and iKeyman User’s Guide� ��.

5. �� Active Directory �� SSL ��

�� Tivoli Access Manager �� ldapsearch ��

��. �� SSL �� .

6. Tivoli Access Manager pdconfig �� Access Manager Runtime

�� . ��

��. �� 379 �� Access Manager Runtime

-- Active Directory�� .

7. � �� Access Manager Authorization Server �� Web Portal Manager

� �� Tivoli Access Manager �� , � � � ��

�� .

�� SSL �� .

SSL ��

Active Directory �� CA� �� , LDAP

�� SSL �� .

ldapsearch -h AD_servername -s base -Z -K client_keyfile -P keyfile_pwd objectclass=*

�� .

� ��

AD_servername Active Directory �� DNS ��

�.

client_keyfile ��

��.

keyfile_pwd �� .

� ��, Active Directory �� . �� , �

�� .

SSL �� Novell eDirectory ��

SSL(Secure Socket Layer)� �� Tivoli Access Manager �� NDS

eDirectory ��

� ��. �� SSL� ��

�� . , Tivoli Access Manager� �� SSL� ��

��. Tivoli Access Manager �� SSL� �� , � ��

��.

SSL -- Microsoft Active Directory


Tivoli Access Manager� Novell eDirectory� �� .

SSL� � Novell eDirectory �� ConsoleOne ��

�� .

v �� CA(Certificate Authority) ��

v 406 ��

v 406 �� LDAP ��

v 407 �� SSL ��

v 407 �� CA �� IBM � � ��

�: �� Novell �� .

Novell eDirectory, �� 8.6.2� �� .


Novell eDirectory, �� 8.7� �� .


�� CA(Certificate Authority) ��

eDirectory� �� NDSPKI:Certificate Authority ��

��(� �� ). �� (�� )

� �� . �� Tivoli Access Manager� � ��

� �� . ��

��.

0=organizational_entry_name.OU=Organizational CD

�� . �� CA(Certificate

Authority) �� . ��

�.

1. ConsoleOne� ��.

2. � �� . ��

��.

3. � CA �� .

4. �� → �

�� .

5. � �� NDSPKI: Certificate Authority

� � � ��. � CA(Certificate Authority) ��

��. �� .

SSL -- Novell eDirectory ��

� 24 � SSL �� 405



6. �� eDirectory �� . �� , ��

��.

�� = C22Knt_NDS.AM

� � � �� = C22KNT-CA

7. �� .

Novell eDirectory� �� .

�� .

8. �� CA� �� .

� CA� �� .

9. � CA� ConsoleOne� C22KNT-CA� ��.

��

� �� .

1. � CA(C22KNT-CA)� �� . �� .

2. �� .

3. �� .

4. �� . �� .

5. �� . �� , �

� ��.

c:\c22knt\CA-SelfSignedCert.der

6. � Tivoli Access Manager �� (FTP)��. �� ,

�� .

c:\Program Files\Tivoli\Policy Directory\keytab

� � �� .

LDAP ��

Novell eDirectory �� .

1. LDAP ��

�� → � �� . � �� .

2. NDSPKI: � �� . �� (� �) �

� ��.

3. �� (�: AM)� ��

� ��.

4. �� CA(Certificate Authority) ��

� ��.



5. � ��

��.

�: Novell eDirectory �� 8.6.2� �� 1024�� 8.7

� �� 2048��.

6. �� .

�� .

7. �� . ��

��(� �) �� . �� .

8. ��

��.

�� . �� , ConsoleOne� ��

�� AM�� . �� .

SSL ��

Novell LDAP �� SSL� �� .

1. ConsoleOne� �� LDAP �� - hostname ��

�� .

2. �� . �� SSL ��

��.

3. SSL �� . SSL ��

� ��. SSL �� .

4. AM �� . LDAP �� - hostname ��

SSL �� .

�: �� .

�� CA �� IBM � ��

� �� CA �� Tivoli Access Manager �� IBM � � ��

�� .

1. gsk7ikm �� . IBM Key Manager �� .

2. � �� → �� . � �� .

3. �� .

� �� : CMS � �� : key.kdb��: /var/PolicyDirector/keytabs

�� .


� 24 � SSL �� 407

4. �� . IBM Key

Manager �� .

5. �� . �� CA �� . ��

� �� .

�� : Binary der �� : <hostname>CA-SelfSignedCert.der��: /var/PolicyDirector/keytabs

�� AM�� .

SSL �� ONE Directory Server ��

SSL� �� Tivoli Access Manager �� ONE Directory Server ��

�� . ��

� SSL� ��

��. , Tivoli Access Manager� �� SSL� �� .

� �� Sun ONE Directory Server� IBM Tivoli Directory Client �� SSL �

�� . SSL �� Sun ONE Directory

Server� IBM Tivoli Directory Client� �� .

Sun ONE Directory Server�� SSL ��

� �� Sun �� .


�� .

v 408 ��

v 409 ��

v 410 �� SSL ��

��

Sun ONE Directory Server� SSL ��

�� ID� �� . ��

�� . � �� Server-Cert� ��.

�� Sun ONE Console 5.1 � �� Server-Cert

� ��.

1. Sun ONE Server Console 5.2� ��.

2. Sun ONE Server Console �� ID, ��

� �� Admin Server� URL� ��.

3. Tivoli Access Manager� �� .




4. �� .

5. Server Group� ��.

6. Directory Server �� .

Sun ONE Directory Server� �� .

7. Open� ��. Sun ONE Directory Server� ��.

8. Configuration �� .

9. Encryption �� .

10. Enable SSL for this server �� .

11. Task �� Manage Certificates� ��.

�: ��

� ��. Manage Certificates ��

�� .

12. �� . Manage Certificates ��

��.

13. �� internal (software)� �� Server Certs ��

�� .

14. �� Request �� . ��

��.

15. Request Certificate manually ��

��.

16. � �� Next� ��. ��

��. �� yes� ��.

17. Active Encryption token �� internal (software)� ��

��.

18. �� Next� ��.

19. �� Save to File� ��. ��

�� Copy to Clipboard� ��. �� Done� ��

��.

20. �� CA(Certificate Authority)

�� .

��

CA�� .

1. Sun ONE Server Console 5.2� ��.

2. �� Manage Certificates� ��.

SSL -- Sun ONE Directory Server

� 24 � SSL �� 409

3. Server Certs� �� Install� ��.

4. �� .

v �� In this local file� ��.

v ��

�� .

5. �� .

6. �� .

7. � � �� server-cert� ��

� �� .

8. �� . ��

� �� Server Certs � �� .

9. �SSL �� .

SSL ��

�� .

1. �� SSL �� .

2. �� ;RSA� ��.

3. �� , ��

�� .

4. �� .



5. �� Sun ONE Directory Server� �� .

�: �� .

�� Sun ONE Directory Server�� SSL� �� . �� , Sun

ONE Directory Server� � LDAP �� IBM Tivoli Directory

Client �� SSL� �� .

�� 411 �� SSL �� IBM Tivoli Directory Client

�� .

SSL �� IBM Tivoli Directory Client ��

SSL �� LDAP �� SSL �� LDAP

�� . SSL �� , ��

� �� .

v 394 �� SSL �� IBM Tivoli Directory Server ��

v 408 �� SSL �� ONE Directory Server ��

v 404 �� SSL �� Novell eDirectory ��

v 399 �� SSL �� IBM z/OS � OS/390 ��

�� , ��

� � �� . �� LDAP ��

� �� LDAP �� CA(��)� ��

��. LDAP �� , �� LDAP �

�� (CA)� �� .

LDAP �� SSL �� LDAP ��

� �� .

v 411 ��

v 412 ��

v 413 �� SSL ��

� ��

� �� gsk7ikm �� . � ��

� � �� .

1. LDAP �� SSL� �� LDAP �� GSKit � gsk7ikm �

�� .

2. gsk7ikm �� . � ��

��.


� 24 � SSL �� 411

��




Solaris /opt/IBM/gsk7/bin/gsk7ikm


3. � �� → ��

��.

4. CMS � �� .

5. ��

��. � �� .kdb��.

6. �� .

7. � �� .

� �� .

8. �� .

9. �� , �� .

� ��

� �� . ��

�� .sth �� .

10. �� . � �� . ��

�� . � �� CA(Certificate Authority)

��.

�� LDAP �� , � �� LDAP ��

�� CA(��)� �� . LDAP ��

� �� , �� LDAP �� (CA)�

�� .

11. � �� , � �� ivmgr

� ��. ��

��. �� , UNIX �� .

# chown ivmgr keyfile

��

� ��

�.

1. LDAP �� , 396 ��

� ��

SSL -- IBM Tivoli Directory Client


�� . ��

�. �� , LDAP �� CA� ��

� ��.

2. �� CMS � �� .

3. �� .

4. �� Base64-�� ASCII �� .

5. �� . �� .arm��

�.

6. �� .

7. �� . �� , � �� LDAP

�� . LDAP �� CA� �

�� , � CA� � � �� .

8. �� . ��

��.

9. �� /�� .

10. ��

�� .

LDAP �� CA� � �� , � CA� ��

�� . �� , CA

� �� .

�� LDAP �� SSL �� .

SSL ��

SSL �� LDAP ��

��.

ldapsearch -h servername -Z -K client_keyfile -P keyfile_pwd-b "" -s base objectclass=*

�� .

� ��

servername LDAP �� DNS �� .

client_keyfile ��

��.

keyfile_pwd �� .

� �� LDAP �� LDAP �� .


� 24 � SSL �� 413

394 �� SSL �� IBM Tivoli Directory Server �� LDAP �

� �� , �� .

v �� SSL �� .

v �� LDAP ��

� ��.

LDAP ��

397 �� SSL �� , SSL ��

LDAP ��

� �� .

�� SSL �� .

��

��. � �� , ��

� �� ID� ��.

�� .

v 414 ��

v 415 �� CA(Certificate Authority)��

v 416 ��

v 417 ��

v 418 �� SSL ��

� ��

�� , gsk7ikm ��

�� . � ��

�� 415 �� CA(Certificate Authority)��

��.

� �� (� �� )� ��

��.

1. LDAP �� SSL� �� GSKit � gsk7ikm� ��

� �� .

2. gsk7ikm �� . � ��

��.



��






3. � �� → �� .

4. CMS � �� .

5. ��

��. � �� .kdb��.

6. �� .

7. � �� . � ��

�� .

8. �� .

9. �� , �� .

� ��

� �� . ��

�� .sth �� .

10. �� .

� �� . �� .

� �� CA(Certificate Authority)��.

11. � �� , � �� ivmgr

� ��. ��

��. �� , UNIX �� .

# chown ivmgr keyfile


� �� CA(�: VeriSign)� �� , � CA��

�� .

� �� , � �� 416 ��

� �� .

�� .

1. CA(Certificate Authority)��

� � �� gsk7ikm� ��.

2. � �� .

SSL -- ��

� 24 � SSL �� 415

3. �� .

4. CA� �� .

5. CA� ��

� �� .

6. � �� LDAP �� , LDAP ��

�� CA� �� .

7. 417 �� .

��

415 �� CA(Certificate Authority)��

� �� CA�� 417 ��

� �� .

� ��

� ��.

1. gsk7ikm �� . � ��

��.

��






2. �� → � �� .

3. � �� GSKit� � ��

�� .

�� , �� LDAP �� .

4. �� (X509 V3) � � �� .

5. ��

� ��.

6. � �� .

7. �� .

8. �� , �� 365� ��

�� .

9. �� . GSKit� � ��

��.

SSL -- ��


� �� , GSKit� ��

� � �� . �

�� . ��

�� .

LDAP �� . ��

� �� . � ��

� �� .

�� . � ��

�� , � ��

��.

�� , LDAP �� Base64-�� ASCII ��

��.

10. LDAP �� Base64-�� ASCII �� gsk7ikm

� ��.

11. �� .

12. � �� .

13. �� Base64-�� ASCII �� .

14. �� . ��

� �� .arm��.

15. �� .

16. � �� LDAP �� .

LDAP ��

� � �� , � �� CA� �� (��

� �)� �� .

��

LDAP �� .

� ��

�.

1. �� .

v �� , 416 ��

� ��

�� . ��

�� .

v �� CA� � �� , �� CA�

�� .

SSL -- ��

� 24 � SSL �� 417

2. �� CMS � �� .

3. �� .

4. Base64-�� ASCII �� .

5. �� . �� .arm��

�.

6. �� .

7. �� . �� , �� LDAP

�� CA� �

� �� .

8. �� . � ��

�� .

9. �� /�� .

10. ��

�� .

LDAP �� CA� � �� , � CA� ��

�� . ��

�, CA� �� .

�� LDAP �� SSL �� .

11. �SSL �� .

SSL ��

LDAP �� CA� �� , LDAP ��

�� SSL �� .

ldapsearch -h servername -Z -K client_keyfile -P key_pw -N \client_label -b "" -s base objectclass=*

�� .

� ��

servername LDAP �� DNS �� .

client_keyfile �� .

key_pw �� .

client_label �� . � �� , LDAP ��

��

�� .

ldapsearch �� LDAP �� LDAP �� .

-N ��

�� .

SSL -- ��


�: LDAP �� . -N � ��

�� GSKit� ��. ��

��, ��

��.

�� SSL �� .

SSL -- ��

� 24 � SSL �� 419

� 25 � AIX: Standby Policy Server ��


Standby �� . Policy Server� �� Standby Policy

Server� �� Policy Server� �� Policy Server

� ��. �� , Standby Policy Server� �� Standby ��

�. �� Policy Server� �� Policy ��

�� .

Tivoli Access Manager� AIX �� Standby Policy Server ��

��. � ��, Standby Policy Server� �� HACMP(High Availability

Cluster Multiprocessing) �� , ��

� � ��

�� .

� �� .

v 422 ��

v 423 �� HACMP ��

v 434 �� Standby Policy Server ��

Standby Policy Server �� HACMP ��

�� HACMP �� . HACMP �� ,

Tivoli Access Manager �� Standby Policy Server ��

�� . ��

�.

�� HACMP� �� .

http://www.ibm.com/servers/eserver/clusters/software/

http://www.ibm.com/servers/aix/products/ibmsw/ high_avail_network/hacmp.html


http://www.ibm.com/servers/eserver/clusters/software/

http://www.ibm.com/servers/aix/products/ibmsw/ high_avail_network/hacmp.html

�

v �� Policy Server � �� Standby Policy Server� ��

��.

v �� Standby Policy Server� � � HACMP(High Availability Cluster

Multiprocessing) �� AIX �� .

v � AIX ��

� �� .

v Policy Server� �� policy ��

�� .

v IBM Tivoli Directory Server 5.2� ��

� �� .

� ��

��/Standby �� .

v � ��(�� Standby)� �� /��

� �� . �� .

– AIX 5.1� ��, �� 3 ��

– AIX 5.2� ��, �� 1 ��

v �� Standby Policy Server �� HACMP 4.5 �� , ��

� �� .

v �� . �� , SSA �� 7133 �

T40 �� SSA ��

� � ��.

�� HACMP �� 423 ��

��.

AIX: Standby Policy Server ��


HACMP ��

� �� Standby Policy Server �� HACMP ��

� �� . � �� Standby Policy Server ��

HACMP �� , ��

�� IP �� IP �� HACMP �� .

��

�� HACMP �� . HACMP� ��

� � �� IBM �� .

� �� AIX �� Policy Server� ��

� ��. � �� .

v tucana� �� IP �� 192.168.2.13, �� IP �� 192.168.2.79 � ��

� �� Standby IP �� IP �� 192.168.3.2�

��. � IP �� (�: ��

)� tucana�� . HACMP �� HACMP ��

� HACMP �� IP �� IP ��

�� .

v perseus� �� IP �� 192.168.2.14, �� IP �� 192.168.2.80 � �

�� standby IP �� IP �� 192.168.3.3

� ��. � IP �� (�: ��

�)� perseus�� .

�: � AIX �� IP ��

�. � AIX �� standby IP �� .

�� Policy Server� �� AIX �� . � ��

�� tucana��.

Standby Policy Server� �� AIX �� . � ��

�� perseus��.



��

� �� . ��

�� .

v �� AIX ��:

– ��

– � AIX �� AIX ��

� ��

�: � AIX �� AIX �� IP �� ping� ��

��.

– � �� SSA ��

v SSA �� . �� , IBM 7133 � T40 ��

IBM 7133 D40 � ��

v � �� SSA �� . � �� (AIX �� )� ��

�� AIX �� .

v � AIX �� IBM AIX 5.1 �� 3(�� )

�� CD. �� , � ��

�� .

AIX� �� HACMP �� .

1. AIX �� CD� �� rsct �� 3� � AIX

5.1 � �� . � �� .

oslevel -r

�� 3� �� 5100-03� ��.

2. �� HACMP �� 4.5 ES/CRM �� AIX ��

� �� .

3. �� .

a. �� IP �� AIX ��

�� /etc/hosts � ��. �� , � ��

�� , /etc/hosts � ��

�� .

# @(#)47 1.1 src/bos/usr/sbin/netstart/hosts, cmdnet, bos510 7/24/91 10:46## COMPONENT_NAME: TCPIP hosts## FUNCTIONS: loopback



## ORIGINS: 26 27## (C) COPYRIGHT International Business Machines Corp. 1985, 1989# All Rights Reserved# Licensed Materials - Property of IBM## US Government Users Restricted Rights - Use, duplication or# disclosure restricted by GSA ADP Schedule Contract with IBM Corp.## /etc/hosts## This file contains the hostnames and their address for hosts in the# network. This file is used to resolve a hostname into an Internet# address.## At minimum, this file must contain the name and address for each# device defined for TCP in your /etc/net file. It may also contain# entries for well-known (reserved) names such as timeserver# and printserver as well as any other host name and address.## The format of this file is:# Internet Address Hostname # Comments# Items are separated by any number of blanks and/or tabs. A ’#’# indicates the beginning of a comment; characters up to the end of the# line are not interpreted by routines which search this file. Blank# lines are allowed.

# Internet Address Hostname # Comments# 192.9.200.1 net0sample # ethernet name/address# 128.100.0.1 token0sample # token ring name/address# 10.2.0.2 x25sample # x.25 name/address127.0.0.1 loopback localhost # loopback (lo0) name/address192.168.2.13 tucana192.168.2.79 tucana-boot192.168.3.2 tucana-stby192.168.2.14 perseus192.168.2.80 perseus-boot192.168.3.3 perseus-stby

b. /.rhosts � �� . �

� �, �� .

perseusperseus-bootperseus-stbytucanatucana-boottucana-stby

c. �� .

chmod 600 /.rhosts

d. /etc/rc.net � �� .

no -o thewall=10240no -o routerevalidate=1no -o ipqmaxlen=512

4. HACMP �� . �� HACMP ��

��. �� 426 �� HACMP �� .



HACMP ��

� �� Tivoli Access Manager� �� HACMP �� .

� �� SMITTY ��

��. � �� .

v 427 �� 1 �: �� HACMP ��

� � , �� HACMP ��

�� .

v 429 �� 2 �: HACMP ��

� �� HACMP ��

� �� .

v 434 �� 3 �: HACMP ��

HACMP �� (� �� Policy

Server�)� � ��.

�� 3� �� (�� ) ��

� ��.

��(tucana) � Standby(perseus) Policy Server� SSA ��

�� . �� Policy Server� ��

�� , Standby �� HACMP ��

�� Policy Server� �� IP �� . HACMP ��

�� Standby �� Standby Policy Server

� ��. Standby Policy Server� Standby �� HACMP ��

� �� . � �, �

� �� HACMP �� .

�� 3. Standby Policy Server ��



1. �� IP �� .

2. �� .

3. �� Policy Server� ��.

�: �� HACMP �� , Standby �

�� HACMP �� Standby Policy Server� ��

�� , �� Policy Server� �� IP ��

�.

�� Standby Policy Server� �� HACMP �� .

� SMITTY ��

��.

� 1 �: �� HACMP ��

SMITTY MENU Hierarchy:

HACMP for AIX- Cluster Configuration- Cluster Topology- Show Cluster Topology- Show Cluster Topology

COMMAND STATUS

Command: OK stdout: yes stderr: no

Before command completion, additional instructions may appear below.

[TOP]Cluster Description of Cluster am51bosCluster ID: 1There were 2 networks defined: tucanaip, tucanatty1There are 2 nodes in this cluster

NODE perseus:This node has 2 service interface(s):

Service Interface perseus:IP address: 192.168.2.14Hardware Address:Network: tucanaipAttribute: public

Service Interface perseus has a possible boot configuration:Boot (Alternate Service) Interface: perseus-boot

IP Address: 192.168.2.80Network: tucanaipAttribute: public

Service Interface perseus has 1 standby interfacesStandby Interface 1: perseus-stby

IP Address: 192.168.3.3



Network: tucanaipAttribute: public

Service Interface perseus-tty1:IP address: /dev/tty1Hardware Address:Network: tucanatty1Attribute: serial

Service Interface perseus-tty1 has no standby interfaces

NODE tucana:This node has 2 service interface(s):

Service Interface tucana:IP address: 192.168.2.13Hardware Address:Network: tucanaipAttribute: public

Service Interface tucana has a possible boot configuration:Boot (Alternate Service) Interface: tucana-boot


Service Interface tucana has 1 standby interfacesStandby Interface 1: tucana-stby


Service Interface tucana-tty1:IP address: /dev/tty1Hardware Address:Network: tucanatty1Attribute: serial

Service Interface tucana-tty1 has no standby interfaces

Breakdown of network connections:

Connections to network tucanaipNode perseus is connected to network tucanaip by these interfaces:

perseus-bootperseusperseus-stby

Node tucana is connected to network tucanaip by these interfaces:tucana-boottucanatucana-stby



Connections to network tucanatty1Node perseus is connected to network tucanatty1 by these interfaces:

perseus-tty1

Node tucana is connected to network tucanatty1 by these interfaces:tucana-tty1

[BOTTOM]

� 2 �: HACMP ��


HACMP for AIX- Cluster Configuration- Cluster Resources- Show Cluster Resources- Show Resource Information by Node- Select Node Name- perseus

COMMAND STATUS



[TOP]

Resource Group Name tucanasipNode Relationship cascadingParticipating Node Name(s) tucana perseusService IP Label tucanaFilesystems /am510fs1Filesystems Consistency Check fsckFilesystems Recovery Method sequentialFilesystems/Directories to be exported /am510fs1Filesystems to be NFS mountedNetwork For NFS MountVolume Groups am510vgConcurrent Volume GroupsDisksShared Tape ResourcesAIX Connections ServicesAIX Fast Connect ServicesApplication Servers PDMGRHighly Available Communication LinksMiscellaneous DataAutomatically Import Volume Groups falseInactive Takeover falseCascading Without Fallback false9333 Disk Fencing falseSSA Disk Fencing falseFilesystems mounted before IP configured false



Resource Group Name perseusipNode Relationship cascadingParticipating Node Name(s) perseus tucanaService IP Label perseusFilesystemsFilesystems Consistency Check fsckFilesystems Recovery Method sequentialFilesystems/Directories to be exportedFilesystems to be NFS mountedNetwork For NFS MountVolume GroupsConcurrent Volume GroupsDisksShared Tape ResourcesAIX Connections ServicesAIX Fast Connect ServicesApplication ServersHighly Available Communication LinksMiscellaneous DataAutomatically Import Volume Groups falseInactive Takeover falseCascading Without Fallback false9333 Disk Fencing falseSSA Disk Fencing falseFilesystems mounted before IP configured false

Run Time Parameters:

Node Name perseusDebug Level highHost uses NIS or Name Server false

[BOTTOM]


HACMP for AIX- Cluster Configuration- Cluster Resources- Show Cluster Resources- Show Resource Information by Node- Select Node Name- tucana

COMMAND STATUS





[TOP]




Node Name tucana



Debug Level highHost uses NIS or Name Server false

[BOTTOM]


HACMP for AIX- Cluster Configuration- Cluster Resources- Show Cluster Resources- Show Resource Information by Resource Group- Select Resouce Group Name- perseusip

COMMAND STATUS





Node Name perseus



Debug Level highHost uses NIS or Name Server false

Node Name tucanaDebug Level highHost uses NIS or Name Server false


HACMP for AIX- Cluster Configuration- Cluster Resources- Show Cluster Resources- Show Resource Information by Resource Group- Select Resouce Group Name- tucanasip

COMMAND STATUS







Node Name tucanaDebug Level highHost uses NIS or Name Server false

Node Name perseusDebug Level highHost uses NIS or Name Server false

� 3 �: HACMP ��


HACMP for AIX- Cluster Configuration- Cluster Resources- Define Application Servers- Change / Show an Application Server

Change Application Server

Type or select values in entry fields.Press Enter AFTER making all desired changes.

[Entry Fields]Server Name PDMGRNew Server Name [PDMGR]Start Script [/usr/bin/pd_start start]Stop Script [/usr/bin/pd_start stop]

Standby Policy Server ��

Standby Policy Server �� .

1. �� Policy Server � Standby Policy Server �� ivmgr user ID,

ivmgr �� ID, tivoli �� ID � tivoli �� ID� ��.

� ID� �� /etc/security/limits � � � �

� ��(�� ID� �� )� �� . ��

� �� ID� � �� . �

ID� �� .

v SMITTY �� AIX �� ID� � ��

�� . �� , � �� ID ivmgr� � �

� ID �� . � ��, ID �� ID ��

� �� .

v 439 �� : �� standby �� UID ��

�� . ivmgr � tivoli ��



�� UID� �� . �� , � ��

�� setivug� �� , �� ID� 250� ivmgr ��

ID� 251� ivmgr ��, ID� 260� tivoli �� ID� 261� tivoli

�� .

./setivug 250 251 260 261

�: �� UID ��

��.

2. � �� HACMP �� , � ��

�� /share� �� . �� , �

� �� SSA �� /share �� . ��

�� .

a. �� Policy Server� �� /share

�� . �� SSA ��

�� Standby Policy Server ��

�� .

b. PolicyDirector�� /share ��(/share/

PolicyDirector)� ��. �� ivmgr� ��, ivmgr� � �

�� .

c. SMITTY HACMP �� IP �� .

�� , �� Policy Server ��

�� .

�� Policy Server�� , Standby Policy Server� ��

Policy Server� �� IP �� /share �

/share/PolicyDirector �� .

d. Standby Policy Server �� ls -l ��

�� ivmgr �� ivmgr �� .

e. �� Policy Server� �� . �� , ��

ID �� Policy Server �� , ��


3. �� Policy Server�� .

a. install_ammgr �� Tivoli Access

Manager �� . �� 105 �� 5 �

�Policy Server �� .

436 �� 4� �� Policy Server� �� , � � �

�� .



b. �� Policy Server� ��.

c. /opt/PolicyDirector/ivmgrd.conf � �� .

1) [ssl] �� ssl-io-inactivity-timeout �� 300��

��.

2) [configuration-database] �� file= �� SHARED �

� �� ivmgrd.conf.obf � �� (�:

file=/share/PolicyDirector/ivmgrd.conf.obf)� ��

��.

d. /opt/PolicyDirector/pd.conf � �� Policy Server� ��

� � � � �� HACMP �� IP ��

�� . 423 �� HACMP ��

� �� tucana��.

e. �� , 441 �� : ��

� �� . ��

Policy Server��

��(/share)�� .

437 �� 5� � � ��

� �� . � �� Standby Policy Server� ��

�� .

�� 4. � �� Policy Server



f. �� Policy Server� �� .

g. 442 �� , ��, ��

��.

4. Standby Policy Server�� .

a. installp� �� Tivoli Access Manager

�� (�� ). �� 106 �� AIX:


b. HACMP ��

��(/share/PolicyDirector)� �� . �

� �� .conf � ��

�� .

Standby Policy Server� � �� Policy

Server� � �� . �� , SMITTY HACMP ��


�� . �� , HACMP ��

�� (1 �� ) Standby Policy Server ��

Policy Server� �� IP �� Standby Policy

Server �� .

c. pdconfig �� Standby Policy Server� ��. ��

�� 106 �� AIX: Policy Server �� .

�� 5. �� Policy Server



�: Standby Policy Server� �� Policy Server� ��

� ��. �� Policy Server� ��


� �� .

�� pdconfig �� Policy Server ��

�� . �� y(Yes)� ��.

� LDAP �� Policy Server� �� . �� standby �� 2� Policy Server� �� .LDAP �� 2� Policy Server��? [N]: [y]Policy Server� standby� ��? [N]: [y]

�� ivmgrd.conf (� Policy Server �� )� “�

��” �� . �� , �� /share��

��.

/share/PolicyDirector/ivmgrd.conf

pdconfig �� /opt/PolicyDirector/etc �

�� ivmgrd.conf � �� Standby ��

� ��.

�: Standby Policy Server �� Standby Policy Server� �

�� . Standby Policy Server�� HACMP ��

�� . ��

�, �� Standby Policy Server� ��

� �� .

d. 444 �� : AIX �� Standby ��

�� . AIX ��

�� .

e. 446 �� , ��, ��

��.

�: � �� Standby ��

/share/PolicyDirector� ��

��.

�� Standby Policy Server� �� . � �� HACMP �

�� Policy Server �� Standby Policy Server ��

� ��.

Policy Server �� , HACMP �� Policy Server

�� .



SMITTY �� HACMP ��

�� . ��

�� HACMP ��

��. � �� , Policy Server ��

(/usr/bin/pd_start start) � �� (/usr/bin/pd_start stop)� ��

��.

�� 6� �� Standby Policy Server� ��

�� . ��

��.

�� HACMP ��/Standby Policy Server ��

� �� . � �� Policy Server ��

� HACMP �� . �� Policy

Server� �� Standby Policy Server� standby �� .

��: �� standby �� UID ��

�� Standby Policy Server �� ivmgr � tivoli ��

UID� �� .

�� 6. � � ��/Standby Policy Server ��



#!/bin/ksh## This script sets the uid values for the ivmgr user and the ivmgr group# to values that are specified on the command line when this script is# executed. In addition, this script defines the tivoli group uid and the# tivoli user uid.## The first parameter ($1) is the uid for the ivmgr group. The second parameter# ($2) is the uid for the ivmgr user. The third parameter ($3) is the uid# for the tivoli group. The fourth parameter ($4) is for the tivoli user uid.# Before executing this script, insure that the four uid values ARE NOT already# being used on either system.## Due to the importance of these values, it is ABSOLUTELY necessary on the# system which will run as the Standby Policy Server to set the ivmgr group# uid and the ivmgr user uid to MATCH the corresponding settings for these# entities on the system which is serving as the Primary Policy Server. Also,# since the definition of the ivmgr user has membership in the tivoli group,# then it is also necessary to create the tivoli group as well. Finally, since# the tivoli group contains the tivoli user, then then tivoli user, with the# appropriate uid, must be defined as well. These user/group settings insure# consistency across the two policy servers allowing for each system to take# over the role of the Primary Policy Server when it is appropriate.# Otherwise, the Standby Policy Server will not run or will not even configure# correctly if these values are not the same on BOTH systems.## Note that this script, setivug, MUST be run BEFORE the Standby Policy Server# is installed. As a matter of fact, it is recommended that this script be run# BEFORE any Access Manager software is installed on either the Primary OR the# Standby Policy server. In this way, all four of these ID’s will be consistent# across BOTH systems.#set -eset -x## Create the ivmgr and tivoli groups with the appropriate uids#mkgroup -’A’ id="$1" ivmgrmkgroup -’A’ id="$3" tivolix() {LIST=SET_A=for i in "$@"doif [ "$i" = "admin=true" ]thenSET_A="-a"continuefiLIST="$LIST \"$i\""doneeval mkuser $SET_A $LIST}## Now define the ivmgr user uid to be a part of the staff, tivoli, and ivmgr groups.# (Enter the following command on one continuous line.)#x id="$2" pgrp=’staff’ groups=’staff,tivoli,ivmgr’ home=’/opt/PolicyDirector’

shell=’/usr/bin/ksh’ gecos=’Policy Director Manager’ ivmgr## Now define the tivoli user uid to be a part of the staff and tivoli groups.# (Enter the following command on one continuous line.)#x id="$4" pgrp=’staff’ groups=’staff,tivoli’ home=’/home/tivoli’ shell=’/usr/bin/ksh’

gecos=’Owner of Tivoli Common Files’ tivoli#



��: ��


�� .

#!/bin/ksh#

# Save a copy of the 3 files below under the .bkp extensioncp -p /opt/PolicyDirector/etc/pd.conf /opt/PolicyDirector/etc/pd.conf.bkpcp -p /opt/PolicyDirector/etc/ivmgrd.conf /opt/PolicyDirector/etc/ivmgrd.conf.bkpcp -p /opt/PolicyDirector/etc/ivmgrd.conf.obf /opt/PolicyDirector/etc/ivmgrd.conf.obf.bkp

# Move configuration files to shared directory on the external file systemmv /opt/PolicyDirector/etc/pd.conf /share/PolicyDirectormv /opt/PolicyDirector/etc/ivmgrd.conf /share/PolicyDirector/ivmgrd.confmv /opt/PolicyDirector/etc/ivmgrd.conf.obf /share/PolicyDirector/ivmgrd.conf.obf

# Link the configuration files back to the original installation directory# and change the ownership and group of these links to ivmgr.ln -s /share/PolicyDirector/pd.conf /opt/PolicyDirector/etcln -s /share/PolicyDirector/ivmgrd.conf /opt/PolicyDirector/etcln -s /share/PolicyDirector/ivmgrd.conf.obf /opt/PolicyDirector/etcchown -h ivmgr /opt/PolicyDirector/etc/ivmgrd.confchown -h ivmgr /opt/PolicyDirector/etc/ivmgrd.conf.obfchown -h ivmgr /opt/PolicyDirector/etc/pd.confchgrp -h ivmgr /opt/PolicyDirector/etc/ivmgrd.confchgrp -h ivmgr /opt/PolicyDirector/etc/ivmgrd.conf.obfchgrp -h ivmgr /opt/PolicyDirector/etc/pd.conf

# For the keytab, db and lock subdirectories, create a backup of these directories,# move their contents to the shared external file system, and link the files in# these directories back to the original installation directory.

cp -R -p /var/PolicyDirector/keytab /var/PolicyDirector/keytab_bkpmv /var/PolicyDirector/keytab /share/PolicyDirectorln -s /share/PolicyDirector/keytab /var/PolicyDirector

cp -R -p /var/PolicyDirector/db /var/PolicyDirector/db_bkpmv /var/PolicyDirector/db /share/PolicyDirectorln -s /share/PolicyDirector/db /var/PolicyDirector

cp -R -p /var/PolicyDirector/lock /var/PolicyDirector/lock_bkpmv /var/PolicyDirector/lock /share/PolicyDirectorln -s /share/PolicyDirector/lock /var/PolicyDirector

# Change the ownership and group of these links to ivmgr.chown -h ivmgr /var/PolicyDirector/dbchown -h ivmgr /var/PolicyDirector/keytabchown -h ivmgr /var/PolicyDirector/lockchgrp -h ivmgr /var/PolicyDirector/dbchgrp -h ivmgr /var/PolicyDirector/keytabchgrp -h ivmgr /var/PolicyDirector/lock



��: �� , ��

/opt/PolicyDirector/etc p:d.!-:

==> ls -ltotal 3714-rw-r----- 1 ivmgr ivmgr 1682440 Oct 10 11:48 AccessManagerBaseAutoTraceDatabaseFile.obfuscated-rw-r--r-- 1 ivmgr ivmgr 2703 Oct 14 13:16 activedir_ldap.conf-rw-r----- 1 ivmgr ivmgr 2703 Jul 14 14:21 activedir_ldap.conf.template-rw-r----- 1 ivmgr ivmgr 18195 Jul 7 10:46 additional_licenses.txtdrw-rw---- 2 ivmgr ivmgr 512 Dec 31 1969 blades-rw-r----- 1 ivmgr ivmgr 5890 Jan 24 2003 config-rw-r----- 1 ivmgr ivmgr 718 May 13 11:40 domino.conf.template-rw-r----- 1 ivmgr ivmgr 114 Oct 10 11:48 ffdclrwxrwxrwx 1 ivmgr ivmgr 36 Oct 15 13:45 ivmgrd.conf -> /am510fs1/PolicyDirector/ivmgrd.conf-rw-r----- 1 ivmgr ivmgr 16949 Oct 14 13:19 ivmgrd.conf.bkplrwxrwxrwx 1 ivmgr ivmgr 40 Oct 15 13:45 ivmgrd.conf.obf -> /am510fs1/PolicyDirector/ivmgrd.conf.obf-rw-r----- 1 ivmgr ivmgr 64 Oct 14 13:19 ivmgrd.conf.obf.bkp-rw-r----- 1 ivmgr ivmgr 16731 Oct 10 11:29 ivmgrd.conf.template-rw-r--r-- 1 ivmgr ivmgr 2319 Oct 14 13:18 ldap.conf-rw-r----- 1 ivmgr ivmgr 2187 Oct 10 11:21 ldap.conf.template-rw-r--r-- 1 ivmgr ivmgr 36544 Sep 29 12:45 novschema.def-rw-r--r-- 1 ivmgr ivmgr 26260 Sep 29 12:45 nsschema.deflrwxrwxrwx 1 ivmgr ivmgr 32 Oct 15 13:45 pd.conf -> /am510fs1/PolicyDirector/pd.conf-rw-r--r-- 1 ivmgr ivmgr 3736 Oct 14 13:20 pd.conf.bkp-rw-r----- 1 ivmgr ivmgr 3645 Oct 10 11:29 pd.conf.template-rw-r----- 1 ivmgr ivmgr 5576 Oct 10 10:05 pdbackup.lst-rw-r----- 1 ivmgr ivmgr 7448 Oct 10 10:05 pdinfo.lst-rw-r--r-- 1 ivmgr ivmgr 5354 Oct 14 13:19 pdmgrd_routing-rw-r--r-- 1 ivmgr ivmgr 5255 Oct 10 11:36 pdmgrd_routing.template-rw-r--r-- 1 ivmgr ivmgr 1492 Oct 14 12:49 pdversion.dat-rw-r--r-- 1 ivmgr ivmgr 1492 Aug 18 11:37 pdversion.dat.template-rw-r----- 1 ivmgr ivmgr 1466 Jan 24 2003 product-rw-r--r-- 1 ivmgr ivmgr 5827 Oct 14 13:16 routing-rw-r--r-- 1 ivmgr ivmgr 5674 Oct 10 11:36 routing.template-rw-r--r-- 1 ivmgr ivmgr 14035 Sep 29 12:45 secschema.def-rw-r--r-- 1 ivmgr ivmgr 11236 Jan 24 2003 secschema390.def-rw-r--r-- 1 ivmgr ivmgr 1 Oct 14 12:49 startup-rw-r--r-- 1 ivmgr ivmgr 1 Jun 24 10:48 startup.template-rw-r--r-- 1 ivmgr ivmgr 1233 Jan 24 2003 upgrade3.7_ibm_schema.def-rw-r--r-- 1 ivmgr ivmgr 1938 Jan 24 2003 upgrade3.7_ibm_schema390.def-rw-r--r-- 1 ivmgr ivmgr 1744 Jan 24 2003 upgrade3.7_netscape_schema.def



/var/PolicyDirector p:d.!-:

==> ls -Rltotal 7drwxrwxr-x 2 ivmgr ivmgr 512 Dec 31 1969 auditlrwxrwxrwx 1 ivmgr ivmgr 27 Oct 15 13:45 db -> /am510fs1/PolicyDirector/dbdrwxrwxr-x 2 ivmgr ivmgr 512 Oct 14 13:19 db_bkplrwxrwxrwx 1 ivmgr ivmgr 31 Oct 16 15:48 keytab -> /am510fs1/PolicyDirector/keytabdrwxr-xr-x 2 ivmgr ivmgr 512 Oct 16 15:42 keytab_bkplrwxrwxrwx 1 ivmgr ivmgr 29 Oct 15 13:45 lock -> /am510fs1/PolicyDirector/lockdrwxr-x--- 2 ivmgr ivmgr 512 Dec 31 1969 lock_bkpdrwxrwxrwx 3 ivmgr ivmgr 512 Oct 16 13:40 logdrwxrwxr-x 2 ivmgr ivmgr 512 Dec 31 1969 pdbackupdrwxr-x--- 2 ivmgr ivmgr 512 Oct 14 12:49 pdmgrd./audit:total 0

./db_bkp:total 1056-rw------- 1 ivmgr ivmgr 540672 Oct 15 13:45 master_authzn.db

./keytab_bkp:total 35-rw------- 1 ivmgr ivmgr 10080 Oct 14 13:19 ivmgrd.kdb-rw------- 1 ivmgr ivmgr 129 Oct 14 13:18 ivmgrd.sth-rw-rw-rw- 1 root system 5080 Oct 14 13:19 pd.kdb-rw-rw-rw- 1 root system 129 Oct 14 13:19 pd.sth-rw------- 1 root system 1070 Oct 14 13:18 pdcacert.b64

./lock_bkp:total 0



��: AIX �� Standby ��

AIX �� Standby Policy Server ��

�� .

\N DO C:[! VB x/ p:d., /share/PolicyDirector!-:

==> ls -Rltotal 80drwxrwxr-x 2 ivmgr ivmgr 512 Oct 14 13:19 db-rw-r----- 1 ivmgr ivmgr 16950 Oct 16 13:32 ivmgrd.conf-rw-r----- 1 ivmgr ivmgr 64 Oct 16 13:32 ivmgrd.conf.obfdrwxr-xr-x 2 ivmgr ivmgr 512 Oct 16 15:42 keytabdrwxr-x--- 2 ivmgr ivmgr 512 Dec 31 1969 lock-rw-r--r-- 1 ivmgr ivmgr 3736 Oct 14 13:20 pd.conf

./db:total 1056-rw------- 1 ivmgr ivmgr 540672 Oct 16 16:18 master_authzn.db

./keytab:total 64-rw------- 1 ivmgr ivmgr 10080 Oct 14 13:19 ivmgrd.kdb-rw------- 1 ivmgr ivmgr 129 Oct 14 13:18 ivmgrd.sth-rw-rw-rw- 1 root system 5080 Oct 14 13:19 pd.kdb-rw-rw-rw- 1 root system 129 Oct 14 13:19 pd.sth-rw------- 1 root system 1070 Oct 14 13:18 pdcacert.b64

./lock:total 0



#!/bin/ksh#

# The Standby Policy Server must use the same configuration files as the# Primary Policy Server. For this reason, the following links must be created# in order for the Standby Policy Server to function correctly.## Note the Access Manager configuration software will automatically create# a link to the ivmgrd.conf file that is stored in the shared external file system.

# Backup pd.conf to pd.bkp and link to pd.conf in the shared external file systemmv /opt/PolicyDirector/etc/pd.conf /opt/PolicyDirector/etc/pd.conf.bkpln -s /share/PolicyDirector/pd.conf /opt/PolicyDirector/etc

# Backup keytab, db and lock directories and link the keytab, db, and lock# directories to their corresponding files in the shared external file system.

mv /var/PolicyDirector/keytab /var/PolicyDirector/keytab_bkpln -s /share/PolicyDirector/keytab /var/PolicyDirector

mv /var/PolicyDirector/db /var/PolicyDirector/db_bkpln -s /share/PolicyDirector/db /var/PolicyDirector

mv /var/PolicyDirector/lock /var/PolicyDirector/lock_bkpln -s /share/PolicyDirector/lock /var/PolicyDirector

# Change the group and ownership of the five links above to ivmgr.chown -h ivmgr /opt/PolicyDirector/etc/pd.confchown -h ivmgr /var/PolicyDirector/dbchown -h ivmgr /var/PolicyDirector/keytabchown -h ivmgr /var/PolicyDirector/lockchgrp -h ivmgr /opt/PolicyDirector/etc/pd.confchgrp -h ivmgr /var/PolicyDirector/dbchgrp -h ivmgr /var/PolicyDirector/keytabchgrp -h ivmgr /var/PolicyDirector/lock



��: Standby �� , ��

/opt/PolicyDirector/etc p:d.!-:

==> ls -ltotal 3668-rw-r----- 1 ivmgr ivmgr 1682440 Oct 10 11:48 AccessManagerBaseAutoTraceDatabaseFile.obfuscated-rw-r--r-- 1 ivmgr ivmgr 2703 Oct 16 13:26 activedir_ldap.conf-rw-r----- 1 ivmgr ivmgr 2703 Jul 14 14:21 activedir_ldap.conf.template-rw-r----- 1 ivmgr ivmgr 18195 Jul 07 10:46 additional_licenses.txtdrw-rw---- 2 ivmgr ivmgr 512 Dec 31 1969 blades-rw-r----- 1 ivmgr ivmgr 5890 Jan 24 2003 config-rw-r----- 1 ivmgr ivmgr 718 May 13 11:40 domino.conf.template-rw-r----- 1 ivmgr ivmgr 114 Oct 10 11:48 ffdclrwxrwxrwx 1 root system 36 Oct 16 13:32 ivmgrd.conf -> /am510fs1/PolicyDirector/ivmgrd.conflrwxrwxrwx 1 root system 40 Oct 16 13:32 ivmgrd.conf.obf -> /am510fs1/PolicyDirector/ivmgrd.conf.obf-rw-r----- 1 ivmgr ivmgr 16731 Oct 10 11:29 ivmgrd.conf.template-rw-r--r-- 1 ivmgr ivmgr 2319 Oct 16 13:31 ldap.conf-rw-r----- 1 ivmgr ivmgr 2187 Oct 10 11:21 ldap.conf.template-rw-r--r-- 1 ivmgr ivmgr 36544 Sep 29 12:45 novschema.def-rw-r--r-- 1 ivmgr ivmgr 26260 Sep 29 12:45 nsschema.deflrwxrwxrwx 1 ivmgr ivmgr 32 Oct 16 13:36 pd.conf -> /am510fs1/PolicyDirector/pd.conf-rw-r--r-- 1 ivmgr ivmgr 3741 Oct 16 13:32 pd.conf.bkp-rw-r----- 1 ivmgr ivmgr 3645 Oct 10 11:29 pd.conf.template-rw-r----- 1 ivmgr ivmgr 5576 Oct 10 10:05 pdbackup.lst-rw-r----- 1 ivmgr ivmgr 7448 Oct 10 10:05 pdinfo.lst-rw-r--r-- 1 ivmgr ivmgr 5255 Oct 10 11:36 pdmgrd_routing.template-rw-r--r-- 1 ivmgr ivmgr 1492 Oct 16 13:27 pdversion.dat-rw-r--r-- 1 ivmgr ivmgr 1492 Aug 18 11:37 pdversion.dat.template-rw-r----- 1 ivmgr ivmgr 1466 Jan 24 2003 product-rw-r--r-- 1 ivmgr ivmgr 5810 Oct 16 13:27 routing-rw-r--r-- 1 ivmgr ivmgr 5674 Oct 10 11:36 routing.template-rw-r--r-- 1 ivmgr ivmgr 14035 Sep 29 12:45 secschema.def-rw-r--r-- 1 ivmgr ivmgr 11236 Jan 24 2003 secschema390.def-rw-r--r-- 1 ivmgr ivmgr 1 Oct 16 13:27 startup-rw-r--r-- 1 ivmgr ivmgr 1 Jun 24 10:48 startup.template-rw-r--r-- 1 ivmgr ivmgr 1233 Jan 24 2003 upgrade3.7_ibm_schema.def-rw-r--r-- 1 ivmgr ivmgr 1938 Jan 24 2003 upgrade3.7_ibm_schema390.def-rw-r--r-- 1 ivmgr ivmgr 1744 Jan 24 2003 upgrade3.7_netscape_schema.def



/var/PolicyDirector p:d.!-:

==> ls -Rltotal 7drwxrwxr-x 2 ivmgr ivmgr 512 Dec 31 1969 auditlrwxrwxrwx 1 ivmgr ivmgr 27 Oct 16 13:36 db -> /am510fs1/PolicyDirector/dbdrwxrwxr-x 2 ivmgr ivmgr 512 Dec 31 1969 db_bkplrwxrwxrwx 1 ivmgr ivmgr 31 Oct 16 13:36 keytab -> /am510fs1/PolicyDirector/keytabdrwxrwxrwx 2 ivmgr ivmgr 512 Dec 31 1969 keytab_bkplrwxrwxrwx 1 ivmgr ivmgr 29 Oct 16 13:36 lock -> /am510fs1/PolicyDirector/lockdrwxr-x--- 2 ivmgr ivmgr 512 Dec 31 1969 lock_bkpdrwxrwxrwx 2 ivmgr ivmgr 512 Dec 31 1969 logdrwxrwxr-x 2 ivmgr ivmgr 512 Dec 31 1969 pdbackupdrwxr-x--- 2 ivmgr ivmgr 512 Oct 16 13:24 pdmgrd./audit:total 0

./db_bkp:total 0

./keytab_bkp:total 0

./lock_bkp:total 0


� 26 � Tivoli Access Manager ��

pdadmin �� Tivoli Access Manager��

� ��.


��

amwebcfg WebSEAL �� , �� .

AMWLSConfigure -action config Tivoli Access Manager for WebLogic Server� ��.

AMWLSConf igure -ac t ion

unconfig

Tivoli Access Manager for WebLogic Server� �� .


create_realm



delete_realm

WebLogic Server�� .

amwpmcfg Web Portal Manager �� .

ivrgy_tool �� LDAP �� Tivoli Access Manager ��

��.

migrateEAR4 �� (�� )�� Tivoli Access

Manager for WebSphere Application Server, �� 4.0.6��

policy �� .

migrateEAR5 �� (�� )�� Tivoli Access

Manager for WebSphere Application Server, �� 5.0.2� ��

policy �� .

pdbackup Tivoli Access Manager �� , �� .

pdconfig Tivoli Access Manager Java �� Tivoli


pdjrtecfg Tivoli Access Manager Java �� .

pd_start UNIX �� , �� . ��

�� .

pdwascfg Tivoli Access Manager for WebSphere Application Server� �

� � �� .

pdweb WebSEAL Servers� ��, ��

��.

pdwebpi Tivoli Access Manager Plug-in for Web Servers ��

��. ��, Plug-in for Web Servers� ��

� �� .

pdwebpi_start UNIX �� Tivoli Access Manager Plug-in for Web Servers

�� , �� . ��, ��

�� .

pdwpi-version Tivoli Access Manager Plug-in for Web Servers ��

� � �� .

pdwpicfg -action config Tivoli Access Manager Plug-in for Web Servers� ��.


45. Tivoli Access Manager �� (��)

pdwpicfg -action unconfig Tivoli Access Manager Plug-in for Web Servers� ��

�.

wesosm Edge Server �� Tivoli Access Manager ��

�� .

wslstartwte Edge Server � �� UNIX� Plug-in for

Edge Server� ��.

wslstopwte UNIX �� Edge Server � �� .


amwebcfgWebSEAL �� , �� .

��

amwebcfg -action config -host host_name -listening_port am_listening_port

-inst_name instance_name -nw_interface_yn {yes|no} -ip_address ip_address -ssl_yn

{yes|no} -key_file key_file -key_file_pwd key_file_pwd -cert_label cert_label

-ssl_port ssl_port -http_yn {yes|no} -http_port http_port -https_yn {yes|no}

-https_port https_port-doc_root doc_root

amwebcfg -action config -rspfile response_file

amwebcfg -action config -interactive

amwebcfg -action unconfig -inst_name instance_name

amwebcfg -action unconfig -rspfile response_file

amwebcfg -action unconfig -interactive

amwebcfg -operations

amwebcfg -help [options]

amwebcfg -usage

amwebcfg -?

��

-action {config | name | status | unconfig}

� � �� .

config WebSEAL �� .

name Tivoli Access Manager WebSEAL �� name �

� pdconfig �� . � � pdconfig��

��. �� .

status status �� pdconfig �� . � � pdconfig�

�� . �� .

unconfig

WebSEAL Server �� .

� 26 � Tivoli Access Manager �� 451

-cert_label cert_label

LDAP �� . � � WebSEAL LDAP

�� SSL �� (-ssl_yn yes)� �� .

WebSEAL LDAP �� SSL �� SSL� LDAP

�� . ��, � ��

� � amwebcfg� -ssl_yn yes� ��

�. �� , SSL� � � � � �

� �� .

-action config� � ��.

-doc_root doc_root

�� . � �� .

-action config� � ��.

� � �� amwebcfg� ��

��. �� www- �� .

�� , �� web1 � �� doc_root� ��

� �� .

UNIX:opt/pdweb/www-web1/docsWindows: installation_directory\pdweb\www-web1\docs

� �� WebSEAL ��

default� �� doc-root� � �� , amwebcfg

� �� .

UNIX:opt/pdweb/www-default/docsWindows: installation_directory\pdweb\www-default\docs

-help [options]

��

�. �� , WebSEAL� � ��

� �� .

-host host_name

WebSEAL Server� �� Tivoli Access Manager Policy Server

� �� . � � -action config� ��

�.

� � �� amwebcfg� ��

�� .


host_name� �� IP �� . ��

�, �� .

libra.dallas.ibm.com

-http_yn {yes|no}

WebSEAL Server �� HTTP ��

��. � � -action config� ��.

�� Boolean �� yes �� no��. �� . � �

�� amwebcfg� ��

�� .

-http_port http_port

�� HTTP �� . �� 80

��.

http_yn� yes� �� -action config� ��. http_yn

� yes� �� , amwebcfg� �

�� .

-https_yn {yes|no}

WebSEAL Server �� HTTPS ��

��. � � -action config� ��.

�� Boolean �� yes �� no��. �� . � �

�� amwebcfg� ��

�� .

-https_port https_port

�� HTTP �� . �� 443��.

https_yn� yes� �� -action config� ��.

https_yn� yes� �� ,

amwebcfg� �� .

-inst_name instance_name

WebSEAL Server �� . �� , web1

��. � �� . � � -action

config� ��.

�� 20��. ��

�.

v �� ASCII �(A-Z �� a-z)

v � ( . )

v ��( - )

v ��( _ )


GUI� �� WebSEAL Server �� , amwebcfg

� �� default� ��. � ��

�� (�: webseal1).

-interactive

�� . WebSEAL� ��

� ��

�� .

�: �� UNIX�� . Windows �� -interactive

� ��

��.

-ip_address ip_address

WebSEAL Server� IP �� .

� � -nw_interface_yn� yes� �� -action config� �

��.

-nw_interface_yn� yes� �� -ip_address� �� ,

amwebcfg� �� IP �� .

-key_file key_file

LDAP SSL � � ��.

� � WebSEAL Server� LDAP Server �� SSL ��

� �� -action config� ��.

-key_file_pwd key_file_pwd

LDAP SSL � �� .

� � WebSEAL Server � LDAP Server �� SSL ��

� �� -action config� ��.

-listening_port am_listening_port

Tivoli Access Manager Policy Server� �� .

� �� WebSEAL Server � Policy Server� �� .

� �� 1024�� .

� � -action config� � ��. � � ��

� ��, amwebcfg� �� .

-nw_interface_yn {yes|no}

�� . �� Boolean

�� yes �� no��.


� �� WebSEAL Server �� -action config�

� ��. �� . � � �� ,


-operations

�� .

-rspfile response_file

� �� WebSEAL Server ��

� � ��. ��

�. �� . �� =� ��

� ��. �� IBM Tivoli Access Manager for

e-business �� .

-ssl_port ssl_port

WebSEAL Server� LDAP �� SSL ��

��. �� 636��.

� � -action config� �� ssl_yn� yes� ��

��. ssl_yn� yes� ��


-ssl_yn {yes|no}

WebSEAL Server� LDAP �� SSL ��

��. �� Boolean �� yes �� no��.

� � -action config� � ��. �� . � �

�� , amwebcfg� ��

�� .

-usage � �� . �� .

-? � �� . �� .

�� WebSEAL Server �� amwebcfg� ��. �

�� , �� . ��

� �� . �� , �

� � �� . � ��

� �� , �� doc �� . � � �

�� . �� , ��

�� . �� , ��

�� . �� .


��

v �� , LDAP �� SSL ��

� � �� WebSEAL �� .

amwebcfg -action config -inst_name default -host diamond.subnet2.ibm.com-listening_port 7234 -admin_id sec_master -admin_pwd mypassw0rd -ssl_yn yes-key_file /tmp/client.kdb -keyfile_pwd mypassw0rd -cert_label ibm_cert-ssl_port 636 -http_yn yes -http_port 80 -https_yn yes -https_port 443-doc_root /usr/docs

v �� , WebSEAL ��

�� LDAP �� SSL ��

�.

amwebcfg -action config -host emerald.subnet2.ibm.com -listening_port 7235-inst_name web1 -nw_interface_yn yes -ip_address 111.222.333.222-admin_id sec_master -admin_pwd mypassw0rd -http_yn yes -http_port 81-https_yn yes -https_port 444

v �� WebSEAL �� .

amwebcfg -action unconfig -admin_id sec_master -admin_pwd mypassw0rd

v �� , web1�� WebSEAL ��

��.

amwebcfg -action unconfig -inst_name web1 -admin_id sec_master-admin_pwd mypassw0rd

��

� �� .

v UNIX ��:

/opt/pdweb/bin/amwebcfg

v Windows ��:

c:\Program Files\Tivoli\pdweb\bin\

�� , � �� bin

�� (�� , install_dir\bin\).

� ��

�� .

0 �� .

1 �� .

�� , �� 16� �� (��

�, 0x15c3a00c). IBM Tivoli Access Manager Error Message Reference� �

��. � �� 10� �� 16� �� Tivoli Access Manager ��

�� .


AMWLSConfigure -action configTivoli Access Manager for WebLogic Server� ��.

��

AMWLSConfigure -act ion config -domain_admin domain_admin

-domain_admin_pwd domain_admin_password -remote_acl_user remote_acl_user

-sec_master_pwd sec_master_pwd -pdmgrd_host pdmgrd_host -pdacld_host

pdacld_host [-deploy_extension {true|false}] [-wls_server_url wls_server_url]

[-am_domain am_domain] [-pdmgrd_port pdmgrd_port] [-pdacld_port pdacld_port]

[-amwls_home amwls_home] [-verbose {true|false}]

��

-am_domain am_domain

Tivoli Access Manager �� . �� Default��

�.

-amwls_home amwls_home

Tivoli Access Manager for WebLogic Server ��

��.

-deploy_extension {true|false}

true� �� Tivoli Access Manager Web Logic Server, �� 5.1, �

�� . �� true��.

-domain_admin domain_admin

WebLogic �� .

-domain_admin_pwd domain_admin_password

WebLogic �� .

-pdacld_host pdacld_host

Tivoli Access Manager Authorization Server �� .

-pdacld_port pdacld_port

Tivoli Access Manager Authorization Server � �� . ��

� �� 7136��.

-pdmgrd_host pdmgrd_host

Tivoli Access Manager Policy Server �� .

-pdmgrd_port pdmgrd_port

Tivoli Access Manager Policy Server � �� . ��

� 7135��.


-remote_acl_user remote_acl_user

Authorization Server� � �� Tivoli Access Manager ��(��)�

��.

-sec_master_pwd sec_master_pwd

Tivoli Access Manager �� (�� sec_master)� ��.

-verbose {true|false}

true� �� . �� false��.

-wls_server_url wls_server_url

�� WebLogic Server� �� URL� ��. ��

t3://localhost:7001��.

��

� �� .

v UNIX ��:

/opt/pdwls/sbin/

v Windows ��:

C:\Program Files\Tivoli\pdwls\sbin\

�� , � ��

sbin �� (�� , install_dir\sbin\).

� ��

�� .

0 �� .

1 �� .

�� . �� IBM

Tivoli Access Manager Error Message Reference� ��.


AMWLSConfigure -action unconfigTivoli Access Manager for WebLogic Server� �� .

��

AMWLSConfigure -action unconfig -domain_admin_pwd domain_admin_pwd

-sec_master_pwd sec_master_pwd [-verbose {true|false}]

��

-domain_admin_pwd domain_admin_pwd

Tivoli Access Manager for WebLogic Server �� .

-sec_master_pwd sec_master_pwd

Tivoli Access Manager �� ( �� sec_master)� ��.



��

� �� .

v UNIX ��:

/opt/pdwls/sbin/

v Windows ��:


�� , � ��


� ��

�� .

0 �� .

1 �� .

�� . �� IBM



AMWLSConfigure -action create_realmWebLogic Server� �� .

��

AMWLSConfigure -action create_realm -realm_name realm_name

-domain_admin_pwd domain_admin_pwd -user_dn_suffix user_dn_suffix

-group_dn_suffix group_dn_suffix -admin_group admin_group [-user_dn_prefix

user_dn_prefix] [-group_dn_prefix group_dn_prefix] [-sso_enabled {true|false}]

[-sso_user sso_user] [-sso_pwd sso_pwd] [-verbose {true|false}]

��

-admin_group admin_group



WebLogic �� .

-group_dn_prefix group_dn_prefix

�� (DN) �� .

-group_dn_suffix group_dn_suffix

�� (DN) �� .

-realm_name realm_name

�� WLS �� .

-sso_enabled {true|false}

true� �� . �� false�

��.

-sso_pwd sso_pwd

�� (sso_user)� ��.

-sso_user sso_user

Tivoli Access Manager��

��.

-user_dn_prefix user_dn_prefix

�� (DN) �� .

-user_dn_suffix user_dn_suffix

�� (DN) �� .




��

� �� .

v UNIX ��:

/opt/pdwls/sbin/

v Windows ��:


�� , � ��


� ��

�� .

0 �� .

1 �� .

�� . �� IBM



AMWLSConfigure -action delete_realmWebLogic Server�� .

��

AMWLSConfigure -action delete_realm -domain_admin_pwd domain_admin_pwd

[-registry_clean {true|false}] [-verbose {true|false}]

��


WebLogic �� .

-registry_clean {true|false}

�� . �� false��.



��

� �� .

v UNIX ��:

/opt/pdwls/sbin/

v Windows ��:


�� , � ��


� ��

�� .

0 �� .

1 �� .

�� . �� IBM



amwpmcfgWeb Portal Manager� �� , �� , ��

�� .

��

amwpmcfg -action config -host policy_server_host [-port policy_server_port]

-waspath websphere_installation_path [-admin_id admin_id -admin_pwd

admin_password]

amwpmcfg -action config -interactive

amwebcfg -action config -rspfile response_file

amwebcfg -action unconfig -rspfile response_file

amwpmcfg -action unconfig [-admin_id admin_id -admin_pwd admin_password]

- ho s t po l i c y_ s e r v e r _ho s t [ - por t po l i c y_ s e r v e r _po r t ] -wa spa th

websphere_installation_path

amwpmcfg -action unconfig -interactive [-admin_id admin_id -admin_pwd

admin_password

amwpmcfg -action status [-admin_id admin_id -admin_pwd admin_password]

amwpmcfg -operations

amwpmcfg -help [options]

amwpmcfg usage

amwpmcfg -?

��

-action {config|name|status|unconfig}

�� . �� .

config Tivoli Access Manager Web Portal Manager� ��

��.

name Tivoli Access Manager Web Portal Manager ��

name �� pdconfig �� . � � pdconfig

�� . �� .

status Tivoli Access Manager Web Portal Manager� ��


�� pdconfig �� . �

� pdconfig�� . ��

��.

unconfig

Tivoli Access Manager Web Portal Manager� ��

��.

-a admin_id

�� admin_id� ��. � � ��

��.

-p password

�� admin_id� �� . � � ��

� �� . -action config �� -action unconfig � �

�� .

-host policy_server_host


host_name� �� IP �� .

��: host = libra.dallas.ibm.com

-help [option]

��

�� .

-interactive

�� Tivoli Access Manager Web Portal Manager

� �� . �� , ��

��(�) �� .

-operations

�� .

-port policy_server_port

Tivoli Access Manager Policy Server � �� . �� 7135

��.


� �� Web Portal Manager ��

� � ��. ��

��. �� . �� =� ��

�� . �� 515 �� 27 � ��

� ��.

-usage � �� . �� .


-waspath websphere_installation_path

IBM WebSphere Application Server �� .

/bin/wsadmin �� /java/jre/lib/ext/PD.jar � �

�� websphere_installation_path� �� . ��


�� .

-? � �� . �� .

��

� �� .

v UNIX ��:

/opt/PolicyDirector/sbin/

v Windows ��:

c:\Program Files\Tivoli\Policy Director\sbin\

�� , � ��


� ��

�� .

0 �� .

1 �� .

�� , �� 16� �� (��



�� .


ivrgy_tool�� LDAP �� Tivoli Access Manager �� . ��

�� Tivoli Access Manager Policy Server(pdmgrd)� ��

��. Tivoli Access Manager� � �� , � ��

�� LDAP �� Tivoli Access Manager� ��

��.

��

ivrgy_tool -h host_name -p port -D ldap_admin_dn -w ldap_admin_pwd -d [ -Z

-K ldap-ssl-key-filename -P ldap-ssl-keyfile-password [ -N ldap-ssl-keyfile-label]]

schema

��

-d �� .

-D ldap_admin_dn

LDAP �� . ��

��.

cn=root

-h host_name

LDAP �� IP �� .


��:

host = libra

host = libra.dallas.ibm.com

-K ldap-ssl-key-filename

SSL � �� . � ��

� -Z� �� . LDAP ��

�� SSL � � ��. ��

� �� .kdb��.

Windows� �� : C:\pd\keytab\ivmgrd.kdb

UNIX� �� : /opt/PolicyDirector/keytab/ivmgrd.kdb

-N ldap-ssl-keyfile-label

SSL �� LDAP ��

� ��, LDAP �� SSL � ��

�� .


� �� . � �� SSL� ��(-Z ��

�� ) LDAP ��

��.

�� Tivoli Access Manager � �� , ��

�� PDLDAP��.

-p port

LDAP �� .

port�� LDAP �� . ��

SSL(Secure Sockets Layer)� �� 636� SSL� ��

� 389��.

-P ldap-ssl-keyfile-password

SSL � �� . � �� -Z � �

�� .

�: �� SSL � �� key4ssl��.

-w ldap_admin_pwd

LDAP �� .

-Z SSL� �� .

schema

IBM Directory Server� Tivoli Access Manager ��

� � ��. �� 5.2 �� IBM Directory Server ��

�� .

Tivoli Access Manager �� . � � ��

�� LDAP �� . � �� Tivoli

Access Manager LDAP �� .

v secschema.def -- IBM Directory Server� ��.

v nsschema.def -- Sun ONE Directory Server� ��.

v novschema.def -- Novell eDirectory Server� ��.

� � Tivoli Access Manager �� , Tivoli Access Manager


�: �� IBM Directory ldapmodify �� LDIF(LDAP Data

Interchange Format) ��

��.


� ��

�� .

0 �� .

1 �� .

�� .


migrateEAR4�� (�� )�� Tivoli Access Manager for

WebSphere Application Server, �� 4.0.6�� policy ��

��.

��

migrateEAR4 -j absolute_pathname_to_application_EAR_file -c URI -a admin_ID

-p admin_pwd -w Websphere_admin_ID -d user_registry_domain_suffix [-r

root_objectspace_name] [-t ssl_timeout] [-e enterprise_application_name]

��

-a admin_ID

Tivoli Access Manager �� . � �� , ��

ACL� �� . �� , -a

sec_master��.

� �� . �� , ��

� � � �� .

-c URI

pdwascfg �� PdPerm.properties � URI(Uniform Resource

Indicator) �� . WebSphere Application Server� ��

�� URL� �� .

v AIX ��:

file:/usr/WebSphere/AppServer/java/jre/PdPerm.properties


file:/opt/WebSphere/AppServer/java/jre/PdPerm.properties

v Windows ��:

file:/c:\WebSphere\AppServer\java\jre\PdPerm.properties

-d user_registry_domain_suffix

�� . �� , LDAP ��

�� , �� .

"o=ibm,c=us"

�:

1. Windows�� .

2. pdadmin user show �� DN� �� .

-e enterprise_application_name

��


�� . � � �� ,

�� .ear �� .xml � ��

��.


�� . � �� EAR � �� . EAR �

�� , �� .


�� -e � ��.

-j path

Java 2 Enterprise Edition �� . ��

� � EAR �� .

WebSphere Application Server� �� , ��

admin.ear � �� .

v AIX ��:

/usr/WebSphere/AppServer/config/admin.ear


/opt/WebSphere/AppServer/config/admin.ear

v Windows ��:

C:\WebSphere\AppServer\config\admin.ear

-p admin_pwd

Tivoli Access Manager �� . �� , �

�� ACL� �� . �� ,

-a sec_master �� -p myPassword� �� .

� �� . �� , ��

�� .

-r root_objectspace_name

WebSphere Application Server��

�� . � ��

��. � �� WebAppServer��.

�� , ��

PDWAS.properties � �� .

�� . ��, ��

� � �� .

-t ssl_timeout


SSL �� ( )� ��. � ��

Tivoli Access Manager Authorization Server� Policy Server �� SSL ��

�� .

�� 60 ��. �� 10 ��. �� Tivoli Access Manager

ssl-v3-timeout �� . ssl-v3-timeout� �� 120

��.

� �� . � �� , ��

� �� .

-w WebSphere_admin_ID


�� . �� 250 �� WebSphere� �� Tivoli Access

Manager �� . Tivoli Access

Manager ��

��.

WebSphere �� , ��

��. � ��, �� invalid� �

��. � �� valid� ��.

�� ACL� ��. �� ACL ��

pdwas-admin�� .

v T -- Traverse ��

v i -- Invoke ��

v WebAppServer -- �� . WebAppServer� �� .

�� -r � �� (�

�� )� �� .

admin.ear � �� pdwas-admin� ��

�� .

� �� (�� )�� Tivoli Access Manager

for WebSphere� �� policy �� . � �� UNIX �

�� Windows �� .

� �� Java �� com.tivoli.pdas.migrate.Migrate� ��.

� ��

��. � �� Java� ��.

v -Dpdwas.lang.home


Tivoli Access Manager for WebSphere� � ��

� �� . � �� Tivoli Access Manager for

WebSphere �� . �� , ��

��.

-Dpdwas.lang.home=%PDWAS_HOME%\java\nls

v -cp %CLASSPATH% com.tivoli.pdwas.migrate.Migrate

CLASSPATH� Java �� .

� ��, Windows� �� -j � -c � � � %WAS_HOME% ��

WebSphere Application Server� �� . � ��

� ��.

v �� .

v PdPerm.properties � �� URL �� .

��

� �� .

v UNIX ��:

/opt/amwas/bin/

v Windows ��:

C:\Program Files\Tivoli\amwas\bin\

�� , � �� bin


� ��

�� .

0 �� .

1 �� .

�� . �� IBM



migrateEAR5�� (�� )�� Tivoli Access Manager for

WebSphere Application Server, �� 5.0.2� �� policy ��

�.

��

migra t eEAR5 - j pa t h - c URI - a adm in_ ID - p adm in_pwd -w

Websphere_admin_user -d user_registry_domain_suffix [-r root_objectspace_name]

[-t ssl_timeout] [-e enterprise_application_name]

��

-a admin_ID

�� ID� ��. �� , �� ACL� ��

� �� . �� , -a sec_master��.

� �� . �� , ��

� � � �� .

-c URI

pdwascfg �� PdPerm.properties � URI(Uniform Resource

Indicator) �� . WebSphere Application Server� ��

�� URL� �� .

v AIX ��:

file:/usr/WebSphere/AppServer/java/jre/PdPerm.properties


file:/opt/WebSphere/AppServer/java/jre/PdPerm.properties

v Windows ��:

file:/c:\WebSphere\AppServer\java\jre\PdPerm.properties

-d user_registry_domain_suffix

�� . �� , LDAP ��

�� , �� .

"o=ibm,c=us"

�:

1. Windows�� .

2. pdadmin user show �� DN� �� .

-e enterprise_application_name

��


�� . � � �� ,

�� .ear �� .xml � ��

��.


�� . � �� EAR � �� . EAR �

�� , �� .


�� -e � ��.

-j path

Java 2 Enterprise Edition ��

� ��. ��, � ��

�� . WebSphere Application Server� �� ,

�� .

v AIX ��:

/usr/WebSphere/AppServer/installedApps/cellname/adminconsole.ear/usr/WebSphere/AppServer/config/cells/cellname/admin-authz.xml/usr/WebSphere/AppServer/config/cells/cellname/naming-authz.xml


/opt/WebSphere/AppServer/installedApps/cellname/adminconsole.ear/opt/WebSphere/AppServer/config/cells/cellname/admin-authz.xml/opt/WebSphere/AppServer/config/cells/cellname/naming-authz.xml

v Windows ��:

C:\Program Files\WebSphere\AppServer\installedApps\cellname\adminconsole.earC:\Program Files\WebSphere\AppServer\config\cells\cellname\admin-authz.xmlC:\Program Files\WebSphere\AppServer\config\cells\cellname\naming-authz.xml

-p admin_pwd

Tivoli Access Manager �� . �� , �

�� ACL� �� . �� ,

-a sec_master �� -p myPassword� �� .

� �� . �� , ��

�� .

-r root_objectspace_name

WebSphere Application Server��

�� . � ��

��.

� �� WebAppServer��. ��

� �� , �� PDWAS.properties

� �� .


�� . ��, ��

�� .

-t ssl_timeout

SSL �� ( )� ��. � ��

Tivoli Access Manager Authorization Server� Policy Server �� SSL ��

�� .

�� 60 ��. �� 10 ��. �� Tivoli Access Manager

ssl-v3-timeout �� . ssl-v3-timeout� �� 120

��.

� �� . � �� , ��

� �� .

-w WebSphere_admin_user


�� . �� 250 �� WebSphere� �� Tivoli Access

Manager �� . Tivoli Access

Manager ��

�� .

WebSphere �� , ��

��. � ��, �� invalid� �

��. � �� valid� ��.

�� ACL� ��. �� ACL ��

pdwas-admin�� .

v T -- Traverse ��

v i -- Invoke ��

v WebAppServer -- �� . WebAppServer� �� .

�� -r � �� (�

�� )� �� .

� �� (�� )�� Tivoli Access Manager

for WebSphere� �� policy �� . � �� UNIX �

�� Windows �� .

� �� Java �� com.tivoli.pdas.migrate.Migrate� ��.

� ��

��. � �� Java� ��.

v -Dpdwas.lang.home



� �� . � �� Tivoli Access Manager for WebSphere

�� . �� , �� .


v -cp %CLASSPATH% com.tivoli.pdwas.migrate.Migrate

CLASSPATH� Java �� .

� ��, Windows� �� -j � -c � � � %WAS_HOME% ��

WebSphere Application Server� �� . � ��

� ��.

v �� .

v PdPerm.properties � �� URL �� .

��

� �� .

v UNIX ��:

/opt/amwas/bin/

v Windows ��:

C:\Program Files\Tivoli\amwas\bin\

�� , � �� bin


� ��

�� .

0 �� .

1 �� .

�� . �� IBM



pdbackupTivoli Access Manager �� , �� .

��

pdbackup -action backup -list path_to_list_file [-path path] [-file filename]

pdbackup -action restore -file filename [-path path]

pdbackup -action extract -file filename -path path

pdbackup -usage

pdbackup -?

��

� � � � � ��, �� .

�� , -action� � -a� �� -list� � -l� �� . ,

� �� .

-action [backup|restore|extract]

�� , �� .

-file filename

�� .

v -a backup � �� , list_filename_date.time[.tar|.dar] �

� � �� .

��

��. �� , �� .

– UNIX

/var/PolicyDirector/pdbackup/list_filename_date.time.tar

– Windows

C:\Program Files\Tivoli\PolicyDirector\pdbackup\list_filename_date.time.dar

v -a restore � �� , ��

� �� . �� . � � -a restore �

�� .

v -a extract � �� , ��

� �� . �� . � � -a extract �

�� .

-list path_to_list_file

�� (�� ASCII )� �


� �� . � � -a backup � ��

��. �� . � ��

�� .

v UNIX �� , �� .

/opt/PolicyDirector/etc/pdbackup.lst

v Windows �� , �� .

C:\Program Files\Tivoli\PolicyDirector\etc\pdbackup.lst

-path path

�� .

v -a backup � �� , � � ��

��. -a backup �� , ��

�� .

– UNIX �� , �� .

/var/PolicyDirector/pdbackup/

– Windows �� , �� .

amrte_install_dir\pdbackup\

�� amrte_install_dir� Tivoli Access Manager ��

�� .

v -a restore � �� (UNIX �� ), ��

� �� . ��

� � � �� . Windows �� , ��

�� -p � �� .

v -a extract � �� , ��

� ��. �� . -p � -a extract � ��

� �� .

-usage � �� . �� .

-? � �� . �� .

Tivoli Access Manager �� pdbackup ��

�. � �� , ��

� � ��.

� �� .

v Tivoli Access Manager Base �� , �� .

v Tivoli Access Manager WebSEAL �� , �� .


v Tivoli Access Manager Web Server �� , ��

� �� . ��, �� Tivoli

Access Manager Base �� Tivoli Access Manager �� ,

�� .


� �� -file � ��

��. � � �� . ��

�� , �� . � ��

� � �� 46� ��.

� � � Tivoli Access Manager �� pdbackup ��

� ��. -path � ��

��.

�� Tivoli Access Manager� � ��

� �� .

46. � �

Tivoli Access Manager Base

UNIX /var/PolicyDirector/pdbackup/pdbackup.lst_ddmmmyyyy.hh_mm.tar

Windows amrte_install_dir\pdbackup\pdbackup.lst_ddmmmyyyy.hh_mm.dar

Tivoli Access Manager WebSEAL

UNIX /var/pdweb/pdbackup/amwebbackup.lst_ddmmmyyyy.hh_mm.tar

Windows amrte_install_dir\PDweb\pdbackup\amwebbackup.lst_ddmmmyyyy.hh_mm.dar

Tivoli Access Manager Plug-in for Web Servers

UNIX /var/pdwebpi/pdbackup/pdwebpi.lst_ddmmmyyyy.hh_mm.tar

Windows amrte_install_dir\PDwebpi\pdbackup\pdwebpi.lst_ddmmmyyyy.hh_mm.dar

�� , UNIX� �� Tivoli Access Manager Base ��

� � � backup.lst_14Oct2003.11_22.tar��.


� �� .

� �� -file � ��

��. � � �� . ��

� � � �� , �� .

� �� 480 �� 47� ��

��.


�� -path � �� . ��

� �� , �� . �� Tivoli Access Manager

�� etc �� .

�� Tivoli Access Manager� � ��

� �� .

47. �� (pdinfo)

��

Tivoli Access Manager Base

UNIX /opt/PolicyDirector/etc/pdinfo.lst_ddmmmyyyy.hh_mm.tar

Windows C:\Program Files\Tivoli\PolicyDirector\etc\pdinfo.lst_ddmmmyyyy.hh_mm.dar

Tivoli Access Manager WebSEAL

UNIX /opt/pdweb/etc/pdinfo-amwebbackup.lst_ddmmmyyyy.hh_mm.tar

Windows C:\Program Files\Tivoli\PolicyDirector\etc\pdinfo-amwebbackup.

lst_ddmmmyyyy.hh_mm.dar

Tivoli Access Manager Plug-in for Web Servers

UNIX /opt/pdweb/etc/opt/pdwebpi/etc/pdinfo-pdwebpi.lst_ddmmmyyyy.hh_mm.tar

Windows C:\Program Files\Tivoli\PDWebpi\etc\pdinfo-pdwebpi.lst_ddmmmyyyy.

hh_mm.dar

�� , UNIX� �� Tivoli Access Manager Base ��

� � � pdinfo.lst_14Oct2003.11_22.tar��.


� �� . � � ��

� ��.

v UNIX

�� . -path� ��

�� .UNIX �� ,

�� .

v Windows

�� . -path � �� .


� �� pdbackup� ��. � ��

�� , �� .

�� -file � ��.

�� -path � ��.


�: Windows �� -a extract �� .

��

� �� .

v UNIX ��:

/opt/PolicyDirector/bin/

v Windows ��:

c:\Program Files\Tivoli\Policy Director\bin\

�� , � �� bin


��

Tivoli Access Manager Base� �

v � �� .

UNIXpdbackup -a backup -list /opt/PolicyDirector/etc/pdbackup.1st

Windowspdbackup -a backup -list installation_dir\etc\pdbackup.1st

�: pdbackup -a backup -l� � �� .

� �� .

UNIX:/var/PolicyDirector/pdbackup/pdbackup.lst_15dec2003.10_41.tar

Windows\installation_dir\pdbackup\pdbackup.lst_15dec2003.10_41.dar

v � �� . ��

� �� /var/backup ��(UNIX) �� C:\pdback(Windows)� ��

�� .

UNIXpdbackup -a backup -list /opt/PolicyDirector/etc/pdbackup.1st -p /var/backup

Windowspdbackup -a backup -list installation_dir\etc\pdbackup.1st -path c:\pdback

v � �� . ��

� �� pdarchive.tar(UNIX) �� pdarchive.dar(Windows)��

� � ��. � �� .


UNIXpdbackup -a backup -list /opt/PolicyDirector/etc/pdbackup.1st -f pdarchive

Windowspdbackup -a backup -list base_dir\etc\pdbackup.1st -f pdarchive

pdarchive � � �� (UNIX� �� .tar, Windows� �

� .dar)� ��. � � �� /var/PolicyDirector/

pdbackup(UNIX) �� installation_dir\pdbackup(Windows)� ��.

Tivoli Access Manager WebSEAL� �

v � �� .

UNIXpdbackup -a backup -list /opt/pdweb/etc/amwebbackup.1st

Windowspdbackup -a backup -list installation_dir\etc\amwebbackup.1st

� �� .

UNIX:/var/PolicyDirector/pdbackup/amwebbackup.lst_15dec2003.10_41.tar

Windows\installation_dir\pdbackup\amwebbackup.lst_15dec2003.10_41.dar

v � �� . ��


�� .

UNIXpdbackup -a backup -list /opt/pdweb/etc/amwebbackup.1st -p /var/backup

Windowspdbackup -a backup -list installation_dir\etc\amwebbackup.1st -path c:\pdback

v � �� . ��

� �� amwebarchive.tar (UNIX) or amwebarchive.dar(Windows)��

� � � � ��. � �� .

UNIXpdbackup -a backup -list /opt/pdweb/etc/amwebbackup.1st -f amwebarchive

Windowspdbackup -a backup -list base_dir\etc\amwebbackup.1st -f amwebarchive




Tivoli Access Manager Plug-in for Web Servers� �

v � �� .


UNIXpdbackup -a backup -list /opt/pdwebpi/etc/pdwebpi.lst

Windowspdbackup -a backup -list install-dir\etc\pdwebpi.lst

� �� .

UNIX:/var/PolicyDirector/pdbackup/pdinfo-pdwebpi_15dec2003.10_41.tar

Windows\installation_dir\pdbackup\pdinfo-pdwebpi_15dec2003.10_41.dar

v � �� . ��


�� .

UNIXpdbackup -a backup -list /opt/pdweb/etc/pdwebpi.lst -p /var/backup

Windowspdbackup -a backup -list installation_dir\etc\pdwebpi.lst -path c:\pdback

v � �� . ��

� �� amwebarchive.tar(UNIX) �� amwebarchive.dar(Windows)�

�� . � �� .

UNIXpdbackup -a backup -list /opt/pdweb/etc/pdwebpi.lst -f amwebarchive

Windowspdbackup -a backup -list base_dir\etc\pdwebpi.lst -f amwebarchive




Tivoli Access Manager Base� ��

v � ��

��.

UNIXpdbackup -a restore -f /var/PolicyDirector/pdbackup/pdbackup.1st_15dec2003.07_24.tar

Windowspdbackup -a restore -f base_dir\pdbackup\pdbackup.1st_15dec2003.07_24.dar

v � �� (�: /var/pdback(UNIX) ��

\pdbackup(Windows)� �� .


UNIXpdbackup -a restore -f /var/pdback/pdbackup.1st_15dec2003.07_25.tar

Windowspdbackup -a restore -f h:\pdbackup\pdbackup.1st_15dec2003.07_25.dar

v (UNIX ��) � �� /var/pdback� ��

� � �� . �� /pdtest

�� .

pdbackup -a restore -p pdtest -f /var/pdback/pdbackup.1st_15dec2003.07_25.tar

Tivoli Access Manager WebSEAL� ��

v � ��

��.

UNIXpdbackup -a restore -f /var/PolicyDirector/pdbackup/amwebbackup.1st_15dec2003.07_24.tar

Windowspdbackup -a restore -f base_dir\pdbackup\amwebbackup.1st_15dec2003.07_24.dar


� � �� . �� /amwebtest

�� .

pdbackup -a restore -p amwebtest -f /var/pdback/amwebbackup.1st_15dec2003.07_25.tar

Tivoli Access Manager Plug-in for Web Servers� ��

v � ��

��.

UNIXpdbackup -a restore -f /var/PolicyDirector/pdbackup/pdinfo-pdwebpi.lst_15dec2003.07_24.tar

Windowspdbackup -a restore -f install_directory\pdbackup\pdinfo-pdwebpi.lst_15dec2003.07_24.dar


� � �� . �� /amwebtest

�� .

pdbackup -a restore -p amwebtest -f /var/pdback/pdinfo-pdwebpi.lst_15dec2003.07_25.tar

Tivoli Access Manager Base� ��


� �� /var/pdbackup(UNIX) �� C:\pdback(Windows)��

�� pdextract�� .

UNIXpdbackup -a extract -p pdextract -f /var/pdbackup/pdbackup.1st_15dec2003.07_25.tar

Windowspdbackup -a extract -p e:\pdextract -f c:\pdback\pdbackup.1st_15dec2003.07_25.dar

pdextract �� .

Tivoli Access Manager WebSEAL� ��


�� amwebextract�� .

UNIXpdbackup -a extract -p amwebextract -f /var/pdbackup/pdbackup.1st_15dec2003.07_25.tar

Windowspdbackup -a extract -p e:\amwebextract -f c:\pdback\pdbackup.1st_15dec2003.07_25.dar

amwebextract �� .

Tivoli Access Manager Plug-in for Web Servers� ��


�� amwebextract�� .

UNIXpdbackup -a extract -p amwebextract -f /var/pdbackup/pdinfo-pdwebpi.lst_15dec2003.07_25.tar

Windowspdbackup -a extract -p e:\amwebextract -f c:\pdback\pdinfo-pdwebpi.lst_15dec2003.07_25.dar

amwebextract �� .

� ��

�� .

0 �� .

1 �� .


�� , �� 16� �� (��



�� .


pdconfigTivoli Access Manager ��

��.

��

pdconfig

��

��.

��

� �� .

v UNIX ��:


v Windows ��:

c:\Program Files\Tivoli\Policy Director\bin\

�� , � �� bin


� ��

�� .

0 �� .

1 �� .

�� , �� 16� �� (��



�� .


pdjrtecfgTivoli Access Manager Java �� . Tivoli Access Manager

Java �� Java �� Tivoli Access Manager ��

� �� .

��

pdjrtecfg -action config -host policy_server_host [-port policy_server_port]

[-java_home jre_home] [-domain domain_name] [-config_type full] [-enable_tcd

[-tcd path]]

pdjrtecfg -action config [-config_type standalone]


pdjrtecfg -action config -rspfile response_file

pdjrtecfg -action unconfig -rspfile response_file

pdjrtecfg -action unconfig [-java_home {jre_home| all}] [-remove_common_jars]

pdjrtecfg -action unconfig -interactive

pdjrtecfg -action status [-java_home jre_home]

pdjrtecfg -action name

pdjrtecfg -operations

pdjrtecfg -help [options]

pdjrtecfg -usage

pdjrtecfg -?

��

-action {config|name|status|unconfig}

�� . �� .

config Tivoli Access Manager Java ��

��.

name Tivoli Access Manager Java ��

pdconfig �� . � � pdconfig��

�. �� .

status Tivoli Access Manager Java ��


�� pdconfig �� . � � pdconfig��

��. �� .

unconfig

Tivoli Access Manager Java ��

��.

-config_type {full|standalone}

�� . �� .

full Tivoli Access Manager Java ��

�� Tivoli Access Manager Policy Server ��

�� . �� full��.

standalone

Tivoli Access Manager Java ��

�� Tivoli Access Manager Policy Server ��

�� . � �� Tivoli Access Manager

Policy �� Tivoli Access Manager Java API� ��

��.

-domain domain_name

�� Java �� . ��

�� Tivoli

Access Manager �� . � � �� , ��

�� .

-enable_tcd [-tcd path]

TCD(Tivoli Common Directory) ��

�� . TCD

� �� , �� Tivoli Access Manager ��

� �� .

-help [options]

��

�� . ��, ��

��.

-host policy_server_host



��:

host = libra

host = libra.dallas.ibm.com


-interactive

�� Tivoli Access Manager Java ��

� �� . ��

� ��, �� (�) �� .

�: Sun JRE, �� 1.4� �� pdjrtecfg -interactive(�� )�

�� pdconfig �� . ��

�� pdjrtecfg �� . Tivoli Access

Manager Java ��, �� 1.4� pdjrtecfg -interactive(�� )


-java_home jre_path

Java �� (�� , JRE� �

�� ). -java_home� �� JRE� ��. �

� �, �� .

c:\Program Files\IBM\JAVA13\JRE

�� (-action unconfig), �� JRE� �� all

� �� .

-operations

�� .

-port policy_server_port

Tivoli Access Manager Policy Server � �� . �� 7135

��.

-remove_common_jars

Tivoli Access Manager Java �� JRE� �� IBM

�� JAR � ��. -remove_common_jars � ��

�� Tivoli Access Manager Java �� JRE

� � �� JAR� �� .

�� , �� JAR �� IBM ��JAR

� �� .


� �� Java ��

� � ��. ��

��. �� . �� =� ��

�� . �� 515 �� 27 � ��

� ��.

-usage � �� . �� .

-? � �� . �� .


� �� Java ��

� �� Tivoli Access Manager Java �� .

� �� jre_home\lib\ext �� JAR � ��

�� . �� PD.jar � ��, � � �� .

�� Java �� . pdjrtecfg ��

�� JRE� � Tivoli Access Manager Java ��

��.

�: �� pdjrtecfg �� PdJrteCfg Java ��

�� .

��

1. �� Tivoli Access Manager Java �� .

pdjrtecfg -action config -host sys123.acme.com -port 7135-java_home E:\apps\IBM\Java131\jre

2. �� Tivoli Access Manager Java �� .

pdjrtecfg -action unconfig -java_home E:\apps\IBM\Java131\jre-remove_common_jars

��

� �� .

v UNIX ��:

/opt/PolicyDirector/sbin/

v Windows ��:

c:\Program Files\Tivoli\Policy Director\sbin\

�� , � ��


� ��

�� .

0 �� .

1 �� .

�� , �� 16� �� (��



�� .


pd_startUNIX �� , �� . �� .

�: Windows �� , �� .

��

pd_start start [server_name ]

pd_start stop [server_name ]

pd_start restart [server_name ]

pd_start status [server_name ]

��

restart �� Tivoli Access Manager �� .

start �� Tivoli Access Manager

�� .

status �� Tivoli Access Manager �� (��

� �� ).

stop �� Tivoli Access Manager

�� .

��

�� . UNIX �� pd_start ��

�� . � ��

� �� .

�� pd_start� �� .

��

� �� UNIX �� .


�� , � �� bin

�� (�� , install_dir/bin/).

� ��

�� .


0 �� .

1 �� .

�� , �� 16� �� (��



�� .


pdwascfgTivoli Access Manager for WebSphere Application Server� ��

��. � �� sec_master� ��

�� .

��

pdwascfg -action {configWAS4|configWAS5} -remote_acl_user user

-sec_master_pwd password -was_home was_home_dir -pdmgrd_host

policy_server_hostname -pdacld_host authorization_server_hostname[-amwas_home

amwas_install_path] [-pdmgrd_port policy_server_port] [-pdacld_port

authorization_server_port] [-embedded {true|false}] [-action_type {all|local|remote}]

[-am_domain was_domain] [-cfg_url pdjrte_config_file_URL] [-key_url

pdjrte_keystore_URL ] [-verbose {true|false}]

pdwascfg -action {unconfigWAS4|unconfigWAS5} -remote_acl_user user

-sec_master_pwd password -was_home was_install path -pdmgrd_host

policy_server_hostname -pdacld_host authorization_server_hostname

pdwascfg -help [ options]

��

-action {configWAS4|configWAS5}

� �� . Tivoli Access Manager for WebSphere

Application Server� ��.

-action {unconfigWAS4|unconfigWAS5}

� �� . Tivoli Access Manager for WebSphere

Application Server� �� .

-action_type {all|local|remote}

�� . �� all, local �� remote��.

local � �� (SvrSslCfg� �

�� ). remote � ��

(SvrSslCfg� �). �� all��.

-am_domain was_domain

Tivoli Access Manager for WebSphere� �� Tivoli Access Manager ��

� ��. �� Tivoli Access Manager �� (pdacld)� ��

� � �� Tivoli Access Manager ��

�.


-amwas_home amwas_install_path

Tivoli Access Manager for WebSphere� �� Tivoli

Access Manager for WebSphere �� . � �� -action

{configWAS4|configWAS5} �� -action {unconfigWAS4|unconfigWAS5}

� ��.

�: Tivoli Access Manager for WebSphere� ��

-amwas_home � pdwascfg �� .

-cfg_url pdjrte_config_file_url

PDJrte �� . -action_type remote �� -action_type

all � �� , � � ��

�.

-embedded {true|false}

True� �� , � �� WebSphere� � �� . �

�� false��.

-help [options]

�� . �� , �

� �� .

-key_url pdjrte_keystore_url

PDJrte � �� . -action_type remote ��

-action_type all � �� , � � ��

� ��.

-pdacld_host authorization_server_hostname

Tivoli Access Manager Authorization Server� �� . � �

�� -action {configWAS4|configWAS5} �� -action

{unconfigWAS4|unconfigWAS5} � ��.

-pdacld_port authorization_server_port

� �� Tivoli Access Manager Authorization Server

� � �� . � �� -action {configWAS4|configWAS5}

�� -action {unconfigWAS4|unconfigWAS5} � ��. �

� �� pdmgrd_port� �� .

-pdmgrd_host policy_server_hostname

Tivoli Access Manager Policy Server� �� . � ��

� -action {configWAS4|configWAS5} �� -action


-pdmgrd_port policy_server_port

� �� Tivoli Access Manager Policy Server� �


�� . � �� -action {configWAS4|configWAS5} ��

-action {unconfigWAS4|unconfigWAS5} � ��.

-remote_acl_user user

Authorization Server� �� (��)� ��. �

�� Tivoli Access Manager Authorization Server�� SSL ��

��. �� . � �� -action


� ��.

�� , -remote_acl_user pdpermadmin��.

-sec_master_pwd password

�� (�� sec_master)� �� . � �� -action


� ��.


true� �� . ��

�� . �� false��.

-was_home was_home_dir


��. � �� -action {configWAS4|configWAS5} �� -action


�� , �� .

v AIX(WAS4 � WAS5):

/usr/WebSphere/AppServer

v HP-UX, Linux �� Solaris(WAS4 � WAS5):

/opt/WebSphere/AppServer

v Windows:

WAS 4 → c:\WebSphere\AppServerWAS 5 → "c:\Program Files\WebSphere\AppServer"

pdwascfg �� UNIX �� Windows ��

�� . config ��

� �� .

v Tivoli Access Manager for WebSphere� �� WebSphere� ��.

v Java �� com.tivoli.mts.SvrSslCfg� �� Tivoli Access Manager for

WebSphere �� Policy Server � Authorization Server � � ��

SSL �� .


v �� Tivoli Access Manager for WebSphere �� ID

� ��.

� ��

��. %WAS_HOME% �� WebSphere Application Server ��

�� . %PDWAS_HOME%� Tivoli Access Manager for WebSphere

�� . pdwascfg ��

�� Java� ��.

v -Dpdwas.lang.home


� �� . � �� Tivoli Access Manager for WebSphere

�� . �� , �� .


v -Dpdwas.home

Tivoli Access Manager for WebSphere� �� (��) ��. �� , �

� ��.

-Dpdwas.home=%PDWAS_HOME%

�: � �� Tivoli Access Manager for WebSphere ��

� �� .

v -Dwas.home

WebSphere Application Server� �� (��) ��. �� , ��

��.

-Dwas.home=%WAS_HOME%

pdwascfg� � �� Java ��

java -Dpdwas.lang.home=%PDWAS_HOME%\java\nls-Dpdwas.home=%PDWAS_HOME%-Dwas.home=%WAS_HOME%PDWAScfg -action configWAS5-remote_acl_user pdpermadmin-sec_master_pwd myPassword-was_home c:\WebSphere\AppServer-pdmgrd_host pdmgrserver.mysubnet.ibm.com-pdacld_host pdacldserver.mysubnet.ibm.com

��

� �� .

v UNIX ��:

/opt/amwas/sbin/

v Windows ��:

C:\Program Files\Tivoli\amwas\sbin\


�� , � ��


� ��

�� .

0 �� .

1 �� .

�� . �� IBM



pdwebUNIX �� WebSEAL Server� ��, ��

� ��.

��

pdweb start [WebSEAL_server_instance_name ]

pdweb stop [WebSEAL_server_instance_name ]

pdweb restart [WebSEAL_server_instance_name ]

pdweb status [WebSEAL_server_instance_name ]

��

start WebSEAL Server� �� . ��

� �� . ��

��, �� .

stop WebSEAL �� . ��

�� . ��

��, �� .

restart WebSEAL Server� �� . �

�� . ��

�� , �� .

status �� WebSEAL Server� �� .

WebSEAL_server_instance_name

WebSEAL Server �� server_name-

host_name �� .

�� , WebSEAL Server� ��

server_name� default-webseald��. � � �


server_name� WebSEAL Server ��

�� -webseald� ��. �� ,

WebSEAL �� webseal2� ��,

server_name� webseal2-webseald��.

�� 20��. ��

� �� .

v �� ASCII �(A-Z �� a-z)

v � ( . )


v ��( - )

v ��( _ )

pdweb �� UNIX �� .

pdweb �� pdweb_start �� .

�: Windows �� net �� WebSEAL Server� ��

� � ��.

��

v � �� WebSEAL Server � �� .

# /usr/bin/pdweb start

v � �� .

# /usr/bin/pdweb start webseal3

v � �� WebSEAL Server �� .

# /usr/bin/pdweb restart

v � �� WebSEAL Server �� .

# /usr/bin/pdweb stop

v � �� .

# /usr/bin/pdweb stop webseal3

v � �� .

# /opt/PolicyDirector/bin/pdweb status

Access Manager �� ------------------------------------------webseald � �webseald-webseal2 � �webseald-webseal3 � �

��

� �� .

v UNIX ��:

/opt/pdweb/bin/pdweb_start

�� , � �� bin

�� (�� , install_dir/bin/).


� ��

�� .

0 �� .

1 �� .

�� , �� 16� �� (��



�� .


pdwebpiTivoli Access Manager Plug-in for Web Servers �� . ��,

Plug-in for Web Servers� ��

�� .

��

pdwebpi [-foreground] [-version]

��

-foreground

�� Plug-in for Web Servers ��

�� .

-version

Plug-in for Web Servers �� .

��

� �� .

v UNIX ��:

/opt/pdwebpi/bin/

v Windows ��:

C:\Program Files\Tivoli\pdwebpi\bin\

�� , � �� bin


� ��

�� .

0 �� .

1 �� .

�� 16� �� (��

�, 0x14c012f2). IBM Tivoli Access Manager Error Message Reference� �


�� .


pdwebpi_startUNIX �� Tivoli Access Manager Plug-in for Web Servers �� ,

�� . Plug-in for Web Servers� Tivoli Access Manager Base

�� . ��, �

� �� .

�: �� , pdwebpi_start �� Plug-in for Web Servers� Tivoli

Access Manager Base �� .

��

pdwebpi_start start

pdwebpi_start stop

pdwebpi_start restart

pdwebpi_start status

��

pdwebpi_start {start|stop|restart|status} ��,

start

UNIX �� Plug-in for Web Servers �� .

stop

UNIX �� Plug-in for Web Servers �� .

restart

UNIX �� Plug-in for Web Servers ��

�.

status

UNIX �� Plug-in for Web Servers� �� .

Windows �� Plug-in for Web

Servers �� .

��

� �� .

v UNIX ��:

/opt/pdwebpi/sbin/

v Windows ��:


C:\Program Files\Tivoli\pdwebpi\sbin\

�� , � ��


� ��

�� .

0 �� .

1 �� .


pdwpi-versionTivoli Access Manager Plug-in for Web Servers ��

� ��.

��

pdwpi-version [-h] [-V] [-l | binary [binary ... ]]

��

-h �� .

-l �� .

-V pdwpi-version �� .

binary [binary]

�� , ��

� �� .

��

� �� .

v UNIX ��:

/opt/pdwebpi/bin/

v Windows ��:


�� , � �� bin


� ��

�� .

0 �� .

1 �� .


pdwpicfg -action config

Tivoli Access Manager Plug-in for Web Servers� ��.

��

pdwpicfg -action config -admin_id admin_id -admin_pwd admin_pwd -auth_port

authorization_port_number -web_server {iis|iplanet|ihs|apache} -iis_filter {yes|no}

-web_directory server_install_directory -vhosts virtual_host_id -ssl_enable {yes|no}

-keyfile keyfile -key_pwd key_password -key_label key_label -ssl_port

ssl_port_number

pdwpicfg -action config -interactive {yes|no}

pdwpicfg -action config -rspfile response_file

pdwpicfg -operations

pdwpicfg -help [ options]

pdwpicfg -usage

pdwpicfg -?

��

-admin_id admin_id

�� ID(��, sec_master)� ��.

-admin_pwd admin_pwd

�� admin_id� �� .

-auth_port authorization_port_number

Authorization Server� � �� . �� 7237��.

-help [options]

� � � �� . �� , �

� �� .

-interactive {yes|no}

yes� ��

� �� . �� yes��.

-iis_filter {yes|no}

yes� ��, IIS(Internet Information Services) ��

�, �� IIS �� .


-keyfile keyfile

LDAP SSL � � ��. �� . ��

�� Plug-in for Web Servers� LDAP �� SSL ��

�� .

-key_label key_label

LDAP SSL � �� . �� . ��

�� Plug-in for Web Servers� LDAP �� SSL ��

�� .

-key_pwd key_password

LDAP SSL � �� .

-operations

� � � �� .


� �� Plug-in for Web Servers ��

� � ��. �� .

�� . �� =� ��

��. �� 515 �� 27 � ��

�.

-ssl_enable {yes|no}

yes� �� LDAP� SSL �� , �� LDAP� SSL

�� . �� yes��.

-ssl_port ssl_port_number

LDAP SSL �� . �� 636��.

-usage

� �� . �� .

-vhosts virtual_host_id

�� . � �� ID� � � � � �

�� . �� ID �� .

-web_directory server_install_directory

�� .

-web_server {iis|iplanet|ihs|apache}

Plug-in for Web Servers� �� . IIS(Internet

Information Services)� � iis, Sun ONE Server� � iplanet, IBM HTTP

Server� � ihs �� Apache Server� � apache� ��. �

� �� .

-? � �� . �� .


��

� �� .

v UNIX ��:

/opt/pdwebpi/bin/

v Windows ��:


�� , � �� bin


� ��

�� .

0 �� .

1 �� .

�� 16� �� (��



�� .


pdwpicfg -action unconfig

Tivoli Access Manager Plug-in for Web Servers� �� .

��

pdwpicfg -action unconfig -admin_id admin_id -admin_pwd admin_pwd -force

{yes|no} -remove {none|acls|objspace|all} -vhosts virtual_host_id

pdwpicfg -action unconfig -interactive {yes|no}

pdwpicfg -action unconfig -rspfile response_file

pdwpicfg -operations

pdwpicfg -help [ options]

pdwpicfg -usage

pdwpicfg -?

��

-admin_id admin_id

�� ID(��, sec_master)� ��.

-admin_pwd admin_pwd

�� admin_id� �� .

-force {yes|no}


�� no��.

-help [options]

� � � �� . �� , �

� �� .

-interactive {yes|no}

yes� ��

� �� . �� yes��.

-operations

� � � �� .

-remove {none|acls|objspace|all}

�� ACL ��

�� . �� none��.



� �� Plug-in for Web Servers ��

� � ��. �� .

�� . �� =� ��

��. �� 515 �� 27 � ��

�.

-usage

� �� . �� .

-vhosts virtual_host_id

�� ID� ��. � �� ID� � �

� � � �� . �� ID ��

��.

-? � �� . �� .

��

� �� .

v UNIX ��:

/opt/pdwebpi/bin/

v Windows ��:


�� , � �� bin


� ��

�� .

0 �� .

1 �� .

�� 16� �� (��



�� .


wesosmEdge Server �� Tivoli Access Manager ��

��.

��

wesosm -start [-infile input_file] [-logging [log_file] [-clean][-force [ branch]]

[-fast]

wesosm -stop [-infile input_file] [-logging [log_file] [-clean][-force [ branch]] [-fast]

wesosm -run [-infile input_file] [-logging [log_file] [-clean][-force [ branch]] [-fast]

wesosm -file [-infile input_file] [-logging [log_file] [-clean][-force [ branch]] [-fast]

wesosm -skiperrors

wesosm -verbose

��

-clean �� osdef.conf�� /ESproxy ��

�� . ��

�� ACL� �� .

-fast Tivoli Access Manager ��

��

��. Tivoli Access Manager ��

�� . �� , ��

�� ,

� �� .

-file [output_file]

��


�� , �� .

-force [branch]

��

��

��. �� , ��

�. �� .

-infile input_file

�� osdef.conf� �

�� .


-logging [log_file]

��

�� . ��

wesosm.log� ��.

-run ��

�� .

-skiperrors �� Tivoli Access Manager ��

�� . ��

� �� .

-start �� . � �� osdef.conf

��

�� . ��

�� .

-stop �� . � ��

� �� .

-verbose �� , �� , � � ��

�� .

��

� �� .

v UNIX ��:

/opt/pdweb-lite/bin/

v Windows ��:

C:\Program Files\Tivoli\pdweb-lite\bin\

�� , � �� bin


� ��

�� .

0 �� .

1 �� .

�� . �� IBM



wslstartwteEdge Server � �� UNIX� Plug-in for Edge Server�

��.

��

wslstartwte

��

��.

Windows�� Plug-in for Edge Server� �� IBM � ��

��.

��

� �� .

v UNIX ��:


v Windows ��:


�� , � �� bin


� ��

�� .

0 �� .

1 �� .

�� . �� IBM



wslstopwteUNIX �� Edge Server � �� .

��

wslstopwte

��

��.

Windows�� Plug-in for Edge Server� �� IBM � ��

��.

��

� �� .

v UNIX ��:


v Windows ��:


�� , � �� bin


� ��

�� .

0 �� .

1 �� .

�� . �� IBM



� 27 � ��


�� . ��

�� . �� .

��

� �� . ��, ��

�� .

�� .

install_amrte -options filename

�� filename� �� . �� , �� .

install_amrte -options d:\temp\response

48� �� Tivoli Access Manager Base ��

� �� . � �� IBM Tivoli

Access Manager Base CD� \rspfile �� .

48. ��

�� Tivoli Access Manager Base ��

�� .

��

Authorization Server install_amacld.options.template

Development(ADK) install_amadk.options.template

Java Runtime Environment install_amjrte.options.template

Policy Server install_ammgr.options.template

Policy proxy server install_amproxy.options.template

Runtime install_amrte.options.template

Web Portal Manager install_amwpm.options.template

IBM DB2� �� IBM Tivoli Directory Server install_ldap_server.options.template

install_db2.options.template

516 �� 49� �� Tivoli Access Manager Web Security �

�� . � �� IBM Tivoli

Access Manager Web Security CD� \rspfile �� , ��

�� Attribute Retrieval Service �� IBM Tivoli

Access Manager Attribute Retrieval Service CD� � ��.


49. ��

�� Tivoli Access Manager Web Security

�� .

��

Tivoli Access Manager for WebSphere install_amwas.options.template

WebSEAL Server install_amweb.options.template

WebSEAL Development(ADK) install_amwebadk.options.template

Attribute Retrieval Service install_amwebars.options.template

Tivoli Access Manager for WebLogic install_amwls.options.template


�� .

50. ��


Access Manager WebSEAL Server(��) amweb_config.rsp.template

Access Manager WebSEAL Server(�� ) amweb_unconfig.rsp.template

Access Manager Web Portal Manager(��) amwpmcfg.rsp.template

Access Manager Java Runtime Environment(�

�)

pdjrtecfg.rsp.template

Access Manager Policy Proxy Server(��) pdproxycfg.rsp.template

��


�� . �� 345

�� 22 � �� .

################################################################################## InstallShield Options File Template## Wizard name: Setup# Wizard source: install_ammgr_setup.jar# Created on: Thu Oct 02 17:06:17 CDT 2003# Created by: InstallShield Options File Generator# Recorded for IBM Tivoli Access Manager 5.1## This file can be used to create an options file (i.e. response file) for the# wizard "Setup". Options files are used with "-options" on the command line to# modify wizard settings.## The settings that can be specified for the wizard are listed below. To use# this template, follow these steps:## 1. Enable a setting below by removing leading ’###’ characters from the# line (search for ’###’ to find settings you can change).## 2. Specify a value for a setting by replacing the characters ’<value>’.# Read each settings documentation for information on how to specify its# value.## 3. Save the changes to the file.

��


## 4. To use the options file with the wizard, specify -options <file-name># as a command line argument to the wizard, where <file-name> is the name# of this options file.#################################################################################

################################################################################## User Input Field - regType## Enter the registry type. The valid options are: LDAP, Active Directory, or# Domino.#

### -W AMRTE_RegistryTypeUIPanel.regType="<value>"

################################################################################## Directory name## Specify the product’s installation directory.#

### -W GSKIT_DestinationPanel.productInstallLocation=<value>


### -W LDAPC_DestinationPanel.productInstallLocation=<value>


### -W AMRTE_DestinationPanel.productInstallLocation=<value>

################################################################################## User Input Field - useTcd## Enable Tivoli Common Logging (yes or no)#

### -W AM_TCDPanel.useTcd="<value>"

################################################################################## User Input Field - tcdDir

��

� 27 � �� 517

## Tivoli Common Directory - full path#

### -W AM_TCDPanel.tcdDir="<value>"

################################################################################## User Input Field - hostName## Host name of the Policy Server in the secure domain.#

### -W AMRTE_ServerOptionsUIPanel.hostName="<value>"

################################################################################## User Input Field - listeningPort## Port on which the policy server listens.#

### -W AMRTE_ServerOptionsUIPanel.listeningPort="<value>"

################################################################################## User Input Field - certFile## If the policy server allows the automatic download of the cerfificate file,# leave this option blank. Otherwise you must specify the file name here.#

### -W AMRTE_ServerOptionsUIPanel.certFile="<value>"

################################################################################## User Input Field - localDomain## Enter the local domain name. Use Default if you do not need to specify one.#

### -W AMRTE_ServerOptionsUIPanel.localDomain="<value>"

################################################################################## User Input Field - localHostName## Local host name with domain extension#

### -W AMRTE_ServerOptionsUIPanel.localHostName="<value>"

################################################################################## User Input Field - ldapHost## Host name of the IBM Directory server (LDAP)#

��


### -W AMRTE_LDAPOptionsUIPanel.ldapHost="<value>"

################################################################################## User Input Field - ldapPort## LDAP Listening Port#

### -W AMRTE_LDAPOptionsUIPanel.ldapPort="<value>"

################################################################################## User Input Field - enableSSL## Enable SSL communication with the LDAP server - yes or no#

### -W AMRTE_LDAPOptionsUIPanel.enableSSL="<value>"

################################################################################## User Input Field - multipleDomains## Use multiple domains for Active Directory configuration: 1=Yes or 0=No#

### -W AMRTE_ADServerInfoUIPanel.multipleDomains="<value>"

################################################################################## User Input Field - hostName## Active Directory host name#

### -W AMRTE_ADServerInfoUIPanel.hostName="<value>"

################################################################################## User Input Field - domainName##

### -W AMRTE_ADServerInfoUIPanel.domainName="<value>"

################################################################################## User Input Field - encryptedConnection## Enable encrypted connections with the Active Directory server: 1=Yes, 0=No#

### -W AMRTE_ADServerInfoUIPanel.encryptedConnection="<value>"

################################################################################## User Input Field - multipleDomains

��

� 27 � �� 519

## Use multiple domains for Active Directory configuration: 1=Yes or 0=No#

### -W AMRTE_ADServerInfoDifDomUIPanel.multipleDomains="<value>"

################################################################################## User Input Field - hostName## Active Directory host name#

### -W AMRTE_ADServerInfoDifDomUIPanel.hostName="<value>"

################################################################################## User Input Field - domainName## Active Directory domain name#

### -W AMRTE_ADServerInfoDifDomUIPanel.domainName="<value>"

################################################################################## User Input Field - enableSSL##

### -W AMRTE_ADServerInfoDifDomUIPanel.enableSSL="<value>"

################################################################################## User Input Field - adminId## Active Directory administrator id#

### -W AMRTE_ADAdminInfoUIPanel.adminId="<value>"

################################################################################## User Input Field - adminPwd## Active Directory administrator password#

### -W AMRTE_ADAdminInfoUIPanel.adminPwd="<value>"

################################################################################## User Input Field - sslKeyfile## Full path to the LDAP SSL client keyfile#

��


### -W AMRTE_SSLOptionsUIPanel.sslKeyfile="<value>"

################################################################################## User Input Field - sslKeyfilePassword## Password of the LDAP SSL client keyfile#

### -W AMRTE_SSLOptionsUIPanel.sslKeyfilePassword="<value>"

################################################################################## User Input Field - sslKeyfileLabel## LDAP SSL client keyfile label (DN) - only if required#

### -W AMRTE_SSLOptionsUIPanel.sslKeyfileLabel="<value>"

################################################################################## User Input Field - sslPort## LDAP SSL port number#

### -W AMRTE_SSLOptionsUIPanel.sslPort="<value>"

################################################################################## User Input Field - distName## Access Manager data location: distinguished name#

### -W AMRTE_ADDataInfoUIPanel.distName="<value>"


### -W LDAPC_DestinationPanel_AD.productInstallLocation=<value>

################################################################################## User Input Field - dominoServer## Domino server name#

��

� 27 � �� 521

### -W AMRTE_DominoUIPanel.dominoServer="<value>"

################################################################################## User Input Field - notesClientPwd## Notes client password#

### -W AMRTE_DominoUIPanel.notesClientPwd="<value>"

################################################################################## User Input Field - nabDbName## NAB database name#

### -W AMRTE_DominoUIPanel.nabDbName="<value>"

################################################################################## User Input Field - amDbName## Access Manager database name#

### -W AMRTE_DominoUIPanel.amDbName="<value>"


### -W AMMGR_DestinationPanel.productInstallLocation=<value>

################################################################################## User Input Field - secmasterPwd##

### -W AMMGR_ConfigOptions.secmasterPwd="<value>"

################################################################################## User Input Field - secmasterPwdConfirm## Re-enter the password for confirmation.#

��


### -W AMMGR_ConfigOptions.secmasterPwdConfirm="<value>"

################################################################################## User Input Field - secmasterPort##

### -W AMMGR_ConfigOptions.secmasterPort="<value>"

################################################################################## User Input Field - SSLcertlife##

### -W AMMGR_ConfigOptions.SSLcertlife="<value>"

################################################################################## User Input Field - SSLtimeout##

### -W AMMGR_ConfigOptions.SSLtimeout="<value>"

################################################################################## User Input Field - ldapadminid##

### -W AMMGR_ConfigOptions.ldapadminid="<value>"

################################################################################## User Input Field - ldapadminpwd##

### -W AMMGR_ConfigOptions.ldapadminpwd="<value>"

################################################################################## User Input Field - enableSSL## Enable SSL - 1=Yes, 0=No#

### -W AMMGR_EnableSSLUIPanel.enableSSL="<value>"

################################################################################

��

� 27 � �� 523

## User Input Field - sslKeyfile## Full path to the SSL client keyfile#

### -W AMMGR_SSLOptionsUIPanel.sslKeyfile="<value>"

################################################################################## User Input Field - sslKeyfilePassword## Password for the SSL client keyfile#

### -W AMMGR_SSLOptionsUIPanel.sslKeyfilePassword="<value>"

################################################################################## User Input Field - sslKeyfileLabel## SSL client keyfile label#

### -W AMMGR_SSLOptionsUIPanel.sslKeyfileLabel="<value>"

################################################################################## User Input Field - sslPort## SSL port number#

### -W AMMGR_SSLOptionsUIPanel.sslPort="<value>"

��


��

� �� . IBM� ��

�� , �� . �

� �� IBM ��

�. � �� IBM ��, �� IBM ��, �

�� . IBM� ��

�� , �� , ��

� � ��. �� IBM ��, ��

�� .

IBM� � ��

�� . � ��

�� . �� .

135-270

�� 467-12, ��

� ��.. ��

��

��: 080-023-8080

2��(DBCS) �� IBM ��

��

IBM World Trade Asia Corporation

Licensing

2-31 Roppongi 3-chome, Minato-ku

Tokyo 106, Japan

�� . IBM�

�� , ��

( , �� ) �� ″��

��″ ��. � ��

�� , � �� .

� �� . � �

�� , �� . IBM� � ��

�� (��) �� (��) ��

��.


� �� IBM� �� , ��

�� !�� . � ��

IBM ��

� �� .

IBM� ��

� �� .

(i) �� (� �� ) ��

(ii) ��

�� .

135-270

�� 467-12, ��

� ��.. ��

��

�� (�� , �� )� �� .

� ��

�� IBM� IBM �� , IBM �� (IPLA)

�� .

IBM �� , ��

�� . IBM�� IBM �� , �

�� , ��

�. IBM �� .

IBM� ��

��.

� ��

��. � �� , ��, � � �

�� . � � � ��

� �� .

��:

� ��

�� . ��

�� , ��, ��

�� , �

� � �� . ��

��. �� IBM� �� , ��


� �� . �� IBM� �� (API)� �

�� , ��, ��

� �� , �� .

��

�� .

© ( �� ) (��). � �� IBM Corp.� � ��

��. © Copyright IBM Corp. _��_. All rights reserved.

� ��

�.

� �� 3 ��

��. � �� .

OpenSSL�3 �� , ��

� ��, � �� 3 ��

�� IBM� ��

�� . �� , ��

� �� . ��

�� . ��

�� .

�� IBM �� IBM �� (�� ″IBM″)� ��

�� , �� 3 �� ″�� ″��, ��

�� .

v � �� ″��″ ��.

v IBM� � �� , � ��

� �� ( , ��

��) �� .

– IBM� � ��

�� .

– IBM� � �� , �� , �� , ��

�, �� .

OpenSSL: � �� OpenSSL Project (http://www.openssl.org/)� ��

�� . IBM� OpenSSL ��

�� .

�� 527

�� ==============

OpenSSL �� . �� , � �� OpenSSL�� SSLeay �� .�� . ��, � �� BSD��

Open Source ��. OpenSSL� �� [email protected].� ��.

OpenSSL ��---------------

/* ====================================================================* Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved.** Redistribution and use in source and binary forms, with or without* modification, are permitted provided that the following conditions* are met:** 1. Redistributions of source code must retain the above copyright* notice, this list of conditions and the following disclaimer.** 2. Redistributions in binary form must reproduce the above copyright* notice, this list of conditions and the following disclaimer in* the documentation and/or other materials provided with the* distribution.** 3. All advertising materials mentioning features or use of this* software must display the following acknowledgment:* "This product includes software developed by the OpenSSL Project* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"** 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to* endorse or promote products derived from this software without* prior written permission. For written permission, please contact* [email protected].** 5. Products derived from this software may not be called "OpenSSL"* nor may "OpenSSL" appear in their names without prior written* permission of the OpenSSL Project.** 6. Redistributions of any form whatsoever must retain the following* acknowledgment:* "This product includes software developed by the OpenSSL Project* for use in the OpenSSL Toolkit (http://www.openssl.org/)"** THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS’’ AND ANY* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED* OF THE POSSIBILITY OF SUCH DAMAGE.* ====================================================================** This product includes cryptographic software written by Eric Young* ([email protected]). This product includes software written by Tim* Hudson ([email protected]).**/


�� SSLeay ��

/* Copyright (C) 1995-1998 Eric Young ([email protected])* All rights reserved.** This package is an SSL implementation written* by Eric Young ([email protected]).* The implementation was written so as to conform with Netscapes SSL.** This library is free for commercial and non-commercial use as long as* the following conditions are aheared to. The following conditions* apply to all code found in this distribution, be it the RC4, RSA,* lhash, DES, etc., code; not just the SSL code. The SSL documentation* included with this distribution is covered by the same copyright terms* except that the holder is Tim Hudson ([email protected]).** Copyright remains Eric Young’s, and as such any Copyright notices in* the code are not to be removed.* If this package is used in a product, Eric Young should be given attribution* as the author of the parts of the library used.* This can be in the form of a textual message at program startup or* in documentation (online or textual) provided with the package.** Redistribution and use in source and binary forms, with or without* modification, are permitted provided that the following conditions* are met:* 1. Redistributions of source code must retain the copyright* notice, this list of conditions and the following disclaimer.* 2. Redistributions in binary form must reproduce the above copyright* notice, this list of conditions and the following disclaimer in the* documentation and/or other materials provided with the distribution.* 3. All advertising materials mentioning features or use of this software* must display the following acknowledgement:* "This product includes cryptographic software written by* Eric Young ([email protected])"* The word ’cryptographic’ can be left out if the rouines from the library* being used are not cryptographic related :-).* 4. If you include any Windows specific code (or a derivative thereof) from* the apps directory (application code) you must include an acknowledgement:* "This product includes software written by Tim Hudson ([email protected])"** THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS’’ AND* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF* SUCH DAMAGE.** The licence and distribution terms for any publically available version or* derivative of this code cannot be changed. i.e. this code cannot simply be* copied and put under another distribution licence* [including the GNU Public Licence.]*/

XML Parser Toolkit ��

Copyright © 1998, 1999, 2000 Thai Open Source Software Center Ltd

�� 529

Permission is hereby granted, free of charge, to any person obtaining a copy of

this software and associated documentation files (the ″Software″), to deal in the

Software without restriction, including without limitation the rights to use, copy,

modify, merge, publish, distribute, sublicense, and/or sell copies of the Software,

and to permit persons to whom the Software is furnished to do so, subject to

the following conditions:

The above copyright notice and this permission notice shall be included in all

copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED ″AS IS″, WITHOUT WARRANTY OF ANY

KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE

WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR

PURPOSE AND NONINFRINGEMENT.

IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE

LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER

IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,

OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR

OTHER DEALINGS IN THE SOFTWARE.

Pluggable Authentication Module ��

Copyright © 1995 by Red Hat Software, Marc Ewing Copyright (c) 1996-8,

Andrew G. Morgan <[email protected]>

All rights reserved

Redistribution and use in source and binary forms, with or without modification,

are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, and the

entire permission notice in its entirety, including the disclaimer of warranties.

2. Redistributions in binary form must reproduce the above copyright notice, this

list of conditions and the following disclaimer in the documentation and/or

other materials provided with the distribution.

3. The name of the author may not be used to endorse or promote products

derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED ″AS IS″’ AND ANY EXPRESS OR IMPLIED

WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED

WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE


LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,

EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT

LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER

IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE

OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS

SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Apache Axis ServletCopyright ©2002 The Apache Software Foundation. All rights reserved.



1. Redistributions of source code must retain the above copyright notice, this list

of conditions and the following disclaimer.




3. The end-user documentation included with the redistribution, if any, must include

the following acknowledgment: ″This product includes software developed by

the Apache Software Foundation (http://www.apache.org/).″ Alternately, this

acknowledgment may appear in the software itself, if and wherever such

third-party acknowledgments normally appear.

4. The names ″Apache Forrest″ and ″Apache Software Foundation″ must not be

used to endorse or promote products derived from this software without prior

written permission. For written permission, please contact [email protected].

5. Products derived from this software may not be called ″Apache″, nor may

″Apache″ appear in their name, without prior written permission of theApache

Software Foundation.

THIS SOFTWARE IS PROVIDED ``AS IS’’ AND ANY EXPRESSED OR

IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A

PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE

APACHE SOFTWARE FOUNDATION OR ITS CONTRIBUTORS BE LIABLE

FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR

CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,

PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,

�� 531

DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED

AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN

IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This software consists of voluntary contributions made by many individuals on

behalf of the Apache Software Foundation. For more information on the Apache

Software Foundation, please see http://www.apache.org/.

JArgs command line option parsing suite for JavaCopyright ©2001, Stephen Purcell All rights reserved.








3. Neither the name of the copyright holder nor the names of its contributors

may be used to endorse or promote products derived from this software without

specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND

CONTRIBUTORS ″AS IS″ AND ANY EXPRESS OR IMPLIED WARRANTIES,

INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF

MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE

DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS

BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,

EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT

LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER

IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE

OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS

SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.


Java DOM ��

Copyright © 2000-2002 Brett McLaughlin & Jason Hunter. All rights

reserved.Redistribution and use in source and binary forms, with or without

modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this

list of conditions, and the following disclaimer.


list of conditions, and the disclaimer that follows these conditions in the

documentation and/or other materials provided with the distribution.

3. The name ″JDOM″ must not be used to endorse or promote products derived

from this software without prior written permission. For written permission,

please contact [email protected].

4. Products derived from this software may not be called ″JDOM″, nor may

″JDOM″ appear in their name, without prior written permission from the JDOM

Project Management ([email protected]).

5. In addition, we request (but do not require) that you include in the end-user

documentation provided with the redistribution and/or in the software itself an

acknowledgement equivalent to the following: ″This product includes software

developed by the JDOM Project (http://www.jdom.org/).″

6. In addition, we request (but do not require) that you include in the end-user

documentation provided with the redistribution and/or in the software itself an

acknowledgement equivalent to the following: ″This product includes software

developed by the JDOM Project (http://www.jdom.org/).″ Alternatively, the

acknowledgment may be graphical using the logos available at

http://www.jdom.org/images/logos.

THIS SOFTWARE IS PROVIDED ``AS IS’’ AND ANY EXPRESSED OR




JDOM AUTHORS OR THE PROJECT CONTRIBUTORS BE LIABLE FOR ANY

DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR






�� 533



This software consists of voluntary contributions made by many individuals on

behalf of the JDOM Project and was originally created by Brett McLaughlin

([email protected]) and Jason Hunter ([email protected]). For more information on

the JDOM Project, please see http://www.jdom.org/.

Alfalfa SoftwareCopyright for Alfalfa Software Copyright 1990, by Alfalfa Software Incorporated,

Cambridge, Massachusetts.

All Rights Reserved

Permission to use, copy, modify, and distribute this software and its documentation

for any purpose and without fee is hereby granted, provided that the above copyright

notice appear in all copies and that both that copyright notice and this permission

notice appear in supporting documentation, and that Alfalfa’s name not be used

in advertising or publicity pertaining to distribution of the software without specific,

written prior permission.

ALFALFA DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS

S O F T W A R E , I N C L U D I N G A L L I M P L I E D W A R R A N T I E S O F

MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL ALFALFA BE

LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES

OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE,

DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,

NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

KerberosCopyright for IBM Kerberos

Copyright (C) 1985-2001 by the Massachusetts Institute of Technology.

All rights reserved.

Export of this software from the United States of America may require a specific

license from the United States Government. It is the responsibility of any person

or organization contemplating export to obtain such a license before exporting.


WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute

this software and its documentation for any purpose and without fee is hereby

granted, provided that the above copyright notice appear in all copies and that

both that copyright notice and this permission notice appear in supporting

documentation, and that the name of M.I.T. not be used in advertising or publicity

pertaining to distribution of the software without specific, written prior permission.

Furthermore if you modify this software you must label your software as modified

software and not distribute it in such a fashion that it might be confused with

the original MIT software. M.I.T. makes no representations about the suitability

of this software for any purpose. It is provided ″as is″ without express or implied

warranty.

THIS SOFTWARE IS PROVIDED ``AS IS’’ AND WITHOUT ANY EXPRESS

OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE


PARTICULAR PURPOSE.

Individual source code files are copyright MIT, Cygnus Support, OpenVision, Oracle,

Sun Soft, FundsXpress, and others.

Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira, and

Zephyr are trademarks of the Massachusetts Institute of Technology (MIT). No

commercial use of these trademarks may be made without prior written permission

of MIT.

″Commercial use″ means use of a name in a product or other for-profit manner.

It does NOT prevent a commercial firm from referring to the MIT trademarks

in order to convey information (although in doing so, recognition of their trademark

status should be given).

InfoZipCopyright for InfoZip

Copyright (c) 1990-2002 Info-ZIP. All rights reserved.

For the purposes of this copyright and license, ″Info-ZIP″ is defined as the following

set of individuals: Mark Adler, John Bush, Karl Davis, Harald Denker, Jean-Michel

Dubois, Jean-loup Gailly, Hunter Goatley, Ian Gorman, Chris Herborth, Dirk Haase,

Greg Hartwig, Robert Heath, Jonathan Hudson, Paul Kienitz, David Kirschbaum,

Johnny Lee, Onno van der Linden, Igor Mandrichenko, Steve P. Miller, Sergio

�� 535

Monesi, Keith Owens, George Petrov, Greg Roelofs, Kai Uwe Rommel, Steve

Salisbury, Dave Smith, Christian Spieler, Antoine Verheijen, Paul von Behren, Rich

Wales, Mike White

This software is provided ″as is,″ without warranty of any kind, express or implied.

In no event shall Info-ZIP or its contributors be held liable for any direct, indirect,

incidental, special or consequential damages arising out of the use of or inability

to use this software.

Permission is granted to anyone to use this software for any purpose, including

commercial applications, and to alter it and redistribute it freely, subject to the

following restrictions:

1. Redistributions of source code must retain the above copyright notice, definition,

disclaimer, and this list of conditions.

2. Redistributions in binary form (compiled executables) must reproduce the above

copyright notice, definition, disclaimer, and this list of conditions in

documentation and/or other materials provided with the distribution. The sole

exception to this condition is redistribution of a standard UnZipSFX binary

as part of a self-extracting archive; that is permitted without inclusion of this

license, as long as the normal UnZipSFX banner has not been removed from

the binary or disabled.

3. Altered versions--including, but not limited to, ports to new operating systems,

existing ports with new graphical interfaces, and dynamic, shared, or static

library versions--must be plainly marked as such and must not be misrepresented

as being the original source. Such altered versions also must not be

misrepresented as being Info-ZIP releases--including, but not limited to, labeling

of the altered versions with the names ″Info-ZIP″ (or any variation thereof,

including, but not limited to, different capitalizations), ″Pocket UnZip,″ ″WiZ,″

or ″MacZip″ without the explicit permission of Info-ZIP. Such altered versions

are further prohibited from misrepresentative use of the Zip-Bugs or Info-ZIP

e-mail addresses or of the Info-ZIP URL(s).

4. Info-ZIP retains the right to use the names ″Info-ZIP,″ ″Zip,″ ″UnZip,″

″UnZipSFX,″ ″WiZ,″ ″Pocket UnZip,″ ″Pocket Zip,″ and ″MacZip″ for its own

source and binary releases.

gSOAPPart of the software embedded in this product is gSOAP software.


Portions created by gSOAP are Copyright (C) 2001-2003 Robert A. van Engelen,

Genivia inc. All Rights Reserved.

THE SOFTWARE IN THIS PRODUCT WAS IN PART PROVIDED BY GSOAP

SOFTWARE AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING,

B U T N O T L I M I T E D T O , T H E I M P L I E D W A R R A N T I E S O F

MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE

DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR








gSOAP source code is available under the terms of the gSOAP Public License

and is available at http://gsoap2.sourceforge.net.

A copy of the license is available at http://www.cs.fsu.edu/~engelen/soaplicense.html

Any terms in the IBM Tivoli Access Manager for e-business license that differ

from the gSOAP license are offered by IBM and not offered by the Initial

Developer or any Contributor originator of the gSOAP source code.

Apache SoftwareApache ��

�� Apache Xalan, Xerces, FOP � Log4J Library� ��, � �

�� .

The Apache Software License, Version 1.1 Copyright (c) 1999 The Apache Software

Foundation. All rights reserved. Redistribution and use in source and binary forms,

with or without modification, are permitted provided that the following conditions

are met:






�� 537

3. The end-user documentation included with the redistribution, if any, must include

the following acknowledgment: ″This product includes software developed by

the Apache Software Foundation (http://www.apache.org/).″ Alternately, this

acknowledgment may appear in the software itself, if and wherever such

third-party acknowledgments normally appear.

4. The names ″Xerces″ and ″Apache Software Foundation″ must not be used to

endorse or promote products derived from this software without prior written

permission. For written permission, please contact [email protected].

5. Products derived from this software may not be called ″Apache″, nor may

″Apache″ appear in their name, without prior written permission of the Apache

Software Foundation.

THIS SOFTWARE IS PROVIDED ″AS IS″ AND ANY EXPRESSED OR




APACHE SOFTWARE FOUNDATION OR ITS CONTRIBUTORS BE LIABLE

FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR








��

�� IBM Corporation� � ��

� ��.

AIX

DB2

IBM

IBM �

J2EE

Lotus

NotesMVS

OS/390

SecureWayTivoli


Tivoli �

Universal Database

WebSphere

zSeries

z/OS

Java � �� Java �� Sun

Microsystems,Inc� � �� .

Microsoft, Windows, Windows NT � Windows ��

�� Microsoft Corporation� � ��. Java � �� Java ��

�� Sun Microsystems,Inc� � ��

� ��.

UNIX� �� Open Group� �� .

�� , �� .

�� 539

��

�

�� (virtual hosting). ��

�� .

� �(private key). ��

�� . �� .

�� (public key). ��

� �� . �� .

�� (management domain). Tivoli Access Manager

� ��, �� policy� ��

�� . � �� Policy Server� ��

��. ��(domain) ��.

�� (management server). � �� .

Policy Server ��.

�� (administration service). Tivoli Access Manager

� ��

� � �� API �� . ��

��

�� pdadmin ��

� ��. � �� ADK� ��

�� .

�� (distinguished name:DN). ��

�� . �� :�� , �

� � ��.

��(configuration). (1) ��

�� . (2) ��, ��

� �� , �� .

�� (authorization rule). �(rule) ��.

�� (authorization service plug-in). �� API

�� ,

�� Tivoli Access Manager �� API ��

�� (DLL �

� �� ). ��

��, �� , �� , �� PAC ��

�� . � �� ADK� ��

�� .

�� (entitlement service). ��

�� API

�� . ��

��

��

��. � �� ADK� ��

��.

�� (credentials modification service).


�� API �� . � ��

��

� �� , ��

�� .

�� (credentials). �� , ��

, �� ID �� .

�� , ��

� �� .

��(authorization). (1) ��

� �� . (2) �

��, � ��

�� .

��(entitlement). �� policy ��

� ��. ��

�� policy �� .

��(permission). ��

�� . ��

ACL(Access Control List)�� . ACL(Access Control

List) ��.

�� (basic authentication). ��

� � �� , ��

� �� .


�

�� (network-based authentication). ��

� IP(Internet Protocol) ��

�� policy(POP). POP(Protect Object Policy)

��.

�

�� (multi-factor authentication). ��

��

�� policy(POP). �� , ��

�� /�� /��

� �� . POP(Protected Object Policy) ��.

�� (step-up authentication). ��

� �� , �� policy ��

�� policy(POP). ��

POP� ��

�� , ��

�� policy�� .

�� (domain name). ��

�� . ��

� ��. �� , ��

� (FQDN)� as400.rchland.vnet.ibm.com ��, ��

� �� . as400. rchland .vnet . ibm.com,

vnet.ibm.com, ibm.com.

��(domain). (1) ��

�� , �� . (2) �

� � �� .

�� (domain name) ��.

�� (directory schema). ��

� �� . ��

� �� (�� , ��

��, �� )�

��.

��(daemon). ��

�� .

� �� ,

�� .

�� (digital signature). e-commerce��

� �� , �

� � ��

�� .

�

�� (routing file). ��

�� ASCII .

��(run time). �� . ��

�� .

��(registry). ��, ��

�� .

�(rule). �� (�� )� ��

� ��

� �� .

�

��(migration). ��

�� .

��(metadata). ��

.

�(bind). ID� ��

�. �� , ID� �, �� ID� ��, ��

�� .

� ��(security management). ��

� � ��

�� .

�� (quality of protection). ��, ��

� �� .

�� (protected object space). ACL � POP

� ��

� �� . ��

(protected object) � POP(Protect Object Policy) ��.

�� (protected object). ACL � POP� ��

��


�� . POP(Protect Object Policy) � ��

�� (protected object space) ��.

��(replica). �� .

��

�� .

��(blade). ��

�� .

�� (business entitlement). ��

��

� �� .

�

�� (user registry). ��(registry) ��.

��(user). �� , �, ��, ��, ��,

��

�, �, ��, ��, ��, �� .

��(service). �� . ��

�� ( ��, HTTP �

�, � �� ), � ��

� �� .

�� (attribute list). ��

� �� . �� = � �

� ��.

��(schema). ��

� ��, �� . ��

�� , � �� , ��

�� .

�� (trusted root). SSL(Secure Sockets Layer)

�� CA(Certificate Authority)� ��

.

�

��(encryption). ��

� ��

� ��.

��(cipher). �� (�� )�

� �� .

� � ��(access permission). ��

�� .

� � ��(access control). ��

��

�� .

�� (role assignment). ��

�� , ��

�� .

�� (role activation). ��

��.

��(connection). (1) ��

�� . (2) TCP/IP��

� ��

�� . �� TCP ��

�� TCP �� .

(3) ��

�� .

�� (external authorization service). Tivoli

Access Manager ��

� �� API ��

��. � �� ADK� ��

� ��.

�� (response file). ��

�� , ��

� �� .

�(certificate). ��

� ID� ��

� ��. �� CA(Certificate Authority)�� .

(authentication). (1) �� ID ��

�� . (2) ��

� �� . (3) �

��

� �� . �� , ��

(authentication) � �� (authentication) ��.

�� (Internet suite of protocols). ��

�� IETF(Internet Engineering Task Force)

� � RFC(Requests for Comment)� �� .

�� 543

�

�� (silent installation). ��

�� . ��

�� .

�� (response file) ��.

�� (resource object). ��, � ��

�� .

�� (self-registration). ��

� � �� Tivoli Access Manager �

�� .

��(suffix). ��

�� . LDAP(Lightweight Directory

Access Protocol)�� ,

� ��

��. ��

�� .

��(action). ACL(Access Control List) �� .

ACL(Access Control List) ��.

�

�� (container object). ��

�� region� �� .

��(cookie). ��

�� . ��

�� .

�� (scalability). ��

�� .

� �� (key database file). � �(key ring) �

�.

� �(key ring). �� , �� , ��

� � � �� .

� �(key pair). �� . ��

�� , ��

� ��, ��

��. �� , ��

�� , ��

� �� .

� ��(key file). � �(key ring) ��.

�(key). ��

�� . ��

��.

�

��(token). (1) �� !��

� ��

�� . ��

�� . ��

�� . (2) ��

��!(LAN)��

� ��. �� , � ��

��.

�

(portal). �� , ��

�� (�: ��, �� )� �

� �� .

��(polling). ��

�� .

�

��(host). ��(�: �� SNA ��)� �

�� .

��

�� . �� , ��

�� .

A

ACL. ACL(Access Control List) ��.

ACL(Access Control List). ��

�� ,

�� . �� , ACL� � ��

� �� , � � � ��

� �� , �� .

B

BA. �� (basic authentication) ��.


C

CA. CA(Certificate Authority) ��.

CA(Certificate Authority). �� .

CA(Certificate Authority)� �� ID� � ��

�� , � �� , � �

�� , ��

� �� .

CDAS. CDAS(Cross Domain Authentication Service) ��.

CDAS(Cross Domain Authentication Service). ��

WebSEAL �� , Tivoli Access Manager ID�

WebSEAL� ��

�� WebSEAL ��.

WebSEAL ��.

CDMF. CDMF(Cross Domain Mapping Framework) ��.

CDMF(Cross Domain Mapping Framework). ��

WebSEA e-Community SSO �� ID �

� � ��

�� .

CGI. CGI(Common Cateway Interface) ��.

CGI(Common Cateway Interface). HTTP ��

��

� �� . �� . CGI ��

�� Perl �� CGI ��

�.

D

DN. �� (distinguished name:DN) ��.

E

EAS. ��

F

FTP(File Transfer Protocol). ��

�� TCP�

Telnet �� .

G

GSO. GSO(Global Signon) ��.

GSO(Global Signon). ��

� ��

�� . ��

��

��. ��

��

� GSO� ��

�� . GSO(Global Signon) ��.

H

HTTP. HTTP(Hypertext Transfer Protocol) ��.

HTTP(Hypertext Transfer Protocol). ��

� ��

��.

I

IP. IP(Internet Protocol) ��.

IPC. IPC(Interprocess Communication) ��.

IPC(Interprocess Communication). (1) ��

�� . ��, ��

� �� . (2) �

��

� �� .

IP(Internet Protocol). ��

��

� ��

��.

J

junction. �� WebSEAL Server� ��

�� HTTP �� HTTPS ��. WebSEAL�

junction� ��

��.

�� 545

L

LDAP. LDAP(Lightweight Directory Access Protocol) ��.

LDAP(Lightweight Directory Access Protocol). (a) X.500

��

� TCP/IP� ��, (b) � �� X.500 DAP(Directory

Access Protocol)� � �� .

LDAP� �� (��

�� )� �� (�: � ��

��, �� ) ��

� �� . LDAP� �

� RFC 1777� �� . LDAP �� 3� RFC

2251� �� , IETF� ��

�� . IETF�� LDAP� � �

�� RFC 2256�� .

LTPA. LTPA(Lightweight Third Party Authentication) ��.

LTPA(Lightweight Third Party Authentication). ��

��

�� .

M

MPA(Multiplexing Proxy Agent). ��

� �� . � ��

WAP� �� , WAP(Wireless

Access Protocol) �� . ��

�� , ��

�� .

P

PAC. PAC(Privilege Attribute Certificate) ��.

PAC ��(privilege attribute certificate service). ��

�� PAC� Tivoli Access Manager �� , �

� � �� API �� .

��


�� . � �� ADK� ��

� �� . PAC(Privilege Attribute

Certificate) ��.

PAC(Privilege Attribute Certificate). ��(��)� �

� ��

�.

policy. �� .

Policy Server. ��

� �� Tivoli Access Manager ��.

POP. POP(Protect Object Policy) ��.

POP(Protect Object Policy). ��

�� ACL policy� ��

� policy ��. POP ��

��. ACL(Access Control List), �� (protected

object) � �� (protected object space) ��.

R

RSA ��(RSA encryption). ��

� � �� . 1977� Ron Rivest, Adi Shamir �

Leonard Adleman� � �� . � �

� � �� !� �� , ��

�� .

S

SSL. SSL(Secure Sockets Layer) ��.

SSL(Secure Sockets Layer). ��

� ��. SSL� ��/�� , ��

� ��

�� . SSL� Netscape Communications Corp.� RSA

Data Security, Inc.�� .

SSO. SSO(Single Signon) ��.

SSO(Single Signon). ��

��

� �� . GSO(Global Signon) ��

U

URI. URI(Uniform Resource Identifier) ��.

URI(Uniform Resource Identifier). � � (��

� ), � ��(�� ) �

� �� (HTTP� �� )� ��


�� . URI� � ��

�� , � URL� ��.

URL. URL(Uniform Resource Locator) ��.

URL(Uniform Resource Locator). ��

�� . � � ��

�� (a) ��

�� (b) ��

�� . �� , ��

� ��

��(�: http, ftp, gopher, telnet, news). IBM � ��

� URL� http://www.ibm.com��.

W

WebSEAL. Tivoli Access Manager ��. WebSEAL�


�� . WebSEAL� ��

� �� policy� ��

� � ��.

WPM. WPM(Web Portal Manager) ��.

WPM(Web Portal Manager). �� Tivoli Access

Manager Base � WebSEAL �� policy� ��

�� . pdadmin ��

�� , � GUI� ��

� �, ��

� �� .

�� 547

��

��

�� 8

�� 5

�� 3

�� 22

�� 12

ADK 6

AM for WebLogic Server 9

AM for WebSphere 9

Attribute Retrieval Service 9

Authorization Server 6

GSKit 11

IBM JRE 11

IBM Tivoli Directory Client 11

IBM Tivoli Directory Server 12

Java Runtime Environment 6

Plug-in for Web Servers 10

Policy Proxy Server 7

Policy Server 7

provisioning fast start 8

Web Portal Manager 8

Web Security Runtime 10

WebSEAL 10

WebSEAL ADK 10

WebSphere Application Server 12

�� 394

�� 395, 415

�� xviii

��

�� 322

��

� 195

� 188


��

Authorization Server 385, 391

Policy Server 389

WebSEAL Server 392

��

�� 11

�� 6

�� 12

�� (��)

Base 6

Web Security 9

��

AIX 319

��

Solaris�� 324

Tivoli Access Manager 322

Windows�� 325

�� , Windows 50

�� ADK

�� 322

��, �� 395, 415

�� 477

�� 477

�� 477

��, �� 5

�� 30, 31, 32

��

� 8

��

Solaris�� 324

Windows�� 325

��

�� 17

�� 17

��, �� 25

�� 52

��

UNIX 51

Windows 51

��, ��

�� 22

��

�� 257, 259


�� (��)

� �� 257, 259

�� 30, 31, 32

��

�� 52

� �� 52

��, �� 22

��

�� 4

�� 4

��

�� 50

LANG

UNIX 51

Windows 51

NLSPATH

�� 52

��, �� 52

�� , � 5

�� 190

�� 11

��

��

�� 412, 417

�� 188

�� 393, 414

�� 393

�� 408, 409

��, �� 6, 9

�� 218

� 3

�� 1

�� 6

�� 6, 9

�� 22

�� 45, 47

�� 23

�� 23

�� JRE

AIX� 295

Solaris� 297

Windows� 297

�� (��)

AIX 218

GSKit

AIX� 285

Solaris� 287

Windows� 288

IBM Tivoli Directory Client

AIX� 291

Solaris� 293

Windows� 293


Solaris� 64, 68

Windows� 71

Java Runtime Environment

Solaris� 135

Windows� 136


Solaris� 111, 120, 144, 151

WebSphere Application Server

AIX� 299

�� 1

��

� 22

� 22

install_ampfs 23

��

�� 49

�� 25

�� 30, 31, 32

�� 40

�� 26

�� 25

�� 33

�� 33

Active Directory 29


IBM z/OS Security Server LDAP Server 28

iPlanet Directory 29

Lotus Domino 29

Novell eDirectory 30

OS/390� IBM Security Server 28

Sun ONE Directory 29

��, �� 12

�� 194

�� , �� 50


��

� 44

�� 50

�� , �� 52

��

UNIX 51

Windows 51

�� 52

�� 53

�� , �� 45, 47

�� , �� 49

�� 40

��, �� 33

�� 25

� ��, �� 33

��

� 23

��

� 12

�� , �� 26

��

AMWLSConfigure -action config 457

AMWLSConfigure -action create_realm 460

AMWLSConfigure -action delete realm 462

AMWLSConfigure -action unconfig 459

amwpmcfg 463

ivrgy_tool 466

migrateEAR4 469

migrateEAR5 473

pdbackup 477

pdconfig 487

pdinfo(�� ) 477

pdinfo(�� ), pdbackup �� 477

pdjrtecfg 488

pdwascfg 494

pdweb 451, 499

pdwebpi 502

pdwebpi_start 503

pdweb_start 500

pdwpicfg -action config 506

pdwpicfg -action unconfig 509

pdwpi-version 505

pd_start 492

wesosm 511

wslstartwte 513

wslstopwte 514

��

�� 394, 395

�� (��)

�� 395

�� 393

�� 393, 414

��

�� 415

�� 415

�� 408, 409

� �� 396, 416

�� 43

�� 50

�� 52

�� 52

�� 47, 49

�� 44

�� 53

� �� 396, 416

� �� 396, 416

� �� 396, 416

�� 81

��

�� 322

�� 25

�� 12

�� , �� 33

��, �� 41

��

�� 53

�� 53

� �� 394, 411, 414

��

�� 53

��, Tivoli Identity Manager 8

��

� �� 411, 414

� �� (.kdb) 395

�� 551

(��)

� ��(.kdb) 394

gsk7ikm.exe 395, 411, 414, 416

��, �� 33

��

AIX�� 321

��, �� 23

��, �� 12

�� 12

�� 33

�� 41

��, � 40

AActive Directory, �� 29

ADK

��

Solaris�� 324

Windows�� 325

AIX

�� 319

�� 218

�� JRE 295

GSKit 285


WebSphere Application Server 299

�� 321

AM for WebLogic Server

� 9

AM for WebSphere

� 9

AMWLSConfigure -action config 457

AMWLSConfigure -action create_realm 460

AMWLSConfigure -action delete realm 462

AMWLSConfigure -action unconfig 459

amwpmcfg �� 463

Attribute Retrieval Service

� 9

�� 18

�� 18

Authorization Server

� 6

�� 385, 391

Authorization Server (��)

��

Solaris� 111, 120, 144, 151

�� 322

Solaris�� 324

Windows�� 325

�� 14

�� 14

BBase, �� 6

CCLASSPATH

startWebLogic� �� 228

DDevelopment(ADK) ��

�� 14

�� 14

GGlobal Security Kit

�� 322

GSKit� ��. 11

gsk7ikm 395, 411, 414, 416

GSKit

� 11

��

AIX� 285

Solaris� 287

Windows� 288

��

Solaris�� 324

Windows�� 325

HHP-UX

��

GSKit 286


Tivoli Access Manager �� 108, 117, 125, 141, 149


IIBM JRE

� 11


��

�� 76

��

�� 322

IBM Tivoli Directory Client

� 11

��

AIX� 291

Solaris� 293

Windows� 293

��

Solaris�� 324

uninstalling

Windows�� 325


� 12

��

Solaris� 64, 68

Windows� 71

�� 15

�� 15

IBM Tivoli Directory Server, �� 25

IBM z/OS Security Server LDAP Server, �� 28

iKeyman � ��

� �� 411

SSL �� 394

installp 218

install_ampfs 23

iPlanet Directory Server

�� 99

iPlanet Directory, �� 29

ivrgy_tool �� 466

JJava Runtime Environment

� 6

��

AIX� 295

Solaris� 135

Windows� 136

��

Solaris�� 324

Java Runtime Environment (��)

�� (��)

Windows�� 325

�� 15

�� 15

JRE(Java Runtime Environment)

IBM JRE �� 11

Junction

�� 234

LLANG ��

�� 50

UNIX 51

Windows 51

LDAP ��

SSL �� 397

Lotus Domino, �� 29

MmigrateEAR4 �� 469

migrateEAR5 �� 473

NNLSPATH ��

�� 52

Novell eDirectory, �� 30

OOS/390� IBM Security Server, �� 28

Ppdbackup �� 477

pdconfig �� 487

pdinfo ��(�� ) 477

pdinfo ��(�� )

pdbackup �� command 477

pdjrtecfg

Java �� 488

pdwascfg �� 494

pdwas_migrate.log 257, 259

pdweb �� 451, 499

pdwebpi 502

�� 553

pdwebpi_start 503

pdweb_start �� 500

pdwpicfg -action config 506

pdwpicfg -action unconfig 509

pdwpi-version 505

pd_start �� 492

plug-in for Apache Web Server

�� 20

�� 20

plug-in for Edge Server

�� 20

�� 20

plug-in for IBM HTTP Server

�� 21

�� 21

plug-in for IIS

�� 21

�� 21

plug-in for Sun ONE Web Server

�� 21

�� 21

Plug-in for Web Servers

� 10

Policy Proxy Server

� 7

��

Solaris�� 324

Solaris� �� 111, 120, 144, 151

Policy proxy server

�� 16

�� 16

Policy Server

� 7

�� 389

�� 16

�� 16

provisioning fast start, � 8

RRuntime Environment

�� 322

SsecAuthority=Default 81, 102

Solaris

�� 324

Solaris (��)

��

GSKit 287


IBM Tivoli Directory Server 64, 68


Tivoli Access Manager �� 111, 120, 128, 144, 151

�� JRE �� 297

SSL(Secure Sockets Layer)

�� 393

�� 404, 413, 418

LDAP �� 397

startWebLogic, � �� CLASSPATH �� 228

Sun ONE Directory Server

�� 99

Sun ONE Directory, �� 29

TTivoli Access Manager ADK

� 6

Tivoli Access Manager for WebLogic

�� 19

�� 19


�� 20

�� 20

Tivoli Access Manager �� 12

Tivoli Access Manager �� 12

Tivoli Identity Manager �� 8

UUnicode 53

UNIX

�� 51

UTF-8 �� 53

WWAS_HOME

�� 256, 257

Web Portal Manager

� 8

�� 17

�� 17

amwpmcfg �� 463


Web Security Runtime

� 10

Web Security, �� 9

WebSEAL

� 10

�� 234

WebSEAL ADK

� 10

WebSEAL Development(ADK)

�� 19

�� 19

WebSEAL Junction

�� 234

WebSEAL Server

�� 392

�� 19

�� 19

WebSphere Application Server

� 12

wesosm �� 511

Windows

�� 325

��

�� JRE 297

GSKit 288




�� 51

wslstartwte �� 513

wslstopwte �� 514

� ��.kdb 395

�� 555

��

Printed in Denmark by IBM Danmark A/S

SA30-2208-00

IBM€¦ · Novell eDirectory ................................30 ............................30...

Documents

Transcript of IBM€¦ · Novell eDirectory ................................30 ............................30...