IBM Tivoli Access Manager for Linux on zSeries
Installation Guide
Version 3.9
GC23-4796-00


Note: Before using this information and the product it supports, read the information in “Notices” on page 49.

First Edition (April 2002)

© Copyright Sun Microsystems, Inc. 1999

© Copyright International Business Machines Corporation 2001, 2002. All rights reserved. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Preface  v
  Who should read this book  v
  What this book contains  v
  Publications  v
    IBM Tivoli Access Manager  vi
      Release information  vi
      Base information  vi
      WebSEAL information  vi
      Developer references  vii
      Technical supplements  vii
    Related publications  viii
      IBM DB2 Universal Database  viii
      IBM Global Security Toolkit  viii
      IBM SecureWay Directory  viii
    Accessing publications online  ix
    Ordering publications  ix
    Providing feedback about publications  ix
  Accessibility  ix
  Contacting customer support  x
  Conventions used in this book  x
    Typeface conventions  x

Chapter 1. Installation overview  1
  Planning for deployment  1
  Secure domain overview  2
  Installation components  3
    Access Manager runtime  3
    Application development kit  3
    Authorization server  3
    IBM Global Security Toolkit  3
    IBM SecureWay Directory client  3
    Policy server  3
  System requirements  4
    Supported operating system  4
    Supported user registry  4
      IBM SecureWay Directory server  4
      OS/390 Security Server  5
      z/OS Security Server  5
    IBM Global Security Toolkit  5
    IBM SecureWay Directory client  6
  Release Limitations  6

Chapter 2. Installing Access Manager components  7
  Installation considerations  7
  Installation process  7
    Installing the IBM Global Security Toolkit  8
    Installing the IBM SecureWay Directory client  9
    Installing and configuring Access Manager  9
  Configuration options  10
    Access Manager runtime (PDRTE-PD-3.9.0-0)  10
      LDAP registry  11
    Policy server (PDMgr-PD-3.9.0-0)  11
    Authorization server (PDAcld-PD-3.9.0-0)  12
  Default ports  13
  Uninstalling Access Manager for Linux on zSeries  13
    Uninstallation considerations  13
    Unconfiguring Access Manager for Linux on zSeries Components  13
    Removing Access Manager for Linux on zSeries Packages  14

Chapter 3. Configuring supported LDAP servers  15
  LDAP server configuration overview  15
  Configuring the IBM SecureWay Directory server  16
  Configuring z/OS or OS/390 LDAP servers  19
    Create a DB2 database for the TDBM backend  19
    Create an LDAP configuration file for a TDBM backend  20
    Start the server  21
    Update and load schema files  21
    Enabling LDAP replication  21
      Add a stanza to the replica LDAP server’s configuration file  22
      Add an object to the master LDAP server’s backend  22
  Configuring Access Manager for LDAP  22
    Native authentication user administration  22
    Sample LDAP configuration  23
    Sample DB2 database and tablespace script for SPUFI  24
    Sample DB2 index script for SPUFI  30
    Sample CLI bind batch job  32
    Sample CLI initialization file  34

Chapter 4. Enabling SSL for LDAP servers  35
  Configuring the IBM SecureWay Directory server for SSL access  35
    Creating the key database file and the certificate  36
    Obtaining a personal certificate from a certificate authority  37
    Creating and extracting a self-signed certificate  37
    Enabling SSL access  38
  Configuring OS/390 or z/OS SecureWay LDAP servers for SSL access  38
    Create a key database file for the server  39
    Create a self-signed certificate  39
    Store the server certificate  40
    Add a security stanza to the LDAP configuration file  40
    Restart the LDAP server  41
  Configuring the IBM SecureWay Directory client for SSL access  41
    Creating a key database file  42
    Adding a signer certificate  42
    Testing SSL access  43
  Configuring LDAP server and client authentication  44
    Creating a key database file  44
    Obtaining a personal certificate from a certificate authority  45
    Creating and extracting a self-signed certificate  45
    Adding a signer certificate  46
    Testing the SSL access  47

Appendix. Notices  49
  Trademarks  51

Glossary  53


Preface

IBM® Tivoli® Access Manager (Access Manager) is the base software that is required to run applications in the Access Manager product suite. It enables the integration of Access Manager applications that provide a wide range of authorization and management solutions. Sold as an integrated solution, these products provide an access control management solution that centralizes network and application security policy for e-business applications.

Note: IBM Tivoli Access Manager is the new name of the previously released software entitled Tivoli SecureWay® Policy Director. Also, for users familiar with the Tivoli SecureWay Policy Director software and documentation, the term management server is now referred to as policy server.

The IBM Tivoli Access Manager Base for Linux on zSeries™ Installation Guide explains how to install and configure Access Manager Base for Linux on the zSeries platform.

Who should read this book

This guide is for system administrators responsible for the installation and deployment of Access Manager.

Readers should be familiar with the following:
• IBM zSeries platform
• Database architecture and concepts
• Security management
• Internet protocols, including HTTP, TCP/IP, File Transfer Protocol (FTP), and Telnet
• A supported Lightweight Directory Access Protocol (LDAP) user registry and directory services
• Authentication and authorization

If you are enabling Secure Sockets Layer (SSL) communication, you also should be familiar with the SSL protocol, key exchange (public and private), digital signatures, cryptographic algorithms, and certificate authorities.

What this book contains

This guide contains the following sections:
• Chapter 1, “Installation overview” on page 1
• Chapter 2, “Installing Access Manager components” on page 7
• Chapter 3, “Configuring supported LDAP servers” on page 15
• Chapter 4, “Enabling SSL for LDAP servers” on page 35

Publications

This section lists publications in the Access Manager library and any other related documents. It also describes how to access Tivoli publications online, how to order Tivoli publications, and how to make comments on Tivoli publications.


IBM Tivoli Access Manager

The Access Manager library is organized into the following categories:
• Release information
• Base information
• WebSEAL information
• Developer reference information
• Supplemental technical information

For additional sources of information about Access Manager and related topics, see the following Web sites:

http://www.ibm.com/redbooks
https://www.tivoli.com/secure/support/documents/fieldguides

Release information
• IBM Tivoli Access Manager for e-business Read Me First, GI11-0918 (am39_readme.pdf)
  Provides information for installing and getting started using Access Manager.
• IBM Tivoli Access Manager for e-business Release Notes, GI11-0919 (am39_relnotes.pdf)
  Provides late-breaking information, such as software limitations, workarounds, and documentation updates.

Base information
• IBM Tivoli Access Manager Base for Linux on zSeries Installation Guide, GC23-4796 (am39_zinstall.pdf)
  Explains how to install and configure Access Manager Base for Linux on the zSeries platform.
• IBM Tivoli Access Manager Base Installation Guide, GC32-0844 (am39_install.pdf)
  Explains how to install, configure, and upgrade Access Manager software, including the Web portal manager interface.
• IBM Tivoli Access Manager Base Administrator’s Guide, GC23-4684 (am39_admin.pdf)
  Describes the concepts and procedures for using Access Manager services. Provides instructions for performing tasks from the Web portal manager interface and by using the pdadmin command.

WebSEAL information
• IBM Tivoli Access Manager WebSEAL for Linux on zSeries Installation Guide, GC23-4797 (amweb39_zinstall.pdf)
  Provides installation, configuration, and removal instructions for the WebSEAL server and the WebSEAL application development kit for Linux on the zSeries platform.
• IBM Tivoli Access Manager WebSEAL Installation Guide, GC32-0848 (amweb39_install.pdf)
  Provides installation, configuration, and removal instructions for the WebSEAL server and the WebSEAL application development kit.
• IBM Tivoli Access Manager WebSEAL Administrator’s Guide, GC23-4682 (amweb39_admin.pdf)
  Provides background material, administrative procedures, and technical reference information for using WebSEAL to manage the resources of your secure Web domain.
• IBM Tivoli Access Manager WebSEAL Developer’s Reference, GC23-4683 (amweb39_devref.pdf)
  Provides administration and programming information for the Cross Domain Authentication Service (CDAS), the Cross Domain Mapping Framework (CDMF), and the Password Strength Module.

Developer references
• IBM Tivoli Access Manager Authorization C API Developer’s Reference, GC32-0849 (am39_authC_devref.pdf)
  Provides reference material that describes how to use the Access Manager authorization C API and the Access Manager service plug-in interface to add Access Manager security to applications.
• IBM Tivoli Access Manager Authorization Java Classes Developer’s Reference, GC23-4688 (am39_authJ_devref.pdf)
  Provides reference information for using the Java™ language implementation of the authorization API to enable an application to use Access Manager security.
• IBM Tivoli Access Manager Administration C API Developer’s Reference, GC32-0843 (am39_adminC_devref.pdf)
  Provides reference information about using the administration API to enable an application to perform Access Manager administration tasks. This document describes the C implementation of the administration API.
• IBM Tivoli Access Manager Administration Java Classes Developer’s Reference, SC32-0842 (am39_adminJ_devref.pdf)
  Provides reference information for using the Java language implementation of the administration API to enable an application to perform Access Manager administration tasks.
• IBM Tivoli Access Manager WebSEAL Developer’s Reference, GC23-4683 (amweb39_devref.pdf)
  Provides administration and programming information for the Cross Domain Authentication Service (CDAS), the Cross Domain Mapping Framework (CDMF), and the Password Strength Module.

Technical supplements
• IBM Tivoli Access Manager Capacity Planning Guide, GC32-0847 (am39_capplan.pdf)
  Assists planners in determining the number of WebSEAL, LDAP, and backend Web servers needed to achieve a required workload.
• IBM Tivoli Access Manager Error Message Reference, SC32-0845 (am39_error_ref.pdf)
  Provides explanations and recommended actions for the messages produced by Access Manager.

The Tivoli Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Glossary is available, in English only, at the following Web site:

http://www.tivoli.com/support/documents/glossary/termsm03.htm


Related publications

This section lists publications related to the Access Manager library.

IBM DB2® Universal Database™

IBM DB2 Universal Database is required when installing IBM SecureWay Directory, z/OS™, and OS/390® SecureWay LDAP servers. DB2 information is available at the following Web site:

http://www.ibm.com/software/data/db2/

IBM Global Security Toolkit

Access Manager provides data encryption through the use of IBM Global Security Toolkit (GSKit). GSKit is shipped on the IBM Tivoli Access Manager Base CD for your particular platform.

The GSKit package installs the iKeyman key management utility (gsk5ikm), which enables you to create key databases, public-private key pairs, and certificate requests. The following document is available in the /doc/GSKit directory:
• Secure Sockets Layer Introduction and iKeyman User’s Guide (gskikm5c.pdf)
  Provides information for network or system security administrators who plan to enable SSL communication in their Access Manager secure domain.

IBM SecureWay Directory

The following documents are available in the /doc/Directory path on the IBM Tivoli Access Manager Base CD for your particular platform:
• IBM SecureWay Directory for Linux: Installation, Configuration, and Administration Guide (lparent.pdf)
  Provides installation, configuration, and migration information for IBM SecureWay Directory components on AIX®, Linux, Solaris, and Microsoft® Windows® operating systems.
• IBM SecureWay Directory Release Notes (relnote.pdf)
  Supplements IBM SecureWay Directory, Version 3.2.2, product documentation and describes features and functions made available to you in this release.
• IBM SecureWay Directory Readme Addendum (addendum322.pdf)
  Provides information about changes and fixes that occurred after the IBM SecureWay Directory documentation had been translated. This file is in English only.
• IBM SecureWay Directory Client Readme (client.pdf)
  Provides a description of the IBM SecureWay Directory Client SDK, Version 3.2.2. This software development kit (SDK) provides LDAP application development support.
• IBM SecureWay Directory Configuration Schema (scparent.pdf)
  Describes the directory information tree (DIT) and the attributes that are used to configure the slapd32.conf file. In IBM SecureWay Directory Version 3.2, the directory settings are stored using the LDAP Directory Interchange Format (LDIF) in the slapd32.conf file.

For information about IBM SecureWay Directory, see the following Web site:

http://www.software.ibm.com/network/directory/library/


Accessing publications online

Publications in the product libraries are included in Portable Document Format (PDF) on the product CD. To access these publications using a Web browser, open the infocenter.html file, which is located in the /doc directory on the product CD.

When IBM publishes an updated version of one or more online or hardcopy publications, they are posted to the Tivoli Information Center. The Tivoli Information Center contains the most recent version of the publications in the product library in PDF or HTML format, or both. Translated documents are also available for some products.

You can access the Tivoli Information Center and other sources of technical information from the following Web site:

http://www.tivoli.com/support/documents/

Information is organized by product, including release notes, installation guides, user’s guides, administrator’s guides, and developer’s references.

Note: If you print PDF documents on other than letter-sized paper, select the Fit to page check box in the Adobe Acrobat Print dialog (which is available when you click File → Print) to ensure that the full dimensions of a letter-sized page are printed on the paper that you are using.

Ordering publications

You can order many Tivoli publications online at the following Web site:

http://www.elink.ibmlink.ibm.com/public/applications/publications/cgibin/pbi.cgi

You can also order by telephone by calling one of these numbers:
• In the United States: 800-879-2755
• In Canada: 800-426-4968
• In other countries, for a list of telephone numbers, see the following Web site:
  http://www.tivoli.com/inside/store/lit_order.html

Providing feedback about publications

We are very interested in hearing about your experience with Tivoli products and documentation, and we welcome your suggestions for improvements. If you have comments or suggestions about our products and documentation, contact us in one of the following ways:
• Send an e-mail to [email protected]
• Complete our customer feedback survey at the following Web site:
  http://www.tivoli.com/support/survey/

Accessibility

Accessibility features help a user who has a physical disability, such as restricted mobility or limited vision, to use software products successfully.


Contacting customer support

If you have a problem with any Tivoli product, you can contact Tivoli Customer Support. See the Tivoli Customer Support Handbook at the following Web site:

http://www.tivoli.com/support/handbook/

The handbook provides information about how to contact Tivoli Customer Support, depending on the severity of your problem, and the following information:
• Registration and eligibility
• Telephone numbers and e-mail addresses, depending on the country in which you are located
• What information to gather before contacting support

Conventions used in this book

This guide uses several conventions for special terms and actions, operating system-dependent commands and paths, and margin graphics.

Typeface conventions

The following typeface conventions are used in this book:

Bold: Command names and options, keywords, and other information that you must use literally appear in bold.

Italic: Variables, command options, and values you must provide appear in italics. Titles of publications and special words or phrases that are emphasized also appear in italics.

Monospace: Code examples, command lines, screen output, file and directory names, and system messages appear in monospace font.


Chapter 1. Installation overview

Before you begin installing IBM Tivoli Access Manager (Access Manager), Version 3.9, you must become familiar with its components, installation options, and system requirements.

This chapter includes the following sections:
• “Planning for deployment”
• “Secure domain overview” on page 2
• “Installation components” on page 3
• “System requirements” on page 4

Planning for deployment

Before you implement a particular Access Manager solution, you must determine the specific security and management capabilities that are required of your network.

The first step in planning the deployment of an Access Manager security environment is to define the security requirements for your computing environment. Defining security requirements means determining the business policies that must apply to users, programs, and data. This includes defining the following:
• Objects to be secured
• Actions permitted on each object
• Users that are permitted to perform the actions

Enforcing a security policy requires an understanding of the flow of access requests through your network topology. This includes identifying proper roles and locations for firewalls, routers, and subnets. Deploying an Access Manager security environment (called a secure domain) also requires identifying the optimal points within the network for installing software that evaluates user access requests, and grants or denies the requested access.

Implementation of a security policy requires understanding the quantity of users, data, and throughput that your network must accommodate. You also must evaluate performance characteristics, scalability, and the need for failover capabilities. Integration of legacy software, databases, and applications with Access Manager software must also be considered.

After you have an understanding of the features that you want to deploy, you can decide which Access Manager components and applications can be combined to best implement your security policy.

Note: For useful planning documents, see the IBM Tivoli Access Manager Capacity Planning Guide and applicable field guides located at the following Web address: https://wwwl.tivoli.com/secure/support/documents/fieldguides/


Secure domain overview

The Access Manager product family is based on a model that combines a set of servers and runtime libraries with one or more applications, such as Access Manager for Operating Systems. The servers and runtime libraries provide a security framework that includes authentication and authorization libraries.

The Access Manager secure domain is a secure computing environment in which Access Manager enforces your security policies for authentication, authorization, and access control. The following graphic represents the systems in a typical secure domain and their associated components. For descriptions of these components, see “Installation components” on page 3.

Table 1 lists required components for the Access Manager systems illustrated above. For descriptions of these components, see “Installation components” on page 3.

Table 1. Types of Access Manager systems

Policy server
  Required components: IBM Global Security Toolkit, Access Manager runtime, IBM SecureWay Directory client, Policy server

Runtime system
  Required components: IBM Global Security Toolkit, Access Manager runtime, IBM SecureWay Directory client

Development system
  Required components: IBM Global Security Toolkit, Access Manager runtime, IBM SecureWay Directory client, Application Development Kit

Authorization server
  Required components: IBM Global Security Toolkit, Access Manager runtime, IBM SecureWay Directory client, Authorization server


Installation components

This section provides an overview of the installation components that constitute a secure domain. For more information, see “System requirements” on page 4.

Access Manager runtime

The Access Manager runtime component contains runtime libraries and supporting files that applications can use to access Access Manager servers. You must install the runtime on every system that is part of your secure domain.

Application development kit

The application development kit (ADK) provides a development environment that enables you to code third-party applications to query the authorization server for authorization decisions. The ADK contains support for using both C APIs and Java classes for authorization and administration functions. This component is optional.

Authorization server

The authorization server offloads access control and authorization decisions from the policy server. It maintains a replica of the authorization policy database and functions as the authorization decision-making evaluator. A separate authorization server also provides access to the authorization service for third-party applications that use the Access Manager authorization API in remote cache mode. This component is optional.

IBM Global Security Toolkit

Access Manager provides data encryption through the use of IBM Global Security Toolkit (GSKit). The GSKit package installs the iKeyman key management utility (gsk5ikm), which enables you to create key databases, public-private key pairs, and certificate requests. For more information about this utility and enabling SSL, see Chapter 4, “Enabling SSL for LDAP servers” on page 35.

IBM SecureWay Directory client

Access Manager supports the IBM SecureWay Directory client. This client is shipped with the IBM SecureWay Directory product on the IBM Tivoli Access Manager Base for Linux on zSeries CD.

The IBM SecureWay Directory client fully supports any of the supported user registries. You must install and configure this client on each system that runs Access Manager.

The IBM SecureWay Directory client installation package includes a graphical user interface (GUI). The Directory Management Tool (DMT) enables you to browse and edit information in your directory, such as schema definitions, the directory tree, and data entries. In-depth documentation for this interface is available through the online help system.

Policy server

The policy server, previously referred to as the management server, maintains the master authorization policy database for the secure domain. This server is key to the processing of access control, authentication, and authorization requests. It also updates authorization database replicas and maintains location information about other Access Manager servers in the secure domain.

There can be only one instance of the policy server and its master authorization database in any secure domain at one time. However, you can have a second server in standby mode to provide cold failover capabilities. The policy server replicates its access control list (ACL) database to all other Access Manager servers in the secure domain.

System requirements

Access Manager Base for Linux on zSeries has specific system prerequisites that must be met before it can be installed and deemed fully functional.

The requirements listed in the following sections constitute the recommended environment for Access Manager components at the time of publication. For the most current information, see the IBM Tivoli Access Manager Release Notes for e-business, Version 3.9 on the Tivoli Customer Support Web site.

Supported operating system

Access Manager Base for Linux on zSeries is supported on the following platform:
• SuSE Linux Enterprise Server 7 for S/390 and zSeries (SLES-7)
  This is SuSE Linux 7.2 for zSeries, kernel 2.4.7, 31-bit.
  – You must install the compat-libstdc++ package to provide the legacy C++ support required by GSKit. This file, named compat.rpm, is located on the SuSE SLES-7 developer CD 1 in the /suse/a1 directory.

This is the only configuration currently supported by IBM.

Supported user registry

Access Manager Base for Linux on zSeries supports the following user registries. The following sections list their supported operating systems and necessary prerequisites.

IBM SecureWay Directory server

Access Manager Base for Linux on zSeries supports the use of IBM SecureWay Directory, Version 3.2.2, as the user registry.

This LDAP server is supported on the following operating systems:
• AIX 4.3.3 and 5.1.0 with the bos.rte.libpthreads patch at level 4.3.3.51 or greater
  Note: You can download this patch from the following Web address: http://www.ibm.com/support/rs6000.html
• Linux 2.2 kernel distributions
• Solaris 2.7 and 2.8
• Windows NT 4.0 with Service Pack 6a
• Windows 2000 Advanced Server with Service Pack 2

Prerequisite software for the IBM SecureWay Directory server is as follows:
• IBM DB2 Universal Database Edition, Version 7.2, with Fixpack 5, which currently is only supported on a Linux 2.2 kernel distribution. You can also install IBM DB2 Universal Database Edition, Version 7.2, and IBM SecureWay Directory, Version 3.2.2, server on a Linux 2.2 kernel distribution in a zSeries Linux image, separate from the 2.4 kernel images running the Access Manager components.

    Note: To register and download IBM SecureWay Directory, Version 3.2.2, forS/390 Linux, see the following Web address:

    http://www.ibm.com/software/network/directory/

    Attention:

    v If you have a preexisting version of LDAP from a vendor other than IBM, youmust remove it before installing IBM SecureWay Directory. If you attempt toinstall IBM SecureWay Directory without removing the other vendor’s version,the resulting file name conflicts might prevent either version from working.

    v SLES-7 systems are installed with OpenLDAP. Ensure that OpenLDAP isremoved before installing IBM SecureWay Directory. To query if there areinstalled LDAP packages, enter the following command:rpm -qa | grep -i ldap

OS/390 Security Server

Access Manager Base for Linux on zSeries supports the use of IBM OS/390 Server, Version 2, Release 10, as a user registry. In addition, the following PTFs are required:

- APAR OW46344, which provides the configuration files and libraries to support the Access Manager schema
- APAR OW53402, which provides support for empty attribute replace operations

z/OS Security Server

Access Manager Base for Linux on zSeries supports the use of IBM z/OS, Version 1, Release 2 and higher, as a user registry. In addition, the following PTFs are required:

- APAR OW46344, which provides the configuration files and libraries to support the Access Manager schema
- APAR OW53402, which provides support for empty attribute replace operations

IBM Global Security Toolkit

Access Manager Base for Linux on zSeries supports IBM Global Security Toolkit (GSKit), Version 5.0.4.67, which is shipped on the IBM Tivoli Access Manager Base for Linux on zSeries CD. Version 5 is not compatible with GSKit, Version 4.x, but these versions can coexist on the same system.

It is recommended that you also install the newly released GSKit download available at the following Web site:
https://www.tivoli.com/secure/support/downloads/secureway/policy_dir/downloads.html

The IBM Global Security Toolkit contains a utility called gsk5ikm. This utility has dependencies on two additional pieces of software:

- Java Runtime Environment (JRE) Version 1.3.1

  You can obtain this product from the IBM Java Developer Kit for Linux download site at:
  http://www6.software.ibm.com/dl/dk1x130/dk1x130-p

  Note: The gsk5ikm utility shipped with GSKit does not support JRE Version 1.3. This utility requires JRE Version 1.3.1.

- The SuSE Linux Enterprise Server Version 7 compat-libstdc++ software installation package.

  This package is required to provide the legacy C++ support required by GSKit on SuSE Linux Enterprise Server Version 7. You can obtain the package from the following location on the SuSE Linux Enterprise Server Version 7 developer CD 1:
  /suse/a1/compat.rpm

  To use GSKit services on SuSE Linux Enterprise Server Version 7, you must set the LD_PRELOAD environment variable to /usr/lib/libstdc++-libc6.1-2.so.3 by entering the following:

  export LD_PRELOAD=/usr/lib/libstdc++-libc6.1-2.so.3

IBM SecureWay Directory client

Access Manager Base for Linux on zSeries supports the IBM SecureWay Directory, Version 3.2.2, client with e-fix 1. This client is shipped on the IBM Tivoli Access Manager Base for Linux on zSeries CD.

Release Note: It is recommended that you also install the newly released e-fix 2 patch available at the following Web site:
http://www.ibm.com/software/network/directory/downloads/

Attention: The Directory Management Tool (DMT) is a Java-based application installed with the IBM SecureWay Directory client. Because the supported Java level on a SuSE SLES-7 distribution is 1.3.1, Java 1.3.1 must be installed to use this tool. In addition, the DMT tool is an X Window System application. Therefore, it must be started from an X Window System session.

Release Limitations

Access Manager Base for Linux on zSeries, Version 3.9, limitations are as follows:

- The only supported directories for this release are IBM SecureWay Directory, OS/390 Security Server, and z/OS Security Server.
- Operation on Linux distributions other than 31-bit SuSE SLES-7 is not supported by IBM.
- Localization support is not available. Software and documentation are provided in the English language only.

Chapter 2. Installing Access Manager components

This chapter provides information about installing and configuring Access Manager components on Linux for zSeries systems. Before you begin, make sure that you review the installation process in “Installation process” and are familiar with “Configuration options” on page 10.

This chapter contains the following main sections:

- “Installation considerations”
- “Installation process”
- “Installing the IBM Global Security Toolkit” on page 8
- “Installing the IBM SecureWay Directory client” on page 9
- “Installing and configuring Access Manager” on page 9
- “Configuration options” on page 10
- “Uninstalling Access Manager for Linux on zSeries” on page 13

Installation considerations

Before you begin using the installation process, ensure that the following conditions are met:

- You must install and configure only one policy server for each secure domain.
- If you are installing the policy server, you must install the runtime environment first. However, you must not configure the runtime environment until the policy server is installed.
- After configuring the policy server, you can install and configure the authorization server, ADK, or both, on any system in the secure domain, including the system that hosts the policy server.
- If you are installing the runtime on a different host system than the policy server and download certificate is not enabled for this policy server, you must obtain the SSL certificate file from the policy server system. To do this, use a file transfer program, such as ftp, to place a copy of the file in a location of your choice. On the policy server, the certificate file is located at the following path:
  /var/PolicyDirector/keytab/pdcacert.b64

  Note that you should copy this file after installing the runtime component but before configuring it. In addition, the copied file must have user and group ownership of ivmgr.

Installation process

The following procedure shows you how to install all Access Manager components in the appropriate order. Depending on your system requirements, select only the components that you need to install. For example, if you plan to set up a development system, required components include GSKit, the Access Manager runtime, the IBM SecureWay Directory client, and the ADK.

To install Access Manager components, follow these basic steps:

Note: For descriptions of the configuration values that you are prompted for during installation, see “Configuration options” on page 10.

1. Plan your Access Manager deployment. Ensure that you understand the business security requirements for which Access Manager is being deployed. For information, see “Planning for deployment” on page 1.

2. Decide which combination of Access Manager components you want to install and ensure that you have met all system requirements listed on page 4.

3. Install the IBM Global Security Toolkit (GSKit) before installing any other Access Manager component. As part of the GSKit installation, install the compat.rpm package. GSKit is a prerequisite to the runtime environment, which is required on all systems in the secure domain. For GSKit installation instructions, see “Installing the IBM Global Security Toolkit”.

4. Install a supported user registry and perform basic configuration. If you have an existing LDAP server that you want to use for Access Manager, see “Supported user registry” on page 4 for more information. For installation instructions, do one of the following:
   - To install and configure OS/390 or z/OS security servers, consult your product documentation.
   - To install and configure the IBM SecureWay Directory server, see the IBM SecureWay Installation and Configuration Guide for Linux, located in /doc/Directory on the IBM Tivoli Access Manager Base CD for your particular platform.

5. Install the IBM SecureWay Directory client. This client is required on each system that runs Access Manager. For client installation instructions, see “Installing the IBM SecureWay Directory client” on page 9.

6. Configure a supported user registry for use with Access Manager. For instructions, see Chapter 3, “Configuring supported LDAP servers” on page 15.

7. Depending on the type of Access Manager system that you are setting up, install one or more of the following components in this order:
   - IBM Global Security Toolkit (GSKit)
   - IBM SecureWay Directory client
   - Access Manager runtime
   - Policy server
   - Authorization server
   - ADK

   For instructions, see “Installing and configuring Access Manager” on page 9.

8. Optional: To enable SSL communication between your LDAP server and IBM SecureWay Directory clients, see Chapter 4, “Enabling SSL for LDAP servers” on page 35.

Installing the IBM Global Security Toolkit

To install GSKit on a Linux system, follow these steps:

1. Log in to the system as root.
2. Insert the IBM Tivoli Access Manager for Linux on zSeries, Version 3.9 CD.
3. Change to the directory /mnt/cdrom/zSeries, where /mnt/cdrom is the mount point for your CD.
4. To install GSKit in the default location, enter the following:

   rpm -i gsk5bas-5.0.4.67.s390.rpm

After you install GSKit, no configuration is necessary.

Notes:

- The iKeyman key management utility (gsk5ikm) is installed with the GSKit package. This enables you to create key databases, public-private key pairs, and certificate requests.
- To use GSKit services on SuSE SLES-7 systems, you need to set the LD_PRELOAD environment variable to the following:

  export LD_PRELOAD=/usr/lib/libstdc++-libc6.1-2.so.3

  Set the LD_PRELOAD environment variable before starting an LDAP client application that uses SSL or before starting the gsk5ikm utility.

Installing the IBM SecureWay Directory client

To install the IBM SecureWay Directory client on a Linux system, follow these steps.

Note: Before installing the IBM SecureWay Directory client on your Linux system, remove the nss_ldap-149-1 package, if it is installed. Otherwise, an installation failure occurs.

1. Ensure that you have installed GSKit. For instructions, see “Installing the IBM Global Security Toolkit” on page 8. As part of the GSKit installation, make sure you install the compat.rpm package as follows:

   rpm -i compat.rpm

2. Log in to the system as root.
3. Obtain access to the Access Manager for Linux on zSeries rpm files. This can be done by using ftp to transfer the files to Linux on zSeries from another system, or by mounting the CD on another system and accessing it from Linux on zSeries using NFS.
4. Change to the directory /mnt/cdrom/zSeries, where /mnt/cdrom is the mount point for your CD.
5. To install the IBM SecureWay Directory client in the default location, enter the following:

   rpm -i ldap-clientd-3.2.2-1.s390.rpm

After you install the IBM SecureWay Directory client, no configuration is necessary.
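As an added example (not part of the IBM guide), the following POSIX shell function applies the package checks from the Attention notes under “Supported user registry” and the nss_ldap note in this section to an rpm -qa listing: it flags OpenLDAP and nss_ldap packages that must be removed before IBM SecureWay Directory is installed, leaves IBM’s own ldap-clientd package alone, and reports whether the package installed from compat.rpm (GSKit’s legacy C++ prerequisite) is present. The installed package name compat, the version strings in the sample listing, and the listing itself are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the IBM guide: pre-install package check for a
# SLES-7 system that will receive GSKit and the IBM SecureWay Directory client.
#
# tam_pkg_check reads package names, one per line as "rpm -qa" prints them,
# on stdin. It prints one line per finding and returns:
#   0  nothing to fix
#   1  a conflicting LDAP package is installed, or the compat package
#      (installed from compat.rpm) is missing
tam_pkg_check() {
    conflicts=""
    compat_ok=0
    while IFS= read -r pkg; do
        [ -n "$pkg" ] || continue
        case "$pkg" in
            ldap-clientd-*|ldap_clientd-*)
                # IBM SecureWay Directory client: expected, not a conflict.
                ;;
            openldap*|nss_ldap*)
                # OpenLDAP ships with SLES-7 and must be removed first;
                # nss_ldap-149-1 makes the Directory client installation fail.
                conflicts="$conflicts $pkg"
                ;;
            compat-*|compat)
                # Assumed name of the package installed from /suse/a1/compat.rpm.
                compat_ok=1
                ;;
        esac
    done

    rc=0
    for pkg in $conflicts; do
        echo "REMOVE: $pkg (rpm -e $pkg) before installing IBM SecureWay Directory"
        rc=1
    done
    if [ "$compat_ok" -eq 0 ]; then
        echo "MISSING: compat-libstdc++ (install /suse/a1/compat.rpm from SLES-7 developer CD 1)"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: no conflicting LDAP packages, compat package present"
    return "$rc"
}

# Constructed sample listing standing in for "rpm -qa" output on a fresh
# SLES-7 image (versions other than nss_ldap-149-1 are made up).
SAMPLE_RPM_QA='glibc-2.2.2-38
openldap-1.2.11-59
nss_ldap-149-1
ldap-clientd-3.2.2-1
gsk5bas-5.0-4.67'

# On a real system:  rpm -qa | tam_pkg_check
if printf '%s\n' "$SAMPLE_RPM_QA" | tam_pkg_check; then
    echo "system is ready for the IBM SecureWay Directory client"
else
    echo "fix the findings above, then rerun the check"
fi
```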

Installing and configuring Access Manager

You must configure the runtime environment before configuring any other package. For descriptions of the configuration options you are prompted for, see “Configuration options” on page 10.

To install Access Manager components on Linux, follow these steps:

1. Log in to the system as root.
2. Obtain access to the Access Manager for Linux on zSeries rpm files. This can be done by using ftp to transfer the files to Linux on zSeries from another system, or by mounting the CD on another system and accessing it from Linux on zSeries using NFS.
3. Change to the directory /mnt/cdrom/zSeries, where /mnt/cdrom is the mount point for your CD.
4. To install components in the default location, enter the following:

   rpm -i package

   where package is one of the following:

   PDRTE-PD-3.9.0-0.s390.rpm
      Indicates the Access Manager runtime.
   PDMgr-PD-3.9.0-0.s390.rpm
      Indicates the policy server.
   PDAcld-PD-3.9.0-0.s390.rpm
      Indicates the authorization server.
   PDAuthADK-PD-3.9.0-0.s390.rpm
      Indicates the ADK.

5. Change to the following directory:

   cd /opt/PolicyDirector/bin

6. To ensure that the correct C++ libraries are used by the pdconfig utility and the LDAP and GSKit command line programs, enter the following:

   export LD_PRELOAD=/usr/lib/libstdc++-libc6.1-2.so.3

   Note: This command is not required to run Access Manager programs.

7. To start the Access Manager configuration utility, enter the following command:

   pdconfig

   The Access Manager Setup Menu is displayed.

8. Type the menu number for Configure Package. The Access Manager Configuration Menu is displayed, listing the installed Access Manager packages.

9. Select the components that you want to configure, one at a time. Depending on the component that you selected, you are prompted for configuration options. For assistance with these configuration options, see “Configuration options”.

10. When a message appears indicating that the package has been successfully configured, press Enter to configure another component or select the x option twice to close the configuration utility.

Configuration options

This section lists configuration information that is required during the native installation process. It is recommended that you identify these values before you are prompted for them during installation. If you are planning to enable Secure Sockets Layer (SSL), the related configuration options also are provided.

Note that the configuration information for the policy server is used for configuring every Access Manager component except for GSKit, the IBM SecureWay Directory client, and the application development kit (ADK), where configuration is not required.

Access Manager runtime (PDRTE-PD-3.9.0-0)

During the configuration of the Access Manager runtime component, you are prompted for the following information:

- User Registry Selection: Select the type of registry you configured for Access Manager. Note that LDAP registry is the only supported choice for Access Manager for Linux on zSeries.

LDAP registry

During the configuration of the Access Manager runtime environment, you are prompted for the following information:

- LDAP server hostname: Specifies the fully qualified host name of the LDAP server. For example:
  ldapserver.tivoli.com
- LDAP server port number: Specifies the port number on which the LDAP server listens. The default port number is 389.

If the Access Manager policy server is not installed on the same system as the Access Manager runtime environment, then you are also prompted for the following information:

- Hostname of the Policy Server machine: Specifies the fully qualified host name of the policy server. For example:
  pdmgr.tivoli.com
- SSL listening port used by Policy Server: Specifies the port number on which the policy server listens for SSL requests. The default port number is 7135.

Policy server (PDMgr-PD-3.9.0-0)

During the configuration of the policy server, you are prompted for the following information:

- LDAP administrative user DN: Specifies the distinguished name of the LDAP administrator. The default name is cn=root.
- LDAP administrative user password: Specifies the password associated with the LDAP administrator ID.
- Enable SSL communication between the Access Manager Policy Server and the LDAP server: Specifies whether SSL should be enabled, yes or no. If yes is specified, the following information is requested.
  – Location of the LDAP SSL client key file: Specifies the fully qualified path name where the client GSKit key database file is located on the policy server. To enable SSL support between your policy server and LDAP server, the Access Manager Base CD provides the following sample key file for evaluation use only:
    /common/pd_ldapkey.kdb

    This file is not intended for use in a production environment. To acquire your own certificate, see information about creating a key database file and certificate in Chapter 4, “Enabling SSL for LDAP servers” on page 35.
  – SSL client certificate label (if required): Specifies the label in the client GSKit key database file of the client certificate to be sent to the server. This label is required if the server is configured to require client authentication during SSL establishment. If you use the ezinstall_ldap_server script and the default key file (pd_ldapkey.kdb), then the label should be left blank. Typically, the LDAP server requires only server-side certificates that were specified during creation of the client .kdb file. In addition, if the SSL client key file label is not required, leave this field blank when configuring the policy server.
  – LDAP SSL client key file password: Specifies the password of the client GSKit key database file. The pd_ldapkey.kdb file shipped with easy installation has a default password of gsk4ikm. These defaults are usable if you install and configure the IBM SecureWay Directory server using the ezinstall_ldap_server script. If you decide to change this password using the gsk5ikm utility, you must recall this default password.
  – LDAP server SSL port number: Specifies the port number on which the LDAP server listens for SSL requests. The default port number is 636.
- LDAP DN for GSO database: Specifies the distinguished name of the location in the LDAP server directory information tree (DIT) where the Tivoli Global Sign-On (GSO) database is located. For example:
  o=tivoli,c=us

  For more information about the GSO suffix, see “LDAP server configuration overview” on page 15.
- Access Manager Administrator Password: Specifies the password associated with the sec_master primary administrator ID. You are prompted to confirm this password.
- SSL server port for Access Manager Policy Server: Specifies the port number on which the policy server listens for SSL requests. The default port number is 7135.
- Policy server SSL certificate lifetime: Specifies the number of days that the SSL certificate file is valid. The default number of days is 365.
- Enable root CA Certificate download: Specify yes to enable automatic downloading of the SSL certificate authority file. Regardless of whether you specify yes or no, the SSL certificate authority file is placed at the following path:
  /var/PolicyDirector/keytab/pdcacert.b64

  If this option is set to no, you must copy the pdcacert.b64 file to each Access Manager runtime system in your secure domain.

Authorization server (PDAcld-PD-3.9.0-0)

During the configuration of the authorization server system, you are prompted for the following information:

- LDAP administrative user DN: Specifies the distinguished name of the LDAP administrator. The default name is cn=root.
- LDAP administrator user password: Specifies the password associated with the LDAP administrator ID.
- Enable SSL communication between the Access Manager Policy Server and the LDAP server: Specifies whether SSL should be enabled, yes or no. If yes is specified, the following information is requested.
  – Location of the LDAP SSL client key file: Specifies the fully qualified path name where the client GSKit key database file is located on the policy server. To enable SSL support between your policy server and LDAP server, the Access Manager Base CD provides the following sample key file for evaluation use only:
    /common/pd_ldapkey.kdb

    This file is not intended for use in a production environment. To acquire your own certificate, see information about creating a key database file and certificate in Chapter 4, “Enabling SSL for LDAP servers” on page 35.
  – SSL client certificate label (if required): Specifies the label in the client GSKit key database file of the client certificate to be sent to the server. This label is required if the server is configured to require client authentication during SSL establishment. If you use the ezinstall_ldap_server script and the default key file (pd_ldapkey.kdb), then the label for configuring the LDAP server should be PDLDAP. Typically, the LDAP server requires only server-side certificates that were specified during creation of the client .kdb file.

    Note: If the SSL client key file label is not required, leave this field blank when configuring the authorization server.
  – LDAP SSL client key file password: Specifies the password of the client GSKit key database file. The pd_ldapkey.kdb file shipped with easy installation has a default password of gsk4ikm. These defaults are usable if you install and configure the IBM SecureWay Directory server using the ezinstall_ldap_server script. If you decide to change this password using the gsk5ikm utility, you must recall this default password.
  – LDAP server SSL port number: Specifies the port number on which the LDAP server listens for SSL requests. The default port number is 636.
- Password for the Access Manager Administrator: Specifies the password associated with the sec_master primary administrator ID.

Default ports

Default port numbers are as follows:

- LDAP server non-SSL port: 389
- LDAP server SSL port: 636
- Policy server SSL port: 7135
- LDAP server SSL client port: 636

Uninstalling Access Manager for Linux on zSeries

Uninstalling Access Manager, Version 3.9 is a two-part process. You must unconfigure components and then remove Access Manager packages.

Uninstallation considerations

Before you begin the uninstall process, ensure that the following conditions are met:

- Stop all Access Manager services and applications before uninstalling components.
- Unconfigure and remove the policy server system last.
- Unconfigure any other Access Manager applications, such as WebSEAL, before unconfiguring the policy server and runtime environment.
- You do not have to unconfigure the ADK before removing it.

Unconfiguring Access Manager for Linux on zSeries Components

Before you remove Access Manager packages from a Linux system, you must unconfigure components. To do so, follow these steps:

1. Log in as root.
2. Change to the following directory:

   cd /opt/PolicyDirector/bin

3. Start the Access Manager configuration utility:

   pdconfig

   The Access Manager Setup Menu is displayed.

4. Type the number of the menu item for the Access Manager component that you want to unconfigure.
5. Repeat this procedure for each package that you want to unconfigure.

Removing Access Manager for Linux on zSeries Packages

To remove components from a Linux system, follow these steps:

1. Ensure that you have unconfigured components. Follow the instructions in “Unconfiguring Access Manager for Linux on zSeries Components” on page 13.
2. To remove one or more packages, enter the following:

   rpm -e package

   where package is one or more of the following:

   PDMgr-PD-3.9.0-0
      Indicates the policy server.
   PDAcld-PD-3.9.0-0
      Indicates the authorization server.
   PDAuthADK-PD-3.9.0-0
      Indicates the ADK.
   PDRTE-PD-3.9.0-0
      Indicates the runtime environment.
   ldap_clientd-3.2.2-1
      Indicates the IBM SecureWay Directory client.
   gsk5bas-5.0-4.67
      Indicates GSKit.

   Package removal completes silently. The Linux command prompt returns upon successful completion.

A message is displayed indicating that the removal of the software package was successful.

Chapter 3. Configuring supported LDAP servers

This chapter shows you how to configure Access Manager data for use with your particular LDAP server.

Main sections are as follows:

- “LDAP server configuration overview”
- “Configuring the IBM SecureWay Directory server” on page 16
- “Configuring z/OS or OS/390 LDAP servers” on page 19

LDAP server configuration overview

Data is stored within the LDAP server in a hierarchical tree structure called the directory information tree (DIT). The top of the tree is called a suffix (also referred to as a naming context or root). An LDAP server can contain multiple suffixes to organize the data tree into logical branches or organizational units.

The following sections show you how to create Access Manager suffixes for your particular LDAP server. During the configuration process, Access Manager automatically attempts to add appropriate access control lists (ACLs) to every suffix that currently exists in the LDAP server. This is necessary to give Access Manager the permission it needs to manage users and groups defined within those suffixes. If you add suffixes after the initial configuration of Access Manager, you must add the appropriate ACLs manually. For more information, see the IBM Tivoli Access Manager Base Administrator’s Guide.

Access Manager requires that you create a suffix named secAuthority=Default, which maintains Access Manager metadata. You must add this suffix only once, when you first configure the LDAP server. This suffix enables Access Manager to easily locate and manage the data. It also secures access to the data, thus avoiding integrity or corruption problems.

Additionally, you are prompted for a Global Sign-On (GSO) distinguished name (DN) during configuration of the policy server. To store GSO metadata, you can either create a suffix or specify the distinguished name of an existing LDAP DIT location. You can store the GSO metadata anywhere you choose within the LDAP DIT, but the location must already exist. If you decide to create a suffix, you might consider storing both GSO metadata and your user definitions in a single suffix. For instance, the following sections use o=tivoli,c=us as an example to store both GSO metadata and user definitions. Note that you also can create additional suffixes to maintain user and group definitions.

After you create suffixes, you also must create directory entries for each suffix. This is necessary to instantiate the suffix. Otherwise, Access Manager is unable to attach ACLs when it is being configured. ACLs give Access Manager the permission it needs to manage users and groups defined within those suffixes.

Note: For complete instructions about creating suffixes, see the product documentation shipped with your particular LDAP server. The following instructions serve as a general guide to creating suffixes. It is recommended that you create suffixes that mirror your organizational structure.

Configuring the IBM SecureWay Directory server

1. To configure the IBM SecureWay server, you must manually modify the slapd32.conf file to add required suffixes. In the following example, the dn: cn=Directory section of the slapd32.conf file is modified to add the required Access Manager suffix and use the suffix o=ibm,c=us for GSO metadata and user definitions.

   dn: cn=Directory,cn=RDBM Backends,cn=IBM SecureWay,cn=Schemas,cn=Configuration
   objectclass: top
   objectclass: ibm-slapdRdbmBackend
   cn: Directory
   # The following attributes must match the database being used
   ibm-slapdDbInstance: ldapdb2
   ibm-slapdDbName: ldapdb2
   ibm-slapdDbUserId: ldapdb2
   # You MUST set the DB2 user password
   ibm-slapdDbUserPW: pass4db2
   # The following suffix is used by /usr/ldap/examples/sample.ldif
   ibm-slapdSuffix: o=ibm,c=us
   ibm-slapdSuffix: secAuthority=Default
   ibm-slapdPlugin: database /lib/libback-rdbm.so rdbm_backend_init
   ibm-slapdDbConnections: 30
   ibm-slapdSuffix: cn=localhost
   ibm-slapdReadOnly: FALSE

2. To create directory entries for suffixes added to the slapd32.conf file, enter dmt from a command prompt to start the directory management tool (DMT). The following window is displayed:
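Step 1 edits the dn: cn=Directory entry by hand. As an added example (not part of the IBM guide), the following POSIX shell and awk filter makes that edit repeatable: it reads a slapd32.conf on stdin, adds an ibm-slapdSuffix line for each suffix named on the command line to the cn=Directory entry only when that entry does not already carry it, and leaves every other entry untouched, so rerunning it never duplicates secAuthority=Default. The sample configuration is a constructed fragment modelled on the excerpt above; the second entry in it is invented to show that other entries are left alone.

```shell
#!/bin/sh
# Added example, not from the IBM guide: idempotently add ibm-slapdSuffix
# lines to the "dn: cn=Directory,..." entry of an IBM SecureWay Directory
# slapd32.conf. Usage: ensure_suffixes SUFFIX... < slapd32.conf > new.conf

# Add one suffix. Each LDIF-style entry is buffered so the new line can be
# placed at the end of the cn=Directory entry (before its trailing blank
# lines) and only when the entry does not already contain it.
ensure_one_suffix() {
    awk -v suf="$1" '
        function flush(    i, last) {
            if (n == 0) return
            if (indir && !seen) {
                last = n
                while (last > 0 && buf[last - 1] == "") last--
                for (i = n; i > last; i--) buf[i] = buf[i - 1]
                buf[last] = "ibm-slapdSuffix: " suf
                n++
            }
            for (i = 0; i < n; i++) print buf[i]
            n = 0; seen = 0; indir = 0
        }
        # A "dn:" line starts a new entry: emit the previous one first.
        /^dn: / { flush(); indir = ($0 ~ /^dn: cn=Directory,/) }
        ($0 == ("ibm-slapdSuffix: " suf)) { seen = 1 }
        { buf[n++] = $0 }
        END { flush() }
    '
}

# Apply every suffix given as an argument, one awk pass per suffix.
ensure_suffixes() {
    if [ $# -eq 0 ]; then
        cat
        return
    fi
    first=$1
    shift
    ensure_one_suffix "$first" | ensure_suffixes "$@"
}

# Count lines declaring the given suffix in a configuration read on stdin.
count_suffix() {
    grep -c "^ibm-slapdSuffix: $1\$"
}

# Constructed fragment of a slapd32.conf: the cn=Directory entry still lacks
# secAuthority=Default, and a second (made-up) entry has its own suffix.
SAMPLE_SLAPD32_CONF='dn: cn=Directory,cn=RDBM Backends,cn=IBM SecureWay,cn=Schemas,cn=Configuration
objectclass: top
objectclass: ibm-slapdRdbmBackend
cn: Directory
ibm-slapdDbInstance: ldapdb2
ibm-slapdSuffix: o=ibm,c=us
ibm-slapdSuffix: cn=localhost
ibm-slapdReadOnly: FALSE

dn: cn=Other,cn=Schemas,cn=Configuration
objectclass: top
ibm-slapdSuffix: o=other'

# Adds secAuthority=Default; o=ibm,c=us is already present and is not repeated.
printf '%s\n' "$SAMPLE_SLAPD32_CONF" | ensure_suffixes secAuthority=Default o=ibm,c=us
```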

3. Click Add server in the bottom portion of the frame. A window similar to the following is displayed:

4. Do one of the following:
   - If you want to use Secure Sockets Layer (SSL) between the DMT and the LDAP server, follow these steps:
     a. Select Simple in the Authentication type field.
     b. In the Server name field, type your LDAP server name, for example, dliburd2.tivoli.com. You can use either the IP address or the domain name.
     c. In the User DN field, type the LDAP administrator ID used to connect to the server, for example:
        cn=root
     d. In the User password field, type the LDAP administrator password.
     e. Select the Use SSL check box.
     f. In the Port field, enter the SSL port number.
     g. Complete the Keyclass file name and the Keyclass file password fields. The certificate name is optional based on how you set up the LDAP server and the kdb file.
     h. Click OK.
   - If you do not want to use SSL between the DMT and the LDAP server, follow these steps:
     a. Select Simple in the Authentication type field.
     b. In the Server name field, type your LDAP server name, for example, dliburd2.tivoli.com. You can use either the IP address or the domain name.
     c. In the User DN field, type the LDAP administrator ID used to connect to the server, for example:
        cn=root
     d. In the User password field, type the LDAP administrator password.
     e. Click OK.

5. Select Browse Tree from the left frame. Warning messages are displayed indicating that the suffixes that you created do not contain data. Click OK to dismiss these messages. A window similar to the following is displayed:

6. Select the host name in the list on the right and click Add. For example, the host name is ldap://dliburd2.tivoli.com:389 in the previous example.

7. In the Add an LDAP Entry window, complete the fields and click OK. For example, if you are adding a directory entry for the GSO suffix, a window similar to the following is displayed:

8. Enter values for the attributes and then click Add. For example, the GSO suffix example appears as shown:

9. When you have completed adding directory entries for the suffixes you created, click Exit to close the IBM SecureWay Directory Management Tool window.

Configuring z/OS or OS/390 LDAP servers

This section describes the configuration steps necessary to prepare the LDAP server on z/OS or OS/390 for Access Manager. Particular emphasis is given to configuring Access Manager against a native security authorization facility (SAF) user registry.

These guidelines assume a new LDAP server instance dedicated to the Access Manager user registry. For more information, consult the OS/390 SecureWay Security Server LDAP and z/OS SecureWay Security Server LDAP product documentation. For system requirements and applicable program temporary fixes (PTFs), see “Supported user registry” on page 4.

Note: If you are using an existing LDAP server, some of these guidelines might already be met. However, you must add the Access Manager schema to the z/OS LDAP directory.

This section includes the following subsections. Sample configuration files are also provided.

- Create a DB2 database for the TDBM backend
- Create an LDAP configuration file for a TDBM backend
- Start the server
- Update and load schema files
- Enabling LDAP replication
- Configuring Access Manager for LDAP

Create a DB2 database for the TDBM backend

Create a DB2 database for the TDBM backend. To do this, follow the instructions in the README file located in the following directory of your LDAP installation:
/usr/lpp/ldap/examples/sample_server

Steps are as follows:

1. Bind the Call Level Interface (CLI). The CLI provides an abstraction layer to SQL commands. This step establishes the environment needed for the LDAP server to use the CLI. The sample server provides a job file to bind the CLI. An administrator must move the file to an MVS® partition before it is possible to execute the job. See “Sample CLI bind batch job” on page 32 for a copy of this file.

2. Create a CLI initialization file. The initialization file provides the LDAP server a facility and the data source for the CLI. An example of this file is found with the sample server. It is referred to in the LDAP configuration file. See “Sample CLI initialization file” on page 34 for a copy of this file.

3. Create a new database. Use SQL Processor Using File Input (SPUFI) scripts to run with DB2 Interactive (DB2I) on OS/390 to perform SQL commands. To create a new database and associated tablespaces, run the SPUFI file located in “Sample DB2 database and tablespace script for SPUFI” on page 24. To create the indexes for the new database, run the SPUFI script located in “Sample DB2 index script for SPUFI” on page 30. Note that to execute a SPUFI script, you must invoke DB2I and select SPUFI from the Primary Option Menu.


Create an LDAP configuration file for a TDBM backend

A sample configuration file can be found in “Sample LDAP configuration” on page 23. The following entries are required for a TDBM:

database TDBM GLDBTDBM
    Specifies the database type and library name. This entry marks the beginning of the TDBM section for the configuration file.

databasename dbname
    Specifies the name of the DB2 database used for the backend. It is specified in the CREATE DATABASE option of the SPUFI used to create the database and tablespaces. See Step 3 on page 19.

dsnaoini dataset
    Specifies the DB2 initialization file. See Step 2 on page 19 for details about creating this file. The value of this option is of the form USERID.FILENAME.

dbuserid userid
    Specifies the OS/390 user that owns the DB2 tables. The userid is the same as the administrator who ran the SPUFI scripts (per Step 2 on page 19).

servername string
    Specifies the name of the DB2 server location that manages the tables for the LDAP server. The string is the value specified in the DATA SOURCE stanza of the CLI initialization file.

attrOverflowSize num-of-bytes
    Specifies the size at which the entries of attributes are loaded in separate DB2 tables. Choose a value such that large binary data is stored in the separate table space.

suffix dn_suffix
    Specifies the root of a subtree in the namespace managed by this server within this backend. Include both the organization suffix DN for your user registry and secAuthority=Default, which specifies the DN for the Access Manager security registry.

The following additional entries are required to make use of native authentication. For detailed explanations about these entries, see the OS/390 LDAP Server Administration and Usage publication.

UseNativeAuth [SELECTED | ALL | OFF]
    The SELECTED option specifies that user entries with a value for the ibm-nativeId attribute are authenticated against SAF. Choosing SELECTED provides the most flexibility and minimizes additional administrative duties. The ALL option specifies that the SAF authentication is made against the user name found in an entry’s UID attribute (if no ibm-nativeId attribute is specified).

NativeAuthSubTree dn_suffix
    Specifies the root of a subtree or trees in the namespace for which native authentication applies.

nativeAuthUpdateAllowed YES
    Enables Access Manager users to update their SAF passwords through the pkmspasswd utility.


Start the server

Provide the location of the configuration file created in “Configuring Access Manager for LDAP” on page 22. The LDAP server searches for and loads a number of dynamic load libraries (DLLs) during its startup processing. The DLLs are located in a PDS file system. When starting slapd from the z/OS shell, the correct PDS must be referenced in the STEPLIB environment variable as follows:

export STEPLIB=GLD.SGLDLNK
export PATH=$PATH:/usr/lpp/ldap/sbin
GLDSLAPD -f slapd.conf

Update and load schema files

Copy the following schema files to your working directory:
- schema.user.ldif
- upgrade3.7_ibm_schema390.def

The schema files contain the objects and attributes used to organize data for the Access Manager services, as well as the SAF native authentication objectclass.

Note: The following required schema files are automatically added in the /usr/lpp/etc/ldap directory.
- schema.IBM.ldif
- PolicyDirector.ldif

Modify each schema file to match the organization DN suffix in the LDAP configuration file. There is a single line describing the DN of the schema to be updated.

Edit each file and change the following:

dn: cn=schema, suffix

to (for example):

dn: cn=schema,o=ibm,c=us

Load the files using the ldapmodify command as follows:

ldapmodify -h hostname -p port -D bind_DN -w bind_pwd -f schema_file

Attention: The fix for APAR OW46344 adds the Access Manager required schema for a TDBM database to the schema.IBM.ldif file in the /usr/lpp/etc/ldap directory.

The fix also adds the file PolicyDirector.ldif to the /usr/lpp/etc/ldap directory. This file contains only the Access Manager required schema for a TDBM database and cannot be used on a pre-existing LDAP directory.

To load the PolicyDirector.ldif file, modify the suffix value at the top of the file to a valid suffix, and run the ldapmodify command using the ldif file as input.

    The changes provided in the fix for APAR OW46344 are included in z/OS 1.3.

Enabling LDAP replication

This section describes how to enable LDAP replication. LDAP servers behave in the master-slave model for replication tasks. The master server forwards directory updates to the slave. The slave, or replica server, can share the load for read requests and act as a backup server.


By default, an LDAP server is configured to run as a master server. Providing the master with an object detailing the location of one or more replica servers enables replication.

Add a stanza to the replica LDAP server’s configuration file

To add a stanza to the replica LDAP server’s configuration file, see the stanza example in “Sample LDAP configuration” on page 23. Required entries for a replica LDAP server are as follows:

masterServer ldapURL
    Specifies the LDAP URL in the form ldap://servername:port. This option refers to the FQDN and port of the master server.

masterServerDN DN
    Specifies the DN that you provide as the replicaBindDN in “Add an object to the master LDAP server’s backend”.

masterServerPW string
    Specifies the password that you provide as the replicaCredentials in “Add an object to the master LDAP server’s backend”.

Add an object to the master LDAP server’s backend

An example of an ldif file representing such an object is as follows:

dn: cn=replicas
objectclass: replicaObject
cn: replicas
replicaHost: hostname
replicaPort: port
replicaBindDn: any_unique_DN_to_bind_with
replicaCredentials: password_to_bind_with
description: "Description Here"

This object can be loaded with an ldapmodify command as follows:

ldapmodify -h hostname -p port -D bind_DN -w bind_pwd -f ldif_file

Configuring Access Manager for LDAP

The procedure to configure Access Manager servers for LDAP on OS/390 is the same as for the directory on any other platform.

To use native authentication, you must turn off auth-using-compare. To do so, edit the [ldap] stanza of the ivmgrd.conf file and change the line as follows:

auth-using-compare = no

By default, authentications to LDAP are made with a compare operation, rather than a bind.

Access Manager supports LDAP failover and load-balancing for read operations. Access Manager read operations include authentication requests and queries for GSO data. If you configured a replica server (see “Enabling LDAP replication” on page 21), you may provide the replica hostname to Access Manager in the ldap.conf file.

Native authentication user administration

The majority of administrative tasks remain unchanged with the addition of native authentication. Operations such as user create, user show, adding a user to an ACL entry or group, and all user modify commands (except password) work the same as Access Manager configured against a standard LDAP registry. Users can change their own SAF passwords with the pkmspasswd utility.


Native authentication provides the added feature of many-to-one mapping of Access Manager users to SAF user IDs. Multiple users may have the same ibm-nativeId, and all bind with the same password. For this reason, it may be prudent to prevent many-to-one mapped users from changing the SAF password (lest users inadvertently lock their peers out of their accounts).

pdadmin> group modify SAFusers add user1
pdadmin> acl create deny_pkms
pdadmin> acl modify deny_pkms set group user1 T
pdadmin> acl attach /Webseal//pkmspasswd deny_pkms

OS/390 LDAP native authentication bind does not provide the authority to perform a password reset. For example, with native authentication enabled, the following Access Manager administration command does not work:

pdadmin> user modify user1 password ChangeMe1

Furthermore, there is no out-of-the-box administration command to set the ibm-nativeId entry for a user. To that end, the following instructions assist the management of Access Manager users with an associated nativeId.

The user create command does not change:

pdadmin> user create user1 cn=user1,o=ibm,c=us user1 user1 ChangeMe1
pdadmin> user modify user1 account-valid yes

The password (ChangeMe1, in this example) is set to the user’s userpassword entry in LDAP, which has no effect with native authentication enabled. In production, it might be a good idea to make this password something long and difficult to guess, in case native authentication is ever inadvertently disabled.

To set the ibm-nativeId entry for a user, create an ldif file similar to the following (the entry already exists as an inetOrgPerson from the user create command, so the file adds the native authentication objectclass and the SAF user ID to it):

# user1 was created as an inetOrgPerson by pdadmin user create
dn: cn=user1,o=ibm,c=us
changetype: modify
add: objectclass
objectclass: ibm-nativeAuthentication
-
add: ibm-nativeId
ibm-nativeId: SAF_username

You can load the ldif file using the ldapmodify command as follows:

ldapmodify -h hostname -p port -D bind_DN -w bind_pwd -f ldif_file

The SAF command to reset a user’s password is as follows:

subsystem_prefix ALTUSER userid PASSWORD password
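The many-to-one mapping described above can be audited from an LDIF export of the user subtree. The following Python script is an added example, not part of this guide or the product: it reads a constructed LDIF export, lists the users that share one SAF user ID (the candidates for the deny_pkms ACL shown earlier), lists users that still lack an ibm-nativeId, and builds the ldapmodify input that attaches a SAF user ID to an existing user. Treating SAF user IDs as case-insensitive when grouping is an assumption of the example.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed LDIF export of a few Access Manager user entries (not real data).
# user1 and user2 share one SAF user ID, user3 has her own, user4 has none yet.
USER_LDIF = """\
dn: cn=user1,o=ibm,c=us
objectclass: inetOrgPerson
objectclass: ibm-nativeAuthentication
uid: user1
ibm-nativeId: SHARED01

dn: cn=user2,o=ibm,c=us
objectclass: inetOrgPerson
objectclass: ibm-nativeAuthentication
uid: user2
ibm-nativeId: shared01

dn: cn=user3,o=ibm,c=us
objectclass: inetOrgPerson
objectclass: ibm-nativeAuthentication
uid: user3
ibm-nativeId: ALICE

dn: cn=user4,o=ibm,c=us
objectclass: inetOrgPerson
uid: user4
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: entries of 'attr: value' lines separated by blank lines
    (no base64 values, no line folding; attribute names matched case-insensitively)."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, value = line.split(":", 1)
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def native_id_map(entries: List[Entry]) -> Dict[str, List[str]]:
    """SAF user ID -> DNs of the Access Manager users mapped to it.
    Assumption: SAF user IDs compare case-insensitively, so they are upper-cased."""
    mapping: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        for native_id in e.get("ibm-nativeid", []):
            mapping[native_id.upper()].append(e["dn"][0])
    return dict(mapping)


def many_to_one_users(entries: List[Entry]) -> List[str]:
    """DNs that share a SAF ID with another user: candidates for the deny_pkms ACL."""
    return sorted(dn for dns in native_id_map(entries).values() if len(dns) > 1 for dn in dns)


def unmapped_users(entries: List[Entry]) -> List[str]:
    """Users without ibm-nativeId: not authenticated against SAF under useNativeAuth SELECTED."""
    return [e["dn"][0] for e in entries if "ibm-nativeid" not in e]


def set_native_id_ldif(dn: str, saf_user: str) -> str:
    """ldapmodify input that adds the native-auth objectclass and SAF ID to an existing user."""
    return (f"dn: {dn}\nchangetype: modify\n"
            "add: objectclass\nobjectclass: ibm-nativeAuthentication\n-\n"
            f"add: ibm-nativeId\nibm-nativeId: {saf_user}\n")
```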

Sample LDAP configuration

########################################################################
## The values provided in this configuration file may reflect the
## generic values given in the example DB2 setup files. Make sure you
## use values appropriate for a production installation.
########################################################################

########################################################################
## Global definitions
########################################################################
port 3389
adminDN "cn=root"
adminPW password1
########################################################################
## tdbm database definitions
########################################################################
database tdbm GLDBTDBM
servername LOC1
dbuserid LDAPSRV
databaseName LDAPR10
dsnaoini SUADMIN.DSNAOINI.DB2INI
suffix "o=ibm,c=us"
suffix "secAuthority=Default"
AttrOverflowSize 80
########################################################################
## Native (SAF) Authentication for TDBM
########################################################################
useNativeAuth SELECTED
nativeAuthSubtree "o=ibm,c=us"
nativeUpdateAllowed YES
########################################################################
## SSL definitions
########################################################################
securePort 6636
security SSL
sslKeyRingFile "/usr/lpp/ldap/etc/ldapserver.kdb"
sslKeyRingFilePW password1
sslCipherSpecs 15104
########################################################################
## Replica definitions
########################################################################
masterServer "ldap://jeff.endicott.ibm.com:3389"
masterServerDN cn=master
masterServerPW password1
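The required TDBM, native authentication and replica entries described in this chapter can be checked mechanically before the server is started. The following Python script is an added example, not part of this guide or the product: it parses a configuration in the format of the sample above (a constructed copy of it is embedded as input) and reports the required entries that are missing, a nativeAuthSubtree outside the served suffixes, an invalid useNativeAuth mode, and any password entry still set to the sample's placeholder value.

```python
import shlex
from typing import Dict, List

# Constructed sample modelled on the guide's "Sample LDAP configuration"
# (its '#' comment banners omitted; the parser skips them anyway).
SAMPLE_CONF = """
adminDN "cn=root"
adminPW password1
database tdbm GLDBTDBM
servername LOC1
dbuserid LDAPSRV
databaseName LDAPR10
dsnaoini SUADMIN.DSNAOINI.DB2INI
suffix "o=ibm,c=us"
suffix "secAuthority=Default"
useNativeAuth SELECTED
nativeAuthSubtree "o=ibm,c=us"
masterServer "ldap://jeff.endicott.ibm.com:3389"
masterServerDN cn=master
masterServerPW password1
"""
SAMPLE_SECRET = "password1"   # placeholder value used throughout the sample
REQUIRED_TDBM = ("databasename", "dsnaoini", "dbuserid", "servername")
PASSWORD_KEYS = ("adminpw", "masterserverpw", "sslkeyringfilepw")

def parse_conf(text: str) -> Dict[str, List[List[str]]]:
    """'keyword value ...' lines: case-insensitive keyword, '#' comments,
    double-quoted values, repeated keywords (suffix) all kept in order."""
    entries: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            tokens = shlex.split(line)
            entries.setdefault(tokens[0].lower(), []).append(tokens[1:])
    return entries

def norm_dn(dn: str) -> str:
    """Lower-case a DN and drop whitespace around its commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def dn_under(child: str, parent: str) -> bool:
    c, p = norm_dn(child), norm_dn(parent)
    return c == p or c.endswith("," + p)

def check_conf(text: str) -> List[str]:
    """Findings for a TDBM / native-auth / replica configuration; [] means clean."""
    conf = parse_conf(text)
    findings: List[str] = []

    def value(key: str) -> str:   # first value of the first occurrence, or ""
        vals = conf.get(key, [[]])[0]
        return vals[0] if vals else ""

    # TDBM section: database type plus the entries the guide lists as required.
    if value("database").lower() != "tdbm":
        findings.append("no 'database tdbm' stanza")
    findings += [f"required TDBM entry '{k}' missing" for k in REQUIRED_TDBM if k not in conf]

    # Both the organization suffix and secAuthority=Default must be served.
    suffixes = [norm_dn(v[0]) for v in conf.get("suffix", []) if v]
    if "secauthority=default" not in suffixes:
        findings.append("suffix secAuthority=Default (Access Manager registry) missing")

    # Native (SAF) authentication: a valid mode and a subtree inside a served suffix.
    mode = value("usenativeauth").upper()
    if mode not in ("SELECTED", "ALL", "OFF"):
        findings.append(f"useNativeAuth must be SELECTED, ALL or OFF, got '{mode}'")
    elif mode != "OFF":
        subtree = value("nativeauthsubtree")
        if not subtree or not any(dn_under(subtree, s) for s in suffixes):
            findings.append("nativeAuthSubtree is not under a configured suffix")

    # Replica: masterServer needs the DN/password pair matching the master's replica object.
    if "masterserver" in conf and not ("masterserverdn" in conf and "masterserverpw" in conf):
        findings.append("masterServer set without masterServerDN and masterServerPW")

    # Sample placeholder passwords must not reach production.
    findings += [f"{k} still set to the sample password" for k in PASSWORD_KEYS if value(k) == SAMPLE_SECRET]
    return findings
```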

    Sample DB2 database and tablespace script for SPUFI

--*********************************************************************/
--* This file contains sample code. IBM PROVIDES THIS CODE ON AN      */
--* 'AS IS' BASIS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS        */
--* OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES  */
--* OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.           */
--*********************************************************************/

-- Use the following statements to create your LDAP Server DB2 database
-- and tablespaces in SPUFI. The database and tablespace names you
-- create will be used to update the database section of the LDAP
-- Server configuration file. You also need to make DB2 decisions,
-- in terms of buffer pool size selection for tablespaces and column
-- size selection, all of which will be directly related to the data that
-- will be stored in the database. See the instructions below for
-- more information.
--
-- *************************
-- Database Name Information
-- *************************
-- Change LDAPR10 to the name of the LDAP database name you want to create.
-- Be sure this name is updated to match what is defined for databasename in
-- the server configuration file.
--
-- **************************
-- DataBase Owner Information
-- **************************
-- Change the LDAPSRV to the MVS database owner id. This ID will be the
-- highlevel qualifier for the tables
--
-- **********************
-- Tablespace Information
-- **********************
--
-- *********************************************************************
-- NOTE: Refer to the DB2 manuals for a complete listing of valid buffer
-- pool names.
-- *********************************************************************


--
-- Change the ENTRYTS to the LDAP entry tablespace name you want to create.
--
-- Change the BP0 to the buffer pool name for the LDAP entry tablespace.
-- The size of the buffer pool can be determined with the formula:
--
-- result = 62 bytes + +
-- +
--
--
-- There is also a concept of a "spill over" table, where if the entry
-- data does not fit into the row size, it will be broken up in order
-- to fit into a row. Entry data may be spread across multiple rows
-- if needed. So in the above formula, the
-- does not need to be the maximum size of the data, maybe the median
-- size of the data would be a better choice. See the long entry
-- tablespace description below.
--
-- The default suggested size is 4K.
--
-- Change the LENTRYTS to the LDAP long entry tablespace name you want to
-- create.
--
-- Change the BP0 to the buffer pool name for the LDAP long entry
-- tablespace. The long entry table space will hold "spill over" rows
-- for entry data that does not fit into the entry table tablespace.
-- To minimize the number of spill over rows, choose a large buffer
-- pool size.
--
-- The default suggested size is 4K.
--
-- Change the LATTRTS to the LDAP long attribute tablespace name you want to
-- create.
--
-- Change the BP0 to the buffer pool name for the LDAP long attribute
-- tablespace. The long attribute table space will hold "spill over" rows
-- for attribute data that does not fit into the entry table tablespace.
-- To minimize the number of spill over rows, choose a large buffer
-- pool size.
--
-- The default suggested size is 4K.
--
-- Change the MISCTS to the LDAP miscellaneous tablespace name you want to
-- create.
--
-- Change the DESCTS to the LDAP descendants tablespace name you want to
-- create.
--
-- Change the SEARCHTS to the LDAP search tablespace name you want to create.
--
-- Change the BP0 to the buffer pool name for the LDAP search tablespace.
-- The size of the buffer pool can be determined with the simple formula:
--
-- result = 16 bytes + +
--
--
-- The result value is the maximum number of bytes a row in the search
-- table containing an attribute value will occupy. Choose a buffer pool
-- size which will accommodate this size.
--
-- The default suggested size is 4K.
--
-- Change the REPTS to the LDAP replica tablespace name you want to create.
--
-- *********************************
-- Column Size Selection Information
-- *********************************


-- All searchable attributes of a given entry will be stored in two forms.
-- The first will be a truncated version, which will be used as part of
-- a DB2 index. The second version will be the entire attribute value,
-- potentially truncated by the buffer pool size you choose. The reason
-- two versions are stored is so that LDAP/DB2 can use indexes to increase
-- search performance. The reason we do not index the entire searchable
-- attribute value is because of the cost (in terms of DASD) associated with
-- having indexes on a large column where there is a large amount of data.
--
-- The choice of the search column trunc size should take into account system
-- limits you may have (as described in the above), and should account
-- for the typical size of the attribute values that are stored in
-- LDAP. For example, if most of your data is only 20 bytes long,
-- choosing 20 for this trunc size would be wise.
--
-- Change 32 to the search column trunc size you determine best fits your
-- attribute data.
--
-- The default suggested size is 32.
--
-- Another search performance enhancement is related to the DN attribute.
-- The DN attribute value is stored separately from the entry data to allow
-- a fast path lookup. It is also stored in two versions as well. The
-- reasons are similar to those mentioned above for the attribute column.
-- Since the DN data is stored in its own column, you need to define the
-- maximum DN attribute value size here. You also need to choose a dn
-- column trunc size that best fits your data.
--
-- Change 32 to the dn trunc size you determine best fits your dn data.
--
-- The default suggested size is 32.
--
-- Change 512 to the maximum size of a DN. This value includes the null
-- terminator, so the actual maximum length of a DN will be one less than
-- this value.
--
-- The default suggested size is 512.
--
--
-- *************************
-- Storage Group Information
-- *************************
-- Change the SYSDEFLT to the storage group you want to contain the
-- LDAP DB2 tablespaces. Use SYSDEFLT to choose the default storage group.
-- NOTE: The values provided below for PRIQTY and SECQTY probably need to be
-- modified depending on the projected size of the Directory information to
-- be stored.
--

-- ***************************************************************************
-- Use the following statements if you need to delete your LDAP Server DB2
-- database and tablespaces in SPUFI. You need to remove the '--'
-- from each line before you can run these statements.
-- Change the ENTRYTS to the LDAP entry tablespace name you want to delete.
-- Change the LENTRYTS to the LDAP long entry tablespace name you want to
-- delete.
-- Change the LATTRTS to the LDAP long attr tablespace name you want to
-- delete.
-- Change the MISCTS to the LDAP miscellaneous tablespace name you want to
-- delete.
-- Change the SEARCHTS to the LDAP search tablespace name you want to delete.
-- Change the REPTS to the LDAP replica tablespace name you want to delete.
-- Change the DESCTS to the LDAP descendants tablespace name you want to
-- delete.
-- Change the LDAPR10 to the LDAP database name you want to delete.
-- ***************************************************************************


--DROP TABLESPACE LDAPR10.ENTRYTS;
--DROP TABLESPACE LDAPR10.LENTRYTS;
--DROP TABLESPACE LDAPR10.LATTRTS;
--DROP TABLESPACE LDAPR10.MISCTS;
--DROP TABLESPACE LDAPR10.SEARCHTS;
--DROP TABLESPACE LDAPR10.REPTS;
--DROP TABLESPACE LDAPR10.DESCTS;
--DROP DATABASE LDAPR10;
--COMMIT;

-- ************************
-- Create the LDAP database
-- ************************
CREATE DATABASE LDAPR10 STOGROUP SYSDEFLT;

-- ********************************
-- Create the LDAP entry tablespace
-- ********************************
CREATE TABLESPACE ENTRYTS IN LDAPR10
    USING STOGROUP SYSDEFLT
    BUFFERPOOL BP0;

-- *************************************
-- Create the LDAP long entry tablespace
-- *************************************
CREATE TABLESPACE LENTRYTS IN LDAPR10
    USING STOGROUP SYSDEFLT
    BUFFERPOOL BP0;

-- ************************************
-- Create the LDAP long attr tablespace
-- ************************************
CREATE TABLESPACE LATTRTS IN LDAPR10
    USING STOGROUP SYSDEFLT
    BUFFERPOOL BP0;

-- *****************************
-- Create the LDAP 4K tablespace
-- *****************************
CREATE TABLESPACE MISCTS IN LDAPR10
    SEGSIZE 4
    USING STOGROUP SYSDEFLT
    BUFFERPOOL BP0;

-- *********************************
-- Create the LDAP search tablespace
-- *********************************
CREATE TABLESPACE SEARCHTS IN LDAPR10
    USING STOGROUP SYSDEFLT
    BUFFERPOOL BP0;

-- **********************************
-- Create the LDAP replica tablespace
-- **********************************
CREATE TABLESPACE REPTS IN LDAPR10
    USING STOGROUP SYSDEFLT
    BUFFERPOOL BP0;

-- **************************************
-- Create the LDAP descendants tablespace
-- **************************************
CREATE TABLESPACE DESCTS IN LDAPR10
    USING STOGROUP SYSDEFLT
    BUFFERPOOL BP0;

-- *********************
-- Create the DB2 tables
-- *********************

-- **************************
-- Create the DIR_ENTRY table
-- **************************
CREATE TABLE LDAPSRV.DIR_ENTRY (
    EID DECIMAL(15 , 0) NOT NULL,
    PEID DECIMAL(15 , 0),
    ENTRY_SIZE INTEGER,
    LEVEL INTEGER,
    ACLSRC DECIMAL(15 , 0),
    ACLPROP CHAR(1),
    OWNSRC DECIMAL(15 , 0),
    OWNPROP CHAR(1),
    CREATE_TIMESTAMP TIMESTAMP,
    MODIFY_TIMESTAMP TIMESTAMP,
    DN_TRUNC CHAR(32) FOR BIT DATA,
    DN VARCHAR(512) FOR BIT DATA,
    ENTRYDATA LONG VARCHAR FOR BIT DATA,
    PRIMARY KEY( EID ) )
    IN LDAPR10.ENTRYTS;

-- ******************************
-- Create the DIR_LONGENTRY table
-- ******************************
CREATE TABLE LDAPSRV.DIR_LONGENTRY (
    EID DECIMAL(15 , 0) NOT NULL,
    SEQ INTEGER NOT NULL,
    ENTRYDATA LONG VARCHAR FOR BIT DATA,
    PRIMARY KEY( EID, SEQ ) )
    IN LDAPR10.LENTRYTS;

-- *****************************
-- Create the DIR_LONGATTR table
-- *****************************
CREATE TABLE LDAPSRV.DIR_LONGATTR (
    EID DECIMAL(15 , 0) NOT NULL,
    ATTR_ID INTEGER NOT NULL,
    VALUENUM INTEGER NOT NULL,
    SEQ INTEGER NOT NULL,
    ATTRDATA LONG VARCHAR FOR BIT DATA,
    PRIMARY KEY( EID, ATTR_ID, VALUENUM, SEQ ) )
    IN LDAPR10.LATTRTS;

-- *************************
-- Create the DIR_MISC table
-- *************************
CREATE TABLE LDAPSRV.DIR_MISC (
    NEXT_EID DECIMAL(15 , 0),
    NEXT_ATTR_ID INTEGER,
    DB_VERSION CHAR(10),
    DB_CREATE_VERSION CHAR(10) )
    IN LDAPR10.MISCTS;

-- **************************
-- Create the DIR_CACHE table
-- **************************
CREATE TABLE LDAPSRV.DIR_CACHE (
    CACHE_NAME CHAR(25) NOT NULL,
    MODIFY_TIMESTAMP TIMESTAMP NOT NULL,
    PRIMARY KEY( CACHE_NAME, MODIFY_TIMESTAMP ) )
    IN LDAPR10.MISCTS;

-- ***************************
-- Create the DIR_ATTRID table
-- ***************************
CREATE TABLE LDAPSRV.DIR_ATTRID (
    ATTR_ID INTEGER,
    ATTR_NOID VARCHAR(200) NOT NULL,
    PRIMARY KEY( ATTR_NOID ) )
    IN LDAPR10.MISCTS;

-- *************************
-- Create the DIR_DESC table
-- *************************
CREATE TABLE LDAPSRV.DIR_DESC (
    DEID DECIMAL(15 , 0) NOT NULL,
    AEID DECIMAL(15 , 0) NOT NULL,
    PRIMARY KEY( DEID, AEID ) )
    IN LDAPR10.DESCTS;

-- ***************************
-- Create the DIR_SEARCH table
-- ***************