IBM Tivoli Privacy Manager for e-business: Installation...

IBM Tivoli Privacy Manager for e-business Installation Guide Version 1.2 SC32-1123-00


Page 1: IBM Tivoli Privacy Manager for e-business: Installation Guidepublib.boulder.ibm.com/tividd/td/ITPME/SC32-1123-00/en... · 2003. 10. 3. · Accessibility Accessibility features help

IBM Tivoli Privacy Manager for e-business

Installation Guide Version 1.2

SC32-1123-00



Note: Before using this information and the product it supports, read the information in Appendix E, “Notices”, on page 67.

First Edition (September 2003)

This edition applies to version 1.2 of Tivoli Privacy Manager (product number 5724–C07) and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright International Business Machines Corporation 2002, 2003. All rights reserved. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.


Contents

Tables
Preface
  Who should read this book
  Publications
    Tivoli Privacy Manager publications
    Related publications
    Accessing publications online
  Accessibility
  Contacting software support
  Conventions used in this book
    Typeface conventions
Chapter 1. Setting up the environment
  Product package contents
  Tivoli Privacy Manager installation CD
  Hardware requirements
    Operational hard disk space
  Operating system and Web browser requirements
  Software requirements
    Tivoli Privacy Manager server
    LDAP monitor
    Software developer kit (SDK)
  Network considerations
  Installing the prerequisites
Chapter 2. Installing the Tivoli Privacy Manager components
  Installation overview
    Tivoli Privacy Manager server installation overview
    Tivoli Privacy Manager LDAP monitor installation overview
    Tivoli Privacy Manager SDK installation overview
  Installation procedure
  Results of the installation
  Troubleshooting installation problems
Chapter 3. Setting up the Tivoli Privacy Manager server
  Creating the Tivoli Privacy Manager DB2 database
    Using the DB2 database creation program
    Manually creating the database and tables
  Setting up the WebSphere Application Server
    Setup procedures using WebSphere Application Server 4.x
    Setup procedures using WebSphere Application Server 5.x
  Deploying Tivoli Privacy Manager into the WebSphere Application Server environment
    Deployment instructions for WebSphere Application Server 4.x
    Deployment instructions for WebSphere Application Server 5.x
  Compiling the Java server pages
    Compiling the JSP in WebSphere Application Server 4.x
    Compiling the JSP in WebSphere Application Server 5.x
  Starting the Tivoli Privacy Manager enterprise application
  Configuring Tivoli Access Manager
    Configuring the Java Runtime Environment
    Configuring the Tivoli Access Manager environment
  Enabling language support
    Language support in a clustered environment
Chapter 4. Setting up the LDAP monitor
  LDAP storage system data
    Creating the directory information tree index
    Filtering
    Master key
  Configuring the LDAP Monitor
    Configuring the communication protocol
    Configuring WebSphere security
    Updating the LDAP monitor properties
  Starting the LDAP monitor
    LDAP monitor registration process
    Stopping the LDAP monitor
  Deploying the LDAP monitor
    Monitor administration
    Classifying storage locations
Chapter 5. Uninstalling IBM Tivoli Privacy Manager for e-business
  Removing the enterprise application from the WebSphere Application Server
    Uninstall procedures using WebSphere Application Server 4.x
    Uninstall procedures using WebSphere Application Server 5.x
  Removing the product code
    Removing from Windows
    Removing from AIX, Linux, and Sun Solaris
  Deleting product directories
  Removing the language pack
    Removing from Windows
    Removing from AIX and Sun Solaris
  Troubleshooting problems when uninstalling
Appendix A. Installation checklist
Appendix B. File inventory
  Base
  Tivoli Privacy Manager server
  LDAP monitor
  SDK
  Privacy Tools
Appendix C. Console mode installation procedures
  Starting the console mode installation
Appendix D. Accessibility keyboard shortcuts
Appendix E. Notices
  Trademarks
Glossary
Index


Tables

1. Part numbers for Tivoli Privacy Manager CDs
2. Part numbers for Tivoli Access Manager CDs
3. Part numbers for WebSphere Application Server CDs
4. Part numbers for DB2 CDs
5. Part numbers for IBM Directory Server CDs
6. Hardware requirements — minimum
7. Hardware requirements — recommended
8. Server software requirements
9. Client Web browser requirements
10. Tivoli Privacy Manager server environment requirements
11. LDAP Monitor environment requirements
12. SDK environment requirements
13. Installation program
14. Default installation directory
15. Installation storage size
16. Database creation program
17. Database configuration parameters
18. Starting the WebSphere Application Server and Administrative Console
19. Stopping the WebSphere Application Server and Administrative Console
20. Suggested connection pool properties values
21. Starting the WebSphere Application Server
22. Stopping the WebSphere Application Server
23. Suggested connection pool properties values
24. Properties for IIOP protocol
25. Properties for Web services protocol
26. WebSphere Application Server security options
27. Required LDAP monitor properties
28. Optional LDAP monitor properties
29. Starting the LDAP monitor using the IIOP protocol
30. Starting the LDAP monitor using Web services protocol
31. Default installation directory
32. Installation storage size
33. Graphical installation shortcuts


Preface

The IBM® Tivoli® Privacy Manager product is a tool for administering and monitoring privacy policies that protect personally identifiable information (PII). IBM Tivoli Privacy Manager for e-business (Tivoli Privacy Manager in subsequent mention) runs on the Solaris, Windows®, AIX, and Linux operating systems.

The IBM Tivoli Privacy Manager Installation Guide provides procedures for installing and configuring the IBM Tivoli Privacy Manager server, and procedures necessary for deploying the product as a WebSphere Application Server enterprise application. Additionally, this guide describes how to uninstall Tivoli Privacy Manager.

Who should read this book

This document is written for systems administrators, integrators, and installers.

Users need a working knowledge of the following products:
• IBM WebSphere® Application Server
• IBM DB2 Universal Database™
• IBM Tivoli Access Manager for e-business

Publications

Read the descriptions of the Tivoli Privacy Manager library, the prerequisite publications, and the related publications to determine which publications you might find helpful. After you determine the publications you need, refer to the instructions for accessing publications online and ordering publications.

Tivoli Privacy Manager publications

The publications in the Tivoli Privacy Manager library are:
• IBM Tivoli Privacy Manager Release Notes, GI11–4200
  Provides information on obtaining required fixes and APARs, and describes updates, corrections, amendments, and workarounds for tasks and topics described in the Tivoli Privacy Manager library.
• IBM Tivoli Privacy Manager Prerequisite Installation Guide, SC32–1375
  Provides information on planning for the installation and configuration of Tivoli Privacy Manager prerequisite software necessary to install Tivoli Privacy Manager.
• IBM Tivoli Privacy Manager Planning Guide, SC32–1284
  Provides information on planning for the installation, operation, and administration of Tivoli Privacy Manager.
• IBM Tivoli Privacy Manager Installation Guide, SC32–1123
  Provides information on installing and configuring Tivoli Privacy Manager.
• IBM Tivoli Privacy Manager User’s Guide, SC32–1285
  Provides information on creating and deploying privacy policies and on operating Tivoli Privacy Manager.
• IBM Tivoli Privacy Manager Monitor Developer’s Guide, SC32–1286
  Provides information about the application programming interface (API) system programmers can use to create a monitor.
• IBM Tivoli Privacy Manager Problem Determination Guide, SC32–1287
  Provides information on diagnosing and solving problems with Tivoli Privacy Manager. Product messages are also included.
• Online user assistance for Tivoli Privacy Manager console
  Provides integrated online help topics for all Tivoli Privacy Manager administrative tasks.

Related publications

Information related to Tivoli Privacy Manager is available in the following publications:
• IBM Tivoli Access Manager for e-business
  The documents required to support IBM Tivoli Access Manager for e-business are available at:
  http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
• IBM Universal DB2® Enterprise Edition
  The documents required to support DB2 are available at:
  http://www.ibm.com/software/data/db2/library
• IBM WebSphere Application Server
  Access publications for this product at:
  http://www.ibm.com/software/webservers/appserv/library.html
• IBM HTTP Server
  Access publications for this product at:
  http://www.ibm.com/software/webservers/httpservers/library.html
• The Tivoli Software Library provides links to a variety of Tivoli publications such as white papers, datasheets, demonstrations, redbooks, and announcement letters. The Tivoli Software Library is available on the Web at:
  http://www.ibm.com/software/tivoli/library/
• The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available, in English only, at the following Web site:
  http://publib.boulder.ibm.com/tividd/glossary/termsmst04.htm

Accessing publications online

The publications for this library are available online in Portable Document Format (PDF) or Hypertext Markup Language (HTML) format, or both, at the Tivoli Information Center: http://publib.boulder.ibm.com/tividd/td/tdprodlist.html

Information is organized by product and includes release notes, installation guides, user’s guides, administrator’s guides, and developer’s references.

Note: To ensure proper printing of PDF publications, select the Fit to page check box in the Adobe Acrobat Print window (which is available when you click File → Print).


Accessibility

Accessibility features help a user who has a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You also can use the keyboard instead of the mouse to operate all features of the graphical user interface.

The product documentation includes features to aid accessibility:
• Documentation is available in both HTML and convertible PDF formats to give the maximum opportunity for users to apply screen-reader software.
• All images in the documentation are provided with alternative text so that users with vision impairments can understand the contents of the images.

Refer to Appendix D, “Accessibility keyboard shortcuts”, on page 65 for additional information about the accessibility features available during installation.

Contacting software support

Before contacting IBM Tivoli Software support with a problem, refer to the IBM Tivoli Software support Web site at:
http://www.ibm.com/software/sysmgmt/products/support/

If you need additional help, contact software support by using the methods described in the IBM Software Support Guide at the following Web site:
http://techsupport.services.ibm.com/guides/handbook.html

The guide provides the following information:
• Registration and eligibility requirements for receiving support
• Telephone numbers, depending on the country in which you are located
• A list of information you should gather before contacting customer support

Conventions used in this book

This reference uses several conventions for special terms and actions and for operating system-dependent commands and paths.

Typeface conventions

The following typeface conventions are used in this reference:

Bold
  Lowercase commands or mixed case commands that are difficult to distinguish from surrounding text, keywords, parameters, options, names of Java classes, and objects are in bold.

Italic
  Variables, titles of publications, and special words or phrases that are emphasized are in italic.

Monospace
  Code examples, command lines, screen output, file and directory names that are difficult to distinguish from surrounding text, system messages, text that the user must type, and values for arguments or command options are in monospace.


Chapter 1. Setting up the environment

Before installing IBM Tivoli Privacy Manager for e-business, you must perform certain pre-installation tasks. During the installation process, the installation program verifies that your system has the prerequisite software installed. If a prerequisite is missing or is not at the correct level, a message is displayed. The message describes the appropriate action for continuing the installation.

This chapter describes the hardware, environment, and software prerequisites for installing the Tivoli Privacy Manager product. Refer to the IBM Tivoli Privacy Manager Prerequisite Installation Guide for installing the prerequisites.

Product package contents

The IBM Tivoli Privacy Manager for e-business package contains the Tivoli Privacy Manager installation CD and a set of CDs containing the required software prerequisites. This packaging allows you easy access to prerequisite software that is not already a part of your network environment. The prerequisite CDs contain only the essential product components needed by Tivoli Privacy Manager to function correctly.

The product package contains the following CDs:

• IBM Tivoli Privacy Manager for e-business

Table 1. Part numbers for Tivoli Privacy Manager CDs

| Product | Part Number |
|---|---|
| IBM Tivoli Privacy Manager for e-business | C2563ML |

• IBM Tivoli Access Manager for e-business

Table 2. Part numbers for Tivoli Access Manager CDs

| Product | Part Number |
|---|---|
| IBM Tivoli Access Manager Base for AIX | C24EGML |
| IBM Tivoli Access Manager Base for Linux | C25HCML |
| IBM Tivoli Access Manager Base for Solaris | C23I7ML |
| IBM Tivoli Access Manager Base for Windows | C23IBML |

• WebSphere Application Server

Table 3. Part numbers for WebSphere Application Server CDs

| Product | Part Number |
|---|---|
| IBM WebSphere Application Server for AIX | C23BOML |
| IBM WebSphere Application Server for Linux | C23B2ML |
| IBM WebSphere Application Server for Linux on zSeries | C23B3ML |
| IBM WebSphere Application Server for Solaris | C23B1ML |
| IBM WebSphere Application Server for Windows | C23AZML |


• IBM DB2 Universal Database

Table 4. Part numbers for DB2 CDs

| Product | Part Number |
|---|---|
| DB2 UDB EE for AIX | C23MMML |
| DB2 UDB EE for AIX (add’l NLVs) | C23MNML |
| DB2 UDB EE for AIX (add’l NLVs) | C23MPML |
| DB2 UDB EE for Solaris | C23MQML |
| DB2 UDB EE for Solaris (add’l NLVs) | C23MRML |
| DB2 UDB EE for Solaris (add’l NLVs) | C23MSML |
| DB2 UDB EE for Linux | C23MTML |
| DB2 UDB EE for Linux on zSeries | C23MUML |
| DB2 UDB EE for Windows | C23MKML |

• IBM Directory Server

Table 5. Part numbers for IBM Directory Server CDs

| Product | Part Number |
|---|---|
| IBM WebSphere Application Server for AIX | C23J1ML |
| IBM WebSphere Application Server for Linux | C23J3ML |
| IBM WebSphere Application Server for Linux on zSeries | C23J4ML |
| IBM WebSphere Application Server for Solaris | C23J2ML |
| IBM WebSphere Application Server for Windows | C23J0ML |

Be sure to review the IBM Tivoli Privacy Manager Release Notes for fixes and updates. The Tivoli Privacy Manager product library is located at the following Web site:

http://www.ibm.com/software/tivoli/library

Tivoli Privacy Manager installation CD

The IBM Tivoli Privacy Manager for e-business installation CD contains the following components:
• Tivoli Privacy Manager server
• Tivoli Privacy Manager LDAP monitor
• Tivoli Privacy Manager software development kit
• Tivoli Privacy Manager privacy tools

The Tivoli Privacy Manager components can be installed separately or in any combination.

Tivoli Privacy Manager server
  The Tivoli Privacy Manager server provides the interfaces that allow you to define privacy policies, categorize data as personally identifiable information (PII), define users authorized to access PII, and gather and view audit reports.

LDAP monitor
  The LDAP monitor observes the data traffic to and from the LDAP directory storage system. The LDAP monitor is located between the LDAP client and LDAP server. The LDAP monitor interacts with the Tivoli Privacy Manager server to identify PII and to record PII submission and access requests for data maintained on the LDAP storage system. The Tivoli Privacy Manager LDAP monitor can be installed on the same machine as the LDAP server or another machine.

Software Developer Kit (SDK)
  Provides a toolkit for the development of storage system monitors. The toolkit provides application programming interfaces (API) used to communicate with the Tivoli Privacy Manager server. For detailed SDK information, refer to the IBM Tivoli Privacy Manager Monitor Developer’s Guide. The SDK can be installed on the same machine as the Tivoli Privacy Manager server or on a different machine.

Privacy Tools
  Provides a set of tools that allow:
  • Generation of reports using a command line interface.

This document addresses each installation option provided on the CD. After installing the components, proceed to the appropriate configuration chapter.

Hardware requirements

Table 6 lists the minimum machine requirements necessary to install Tivoli Privacy Manager.

Table 6. Hardware requirements — minimum

| Operating System | Windows or Linux on Intel | AIX® | Sun Solaris | zLinux |
|---|---|---|---|---|
| Processor | Intel x86 | RS/6000® | Sparc | zSeries |
| Processor speed | 2.2 GHz | 2–way 750 MHz | 2–way 1 GHz | G5 |
| RAM | 1 GB | 1 GB | 1 GB | 1 GB |
| CD-ROM drive | Yes | Yes | Yes | See note |
| Network connectivity | Yes | Yes | Yes | Yes |
| Install disk space | 4 GB | 4 GB | 4 GB | 4 GB |

Note: If there is no CD-ROM drive, you must FTP the files from a CD drive on another machine to perform the installation.

Table 7 lists the suggested machine requirements for installing Tivoli Privacy Manager.

Table 7. Hardware requirements — recommended

| Operating System | Windows, Linux on Intel | AIX | Sun Solaris | zLinux |
|---|---|---|---|---|
| Processor | Intel x86 | RS/6000 | UltraSparc II | G6 |
| RAM | 2 GB | 2 GB | 2 GB | 2 GB |
| CD-ROM drive | Yes | Yes | Yes | See note |
| Network connectivity | Yes | Yes | Yes | Yes |
| Install disk space | 100 MB | 100 MB | 100 MB | 100 MB |

Note: If there is no CD-ROM drive, you must FTP the files from a CD drive on another machine to perform the installation.

Operational hard disk space

The install disk space is the amount of storage needed to install Tivoli Privacy Manager and prerequisite products. Additional disk space is required for the Tivoli Privacy Manager database, and the amount depends on the amount of information to be maintained by your organization.

Use the following formulas to calculate the amount of disk space needed for the Tivoli Privacy Manager database.
• For access records: 500 bytes x number of access records
• For submission records: 500 bytes x number of submission records

The sum of the two values provides an estimate of the amount of disk space needed.

Operating system and Web browser requirements

The Tivoli Privacy Manager server must be installed on a machine with one of the operating systems listed in Table 8. To use the Tivoli Privacy Manager console, a Web browser is required. Table 9 lists the supported Web browsers.

Table 8. Server software requirements

| Operating System |
|---|
| AIX 5.1 Maintenance package 5100–02 or 5100–03 plus APAR IY36884 |
| AIX 5.2 |
| Microsoft Windows 2000 Server SP3 or later |
| Microsoft Windows 2000 Advanced Server SP3 or later |
| Red Hat Linux Advanced Server for Intel 2.1 2.4 Kernel |
| Sun Solaris 8 Patch Cluster of June 27, 2003 |
| Sun Solaris 9 Patch Cluster of June 27, 2003 |
| SuSE SLES zLinux Version 7 2.4 Kernel for zSeries |

Table 9. Client Web browser requirements

| AIX | Sun Solaris or Red Hat Linux | Windows |
|---|---|---|
| Netscape 7.0 | Netscape 7.0 | Internet Explorer 6.0, Netscape 7.0 |

Software requirements

This section contains the software requirements for the Tivoli Privacy Manager components.


Note: Refer to the IBM Tivoli Privacy Manager Release Notes located at the following Web site for fixes and updates to these requirements:

http://www.ibm.com/software/tivoli/library

Tivoli Privacy Manager server

Table 10 lists the prerequisites for the Tivoli Privacy Manager server.

Table 10. Tivoli Privacy Manager server environment requirements

| Product Name | Version |
|---|---|
| WebSphere Application Server Advanced Edition | Version 4.0.6; Version 5.0.1 |
| IBM Tivoli Access Manager for e-business Java™ Runtime Environment | Version 3.9; Version 4.1 |
| IBM DB2 Universal Database | Version 7.2 Fixpack 9; Version 8.1 Fixpack 1 plus APARs IY34909 and LI70172 |

LDAP monitor

The Tivoli Privacy Manager LDAP monitor component provides for monitoring of an LDAP storage system. In addition to the services of the Tivoli Privacy Manager server, the LDAP monitor requires the prerequisites listed in Table 11.

Note: The J2EE client is included with WebSphere Application Server.

Table 11. LDAP Monitor environment requirements

| J2EE | LDAP |
|---|---|
| WebSphere J2EE Client Version 4.0.6 | IBM Directory Server Version 4.1 Fixpack 1 |
| WebSphere Java Thin Client Version 4.0.6 | IBM Directory Server Version 5.1 |
| WebSphere Application Client Version 5.0.2 | Sun ONE Directory Server 5.1 |

Software developer kit (SDK)

The Tivoli Privacy Manager SDK requires the services of a Java development environment for code compilation. In order for a monitor to operate, it needs to communicate with the Tivoli Privacy Manager server. Refer to the IBM Tivoli Privacy Manager Monitor Developer’s Guide for additional monitor requirements.

Table 12 lists the prerequisites for the Tivoli Privacy Manager SDK component.

Table 12. SDK environment requirements

| JDK |
|---|
| Java Development Kit (JDK) 1.3 SR 9a |

Network considerations

In addition to considering the hardware and software requirements, you must also consider the location of the Tivoli Privacy Manager components in the network. Figure 1 on page 7 shows a simple Tivoli Privacy Manager environment. For details concerning network considerations, refer to the IBM Tivoli Privacy Manager Planning Guide.


The Tivoli Privacy Manager environment includes the following:
• Tivoli Access Manager Java Runtime Environment
• Tivoli Access Manager Policy Server
• DB2
• Monitor SDK
• Tivoli Privacy Manager console
• Tivoli Privacy Manager server
• Storage system
• Storage system monitor
• Web server
• WebSphere Application Server
• WebSphere Application Server J2EE client

Tivoli Access Manager Java Runtime Environment
  Provides the communication between the Tivoli Privacy Manager server and the Tivoli Access Manager server.

Tivoli Access Manager Policy server
  The Tivoli Access Manager Policy server provides authorization services by identifying data users and their group memberships to Tivoli Privacy Manager.

DB2
  Database used by Tivoli Privacy Manager server for maintaining data, such as policy definitions and audit records.

Monitor SDK
  The Monitor SDK is an application programming interface (API) made up of a set of Java classes and methods used to create storage system monitors.

  No network connectivity is required to develop and compile a monitor. To test and implement the monitor in your environment, the Tivoli Privacy Manager server is required, along with the necessary storage system that the monitor supports.

Tivoli Privacy Manager console
  Authorized users can perform their tasks from any client equipped with a supported browser. The browser provides access to the Tivoli Privacy Manager console. Any number of users can use the Tivoli Privacy Manager console at the same time.

Tivoli Privacy Manager server
  The Tivoli Privacy Manager server provides the core Tivoli Privacy Manager functions. The Tivoli Privacy Manager server must be installed on the same machine as the WebSphere Application Server.

Storage system
  The storage system is the medium for maintaining PII used by data collector applications.

Storage system monitor
  The storage system monitor is code developed using the Tivoli Privacy Manager SDK. The monitor enables communication between the Tivoli Privacy Manager server and the storage system. The LDAP monitor provided with the product allows for monitoring of PII associated with an LDAP storage system.

  The LDAP monitor component must be installed on a machine that has access to the LDAP storage system and the applications accessing and submitting data to the LDAP storage system. The LDAP client application communicates with the LDAP monitor as if it were the LDAP server. Logically, the LDAP monitor, like any other storage monitor, is a liaison between the data collector application and the storage system.

Web server
  The Web server provides hypertext transport protocol (HTTP) communication used by Web browsers and Web servers to transfer HTML and other files.

WebSphere Application Server
  WebSphere Application Server provides infrastructure under which the Tivoli Privacy Manager server enterprise application operates.

WebSphere Application client
  The WebSphere Application client allows monitors to communicate with the WebSphere Application Server. Any of the following clients can be used:
  • WebSphere J2EE Client
  • WebSphere Java Thin Client
  • WebSphere Application Client

Installing the prerequisites

Before starting the installation process, verify that the necessary prerequisites are installed and operational. For information on installing the prerequisites, refer to the IBM Tivoli Privacy Manager Prerequisite Installation Guide. The IBM Tivoli Privacy Manager Prerequisite Installation Guide provides step-by-step procedures for a first-time installation of the prerequisites.

Figure 1. Tivoli Privacy Manager network


Chapter 2. Installing the Tivoli Privacy Manager components

This chapter provides step-by-step information for installing Tivoli Privacy Manager. An overview of the installation process for each component is provided along with detailed installation steps. The installation process places the Tivoli Privacy Manager component on the designated machine. Some components require additional steps to be operational.

Before you begin installing IBM Tivoli Privacy Manager for e-business, refer to IBM Tivoli Privacy Manager Planning Guide. There are a number of planning considerations to review before starting the installation process.

Review the IBM Tivoli Privacy Manager Release Notes located at the following Web site for late-breaking product information before you begin:

http://www.ibm.com/software/tivoli/library

Installation overview

The following descriptions provide high-level overviews of installing the Tivoli Privacy Manager components. The descriptions also include post-installation tasks. If you are installing multiple components, you need to review the process for each component.

Before you begin the installation procedures, refer to Appendix A, “Installation checklist”, on page 57 which lists the information you might need during the installation and configuration processes.

Tivoli Privacy Manager server installation overview

Because the Tivoli Privacy Manager server communicates with other network software (such as WebSphere Application Server and DB2), you need to have information available about them (such as the DB2 administrator ID and password). The following list shows the tasks that must be completed before you can start the Tivoli Privacy Manager server.
- Verify that the proper prerequisites are installed (Refer to the IBM Tivoli Privacy Manager Prerequisite Installation Guide)
- Install the Tivoli Privacy Manager server
- Create DB2 database
- Create the Tivoli Privacy Manager database tables
- Prepare to deploy the Tivoli Privacy Manager enterprise application into the WebSphere Application Server environment:
  - Create a JDBC Provider
  - Create a data source
  - Verify the module visibility
- Deploy the Tivoli Privacy Manager server into the WebSphere Application Server environment
- Compile the Java Server Pages (JSPs)


After the Tivoli Privacy Manager server component is installed, go to Chapter 3, “Setting up the Tivoli Privacy Manager server”, on page 15 for details on the configuration and deployment steps.

Tivoli Privacy Manager LDAP monitor installation overview

The Tivoli Privacy Manager LDAP monitor is installed on the machine that acts as a proxy between the LDAP storage system and LDAP client applications accessing data to and from the storage system.
- Verify that the proper prerequisites are installed (Refer to the IBM Tivoli Privacy Manager Prerequisite Installation Guide)
- Install the Tivoli Privacy Manager LDAP monitor component
- Configure the LDAP monitor
  - Configure the communication protocol
  - Configure WebSphere security
  - Update the monitor properties file
- Start the Tivoli Privacy Manager enterprise application
- Start the LDAP monitor
- Monitor administration
- Classify storage locations

After the LDAP monitor component is installed, go to Chapter 4, “Setting up the LDAP monitor”, on page 37 for details on configuring and starting the LDAP monitor.

Tivoli Privacy Manager SDK installation overview

The Tivoli Privacy Manager SDK installation places the Java classes and documentation on a machine used by developers for creating a storage system monitor.
- Verify that the proper prerequisites are installed (Refer to the IBM Tivoli Privacy Manager Prerequisite Installation Guide)
- Install the Tivoli Privacy Manager SDK

After the installation is complete, refer to the IBM Tivoli Privacy Manager Monitor Developer’s Guide for details on setting up the monitor development and test environments.

Installation procedure

The installation program provides a graphical user interface that guides you through the process. The installation process places the appropriate code in the installation directory. When the installation process completes, you must complete the appropriate configuration tasks.

__ Step 1. Log on to the operating system as a user with root or Administrator privileges.

__ Step 2. Insert the Tivoli Privacy Manager installation CD into the CD-ROM drive.

    Note: For installing on a machine with no CD-ROM drive, FTP the files from a CD-ROM drive on another machine.

__ Step 3. Switch to the CD-ROM drive root directory. For some UNIX® systems, this switch requires creation of a mount point.


__ Step 4. Start the installation program by issuing the appropriate command shown in Table 13.

    Table 13. Installation program

    Operating system   Installation program command
    AIX                aix_install
    Linux              linux_install
    Solaris            sparc_install
    Windows            win32_install.exe
    z-Linux            zlinux_install

    Note: Use the non-graphical installation procedure if you experience font problems. See Appendix C, “Console mode installation procedures”, on page 63 for details on the non-graphical installation process.

__ Step 5. When the installation program starts, a message box is displayed, which indicates the start of a Java Virtual Machine.

__ Step 6. From the IBM Tivoli Privacy Manager for e-business Welcome window, click Next to continue.

__ Step 7. You must accept the product terms and conditions before continuing with the installation process. Review the terms and conditions of the product. To continue, click I agree → Next.

__ Step 8. Enter the installation directory. Table 14 shows the default installation directories for each operating system. Click Next.

    Table 14. Default installation directory

    Operating system         Installation directory
    AIX, Linux, Sun Solaris  /opt/IBM/PrivacyManager
    Windows                  C:\Program Files\IBM\PrivacyManager

    Note: After you have installed one Tivoli Privacy Manager component and later install another component, the installation program uses the existing installation directory for installing the subsequent component. For example, if you install the Tivoli Privacy Manager server in a directory named d:\privacy and later install the Tivoli Privacy Manager LDAP monitor on the same machine, the LDAP Monitor component will be installed in the d:\privacy directory with the Tivoli Privacy Manager Server component.

    To specify another directory on a subsequent installation, you must go through the uninstallation process to remove the existing installation directory and Tivoli Privacy Manager components.

__ Step 9. Select the component to install and click Next.
    - Privacy Server
    - Privacy Monitor SDK
    - Privacy LDAP Monitor
    - Privacy Tools

    Selecting Privacy Server installs the Tivoli Privacy Manager server.

    You can change the features to be installed by selecting or de-selecting features. The amount of storage space needed for installation depends on the features selected and the operating system platform. See Table 15 for the range of storage space used during installation.

    Table 15. Installation storage size

    Minimum   Maximum
    50 MB     155 MB

__ Step 10. If Privacy Server is selected, a prompt to automatically update the Tivoli Access Manager Java Runtime environment (PDJRTE) configuration is displayed. Click Yes to schedule the configuration during installation. If No is selected, this task can be completed manually. See “Configuring the Java Runtime Environment” on page 34 for manual instructions.

    The Tivoli Access Manager Java Runtime environment (PDJRTE) configuration sets the WebSphere Application Server’s JDK to use the Tivoli Access Manager libraries. This is a one-time task done manually or by the installation program.

__ Step 11. The installation program validates the installed prerequisite software. A message is displayed if prerequisite validation fails.

__ Step 12. The installation summary window displays the component size requirements and the associated product features to be installed. Click Next to proceed with the installation.

__ Step 13. After the installation completes, a completion message is displayed. Click Finish to exit the installation program.

Results of the installation

The installation process creates a number of product directories based on the features installed.

_jvm
    Represents the Java virtual machine used by the installation and uninstallation programs.

_uninst
    Contains the uninstallation program.

bin
    Tivoli Privacy Manager executable code.

ddl
    Contains the set of SQL files used to create the Privacy Manager database tables.

javadoc
    Contains Javadoc information for the APIs associated with the reference monitor and PSA toolkit.

ldapmon
    Contains executable code for the Tivoli Privacy Manager LDAP monitor.

lib
    Contains Tivoli Privacy Manager binary files.

license
    Contains the license agreement.

samples
    Contains properties files.

tools
    Contains the command line report tool.

Troubleshooting installation problems

During the installation process, the PMinstall.log file is created. This file is located in the installation root directory and updated each time the installation program is run.

Note: Until the Tivoli Privacy Manager files are stored on the server machine, the installation log is in a temporary directory.
- For AIX, Linux, and Solaris the log is located in /tmp
- For Windows, use the %TEMP% environment variable to determine the temporary directory.

If an error occurs before the files are stored (for example, prerequisite failure), you will need to look in the temporary directory for the installation log.

Use the log file to gather information related to installation failures. In addition, messages related to the validation of prerequisites are displayed during the installation process.

Refer to the IBM Tivoli Privacy Manager Problem Determination Guide for help with troubleshooting problems, message descriptions, and information on contacting the Tivoli Support Center.


Chapter 3. Setting up the Tivoli Privacy Manager server

After the Tivoli Privacy Manager server has been successfully installed, it must be configured and deployed into the WebSphere environment. This chapter describes the tasks to complete for the Tivoli Privacy Manager server to be operational.

Refer to the IBM Tivoli Privacy Manager Planning Guide for tuning information.

Creating the Tivoli Privacy Manager DB2 database

The IBM DB2 Universal Database is a prerequisite for installing Tivoli Privacy Manager. Tivoli Privacy Manager requires certain tables to be created in DB2 prior to its use. The DB2 database must be created prior to installing the Tivoli Privacy Manager enterprise application into the WebSphere environment.

This document does not cover details related to IBM DB2 Universal Database. Refer to the IBM Tivoli Privacy Manager Prerequisite Installation Guide or IBM DB2 Universal Database documentation for instructions on installing the IBM DB2 Universal Database.

After DB2 is installed, the following must be done:
1. Create the Tivoli Privacy Manager database.
2. Create the Tivoli Privacy Manager database tables.
3. Update the database configuration parameters.

Steps 1 through 3 can be completed by starting the Tivoli Privacy Manager database creation program or using the DB2 command line interface.
- “Using the DB2 database creation program”
- “Manually creating the database and tables” on page 16

Using the DB2 database creation program

The Tivoli Privacy Manager installation provides a program that you can use to create the Tivoli Privacy Manager database, set configuration values, and create the Tivoli Privacy Manager database tables. The setupPMDB program or manual database creation must be completed before using the Tivoli Privacy Manager product.

Before starting setupPMDB:
- DB2 must be active.
- For AIX, Linux, and Sun Solaris, the setupPMDB command must run as root.

  The root user must be part of the DB2 Administrator group (for example, the db2iadm group created during the DB2 Universal Database installation). To determine whether a user is part of the administrator group, use the db2 get dbm cfg command and search for the sysadm configuration property.
- For Windows, to run the database creation tool, you will need to open a DB2 command interface.

Table 16 on page 16 contains the name of the database creation program. The database creation program is located in the pm_install/bin directory where pm_install is the name of the Tivoli Privacy Manager installation directory.


Table 16. Database creation program

Operating system             Command for database creation
AIX, Linux, and Sun Solaris  setupPMDB.sh
Windows                      setupPMDB.bat

From a DB2 command interface, start the database creation program by issuing the following command:

    setupPMDB db2_userid db2_pw dbname

dbname
    Name of Tivoli Privacy Manager database.

db2_pw
    DB2 instance owner password

db2_userid
    DB2 instance owner user ID

Note: Any additional parameters specified on the database creation program are ignored.

A series of messages are displayed that show the progress of the database creation program.

Status information related to the database creation process is located in a log file. The log file, dbSetup.log, is created in the pm_install/log directory where pm_install is the name of the Tivoli Privacy Manager installation directory.

Go to “Setting up the WebSphere Application Server” on page 18.

Manually creating the database and tables

To manually create and configure the Tivoli Privacy Manager database, use the DB2 command interface. From the DB2 command interface, you can:
- Create the Tivoli Privacy Manager database
- Create the Tivoli Privacy Manager tables
- Configure the Tivoli Privacy Manager database

When you have completed the preceding tasks go to “Setting up the WebSphere Application Server” on page 18.

Creating the database

The database is created from the DB2 command interface. Before starting the command interface:
- DB2 must be active.
- For AIX, Linux, and Sun Solaris, the DB2 instance owner ID, such as db2inst1, must be part of the db2iadm group. The db2iadm group is created during the DB2 Universal Database installation.

From a DB2 command line interface, issue the following command to create the database:

    db2 create database db_name alias alias_name using codeset UTF-8 territory US


db_name
    Name assigned to the database

alias_name
    Database alias name. If no alias is provided, the specified database name is used.

Note: The alias name is not required; however, if an alias name is used, it must be the same as the database name.

Creating the database tables

During the installation of the Tivoli Privacy Manager server component, files defining the required DB2 tables are placed in the pm_install/ddl directory where pm_install is the name of the Tivoli Privacy Manager installation directory. Each data definition language (DDL) file contains SQL for creating a database table.

__ Step 1. Change to the pm_install/ddl directory.

__ Step 2. Issue the following commands to connect to the DB2 database being used for Tivoli Privacy Manager:

    db2 attach to instancename user db2_userid using db2_pw
    db2 connect to db_name user db2_userid using db2_pw

    instancename
        Name of the database instance where the Tivoli Privacy Manager tables are to be created

    db2_userid
        User ID of the database instance owner (userid)

    db2_pw
        Password associated with the instance userid specified

    db_name
        Name of the Tivoli Privacy Manager database

__ Step 3. Issue the db2 -tvf command for each DDL file contained in the Tivoli Privacy Manager installation directory. Issue the following commands to create the Tivoli Privacy Manager database tables:

    db2 -tvf IBM_Tivoli_Privacy_admin_ejb_jar-jar_Table.ddl
    db2 -tvf IBM_Tivoli_Privacy_Manager_audit-jar_Table.ddl
    db2 -tvf IBM_Tivoli_Privacy_cms-jar_Table.ddl
    db2 -tvf IBM_Tivoli_Privacy_conformance_cache-jar.ddl
    db2 -tvf IBM_Tivoli_Privacy_deploy-jar_Table.ddl
    db2 -tvf IBM_Tivoli_Privacy_pes-jar_Table.ddl
    db2 -tvf IBM_Tivoli_Privacy_rpt_server_ejb-jar_Table.ddl
    db2 -tvf IBM_Tivoli_Privacy_SAEServer-j_r_Table.ddl
    db2 -tvf IBM_Tivoli_Privacy_Trim_server-jar_Table.ddl

Configuring the database

After the Tivoli Privacy Manager database is created, certain database parameters must be configured. Table 17 lists the database parameters and the values needed for using Tivoli Privacy Manager.

Table 17. Database configuration parameters

Database parameter  Value  Description
applheapsz          256    Specifies the size, in pages, of the application heap that is available for each individual agent.
app_ctl_heap_sz     256    This parameter determines the maximum size, in 4KB pages, for the application control heap. The heap is required to share information among agents working on behalf of the same application at a node in an MPP or an SMP system. If complex applications are being run, or the MPP configuration has a large number of nodes, the size of this heap should be increased.
locklist            500
logfilsiz           2500   Specifies the amount of disk storage, in pages, allocated to log files used for data recovery. This parameter defines the size of each primary and secondary log file.
logsecond           4      Specifies the number of secondary log files that can be used for database recovery.
maxappls            250    Specifies the maximum number of application programs (both local and remote) that can connect to the database at one time.

Issue the following command for each of the database parameters to customize the DB2 program environment.

    db2 update database cfg for db_name using db_parm value

db_name
    Name of the Tivoli Privacy Manager database

db_parm
    DB2 database parameter to be updated

value
    Value for the specified DB2 database parameter

For example:

    db2 update database cfg for db_name using applheapsz 256
    db2 update database cfg for db_name using app_ctl_heap_sz 256
    db2 update database cfg for db_name using logfilsiz 2500
    db2 update database cfg for db_name using logsecond 4
    db2 update database cfg for db_name using maxappls 250
    db2 update database cfg for db_name using locklist 500
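The following check is an added example, not part of the IBM guide: it compares the output of the DB2 command line processor's "db2 get db cfg for db_name" command against the six values in Table 17 and reports any parameter that is missing or different. The function names and the sample output (including the database name PRIVACY) are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that a database carries the Table 17 settings.
# Usage against a live system (assumes the db2 command is on the PATH):
#     db2 get db cfg for db_name | check_pm_db_cfg

# Required values, copied from Table 17 of this guide.
PM_DB_CFG='applheapsz=256 app_ctl_heap_sz=256 locklist=500 logfilsiz=2500 logsecond=4 maxappls=250'

# Reads "db2 get db cfg" output on stdin, prints one status line per
# Table 17 parameter, and returns 0 only when every value matches.
check_pm_db_cfg() {
    awk -v expected="$PM_DB_CFG" '
    BEGIN {
        n = split(expected, rows, " ")
        for (i = 1; i <= n; i++) {
            split(rows[i], kv, "=")
            order[i] = toupper(kv[1])
            want[order[i]] = kv[2]
        }
    }
    # Configuration lines have the form: description (PARAMETER) = value
    match($0, /\([A-Z_0-9]+\) *= */) {
        name = substr($0, RSTART + 1)
        sub(/\).*/, "", name)
        value = substr($0, RSTART + RLENGTH)
        sub(/[ \t\r]+$/, "", value)
        if (name in want) got[name] = value
    }
    END {
        bad = 0
        for (i = 1; i <= n; i++) {
            p = order[i]
            if (!(p in got)) {
                printf "MISSING  %s (want %s)\n", p, want[p]; bad++
            } else if (got[p] != want[p]) {
                printf "MISMATCH %s = %s (want %s)\n", p, got[p], want[p]; bad++
            } else {
                printf "OK       %s = %s\n", p, got[p]
            }
        }
        exit (bad > 0)
    }'
}

# Constructed sample output: app_ctl_heap_sz was left at another value and
# the logsecond line is absent, so two problems are reported.
sample_pm_db_cfg() {
    cat <<'EOF'
       Database Configuration for Database PRIVACY

 Database territory                                      = US
 Database code set                                       = UTF-8
 Max storage for lock list (4KB)              (LOCKLIST) = 500
 Max appl. control heap size (4KB)     (APP_CTL_HEAP_SZ) = 128
 Default application heap (4KB)             (APPLHEAPSZ) = 256
 Max number of active applications            (MAXAPPLS) = 250
 Log file size (4KB)                         (LOGFILSIZ) = 2500
EOF
}

sample_pm_db_cfg | check_pm_db_cfg || echo "database configuration does not match Table 17"
```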

Setting up the WebSphere Application Server

Before you can start Tivoli Privacy Manager, you must deploy it into the WebSphere environment. Setting up the WebSphere Application Server involves configuring the server and supporting resources. For Tivoli Privacy Manager to communicate with the DB2 database, data access settings are required. This setup includes JDBC providers and data source configurations.

- Enable security

  Security must be enabled for users to be authenticated to the WebSphere Application Server.

- Create a JDBC provider

  The JDBC provider is software that enables Java applications to connect to JDBC-compliant databases, such as DB2, through the use of DataSource objects. The JDBC provider specifies database connection pooling parameters, such as the maximum number of connections to maintain in the pool.

- Create a data source

  A data source instance is needed for every application server instance that uses the DataSource object. The connection pool associated with a data source is shared by all application components running in an application server. A data source is associated with a JDBC Provider.

- Defining static communication ports

  Optionally, you can assign port numbers to be used for communication between the WebSphere Application Server and monitor. Assigning static port numbers causes the same port numbers to be used during a restart of the WebSphere Application Server. Otherwise, port numbers are dynamically assigned during each restart, and credentials must be re-established for communication to continue. Using static definitions eliminates the mismatch.

The preceding WebSphere Application Server setup tasks must be completed before Tivoli Privacy Manager server can be deployed into the WebSphere Application Server environment. The actual steps for setting up Tivoli Privacy Manager depend on the WebSphere Application Server level.
- Go to “Setup procedures using WebSphere Application Server 4.x” if the level of WebSphere Application Server is Version 4.x.
- Go to “Setup procedures using WebSphere Application Server 5.x” on page 23 if the level of WebSphere Application Server is Version 5.x.

Setup procedures using WebSphere Application Server 4.x

The WebSphere Administrative Console is used to set up the WebSphere Application Server so that it recognizes the Tivoli Privacy Manager server. The WebSphere Administrative Console is a graphical, Java-based administrative client to the IBM WebSphere Application Server administrative server. This administrative console provides the full range of product administrative activities.

The WebSphere administrative server must be running before you start the WebSphere Administrative Console. By default, the server does not start automatically when you start the machine.

Table 18 shows the commands for starting the WebSphere Application Server and Administrative Console for the supported operating systems. The commands must be issued from the was_install/bin directory, where was_install is the WebSphere Application Server installation directory.

Table 18. Starting the WebSphere Application Server and Administrative Console

Operating system     Operation      Command
AIX, Solaris, Linux  Start server   startupServer.sh
                     Start console  adminclient.sh
Windows              Start server   From the Control Panel, click Services → IBM WS AdminServer 4.0 → Start
                     Start console  Click Start → Programs → IBM WebSphere → Application Server 4.0 → Administrator’s Console


Enabling security

Use the WebSphere Administrative Console to enable security. You will need to use the user ID and password for your local machine to log in.

__ Step 1. From the WebSphere Administrative Console menu, click Console → Security Center.

__ Step 2. From the General tab, verify that Enable Security is checked.

__ Step 3. From the Authentication tab, click Local Operating System and complete the following:

    Security Server ID
        The WebSphere Administrative Console administrator user ID.

    Security Server Password
        Password associated with the user.

__ Step 4. Click OK.

__ Step 5. Restart the WebSphere Application Server for the change to take effect.

Note: The instructions for enabling security assume you are using a user ID from the operating system registry. If using LTPA, refer to the appropriate LTPA documentation for enabling security.

Table 19 shows the commands for stopping the WebSphere Application Server and WebSphere Administrative Console.

Table 19. Stopping the WebSphere Application Server and Administrative Console

Operating system     Operation     Command
AIX, Solaris, Linux  Stop console  From the WebSphere Administrative Console click Console → Exit.
                     Stop server   From the WebSphere Administrative Console click WebSphere Administrative Domain → Nodes. Right-click the host name for the server then click Stop. Both the console and server will be stopped.
Windows              Stop console  Click Start → Programs → IBM WebSphere → Application Server 4.0 → Stop Administrator’s Console.
                     Stop server   From the Control Panel, click Services → IBM WS AdminServer 4.0 → Stop.

When security is enabled, you will be required to use the user ID and password when accessing the WebSphere Administrative Console.

Creating a JDBC provider

Before you can create the necessary data source for Tivoli Privacy Manager, a JDBC Provider must be available.

To create a JDBC provider do the following:

__ Step 1. From the WebSphere Administrator Console menu, click Console → New → JDBC Provider.

__ Step 2. On the JDBC Provider Properties General tab, complete the following fields:

    Name
        Assign a name for the JDBC Provider associated with the Tivoli Privacy Manager connection to the DB2 database.

    Description
        Enter a description for the JDBC Provider being created.

    Implementation Class
        Locate and click com.ibm.db2.jdbc.DB2ConnectionPoolDataSource as the implementation class from the list.

__ Step 3. On the Provider Properties Nodes tab, do the following:
    a. Click Install New to view a list of machines.
    b. Select the machine where the application is being installed and click Specify Driver → Add Driver.
    c. Locate the db2java.zip file. The typical location for this file is db2_install/SQLLIB/java_level where

        db2_install
            DB2 installation directory

        java_level
            Directory containing the db2java.zip file.

       If using DB2 V7.2, use the Java 1.2 version of the db2java.zip file.

       Click Open to add the file.
    d. Click Set.
    e. Click Install.

__ Step 4. Click Apply.

__ Step 5. After the JDBC provider is created, an information dialog displays indicating the JDBC provider has been successfully created. Click OK.

Creating a data source

The data source configuration provides for connections between Tivoli Privacy Manager server and the required DB2 database. Before you start to configure the data source, be sure a JDBC Provider is created and available.

Complete the following tasks to create a data source:

__ Step 1. From the WebSphere Administrator Console menu, click Console → New → Data Source

__ Step 2. From the Data Source Properties panel, on the General tab complete the following information:

    Name
        Assign a name for the data source.

        Use PrivacyDataSource as the data source name.

    JNDI name
        Enter a JNDI name for the resource, including any naming subcontexts. This name is used as the linkage between the platform’s binding information for resources defined in the client application’s deployment descriptor and actual resources bound into JNDI by the platform.

        You must use jdbc/btb120/Privacy as the JNDI name.

    Description
        Enter a description for the data source being created.

    JDBC Provider
        Select from the list of available JDBC providers the JDBC Provider with which this data source is associated. Use the JDBC provider created earlier.

    Complete the following properties listed in the Custom Properties table.

    databasename
        Enter the name of the DB2 database created for Tivoli Privacy Manager.

    user
        Enter the DB2 instance owner user ID.

    password
        Enter the password associated with the specified DB2 instance owner user ID.

__ Step 3. On the Connection Pooling tab, enter the following connection pool properties values.

    Table 20. Suggested connection pool properties values

    Maximum Pool Size     30
    Connection Timeout    360
    Idle Timeout          360
    Orphan Timeout        360
    Statement Cache size  200

__ Step 4. Click Test Connection to verify that the connection works.

__ Step 5. Click OK.

Defining static communication ports

The following procedure allows you to define communication ports used between the WebSphere Application Server and monitor.

__ Step 1. Add the following statements in the admin.config file located in the was_install/bin directory, where was_install is the WebSphere Application Server installation directory.

    com.ibm.CORBA.ListenerPort
    com.ibm.CORBA.SSLPort
    com.ibm.CORBA.LSDPort
    com.ibm.CORBA.LSDSSLPort

    The com.ibm.CORBA.LSDPort statement is for non-secure communications and the com.ibm.CORBA.LSDSSLPort statement for secure communications.

__ Step 2. From the WebSphere Administrative Console, expand WebSphere Administrative Domain → Nodes.

__ Step 3. Locate and expand the node containing the WebSphere Application Server. Expand Application Servers and click Default Server.

__ Step 4. From the Name window, click the JVM Settings tab.

__ Step 5. Add the following system properties by repeating steps 5a on page 23 and 5b on page 23 for each system property.

    com.ibm.CORBA.ListenerPort
    com.ibm.CORBA.SSLPort

    The com.ibm.CORBA.ListenerPort statement is for nonsecure communications and the com.ibm.CORBA.SSLPort statement for secure communications.
    a. Click Add under System Properties
    b. Complete the following fields for each system property to be added.

        Name
            Enter one of the system property names.

        Value
            Enter a port number to be associated with the property. Each system property must have a unique port number.

__ Step 6. Click Apply.
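An added check, not part of the IBM guide, for the rule above that each statically assigned port must be unique: it reads the four statements from Step 1 and reports any that is missing, not a valid TCP port, or shares a number with another. It assumes the statements are written as name=value lines in the manner of a Java properties file; the function names, port numbers and the unrelated setting in the sample are constructed.

```shell
#!/bin/sh
# Added example: validate the static port statements from Step 1.
# Usage against a real file (path from Step 1 of this procedure):
#     check_static_ports < was_install/bin/admin.config

# The four statements named in Step 1.
PORT_PROPS='com.ibm.CORBA.ListenerPort com.ibm.CORBA.SSLPort com.ibm.CORBA.LSDPort com.ibm.CORBA.LSDSSLPort'

# Reads name=value lines on stdin (assumed format). Prints "OK" and
# returns 0 when all four ports are present, valid and distinct;
# otherwise prints one line per problem and returns 1.
check_static_ports() {
    awk -v required="$PORT_PROPS" '
    BEGIN {
        n = split(required, req, " ")
        for (i = 1; i <= n; i++) need[req[i]] = 1
    }
    /^[ \t]*#/ { next }          # comment line
    /^[ \t]*$/ { next }          # blank line
    {
        line = $0
        sub(/\r$/, "", line)     # tolerate Windows line endings
        eq = index(line, "=")
        if (eq == 0) next
        name = substr(line, 1, eq - 1)
        value = substr(line, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", name)
        gsub(/^[ \t]+|[ \t]+$/, "", value)
        if (name in need) port[name] = value   # a later line overrides an earlier one
    }
    END {
        bad = 0
        for (i = 1; i <= n; i++) {
            p = req[i]
            if (!(p in port)) { print "MISSING " p; bad++; continue }
            v = port[p]
            if (v !~ /^[0-9]+$/ || v + 0 < 1 || v + 0 > 65535) {
                print "INVALID " p "=" v; bad++; continue
            }
            v = v + 0
            if (v in owner) {
                print "DUPLICATE " p "=" v " (also " owner[v] ")"; bad++
            } else {
                owner[v] = p
            }
        }
        if (!bad) print "OK"
        exit (bad > 0)
    }'
}

# Constructed sample: the secure LSD port reuses the SSL port number.
sample_admin_config() {
    cat <<'EOF'
# constructed sample, not a real admin.config
example.unrelated.setting=value
com.ibm.CORBA.ListenerPort=9100
com.ibm.CORBA.SSLPort=9101
com.ibm.CORBA.LSDPort=9102
com.ibm.CORBA.LSDSSLPort=9101
EOF
}

sample_admin_config | check_static_ports || true
```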

Proceed to “Deploying Tivoli Privacy Manager into the WebSphere Application Server environment” on page 27 for procedures to deploy the Tivoli Privacy Manager application into the WebSphere Application Server environment.

Setup procedures using WebSphere Application Server 5.x

The WebSphere Administrative Console is used to set up the WebSphere Application Server so that it recognizes the Tivoli Privacy Manager server. The WebSphere Administrative Console is a graphical, Web-based administrative client to the WebSphere Application Server administrative server. This administrative console provides the full range of product administrative activities.

The WebSphere application server must be running before you start the WebSphere Administrative Console. By default, the server does not start automatically when you start the machine.

Table 21 shows the commands for starting the WebSphere Application Server for the supported operating systems.

Notes:

1. For AIX, Linux, and Solaris, issue the command from the was_install/bin directory, where was_install is the WebSphere Application Server installation directory.

2. For AIX, Linux, and Solaris, source db2profile before starting the application server, if any applications are connecting to DB2. For example, in a korn shell issue the following command:

   . /home/db2instl/sqllib/db2profile

Table 21. Starting the WebSphere Application Server

Operating System       Command
AIX, Linux, Solaris    startServer.sh server1 [-username was_username] [-password was_password]
Windows                From the Start menu, click Programs → IBM WebSphere → Application Server v5.0 → Start the Server.

After the administrative server is started, you can access the WebSphere Administrative Console. The WebSphere Administrative Console can be accessed through a Web browser at the following URL:

http://server_name:port_number/admin

where,

server_name
   Name of the administrative server.

port_number
   Port number of the administrative server. The typical port number is 9090 or 9043. Other port numbers are used if a conflict occurs. Check the SystemOut.log file for the port number being used.

Additionally, for Windows the WebSphere Administrative Console can be accessed from the Start menu. From the Start menu, click Programs → IBM WebSphere → Application Server v5.0 → Administrative Console.

After the WebSphere Administrative Console is started, a login prompt is displayed. If security is not enabled, use any valid user ID for the login prompt.

Enabling security

Use the WebSphere Administrative Console to enable security. You will need to use the user ID and password for your local machine to log in.

__ Step 1. From the WebSphere Administrative Console menu, expand Security → User Registries. Click Local OS and enter the WebSphere administrator identity.

   a. Enter the administrator user ID in the Server User ID field.

   b. Enter the password associated with the ID in the Server User Password field.

   Click OK.

__ Step 2. Click Save.

__ Step 3. From the Global Security window, click Enable Security. Verify that Enforce Java 2 Security is off.

__ Step 4. Click OK → Save.

__ Step 5. Restart the WebSphere Application Server for the change to take effect.

Note: The instructions for enabling security assume you are using a user ID from the operating system registry. If using LTPA, refer to the appropriate LTPA documentation for enabling security.

Table 22 shows the commands for stopping the application server.

Table 22. Stopping the WebSphere Application Server

Operating System       Command
AIX, Linux, Solaris    stopServer.sh server1 -username was_username -password was_password
Windows                From the Start menu, click Programs → IBM WebSphere → Application Server v5.0 → Stop the Server.

When security is enabled, you will be required to use the specified user ID and password when accessing the WebSphere Administrative Console.

Setting server properties

Use the WebSphere Administrative Console to set the server properties.

__ Step 1. From the WebSphere Administrative Console menu, expand Servers and click Application Servers.

__ Step 2. From the Application Servers window, click server1 → Process Definition → Java Virtual Machine. Enter a value for Maximum Heap Size. Suggested values are:

   • 128 MB, for systems with less than one GB of memory
   • 256 MB, for systems with one to two GB of memory
   • 512 MB, for systems with more than 2 GB of memory

   For additional information and considerations for specifying the Java virtual machine (JVM) heap size, refer to the IBM Tivoli Privacy Manager Planning Guide.

__ Step 3. Click OK.

__ Step 4. From the Server Configuration window, click Transaction Service and enter 600 as the value for Total transaction lifetime timeout. Click OK.

__ Step 5. Click Save from the console menu for the change to take effect.

Creating a data source

The data source configuration provides for connections between Tivoli Privacy Manager server and the required DB2 database. Before you start to configure the data source, be sure that a JDBC Provider is created and available.

Complete the following tasks to create a data source:

__ Step 1. From the WebSphere Administrator Console menu, click Environment → Managed WebSphere Variable.

__ Step 2. From the WebSphere Variables window, click DB2_JDBC_DRIVER_PATH. Complete the Value field by specifying the complete path for db2java.zip file. The typical location for this file is db2_install/SQLLIB/java_level where

   db2_install
      DB2 installation directory

   java_level
      Directory containing the db2java.zip file.

   If using DB2 V7.2, use the Java 1.2 version of the db2java.zip file.

__ Step 3. Expand Resources and click JDBC Provider → New. From the drop-down list, select DB2 JDBC Provider.

   Note: A note might be displayed indicating the DB2 JDBC Provider is deprecated. Ignore the note and continue to the next step.

__ Step 4. From the Configuration tab under Additional Properties, click Data Sources (Version 4).

__ Step 5. From the Data Sources (Version 4) window, click New.

__ Step 6. From the New window Configuration tab, complete the Data Source Properties panel with the following information and click OK:

   Name
      Assign a name for the data source.

      Use PrivacyDataSource as the data source name.

   JNDI name
      Enter a JNDI name for the resource, including any naming subcontexts. This name is used as the link between the platform’s binding information for resources defined in the client application’s deployment descriptor and actual resources bound into JNDI by the platform.

      Use jdbc/btb120/Privacy as the JNDI name.

   Database Name
      Enter the name of the DB2 database created for Tivoli Privacy Manager.

   Default User ID
      Enter the database administrator ID.

   Default Password
      Enter the password associated with the specified database administrator ID.

__ Step 7. Click Apply.

__ Step 8. In the PrivacyDataSource window, click Connection Pool, which is in the Additional Properties list. Then enter the following connection pool properties values.

   Table 23. Suggested connection pool properties values

   Property               Value
   Maximum Pool Size      30
   Connection Timeout     360
   Idle Timeout           360
   Orphan Timeout         360
   Statement Cache size   200

   Click OK.

__ Step 9. Click Save (located under Message(s) at top of console) to save changes to the master configuration.

__ Step 10. Restart the WebSphere Application Server for changes to take effect.

Defining static communication ports

The following procedure allows you to define communication ports used between the WebSphere Application Server and monitor.

__ Step 1. From the WebSphere Administrative Console, click Servers → Application Servers.

__ Step 2. From the Application Servers window, click the node containing the WebSphere Application Server.

__ Step 3. On the server page, Configuration tab under Additional Properties, click End Points.

__ Step 4. From the End Points window, assign a port number to the following end points.

   ORB_LISTENER_ADDRESS

   CSIV2_SSL_SERVERAUTH_LISTENER_ADDRESS

   SAS_SSL_SERVERAUTH_LISTENER_ADDRESS

   The ORB_LISTENER_ADDRESS end point is for nonsecure communications and the SAS_SSL_SERVERAUTH_LISTENER_ADDRESS end point is for secure communications.

   If the end point name is located in the End Point Name table, click the name and complete the following starting at step 4b. If the end point name is not listed, click New and do all of the following steps.

   a. From the New window, select the end point name from the End Point Name field.

   b. On the Configuration tab, complete the following fields.

      Host
         Enter host name of the server containing the WebSphere Application Server.

      Port
         Enter a port number to be associated with the property. Each end point must have a unique port number. You can use any unassigned port number.

   c. Click Apply.

__ Step 5. Click Save.
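The uniqueness rule in the two port procedures above (system properties on 4.x, end points on 5.x) can be checked before the values are entered in the console. The following shell script is an added example, not part of the IBM guide: the plan-file format, the function names and the sample port numbers are assumptions, and the reserved list is built from the ports this guide mentions for other listeners (9090, 9043, 9080, 7135).

```shell
#!/bin/sh
# Added example, not IBM code: pre-flight check of a static port plan.

# Ports this guide names for other listeners: administrative console
# (9090 or 9043), Privacy Manager console (9080), Access Manager default (7135).
GUIDE_PORTS="9090 9043 9080 7135"

# listening_ports: read `netstat -an` text on stdin and print every local port
# in LISTEN state. Assumption: the local address is the first field ending in
# ":port" (Linux) or ".port" (AIX, Solaris).
listening_ports() {
    awk '$NF == "LISTEN" {
        for (i = 1; i <= NF; i++) {
            if ($i ~ /[.:][0-9]+$/) {
                port = $i
                sub(/^.*[.:]/, "", port)   # keep only what follows the last . or :
                print port
                break
            }
        }
    }' | sort -un
}

# validate_port_plan: $1 = plan file with "NAME PORT" lines, $2 = saved
# `netstat -an` output from the target machine. Prints one line per problem
# and returns 0 only when every port is valid, unused and unique.
validate_port_plan() {
    plan=$1
    in_use=$(listening_ports < "$2" | tr '\n' ' ')
    awk -v guide="$GUIDE_PORTS" -v in_use="$in_use" '
    BEGIN {
        bad = 0
        n = split(guide, g, " ")
        for (i = 1; i <= n; i++) taken[g[i]] = "named elsewhere in the guide"
        n = split(in_use, u, " ")
        for (i = 1; i <= n; i++) if (!(u[i] in taken)) taken[u[i]] = "already listening"
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
    {
        name = $1; port = $2
        if (port !~ /^[0-9]+$/ || port + 0 < 1 || port + 0 > 65535) {
            printf "INVALID %s %s\n", name, port; bad = 1; next
        }
        port = port + 0
        if (port in taken) {
            printf "CONFLICT %s %d (%s)\n", name, port, taken[port]; bad = 1; next
        }
        taken[port] = "also assigned to " name
    }
    END { exit bad }
    ' "$plan"
}

# write_constructed_samples: create a constructed plan and a constructed
# netstat capture in directory $1 (all values invented for the demonstration).
write_constructed_samples() {
    cat > "$1/plan.txt" <<'EOF'
# end point name                       port (constructed values)
ORB_LISTENER_ADDRESS                   9810
CSIV2_SSL_SERVERAUTH_LISTENER_ADDRESS  9811
SAS_SSL_SERVERAUTH_LISTENER_ADDRESS    9810
EOF
    cat > "$1/netstat.txt" <<'EOF'
tcp        0      0 0.0.0.0:9080      0.0.0.0:*        LISTEN
tcp        0      0 0.0.0.0:9090      0.0.0.0:*        LISTEN
tcp4       0      0 *.9811            *.*              LISTEN
tcp        0      0 10.0.0.5:9080     10.0.0.9:41822   ESTABLISHED
EOF
}

# Demonstration on the constructed data: two CONFLICT lines are reported.
demo_dir=$(mktemp -d)
write_constructed_samples "$demo_dir"
validate_port_plan "$demo_dir/plan.txt" "$demo_dir/netstat.txt" || echo "port plan rejected"
rm -rf "$demo_dir"
```

On a real system, replace the constructed capture with `netstat -an > netstat.txt` taken on the machine that hosts the WebSphere Application Server.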

Deploying Tivoli Privacy Manager into the WebSphere Application Server environment

After the JDBC Provider and data source have been created for data access, additional WebSphere Application Server configuration must be done to ensure that the Tivoli Privacy Manager enterprise application is fully functional within the environment. This task is called “Install Enterprise Application”. Installing the application refers to the process of placing an Enterprise Archive (EAR) file in the run-time environment of an application server. A number of tasks must be performed during this process. Some of these tasks are accomplished through the Tivoli Privacy Manager deployment descriptor packaged with its EAR file. Other configuration tasks are performed using the WebSphere Administrative Console.

The WebSphere Install Enterprise Application Wizard leads you through all the tasks for installing the Tivoli Privacy Manager enterprise application into the WebSphere Application Server environment. Because the Tivoli Privacy Manager application is already generated and contains a set of deployment descriptors, the default options can be taken for a number of steps.

The actual steps for deploying the Tivoli Privacy Manager application depend on the WebSphere Application Server version in your environment.

• Go to “Deployment instructions for WebSphere Application Server 4.x” if the level of WebSphere Application Server is Version 4.x.
• Go to “Deployment instructions for WebSphere Application Server 5.x” on page 30 if the level of WebSphere Application Server is Version 5.x.

Deployment instructions for WebSphere Application Server 4.x

__ Step 1. Set the module visibility value

   The module visibility value is used to resolve references to classes. It provides the name and location of the application or module to the WebSphere Application Server. Tivoli Privacy Manager is defined as a WebSphere Application Server enterprise application.

   a. From the WebSphere Advanced Administrative Console, click WebSphere Administrative Domain → Nodes → Application Servers to expand the list of servers.

   b. Select the name of the server containing the WebSphere Application Server, click Installed EJB Module.

   c. From the Installed EJB Module window, under the General tab, verify the Module Visibility field contains application.

__ Step 2. From the WebSphere Advanced Administrative Console, click Console → Wizards → Install Enterprise Application to start the Install Enterprise Application Wizard.

   From the Specifying the Application or Module window specify the Tivoli Privacy Manager EAR file:

   a. Click Install application.

   b. Enter the fully qualified pathname for the privacy.ear file or use the Browse function to locate the file. The file is located in the pm_install\lib directory, where pm_install is the name of the Privacy Manager installation directory.

   c. Click Next.

__ Step 3. From the Unprotected Methods window, click Yes to deny access to all unprotected methods.

__ Step 4. Assign users or groups to the roles defined by Tivoli Privacy Manager in the Mapping Users to Roles window.

   Mapping users or groups from the user registry to a role authorizes those users or groups to access applications defined by the role. There are six roles defined by Tivoli Privacy Manager. The Mapping Users to Roles window displays the roles defined by Tivoli Privacy Manager.

   a. From the list of roles, click on a role and click Select.

   b. From the Select Users/Groups window, click Select Users/Groups and enter a search argument and click Search to display a list in the available users and groups table.

   c. Select the desired users and groups from the list and click Add.

   d. Click OK when you are finished mapping a user or group to the role.

   e. Repeat steps 4a to 4d for each of the Tivoli Privacy Manager roles.

   f. When completed, click Next to exit the Role Mapping window.

__ Step 5. Map EJB RunAs Roles to Users:

   Tivoli Privacy Manager contains a predefined RunAs role that needs to be associated with a user.

   The SERVER role is a predefined RunAs role. This step identifies the SERVER role to WebSphere as the RunAs role. The Mapping EJB RunAs Roles to Users window displays the Tivoli Privacy Manager roles defined as RunAs. The SERVER role is the only one defined by the Tivoli Privacy Manager application as RunAs.

   a. Click SERVER from the list and click Select.

   b. From the Select User—SERVER window, enter a user ID and password mapped to the SERVER role and click OK. If the SERVER role is mapped to a group, use one of the users associated with the group.

   c. Click Next.

__ Step 6. Bind Enterprise Beans to JNDI Names:

   Connects each Tivoli Privacy Manager enterprise bean to a JNDI name. Use the defaults.

   From the Binding Enterprise Beans to JNDI Names window, click Next.

__ Step 7. Map EJB References to Enterprise Beans:

   Associate each Tivoli Privacy Manager EJB reference to an enterprise bean. Use the defaults.

   From the Mapping EJB References to JNDI Names window, click Next.

__ Step 8. Map Resource References to Resources:

   Map each Tivoli Privacy Manager resource reference to a resource. Use the defaults.

   From the Mapping Resource References to Resources window, click Next.

__ Step 9. Specify the Default Data Source for EJB Modules:

   Define the default data source for the EJB Module containing the CMP beans. Use the defaults.

   From the Specifying the Default Data Source for EJB Modules window, click Next.

__ Step 10. Specify Data Sources for Individual CMP Beans:

   Associate a data source to a CMP bean. Use the defaults.

   From the Specifying Data Sources for Individual CMP Beans window, click Next.

__ Step 11. Specify Virtual Hosts for Web Modules:

   Define a virtual host name for the location of the Tivoli Privacy Manager Web modules. Use the defaults.

   From the Selecting Virtual Hosts for Web Modules window, click Next.

__ Step 12. Select Application Servers:

   Define the application server on which the Tivoli Privacy Manager application modules will run. Use the defaults.

   From the Selecting Application Servers window, click Next.

__ Step 13. Complete the Enterprise Application Install Wizard

   A summary of the installation process is displayed. Listed is the node where the Tivoli Privacy Manager application is installed. After you click Finish, the Install Wizard starts the installation process and creates the installation directory.

   From the Completing the Application Install Wizard window, verify the information and click Finish.

__ Step 14. From the Deploy window, click No so that the Tivoli Privacy Manager application code is not generated. The Tivoli Privacy Manager code is already generated.

__ Step 15. After the installation process is complete, an information dialog displays the following: Command "EnterpriseApp.install" completed successfully. Click OK.

When the Tivoli Privacy Manager enterprise application is installed, an entry is created under the Enterprise Application subtree. From the WebSphere Administrative Console, click WebSphere Administrative Domain → Enterprise Applications to expand the tree. The IBM Tivoli Privacy Manager for e-business enterprise application is named IBM_Tivoli_Privacy_Manager.

Note: Using the WebSphere Administrative Console you can change the name of the Tivoli Privacy Manager enterprise application. The instructions contained in this document assume the default name, IBM_Tivoli_Privacy_Manager, is being used. If you change the name you will need to make the appropriate changes to the instructions.

The next step is to compile the Java Server Pages. See “Compiling the Java server pages” on page 32 for details.

Deployment instructions for WebSphere Application Server 5.x

__ Step 1. From the WebSphere Advanced Administrative Console, expand Applications → Install New Application.

__ Step 2. From the Preparing for the application installation window:

   a. Click Server path.

   b. Enter the fully qualified pathname for the privacy.ear file: pm_install/lib/privacy.ear directory, where pm_install is the Tivoli Privacy Manager installation directory.

   c. Click Next.

__ Step 3. Click Next, from the Preparing for the application installation window.

__ Step 4. Select to pre-compile the JSPs.

   From the Step 1: Provide options to perform the installation window, click Pre-compile JSP → Next.

__ Step 5. Connect each Tivoli Privacy Manager enterprise bean to a JNDI name. Use the defaults.

   From the Step 2: Provide JNDI Names for Beans window, click Next.

__ Step 6. Define the default data source for the EJB Module containing the CMP beans. Use the defaults.

   From the Step 3: Provide default datasource mapping for modules containing 1.x entity beans window, click Next.

__ Step 7. Associate a data source to a CMP bean. Use the defaults.

   From the Step 4: Map datasources for all 1.x CMP beans window, click Next.

__ Step 8. Map each Tivoli Privacy Manager EJB reference to an Enterprise bean. Use the defaults.

   From the Step 5: Map EJB references to beans window, click Next.

__ Step 9. Map each Tivoli Privacy Manager EJB resource reference to a resource. Use the defaults.

   From the Step 6: Map resource references to resources window, click Next.

__ Step 10. Define a virtual host name for the location of the Tivoli Privacy Manager Web modules. Use the defaults.

   From the Step 7: Map virtual hosts for web modules window, click Next.

__ Step 11. Define a virtual host name for the location of the Tivoli Privacy Manager Web modules. Use the defaults.

   From the Step 8: Map modules to applications window, click Next.

__ Step 12. Assign users or groups to the roles defined by Tivoli Privacy Manager.

   Mapping users or groups from the user registry to a role authorizes those users or groups to access applications defined by the role. There are six roles defined by Tivoli Privacy Manager.

   a. From the Step 9: Map security roles to users/groups window, select a role and click Lookup users to map to users or click Lookup groups to map to a group. You can map a role to both a user and a group. After completing one task select the other. The steps are the same for mapping users and groups after you select the appropriate button.

   b. From the Lookup users/groups window, enter a search argument and click Search to display a list in the available users and groups table. The default search argument, asterisk, displays all users or groups defined to the operating system.

      You can select multiple roles to map simultaneously if the same user or group is desired for all roles.

   c. Select the desired users or groups from the list and click >>.

   d. Click OK when you are finished.

   e. Repeat steps 12a to 12d for each of the Tivoli Privacy Manager roles.

   f. When completed, click Next to exit the role mapping task.

__ Step 13. Identify the SERVER role to WebSphere as the RunAs role.

   The Tivoli Privacy Manager roles defined as RunAs are displayed. The SERVER role is the only one defined by the Tivoli Privacy Manager application as RunAs.

   a. From the Step 10: Map RunAs roles to users window, click SERVER under the Role column.

   b. Enter a user ID and password mapped to the SERVER role in the username and password fields. If the SERVER role is mapped to a group, use one of the users associated with the group.

   c. Click Next.

__ Step 14. A summary of the installation options is displayed.

   From the Step 11: Summary window, click Finish to start the installation process and create the installation directory.

__ Step 15. Click server instance → JVM Settings → System Properties

__ Step 16. From the window indicating that IBM_Tivoli_Privacy_Manager is installed correctly, click Save to Master Configuration → Save.

From the WebSphere Administrative Console, click Applications → Enterprise Applications to display the list of installed applications. The IBM Tivoli Privacy Manager for e-business enterprise application is named IBM_Tivoli_Privacy_Manager.

Note: Using the WebSphere Administrative Console you can change the name of the Tivoli Privacy Manager enterprise application. The instructions contained in this document assume the default name, IBM_Tivoli_Privacy_Manager, is being used. If you change the name you will need to make the appropriate changes to the instructions.

To complete the deployment process, the Classloader mode must be changed. From the Enterprise Applications window:

__ Step 1. Click IBM_Tivoli_Privacy_Manager from the list of applications.

__ Step 2. From the Configuration tab, locate the Classloader Mode property. Select PARENT_LAST from the list of modes and click Apply.

__ Step 3. Click Web Modules from the Related Items list.

__ Step 4. From the Web Module window, click privacy.war.

__ Step 5. Locate the Classloader Mode property. Select PARENT_LAST from the list of modes and click OK.

__ Step 6. Click Save from the console menu for the change to take effect.

The Tivoli Privacy Manager server is ready to start.

Compiling the Java server pages

The Tivoli Privacy Manager console uses Java server pages (JSPs) for building the console windows. JSPs must be compiled before they can be used. WebSphere Application Server compiles the JSPs the first time a page is accessed from the Tivoli Privacy Manager console. You must compile the Java server pages before starting the console.

The actual steps for compiling the JSP pages depend on the WebSphere Application Server version in your environment.

• Go to “Compiling the JSP in WebSphere Application Server 4.x” if the level of WebSphere Application Server is Version 4.x.
• Go to “Compiling the JSP in WebSphere Application Server 5.x” on page 33 if the level of WebSphere Application Server is Version 5.x.

Compiling the JSP in WebSphere Application Server 4.x

The compiling of the JSPs can run in the background while you perform other tasks. Be sure to occasionally check whether compiling has completed. The JspBatchCompiler command is used to compile the JSPs. To start the process, open an operating system command interface.

For the Windows operating system:

Step 1. Go to the was_install\bin directory, where was_install is the WebSphere Application Server installation directory.

Step 2. Enter a user ID and password. Use the WebSphere Application Server administrator user ID.

Step 3. Enter the following command exactly as shown on a single line:

   JspBatchCompiler -enterpriseApp IBM_Tivoli_Privacy_Manager -webModule privacy.war

For the AIX, Linux, or Sun Solaris operating systems:

Step 1. Go to the was_install/bin directory, where was_install is the WebSphere Application Server installation directory.

Step 2. Enter a user ID and password. Use the WebSphere Application Server administrator user ID.

Step 3. Enter the following command exactly as shown on a single line:

   ./JspBatchCompiler.sh -enterpriseApp IBM_Tivoli_Privacy_Manager -webModule privacy.war

Compiling the JSP in WebSphere Application Server 5.x

Pre-compiling of the JSP pages is done during the deployment of Tivoli Privacy Manager into the WebSphere Application Server environment (as described in step 4 on page 30).

To perform the compile manually, use the JspBatchCompiler command.

cell_name
   Name of the machine

node_name
   Name of the machine

server_name
   Name of the server. The default value for server_name is server1.

For the Windows operating system:

Step 1. Go to the was_install\bin directory, where was_install is the WebSphere Application Server installation directory.

Step 2. Enter the following command exactly as shown on a single line:

   JspBatchCompiler -enterpriseapp.name IBM_Tivoli_Privacy_Manager -webmodule.name privacy.war -cell.name cell_name -node.name node_name -server.name server_name

For the AIX, Linux, or Sun Solaris operating systems:

Step 1. Go to the was_install/bin directory, where was_install is the WebSphere Application Server installation directory.

Step 2. Enter the following command exactly as shown on a single line:

   JspBatchCompiler.sh -enterpriseapp.name IBM_Tivoli_Privacy_Manager -webmodule.name privacy.war -cell.name cell_name -node.name node_name -server.name server_name

Starting the Tivoli Privacy Manager enterprise application

When the Tivoli Privacy Manager enterprise application is installed and deployed in the WebSphere Application Server environment, it can be started and users can access the Tivoli Privacy Manager console. To start the Tivoli Privacy Manager enterprise application, use the WebSphere Administrative Console.

From the WebSphere Administrative Console 4.x:

Step 1. Click WebSphere Administrative Domain → Enterprise Applications to expand the tree.

Step 2. Right-click IBM_Tivoli_Privacy_Manager.

Step 3. Click Start.

After the Tivoli Privacy Manager enterprise application has started, an information dialog box is displayed indicating that the application started successfully. Click OK to close the dialog box.

From the WebSphere Administrative Console 5.x:

Step 1. Click Applications → Enterprise Applications to display the list of installed applications.

Step 2. Click the IBM_Tivoli_Privacy_Manager check box.

Step 3. Click Start.

After the Tivoli Privacy Manager enterprise application has started, the status field contains a green arrow.

To start the console you will need to open a supported Web browser. When the Web browser is ready, go to the following URL:

http://server_name:9080/privacy

where, server_name is the host name of the machine where the Tivoli Privacy Manager application is installed.

You can begin using the product when the Tivoli Privacy Manager Welcome screen is presented. For information about using the console refer to the IBM Tivoli Privacy Manager User’s Guide.

Configuring Tivoli Access Manager

Two tasks must be completed to communicate with IBM Tivoli Access Manager for e-business:

• Configure the Tivoli Access Manager Java Runtime Environment
• Configure the Tivoli Access Manager environment

Configuring the Java Runtime Environment

Configuring the Tivoli Access Manager Java Runtime Environment (PDJRTE) is a one-time task. This task configures the WebSphere Application Server Java virtual machine (JVM) as the JVM to be used for accessing Tivoli Access Manager server.

If you selected to configure the PDJRTE during the Tivoli Privacy Manager installation (see 10 on page 12), skip the following configuration steps and continue with “Configuring the Tivoli Access Manager environment”.

To configure the PDJRTE, use the Tivoli Access Manager pdjrtecfg command. From a command line interface:

1. Change to the accmg_install/sbin directory, where accmg_install is the Tivoli Access Manager installation directory.

2. Enter the following command:

   pdjrtecfg -action config -java_home was_install/java/jre

   -action config
      Configures the Tivoli Access Manager Java Runtime Environment.

   -java_home jre_path/java/jre
      Specifies the fully qualified path to the Java Runtime Environment, for example:

      was_install/java/jre

      where was_install is the WebSphere Application Server installation directory.

Configuring the Tivoli Access Manager environment

Configuration information must be exchanged between the Tivoli Privacy Manager server and the Tivoli Access Manager server for communication to flow between them. Use the Tivoli Privacy Manager console to perform this configuration task. Before starting ensure the LDAP server and Tivoli Access Manager server are running. Log on to the console using a user ID assigned to the ADMIN_STAFF role. From the task list in the My Work section of the console, click Configure Tivoli Access Manager. The following configuration information is required:

Configuration User
   A unique ID for the Tivoli Privacy Manager server to communicate with Tivoli Access Manager. A unique ID is required for each instance of the Tivoli Privacy Manager server. During the configuration process, the configuration ID is created and added to the Tivoli Access Manager list of IDs. This ID identifies the Tivoli Privacy Manager server to the Tivoli Access Manager server. If the ID specified is already defined for another Tivoli Privacy Manager server, the configuration process will fail.

Password for sec_master
   The password assigned to the Tivoli Access Manager sec_master user ID. Contact the Tivoli Access Manager administrator for this password.

Management Server Hostname
   Host name assigned to the Tivoli Access Manager server. Contact the Tivoli Access Manager administrator for the host name.

Management Server Port Number
   Port number for the Tivoli Access Manager server. The default value is 7135. Contact the Tivoli Access Manager administrator for the port number.

Click OK or Apply for the configuration data to be exchanged between the Tivoli Privacy Manager server and the Tivoli Access Manager server.

Enabling language support

To enable support for non-English languages, you must install the Tivoli Privacy Manager language pack after deploying the Tivoli Privacy Manager enterprise application into the WebSphere Application Server environment.

Use the java -jar languageSupport_install.jar command to install the language pack. The language pack is located in the root directory of the Tivoli Privacy Manager installation CD.

See “Removing the language pack” on page 55 for instructions on removing the language pack.

Language support in a clustered environment

In a WebSphere Application Server Version 5 clustered environment, the language pack is not automatically applied to the clustered machines. After the language pack is installed on the primary machine, the language files need to be copied to the clustered machines.

Files to be copied are in the directory structure where Tivoli Privacy Manager is deployed in the WebSphere Application Server environment. Copy the files into the corresponding directory on the clustered machine.

__ Step 1. Copy the l10n directory containing the Tivoli Privacy Manager resources located in the following directory:

  was_install/AppServer/installedApps/cell_name/IBM_Tivoli_Privacy_Manager.ear/l10n

  was_install
    Name of the WebSphere Application Server installation directory.

  cell_name
    Name of the machine on which the language pack is installed.


__ Step 2. Copy the help files from the following directory. There is a separate directory for each language. Each directory is identified with a unique two-character identifier. For example, "fr" is the directory containing French.

  was_install/AppServer/installedApps/cell_name/privacy.war/help


Chapter 4. Setting up the LDAP monitor

After the Tivoli Privacy Manager LDAP Monitor component has been successfully installed, it must be configured and started to be operational. Other tasks such as classifying storage data and monitor administration must be done before the monitor begins the task of monitoring data and reporting the use of PII to the Tivoli Privacy Manager server. This chapter describes the configuration and deployment tasks related to the Tivoli Privacy Manager LDAP monitor.

LDAP storage system data

The LDAP monitor uses an index of the directory information tree (DIT) to assist the monitoring of traffic. The index is created by the LDAP monitor based on the monitor properties provided during startup processing of the monitor. An understanding of the LDAP storage system DIT is critical to specifying these properties.

Information in the DIT is stored hierarchically using distinguished names (DN). A DN is made up of attributetype and attributevalue pairs called relative distinguished names (RDN). The tree starts at the root and children are added, creating more specific entries. For example (see Figure 2), the root DN of an LDAP DIT could be c=US. The c is an LDAP attributetype and the US is the attributevalue. A child could be created off the root DN called o=ibm. The DN for the child would now be o=IBM,c=US. LDAP DNs move from most specific to least specific as you move from left to right. The DN for an R&D employee could be cn=first last, ou=R&D, o=IBM, c=US.

Figure 2. LDAP storage system data (directory tree, from the root down: c=US; o=IBM; ou=R&D, sc=systemConfig, ou=Marketing; cn=first last, cn=system1)


Creating the directory information tree index

The index of the DIT is created after the monitor is started. Information provided in the ldapMonitor.properties file is used to determine the attributes and attribute hierarchy of the index. The schema processing properties identify the location of the LDAP schema file and any vendor-specific attributes, which are extensions to the standard LDAP attributes. Properties under the DIT index management category identify filters and master keys used by the monitor to determine what information to monitor and its location in the LDAP monitor DIT.

The LDAP monitor uses the index of the DIT to give it an edge in monitoring LDAP traffic. For example (see Figure 2 on page 37), assume that a company stores all of its system configuration in DNs that follow the convention cn=system1, sc=systemConfig, o=IBM, c=US. None of these entries need to be monitored because they do not contain PII. However, there might be thousands of these entries, which makes it difficult for the administrator and the monitor to manage. The LDAP monitor uses abbreviated DNs to overcome this problem. An abbreviated DN is simply a DN that includes only the attributetypes. For example, the abbreviated DN for cn=system1, sc=systemConfig, o=IBM, c=US would be cn, sc, o, c. The abbreviated DN allows one representation of an indefinite number of real LDAP DNs. The abbreviated DN cn, sc, o, c would match all of the system configuration DNs and the monitor would know to ignore the traffic.

Filtering

Filtering provides for the exclusion of DIT subtrees that do not contain any PII. For example, the subtree of the DIT containing system configuration information does not need to be monitored. Specifying these subtrees as filtering properties puts them in the index of the DIT. The filters will keep the monitor from examining the subtrees, but the DIT index will keep a record of the filtered subtrees. The filter properties use the abbreviated DN format described in “Creating the directory information tree index”.

Master key

A list of master keys associated with the monitored storage system is contained in the index of the DIT. The DIT index management properties provide information for identifying master keys.

The LDAP monitor uses an abbreviated DN and an LDAP attributetype to find a master key for a record with PII-tagged storage locations. When the monitor sees a DN that matches a master key abbreviated DN, it conducts a search using the DN and the master key attributetype to collect the master key. For example (see Figure 2 on page 37), a master key abbreviated DN/attributetype pair is cn,o,c/ePersonDNPointer. When the monitor sees the DN cn=first last, o=IBM, c=US flow in the traffic and the DN contains PII-tagged storage locations, the monitor retrieves the value for ePersonDNPointer from cn=first last, o=IBM, c=US. If the value for ePersonDNPointer is cn=first m last, o=IBM, c=US, it is used instead of the master key value cn=first last, o=IBM, c=US.
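The abbreviated-DN matching described in the filtering and master key sections above can be worked through in code. The following is an added example, not code from the guide or the product: the function names are hypothetical, the property values are constructed from the guide's own worked examples, and it assumes exact matching of abbreviated DNs with filters checked before master keys. It goes slightly beyond the guide's examples by handling backslash-escaped commas and multi-valued RDNs, and by rejecting a TOTAL count that does not match the numbered entries.

```python
"""Abbreviated-DN matching as the guide describes it (added example)."""

# Constructed from the guide's worked examples: the system-configuration
# filter cn,sc,o,c and the master key pair cn,o,c/ePersonDNPointer.
SAMPLE_PROPS = {
    "LDAP.MONITOR.DN.FILTER.TOTAL": "1",
    "LDAP.MONITOR.DN.FILTER.1": "cn, sc, o, c",
    "LDAP.MONITOR.MASTER.KEY.TOTAL": "1",
    "LDAP.MONITOR.MASTER.KEY.DN.1": "cn,o,c",
    "LDAP.MONITOR.MASTER.KEY.ATTR.1": "ePersonDNPointer",
}


def split_unescaped(text, sep):
    """Split on sep, skipping separators escaped with a backslash."""
    parts, current, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])   # keep the escape pair together
            i += 2
        elif text[i] == sep:
            parts.append("".join(current))
            current = []
            i += 1
        else:
            current.append(text[i])
            i += 1
    parts.append("".join(current))
    return parts


def abbreviate(dn):
    """Reduce a DN to its attributetypes: 'cn=a, o=IBM, c=US' -> 'cn,o,c'."""
    types = []
    for rdn in split_unescaped(dn, ","):
        names = []
        for pair in split_unescaped(rdn, "+"):      # multi-valued RDN
            name, eq, _value = pair.partition("=")
            if not eq or not name.strip():
                raise ValueError(f"malformed RDN {rdn!r} in DN {dn!r}")
            names.append(name.strip().lower())      # types are case-insensitive
        types.append("+".join(sorted(names)))
    return ",".join(types)


def normalize(abbreviated_dn):
    """Canonical form of an abbreviated DN taken from a property value."""
    return ",".join(p.strip().lower() for p in abbreviated_dn.split(","))


def numbered(props, total_key, *prefixes):
    """Read <prefix>.1 .. <prefix>.TOTAL, requiring a complete set per entry."""
    total = int(props.get(total_key, "0"))          # guide: default is 0
    rows = []
    for n in range(1, total + 1):
        keys = [f"{prefix}.{n}" for prefix in prefixes]
        missing = [k for k in keys if not props.get(k, "").strip()]
        if missing:
            raise ValueError(f"{total_key}={total} but {missing} not set")
        rows.append(tuple(props[k].strip() for k in keys))
    return rows


def load_index(props):
    """Build the filter set and master-key map from monitor properties."""
    filters = {normalize(dn) for (dn,) in numbered(
        props, "LDAP.MONITOR.DN.FILTER.TOTAL", "LDAP.MONITOR.DN.FILTER")}
    master_keys = {normalize(dn): attr for dn, attr in numbered(
        props, "LDAP.MONITOR.MASTER.KEY.TOTAL",
        "LDAP.MONITOR.MASTER.KEY.DN", "LDAP.MONITOR.MASTER.KEY.ATTR")}
    return filters, master_keys


def classify(dn, index):
    """Return (action, master_key_attribute) for a DN seen in LDAP traffic."""
    filters, master_keys = index
    short = abbreviate(dn)
    if short in filters:
        return ("ignore", None)                     # filtered subtree, no PII
    if short in master_keys:
        return ("lookup-master-key", master_keys[short])
    return ("monitor", None)


if __name__ == "__main__":
    index = load_index(SAMPLE_PROPS)
    for dn in ("cn=system1, sc=systemConfig, o=IBM, c=US",
               "cn=first last, o=IBM, c=US",
               "cn=first last, ou=R&D, o=IBM, c=US"):
        print(f"{abbreviate(dn):12} {classify(dn, index)}  <- {dn}")
```

Running a planned filter list through such a check before starting the monitor shows which DNs a filter would exclude from monitoring, which matters because an over-broad abbreviated DN silently removes PII-bearing entries from view.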

Configuring the LDAP Monitor

The following tasks must be completed to configure the LDAP Monitor:
- Provide the appropriate property file to configure the communication protocol
- Define the authentication options to configure the WebSphere security
- Specify the LDAP monitor properties defining communication between the LDAP monitor and Tivoli Privacy Manager server


Configuring the communication protocol

Communication between the Tivoli Privacy Manager server and LDAP server occurs using either Internet Inter-ORB Protocol (IIOP) or Web services (Hypertext Transfer Protocol (HTTP) or Hypertext Transfer Protocol over secure socket layer (HTTPS)).

Using the IIOP protocol

The iiop.sdk.properties file is located in the pm_install/ldapmon directory, where pm_install is the name of the Tivoli Privacy Manager installation directory. The property file contains the communication information used for communication between the LDAP server and Tivoli Privacy Manager server over an IIOP communication protocol.

Before starting the LDAP monitor, you must edit the iiop.sdk.properties file and make the appropriate changes. Optional properties contain the comment character (#) and will not be used unless the comment character is deleted and a value is specified. Replace the < and > symbols and all data between these symbols with the desired value.

Table 24 describes the properties contained in the iiop.sdk.properties file.

Table 24. Properties for IIOP protocol

Attribute
  Value

PSAClass=
  Indicates the communication protocol being used. The only allowable value is iiop for the iiop.sdk.properties file.

  The default value is iiop.

InitialContextFactory=
  Identifies the class name of the JNDI InitialContextFactory to be used. The value is determined by the provider of your J2EE environment.

  The default is com.ibm.websphere.naming.WsnInitialContextFactory. This value is provided by WebSphere Application Server.


ProviderURL=
  Identifies the provider URL used for communicating with WebSphere Application Server. The syntax is:

    iiop://myhost<:myport>

  myhost
    The host running the Tivoli Privacy Manager server.

  myport
    The port number of the server. The port number is optional. The default values for port number are:
    - 900 for WebSphere 4.x
    - 2809 for WebSphere 5.x

  For a clustered environment the syntax is dependent on the WebSphere Application Server version in your environment.

  WebSphere Application Server 5.x environment is:

    corbaloc:://myhost<:myport>,myhost<:myport>....

  WebSphere Application Server 4.x environment is:

    iiop://myhost<:myport>

  myhost
    For WebSphere Application Server 4.x, the name of any host running the Tivoli Privacy Manager server in the cluster.

    For WebSphere Application Server 5.x, you will need to specify the name of each host running the Tivoli Privacy Manager server in the cluster.

Additionally, the iiop.sdk.properties file contains the JNDI names to which the Privacy Manager EJBs were mapped when the Privacy Manager application was installed into WebSphere Application Server. The default JNDI names are:

  MonitorConnectionEJBName=btb120/com/ibm/btb/cms/session/MonitorConnectionHome
  StorageLocationManagerEJBName=btb120/com/ibm/btb/cms/session/StorageLocationManagerHome
  SubmissionServerEJBName=btb120/com/ibm/btb/server/consent/ConsentHome
  AccessServerEJBName=btb120/com/ibm/btb/server/access/AccessHome
  EnforcementServerEJBName=btb120/com/ibm/btb/server/conformance/ConformanceEngineHome
  BeanCounterEJBName=btb120/com/ibm/btb/beancounter/BeanCounterHome

You will need to verify that these JNDI names are the ones being used in your environment.

Considerations when specifying a user ID and password

A user ID and password are needed to allow communication between the LDAP monitor and Tivoli Privacy Manager server. The user ID specified must be assigned the MONITOR role (during the deployment of the Tivoli Privacy Manager application program into the WebSphere Application Server environment) for the necessary authorization to communicate with the Tivoli Privacy Manager server. Refer to “Deploying Tivoli Privacy Manager into the WebSphere Application Server environment” on page 27 for deployment information.
- The user ID and password must not be specified in the iiop.sdk.properties file.
- The user ID and password method must be specified in the sas.client.props file.

See “Using the Web services protocol” on page 41 for details.


Using the Web services protocol

The ws.sdk.properties file is located in the pm_install/ldapmon directory, where pm_install is the name of the Tivoli Privacy Manager installation directory. The property file contains the communication information used for communication between the LDAP server and Tivoli Privacy Manager server over a Web services communication protocol. Before starting the LDAP monitor, you must edit the ws.sdk.properties file and make the appropriate changes.

Table 25 describes the properties contained in the ws.sdk.properties file.

Table 25. Properties for Web services protocol

Attribute
  Value

PSAClass=
  Defines the Web services communication protocol being used. The only allowable value for the ws.sdk.properties file is webservice.

  The default value is webservice.

Host=
  Identifies the host name of the Tivoli Privacy Manager server.

  The default value is the local host.

Port=
  Identifies the port number used by the socket on which the Tivoli Privacy Manager server is listening.

  The default value is 9080.

Transport=
  Defines the transport mechanism used for communication between the LDAP monitor and Tivoli Privacy Manager server.

  The default value is http. Use https if you provide and configure a JSSE provider. When using http, the username and password are transmitted in clear text.

Userid=
  Specifies the userid used to log in to the WebSphere Application Server domain where the Tivoli Privacy Manager server is located. The monitor must authenticate with the Privacy Manager server in order to perform its duties. If this property is not provided, the monitor will attempt to operate anonymously.

Password=
  Specifies the password associated with the Userid property. The monitor will attempt to log in without a password if Password is not specified and Userid is specified.

SSLProtocolHandler=
  Identifies the secure socket layer (SSL) protocol handler used when Transport=https is specified. This property is required for the https transport when running on a 1.3.x JVM, and should correspond to the JSSE provider in use. Note that this JSSE provider must also be listed in the JVM’s java.security file and might need to be added to the classpath.

SSLTrustStoreLocation=
  Specifies a fully qualified path to the trust file containing public keys. The trust store is used to establish that the server’s certificate can be trusted by the client.
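Table 25 carries several security-relevant defaults: http sends the credentials in clear text, a missing Userid means anonymous operation, and a missing Password means a login without one. The following added example (not part of the guide or the product) checks a ws.sdk.properties file for those conditions and shows a weak configuration beside a corrected one. The function names and finding codes are hypothetical, and the sample host, port 9443, credentials, trust store path and SSLProtocolHandler value are constructed placeholders.

```python
"""Check ws.sdk.properties against the cautions in Table 25 (added example)."""
import ntpath
import posixpath

# Constructed sample: default http transport with credentials present.
WEAK = """\
# ws.sdk.properties (constructed sample)
PSAClass=webservice
Host=pm.example.com
Port=9080
Transport=http
Userid=ldapmon
Password=constructed-password
"""

# Constructed sample: https with a handler and a fully qualified trust file.
# The SSLProtocolHandler value is a placeholder, not a real provider name.
HARDENED = """\
PSAClass=webservice
Host=pm.example.com
Port=9443
Transport=https
Userid=ldapmon
Password=constructed-password
SSLProtocolHandler=example.jsse.protocol.handler
SSLTrustStoreLocation=/opt/pm/ldapmon/monitor-trust.jks
"""


def parse_properties(text):
    """Parse key=value lines, skipping blanks and '#' comment lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def audit_ws_sdk(text):
    """Return [(severity, code, message)] for ws.sdk.properties content."""
    p = parse_properties(text)
    out = []
    psa = p.get("PSAClass") or "webservice"          # guide: default webservice
    transport = (p.get("Transport") or "http").lower()  # guide: default http
    userid, password = p.get("Userid", ""), p.get("Password", "")

    if psa != "webservice":
        out.append(("error", "BAD_PSACLASS",
                    "PSAClass must be webservice in ws.sdk.properties"))
    if transport not in ("http", "https"):
        out.append(("error", "BAD_TRANSPORT",
                    f"Transport={transport} is neither http nor https"))
    if not userid:
        out.append(("warn", "ANONYMOUS",
                    "Userid not set: the monitor will attempt to operate "
                    "anonymously"))
    elif not password:
        out.append(("warn", "NO_PASSWORD",
                    "Userid set without Password: the monitor will attempt "
                    "to log in without a password"))
    if transport == "http" and userid:
        out.append(("high", "CLEARTEXT_CREDENTIALS",
                    "Transport=http transmits the username and password in "
                    "clear text; use https"))
    if transport == "https":
        if not p.get("SSLProtocolHandler"):
            out.append(("info", "NO_SSL_HANDLER",
                        "SSLProtocolHandler is required for https on a "
                        "1.3.x JVM"))
        trust = p.get("SSLTrustStoreLocation", "")
        if not trust:
            out.append(("warn", "NO_TRUSTSTORE",
                        "SSLTrustStoreLocation not set: no trust file is "
                        "named for checking the server certificate"))
        elif not (posixpath.isabs(trust) or ntpath.isabs(trust)):
            out.append(("warn", "RELATIVE_TRUSTSTORE",
                        "SSLTrustStoreLocation must be a fully qualified "
                        "path"))
    return out


if __name__ == "__main__":
    for name, sample in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        findings = audit_ws_sdk(sample)
        print(name, "->", findings if findings else "no findings")
```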

Configuring WebSphere security

The sas.client.props file is a WebSphere Application Server configuration file, typically located in the was_install/properties directory, where was_install is the name of the WebSphere Application Server installation directory. Tivoli Privacy Manager requires specifying the authentication options described in Table 26. The authentication options are used by the WebSphere Application Server secure association services (SAS) component. Before starting the LDAP monitor, you must edit the sas.client.props file and make the appropriate changes.

Table 26. WebSphere Application Server security options

Attribute
  Value

com.ibm.CORBA.loginSource=
  Indicates the source for the user IDs and passwords. Specify one of the following values:

  prompt
    The user is prompted to enter a user ID and password. A graphical panel is presented for collecting the user ID and password.

  properties
    The authentication values are contained in the file by specifying the following properties:
      com.ibm.CORBA.loginUserid=
      com.ibm.CORBA.loginPassword=

  stdin
    The user is prompted to enter a user ID and password through a non-graphical console prompt.

com.ibm.CORBA.loginUserid=
  Specifies an authorized user of the user registry, used when com.ibm.CORBA.loginSource= is specified.

  There is no default value.

com.ibm.CORBA.loginPassword=
  Specifies the password associated with the specified user ID.

  There is no default value.

Updating the LDAP monitor properties

The ldapMonitor.properties file is located in the pm_install/ldapmon directory, where pm_install is the name of the Tivoli Privacy Manager installation directory. The properties file contains the configuration information for the LDAP monitor. The properties defined in the file describe the communication behavior between the LDAP monitor and the Tivoli Privacy Manager server, and the file is referenced each time the LDAP monitor is started.

Table 27 on page 43 describes the required properties and Table 28 on page 43 describes the optional properties. Before the LDAP monitor is started, you must edit the ldapMonitor.properties file and make the appropriate changes to at least the required properties. The values for these properties are contained in the file between the < and > symbols. These symbols must be removed and the values changed appropriately. For the optional properties, if the value is not defined in the file or is incorrect, the default (if any) value is used. Also, refer to the beginning of the file for coding restrictions.

The network configuration affects the values in the ldapMonitor.properties file, such as the use of multiple LDAP monitors for a single LDAP server. Refer to the IBM Tivoli Privacy Manager Planning Guide for details and considerations for modifying the properties file.


Several properties can be changed after the monitor is started. The monitor, at five-minute intervals, checks for changes to the properties file. This interval is based upon the polling interval that is defined using the Tivoli Privacy Manager console. Changes made after startup take effect when the monitor does this check. Dynamic changes are made by editing the file and changing the properties. The following properties can be changed after the monitor is started:
- LDAP.MONITOR.IS.LOGGING
- LDAP.MONITOR.IS.TRACING

Table 27. Required LDAP monitor properties

Attribute
  Value

LDAP.MONITOR.CLIENT.SIDE.PORT
  The port number used by the LDAP monitor to listen for LDAP client traffic.

  The typical port number for the LDAP client is 1389.

LDAP.MONITOR.SERVER.SIDE.HOST
  Internet address of the LDAP server. The value must equal the host name or IP address of the LDAP server.

LDAP.MONITOR.SERVER.SIDE.PORT
  The port number for the LDAP server.

  The typical port number assigned to the LDAP server is 389.

Table 28. Optional LDAP monitor properties

Attribute
  Value

Monitor Configuration
  Attributes used by the Tivoli Privacy Manager server for locating the LDAP monitor.

LDAP.MONITOR.DESCRIPTION
  Description associated with the monitor.

LDAP.MONITOR.NAME
  A unique name assigned to the LDAP monitor. This is the name used by the Tivoli Privacy Manager server.

  If this attribute is omitted, the value is host_name.LDAPMonitor, where host_name is the host name of the server on which the LDAP monitor is installed.

LDAP.MONITOR.PSA.TYPE
  The method of communication used between the LDAP monitor and Tivoli Privacy Manager server.

  The default value is SDK.

Logging and Tracing
  Properties used by the LDAP monitor for log and trace attributes.

LDAP.MONITOR.LOG.FILE.NAME
  The name of the file used to record log messages. If a fully qualified path is not specified, the file is located in the directory where the LDAP monitor is started.

  If this attribute is omitted, the value is host_name.ldapmonitor.log, where host_name is the name of the server on which the LDAP monitor is installed.


LDAP.MONITOR.LOG.FILE.SIZE.LIMIT
  The maximum size in megabytes of the log and trace files.

  The default is 50 megabytes. There is no upper limit.

LDAP.MONITOR.IS.LOGGING
  Flag indicating if logging is active.

  0  Inactive
  1  Active

  The default value is 1.

LDAP.MONITOR.LOG.FILE.RECORD.SIZE.MULTIPLE
  An even integer used to define the length of a log record. The value specified is multiplied by 64 to obtain the size of a log record. Trace records exceeding the trace record length are truncated.

  The default is 4.

LDAP.MONITOR.TRACE.FILE.NAME
  The name of the file used to record trace entries. If a fully qualified path is not specified, the file is located in the directory where the LDAP monitor is started.

  If this attribute is omitted, the value is host_name.ldapmonitortrace.log, where host_name is the host name of the server on which the LDAP monitor is installed.

LDAP.MONITOR.IS.TRACING
  Flag indicating if tracing is active.

  0  Inactive
  1  Active

  The default value is 0.

LDAP.MONITOR.TRACE.FILE.SIZE.LIMIT
  The size the trace file reaches before new messages are recorded at the beginning of the trace file. Specify the size in megabytes.

  The default value is 50. There is no upper limit.

LDAP.MONITOR.TRACE.FILE.RECORD.SIZE.MULTIPLE
  An even integer used to define the length of a trace record. The value specified is multiplied by 64 to obtain the size of a trace record. Trace records exceeding the trace record length are truncated.

  The default is 4.

Schema Processing
  Properties related to the LDAP schema for communication between the LDAP monitor and LDAP server. The LDAP database administrator should be consulted for values.


LDAP.SCHEMA.EXT.TOTAL
  The number of vendor-specific attributes. Each vendor-specific attribute is defined as a set of the following properties:
  - LDAP.SCHEMA.EXT.ATTR.#
  - LDAP.SCHEMA.EXT.ATTR.NAME.#
  - LDAP.SCHEMA.EXT.ATTR.DESC.#

  Where # is the integer value associated with the vendor-specific attributes. Start with the value of 1 and increase the value by 1 for each attribute. Each attribute must contain a complete set of the three properties listed above.

  The default is 0, indicating there are no vendor-specific attributes associated with the LDAP storage system being monitored. There is no upper limit.

LDAP.SCHEMA.EXT.ATTR.#
  The name of a vendor-specific LDAP schema attribute. The value is not the name of the property itself but the definition of the extended attributetype.

  # is the integer value associated with the vendor-specific attribute. There must be matching LDAP.SCHEMA.EXT.ATTR.NAME.# and LDAP.SCHEMA.EXT.ATTR.DESC.# properties coded.

LDAP.SCHEMA.EXT.ATTR.NAME.#
  The NAME key word of the vendor-specific attribute.

LDAP.SCHEMA.EXT.ATTR.DESC.#
  The DESCRIPTION key word of the vendor-specific attribute.

DIT Index Management
  Properties related to monitoring the LDAP directory structure.

LDAP.MONITOR.MASTER.KEY.TOTAL
  The number of master key entries stored in the properties file. Each master key entry is defined using the LDAP.MONITOR.MASTER.KEY.DN.# and LDAP.MONITOR.MASTER.KEY.ATTR.# properties.

  The default is 0, indicating there are no master key entries used by the monitor. There is no upper limit.

LDAP.MONITOR.MASTER.KEY.DN.#
  Specifies the location of the master key. Use abbreviated distinguished names. Separate each abbreviated relative distinguished name (RDN) with a comma.

LDAP.MONITOR.MASTER.KEY.ATTR.#
  Specifies the attribute that points to the master key.


LDAP.MONITOR.DN.FILTER.TOTAL
  The number of filter entries defined. Filters are defined using the LDAP.MONITOR.DN.FILTER.# property.

  # is the integer value associated with the property. Start with the value of 1 and increase the value by 1 for each property.

  The default is 0, indicating there are no filters used by the monitor.

LDAP.MONITOR.DN.FILTER.#
  Specifies the subtree domain names in the LDAP directory to be ignored by the monitor. Use abbreviated distinguished names. Separate each abbreviated relative distinguished name (RDN) with a comma.

Runtime Configuration
  Properties related to how the monitor and Tivoli Privacy Manager server communicate.

LDAP.MONITOR.MAX.QUEUE.LENGTH
  The number of entries in the PII record processing queue before the LDAP monitor denies LDAP connections.

  The default is 1000.

LDAP.MONITOR.SERVER.CONNECTIONS.MAX
  Maximum number of connections for sending access and submission records to the Tivoli Privacy Manager server. See note.

  The default is 10.

LDAP.MONITOR.SSA.THREAD.MIN
  Minimum size of the Tivoli Privacy Manager SSA thread pool.

  The default is 5.

LDAP.MONITOR.SSA.THREAD.INCREMENT
  Amount by which the Tivoli Privacy Manager SSA thread pool is increased when necessary.

  The default is 5.

LDAP.MONITOR.SSA.THREAD.MAX
  Maximum number of pending records to be sent to the Tivoli Privacy Manager server.

  The default is 100.

MAX.APPL.CONNECTIONS
  Maximum number of connections used to perform real-time conformance checks. See note.

Note: The sum of the values specified for LDAP.MONITOR.SERVER.CONNECTIONS.MAX and MAX.APPL.CONNECTIONS plus one is the total number of monitor connections to the Tivoli Privacy Manager server.

Sample property file

The following sample LDAP monitor properties file shows one vendor-specified property, one master key identified, and two filters specified.

  LDAP.MONITOR.NAME=LDAPMonitor
  LDAP.MONITOR.DESCRIPTION=LDAP Monitor
  LDAP.MONITOR.PSA.TYPE=SDK
  LDAP.MONITOR.LOG.FILE.NAME=ldapmonitor.log
  LDAP.MONITOR.LOG.FILE.SIZE.LIMIT=50
  LDAP.MONITOR.LOG.FILE.RECORD.SIZE.MULTIPLE=4
  LDAP.MONITOR.TRACE.FILE.NAME=ldapmonitortrace.log
  LDAP.MONITOR.TRACE.FILE.SIZE.LIMIT=50
  LDAP.MONITOR.TRACE.FILE.RECORD.SIZE.MULTIPLE=4
  LDAP.MONITOR.IS.LOGGING=1
  LDAP.MONITOR.TRACE.TO.STDOUT=0
  LDAP.MONITOR.IS.TRACING=0
  LDAP.MONITOR.REFMON.IS.TRACING=0
  LDAP.MONITOR.PSA.IS.TRACING=0
  LDAP.MONITOR.CLIENT.SIDE.PORT=1389
  LDAP.MONITOR.SERVER.SIDE.HOST=ldap.tivoli.com
  LDAP.MONITOR.SERVER.SIDE.PORT=389
  LDAP.SCHEMA.EXT.TOTAL=1
  LDAP.SCHEMA.EXT.ATTR.1=ibmattributetypes
  LDAP.SCHEMA.EXT.ATTR.NAME.1=DBNAME
  LDAP.SCHEMA.EXT.ATTR.DESC.1=DBDESC
  LDAP.MONITOR.MASTER.KEY.TOTAL=1
  LDAP.MONITOR.MASTER.KEY.DN.1=cn,o,c
  LDAP.MONITOR.MASTER.KEY.ATTR.1=ePersonDNPointer
  LDAP.MONITOR.DN.FILTER.TOTAL=1
  LDAP.MONITOR.DN.FILTER.1=cn,ou,o,c
  LDAP.MONITOR.SERVER.CONNECTIONS.MAX=10
  LDAP.MONITOR.SSA.THREAD.MIN=5
  LDAP.MONITOR.SSA.THREAD.INCREMENT=5
  LDAP.MONITOR.SSA.THREAD.MAX=100
  LDAP.MONITOR.MAX.QUEUE.LENGTH=1000
  LDAP.MONITOR.MAX.APPL.CONNECTIONS=10

Starting the LDAP monitor

The Tivoli Privacy Manager server must be installed and functional before you start the LDAP monitor because the LDAP monitor has to communicate with the Tivoli Privacy Manager server.

Table 29 and Table 30 show the commands for starting the LDAP monitor. The commands must be issued from the was_install/bin directory, where was_install is the WebSphere Application Server installation directory.

Table 29. Starting the LDAP monitor using the IIOP protocol

Operating System
  Command

AIX, Linux, Sun Solaris
  run_ldapmon.sh

Windows
  run_ldapmon.bat

Table 30. Starting the LDAP monitor using Web services protocol

Operating System
  Command

AIX, Linux, Sun Solaris
  ws_ldapmon.sh

Windows
  ws_ldapmon.bat

After the properties file has been updated, you can start the LDAP monitor. To start the LDAP monitor, issue the appropriate command using the following syntax:

  command [-background]


-background
  Specifies the LDAP monitor is to run in the background. This parameter applies only when issuing the command in an AIX, Linux, or Solaris environment.

The LDAP monitor startup process requires 16 MB of temporary file space. The LDAP monitor requires 8 MB while it is running.

The command uses the ldapMonitor.properties file as the monitor configuration file.

When the LDAP monitor is started, the following messages are issued:

  BTBLM0004I The LDAP Monitor is starting....
  BTBLM0043I The LDAP Monitor is being configured with the information loaded ...
  BTBLM0062I The LDAP Monitor has retrieved and processed the storage location...
  BTBLM0002I The LDAP Monitor has been successfully initialized.
  BTBLM0005I The LDAP Monitor is active.
  BTBLM0006I Type "stop" and press the "Enter" key to shutdown the LDAP Monitor.

After message BTBLM0004I, a login prompt is displayed to enter a user ID and password. Use an ID and password associated with the MONITOR role defined during configuration of the Tivoli Privacy Manager server. Message BTBLM0005I is displayed when the monitor is active.

Note: If -background is specified on the start command, messages related to monitor processing are not viewable. Messages are recorded in a log file when tracing is active.

LDAP monitor registration process

When the LDAP monitor is started, the registration process with the Tivoli Privacy Manager server begins. During registration, communication is established between the LDAP monitor and the Tivoli Privacy Manager server. Communication is established based on the information supplied in the LDAP monitor properties file.

To understand the values in the properties file, you need to understand the communications between the LDAP monitor, the LDAP server, and the Tivoli Privacy Manager server.


Figure 3 shows a simple network environment with the LDAP monitor installed. The LDAP monitor can be located on the same machine as the LDAP server or the Tivoli Privacy Manager server, or on another machine. A consideration for placement should include network performance. All data submitted to and accessed from the LDAP storage system passes through the LDAP monitor regardless of its PII classification.

The LDAP monitor can be installed with minimum impact to existing LDAP clients. The LDAP.MONITOR.CLIENT.SIDE.PORT property enables you to specify the same port currently used by the LDAP server as the port that is now used by the LDAP monitor. The LDAP.MONITOR.SERVER.SIDE.PORT property is then used to route LDAP requests to the LDAP server.

In addition to registering the monitor with the Tivoli Privacy Manager server, the LDAP monitor provides a list of storage locations to the Tivoli Privacy Manager server. This list is used during the deployment process.

Stopping the LDAP monitor

To stop the LDAP monitor, enter stop or close the command line interface. Using the stop command provides an orderly shutdown of the monitor. The shutdown process does not start until all of the data currently being processed is completed. Closing the command line interface or pressing Ctrl+C stops the session immediately. Any data that has not completed processing is lost.

To stop the LDAP monitor and terminate all data processing immediately, use the force command.

If the monitor is running in the background (see “Starting the LDAP monitor” on page 47), use the kill command to stop the monitor.

Figure 3. LDAP monitor (components shown: Privacy Manager Server, LDAP Monitor, LDAP Client, LDAP Server)


Deploying the LDAP monitor

After the registration process between the LDAP monitor and Tivoli Privacy Manager server is complete, the LDAP monitor passes to the Tivoli Privacy Manager server all of the storage locations associated with the LDAP server. After the storage locations are registered with the Tivoli Privacy Manager server, you can assign registered storage locations to privacy policies.

The deployment process is performed using the Tivoli Privacy Manager console. Using the Tivoli Privacy Manager console, you can determine if the monitor has started, perform monitor administration tasks, and start the monitoring of storage locations for privacy policy conformance. From the Tivoli Privacy Manager console, click Administer Monitors to select the monitor to be deployed. The monitors listed are those for which the registration process is complete. A monitor can be in one of three states:

Not Deployed
    A monitor that is not deployed actively polls the Tivoli Privacy Manager server for updates to monitor properties and storage location information. Because the monitor is not active, it does not monitor access to the storage system.

In Test
    An in-test monitor polls the Tivoli Privacy Manager server and sends notification of data access to the Tivoli Privacy Manager server as does a deployed monitor. However, the Tivoli Privacy Manager server logs access records differently for monitors with a status of In Test.

Deployed
    A deployed monitor actively polls the Tivoli Privacy Manager server for updates to monitor properties and storage location information. Deployed monitors also send notification of data access to the Tivoli Privacy Manager server.

When the deployment of a monitor is complete, the monitor can be changed to In Test or Deployed state.

Until the LDAP monitor is in the Deployed or In Test state, no monitoring of data between the LDAP server and client is performed by the monitor. When the LDAP monitor has successfully started, it becomes involved in the communication between the LDAP server and client and passes the data between the two. After the monitor state is changed to Deployed or In Test, submission and access records to PII are created and access is verified.

Monitor administration

The Administer Monitors task in the Tivoli Privacy Manager console allows you to define additional monitor properties not specified during registration, such as polling interval, status, and master key usage.

Description
    Brief description associated with the monitor. This information is used when a list of monitors is displayed.

Polling Interval
    Interval at which the monitor polls the Tivoli Privacy Manager server for updates. The allowed interval values are 1, 5, 10, 30, 45, and 60 minutes.


Status
    Current state of the monitor.

Activate real-time enforcement
    Specifies whether to prohibit data access by unauthorized users. If real-time enforcement is not specified, the monitor does not prohibit data access for nonconformance to the privacy policy; instead violations are logged to the audit trail.

Master key storage location
    Specifies the master key. For the LDAP monitor, the master key is always the LDAPMonitorFullyQualifiedDN. Additional master keys are specified in the LDAP monitor properties file.

Classifying storage locations

Storage locations used by a policy must be classified in order to be monitored. The Tivoli Privacy Manager console is used to classify storage locations. After monitor registration is complete, use the console to view the list of storage locations known to the monitor.

Classifying storage locations involves identifying each storage location registered with the Tivoli Privacy Manager server as one of the following:
- PII
- Non-PII
- Unclassified

The default value is Unclassified. Only storage locations classified as PII are passed to the Tivoli Privacy Manager server to check for conformance with a privacy policy.

Refer to the IBM Tivoli Privacy Manager Planning Guide and IBM Tivoli Privacy Manager User’s Guide for details on classifying storage locations.


Chapter 5. Uninstalling IBM Tivoli Privacy Manager for e-business

This chapter describes the process of uninstalling Tivoli Privacy Manager. Depending on which Tivoli Privacy Manager component is to be uninstalled, the process will require two or three steps. The overall process involves:
1. Removing the enterprise application from the WebSphere Application Server.
2. Removing the product code.
3. Deleting the installation and product directories.

Step 1 needs to be performed only when uninstalling the Tivoli Privacy Manager server component.

Removing the enterprise application from the WebSphere Application Server

Use the WebSphere Administrative Console to remove the Tivoli Privacy Manager enterprise application from the WebSphere Application Server. Removing the Tivoli Privacy Manager enterprise application does not remove the JDBC and data sources created during the configuration of the Tivoli Privacy Manager server. These resources can be used again to communicate with the database with which they are associated.
- Go to “Uninstall procedures using WebSphere Application Server 4.x” if the level of WebSphere Application Server is Version 4.x.
- Go to “Uninstall procedures using WebSphere Application Server 5.x” on page 54 if the level of WebSphere Application Server is Version 5.x.

Uninstall procedures using WebSphere Application Server 4.x

From the WebSphere Administrative Console do the following to remove the Tivoli Privacy Manager enterprise application from the WebSphere Application Server.
Step 1. From the tree in the left pane of the WebSphere Administrative Console, expand the WebSphere Administrative Domain node.
Step 2. Expand the Enterprise Application node.
Step 3. Under the Enterprise Application node, right-click IBM_Tivoli_Privacy_Manager → Stop.
Step 4. When the information dialog is displayed indicating the application has stopped successfully, click OK.
Step 5. Again, right-click IBM_Tivoli_Privacy_Manager → Remove.
Step 6. Click No when asked if you want to export the application.
Step 7. From the remove confirmation window, click Yes.
Step 8. When the removal process is complete, an information dialog box is displayed. Click OK.

If the temporary directory used by WebSphere Application Server for the Tivoli Privacy Manager enterprise application is not removed during the removal process, you must remove it manually. Leaving the directory can cause problems with a later installation of Tivoli Privacy Manager. The temporary directory is:


was_install/temp/node_name/server_name/IBM_Tivoli_PrivacyManager

was_install
    Name of the WebSphere Application Server installation directory.

node_name
    Hostname of the machine where WebSphere Application Server is installed.

server_name
    Name of the server instance on the node. The default value for WebSphere Application Server Version 4.x is Default_Server and for WebSphere Application Server Version 5.x is Server1.

Uninstall procedures using WebSphere Application Server 5.x

From the WebSphere Administrative Console do the following to remove the Tivoli Privacy Manager enterprise application from the WebSphere Application Server.
Step 1. From the WebSphere Administrative Console, click Applications → Enterprise Applications.
Step 2. Select IBM_Tivoli_Privacy_Manager and click Stop.
Step 3. When the information dialog is displayed indicating the application has stopped successfully, click OK.
Step 4. Again, select IBM_Tivoli_Privacy_Manager → Uninstall.
Step 5. Click No when asked if you want to export the application.
Step 6. From the remove confirmation window, click Yes.
Step 7. When the removal process is complete, an information dialog box is displayed. Click OK.

If the temporary directory used by WebSphere Application Server for the Tivoli Privacy Manager enterprise application is not removed during the removal process, you must remove it manually. Leaving the directory can cause problems with a later installation of Tivoli Privacy Manager. The temporary directory is:

was_install/temp/node_name/server_name/IBM_Tivoli_PrivacyManager

was_install
    Name of the WebSphere Application Server installation directory.

node_name
    Hostname of the machine where WebSphere Application Server is installed.

server_name
    Name of the server instance on the node. The default value for WebSphere Application Server Version 4.x is Default_Server and for WebSphere Application Server Version 5.x is Server1.

Removing the product code

To remove the Tivoli Privacy Manager components from the installation directory, use either the operating system remove function or the uninstall program. This step removes the files related to the component from the installation directory. Files created by the database are not removed.

Removing from Windows

Use the Windows Add/Remove Programs to remove the product.
1. From the Control Panel, click Add/Remove Programs.


2. Locate "IBM Tivoli Privacy Manager for e-business Version 1.2" in the list of currently installed programs and click Change/Remove.

Removing from AIX, Linux, and Sun Solaris

Use the uninstall program created during the installation process to remove the product.
1. Open a command line interface.
2. Issue the following command: pm_install/_uninst/PMremove where pm_install is the name of the Tivoli Privacy Manager installation directory.
3. A list of installed component features is displayed. You can select specified features to uninstall. This is useful for selectively removing a component.

Note: When uninstalling the Tivoli Privacy Manager server, LDAP monitor, and Monitor SDK, the associated features to be removed are listed. Electing not to remove a feature makes the component unusable.

Deleting product directories

Some files and directories are not completely removed after the uninstall program has completed. Typically, log or data files created in the installation directory after the product is installed are not removed. The uninstall program removes only those files added during the installation process. When the uninstall completes, you can delete any remaining files and directories in the Tivoli Privacy Manager installation directory. Be sure to save any files such as log files, properties files, and script files you want to keep before deleting the directory.
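The manual cleanup described in this chapter, as an added shell example that is not part of the IBM guide: it copies log, properties, and script files out of the installation directory before the directory is deleted, and it reports whether the WebSphere temporary directory named earlier is still present. The function names, the MANIFEST.txt file, and the file-name patterns (*.log, *.properties, *.sh, *.bat) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not IBM-supplied code. Function names, MANIFEST.txt and the
# file-name patterns are assumptions; file names containing newlines are not
# supported.

# pm_preserve_files PM_INSTALL BACKUP_DIR
# Copies log, properties and script files found under PM_INSTALL into
# BACKUP_DIR, keeping relative paths and timestamps. Writes the list of
# preserved files to BACKUP_DIR/MANIFEST.txt and prints how many were copied.
pm_preserve_files() {
    pm_install=$1
    backup_dir=$2
    [ -d "$pm_install" ] || { echo "not a directory: $pm_install" >&2; return 2; }
    install_abs=$(cd "$pm_install" && pwd) || return 2

    created=0
    if [ ! -d "$backup_dir" ]; then
        mkdir -p "$backup_dir" || return 2
        created=1
    fi
    backup_abs=$(cd "$backup_dir" && pwd) || return 2

    # Refuse a backup location inside the directory that is about to be deleted.
    case "$backup_abs/" in
        "$install_abs"/*)
            echo "backup directory must be outside $install_abs" >&2
            [ "$created" -eq 1 ] && rmdir "$backup_abs"
            return 2 ;;
    esac

    manifest="$backup_abs/MANIFEST.txt"
    (cd "$install_abs" && find . -type f \
        \( -name '*.log' -o -name '*.properties' -o -name '*.sh' -o -name '*.bat' \) \
        -print) > "$manifest" || return 2

    count=0
    while IFS= read -r rel; do
        dest="$backup_abs/${rel#./}"
        mkdir -p "$(dirname "$dest")" && cp -p "$install_abs/$rel" "$dest" || return 2
        count=$((count + 1))
    done < "$manifest"
    echo "$count"
}

# pm_was_temp_leftover WAS_INSTALL NODE_NAME SERVER_NAME
# Prints the temporary directory path given in the guide. Returns 0 when the
# directory still exists (manual removal needed) and 1 when it is gone.
pm_was_temp_leftover() {
    dir="$1/temp/$2/$3/IBM_Tivoli_PrivacyManager"
    echo "$dir"
    [ -d "$dir" ]
}
```

Run pm_preserve_files after the uninstall program completes and before deleting the installation directory; PMremove.log is among the files it keeps.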

Removing the language pack

To remove the Tivoli Privacy Manager components from the installation directory, use either the operating system remove function or the uninstall program. This step removes the files related to the component from the installation directory. Files created by the database are not removed.

Removing from Windows

Use the uninstall program created during the installation process to remove the product.
1. Open a command line interface.
2. Issue the following command:

java -jar "Program Files\IBM\PrivacyManagerLP\LP_uninst\uninstall.jar"

Removing from AIX and Sun Solaris

Use the uninstall program created during the installation process to remove the product.
1. Open a command line interface.
2. Issue the following command:

java -jar /opt/IBM/PrivacyManagerLPJ/Privacy/LP_uninst/uninstall.jar

Troubleshooting problems when uninstalling

The PMremove.log file is updated or created during the uninstall process. This file is created in the installation root directory. In addition, the final panel of the uninstall process can contain error information.


Refer to the IBM Tivoli Privacy Manager Problem Determination Guide for help with troubleshooting problems, message descriptions, and information on contacting the Tivoli Support Center.


Appendix A. Installation checklist

Before you start the installation process, you will need the following information:
__ Target installation directory
__ Tivoli Access Manager installation directory
__ Password for the Tivoli Access Manager sec_master user ID
__ Hostname for the Tivoli Access Manager server
__ Port number for the Tivoli Access Manager server
__ DB2 server name
__ DB2 instance owner user ID
__ DB2 instance owner password
__ Tivoli Privacy Manager database name
__ Tivoli Privacy Manager database alias name
__ WebSphere administrator ID
__ WebSphere administrator password

If you install the LDAP Monitor component, you need the following additional information:
__ LDAP properties file name
__ LDAP monitor name


Appendix B. File inventory

This section contains the list of files included in the installation directory when you install the product. All files are installed in the Tivoli Privacy Manager installation directory. The base files are always installed. Additional files are installed based on the Tivoli Privacy Manager component installed. For example, when installing the LDAP Monitor component, the files listed in the base section and those listed in the LDAP Monitor section are installed.

Note: Some files are listed twice because the file is operating-system specific, for example PMremove and PMremove.exe. The file installed is the one appropriate for the operating system. File PMremove is installed if the operating system is AIX or Solaris and PMremove.exe is installed if the operating system is Windows.

Base

The files listed as base files are installed regardless of the Tivoli Privacy Manager component installed.

_jvm
_uninst
_uninst\PMremove(.exe)
_uninst\uninstall.dat
_uninst\uninstall.jar
lib
lib\buildinfo.properties
lib\utils.jar
license
license\Chinese.txt
license\Chinese_TW.txt
license\Czech.txt
license\English.txt
license\French.txt
license\German.txt
license\Italian.txt
license\Japanese.txt
license\Korean.txt
license\Polish.txt
license\Portuguese.txt
license\Spanish.txt
license\Turkish.txt

Note: The files contained in the /_jvm/ directory are not listed. The files in this directory differ depending on the operating system platform on which the product is installed.

Tivoli Privacy Manager server

The following files are installed in the Tivoli Privacy Manager installation directory when the Privacy Server component is installed.

bin
bin\setupPMDB(.bat)(.sh)
bin\run_pdjrtecfg.sh {UNIX Only}
ddl
ddl\IBM_Tivoli_Privacy_Manager_audit-jar_Table.ddl
ddl\IBM_Tivoli_Privacy_SAEServer-jar_Table.ddl
ddl\IBM_Tivoli_Privacy_Trim_server_jar_Table.ddl


ddl\IBM_Tivoli_Privacy_admin_ejb_jar-jar_Table.ddl
ddl\IBM_Tivoli_Privacy_cms-jar_Table.ddl
ddl\IBM_Tivoli_Privacy_conformance_cache-jar.ddl
ddl\IBM_Tivoli_Privacy_deploy-jar_Table.ddl
ddl\IBM_Tivoli_Privacy_pes-jar_Table.ddl
ddl\IBM_Tivoli_Privacy_rpt_server_ejb-jar_Table.ddl
lib
lib\privacy.ear

LDAP monitor

The following files are installed in the Tivoli Privacy Manager installation directory when the Privacy LDAP monitor component is installed.

ldapmon
ldapmon\iiop.sdk.properties
ldapmon\ldapMonitor.properties
ldapmon\lib
ldapmon\lib\LDAPMonitor.jar
ldapmon\lib\ldapMonitorUtils.jar
ldapmon\logs
ldapmon\run_ldapmon.bat
ldapmon\ws.sdk.properties
ldapmon\ws_ldapmon(.bat)(.sh)
lib
lib\monitor_support.jar

SDK

The following files are installed in the Tivoli Privacy Manager installation directory when the Privacy Monitor SDK component is installed.

javadoc
javadoc\refmon
javadoc\refmon\allclasses-frame.html
javadoc\refmon\com
javadoc\refmon\com\ibm
javadoc\refmon\com\ibm\btb
javadoc\refmon\com\ibm\btb\monitor
javadoc\refmon\com\ibm\btb\monitor\reference
javadoc\refmon\com\ibm\btb\monitor\reference\ConformanceCheckResults.html
javadoc\refmon\com\ibm\btb\monitor\reference\MonitorAssistantException.html
javadoc\refmon\com\ibm\btb\monitor\reference\MonitorAssistantInterface.html
javadoc\refmon\com\ibm\btb\monitor\reference\ReferenceMonitor.html
javadoc\refmon\com\ibm\btb\monitor\reference\ReferenceMonitorApplicationException.html
javadoc\refmon\com\ibm\btb\monitor\reference\ReferenceMonitorException.html
javadoc\refmon\com\ibm\btb\monitor\reference\ReferenceMonitorFactory.html
javadoc\refmon\com\ibm\btb\monitor\reference\ReferenceMonitorRemoteException.html
javadoc\refmon\com\ibm\btb\monitor\reference\ReferenceMonitorSetupException.html
javadoc\refmon\com\ibm\btb\monitor\reference\class-use
javadoc\refmon\com\ibm\btb\monitor\reference\class-use\ConformanceCheckResults.html
javadoc\refmon\com\ibm\btb\monitor\reference\class-use\MonitorAssistantException.html
javadoc\refmon\com\ibm\btb\monitor\reference\class-use\MonitorAssistantInterface.html
javadoc\refmon\com\ibm\btb\monitor\reference\class-use\ReferenceMonitor.html
javadoc\refmon\com\ibm\btb\monitor\reference\class-use\ReferenceMonitorApplicationException.html
javadoc\refmon\com\ibm\btb\monitor\reference\class-use\ReferenceMonitorException.html
javadoc\refmon\com\ibm\btb\monitor\reference\class-use\ReferenceMonitorFactory.html
javadoc\refmon\com\ibm\btb\monitor\reference\class-use\ReferenceMonitorRemoteException.html
javadoc\refmon\com\ibm\btb\monitor\reference\class-use\ReferenceMonitorSetupException.html
javadoc\refmon\com\ibm\btb\monitor\reference\logtrace
javadoc\refmon\com\ibm\btb\monitor\reference\logtrace\LogTraceCallbackInterface.html
javadoc\refmon\com\ibm\btb\monitor\reference\logtrace\LogTraceFactory.html
javadoc\refmon\com\ibm\btb\monitor\reference\logtrace\LogTraceInterface.html
javadoc\refmon\com\ibm\btb\monitor\reference\logtrace\class-use
javadoc\refmon\com\ibm\btb\monitor\reference\logtrace\class-use\LogTraceCallbackInterface.html


javadoc\refmon\com\ibm\btb\monitor\reference\logtrace\class-use\LogTraceFactory.html
javadoc\refmon\com\ibm\btb\monitor\reference\logtrace\class-use\LogTraceInterface.html
javadoc\refmon\com\ibm\btb\monitor\reference\logtrace\package-frame.html
javadoc\refmon\com\ibm\btb\monitor\reference\logtrace\package-summary.html
javadoc\refmon\com\ibm\btb\monitor\reference\logtrace\package-tree.html
javadoc\refmon\com\ibm\btb\monitor\reference\logtrace\package-use.html
javadoc\refmon\com\ibm\btb\monitor\reference\package-frame.html
javadoc\refmon\com\ibm\btb\monitor\reference\package-summary.html
javadoc\refmon\com\ibm\btb\monitor\reference\package-tree.html
javadoc\refmon\com\ibm\btb\monitor\reference\package-use.html
javadoc\refmon\deprecated-list.html
javadoc\refmon\help-doc.html
javadoc\refmon\index-all.html
javadoc\refmon\index.html
javadoc\refmon\overview-frame.html
javadoc\refmon\overview-summary.html
javadoc\refmon\overview-tree.html
javadoc\refmon\package-list
javadoc\refmon\packages.html
javadoc\refmon\serialized-form.html
javadoc\refmon\stylesheet.css
javadoc\sdk
javadoc\sdk\allclasses-frame.html
javadoc\sdk\com
javadoc\sdk\com\ibm
javadoc\sdk\com\ibm\btb
javadoc\sdk\com\ibm\btb\common
javadoc\sdk\com\ibm\btb\common\ConfCheckInfo.html
javadoc\sdk\com\ibm\btb\common\EvalResultInfo.html
javadoc\sdk\com\ibm\btb\common\EvalRuleInfo.html
javadoc\sdk\com\ibm\btb\common\MonitorInfo.html
javadoc\sdk\com\ibm\btb\common\SKey.html
javadoc\sdk\com\ibm\btb\common\SLocInfo.html
javadoc\sdk\com\ibm\btb\common\package-frame.html
javadoc\sdk\com\ibm\btb\common\package-summary.html
javadoc\sdk\com\ibm\btb\common\package-tree.html
javadoc\sdk\com\ibm\btb\monitor
javadoc\sdk\com\ibm\btb\monitor\sdk
javadoc\sdk\com\ibm\btb\monitor\sdk\MonitorException.html
javadoc\sdk\com\ibm\btb\monitor\sdk\MonitorPSATrace.html
javadoc\sdk\com\ibm\btb\monitor\sdk\MonitorParameterException.html
javadoc\sdk\com\ibm\btb\monitor\sdk\MonitorRemoteException.html
javadoc\sdk\com\ibm\btb\monitor\sdk\MonitorSupport.html
javadoc\sdk\com\ibm\btb\monitor\sdk\package-frame.html
javadoc\sdk\com\ibm\btb\monitor\sdk\package-summary.html
javadoc\sdk\com\ibm\btb\monitor\sdk\package-tree.html
javadoc\sdk\deprecated-list.html
javadoc\sdk\help-doc.html
javadoc\sdk\index-all.html
javadoc\sdk\index.html
javadoc\sdk\overview-frame.html
javadoc\sdk\overview-summary.html
javadoc\sdk\overview-tree.html
javadoc\sdk\package-list
javadoc\sdk\packages.html
javadoc\sdk\serialized-form.html
javadoc\sdk\stylesheet.css
lib
lib\axis.jar
lib\commons-discovery.jar
lib\commons-logging.jar
lib\jaxrpc.jar
lib\log4j-1.2.8.jar
lib\monitor_support.jar
lib\refmon.jar
lib\saaj.jar
lib\xercesImpl.jar


lib\xml-apis.jar
samples
samples\RefMon.properties
samples\iiop.sdk.properties
samples\ws.sdk.properties

Privacy Tools

The following files are installed in the Tivoli Privacy Manager installation directory when the Privacy Tools component is installed.

lib
lib\admin_ejb_jar.jar
lib\cms_data.jar
lib\global.jar
lib\pes.jar
tools
tools\bin
tools\bin\CmdReport(.bat)(.sh)
tools\bin\getReport(.bat)(.sh)
tools\bin\report.props
tools\lib
tools\lib\rpt_api.jar
tools\lib\rpt_cmdline.jar
tools\lib\rpt_server_ejb.jar


Appendix C. Console mode installation procedures

This section provides the step-by-step procedures for installing Tivoli Privacy Manager using a non-graphical installation process. Chapter 2, “Installing the Tivoli Privacy Manager components”, on page 9 contains the description for using a graphical interface installation program. The non-graphical or console mode installation is useful when installing the product on a machine that does not have a video card.

The program to start the console mode installation is located on the Tivoli Privacy Manager CD. The program requires Java 1.3 to run. The WebSphere Application Server prerequisite contains Java 1.3, so you can start the console mode installation from the file directory containing the Java binary files.

Starting the console mode installation

The command for starting the console mode installation is: java -cp setup.jar run -console. Issue the command from the file directory containing the java.exe file, such as was_install/java/bin where was_install is the WebSphere Application Server installation directory. When the installation program starts you will be prompted to enter information related to installing the Tivoli Privacy Manager files.

__ Step 1. From the IBM Tivoli Privacy Manager for e-business Welcome message, click 1 → Enter to continue.

__ Step 2. You must accept the product terms and conditions before continuing with the installation process. Review the terms and conditions of the product. To continue, click 1 → Enter.

__ Step 3. Enter the installation directory for Tivoli Privacy Manager or accept the default. Table 31 shows the default installation directories for each operating system. Click Enter.

Table 31. Default installation directory

Operating system          Installation directory
AIX, Linux, Sun Solaris   /opt/IBM/PrivacyManager
Windows                   C:\Program Files\IBM\PrivacyManager

Note: After you have installed one Tivoli Privacy Manager component and later install another component, the installation program uses the existing installation directory for installing the subsequent component. For example, if you install the Tivoli Privacy Manager server in a directory named d:\privacy and later install the Tivoli Privacy Manager LDAP monitor on the same machine, the LDAP Monitor component will be installed in the d:\privacy directory with the Tivoli Privacy Manager Server component.

To specify another directory on a subsequent installation, you must go through the uninstall process to remove the existing installation directory and Tivoli Privacy Manager components.


__ Step 4. Select the component to install and enter the number associated with the component and then click Enter.
- [1] Privacy Server
- [2] Privacy Monitor SDK
- [3] Privacy LDAP Monitor
- [4] Privacy Tools

If installing multiple components, repeat the instruction above until each component has been entered. To de-select a component enter its number. When you are finished enter [0] to continue.

Selecting Privacy Server installs the Tivoli Privacy Manager server.

You can change the features to be installed by selecting or de-selecting features. The amount of storage space needed for installation depends on the features selected and the operating system platform. See Table 32 for the range of storage space used during installation.

Table 32. Installation storage size

Minimum   Maximum
50 MB     155 MB

__ Step 5. If Privacy Server is selected, a prompt to automatically update the Tivoli Access Manager Java Runtime environment (PDJRTE) configuration is displayed. Click Yes to schedule the configuration during installation. If No is selected this task can be completed manually. See “Configuring the Java Runtime Environment” on page 34 for manual instructions.

The Tivoli Access Manager Java Runtime environment (PDJRTE) configuration sets the WebSphere Application Server’s JDK to use the Tivoli Access Manager libraries. This is a one time task done manually or by the installation program.

__ Step 6. During the installation process validation of prerequisite software is performed. A message is displayed if prerequisite validation fails. The installation process will not complete.

__ Step 7. From the installation summary window, the component size requirements and associated product features to be installed are displayed. Click 1 → Enter to proceed with the installation.

__ Step 8. After the installation completes, a completion message is displayed. Click Enter to exit the installation program.


Appendix D. Accessibility keyboard shortcuts

To navigate the windows in the Tivoli Privacy Manager installation program, use the keyboard shortcuts defined in Table 33.

Table 33. Graphical installation shortcuts

Action            Shortcut
Move to next      Alt+N
Navigate out of   Alt+C
back              Alt+B
yes               Alt+Y
no                Alt+N
Finish            Alt+F


Appendix E. Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user’s responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.


Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

Trademarks

The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both:

AIX
DB2 Universal Database
IBM
IBM logo
Intel
RS/6000
SecureWay
Tivoli
Tivoli logo
WebSphere


Microsoft®, Windows, Windows NT®, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.

Other company, product, and service names may be trademarks or service marks of others.


Glossary

A

access record. See PII access record.

administrator (ADMIN_STAFF). Authorization role that enables specified users to perform server configuration tasks through the Tivoli Privacy Manager console.

audit mode. The level of PII enforcement that allows access to PII regardless of the result of the conformance check and that records both successful and failed PII access attempts in the database. See also enforcement and enforcement mode.

auditor (AUDIT_STAFF). Authorization role that enables specified users to generate reports through the Tivoli Privacy Manager console. An auditor can be someone outside the customer’s organization, such as a third-party privacy policy auditor.

authorization ID. The identifier of the application, group, or individual associated with the origination of an access request. The Tivoli Privacy Manager console labels this field as the Access ID. See also PII accessor.

C

chief privacy officer (CPO). Individual responsible for ensuring that an organization’s privacy policies comply with applicable privacy legislation and company policy. Defines an organization’s privacy policies.

compliance check. The process of determining whether a PII access attempt complies with all governing privacy policies. A compliance check returns Allow, Deny, or Error. See also conformance check, ruling, and default ruling.

condition rule. Boolean condition that is defined for a group or purpose in a policy statement to further restrict access to the PII defined in the statement. See also evaluation rule.

conformance. The process of determining whether a request for personally identifiable information (PII) matches the rules defined in a single governing privacy policy. See also conformance check.

conformance check. The process of determining whether a PII access attempt conforms to a single governing privacy policy. See also compliance check, ruling, and default ruling.

consent record. Recording of a submission of PII and the consent to a privacy policy associated with the PII.

CPO staff (CPO_STAFF). Authorization role that enables specified users to translate the organization’s privacy requirements into their organization’s privacy policies, through the Tivoli Privacy Manager console.

D

default ruling. For a failed conformance check, a setting that defines the default course of action. The default ruling is set to either “deny,” which causes the conformance check to fail regardless of the conformance check results of other governing privacy policies, or to “defer,” which indicates that the conformance check failed, but the final result of the compliance check depends on the classification of each governing privacy policy and on the result of the conformance check against each governing privacy policy.

deployment. The process of activating into full functional use. Applies separately to monitors and privacy policies. A monitor in deployed state monitors data accesses for privacy-sensitive operations and generates the appropriate submission and access information. A privacy policy in deployed state evaluates access attempts for policy conformance using information supplied by monitors and generates access and submission records.

E

enforcement. The process of determining whether PII can be accessed. The monitor levels are audit mode and enforcement mode. See also audit mode and enforcement mode.

enforcement mode. The level of PII enforcement that governs access to the PII in real-time. A failed conformance check does not allow access to the PII. The access attempt is recorded in the database as a denied access attempt. See also audit mode.

evaluation rule. Three-part expression (<key> <operator> <value>) that represents an individual’s choice to opt in or opt out of a specified group or purpose, or to represent another condition, such as a legal restriction on the use of PII. See also condition rule.

explicit consent. A type of consent classification indicating that an individual’s explicit or implicit consent to the terms of the applicable privacy policy is required. If a policy is classified as explicit consent, a submission record is used as an indication of the PII owner’s consent to the use of the PII owner’s information according to the terms of the applicable privacy policy. See also implicit consent.

G

group. A policy statement element that defines the set of individuals, groups of individuals, or applications that can access specific PII data. See also policy statement, PII type, and purpose.

I

implicit consent. A type of consent classification indicating that an individual’s explicit consent to the terms of the applicable privacy policy is not required. See also explicit consent.

IT staff (IT_STAFF). Authorization role that gives the user the ability to deploy published policies to monitored systems. Those assigned the IT staff role understand the topography of the network, the systems that contain privacy-sensitive information, and which instances of the data in that system are privacy sensitive. With this role, the user can also generate reports.

M

monitor. In a privacy management environment, an entity that monitors PII-classified storage locations for attempts to submit data or retrieve data.

monitored application. An application that interfaces with a Tivoli Privacy Manager monitor to enable access to monitored items that flow between the application and the monitored system. See also monitored item.

monitored item. A discrete item, such as a data item, command, or attribute, that is associated with an owner and that is received by a monitor. A monitored item is represented as a storage location in the Tivoli Privacy Manager console. See also monitored application.

monitored system. Any system in an enterprise which stores PII data that needs to be monitored for compliance to a privacy policy. Examples of systems that might need to be monitored include LDAP directories, CRM systems, and customer profilers.

O

opt in. In a privacy policy, a representation of an individual’s implicit or explicit choice to accept the intended use of the individual’s privacy-sensitive information. See also opt out.

opt out. In a privacy policy, a representation of an individual’s implicit or explicit choice to decline the intended use of the individual’s privacy-sensitive information. See also opt in.

P

P3P. See Platform for Privacy Preferences.

P3P privacy policy. Privacy policy based on the P3P specification. See also privacy policy.

personally identifiable information (PII). Data elements that are associated with a specific individual and that can be accessed and used in such a way that the identity of the individual who submitted the PII is known.

PII access. Request to retrieve information from a PII-classified storage location.

PII accessor. An application, group, or individual that attempts a read or write operation on a PII-classified storage location. The Tivoli Privacy Manager console labels this field as the Access Attribute. See also authorization ID.

PII access record. Record generated by the Tivoli Privacy Manager server in response to access information that a monitor has forwarded because a PII access attempt has occurred.

PII-classified storage location. Storage location identified by the IT staff to contain privacy-sensitive information subject to one or more privacy policies.

PII owner. An individual with whom privacy-sensitive information is associated. As the owner of PII, the individual might have the legal right to limit the propagation of the privacy-sensitive information within the organization or to other organizations and individuals. See also PII.

PII submission. Request to update information in a PII-classified storage location.

PII submission record. Record generated by Tivoli Privacy Manager in response to a PII submission request. Associates the submission information with one or more governing policies to which the owner of the information consents.

PII type. A category of privacy-sensitive information for which rules of allowable access are defined. For example, a privacy policy might define Home Contact Information and Medical Records as PII types and then define the allowable purposes for which these types can be used. See also group, purpose, and policy statement.

PII user. An individual or organization, or an agent acting on behalf of an individual or organization, that collects privacy-sensitive information from a PII owner and then uses that information in accordance with governing privacy policies. See also PII owner and PII accessor.

Platform for Privacy Preferences (P3P). A World Wide Web Consortium (W3C) specification that enables Web sites to define their privacy practices in a standard format. For more information, see the P3P project Web site (http://www.w3.org/P3P/).

policy. See privacy policy.

portfolio. The left-hand frame of the Tivoli Privacy Manager console that presents the tasks that can be performed.

privacy policy. Organization’s stated position on how it intends to use the privacy-sensitive information it collects. A privacy policy constitutes an agreement between an organization and owners of personally identifiable information (PII) that the organization collects.

privacy policy statement. See policy statement.

privacy-sensitive information. Information that is classified for protection from general and unauthorized use. In the Platform for Privacy Preferences (P3P) specification, privacy-sensitive information is referred to as personally identifiable information (PII). See also Platform for Privacy Preferences and personally identifiable information.

publish. To make a privacy policy available for deployment. Only the CPO staff role is authorized to put a policy into a published state.

purpose. A policy statement element that defines how associated PII types can be used. See also policy statement, PII type, and group.

R

ruling. The result of a conformance check for a single governing privacy policy. A conformance check result can be Allow, Deny, or Defer. A failed conformance check returns a default ruling. See also default ruling.

S

state. The functional level of a privacy policy or monitor. A privacy policy can be in draft, published, or deployed state. A monitor can be in test, deployed, or non-deployed state.

storage location. Data elements within a storage system that can be mapped to the schema of the storage system, such as a column in a database table, or to an aggregation of data, such as a table, or to a way of accessing data, such as a transaction identifier. See also storage system.

storage system. Any system in a network that persistently stores data that is collected for future use or that acts as a gateway to such data. See also storage location.

T

task. A selection in the portfolio of the Tivoli Privacy Manager console. Which tasks are displayed is controlled by the authorization role of the user logged into the console.

type. See PII type.

policy statement. A logical sentence that identifies how personally identifiable information (PII) can be used. A statement identifies PII types, the groups that can access the PII types, the purposes for which the PII types can be used, and conditions that might apply to the use of the PII. For example, a privacy policy might include the following statement: “Doctors (group) can access medical records (PII type) for diagnosis and treatment (purpose).”




Program Number: 5724–C07

Printed in U.S.A.

SC32-1123-00