Tivoli® Identity Manager
Tivoli Access Manager Password Synchronization Adapter
Installation and Configuration Guide
for Version 4.6.3
SC32-1756-02
Note:
Before using this information and the product it supports, read the information in Appendix B, “Notices,” on page 15.
Ninth Edition (February 2006)
This edition applies to version 4.6.3 of Tivoli Identity Manager and to all subsequent releases and modifications
until otherwise indicated in new editions. This edition replaces all previous editions.
© Copyright International Business Machines Corporation 2004, 2005, 2006. All rights reserved.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract
with IBM Corp.
Contents
Preface  v
  Who should read this book  v
  Publications and related information  v
    Tivoli Identity Manager library  v
    Prerequisite Product Publications  vii
    Related Publications  viii
    Accessing publications online  viii
  Accessibility  viii
  Support information  ix
  Conventions used in this book  ix
    Typeface conventions  ix
    Operating system differences  ix
    Definitions for HOME and other directory variables  x
Chapter 1. Overview  1
  Product Version Information  2
  Distribution Package Contents  2
Chapter 2. Adapter Installation  3
  Before You Install  3
  Enable Password Synchronization in the Tivoli Identity Manager Server  4
  Install the Client-side Component  4
  Configure the Adapter to Work with the Tivoli Identity Manager Server  5
    Determining Pseudo-Distinguished Name Values  7
  Configure the Adapter to Work With a WebSphere Application Server 5.0 Cluster  8
  Successful Installation Check  9
  Uninstallation  9
  Troubleshooting  9
Appendix A. Support information  11
  Searching knowledge bases  11
    Search the information center on your local system or network  11
    Search the Internet  11
  Contacting IBM Software Support  11
    Determine the business impact of your problem  12
    Describe your problem and gather background information  13
    Submit your problem to IBM Software Support  13
Appendix B. Notices  15
  Trademarks  16
Preface
This integration guide describes the procedures required to achieve Reverse
Password Synchronization between IBM® Tivoli® Access Manager and IBM Tivoli
Identity Manager.
The Tivoli Access Manager Adapter for Tivoli Identity Manager only provides
password synchronization in one direction, from Tivoli Identity Manager to Tivoli
Access Manager. The Reverse Password Synchronization Adapter solves this
problem by providing password synchronization in the other direction, from Tivoli
Access Manager to Tivoli Identity Manager.
This document assumes that Tivoli Access Manager, Tivoli Identity Manager and
the Tivoli Access Manager Adapter for Tivoli Identity Manager are already
installed, configured and running on the target system. This guide does not
provide details on the installation and administration of these products.
Who should read this book
This manual is intended for security administrators responsible for installing
software on their company’s computer systems. The person performing this
installation should be familiar with their company’s network system standards.
This document assumes that the reader, or any administrator who executes this
installation, is familiar with all relevant elements of the Tivoli environment,
including Tivoli Access Manager and Tivoli Identity Manager. Readers are also
expected to understand security administration concepts including security
management, Internet authentication and authorization mechanisms, plus standard
protocols like TCP/IP, HTTP and SSL.
Publications and related information
Read the descriptions of the Tivoli Identity Manager library. To determine which
additional publications you might find helpful, read the “Prerequisite Product
Publications” on page vii and the “Related Publications” on page viii. After you
determine the publications you need, refer to the instructions in “Accessing
publications online” on page viii.
Tivoli Identity Manager library
The publications in the technical documentation library for your product are
organized into the following categories:
v Release information
v Online user assistance
v Server installation and configuration
v Problem determination
v Technical supplements
v Adapter installation and configuration
Release Information:
v Release Notes
Provides software and hardware requirements for the product, and additional
fix, patch, and other support information.
v Read This First Card
Lists the publications for the product.
Online user assistance:
Provides online help topics and an information center for administrative tasks.
Server installation and configuration:
Provides installation and configuration information for the product server.
Problem determination:
Provides problem determination, logging, and message information for the
product.
Technical supplements:
The following technical supplements are provided by developers or by other
groups who are interested in this product:
v Performance and tuning information
Provides information needed to tune your production environment, available on
the Web at:
http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
Click the I character in the A-Z product list to locate Tivoli Identity Manager
products. Click the link for your product, and then browse the information
center for the Technical Supplements section.
v Redbooks and white papers are available on the Web at:
http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliIdentityManager.html
Browse to the Self Help section, in the Learn category, and click the Redbooks
link.
v Technotes are available on the Web at:
http://www.redbooks.ibm.com/redbooks.nsf/tips/
v Field guides are available on the Web at:
http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html
v For an extended list of other Tivoli Identity Manager resources, search the
following IBM developerWorks Web address:
http://www.ibm.com/developerworks/
Adapter installation and configuration:
The technical documentation library also includes a set of platform-specific
installation documents for the adapter components of the product. Adapter
information is available on the Web at:
http://www.lotus.com/services/passport.nsf/WebDocs/Passport_Advantage_Home
Click Support & downloads. Browse to the Downloads and drivers. Click the link
for the adapter.
Skills and training:
The following additional skills and technical training information were available at
the time that this manual was published:
v Virtual Skills Center for Tivoli Software on the Web at:
http://www.cgselearning.com/tivoliskills/
v Tivoli Education Software Training Roadmaps on the Web at:
http://www.ibm.com/software/tivoli/education/eduroad_prod.html
v Tivoli Technical Exchange on the Web at:
http://www.ibm.com/software/sysmgmt/products/support/supp_tech_exch.html
Prerequisite Product Publications
To use the information in this book effectively, you must have knowledge of the
products that are prerequisites for your product. Publications are available from
the following locations:
v Operating systems
  – IBM AIX®
    http://www16.boulder.ibm.com/pseries/en_US/infocenter/base/aix52.htm
  – Solaris
    http://docs.sun.com/db?q=solaris+9
  – Red Hat Linux®
    http://www.redhat.com/docs/
  – Microsoft® Windows Server 2003
    http://www.microsoft.com/windowsserver2003/proddoc/default.mspx
v Database servers
  – IBM DB2® Universal Database
    - Support: http://www.ibm.com/software/data/db2/udb/support.html
    - Information center: http://publib.boulder.ibm.com/infocenter/db2help/index.jsp
    - Documentation: http://www.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/v8pubs.d2w/en_main
    - DB2 product family: http://www.ibm.com/software/data/db2
    - Fix packs: http://www.ibm.com/software/data/db2/udb/support/downloadv8.html
    - System requirements: http://www.ibm.com/software/data/db2/udb/sysreqs.html
  – Oracle
    http://www.oracle.com/technology/documentation/index.html
    http://otn.oracle.com/tech/index.html
    http://otn.oracle.com/tech/linux/index.html
  – Microsoft SQL Server 2000
    http://www.msdn.com/library/
    http://www.microsoft.com/sql/
v Directory server applications
  – IBM Directory Server
    http://publib.boulder.ibm.com/tividd/td/IBMDS/IDSapinst52/en_US/HTML/ldapinst.htm
    http://www.ibm.com/software/network/directory
  – Sun ONE Directory Server
    http://docs.sun.com/app/docs/coll/S1_DirectoryServer_52
v WebSphere Application Server
  Additional information is available in the product directory or on the following Web sites:
    http://publib.boulder.ibm.com/infocenter/ws51help/index.jsp
    http://www.redbooks.ibm.com/
v WebSphere embedded messaging
  http://www.ibm.com/software/integration/wmq/
v IBM HTTP Server
  http://www.ibm.com/software/webservers/httpservers/library.html
Related Publications
Information that is related to your product is available in the following
publications:
v The Tivoli Software Library provides a variety of Tivoli publications such as
white papers, datasheets, demonstrations, redbooks, and announcement letters.
The Tivoli Software Library is available on the Web at:
http://www.ibm.com/software/tivoli/literature/
v The Tivoli Software Glossary includes definitions for many of the technical terms
related to Tivoli software. The Tivoli Software Glossary is available from the
Glossary link of the Tivoli Software Library Web page at:
http://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm
Accessing publications online
IBM posts publications for this and all other Tivoli products, as they become
available and whenever they are updated, to the Tivoli software information center
Web site. Access the Tivoli software information center at the following Web
address:
http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
Click the I character in the A-Z list, and then click the link for your product to
access the product library.
Note: If you print PDF documents on other than letter-sized paper, set the option
in the File → Print window that allows Adobe Reader to print letter-sized
pages on your paper.
Accessibility
The product documentation includes the following features to aid accessibility:
v Documentation is available in convertible PDF format to give the maximum
opportunity for users to apply screen-reader software.
v All images in the documentation are provided with alternative text so that users
with vision impairments can understand the contents of the images.
Support information
If you have a problem with your IBM software, you want to resolve it quickly. IBM
provides the following ways for you to obtain the support you need:
v Searching knowledge bases: You can search across a large collection of known
problems and workarounds, Technotes, and other information.
v Contacting IBM Software Support: If you still cannot solve your problem, and
you need to work with someone from IBM, you can use a variety of ways to
contact IBM Software Support.
For more information about these ways to resolve problems, see Appendix A,
“Support information,” on page 11.
Conventions used in this book
This reference uses several conventions for special terms and actions and for
operating system-dependent commands and paths.
Typeface conventions
This guide uses the following typeface conventions:
Bold
v Lowercase commands and mixed case commands that are otherwise
difficult to distinguish from surrounding text
v Interface controls (check boxes, push buttons, radio buttons, spin
buttons, fields, folders, icons, list boxes, items inside list boxes,
multicolumn lists, containers, menu choices, menu names, tabs, property
sheets), labels (such as Tip:, and Operating system considerations:)
v Keywords and parameters in text
Italic
v Words defined in text
v Emphasis of words (words as words)
v New terms in text (except in a definition list)
v Variables and values you must provide
Monospace
v Examples and code examples
v File names, programming keywords, and other elements that are difficult
to distinguish from surrounding text
v Message text and prompts addressed to the user
v Text that the user must type
v Values for arguments or command options
Operating system differences
This guide uses the UNIX® convention for specifying environment variables and
for directory notation.
When using the Windows command line, replace $variable with %variable% for
environment variables and replace each forward slash (/) with a backslash (\) in
directory paths. The names of environment variables are not always the same in
Windows and UNIX. For example, %TEMP% in the Windows operating system is
equivalent to $tmp in a UNIX operating system.
Note: If you are using the bash shell on a Windows system, you can use the UNIX
conventions.
Definitions for HOME and other directory variables
The following table contains the default definitions that are used in this guide to
represent the HOME directory level for various product installation paths. You can
customize the installation directory and HOME directory for your specific
implementation. If this is the case, you need to make the appropriate substitution
for the definition of each variable represented in this table.
The value of path varies for these operating systems:
v Windows: drive:\Program Files
v AIX: /usr
v Other UNIX: /opt
Path Variable / Default Definition / Description

DB_INSTANCE_HOME
  Windows: path\IBM\SQLLIB
  UNIX:
    v AIX, Linux: /home/dbinstancename
    v Solaris: /export/home/dbinstancename
  Description: The directory that contains the database for your Tivoli Identity Manager product.

LDAP_HOME
  v For IBM Directory Server Version 5.2
    Windows: path\IBM\LDAP
    UNIX: path/IBM/LDAP
      – AIX, Linux: path/ldap
      – Solaris: path/IBMldaps
  v For IBM Directory Server Version 6.0
    Windows: path\IBM\LDAP
    UNIX: /opt/IBM/ldap/
      – AIX, Solaris: /opt/IBM/ldap/
      – Linux: /opt/ibm/ldap/
  v For Sun ONE Directory Server
    Windows: path\Sun\MPS
    UNIX: /var/Sun/mps
  Description: The directory that contains the directory server code.

IDS_instance_HOME
  For IBM Directory Server Version 6.0
  Windows: drive\idsslapd-instance_owner_name
    The value of drive might be C:\. An example of instance_owner_name might be ldapdb2. For example, the log file might be C:\idsslapd-ldapdb2\logs\ibmslapd.log.
  UNIX: INSTANCE_HOME/idsslapd-instance_name
    On Linux and AIX systems, the default home directory is the /home/instance_name/idsslapd-instance_name directory. On Solaris systems, for example, the directory is the /export/home/ldapdb2/idsslapd-ldapdb2 directory.
  Description: The directory that contains the IBM Directory Server Version 6.0 instance.

HTTP_HOME
  Windows: path\IBMHttpServer
  UNIX: path/IBMHttpServer
  Description: The directory that contains the IBM HTTP Server code.

ITIM_HOME
  Windows: path\IBM\itim
  UNIX: path/IBM/itim
  Description: The base directory that contains the Tivoli Identity Manager code, configuration, and documentation.

WAS_HOME
  Windows: path\WebSphere\AppServer
  UNIX: path/WebSphere/AppServer
  Description: The WebSphere Application Server home directory.

WAS_MQ_HOME
  Windows: path\ibm\WebSphere MQ
  UNIX: path/mqm
  Description: The directory that contains the WebSphere MQ code.

WAS_NDM_HOME
  Windows: path\WebSphere\DeploymentManager
  UNIX: path/WebSphere/DeploymentManager
  Description: The home directory on the deployment manager.

Tivoli_Common_Directory
  Windows: path\ibm\tivoli\common\
  UNIX: path/ibm/tivoli/common/
  Description: The central location for all serviceability-related files, such as logs and first-failure data capture.
Chapter 1. Overview
The Tivoli Access Manager Adapter for Tivoli Identity Manager provides
integration between Tivoli Access Manager WebSEAL or the Web Plug-in and
Tivoli Identity Manager. The adapter provides synchronization in both directions
between Tivoli Identity Manager and Tivoli Access Manager for all user attributes
except user passwords. These are only synchronized in one direction, from Tivoli
Identity Manager to Tivoli Access Manager. To achieve synchronization of user
passwords from Tivoli Access Manager to Tivoli Identity Manager, the Password
Synchronization Adapter must be installed.
Below is a typical system architecture involving Tivoli Identity Manager, Tivoli
Access Manager, WebSEAL or the Web Plug-in, and the Tivoli Access Manager
Adapter for Tivoli Identity Manager:
The Password Synchronization Adapter has two basic components:
v a server-side component, installed on the Tivoli Identity Manager Server,
v a client-side component, installed on the Tivoli WebSEAL or the Web Plug-in
Server.
The server-side component is installed with Tivoli Identity Manager 4.6 Server.
Both these components must be installed before the Tivoli Identity Manager Server
will accept password changes from the WebSEAL or the Web Plug-in Password
Change web page, pkmspasswd. The adapter only synchronizes passwords changed
through this page.
[Figure 1. System architecture showing password synchronization flow. Elements shown: User Browser; HTTPS; IBM Tivoli Access Manager WebSEAL or Web Plug-in; Application Servers; IBM Tivoli Identity Manager; password synchronization by the Tivoli Access Manager Adapter for Tivoli Identity Manager (Tivoli Identity Manager to Tivoli Access Manager); password synchronization by the Password Synchronization Adapter (Tivoli Access Manager to Tivoli Identity Manager).]
Product Version Information
This installation guide is designed for the following product versions:
v IBM Tivoli Identity Manager 4.6
v IBM Tivoli Access Manager Adapter for IBM Tivoli Identity Manager
v IBM Tivoli Access Manager 6.0
v Either:
– IBM Tivoli Access Manager WebSEAL 6.0, or
– IBM Tivoli Access Manager Plug-in for Web Servers version 6.0
Installation packages are available for the following operating systems:
v Microsoft® Windows™
v Sun® Solaris™
v HP-UX®
v IBM AIX®
Distribution Package Contents
The contents of the distribution package will vary slightly, depending on your
operating system:
File Name / Description
Dynamic libraries:
  Windows: revpwdchk.dll and revpwdsyn.dll
  AIX: librevpwdchk.a and librevpwdsyn.a
  HP-UX: librevpwdchk.sl and librevpwdsyn.sl
  Solaris: librevpwdchk.so and librevpwdsyn.so
  Linux: librevpwdchk.so and librevpwdsyn.so
passwdsync.conf: Configuration file template
TAM_60_RPS.pdf: This Installation Guide
release.txt: Release information
Chapter 2. Adapter Installation
To install and configure the Password Synchronization Adapter, the following steps
must be completed:
1. Enable password synchronization on the Tivoli Identity Manager Server. Refer
to the Tivoli Identity Manager Information Center or the online help for specific
instructions about Tivoli Identity Manager password synchronization.
2. Install the Password Synchronization Adapter client-side components on the
Tivoli WebSEAL or Web Plug-in Server.
3. Configure the Password Synchronization Adapter to work with the Tivoli
Identity Manager Server.
4. If Tivoli Identity Manager Server is installed on a WebSphere Application
Server cluster, you also need to configure SSL for IBM HTTP Server.
These steps are described in more detail below.
Before You Install
As part of the Tivoli Access Manager Adapter for Tivoli Identity Manager
installation, the Tivoli Identity Manager Server should have been configured so
that end users can manage their Tivoli Access Manager account passwords. Before
installing the Password Synchronization Adapter, check this configuration as
follows:
Tivoli Identity Manager 4.6 Enterprise:
1. Log in to Tivoli Identity Manager as an administrator.
2. Select the My Organization tab.
3. Select the appropriate place in your organization tree.
4. From the left side task bar, select Control Access.
Tivoli Identity Manager 4.6 Express:
1. Log in to Tivoli Identity Manager as an administrator.
2. Select Set System Security.
3. Select the Change an Access Control Item.
4. Click the Search button.
You should see that a corresponding organizational Access Control Information
(ACI) has been set for the Tivoli Access Manager account. If so, you can proceed
with the Password Synchronization Adapter installation process. If not, create an
ACI as follows (continuing from the above steps):
Tivoli Identity Manager 4.6 Enterprise:
1. Click Add.
2. Select the Account category.
3. If more than one service is installed on the Tivoli Identity Manager server, a
drop-down menu is displayed. In this case, select TAM Account. If no drop-down
menu appears, proceed to the next step.
4. Click Continue.
5. Enter the ACI name in the text field.
6. Select the subtree radio button.
7. Click Attribute Permissions.
8. Grant Read and Write permissions for the Password attribute.
9. Click Continue.
10. Click Submit.
Tivoli Identity Manager 4.6 Express:
1. Select Set System Security.
2. Select the Change an Access Control Item.
3. Select the Account category.
4. Select TAM Account.
5. Enter the ACI name in the text field.
6. Select Grant for the Modify operation. Click Next.
7. Grant Read and Write permissions for the Password attribute.
8. Click Finish.
For more details on ACI, see the Tivoli Identity Manager Policy and Organization
Administration Guide.
Enable Password Synchronization in the Tivoli Identity Manager Server
To enable Password Synchronization between accounts, the Tivoli Identity Manager
password synchronization feature must be configured as follows:
Tivoli Identity Manager 4.6 Enterprise:
1. Log in to Tivoli Identity Manager as an administrator.
2. Select the Configuration Tab.
3. Select Properties.
4. Select the Enable Password Synchronization checkbox.
5. Click Apply Changes.
Tivoli Identity Manager 4.6 Express:
1. Log in to Tivoli Identity Manager as an administrator.
2. Select Configure System then the Set System Properties tab.
3. Select the Enable Password Synchronization checkbox.
4. Click OK.
Note: Without this (technically optional) step, the adapter will still process the
password change, but the Tivoli Identity Manager server will not
synchronize the Tivoli Access Manager password with the passwords of other
accounts. That is, changing the Tivoli Access Manager password will not
modify any other account password.
Install the Client-side Component
The Password Synchronization client-side component must be installed on your
WebSEAL or Web Plug-in Server. Depending on your server’s operating system,
complete one of the following:
UNIX:
1. Copy the dynamic libraries librevpwdchk and librevpwdsyn from the
distribution package to the /usr/lib/ directory.
2. With a text editor, open the configuration file
WebSEAL_or_WebPI_install_dir/etc/webseald-default.conf, where
default indicates your default WebSEAL domain name.
3. Modify the [authentication-mechanisms] stanza as follows (each entry is
entered as a single line):
passwd-strength=/usr/lib/librevpwdchk.extension&WebSEAL_or_WebPI_install_dir/etc/passwdsync.conf check
post-pwdchg-process=/usr/lib/librevpwdsyn.extension&WebSEAL_or_WebPI_install_dir/etc/passwdsync.conf synch
For example, on a Solaris system this would be:
passwd-strength=/usr/lib/librevpwdchk.so&/opt/pdweb/etc/passwdsync.conf check
post-pwdchg-process=/usr/lib/librevpwdsyn.so&/opt/pdweb/etc/passwdsync.conf synch
Windows:
Note: On the Windows operating system, file and directory names might
contain space characters. Because WebSEAL or the Web Plug-in expects
the additional arguments on the passwd-strength and
post-pwdchg-process configuration lines to be separated by a space
character, you must use the 8.3 convention (truncated long
file names), for example:
C:\Progra~1\Tivoli\PdWeb\etc\passwdsync.conf
1. Copy the dynamic libraries revpwdchk.dll and revpwdsyn.dll from the
distribution package to the WebSEAL_or_WebPI_install_dir\bin\
directory.
2. With a text editor, open the configuration file
WebSEAL_or_WebPI_install_dir\etc\webseald-default.conf, where
default indicates your default WebSEAL domain name.
3. Modify the [authentication-mechanisms] stanza as follows (each entry is
entered as a single line):
passwd-strength=C:\Progra~1\Tivoli\pdweb\bin\revpwdchk.dll&WebSEAL_or_WebPI_install_dir\etc\passwdsync.conf check
post-pwdchg-process=C:\Progra~1\Tivoli\pdweb\bin\revpwdsyn.dll&WebSEAL_or_WebPI_install_dir\etc\passwdsync.conf synch
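The two stanza entries above are easy to get subtly wrong (swapped libraries, the wrong trailing keyword, a long Windows path with a space that WebSEAL splits into two arguments). The following checker is an added example and not part of the IBM adapter; it assumes a simplified stanza parser and uses constructed sample files, one mirroring the Solaris entries from this guide and one deliberately broken.

```python
"""Sanity-check the [authentication-mechanisms] entries that wire the
Password Synchronization Adapter into webseald-default.conf.

Added example, not IBM code. Each value has the form
  <library path>&<passwdsync.conf path> <mode word>
where the mode word is 'check' for passwd-strength and 'synch' for
post-pwdchg-process.
"""
import re
from typing import Dict, List

# Library name fragment and trailing mode word the guide prescribes
# for each [authentication-mechanisms] key.
EXPECTED = {
    "passwd-strength": ("revpwdchk", "check"),
    "post-pwdchg-process": ("revpwdsyn", "synch"),
}

# Constructed sample: the Solaris entries from the guide.
GOOD_CONF = r"""
[server]
server-name = webseal.example.com-default

[authentication-mechanisms]
passwd-strength=/usr/lib/librevpwdchk.so&/opt/pdweb/etc/passwdsync.conf check
post-pwdchg-process=/usr/lib/librevpwdsyn.so&/opt/pdweb/etc/passwdsync.conf synch
"""

# Constructed sample: a broken Windows stanza (long path with a space,
# check library used for the synch hook, wrong mode word).
BAD_CONF = r"""
[authentication-mechanisms]
passwd-strength=C:\Progra~1\Tivoli\pdweb\bin\revpwdchk.dll&C:\Program Files\Tivoli\PdWeb\etc\passwdsync.conf check
post-pwdchg-process=C:\Progra~1\Tivoli\pdweb\bin\revpwdchk.dll&C:\Progra~1\Tivoli\PdWeb\etc\passwdsync.conf check
"""


def stanza_entries(conf_text: str, stanza: str) -> Dict[str, str]:
    """Return key=value pairs from one [stanza] of a WebSEAL conf file."""
    entries: Dict[str, str] = {}
    inside = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            inside = line[1:-1].strip() == stanza
            continue
        if inside and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip()] = value.strip()
    return entries


def basename(path: str) -> str:
    """Last path component, accepting both / and \\ separators (lower-cased)."""
    return re.split(r"[\\/]", path)[-1].lower()


def check_entry(key: str, value: str) -> List[str]:
    """Validate one passwd-strength or post-pwdchg-process value."""
    lib_fragment, mode_word = EXPECTED[key]
    findings: List[str] = []
    library, sep, rest = value.partition("&")
    if not sep:
        return [f"{key}: missing '&' between library and configuration file"]
    library = library.strip()
    if re.search(r"\s", library):
        findings.append(f"{key}: library path contains whitespace; use 8.3 names on Windows")
    if lib_fragment not in basename(library):
        findings.append(f"{key}: library should be the {lib_fragment} module, got {basename(library)!r}")
    tokens = rest.split()
    if len(tokens) < 2:
        findings.append(f"{key}: expected '<passwdsync.conf> {mode_word}' after '&', got {rest!r}")
        return findings
    if len(tokens) > 2:
        findings.append(f"{key}: configuration path contains whitespace; WebSEAL splits "
                        "arguments on spaces, use 8.3 names on Windows")
        return findings
    conf_path, mode = tokens
    if basename(conf_path) != "passwdsync.conf":
        findings.append(f"{key}: configuration file should be passwdsync.conf, got {basename(conf_path)!r}")
    if mode != mode_word:
        findings.append(f"{key}: trailing argument must be '{mode_word}', got {mode!r}")
    return findings


def check_config(conf_text: str) -> Dict[str, List[str]]:
    """Check both adapter entries; maps key -> findings, empty dict when clean."""
    entries = stanza_entries(conf_text, "authentication-mechanisms")
    result: Dict[str, List[str]] = {}
    for key in EXPECTED:
        if key not in entries:
            result[key] = [f"{key}: entry missing from [authentication-mechanisms]"]
            continue
        findings = check_entry(key, entries[key])
        if findings:
            result[key] = findings
    return result


if __name__ == "__main__":
    for name, conf in (("GOOD_CONF", GOOD_CONF), ("BAD_CONF", BAD_CONF)):
        print(name, check_config(conf) or "OK")
```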
Configure the Adapter to Work with the Tivoli Identity Manager Server
The Password Synchronization Adapter communicates with the Tivoli Identity
Manager server over HTTPS, and must be configured to reach the corresponding
Tivoli Identity Manager service. Configure the adapter as follows:
1. Create a Key Database file of type CMS for the adapter. This can be done using
the IBM iKeyMan tool.
2. Copy the kdb file to the keytabs directory:
UNIX:
WebSEAL_or_WebPI_install_dir/keytab-default
Windows:
WebSEAL_or_WebPI_install_dir\keytab-default
Note: This directory may not exist on some platforms for Tivoli Access
Manager 6.0. If so, put the file in the following directory:
WebSEAL_or_WebPI_install_dir/etc
(where default indicates your default WebSEAL domain name).
3. Copy the passwdsync.conf file from the distribution package to the following
directory:
UNIX:
WebSEAL_or_WebPI_install_dir/etc/
Windows:
WebSEAL_or_WebPI_install_dir\etc\
4. Edit the passwdsync.conf file and modify the following entries:
itim-server-name
This is the URL that accesses the password strength and password sync
servlets on the Tivoli Identity Manager server. In a WebSphere
Application Server cluster environment, you need to configure SSL for
IBM HTTP Server. See the section below for instructions. If you are
using a WebSphere Application Server single-server environment you
do not need to configure SSL for IBM HTTP Server.
servlet-port
The port associated with the itim-server-name URL above. The default
HTTPS port is 9443 for a single server configuration and 443 for a
Tivoli Identity Manager cluster with HTTP SSL configured.
principal-name
An ID that has the necessary permission(s) to request the check and
synchronization operations. The best practice is to create a separate
account with appropriate permissions and use this account instead of
the ITIM manager account.
principal-password
The password for the Tivoli Identity Manager Principal Name.
service-source-dn
Holds the pseudo-distinguished name of the service (resource) issuing
the password synchronization request. This pseudo-name consists of
the attributes o, ou and dc from the Tivoli Identity Manager LDAP
organization context, and the erservicename attribute of the Tivoli
Access Manager service name, as defined in Tivoli Identity Manager.
For assistance in determining these values, see “Determining
Pseudo-Distinguished Name Values” on page 7 below.
keydatabase-file
The location and name of the Key Database file.
keydatabase-password
The password for the Key Database file.
servlet-context
The password synchronization context root on the application server.
The modified file should look like this (UNIX example):
#
# FILE NAME
# pwdsync51.conf
#
# DESCRIPTION
# Configuration file for Password Synch Module
#
# VERSION 1.0
[itim]
itim-server-name=ITIM_host_name_or_IP_address
servlet-port=servlet_port
servlet-context=/passwordsynch/synch
principal-name=principal_login_name
principal-password=principal_password
service-source-dn=erservicename=TAM 6.0 Service,o=IBM,ou=IBM,dc=com
[ssl]
keydatabase-file=WebSEAL_dir/keytab-default/revpwdsync.kdb
keydatabase-password=password
5. Restart the WebSEAL server.
Determining Pseudo-Distinguished Name Values
The service-source-dn entry holds the pseudo-distinguished name of the service
issuing the password synchronization request. To assist in determining the correct
entries, this name may be considered to contain the following components, in the
order C+B+A:
Component  Item           Description
A          ou, dc         The ou and dc parts of the service distinguished name.
B          o              The value of the o attribute of the organization to which the service belongs.
C          erServiceName  The value of the erServiceName attribute of the service.
For example, assume the service distinguished name is:
erglobalid=7311179187489369500,ou=services,erglobalid=00000000000000000000,ou=IBM,dc=com
Component A equals:
ou=IBM,dc=com
Component B equals the value of the o attribute for an organization entry with the
distinguished name:
erglobalid=00000000000000000000,ou=IBM,dc=com
If the o attribute has the value International Business Machines, Component B
would have the value:
o=International Business Machines
Component C equals the value of the erServiceName attribute of the service. If this
attribute has the value TAM 6.0 Service, the component would be:
erservicename=TAM 6.0 Service
Thus, the complete pseudo-distinguished name will be:
erservicename=TAM 6.0 Service, o=International Business Machines, ou=IBM,dc=com
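The C+B+A assembly above, as an added example that is not part of the IBM guide: it splits the service distinguished name, identifies the organization entry whose o attribute supplies component B, and emits the compact form (no spaces after commas) used in the sample passwdsync.conf. The organization's o value and the service's erServiceName are passed in as parameters rather than read from LDAP.

```python
"""Build the service-source-dn value for passwdsync.conf.

Added example, not IBM code. Applies the C+B+A rule: component C is
the erServiceName, component B the organization's o attribute, and
component A the ou/dc suffix of the service DN.
"""
from typing import List, Tuple

# Constructed sample matching the guide's worked example.
EXAMPLE_SERVICE_DN = ("erglobalid=7311179187489369500,ou=services,"
                      "erglobalid=00000000000000000000,ou=IBM,dc=com")


def split_rdns(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs.

    A comma escaped as '\\,' (RFC 4514) stays inside the value; spaces
    around each RDN are dropped.
    """
    parts: List[str] = []
    current: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    pairs: List[Tuple[str, str]] = []
    for rdn in parts:
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip(), value.strip()))
    return pairs


def _join(pairs: List[Tuple[str, str]]) -> str:
    return ",".join(f"{attr}={value}" for attr, value in pairs)


def _org_index(pairs: List[Tuple[str, str]]) -> int:
    """Index of the last erglobalid RDN, i.e. the organization entry."""
    ids = [i for i, (attr, _) in enumerate(pairs) if attr.lower() == "erglobalid"]
    if not ids:
        raise ValueError("service DN has no erglobalid RDN")
    return ids[-1]


def organization_dn(service_dn: str) -> str:
    """DN of the organization entry whose o attribute supplies component B."""
    pairs = split_rdns(service_dn)
    return _join(pairs[_org_index(pairs):])


def component_a(service_dn: str) -> str:
    """The ou/dc suffix of the service DN (component A)."""
    pairs = split_rdns(service_dn)
    suffix = pairs[_org_index(pairs) + 1:]
    odd = [attr for attr, _ in suffix if attr.lower() not in ("ou", "dc")]
    if not suffix or odd:
        raise ValueError(f"unexpected organization context suffix: {_join(suffix)!r}")
    return _join(suffix)


def service_source_dn(service_dn: str, org_o: str, er_service_name: str) -> str:
    """Assemble C + B + A in the compact form used in passwdsync.conf."""
    return f"erservicename={er_service_name},o={org_o},{component_a(service_dn)}"


if __name__ == "__main__":
    print("look up the o attribute on:", organization_dn(EXAMPLE_SERVICE_DN))
    print("service-source-dn=" + service_source_dn(
        EXAMPLE_SERVICE_DN, "International Business Machines", "TAM 6.0 Service"))
```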
Configure the Adapter to Work With a WebSphere Application Server 5.0 Cluster
In a WebSphere Application Server cluster environment, the IBM HTTP Server
must be configured for SSL. To do this:
1. Create a keyfile using the IBM HTTP Server key management utility.
a. Create a directory at a location such as $ITIM_HOME/myKeys. This directory
will be used to hold all of your SSL key files and certificates.
b. Start the Key Management Utility ikeyman. To start this utility, find and
execute gsk7ikm under gsk7 (/opt/ibm/gsk7/bin on Solaris). Click the Key
Database File menu and select New.
c. Specify settings and click OK:
v Key Database Type: CMS Key Database File,
v File Name: WebServerKeys.kdb,
v Location: the path to the $ITIM_HOME/myKeys directory.
d. Enter a password for your SSL key file (twice for confirmation).
e. Check the Stash the password to a file? option. Click OK. This causes a file
named WebServerKeys.sth to be created, containing an encoded form of the
password.
Note: This encoding prevents a casual viewing of the password but is not
highly secure. Therefore, operating system permissions should be
used to prevent all access to this file by unauthorized persons.
f. When you see the list of default Signer Certificates, click the Signer
Certificates menu and select Personal Certificates.
If you have a server certificate from a Certificate Authority (for example,
Verisign), you can click Import to import this certificate into your SSL key
file. You will be prompted for the type and location of the file containing the
server certificate.
If you do not have a valid server certificate from a Certificate Authority, but
want to test your system, click New Self-Signed.
At a minimum you will be prompted to enter a Key Label, such as enrole, and an
Organization, such as IBM. Use the default values for the other fields.
g. Click the Key Database File menu and select Close.
2. Add the following lines to the bottom of your httpd.conf file (substituting
$ITIM_HOME with the correct path to your myKeys directory):
LoadModule ibm_ssl_module libexec/mod_ibm_ssl_128.so
Listen 443
SSLEnable
Keyfile "$ITIM_HOME/myKeys/WebServerKeys.kdb"
# SSLClientAuth required
This causes the Web server to listen on port 443 (the default SSL port).
3. Add ports 443 and 9443 to the VirtualHost in the WebSphere Application
Server administration console of the PRIMARY (NDM), and update the Web
Server Plug-in.
4. Start your IBM HTTP Server.
Solaris:
/opt/IBMHTTPd/bin/apachectl start
AIX:
/usr/HTTPServer/bin/apachectl start
5. Restart your Tivoli Identity Manager cluster server members.
6. Test your configuration from a browser by entering a URL such as:
https://localhost
If you are using a self-signed certificate, rather than a certificate issued by a
Certificate Authority such as Verisign, your browser prompts you to decide
whether to trust the unknown signer of the server's certificate. Accept it only
for testing; for production, install a CA-issued certificate so that clients can
verify the server without such prompts.
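The following script is an added example and is not part of the IBM guide. It performs the same key-file creation as steps 1b to 1g without the ikeyman GUI, applies the file-permission lock-down that the stash-file note asks for, and replaces the browser test in step 6 with a command-line probe. It assumes that gsk7cmd (the command-line counterpart of ikeyman, shipped in the same gsk7 directory) is on PATH, that the key label enrole and an O=IBM distinguished name are used as in step 1f, that IBM HTTP Server runs as the account named in WEB_USER, and that openssl is available; none of those are stated on the page.

```shell
#!/bin/sh
# Added example, not from the IBM guide. Assumptions: gsk7cmd is on PATH
# (for example from /opt/ibm/gsk7/bin); the key label "enrole" and an O=IBM
# distinguished name follow step 1f; WEB_USER is the account IBM HTTP Server
# runs as; openssl stands in for the browser test in step 6.
set -u

KEYDIR="${ITIM_HOME:-/opt/itim}/myKeys"      # $ITIM_HOME/myKeys from step 1a
KDB="$KEYDIR/WebServerKeys.kdb"
STH="$KEYDIR/WebServerKeys.sth"              # created by -stash, holds the password
WEB_USER="${WEB_USER:-nobody}"               # assumed run-as user of the web server

# Steps 1b to 1g without the GUI: create the CMS key database, stash its
# password, and add a self-signed certificate for testing. For a CA-issued
# certificate use "gsk7cmd -cert -import" instead of "-cert -create".
create_keydb() {
    kdb_pw="$1"
    mkdir -p "$KEYDIR"
    chmod 700 "$KEYDIR"
    gsk7cmd -keydb -create -db "$KDB" -pw "$kdb_pw" -type cms -stash
    gsk7cmd -cert -create -db "$KDB" -pw "$kdb_pw" -label enrole \
        -dn "CN=$(hostname),O=IBM" -size 1024 -default_cert yes
}

# The .sth file is obfuscated, not encrypted, so anyone who can read it can open
# the key database and take the server's private key. Leave both files readable
# by the web server account only. chown needs root, so it is best effort here.
lock_down_keyfiles() {
    chown "$WEB_USER" "$KDB" "$STH" 2>/dev/null || true
    chmod 600 "$KDB" "$STH"
}

# True when a file carries no group or other permission bits. Reads ls -l output
# because stat(1) flags differ between Solaris, AIX and Linux.
perms_are_private() {
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Prints how many GSKit files in a directory are readable by group or world.
# Run it after step 1 and again after any restore from backup; expect 0.
check_keydir() {
    dir="$1"
    bad=0
    for f in "$dir"/*.kdb "$dir"/*.sth "$dir"/*.rdb "$dir"/*.crl; do
        [ -e "$f" ] || continue
        perms_are_private "$f" || bad=$((bad + 1))
    done
    echo "$bad"
}

# Step 6 from the command line: print the certificate the listener presents so
# you can confirm it is the one just created. For a self-signed certificate the
# subject and issuer are identical, which is also why the browser warns.
probe_listener() {
    host="${1:-localhost}"
    echo | openssl s_client -connect "$host:443" 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
}

# Usage (run as root on the web server host):
#   create_keydb 'choose-a-strong-password'; lock_down_keyfiles
#   check_keydir "$KEYDIR"    # prints 0 when every key file is private
#   probe_listener localhost  # after httpd.conf is updated and the server started
```

check_keydir is the part worth keeping in a routine job: the stash file makes the key database password available to anything that can read the file, so a key directory that drifts to group- or world-readable after a restore or a careless copy silently undoes the note in step 1e.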
Successful Installation Check
To check that the Password Synchronization Adapter has been successfully
installed:
1. Log in to WebSEAL or the Web Plug-in as a user.
2. Go to the WebSEAL or the Web Plug-in password change page:
https://WebSEAL_or_WebPI_host:port_number/pkmspasswd.html
3. Change the user password.
4. Log in to Tivoli Identity Manager using the new password from Step 3 above.
If the login attempt is successful, the Password Synchronization Adapter has been
properly installed.
Uninstallation
To remove the Password Synchronization Adapter:
1. On the machine where WebSEAL or the Web Plug-in is installed, locate the
default-webseald.conf file in the etc directory.
2. In the authentication-mechanisms stanza, comment out or edit the following
lines to remove the Password Synchronization configuration:
passwd-strength
post-pwdchg-process
3. Delete any files added during the installation process.
4. Restart the WebSEAL or the Web Plug-in server.
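The script below is an added example, not part of the IBM guide, for step 2 of the uninstallation: it comments out the passwd-strength and post-pwdchg-process entries only inside the [authentication-mechanisms] stanza, leaves a backup of the original file, and counts how many of the two keys are still active so you can confirm the edit before restarting WebSEAL. It assumes the file uses the WebSEAL "[stanza]" and "key = value" layout with "#" as the comment character; the configuration file path is passed in as an argument, and for the Web Plug-in it must be the plug-in's own file.

```shell
#!/bin/sh
# Added example, not from the IBM guide. Assumptions: the file uses the WebSEAL
# "[stanza]" / "key = value" layout and "#" comments; the path is given by the
# caller (default-webseald.conf for WebSEAL, the plug-in's file otherwise).
set -u

# Comment out the two Password Synchronization keys, but only inside the
# [authentication-mechanisms] stanza; a key with the same name in another
# stanza is left alone. The original is kept beside the file as *.pre-uninstall.
disable_pwsync_keys() {
    conf="$1"
    cp -p "$conf" "$conf.pre-uninstall"
    awk '
        /^\[/ { in_stanza = ($1 == "[authentication-mechanisms]") }
        in_stanza && /^ *(passwd-strength|post-pwdchg-process) *=/ { print "#" $0; next }
        { print }
    ' "$conf.pre-uninstall" > "$conf"
}

# Prints how many of those keys are still active in the stanza. Run it before
# the edit to confirm the adapter is configured (expect 2) and after the edit
# to confirm nothing is left (expect 0) before restarting WebSEAL (step 4).
count_active_pwsync_keys() {
    awk '
        /^\[/ { in_stanza = ($1 == "[authentication-mechanisms]") }
        in_stanza && /^ *(passwd-strength|post-pwdchg-process) *=/ { n++ }
        END { print n + 0 }
    ' "$1"
}

# Usage:
#   count_active_pwsync_keys /path/to/default-webseald.conf   # expect 2
#   disable_pwsync_keys      /path/to/default-webseald.conf
#   count_active_pwsync_keys /path/to/default-webseald.conf   # expect 0
```

Scoping the edit to the stanza matters because a plain search-and-replace over the whole file would also touch any same-named key in another stanza, and the count check is what tells you the restart in step 4 will actually start WebSEAL without the adapter's libraries.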
Troubleshooting
The following problems may be encountered during installation:
WebSEAL fails to start.
Examine the msg__notice_PID.log file (note the double underscore in the
filename) and check that dynamic libraries are in the search path.
Password Synchronization does not work and a log file is not created.
Check the path for the Password Synchronization configuration file,
passwdsync.conf. See the Windows note in the Install the Client Side
Component section above.
Log file reports error: SSL environment cannot be established.
Check the path and password for the kdb file.
WebSEAL Change Password Page reports error: Password rejected due to policy
violation and log file contains error: ITIM return message is:
com.access360.enrole.authentication.INVALID_PASSWORD.
Examine the passwdsync.conf file and check the value specified for the
ITIM principal password. See the section above, Configure the Adapter to
Work with the Tivoli Identity Manager Server.
IBMHttpServer SSL connection fails to initialize.
If the URL https://localhost does not work in the Web browser, check the
IBM HTTP Server error log for details. The path to the error log is:
/opt/IBMHttpServer/logs/error_log
Appendix A. Support information
This section describes the following options for obtaining support for IBM
products:
v “Searching knowledge bases”
v “Contacting IBM Software Support”
Searching knowledge bases
If you have a problem with your IBM software, you want it resolved quickly. Begin
by searching the available knowledge bases to determine whether the resolution to
your problem is already documented.
Search the information center on your local system or network
IBM provides extensive documentation that can be installed on your local
computer or on an intranet server. You can use the search function of this
information center to query conceptual information, instructions for completing
tasks, reference information, and support documents.
Search the Internet
If you cannot find an answer to your question in the information center, search the
Internet for the latest, most complete information that might help you resolve your
problem. To locate Internet resources for your product, open one of the following
Web sites:
v Performance and tuning information
Provides information needed to tune your production environment, available on
the Web at:
http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
Click the I character in the A-Z product list to locate Tivoli Identity Manager
products. Click the link for your product, and then browse the information
center for the Technical Supplements section.
v Redbooks and white papers are available on the Web at:
http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliIdentityManager.html
Browse to the Self Help section, in the Learn category, and click the Redbooks
link.
v Technotes are available on the Web at:
http://www.redbooks.ibm.com/redbooks.nsf/tips/
v Field guides are available on the Web at:
http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html
v For an extended list of other Tivoli Identity Manager resources, search the
following IBM developerWorks Web address:
http://www.ibm.com/developerworks/
Contacting IBM Software Support
IBM Software Support provides assistance with product defects.
© Copyright IBM Corp. 2004, 2005, 2006 11
Before contacting IBM Software Support, your company must have an active IBM
software maintenance contract, and you must be authorized to submit problems to
IBM. The type of software maintenance contract that you need depends on the
type of product you have:
v For IBM distributed software products (including, but not limited to, Tivoli,
Lotus, and Rational products, as well as DB2 and WebSphere products that run
on Windows or UNIX operating systems), enroll in Passport Advantage in one
of the following ways:
– Online: Go to the Passport Advantage Web page
(http://www.lotus.com/services/passport.nsf/WebDocs/
Passport_Advantage_Home) and click How to Enroll
– By phone: For the phone number to call in your country, go to the IBM
Software Support Web site
(http://techsupport.services.ibm.com/guides/contacts.html) and click the
name of your geographic region.
v For IBM eServer software products (including, but not limited to, DB2 and
WebSphere products that run in zSeries, pSeries, and iSeries environments), you
can purchase a software maintenance agreement by working directly with an
IBM sales representative or an IBM Business Partner. For more information
about support for eServer software products, go to the IBM Technical Support
Advantage Web page (http://www.ibm.com/servers/eserver/techsupport.html).
If you are not sure what type of software maintenance contract you need, call
1-800-IBMSERV (1-800-426-7378) in the United States or, from other countries, go to
the contacts page of the IBM Software Support Handbook on the Web
(http://techsupport.services.ibm.com/guides/contacts.html) and click the name of
your geographic region for phone numbers of people who provide support for
your location.
Follow the steps in this topic to contact IBM Software Support:
1. Determine the business impact of your problem.
2. Describe your problem and gather background information.
3. Submit your problem to IBM Software Support.
Determine the business impact of your problem
When you report a problem to IBM, you are asked to supply a severity level.
Therefore, you need to understand and assess the business impact of the problem
you are reporting. Use the following criteria:
Severity 1 Critical business impact: You are unable to use the program,
resulting in a critical impact on operations. This condition
requires an immediate solution.
Severity 2 Significant business impact: The program is usable but is
severely limited.
Severity 3 Some business impact: The program is usable with less
significant features (not critical to operations) unavailable.
Severity 4 Minimal business impact: The problem causes little impact on
operations, or a reasonable circumvention to the problem has
been implemented.
Describe your problem and gather background information
When explaining a problem to IBM, be as specific as possible. Include all relevant
background information so that IBM Software Support specialists can help you
solve the problem efficiently. To save time, know the answers to these questions:
v What software versions were you running when the problem occurred?
v Do you have logs, traces, and messages that are related to the problem
symptoms? IBM Software Support is likely to ask for this information.
v Can the problem be re-created? If so, what steps led to the failure?
v Have any changes been made to the system? (For example, hardware, operating
system, networking software, and so on.)
v Are you currently using a workaround for this problem? If so, please be
prepared to explain it when you report the problem.
Submit your problem to IBM Software Support
You can submit your problem in one of two ways:
v Online: Go to the "Submit and track problems" page on the IBM Software
Support site (http://www.ibm.com/software/support/probsub.html). Enter
your information into the appropriate problem submission tool.
v By phone: For the phone number to call in your country, go to the contacts page
of the IBM Software Support Handbook on the Web
(http://techsupport.services.ibm.com/guides/contacts.html) and click the name
of your geographic region.
If the problem you submit is for a software defect or for missing or inaccurate
documentation, IBM Software Support creates an Authorized Program Analysis
Report (APAR). The APAR describes the problem in detail. Whenever possible,
IBM Software Support provides a workaround for you to implement until the
APAR is resolved and a fix is delivered. IBM publishes resolved APARs on the
IBM product support Web pages daily, so that other users who experience the
same problem can benefit from the same resolutions.
For more information about problem resolution, see Searching knowledge bases.
Appendix B. Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in
other countries. Consult your local IBM representative for information on the
products and services currently available in your area. Any reference to an IBM
product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product,
program, or service that does not infringe any IBM intellectual property right may
be used instead. However, it is the user’s responsibility to evaluate and verify the
operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not give you
any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM
Intellectual Property Department in your country or send inquiries, in writing, to:
IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan
The following paragraph does not apply to the United Kingdom or any other
country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS
PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or
implied warranties in certain transactions, therefore, this statement may not apply
to you.
This information could include technical inaccuracies or typographical errors.
Changes are periodically made to the information herein; these changes will be
incorporated in new editions of the publication. IBM may make improvements
and/or changes in the product(s) and/or the program(s) described in this
publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those Web
sites. The materials at those Web sites are not part of the materials for this IBM
product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently created
programs and other programs (including this one) and (ii) the mutual use of the
information which has been exchanged should contact:
IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758
U.S.A.
Such information may be available, subject to appropriate terms and conditions,
including in some cases, payment of a fee.
The licensed program described in this information and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement, or any equivalent agreement
between us.
Any performance data contained herein was determined in a controlled
environment. Therefore, the results obtained in other operating environments may
vary significantly. Some measurements may have been made on development-level
systems and there is no guarantee that these measurements will be the same on
generally available systems. Furthermore, some measurements may have been
estimated through extrapolation. Actual results may vary. Users of this document
should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of
those products, their published announcements or other publicly available sources.
IBM has not tested those products and cannot confirm the accuracy of
performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the
suppliers of those products.
Trademarks
The following terms are trademarks or registered trademarks of International
Business Machines Corporation in the United States, other countries, or both:
IBM
IBM logo
ibm.com
AIX
AS/400
DB2
Domino
Informix
iSeries
Linux
Lotus
Lotus Notes
MQSeries
Notes
OS/400
Power PC
Tivoli
Tivoli logo
Universal Database
WebSphere
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of
Microsoft Corporation in the United States, other countries, or both.
Intel, Intel Inside (logos), MMX and Pentium are trademarks of Intel Corporation
in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other
countries.
Linux is a trademark of Linus Torvalds in the U.S., other countries, or both.
Java and all Java-based trademarks are trademarks of Sun
Microsystems, Inc. in the United States, other countries, or
both.
Other company, product, and service names may be trademarks or service marks
of others.
Printed in USA
SC32-1756-02