
A Sample Integration of IBM Tivoli Security Management Products

IBM Tivoli Identity Manager

IBM Tivoli Access Manager for e-business

IBM Tivoli Directory Server

IBM Tivoli Directory Integrator

Mantis – A Sample Open Source Application

Version number 1.05

Dated 25 October 2004

Author Lindsay C. Blanton III

IBM Tivoli WW Education lblanton@us.ibm.com


Copyright Notice

Copyright © 10/25/04 IBM Corporation, including this documentation and all software. All rights reserved. May only be used pursuant to a Tivoli Systems Software License Agreement, an IBM Software License Agreement, or Addendum for Tivoli Products to IBM Customer or License Agreement. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any computer language, in any form or by any means, electronic, mechanical, magnetic, optical, chemical, manual, or otherwise, without prior written permission of IBM Corporation. IBM Corporation grants you limited permission to make hardcopy or other reproductions of any machine-readable documentation for your own use, provided that each such reproduction shall carry the IBM Corporation copyright notice. No other rights under copyright are granted without prior written permission of IBM Corporation. The document is not intended for production and is furnished “as is” without warranty of any kind. All warranties on this document are hereby disclaimed, including the warranties of merchantability and fitness for a particular purpose. Note to U.S. Government Users—Documentation related to restricted rights—Use, duplication or disclosure is subject to restrictions set forth in GSA ADP Schedule Contract with IBM Corporation.

Trademarks

The following are trademarks of IBM Corporation or Tivoli Systems Inc.: IBM, Tivoli, AIX, Cross-Site, NetView, OS/2, Planet Tivoli, RS/6000, Tivoli Certified, Tivoli Enterprise, Tivoli Ready, TME. In Denmark, Tivoli is a trademark licensed from Kjøbenhavns Sommer - Tivoli A/S.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries. C-bus is a trademark of Corollary, Inc. in the United States, other countries, or both.

Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Lotus is a registered trademark of Lotus Development Corporation.

PC Direct is a trademark of Ziff Communications Company in the United States, other countries, or both and is used by IBM Corporation under license.

ActionMedia, LANDesk, MMX, Pentium, and ProShare are trademarks of Intel Corporation in the United States, other countries, or both.

SET and the SET Logo are trademarks owned by SET Secure Electronic Transaction LLC. For further information, see http://www.setco.org/aboutmark.html.

Other company, product, and service names may be trademarks or service marks of others.

Notices

References in this publication to Tivoli Systems or IBM products, programs, or services do not imply that they will be available in all countries in which Tivoli Systems or IBM operates. Any reference to these products, programs, or services is not intended to imply that only Tivoli Systems or IBM products, programs, or services can be used. Subject to valid intellectual property or other legally protectable right of Tivoli Systems or IBM, any functionally equivalent product, program, or service can be used instead of the referenced product, program, or service. The evaluation and verification of operation in conjunction with other products, except those expressly designated by Tivoli Systems or IBM, are the responsibility of the user. Tivoli Systems or IBM may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to the IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, New York 10504-1785, U.S.A.

Version History

Version    | Author | Description
Draft 1.0  | LCB    | Initial for review
Draft 1.01 | LCB    | Editor proofing comments
Draft 1.02 | LCB    | Editor proofing comments
1.03       | LCB    | SME recommended changes
1.04       | LCB    | Added ITIM Supplemental CDs as WebSphere install locations.
1.05       | LCB    | Clarification added for the ITIM Access Manager Agent download as a requirement. This was not specifically mentioned in the previous version of this paper.

Table of Contents

1 Introduction and Overview ... 6
1.1 Scope ... 6
1.1.1 Overview ... 6
1.1.2 Access Control and Management Functions ... 6
1.1.3 The Mantis Open Source Application ... 6
1.2 Physical Architecture ... 7
1.2.1 Hardware and Software ... 7
1.2.2 Physical Architecture Diagram ... 7
1.3 Provisioning Process Flow ... 8
1.3.1 Automatic Provisioning ... 8
1.3.2 Manual Provisioning ... 9
1.3.3 Provisioning Process Flow Diagram ... 9
1.3.4 Authentication and Authorization Process Flow Diagram ... 9
2 Preparing the Environment ... 11
2.1 Required Software Media and Downloads ... 11
2.2 User Accounts ... 11
2.2.1 tivoli1 User Accounts ... 11
2.2.2 tivoli2 User Accounts ... 11
2.2.3 zeus User Accounts ... 11
2.3 tivoli1 ... 12
2.4 tivoli2 ... 12
2.5 zeus ... 12
2.5.1 Configure Apache to Listen on Port 8080 ... 13
2.5.2 Download and Install the Mantis Application on Zeus ... 13
3 Install and Configure IBM Tivoli Directory Server 5.2 ... 18
3.1 Install the IBM JRE ... 18
3.2 Install Directory Server ... 21
4 Install and Configure IBM Tivoli Access Manager 5.1 ... 28
4.1 Install the Access Manager Policy Server ... 28
4.2 Install WebSEAL ... 34
5 Install IBM Tivoli Identity Manager 4.5.1 ... 40
5.1 DB2 Installation ... 40
5.1.1 Install the DB2 8.1 UDB Base Code ... 40
5.1.2 Install the DB2 8.1 UDB Fixpack 2 ... 45
5.1.3 Configure DB2 for ITIM ... 47
5.2 LDAP Configuration ... 48
5.2.1 Configure LDAP for ITIM ... 48
5.3 Install ITIM 4.5.1 ... 51
6 Install and Configure the Web Interfaces ... 59
6.1 Install the IBM JRE on tivoli2 ... 59
6.2 Install the IBM Tivoli Access Manager Web Portal Manager (WPM) ... 62
6.3 Install the IBM Tivoli Directory Server Web Administration Tool ... 69
7 Install and Configure IBM Tivoli Identity Manager Agents ... 78
7.1 Install the Access Manager ITIM Agent ... 78
7.2 Configure the Access Manager Agent ... 81
7.2.1 Configure Protocol Settings ... 81
7.2.2 Certificate Installation ... 82
7.3 Install the Access Manager GSO Agent ... 89
7.4 Configure the Access Manager GSO Agent ... 92
7.4.2 Certificate Installation ... 93
8 Configure Access Manager ... 100
8.1 Create the apache-group Group ... 100
8.2 Secure the Web Space ... 101
8.3 Create the Mantis GSO Resource ... 106
8.4 Modify the Access Manager Password Policy ... 107
8.5 Configure WebSEAL ... 108
8.5.1 Configure Forms SSO for Mantis Application ... 108
8.5.2 Create the WebSEAL Junction ... 108
9 Configure IBM Tivoli Identity Manager ... 110
9.1 Initial Configuration ... 110
9.2 Create Organizational Roles ... 111
9.2.1 Create the Two Organizational Roles ... 111
9.3 Create Services ... 113
9.3.1 Download and Install the Certificate Authority Certificate ... 113
9.3.2 Install the Agent Profiles ... 114
9.3.3 Define the Access Manager Agent Service ... 115
9.3.4 Define the Access Manager GSO Agent Service ... 117
9.4 Create the Identity Policy ... 120
9.5 Create the Password Policy ... 124
9.6 Create the Initial Provisioning Policies ... 128
9.6.1 The Automatic Provisioning Policy ... 128
9.6.2 The Manual Provisioning Policy ... 135
9.7 Create the Default Access Control Lists ... 136
9.7.1 Create the TAM Account Access ACL ... 136
9.7.2 Create the TAM GSO Account Access ACL ... 138
9.8 Test the Configuration ... 140
10 Install IBM Tivoli Directory Integrator ... 143
10.1 Installation ... 143
11 Configuring IBM Tivoli Directory Integrator as a TIM Endpoint ... 146
11.1 The Mantis MySQL Account and Service Data Model ... 146
11.2 Loading the Data Definitions into ITIM ... 148
11.3 Configuring ITIM ... 149
11.3.1 Modify the Imported Data Model ... 149
11.3.2 Define the DSML2 Service to ITIM ... 150
11.3.3 Add the DSML2 Service to the Identity Policy ... 151
11.3.4 Add the DSML2 Service to the Password Policy ... 151
11.4 Defining the ITIM Provisioning Policies for Mantis ... 153
11.4.1 Update the Automatic Provisioning Policy ... 153
11.4.2 Define the Manual Provisioning Policy ... 156
11.4.3 Update the Access Control Lists for Mantis Accounts ... 156
11.5 Install the MySQL JDBC Driver for IDI ... 159
11.6 Configuring IDI ... 160
11.6.1 Creating the Add Account Assembly Line and Connector ... 160
11.6.2 Creating the Modify Account Assembly Line and Connector ... 166
11.6.3 Creating the Delete Account Assembly Line and Connector ... 171
11.6.4 Creating the ITIM Event Handler ... 175
11.7 Testing the IDI Endpoint ... 178
12 Test Cases ... 180
12.1 Auto Provision Accounts ... 180
12.2 Password Change ... 184

1 Introduction and Overview

This document presents a step-by-step example of integrating four different applications in the IBM Tivoli Security Software portfolio: IBM Tivoli Identity Manager v4.5.1, IBM Tivoli Access Manager for e-business v5.1, IBM Tivoli Directory Server v5.2, and IBM Tivoli Directory Integrator v5.2. It is assumed that someone implementing the examples in this paper will have previous experience with each of these products, along with in-depth Windows 2000 and UNIX system administration skills. In addition, LDAP, DB2 and MySQL database, and TCP/IP networking skills are required to understand the implementation concepts in this paper.

1.1 Scope

1.1.1 Overview

This example integration demonstrates developing an environment that allows for automatic and manual provisioning, and management of user accounts, to the following resources:

• The Identity Manager application

• Access Manager account and group resources (WebSEAL)

• Access Manager Global Sign-on resources

• An open source trouble-ticketing application called Mantis (PHP, MySQL based)

The ultimate objective is to develop an environment that can easily provision accounts to each of these resources with minimal user and administrator effort, and keep passwords synchronized between each of these resources.

1.1.2 Access Control and Management Functions

Access control and management functions will be accomplished in the following manner:

• IBM Tivoli Identity Manager will be the single point of management for all user accounts in this environment.

• IBM Tivoli Access Manager for e-business (WebSEAL) will control access to the Web space using user accounts and group profiles. Identity Manager will provide provisioning services to create, change, and delete Access Manager accounts.

• IBM Tivoli Access Manager will provide a global sign-on (GSO) resource to provide automatic forms based single sign-on to the Mantis open source trouble-ticketing application. Identity Manager will provide provisioning services to create, change, and delete these Access Manager GSO accounts.

• IBM Tivoli Directory Integrator will function as an Identity Manager endpoint, allowing for provisioning services to create, change, and delete user accounts defined in the Mantis open source application MySQL database. Mantis stores user account and password information in this MySQL database, so a custom process will be developed within Directory Integrator to pass provisioning requests to and from MySQL.

1.1.3 The Mantis Open Source Application

Mantis is a Web-based bug tracking system. It is written in the PHP scripting language and requires a MySQL database and a Web server. Mantis can be installed on Windows, MacOS, OS/2, and a variety of UNIX operating systems. Almost any Web browser should be able to function as a client. It is released under the terms of the GNU General Public License (GPL).

Mantis was chosen as an integration point for this project to emphasize the power of using IBM Tivoli Directory Integrator to integrate third-party applications into an Identity Manager framework. Mantis stores its user account and password information in a MySQL database. Typically, Mantis stores passwords as MD5 hashes (MD5 is a hash, not encryption, so the stored value cannot be reversed but can be tested against guesses); for ease of implementation we decided to configure Mantis to store passwords in clear text format. Clear text storage means anyone with read access to the MySQL database, or to its backups, sees every Mantis password, so it is acceptable only in a throwaway lab such as this one. In the future, we will update this paper to discuss how to convert clear text passwords to the MD5 form using JavaScript within Directory Integrator.

1.2 Physical Architecture

1.2.1 Hardware and Software

Three machines comprise the solution. The table below outlines the names, operating systems, and hardware used by the author to develop this scenario.

Hostname | Operating System | Hardware | Installed Software
tivoli1 | Windows 2000 AS w/SP4 | Pentium 4 3GHz / 2.5GB RAM | IBM Tivoli Access Manager 5.1 Base; IBM Tivoli Directory Server 5.2 (ITIM and ITAM LDAP); IBM Tivoli Directory Integrator; ITIM Access Manager Agent; ITIM Access Manager GSO Agent; DB2 8.1 UDB (ITIM RDBMS); Microsoft Certificate Server
tivoli2 | Windows 2000 AS w/SP4 | Pentium 4 1.8GHz / 1GB RAM | IBM Tivoli Identity Manager 4.5.1; IBM Tivoli Access Manager 5.2 Web Portal Manager; IBM Tivoli Directory Server Web Administration Tool; IBM WebSphere Application Server 5.0.2
zeus | Red Hat Fedora Core 2 | Pentium 3 800 MHz / 512 MB RAM | IBM Tivoli Access Manager 5.1 WebSEAL; Mantis open source application; Apache/PHP/MySQL

1.2.2 Physical Architecture Diagram

[Physical architecture diagram: three hosts and a Web browser PC]

tivoli2 (Windows 2000 SP4): IBM Tivoli Identity Manager 4.5.1; IBM AMeb 5.1 Web Portal Manager; ITDS Directory Server Admin Tool; IBM WebSphere AS 5.0.2

tivoli1 (Windows 2000 SP4): IBM TAMeb 5.1 Base; IBM Directory Server 5.2; IBM Directory Integrator; ITIM Access Manager Agent; ITIM Access Manager GSO Agent; Microsoft Certificate Server

zeus (Red Hat Linux Fedora Core): IBM AMeb 5.1 WebSEAL; Mantis custom application; Apache Web server; MySQL database server; PHP

Web browser PC

Note that host tivoli2 is intended to be the sole user interface for all Web-based applications that are used to manage resources in this environment. This allows the environment to be created with a single instance of the IBM WebSphere Application Server.

The following applications will be used to manage the environment from tivoli2:

• IBM Tivoli Identity Manager Web Interface

• IBM Tivoli Directory Server LDAP Administration Tool

• IBM Tivoli Access Manager Web Portal Manager

1.3 Provisioning Process Flow

Provisioning user accounts within the IBM Tivoli Identity Manager application will be done using two processes, automatic provisioning and manual provisioning.

Both account creation processes are subject to an identity policy (which defines the user account naming structure) and a password policy.

1.3.1 Automatic Provisioning

Automatic provisioning specifies that when a person entity is created in ITIM, user accounts will automatically be created for ITIM access, Access Manager, and Mantis. This involves automatically creating four separate user accounts:

• ITIM account

• Access Manager account

• GSO account for Mantis forms single sign-on (SSO)

• Mantis user account in MySQL

During automatic provisioning, each of the account passwords will automatically be set to the username of the user account. If an account is manually provisioned, the administrator must specify an initial password for each account.

Setting the initial password to the username keeps this example simple, but such a password is guessable by anyone who knows the naming convention; outside a lab the initial password should be generated randomly and expire at first logon.

1.3.2 Manual Provisioning

Manual provisioning specifies that when a person entity is created in ITIM, the administrator will have the ability to manually provision the following user accounts:

• ITIM account

• Access Manager account

• GSO account for Mantis forms single sign-on (SSO)

• Mantis user account in MySQL

1.3.3 Provisioning Process Flow Diagram

The diagram below outlines the provisioning process flow:

[Provisioning process flow diagram, rendered as text]

Add person to ITIM
  → Org role decides: Automatic_Provisioning or Manual_Provisioning
      Automatic_Provisioning: identity policy, password policy, set password to username
      Manual_Provisioning: identity policy, password policy, prompt for password
  → Decide accounts; for each selected account:
      Create ITIM account
      Send to Access Manager agent → create AM LDAP object and assign groups
      Send to Access Manager GSO agent → create AM GSO account
      Send to IDI event handler (for Mantis) → send DSML2 request, encode password in Base64 format
        → IDI receives DSML request, decodes Base64 password → insert account information into MySQL
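The last branch of the flow above (and the clear-text versus MD5 storage question from section 1.1.3) can be followed end to end in a few lines. The following Python script is an added illustration written for this edition; it is not code from the paper, from ITIM or from Directory Integrator. It builds a DSMLv2 addRequest in the OASIS DSMLv2 core namespace with the password carried as a base64Binary value, decodes it on the receiving side, and derives the value Mantis would store under either login method. The DN layout, the attribute names (username, email, userPassword) and the mantis_user_table column list are assumptions; ITIM's real DSMLv2 service wraps its requests in SOAP and uses its own schema, and the sample account is constructed.

```python
"""Added illustration (not from the paper, ITIM or IDI): a DSMLv2 addRequest
with a Base64-encoded password, the decode on the receiving side, and the two
ways Mantis can store the result (PLAIN clear text vs unsalted MD5)."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DSML_NS = "urn:oasis:names:tc:DSML:2:0:core"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
XSD_NS = "http://www.w3.org/2001/XMLSchema"

ET.register_namespace("", DSML_NS)      # default namespace in the output
ET.register_namespace("xsi", XSI_NS)


def build_add_request(username: str, password: str, email: str) -> str:
    """ITIM side: serialize one addRequest. Base64 only *encodes* the password;
    it is not encryption, so the transport (HTTPS) is what has to protect it."""
    batch = ET.Element(f"{{{DSML_NS}}}batchRequest", {"xmlns:xsd": XSD_NS})
    add = ET.SubElement(batch, f"{{{DSML_NS}}}addRequest",
                        dn=f"uid={username},ou=mantis,dc=com")  # assumed DN layout
    for name, value in (("username", username), ("email", email)):
        attr = ET.SubElement(add, f"{{{DSML_NS}}}attr", name=name)
        ET.SubElement(attr, f"{{{DSML_NS}}}value").text = value
    attr = ET.SubElement(add, f"{{{DSML_NS}}}attr", name="userPassword")
    val = ET.SubElement(attr, f"{{{DSML_NS}}}value",
                        {f"{{{XSI_NS}}}type": "xsd:base64Binary"})
    val.text = base64.b64encode(password.encode("utf-8")).decode("ascii")
    return ET.tostring(batch, encoding="unicode")


def parse_add_request(xml_text: str):
    """IDI side: return (dn, {attribute: str}), decoding base64Binary values."""
    ns = {"d": DSML_NS}
    add = ET.fromstring(xml_text).find("d:addRequest", ns)
    if add is None:
        raise ValueError("batchRequest carries no addRequest")
    attrs = {}
    for attr in add.findall("d:attr", ns):
        val = attr.find("d:value", ns)
        text = val.text or ""
        if val.get(f"{{{XSI_NS}}}type", "").endswith("base64Binary"):
            text = base64.b64decode(text, validate=True).decode("utf-8")
        attrs[attr.get("name")] = text
    return add.get("dn"), attrs


def mantis_password_value(password: str, login_method: str) -> str:
    """Value for mantis_user_table.password. PLAIN is what section 2.5.2
    configures; MD5 (unsalted hex digest) is Mantis's usual default and is
    the point where an IDI script would hash before the INSERT."""
    if login_method == "PLAIN":
        return password
    if login_method == "MD5":
        return hashlib.md5(password.encode("utf-8")).hexdigest()
    raise ValueError(f"unsupported login method: {login_method}")


def verify_login(supplied: str, stored: str, login_method: str) -> bool:
    """Mantis-style credential check, with a constant-time comparison."""
    return hmac.compare_digest(mantis_password_value(supplied, login_method), stored)


def mantis_insert(dn_attrs, login_method: str = "PLAIN"):
    """Parameterised INSERT for the decoded account. The values tuple goes to
    cursor.execute() separately; nothing is interpolated into the SQL text.
    Columns not listed keep their schema defaults (assumed column names)."""
    _dn, a = dn_attrs
    sql = ("INSERT INTO mantis_user_table (username, email, password) "
           "VALUES (%s, %s, %s)")
    return sql, (a["username"], a["email"],
                 mantis_password_value(a["userPassword"], login_method))


if __name__ == "__main__":
    # constructed sample account, not data from the paper
    request = build_add_request("jdoe", "Welcome1", "jdoe@example.com")
    print(request)
    print(mantis_insert(parse_add_request(request), "MD5"))
```

Switching the second argument of mantis_insert from "PLAIN" to "MD5" is the whole of the conversion the paper defers to a future edition; the request on the wire is identical in both cases, which is why the transport, not the encoding, decides whether the password is exposed in transit.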

1.3.4 Authentication and Authorization Process Flow Diagram

After provisioning the necessary accounts for access, the following process occurs when authenticating and authorizing a user for access to the Mantis application.

[Authentication and authorization flow diagram: Web browser → Access Manager WebSEAL → LDAP; WebSEAL → Mantis Web application → MySQL; steps 1 to 7 as listed below]

1. The Web browser initiates a request to https://zeus/apache/mantis.

2. WebSEAL intercepts the request and prompts the user for an authorized username and password, receives the response from the Web browser user, and sends it on to the Access Manager environment for authentication.

3. WebSEAL and Access Manager authorize the user and build a credential for access.

4. WebSEAL then builds a global sign-on (GSO) credential for the user, intercepts the logon page that Mantis presents, and automatically submits the GSO credentials to the Mantis logon form for authentication.

5. Mantis checks the user credentials submitted against entries in the MySQL database.

6. The resulting user credential information is passed to the Mantis application and authorized.

7. Mantis sends the application page back through WebSEAL to the requesting browser.

2 Preparing the Environment

2.1 Required Software Media and Downloads

The following CDROMs are required:

• IBM WebSphere Application Server 5.0 for Windows

• IBM DB2 8.1 UDB Enterprise for Windows (also the ITIM Supplemental CD2)

• IBM Tivoli Access Manager 5.2 Directory Server for Windows

• IBM Tivoli Access Manager 5.1 Base for Windows

• IBM Tivoli Access Manager 5.1 Web Security for Linux

• IBM Tivoli Access Manager 5.2 Web Interfaces for Windows

• IBM Tivoli Directory Integrator 5.2 for Windows

• IBM Tivoli Identity Manager 4.5.1 Base WebSphere Install for Windows 2000

• IBM Tivoli Identity Manager 4.5.1 Supplemental Vol 2 for Windows

• IBM Tivoli Identity Manager 4.5.1 Supplemental Vol 3 for Windows

The following downloads are required:

• IBM Tivoli Identity Manager 4.5 Agent v4.5.10 for Access Manager on Windows NT and 2000 (c809CIE.zip)

2.2 User Accounts

The passwords below are lab values, printed so that the walkthrough can be followed exactly; a real deployment would use a distinct, non-trivial password for each administrative account rather than one value shared across them.

2.2.1 tivoli1 User Accounts

Username | Password | Explanation
Administrator | object00 | Windows 2000 administrator username and password
db2admin | db2admin | DB2 administrator account
cn=root | object00 | LDAP administrator account
sec_master | object00 | Access Manager administrator account

2.2.2 tivoli2 User Accounts

Username | Password | Explanation
Administrator | object00 | Windows 2000 administrator username and password
enrole | enrole | ITIM database account
db2admin | db2admin | DB2 administrator account

2.2.3 zeus User Accounts

Username | Password | Explanation
root | Object00 | UNIX root account
mantis | mantis | Mantis MySQL account (defined in MySQL)

2.3 tivoli1

The tivoli1 host should be installed as Windows 2000 Advanced Server SP4, with Internet Information Services and the Microsoft Certificate Server. The Microsoft Certificate Server can be installed during installation as an additional Windows component, or after installation using Control Panel → Add/Remove Programs → Add/Remove Windows Components. Name your certificate authority 'ibm'.

Set the Administrator password to object00.

Configure the IIS Web server to listen on port 8080 instead of the default 80. This can be accomplished in the IIS configuration snap-in.

2.4 tivoli2

The tivoli2 host should be installed as a Windows 2000 Advanced Server SP4. Do not install IIS on this machine.

Set the Administrator password to object00.

In addition, add a user account called enrole with a password of enrole. Set the properties of the user account for the password to never expire.

2.5 zeus

The zeus host should be installed as a Linux host. The author used Red Hat Fedora Core 2 as the operating system (Warning: not officially supported by IBM/Tivoli).

Ensure that the following packages are installed as part of the installation:

1. Apache

2. PHP

3. MySQL

2.5.1 Configure Apache to Listen on Port 8080

1. Log on to a shell account on zeus as root.

2. Edit the /etc/httpd/conf/httpd.conf file and change the Listen entry to the following:

Listen *:8080

3. Save the httpd.conf file and restart Apache with the following command (Red Hat Linux):

service httpd restart

2.5.2 Download and Install the Mantis Application on Zeus

1. Log on to a shell account on zeus as root.

2. Download the Mantis archive from the following location:

http://www.mantisbt.org/

3. The default HTML document root is /var/www/html on Red Hat Linux. Create a directory in /var/www/html called mantis, and set the permissions of the directory to 755 (chmod 755).

4. Copy the downloaded Mantis archive (in this example mantis-0.19.0.tar.gz) to the /var/www/html/mantis directory and untar the installation file with the following command:

tar zxvf mantis-0.19.0.tar.gz

5. Move the contents of the /var/www/html/mantis/mantis-0.19.0 directory to the /var/www/html/mantis directory with the following command:

mv mantis-0.19.0/* .

6. Delete the old mantis-0.19.0 directory:

rm -r mantis-0.19.0

7. Create the MySQL database for Mantis with the commands below. When prompted, enter the password of the MySQL root account (a separate account from the zeus operating-system root, even if the same password was chosen for both).

$ mysql -u root -p
Enter Password: xxxxxx
mysql> create database mantis;

8. Type exit at the mysql> prompt.

9. Change directory to /var/www/html/mantis/sql and import the Mantis tables with the command below. When prompted for a password, enter the MySQL root password.

mysql -u root -p mantis < db_generate.sql

10. Open another MySQL shell session and grant access to the user name mantis with the following commands:

$ mysql -u root -p mantis
Enter Password: *****
mysql> grant all on mantis.* to mantis identified by "mantis";

Without a host part, MySQL creates this account as 'mantis'@'%', usable from any host that can reach the server. Mantis connects from the same machine, so granting to 'mantis'@'localhost' instead limits where the account (and its weak password) can be used from.

11. Verify the account was created properly by opening a MySQL shell session and logging on with the new mantis user account (password is mantis).

$ mysql -u mantis -p mantis
Enter Password: mantis
mysql>

Do not exit the MySQL shell yet.

12. Because we will be using clear text passwords, update the database table and change the password for the Administrator user to the clear text value admin with the following command:

mysql> update mantis_user_table set password="admin" where username="Administrator";

Verify the password was updated properly with the following command:

mysql> select username, password from mantis_user_table where username="Administrator";

13. Exit the MySQL shell by typing exit at the mysql> prompt.

14. Change directory to /var/www/html/mantis and rename the config_inc.php.sample file to config_inc.php with the following command:

$ mv config_inc.php.sample config_inc.php

15. Edit the config_inc.php file with your favorite text editor (the author chose to use vi) and update the following configuration settings to match the below:

$g_hostname = "localhost";
$g_db_username = "mantis";
$g_db_password = "mantis";
$g_database_name = "mantis";

Add the following line anywhere in the configuration file:

$g_login_method = "PLAIN";

17. Remove the directory admin/ with the following command:

$ rm -r admin

18. Open a Web browser to the following URL:

http://zeus:8080/mantis/

19. Log on with user name Administrator with a password of admin to verify the installation of Mantis was successful.

3 Install and Configure IBM Tivoli Directory Server 5.2

3.1 Install the IBM JRE

1. Insert the IBM Tivoli Access Manager Directory Server 5.2 installation CDROM for Windows in the CD drive. Change directory to \windows\JRE and double-click install.exe to start the JRE installation.

2. Choose English as the installation language and click OK.


4. Click Yes to accept the license agreement.

5. Click Next to accept the default installation directory.


7. Click YES to install this JRE as the system JVM.

8. Click Next to start copying files.

3.2 Install Directory Server

1. With the IBM Tivoli Access Manager Directory Server 5.2 for Windows installation CDROM in the CD drive, change directory to the root directory and double-click install_ldap_server.exe to start the LDAP installation.

2. Choose English as the installation language and click OK to continue.


4. Click Next to accept the license agreement.

5. Click Next to accept the default installation directory for the GSK kit.


7. Click Next to accept the default installation directory for the IBM Tivoli Directory Server.

8. Enter db2admin for the DB2 administrator ID with a password of db2admin, and accept the default database home and database name parameters. Then click Next to continue.


9. Enter object00 for the Administrator ID password, and o=ibm,c=US for the user-defined suffix. Click Next to continue.

10. Enter key4ssl as the SSL key file password, accept the defaults for the rest of the parameters, and click Next.


11. Review the configuration options and click Next to start the installation.


13. After the machine reboots, log on as Administrator and the installation will continue. Choose English as the installation language and click OK.


15. Open Start → Programs → Administrative Tools → Services. Verify the IBM Tivoli Directory Server service startup type is set to Automatic.

16. Right-click the service entry for IBM Tivoli Directory Server and click Start to start the LDAP server. Verify the service is started in the services list.

4 Install and Configure IBM Tivoli Access Manager 5.1

4.1 Install the Access Manager Policy Server

1. Log on to tivoli1 as Administrator and place the IBM Tivoli Access Manager 5.1 Base for Windows CDROM in the CD Drive, open the root folder of the CD, and double-click install_ammgr.exe to start the policy server installation.

2. Choose English as the installation language and click OK to continue.


4. Accept the terms of the license agreement and click Next.


6. Accept the default installation directory and click Next.


8. Enter tivoli1 for the LDAP server host name, do not enable SSL, and click Next. Leaving SSL off is a lab shortcut: the policy server then sends the cn=root bind password and all user data to the directory in clear text. The same applies to the WebSEAL-to-LDAP connection configured in section 4.2.

9. Enter object00 as the Tivoli Access Manager Administrator password, cn=root for the LDAP Administrator DN, and object00 for the LDAP Administrator password. Then click Next.


10. Review the installation options and click Next.


12. After reboot, log on as Administrator. The installation process will continue. Choose English as the installation language and click OK.

13. Verify each component was installed successfully and click Finish.

4.2 Install WebSEAL

1. Open a shell session on zeus and log on as root. Set up your Xresource and Xdisplay variables accordingly if you are logging on remotely, as you will need an XDesktop to install the WebSEAL application.

2. Mount the Tivoli Access Manager Web Security for Linux CDROM using the following command:

$ mount -t iso9660 /dev/cdrom /mnt/cdrom

3. Change directory to the root of the CDROM by typing: cd /mnt/cdrom

4. Install the IBM Java JRE with the following command:

rpm -ivh xSeries/IBMJava2-JRE-1.3.1.3.i386.rpm

NOTE: If using Fedora Core for this installation, do not install the IBM JRE. The Sun JRE will be required. Download the Linux Sun JRE from http://www.java.com and follow the installation instructions there before proceeding.

5. Start the WebSEAL installation by executing ./install_ameb. Choose English as your installation language and click OK.


7. Accept the terms of the license agreement and click Next.

8. Choose LDAP as the user registry and click Next.


10. Specify the policy server host name as tivoli1, and accept all the other options as their defaults.

11. Enter the LDAP server host name as tivoli1, and leave the port at the default of 389.


13. Enter the Administrator password as object00 and click Next.

14. Choose NO for enabling SSL for communications with the IBM Directory Server and click Next.


16. Accept the default port for HTTP access (80) and click Next.

17. Choose YES to allow HTTPS access and click Next.


19. Accept the default for the Web document root directory and click Next.

20. Review the configuration options and click Next to install.

The Access Manager Java Runtime and the WebSEAL server will be installed.

21. Verify that the installation was successful for all components and click Finish to complete the installation.

5 Install IBM Tivoli Identity Manager 4.5.1

5.1 DB2 Installation

5.1.1 Install the DB2 8.1 UDB Base Code

1. Log on to tivoli2 as Administrator and place the IBM DB2 UDB 8.1 for Windows CDROM in the CD Drive. Then double-click setup.exe to start the installation.

2. Click Install Products.


4. Click Next.

5. Accept the terms of the license agreement and click Next.


7. Click OK at the APPC Warning window.

8. Choose Install DB2 Enterprise Server Edition on this computer and click Next.


10. Enter db2admin as the user name and db2admin as the password, and click Next.

11. Choose Local and click Next.


13. Click Next at the Configure DB2 instances window.

14. Choose Do not prepare and click Next.


16. Click Install to start copying files.

17. When the setup is complete click Finish.

18. Click Exit First Steps to complete.

5.1.2 Install the DB2 8.1 UDB Fixpack 2

1. Log on to tivoli2 as Administrator, place the IBM Tivoli Identity Manager 4.5.1 Supplemental Volume 3 for Windows CDROM in the CD Drive, and start the update.exe executable.


2. When prompted to shutdown running DB2 processes, click YES.

3. Choose Update to install the fixpack.

4. Click Finish to complete the installation.


5.1.3 Configure DB2 for ITIM

1. Log on to tivoli2 as Administrator and open a DB2 Command Window by executing Start → Programs → IBM DB2 → Command Line Tools → Command Window.

2. Run the following commands in order to create the ITIM database and configure it with the appropriate options:

db2 create db itimdb using codeset UTF-8 territory US
db2 update db cfg for itimdb using applheapsz 384
db2 update db cfg for itimdb using app_ctl_heap_sz 512
db2 connect to itimdb
db2 create bufferpool enrolebp size -1 pagesize 32k
db2set DB2_RR_TO_RS=YES
db2 force application all
db2stop

5.2 LDAP Configuration

5.2.1 Configure LDAP for ITIM

1. Log on to tivoli1 as Administrator and stop the IBM Tivoli Directory Server service by clicking Start → Programs → Administrative Tools → Services and stopping the service.

2. Open the c:\Program Files\IBM\LDAP\etc\ibmslapd.conf file in notepad.

3. Locate the line that reads:

ibm-slapdSuffix: cn=localhost

and add a line below it that reads:

ibm-slapdSuffix: dc=com

4. Save the file and exit Notepad.

5. Insert the IBM Tivoli Identity Manager 4.5 Supplemental Volume #2 for Windows CDROM into the CD Drive and open the \DelRef directory in Windows Explorer.

6. Copy the timdelref.conf file from the CDROM to the C:\Program Files\IBM\LDAP\etc directory on tivoli1.

7. Change directory in Windows Explorer to \DelRef\nt and copy the libdelref.dll file to the C:\Program Files\IBM\LDAP\bin directory.

8. Open the c:\Program Files\IBM\LDAP\etc\ibmslapd.conf file in Notepad again.


ibm-slapdPlugin: database /bin/libback-rdbm.dll rdbm_backend_init

10. Add the following line directly under the above line:

ibm-slapdPlugin: preoperation /bin/libdelref.dll DeleteReferenceInit file="c:\Program Files\ibm\ldap\etc\timdelref.conf" dn=dc=com

11. Next, search for the following two lines in the ibmslapd.conf file.

dn: cn=Front End, cn=Configuration
cn: Front End

12. Add the following line directly under the above two lines:

ibm-slapdsetenv: SLAPD_OCHANDLERS=2

13. Save the ibmslapd.conf file in Notepad and exit.

14. Click Start → Programs → Administrative Tools → Services and start the IBM Tivoli Directory Server 5.2 service.

15. Create a new document in Notepad with the filename suffix.ldif and save the file to the root of the C:\ drive. The file should contain the following text:

dn: dc=com
dc: com
objectclass: top
objectclass: domain

16. Open a Command Window and type the following command to import the LDAP suffix.ldif
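The three edits to ibmslapd.conf in steps 3, 10 and 12 are made by hand in Notepad above. As an added example (not an IBM tool and not part of this guide's procedure), the following Python script makes the same three insertions programmatically, adds each line only if it is not already present so it can be re-run safely, and checks afterwards that every new line sits directly under the line it belongs to. The SAMPLE_CONF excerpt is constructed for the example and contains only the lines the procedure touches; anchor lines are matched exactly, so a file whose lines differ in spacing would need the constants adjusted.

```python
"""Apply and verify the ibmslapd.conf edits from section 5.2.1.

Added example; not an IBM tool. It makes the three insertions the procedure
describes, each only once (so re-running it is safe), and refuses to guess when
an anchor line is missing. SAMPLE_CONF is a constructed excerpt containing only
the lines the procedure touches; a real file has many more entries.
"""
from typing import List, Sequence, Union

SUFFIX_ANCHOR = "ibm-slapdSuffix: cn=localhost"
SUFFIX_NEW = "ibm-slapdSuffix: dc=com"
PLUGIN_ANCHOR = "ibm-slapdPlugin: database /bin/libback-rdbm.dll rdbm_backend_init"
PLUGIN_NEW = ('ibm-slapdPlugin: preoperation /bin/libdelref.dll DeleteReferenceInit '
              'file="c:\\Program Files\\ibm\\ldap\\etc\\timdelref.conf" dn=dc=com')
FRONTEND_ANCHOR = ("dn: cn=Front End, cn=Configuration", "cn: Front End")
FRONTEND_NEW = "ibm-slapdsetenv: SLAPD_OCHANDLERS=2"

# Constructed excerpt of an ibmslapd.conf before the procedure is applied.
SAMPLE_CONF = """\
dn: cn=Directory, cn=RDBM Backends, cn=IBM Directory, cn=Schemas, cn=Configuration
cn: Directory
ibm-slapdPlugin: database /bin/libback-rdbm.dll rdbm_backend_init
ibm-slapdSuffix: cn=localhost

dn: cn=Front End, cn=Configuration
cn: Front End
objectclass: top
"""

Anchor = Union[str, Sequence[str]]


def insert_after(lines: List[str], anchor: Anchor, new_line: str) -> List[str]:
    """Insert new_line directly under the anchor line(s) unless it is already in the file."""
    if new_line in lines:
        return list(lines)
    anchor_lines = [anchor] if isinstance(anchor, str) else list(anchor)
    n = len(anchor_lines)
    for i in range(len(lines) - n + 1):
        if lines[i:i + n] == anchor_lines:
            return lines[:i + n] + [new_line] + lines[i + n:]
    raise ValueError(f"anchor not found in ibmslapd.conf: {anchor_lines[0]!r}")


def configure_for_itim(conf_text: str) -> str:
    """Return the configuration with the ITIM suffix, delete-reference plugin and setenv lines added."""
    lines = conf_text.splitlines()
    lines = insert_after(lines, SUFFIX_ANCHOR, SUFFIX_NEW)
    lines = insert_after(lines, PLUGIN_ANCHOR, PLUGIN_NEW)
    lines = insert_after(lines, FRONTEND_ANCHOR, FRONTEND_NEW)
    return "\n".join(lines) + "\n"


def verify_itim_config(conf_text: str) -> List[str]:
    """List what is still wrong; an empty list means the file matches the procedure."""
    lines = conf_text.splitlines()
    problems: List[str] = []
    checks = [
        (SUFFIX_ANCHOR, SUFFIX_NEW),
        (PLUGIN_ANCHOR, PLUGIN_NEW),
        (FRONTEND_ANCHOR[-1], FRONTEND_NEW),  # setenv line belongs under "cn: Front End"
    ]
    for anchor, new_line in checks:
        if new_line not in lines:
            problems.append(f"missing line: {new_line}")
        elif anchor not in lines or lines.index(new_line) != lines.index(anchor) + 1:
            problems.append(f"line is not directly under its anchor: {new_line}")
    return problems


if __name__ == "__main__":
    updated = configure_for_itim(SAMPLE_CONF)
    print(updated)
    print("problems:", verify_itim_config(updated))
```

To use it on a real server, read C:\Program Files\IBM\LDAP\etc\ibmslapd.conf into conf_text while the directory service is stopped (step 1), write the result back, and run verify_itim_config on the saved file before restarting the service in step 14.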


5.3 Install ITIM 4.5.1

1. On tivoli2, insert the IBM Tivoli Identity Manager 4.5.1 Base WebSphere for Windows Installation CDROM in the CD Drive, open the root of the CD drive in Windows Explorer, and double-click the instWIN-WAS.exe file.

2. Choose English as the installation language and click OK.


4. Choose a Single Server installation type and click Next.

5. Accept the default directory of C:\itim45 and click Next.


7. Click Continue at the ‘Run usejdbc2 command’ message.

8. Accept the default configuration entries for the WebSphere Application Server and click Next.

9. Click OK at the ‘Check Disk Space’ message.


11. Enter the Administrator password object00 and click Next.

12. Accept the default encryption key and click Next.


14. When prompted, insert the WebSphere Application Server 5.0 for Windows Installation CDROM in the CD Drive, and enter the drive letter and path to the installation CD image. Then click OK.

The WebSphere Application Server will be installed and the installation program will automatically apply Fixpack 02. This will take a few minutes, so be patient, very patient.

15. Enter itimdb as the database name, db2admin as the Admin ID, and db2admin as the Admin password, then click Test.

16. The database connection should be successful. Click OK.


18. The DB2 tables will now be created. When finished, you will see the following dialog box. Click OK.

19. Enter cn=root for the Principal DN, object00 as the password, tivoli1 as the host name and click Test.

20. The LDAP connection should be successful. Click OK to continue.

21. Enter IBM Tivoli WW Education as the name of your organization, IBM_TIV_WW_EDU as the default org short name, dc=com as the Identity Manager DN location, and click Continue.


23. The system configuration utility will now load. Click the Mail tab and enter mail.ibm.com as the mail server name. Then click OK to apply the changes.

24. When the install completes, click Done.

25. Open Start → Programs → Administrative Tools → Services. Verify the WebSphere Application Server server1 startup type is set to Automatic.


26. Reboot the tivoli2 machine.

27. After the reboot is complete, open Internet Explorer to the following URL:

http://tivoli2/enrole


6 Install and Configure the Web Interfaces

We will install both the Access Manager Web Portal Manager (WPM) and the Directory Server Web Administration Tool on tivoli2. The tivoli2 machine will be the primary Web interface host for managing all functions in this environment.

Log on to tivoli2 as Administrator and follow the instructions below.

6.1 Install the IBM JRE on tivoli2

1. Insert the IBM Tivoli Access Manager Web Interfaces for Windows CDROM in the CD drive, open the /Windows/JRE directory, and double-click install.exe.

2. Choose English as the installation language and click OK.


4. Click Yes to accept the license agreement.

5. Click Next to accept the default installation directory for the JRE.


7. Click Yes to install as the System JVM.

8. Click Next.


6.2 Install the IBM Tivoli Access Manager Web Portal Manager (WPM)

1. Insert the IBM Tivoli Access Manager Web Interfaces for Windows CDROM in the CD drive on tivoli2, open the /Windows/PolicyDirector/Disk Images/Disk1 directory, and double-click Setup.exe.

2. Choose English as the install language and click Next.


4. Click Yes.

5. Choose the Access Manager Java Runtime Environment and the Access Manager Web Portal Manager and click Next.


7. Click Next. The components will now install.

8. Click OK.

9. Open Windows Explorer to the C:\Program Files\Tivoli\Policy Director\Java\export\pdjte directory. Copy the PD.jar file located there to the following directory:

C:\Program Files\WebSphere\AppServer\java\jre\lib\ext


10. Close Windows Explorer and open a Command Window. Change directory in the command window to c:\Program Files\Tivoli\Policy Director\sbin. Execute the following command in the window:

pdjrtecfg -action config -interactive

11. Choose Full and click Next.


13. Enter tivoli1 as the host name and click Next. (Verify tivoli1, not tivoli2.)

14. Enable the Common Directory for logging and click Next.

15. Click OK.

16. Back in the Command Window, execute the following command:


17. Click Next.

18. Enter tivoli1 as the host name for the policy server and click Next.

19. Enter sec_master as the Administrator ID and object00 as the password and click Finish.

20. The installation will take several minutes, be patient.


22. Open Start → Programs → Administrative Tools → Services and restart both of the following services:

• IBM WebSphere Application Server V5 - server1
• IBM HTTP Server 1.3.26

23. Open Internet Explorer to the following URL:

http://tivoli2/pdadmin

Verify a logon page is received:

24. Log on with sec_master as the User Id and object00 as the password.


6.3 Install the IBM Tivoli Directory Server Web Administration Tool

1. Insert the IBM Tivoli Access Manager Web Interfaces for Windows CDROM in the CD drive and open the /Windows/Directory directory. Double-click setup.exe.

2. Choose English as the installation language and click OK.


4. Click Next to accept the terms of the license agreement.

5. Click Next.


7. Choose English and click Next.

8. Choose only the Web Administration Tool 5.2 and click Next.


10. Click Next.

11. Choose Yes, restart my computer, and click Next.

12. After the tivoli2 host finishes the reboot process, open Internet Explorer while on tivoli2 to the following URL:

http://tivoli2:9090/admin


13. Click Applications → Install Application.

14. Enter the following parameters and click Next. Be patient as it takes a few moments to upload the war file to the Web server.

Local Path: C:\Program Files\IBM\LDAP\idstools\IDSWebApp.war
Context Root: IDSWebApp

15. Accept the defaults and click Next at the next four screens.

16. Click Finish at the fifth screen.


18. Click Save to save to the master configuration.

19. Click Enterprise Applications.

20. Select the check box next to IDSWebApp_war and click Start.

21. Verify the IDS Web Application starts (green arrow).

22. Open Internet Explorer to the following URL:

http://tivoli2:9080/IDSWebApp/IDSjsp/Login.jsp


23. In the left pane, click Console administration to expand, and then click Manage console servers.

24. Click Add.


26. Click Logout to log out of the administrative interface.

27. Open Internet Explorer to the following URL again:

http://tivoli2:9080/IDSWebApp/IDSjsp/Login.jsp

Choose tivoli1 as the LDAP host name, and log on with cn=root as the username and object00 as the password.

28. Click Directory Management → Manage Entries. Entries in the LDAP database should be displayed.


29. Click Logout to log out of the administrative interface. This completes the installation of the Web interfaces.


7 Install and Configure IBM Tivoli Identity Manager Agents

For the tasks in this section, we will be working on the tivoli1 host.

7.1 Install the Access Manager ITIM Agent

1. Unzip the IBM Tivoli Identity Manager 4.5 Agent v4.5.10 for Access Manager on Windows NT and 2000 (c809CIE.zip) file into a temporary directory and open the folder in Windows Explorer. Double-click setup.exe to start the installation.

2. Click Next at the welcome screen.


4. Click Next to accept the default agent installation directory.

5. Click Next at the installation summary screen.


7. The installation of the agent will now begin. When finished, you may see the error message below referencing a JRE issue. You may ignore it. Click Finish to complete the Access Manager Agent installation.

8. Open Start → Programs → Administrative Tools → Services and verify the Access Manager Agent is started and is set to automatically start on boot.


7.2 Configure the Access Manager Agent

7.2.1 Configure Protocol Settings

1. Open a Command Window and change directory to c:\Tivoli\Agents\TAM4Agent\bin.

2. Enter the command agentCfg -agent TAM4Agent to start the agent configuration program. Enter agent when prompted for the configuration key.

3. At the menu, enter B to choose the protocol configuration menu.

4. Enter C to configure a protocol.

5. Enter A to configure the DAML protocol.

6. Do the following:

• Enter A and set the port to 45580
• Enter B and set the username to tam4agent
• Enter C and set the password to tam4agent


7. Enter X four times to exit the agent configuration application.

8. Open Start → Programs → Administrative Tools → Services and restart the Access Manager Agent.

7.2.2 Certificate Installation

9. Open a Command Window and change directory to c:\Tivoli\Agents\TAM4Agent\bin.

10. Enter the command certtool -agent TAM4Agent to start the agent certificate installation program. Choose A to generate a private key and certificate request.

11. Enter the following values for the certificate request and accept the values by entering Y.

• Enter the organization as ibm


• Enter the organizational unit as IBMWWEDU

12. Enter the file name to store the request as request.pem. After the file is written press the enter key to continue.

13. Open Internet Explorer to http://tivoli1:8080/certsrv. Choose Request a Certificate and click Next.


15. Leaving Internet Explorer open in the background, use Windows Explorer to open the request.pem file you just created in Notepad. The file resides in the C:\Tivoli\Agents\TAM4Agent\bin directory.

16. Within Notepad, type CTRL-A to select all text, then select Edit → Copy to copy the contents of the certificate request to the clipboard.

17. Return to the Internet Explorer browser and paste the contents of the clipboard into the saved request text box by clicking in the text box and typing Ctrl-V. Then click Submit to submit the certificate request.


18. You should see the certificate pending notification. Click Home to continue.

19. Open the Certificate Authority tool by clicking Start → Programs → Administrative Tools → Certification Authority.

20. Click IBM → Pending Requests. Then right-click the pending certificate request and click All Tasks → Issue. This issues the certificate.

21. Return to the home page of the Certificate Server in Internet Explorer. Choose Check on a pending certificate and click Next.


22. Click Next.

23. Choose to download the certificate in DER format, and then click Download Certificate.

24. Save the file as tam4agent.cer in the c:\Tivoli\Agents\TAM4Agent\bin directory.

25. Click Home on the Certificate Services Web page. Choose the Retrieve the CA Certificate option and click Next.


26. Choose the Current CA, DER encoded, and click Download CA Certificate.

27. Save the file as ca.cer in the c:\Tivoli\Agents\TAM4Agent\bin directory.

28. Open a Command Window, change directory to c:\Tivoli\Agents\TAM4Agent\bin, and start the agent certificate installation tool by entering the command certtool -agent TAM4Agent. Choose F to install the CA certificate.


29. Enter the name ca.cer for the certificate file, and type Y to install the CA certificate.

30. Type B at the menu prompt, and enter the certificate name to install as tam4agent.cer.

31. Type X four times to exit the certificate installation tool. You have completed the SSL certificate installation for the Access Manager Agent.


7.3 Install the Access Manager GSO Agent

1. Open the temporary directory where the Access Manager ITIM agent was unzipped to. Change directory to the TAM41-GSO-Win-4.5.2 directory and double-click setup.exe to start the installation application.

2. Click Next at the welcome screen.


4. Click Next to accept the default installation directory.

5. Click Next at the installation summary screen.

6. Enter sec_master as the Access Manager Administrator account and object00 as the password.


7. The installation of the agent will now begin. When finished, you may see the error message below referencing a JRE issue. You may ignore it. Click Finish to complete the Access Manager GSO Agent installation.

8. Open Start → Programs → Administrative Tools → Services and verify the Access Manager Agent is started and the startup type is set to Automatic.


7.4 Configure the Access Manager GSO Agent

7.4.1 Configure Protocol Settings

1. Open a Command Window and change directory to c:\Tivoli\Agents\TAMGSOAgent\bin.

2. Enter the command agentCfg -agent TAMGSOAgent to start the agent configuration program. Enter agent when prompted for the configuration key.

3. At the menu, enter B to choose the protocol configuration menu.

4. Enter C to configure a protocol.

5. Enter A to configure the DAML protocol.

6. Do the following:

• Enter A and set the port to 45581
• Enter B and set the username to tamgsoagent
• Enter C and set the password to tamgsoagent


7. Enter X four times to exit the agent configuration application.

8. Open Start → Programs → Administrative Tools → Services and restart the Access Manager GSO Agent.

7.4.2 Certificate Installation

1. Open a Command Window and change directory to c:\Tivoli\Agents\TAMGSOAgent\bin.

2. Enter the command certtool -agent TAMGSOAgent to start the agent certificate installation program. Choose A to generate a private key and certificate request.

3. Enter the following values for the certificate request and accept the values by entering Y.

• Enter the organization as ibm


4. Enter the file name to store the request as request.pem. After the file is written press the enter key to continue.

5. Open Internet Explorer to http://tivoli1:8080/certsrv. Choose Request a Certificate and click Next.


7. Leave Internet Explorer open in the background and use Windows Explorer to open the request.pem file you just created in Notepad. The file resides in the C:\Tivoli\Agents\TAMGSOAgent\bin directory.

8. Within Notepad, enter CTRL-A to select all the text, then select Edit → Copy to copy the contents of the certificate request to the clipboard.

9. Return to the Internet Explorer window and paste the contents of the clipboard into the Saved Request text box by clicking in the text box and typing Ctrl-V. Then click Submit to submit the certificate request.


10. You should see the certificate pending notification. Click Home to continue.

11. Open the Certificate Authority tool by clicking Start → Programs → Administrative Tools → Certification Authority.

12. Click IBM → Pending Requests. Then right-click the pending certificate request and click All Tasks → Issue. This issues the certificate.

13. Return back to the home page of the Certificate Server in Internet Explorer. Choose Check on a pending certificate and click Next.


14. Click Next.

15. Choose to download the certificate in DER format, and then click Download Certificate.


17. Click Home on the Certificate Services page. Choose the Retrieve the CA Certificate option and click Next.

18. Choose the Current CA, DER encoded, and click Download CA Certificate.


20. Open a Command Window, change directory to c:\Tivoli\Agents\TAMGSOAgent\bin, and start the agent certificate installation tool by entering the command certtool -agent TAMGSOAgent. Choose F to install the CA certificate.

21. Enter the name ca.cer for the certificate file, and type Y to install the CA certificate.

22. Enter B at the menu prompt, and enter the certificate name to install as tam4agent.cer.

23. Type X four times to exit the certificate installation tool. You have completed the SSL certificate installation for the Access Manager GSO Agent.


8 Configure Access Manager

8.1 Create the apache-group Group

1. Open Internet Explorer to the URL: http://tivoli2/pdadmin.

2. Log on as sec_master with a password of object00.

3. Click Group → Create Group. Create the group with the following parameters:

• Group Name: apache-group
• Registry GID: cn=apache-group,cn=SecurityGroups,secAuthority=Default

Click Create to create the group.


8.2 Secure the Web Space

1. Open Internet Explorer to the URL: http://tivoli2/pdadmin.

2. Log on as sec_master with a password of object00.

3. Click Object Space → Create Object Space. Create the object space with the following parameters:

• Object Space Name: /WebSEAL/[webseal-hostname]-default/apache/mantis
• Description: Mantis Object Space

Click Create to create the object space. Then click Done.

4. Click ACL → Create ACL. Create the ACL with the following parameters:

• ACL Name: mantis-acl
• Description: Mantis ACL


6. Click the ACL entry mantis-acl that you just created.

7. Click Create to create an ACL entry.

8. Choose Group as the entry type, and enter the name apache-group for the entry name. Select the Traverse, Read, Execute, and List Directory permissions and click Apply, then click Done.


9. Click Object Space → Browse Object Space, and click the link for the following location in the object space:

/WebSEAL/[webseal-hostname]-default/apache/mantis


11. Choose the mantis-acl and click Apply. Click Apply again to apply the changes.

12. Click Object Space → Browse Object Space, and then click Refresh. Navigate to the following location in the object space and verify the ACL was attached.
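The effect of attaching mantis-acl at /WebSEAL/[webseal-hostname]-default/apache/mantis is that the ACL now governs every object beneath that point, and because the ACL holds only a group entry for apache-group, users outside that group lose the access they previously inherited from the ACL above. The following Python model is an added example (not Access Manager code and not part of this guide) that reproduces the evaluation rules this section relies on: the nearest attached ACL is the effective one, Traverse (T) is required on every ancestor, and a matching user entry is used on its own, otherwise matching group entries are unioned, otherwise any-other (or unauthenticated for anonymous requests). The object space, the users jdoe and asmith, and the stand-in root ACL are constructed; zeus is assumed for [webseal-hostname].

```python
"""Model of Tivoli Access Manager protected-object-space ACL evaluation.

Added example; not Access Manager code. It reproduces the rules section 8.2
depends on: an ACL attached to an object governs every object beneath it until
another ACL is attached, reaching an object needs Traverse (T) on each ancestor,
and a user entry is consulted exclusively, then group entries are unioned, then
any-other (or unauthenticated for anonymous requests). The object names, users
and the root ACL below are constructed; zeus stands in for [webseal-hostname].
"""
from typing import Dict, Iterable, List, Optional

# ACL name -> {entry: permission string}. Entries are "user:<id>", "group:<name>",
# "any-other" or "unauthenticated". Letters follow the pdadmin set (T traverse,
# r read, x execute, l list, ...).
ACLS: Dict[str, Dict[str, str]] = {
    # Constructed stand-in for the default root ACL: anyone logged in may traverse and read.
    "default-root": {"group:iv-admin": "TcmdbsvaBRrxl", "any-other": "Tr", "unauthenticated": "T"},
    # The ACL created in section 8.2: one group entry (Traverse, Read, Execute, List), no any-other.
    "mantis-acl": {"group:apache-group": "Trxl"},
}

# Constructed object space: object path -> explicitly attached ACL (None = inherited).
OBJECT_SPACE: Dict[str, Optional[str]] = {
    "/": "default-root",
    "/WebSEAL": None,
    "/WebSEAL/zeus-default": None,
    "/WebSEAL/zeus-default/apache": None,
    "/WebSEAL/zeus-default/apache/mantis": "mantis-acl",
}


def ancestors_and_self(path: str) -> List[str]:
    """'/a/b/c' -> ['/', '/a', '/a/b', '/a/b/c']."""
    parts = [p for p in path.split("/") if p]
    return ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]


def effective_acl(path: str) -> Dict[str, str]:
    """Nearest explicitly attached ACL on the object itself or one of its ancestors."""
    for node in reversed(ancestors_and_self(path)):
        acl_name = OBJECT_SPACE.get(node)
        if acl_name is not None:
            return ACLS[acl_name]
    raise ValueError("no ACL attached at the root of the object space")


def permissions_for(acl: Dict[str, str], user: Optional[str], groups: Iterable[str]) -> str:
    """Permission string that applies to this principal under one ACL."""
    if user is None:
        return acl.get("unauthenticated", "")
    if f"user:{user}" in acl:            # a matching user entry is used on its own
        return acl[f"user:{user}"]
    group_perms = [acl[f"group:{g}"] for g in groups if f"group:{g}" in acl]
    if group_perms:                       # otherwise matching group entries are unioned
        return "".join(sorted(set("".join(group_perms))))
    return acl.get("any-other", "")       # otherwise the any-other entry, if there is one


def is_permitted(path: str, permission: str, user: Optional[str], groups: Iterable[str] = ()) -> bool:
    """Traverse on every ancestor, then the requested permission on the object itself."""
    groups = list(groups)
    nodes = ancestors_and_self(path)
    for node in nodes[:-1]:
        if "T" not in permissions_for(effective_acl(node), user, groups):
            return False
    return permission in permissions_for(effective_acl(path), user, groups)


if __name__ == "__main__":
    page = "/WebSEAL/zeus-default/apache/mantis/view_all_bug_page.php"
    print(is_permitted(page, "r", "jdoe", ["apache-group"]))   # True
    print(is_permitted(page, "r", "asmith"))                   # False: no any-other entry in mantis-acl
```

The asmith case is the one to keep in mind when building the ACL in step 8: a user who is not in apache-group is denied at the mantis object itself (no entry matches, so the permission string is empty), while the same user still reads objects elsewhere under the junction through the inherited root ACL.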


8.3 Create the Mantis GSO resource

1. Open Internet Explorer to the URL: http://tivoli2/pdadmin.

2. Log on as sec_master with a password of object00.

3. Click GSO Resource → List GSO. Then click Create to create a new GSO resource.

4. Enter mantis as the GSO name, and click Create.


8.4 Modify the Access Manager Password Policy

1. Open Internet Explorer to the URL: http://tivoli2/pdadmin.

2. Log on as sec_master with a password of object00.

3. Click User → Show Global User Policy. Unset the following policy entries:

• Minimum Password Length
• Minimum Password Alphas
• Minimum Password Non-Alphas
• Max Password Repeated Characters
• Password Spaces Allowed
• Account Expiration Date
• Time of Day Access

We are unsetting these parameters because we are going to allow ITIM to manage the password policies for this environment, and we do not want a conflict between the two.


8.5 Configure WebSEAL

8.5.1 Configure Forms SSO for the Mantis Application

Forms single sign-on allows WebSEAL to transparently log an authenticated Tivoli Access Manager user into a back-end junctioned application server that requires authentication via an HTML form.

Single sign-on forms authentication supports existing applications that use HTML forms for authentication and cannot be modified to directly trust the authentication performed by WebSEAL. Enabling single sign-on forms authentication produces the following results:

• WebSEAL interrupts the authentication process initiated by the back-end application.
• WebSEAL supplies the data required by the login form and submits the login form on behalf of the user.
• WebSEAL saves and restores all cookies and headers.
• The user is unaware that a second login is taking place.
• The back-end application is unaware that the login form is not coming directly from the user.

WebSEAL must be configured to:

• Recognize and intercept the login form.
• Fill in the appropriate authentication data.

We will enable forms single sign-on for the Mantis application by:

• Creating a configuration file that specifies how the login form is to be recognized, completed, and processed.
• Creating the junction with the -S option, which specifies the location of that configuration file and enables forms single sign-on on the junction.

To enable forms SSO for the Mantis application, do the following on the zeus WebSEAL host.

1. Log on to a shell session on zeus.

2. Create a text file with the following configuration information and save it in the /opt/pdweb/etc directory with the file name fsso.conf.

[forms-sso-login-pages]
login-page-stanza = login-page-one

[login-page-one]
login-page = /mantis/login_page.php
login-form-action = login.php*
gso-resource = mantis
argument-stanza = args-for-login-page-one

[args-for-login-page-one]
username = gso:username
password = gso:password

/opt/pdweb/etc/fsso.conf
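To make the three stanzas concrete, the following Python model is an added example (not WebSEAL or IBM code, and not part of this guide) of how they drive the interception: the [forms-sso-login-pages] stanza names the login-page stanza, login-page identifies the page to watch for, login-form-action picks the form on that page (the trailing * is a wildcard, so login.php and login.php?return=... both match), and the argument stanza maps each form field to a value source, here the user's GSO credential for the mantis resource. The GSO store, the user jdoe, the string: source and the junction-relative request paths are constructed for the example.

```python
"""Model of how WebSEAL applies the fsso.conf stanzas above.

Added example; not WebSEAL or IBM code. It parses the stanza / key = value
layout, decides whether a request is the back-end login page, and assembles the
form fields from a GSO credential lookup. The GSO store, the user jdoe and the
junction-relative request paths are constructed for the example.
"""
import fnmatch
from typing import Dict, Optional, Tuple

# The fsso.conf from section 8.5.1, embedded so the example runs offline.
FSSO_CONF = """\
[forms-sso-login-pages]
login-page-stanza = login-page-one

[login-page-one]
login-page = /mantis/login_page.php
login-form-action = login.php*
gso-resource = mantis
argument-stanza = args-for-login-page-one

[args-for-login-page-one]
username = gso:username
password = gso:password
"""

# Constructed GSO credentials: (Access Manager user, GSO resource) -> (username, password).
GSO_STORE: Dict[Tuple[str, str], Tuple[str, str]] = {
    ("jdoe", "mantis"): ("jdoe_mantis", "example-only-password"),
}


def parse_stanzas(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [stanza] headers and key = value lines into nested dicts."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
        else:
            raise ValueError(f"malformed fsso.conf line: {raw!r}")
    return stanzas


def resolve_argument(source: str, am_user: str, resource: str) -> str:
    """Turn an argument source such as gso:username or string:literal into a form value."""
    kind, _, ref = source.partition(":")
    if kind == "gso":
        cred = GSO_STORE.get((am_user, resource))
        if cred is None:
            raise LookupError(f"{am_user} has no GSO credential for resource {resource}")
        if ref == "username":
            return cred[0]
        if ref == "password":
            return cred[1]
        raise ValueError(f"unknown GSO field: {ref}")
    if kind == "string":                  # literal value taken straight from the config
        return ref
    raise ValueError(f"unsupported argument source: {source}")


def build_login_form(conf: Dict[str, Dict[str, str]], am_user: str,
                     request_path: str, form_action: str) -> Optional[Dict[str, str]]:
    """Fields WebSEAL would post on the user's behalf, or None if this is not an FSSO login page.

    request_path is the path below the junction point (/apache), e.g. /mantis/login_page.php.
    """
    top = conf.get("forms-sso-login-pages", {})
    for stanza_name in top.get("login-page-stanza", "").split():
        page = conf[stanza_name]
        if not fnmatch.fnmatchcase(request_path, page["login-page"]):
            continue                      # not the login page this stanza describes
        if not fnmatch.fnmatchcase(form_action, page["login-form-action"]):
            continue                      # a different form on the same page is left alone
        args = conf[page["argument-stanza"]]
        resource = page["gso-resource"]
        return {field: resolve_argument(src, am_user, resource) for field, src in args.items()}
    return None


if __name__ == "__main__":
    conf = parse_stanzas(FSSO_CONF)
    print(build_login_form(conf, "jdoe", "/mantis/login_page.php", "login.php"))
    print(build_login_form(conf, "jdoe", "/mantis/view_all_bug_page.php", "login.php"))  # None
```

The LookupError branch corresponds to the case where an Access Manager user has no GSO credential for the mantis resource yet; that is what section 9 addresses by having ITIM provision the GSO credentials, and it is the first thing to check when forms SSO appears not to fire for one user.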

8.5.2 Create the WebSEAL Junction


2. Type pdadmin and log in as sec_master with a password of object00.

3. Enter the command server list to verify the WebSEAL instance name. In this example default-webseald-zeus.lcblanton-int.local is the default WebSEAL instance name.

4. Enter the following command to create the junction. Note the use of the -S option to create the junction using the fsso.conf file.

server task [webseal-instance-name] create -t tcp -h zeus -P 8080 -S /opt/pdweb/etc/fsso.conf /apache

Replace [webseal-instance-name] with the default WebSEAL instance name determined in step 3.


9 Configure IBM Tivoli Identity Manager

9.1 Initial Configuration

In this section, we will configure Identity Manager with the necessary objects to provision user accounts in the environment.

To complete these tasks, log on to the ITIM Web interface by pointing your Internet Explorer browser to the following URL:

http://tivoli2/enrole

Log on with the following user name and password:

Username ITIM Manager

Password secret

You will initially be presented with a change password screen. Change the password for the ‘ITIM Manager’ account to object00 and submit the change.


9.2 Create Organizational Roles

An organizational role is a method of classifying users based on their role in the organization. For instance, a company may create organizational roles for the various functions that exist within each department. Depending on the nature of the organization and the complexity of the organization tree, several organizational roles can be created to suit the needs of the organization. Placing a user in an organizational role authorizes the user to have access to certain resources in the organization.

For this example, we will create two organizational roles within ITIM:

Auto_Provisioned_Users: When created as a person in ITIM, users belonging to this role will be automatically provisioned with user accounts with no intervention by the administrator.

Manual_Provisioned_Users: When created as a person in ITIM, users belonging to this role must have each account manually provisioned by an administrator.

9.2.1 Create the Two Organizational Roles

To create the Auto_Provisioned_Users Organizational Role, follow these steps:

1. Log on to the ITIM Web interface as the ITIM Manager.

2. Click the My Organization tab.

3. Click the IBM Tivoli WW Education entry in the organization chart, and click Manage Organizational Roles on the left toolbar, then click Add to add a new organizational role.


4. Choose a Static type of role to add and click Continue.

5. Enter the name Auto_Provisioned_Users as the name and a short description for the role, and then click Submit.

6. Following the same process as above, create the static organizational role


9.3 Create Services

A service represents a resource that a user can subscribe to which provides a needed function to that user.

Before services can be added to IBM Tivoli Identity Manager, a service profile must be installed so the agents are recognized. A service profile is a generic description of a particular type of agent. It describes how that agent works, the attributes it supports, provides service and account forms, and so on.

In this section we will install both the Access Manager Agent profile, and the Access Manager GSO Agent profile. We will then define both agents that we installed on tivoli1 as services to ITIM.

9.3.1 Download and Install the Certificate Authority Certificate

We must install the CA Certificate from the certificate authority that we used to create the private certificates for each agent. This will ensure that the ITIM server can complete SSL communications with each of the agents.

1. On the ITIM server tivoli2, open Internet Explorer to the following URL:

http://tivoli1:8080/certsrv

2. Choose Request the CA certificate or certificate revocation list and click Next.

3. Choose the current CA Certificate, choose DER encoded, and click Download CA certificate.


4. When prompted with the File Download pop-up, choose to Save the file in the directory c:\itim45\cert with the filename of ca.cer.

5. Verify the certificate was saved in this directory.

6. This completes the installation of the CA Certificate.

9.3.2 Install the Agent Profiles

We will be executing these instructions on the ITIM Server tivoli2.

1. Locate the ZIP file for the Access Manager ITIM agent.

2. Unzip the agent ZIP file into a temporary directory.

3. To run the Access Manager Agent Profile installation, double-click tam4profile.exe in


4. Click Next at the welcome screen, then enter c:\itim45 as the ITIM installation directory and click Next.

5. Click Next at the installation summary screen to install the Access Manager Agent profile.

6. In the same folder that you unzipped the Agent installation files into, change directory to the TAM41-GSO-Win-4.5.2 directory and double-click tamgsoprofile.exe to install the GSO Agent profile.

7. Use the same installation instructions as the tam4agent profile installation to complete the GSO agent installation.

8. Restart the ITIM server to allow for the profile installation changes to take effect.

9.3.3 Define the Access Manager Agent Service

1. To complete these tasks, log on to the ITIM Web interface by pointing your Internet Explorer browser to the following URL:

http://tivoli2/enrole

2. Log on as the ITIM Manager with a password of object00.

3. Click the Provisioning tab at the top, and click the Manage Services icon on the left toolbar. Then click Add.


4. Choose the TAM4Profile type and click Continue.

5. Enter the following parameters to add the service. Do not submit yet.

Service Name: tivoli1_tameb
  The arbitrary name of the service we are going to create.

URL: https://tivoli1:45580
  The URL and port that the service is listening on.

User Id: tam4agent
  The user ID that ITIM will use to connect to the agent. This was specified when we configured the agent.

Password: tam4agent
  The password that ITIM will use to connect to the agent. This was specified when we configured the agent.

CA certificate store location: c:\itim45\cert
  Where the certificate for the certificate authority is stored.

Add account: Import or Create user entry
  When adding accounts, we can import from TAMeb or we can create the user entry in TAMeb.

Leave user entry in registry when delete account: unchecked
  When deleting a person in ITIM, we also want to delete the corresponding TAMeb account.

Certificate file location: leave blank
  If we were setting up two-way SSL we would specify this parameter. We are not using two-way SSL in this example.

Private key file location: leave blank
  If we were setting up two-way SSL we would specify this parameter. We are not using two-way SSL in this example.
