IBM Tivoli Identity Manager
Tivoli Access Manager Agent for Windows Installation Guide
Version 4.5.0
SC32-1165-03
Note:
Before using this information and the product it supports, read the information in Appendix C, “Notices”, on page 43.
First Edition (August 2003)
This edition applies to version 4.5.0 of this agent and to all subsequent releases and modifications until otherwise indicated in new editions.
© Copyright International Business Machines Corporation 2003. All rights reserved.
Contents
Preface . . . v
Who should read this book . . . v
Publications . . . v
Tivoli Identity Manager Agent library . . . v
Related publications . . . v
Accessing publications online . . . vi
Accessibility . . . vi
Contacting software support . . . vi
Conventions used in this book . . . vi
Chapter 1. Overview . . . 1
Basic Installation . . . 1
Chapter Descriptions . . . 1
Chapter 2. Agent Installation . . . 3
Requirements . . . 3
Information Worksheet . . . 3
Step 1: Installing the Agent . . . 4
Step 2: Activating the Agent as a Service . . . . 4
Step 3: Configuring the Agent . . . 4
Step 4: Installing the Agent’s Certificate . . . . 4
Step 5: Installing the Agent’s Profile . . . 4
Step 6: Configuring the Agent for Event Notification . . . 4
Step 7: Configuring the Agent’s Forms. . . 4
Step 1: Installing the Agent . . . 4
Step 2: Activating the Agent as a Service . . . 6
Step 3: Configuring the Agent . . . 6
Step 4: Installing the Agent’s Certificate . . . 6
Step 5: Installing the Agent’s Profile . . . 6
Step 6: Configuring the Agent for Event Notification . . . 7
Step 7: Configuring the Agent’s Forms . . . 7
Chapter 3. Agent Profile Installation. . . 9
Requirements . . . 9
Installing the Agent Profile . . . 9
Verifying the Agent Profile is Installed . . . 10
Chapter 4. Agent Parameters Modification . . . 13
Accessing the Agent Configuration Tool Main Menu . . . 13
Viewing Configuration Settings . . . 14
Changing Protocol Configuration Settings . . . . 14
Adding a Protocol . . . 15
Removing a Protocol . . . 15
Configuring a Protocol . . . 15
Setting Event Notification . . . 17
Setting Attributes to be Reconciled . . . 19
Modifying an Event Notification Context . . . 20
Changing the Configuration Key . . . 21
Changing Activity Logging Settings . . . 22
Changing Registry Settings . . . 24
Modifying Non-encrypted Registry Settings . . 24
Multi-instance Settings . . . 24
Changing Advanced Settings . . . 25
Viewing Statistics . . . 26
Accessing Help and Additional Options . . . 26
Chapter 5. Certificate Installation . . . 29
Overview of SSL and Digital Certificates . . . . 29
Basic Configuration for Server-to-Agent SSL . . 30
Clustered Tivoli Identity Manager Configuration . . . 30
Accessing the Certificate Configuration Tool Main Menu . . . 30
Generating a Private Key and Certificate Request. . 32
Example of Certificate Request Script . . . 33
Example of request.pem File. . . 33
Installing the Certificate from a File . . . 34
Installing the Certificate and Key from a PKCS12 File . . . 34
Viewing Installed Certificates . . . 34
Viewing CA Certificates . . . 34
Installing a CA Certificate . . . 35
Deleting a CA Certificate . . . 35
Viewing Registered Certificates . . . 35
Registering a Certificate . . . 35
Unregistering a Certificate . . . 36
Appendix A. Agent Variables . . . 37
Variable Descriptions . . . 37
Variables by Tivoli Access Manager Agent Actions . . . 38
System Login Add . . . 38
System Login Change . . . 38
System Login Delete . . . 39
System Login Suspend . . . 39
System Login Restore . . . 39
Reconciliation . . . 39
Appendix B. Additional Installation Options . . . 41
Installation Options. . . 41
Batch File Option . . . 41
Console Option . . . 41
Setup Arguments . . . 41
Agent Removal . . . 41
Appendix C. Notices . . . 43
Trademarks . . . 44
Index . . . 47
© Copyright IBM Corp. 2003 iii
Preface
The IBM® Tivoli® Identity Manager Tivoli Access Manager v4.1 Agent for Windows® (Tivoli Access Manager Agent) enables connectivity between the IBM Tivoli Identity Manager Server and a network of systems running the Tivoli Access Manager database. After the agent is installed and prepared, Tivoli Identity Manager manages access to Windows NT® or Windows 2000 non-Active Directory resources with your site’s security system. This manual describes how to install and prepare a Tivoli Access Manager Agent.
Who should read this book
This manual is intended for security administrators responsible for installing software on their site’s computer systems. Readers are expected to understand security administration concepts. The person completing the installation procedure should also be familiar with their site’s system standards. Readers should be able to perform routine security administration tasks.
Publications
Read the descriptions of the Tivoli Identity Manager library, and the related publications to determine which publications you might find helpful. After you determine the publications you need, refer to the instructions for accessing publications online.
Tivoli Identity Manager Agent library
The publications in the Tivoli Identity Manager Agent library are:
v Online user assistance for Tivoli Identity Manager
Provides integrated online help topics for all Tivoli Identity Manager administrative tasks.
v Tivoli Identity Manager Policy and Organization Administration Guide
Provides topics for Tivoli Identity Manager administrative tasks.
v Tivoli Identity Manager Server Configuration Guide
Provides configuration information for single-server and cluster Tivoli Identity Manager configurations.
Related publications
Information related to Tivoli Identity Manager is available in the following publications:
v The Tivoli Software Library provides a variety of Tivoli publications such as white papers, datasheets, demonstrations, redbooks, and announcement letters.
The Tivoli Software Library is available on the Web at:
http://www.ibm.com/software/tivoli/library/
v The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available, in English only from the Glossary link on the left side of the Tivoli Software Library Web page:
http://www.ibm.com/software/tivoli/library
Accessing publications online
The IBM publications for this product are available online in Portable Document Format (PDF) or Hypertext Markup Language (HTML) format, or both at the Tivoli Software Library:
http://www.ibm.com/software/tivoli/library
To locate product publications in the library, click the Product manuals link on the left side of the Library page. Then, locate and click the name of the product on the Tivoli Software Information Center page.
Product publications include release notes, installation guides, user’s guides, administrator’s guides, and developer’s references.
Note: To ensure proper printing of PDF publications, select the Fit to page check box in the Adobe Acrobat Print window (which is available when you click File → Print).
Accessibility
The product documentation includes the following features to aid accessibility:
v Documentation is available in both HTML and convertible PDF formats to give the maximum opportunity for users to apply screen-reader software.
v All images in the documentation are provided with alternative text so that users with vision impairments can understand the contents of the images.
Contacting software support
Before contacting IBM Tivoli Software support with a problem, refer to the IBM Tivoli Software support Web site at:
http://www.ibm.com/software/sysmgmt/products/support/
If you need additional help, contact software support using the methods described in the IBM Software Support Guide at the following Web site:
http://techsupport.services.ibm.com/guides/handbook.html
This guide provides the following information:
v Registration and eligibility requirements for receiving support
v Telephone numbers and e-mail addresses, depending on the country in which you are located
v A list of information you should gather before contacting customer support
Conventions used in this book
This reference uses several conventions for special terms and actions and for operating system-dependent commands and paths.
The following typeface conventions are used in this book:
Bold
Bold text indicates selectable window buttons, field entries, and commands appearing in this manual except from within examples or the contents of files.
Monospace
Text in monospace type indicates the contents of files or the output from commands.
italic
Italic text indicates context-specific values such as:
v path names
v file names
v user names
v group names
v system parameters
v environment variables
Chapter 1. Overview
This installation guide provides all of the basic information necessary to install and configure the Tivoli Access Manager Agent components. This chapter provides a simple overview of the installation process and a brief overview of the information in each chapter.
Basic Installation
The following lists the basic procedures necessary to install, configure, and run the agent:
v Install the agent software.
v Activate the Tivoli Access Manager Agent as a service on the agent’s system.
v Configure the agent’s communication protocols to enable the Tivoli Access Manager Agent to communicate with the Tivoli Identity Manager Server.
v Install the agent’s profile on the Tivoli Identity Manager Server.
v Configure the Tivoli Identity Manager Server to recognize the agent as a service.
Chapter Descriptions
The Tivoli Access Manager Agent Installation Guide contains information pertinent to the proper installation and configuration of the Tivoli Access Manager Agent in the following chapters and appendices:
Chapter 1, “Overview” Provides an overview of this document and the basic procedures necessary to install and configure this agent.
Chapter 2, “Agent Installation”
Contains detailed information about installing the agent. This chapter also contains additional steps required to configure the agent properly.
Chapter 3, “Agent Profile Installation”
Contains detailed information about installing the agent’s profile on the Tivoli Identity Manager Server. Installing the agent’s profile on the Tivoli Identity Manager Server allows the Tivoli Identity Manager Server to recognize the agent. If the agent profile is not installed on the Tivoli Identity Manager Server, the Tivoli Identity Manager Server will not be able to manage access to the Windows NT servers.
Chapter 4, “Agent Parameters Modification”
Contains information about using the agentCfg tool. The agentCfg tool provides an easy way to configure various properties specific to the agent, such as communication protocols, logging settings, and so on.
Chapter 5, “Certificate Installation”
Contains information about using the CertTool tool. The CertTool tool provides an easy way to request, install, and register certificates for use with the agent.
Appendix A, “Agent Variables”
Contains information about the agent variables.
Appendix B, “Additional Installation Options”
Contains additional installation options information and information about uninstalling the agent.
Appendix C, “Notices” Contains legal notices for this agent.
Chapter 2. Agent Installation
This chapter describes the procedure to install and configure the Tivoli Access Manager Agent software. Each step includes a short procedure that completes one aspect of the overall agent installation process. You must complete the steps in the order they are listed.
Requirements
The following table identifies hardware, software, and authorization requirements to install the Tivoli Access Manager Agent. Verify that all of the requirements have been met before installing the Tivoli Access Manager Agent.
Table 1. Requirements to install the agent
System
The agent must be installed on a server with a 32-bit x86-based microprocessor (486 minimum), at least 256 MB of memory, and at least 300 MB of free disk space.
Operating System
Windows NT 4.0 with SP6 or Windows 2000 workstation with SP2.
Tivoli Access Manager Software
Tivoli Access Manager Run-time Environment must be installed and operational on the system where the agent is installed.
The Tivoli Access Manager run-time environment requires that an LDAP client be installed on the application deployment system.
Note: The Tivoli Access Manager run-time environment installation enforces installation of the required software.
For installation instructions, see the Tivoli Access Manager Base Installation Guide for your operating system.
Tivoli Access Manager Client
Tivoli Access Manager LDAP and GSKit version 4.1 must be installed and operational on the system where the agent is installed.
Network Connectivity
The agent must be installed on a system that can communicate with the Tivoli Identity Manager Server through a TCP/IP network.
System Administrator Authority
The person completing the Tivoli Access Manager Agent installation procedure must have system administrator authority to complete the steps in this chapter.
Server Communication
Communication between the Tivoli Identity Manager Server and the Tivoli Access Manager Agent should be tested with a low-level communication ping before installing any IBM® software. This makes troubleshooting easier if you encounter installation problems.
Information Worksheet
Use the following worksheet to document information required to install and configure the Tivoli Access Manager Agent. Complete this worksheet before starting the installation procedure. The worksheet includes default values supplied by IBM and identifies the information you need to modify during installation.
Make a copy of the worksheet for each server where you are installing the Tivoli Access Manager Agent. For example, if you have five Windows servers where you are installing the Tivoli Access Manager Agent, you need five copies of the worksheet.
Step 1: Installing the Agent
The Tivoli Identity Manager Tivoli Access Manager Agent installation files are available for download from IBM’s Web site. Contact your IBM account representative for the Web address and download instructions.
Install the Tivoli Access Manager Agent using the provided executable installation program. The Tivoli Access Manager Agent default destination directory is the C:\Tivoli\Agents\TAM4Agent directory. For more information, see “Step 1: Installing the Agent” on page 4.
You will need the following information:
v Tivoli Access Manager v4.1 Agent administrator account ID
v Tivoli Access Manager v4.1 Agent administrator account password
Step 2: Activating the Agent as a Service
Start the Tivoli Access Manager Agent as a service. For more information, see “Step 2: Activating the Agent as a Service” on page 6.
Step 3: Configuring the Agent
Configure the agent’s communication protocol to use the DAML protocol to communicate with the Tivoli Identity Manager Server. For more information, see “Step 3: Configuring the Agent” on page 6.
Step 4: Installing the Agent’s Certificate
Install the agent’s certificate. This certificate is used by the DAML protocol during communication with the Tivoli Identity Manager Server. For more information, see “Step 4: Installing the Agent’s Certificate” on page 6.
Step 5: Installing the Agent’s Profile
Install the agent’s profile on the Tivoli Identity Manager Server. For more information, see “Step 5: Installing the Agent’s Profile” on page 6.
Step 6: Configuring the Agent for Event Notification
Configure the Tivoli Access Manager Agent for event notification. This step is optional. For more information, see “Step 6: Configuring the Agent for Event Notification” on page 7.
Step 7: Configuring the Agent’s Forms
Configure the agent’s forms on the Tivoli Identity Manager Server. For more information, see “Step 7: Configuring the Agent’s Forms” on page 7.
Step 1: Installing the Agent
An executable installation program is provided for the Tivoli Access Manager Agent. When you run the installation program, you can accept the default settings or select new values.
The Tivoli Identity Manager Tivoli Access Manager Agent installation files are available for download from IBM’s Web site. Contact your IBM account representative for the Web address and download instructions.
To install the agent, do the following:
1. Download the Tivoli Access Manager Agent installation zip file from IBM’s Web site.
2. Extract the contents of the Tivoli Access Manager Agent installation zip file into a temporary directory.
3. Select Run... from the Start menu and type the path to the temporary directory followed by Setup.exe. For example:
C:\Temp\Setup.exe
The Welcome dialog window appears.
4. Click Next.
The License Agreement window opens.
5. Read the license agreement and decide whether to accept its terms. If you do, click Accept.
6. Click Next.
The Select Destination Directory dialog window appears.
7. Accept the default or select an alternate destination path and click Next.
The Install Summary dialog window appears.
8. Click Next.
The Access Manager Account Setup dialog is displayed.
9. Type the Tivoli Access Manager administrator account ID and password in the respective fields and click Next.
Figure 1. Select Destination Directory dialog window: an InstallShield dialog with a Directory Name field (default C:\tivoli\agents\<agentname>) and Browse..., < Back, Next >, and Cancel buttons.
The Tivoli Access Manager v4.1 Agent is installed and a completion dialog is displayed.
10. Click Finish.
Step 2: Activating the Agent as a Service
The Tivoli Access Manager Agent is installed on the Windows NT Server and automatically starts whenever the server is rebooted. However, the service is not active after installation. Select the Tivoli Access Manager Agent service to start the Tivoli Access Manager Agent software on the target platform.
Step 3: Configuring the Agent
The Tivoli Access Manager Agent uses the DAML protocol to ensure secure communication with the Tivoli Identity Manager Server. Default protocol values are provided. However, you must configure the DAML protocol for your site’s systems. Refer to “Changing Protocol Configuration Settings” on page 14 for more information.
Note: A certificate must be installed for the DAML protocol. Refer to Chapter 5, “Certificate Installation”, on page 29 for more information about installing certificates.
Step 4: Installing the Agent’s Certificate
A certificate must also be installed for the DAML protocol. You must obtain a production certificate from a well-known Certificate Authority or create your own certificate using your own Certificate Authority. The Tivoli Access Manager Agent does not come prepackaged with a certificate. Refer to Chapter 5, “Certificate Installation”, on page 29 for more information about installing certificates.
When you install the new certificate, you will also need to install the new Certificate Authority on the Tivoli Identity Manager Server. Refer to the Tivoli Identity Manager Server Configuration Guide for more information.
Note: You must configure the DAML protocol before installing your certificate.
Stop and restart the agent after the certificate is installed.
Step 5: Installing the Agent’s Profile
Before an agent can be added as a service to the Tivoli Identity Manager Server, the server must have a service profile to recognize the agent as a service. See Chapter 3, “Agent Profile Installation”, on page 9 for more information on installing the agent’s profile on the Tivoli Identity Manager Server.
Note: If this is an upgrade of an existing agent, the new agent schema will not be reflected immediately. The Tivoli Identity Manager system stores the agent schema in memory. However, this cache is periodically refreshed, and the new agent schema will be reflected after the cache is refreshed. Reboot the Tivoli Identity Manager system to refresh the agent schema immediately.
Step 6: Configuring the Agent for Event Notification
You can choose to configure event notification for agents configured to use the DAML protocol. Complete this step only if you want to monitor agent attributes for changes that will trigger event notifications.
Note: This step is optional. The agent can accept requests from the Tivoli Identity Manager Server whether you configure event notification or not.
To do this, identify the Tivoli Identity Manager Server.
1. Select Configure Protocol from the Agent Protocol Configuration Menu.
For more information, see “Changing Protocol Configuration Settings” on page 14.
2. Select DAML as the protocol to configure.
3. Select SRV_NODENAME.
4. Specify the IP address or fully-qualified hostname that identifies the Tivoli Identity Manager Server and press Enter.
The Protocol Properties menu reappears and displays your new settings.
5. Select SRV_PORTNUMBER.
6. Specify the port number the Tivoli Identity Manager Server uses to connect to the agent and press Enter.
The Protocol Properties menu reappears and displays your new settings.
7. Select SRV_USERNAME.
8. Specify the username the Tivoli Identity Manager Server uses to connect to the agent and press Enter.
The Protocol Properties menu reappears and displays your new settings.
9. Select SRV_PASSWORD.
10. Specify the password for the username the Tivoli Identity Manager Server uses to connect to the agent and press Enter.
The Protocol Properties menu reappears and displays your new settings.
Step 7: Configuring the Agent’s Forms
Configure the agent’s service maintenance and account maintenance forms on the Tivoli Identity Manager Server. Refer to the Tivoli Identity Manager Policy and Organization Administration Guide for more information.
Chapter 3. Agent Profile Installation
Before an agent can be added as a service to the Tivoli Identity Manager Server, the server must have a service profile to recognize the agent as a service. The Tivoli Access Manager Agent comes with a second installation script that installs the agent’s profile on the Tivoli Identity Manager Server as a service profile.
This chapter describes the procedure to install and configure the Tivoli Access Manager Agent profile on the Tivoli Identity Manager Server. Each step includes a short procedure that completes one aspect of the overall profile installation process.
You must complete the steps in the order they are listed.
Notes:
1. If you intend to install multiple agent profiles on the Tivoli Identity Manager Server, it is important that you install them one at a time. You must wait for a single profile installation to complete before starting the next profile installation.
2. If you are upgrading the agent software, you must also upgrade the agent profile on the Tivoli Identity Manager Server.
3. In a WebLogic Application Server cluster, the agent profile must be installed on every managed server. If the agent profile is not installed on every member of the cluster, the managed server that did not have the agent profile installed will not recognize the agent as a service if the other managed servers become unavailable.
4. In a WebSphere Application Server cluster, you should install the agent profile on the computer on which Network Deployment Manager is installed, although the agent profile can be installed on any server in the cluster. The profile information is pushed into the directory and becomes available to all cluster members.
Requirements
The following table identifies hardware, software, and authorization requirements to install the Tivoli Access Manager Agent profile on the Tivoli Identity Manager Server. Verify that all the requirements have been met before installing the Tivoli Access Manager Agent profile.
Table 2. Requirements before installing an agent profile
Server
The Tivoli Identity Manager Server must be installed and running before the agent’s profile can be installed.
System Administrator Authority
The person completing the Tivoli Access Manager Agent profile installation must have root access to the Tivoli Identity Manager Server to complete the procedures in this chapter.
Installing the Agent Profile
1. Log in to the Tivoli Identity Manager Server as root.
2. Download the Tivoli Access Manager Agent installation zip file from IBM’s Web site and extract the contents of the zip file into a temporary directory.
Note: Contact your IBM account representative for the Web address and download instructions for agent installation files.
3. Complete one of the following:
v For a Tivoli Identity Manager Server installed on a UNIX® platform:
– Change the working directory to the temporary directory where you extracted the agent installation files.
# cd /tmp
where tmp is the path of the directory containing the agent installation files.
– Run the Tivoli Access Manager Agent profile installation script that is appropriate for your operating system.
# ./tam4profile_<operating system>.bin
where <operating system> is the name of your operating system, such as aix, solaris, or hpxxxx.
A graphical user interface appears.
v For Tivoli Identity Manager Servers installed on Windows:
Select Run... from the Start menu, type the path to the temporary directory where you extracted the agent installation followed by tam4profile.exe. For example:
C:\temp\tam4profile.exe
The Welcome dialog window appears.
4. Click Next.
The Select Tivoli Identity Manager Home Directory screen appears.
5. Type the Tivoli Identity Manager Server home directory in the text field and click Next. You can also select the directory by clicking Browse... and browsing to the correct directory.
You must install the agent profile in the same home directory in which the Tivoli Identity Manager Server is installed.
Note: If the installation program cannot determine whether the Tivoli Identity Manager Server home directory that you entered is correct, the ITIM Not Found dialog window is displayed.
The Install Summary dialog window appears.
6. Click Next.
The Installation Progress dialog window appears.
Upon successful installation, the Applying Schema Updates window appears, and any schema updates will be applied.
The Install Complete dialog window appears after installation is complete.
7. Click Finish to conclude the installation process.
Verifying the Agent Profile is Installed
To ensure that the agent profile installed correctly, navigate to the directory where agent profile files are installed. If the agent profile installation was successful, an agent profile directory will be created in the remote_resources folder. Examples are provided below:
For Windows:
C:\itim\data\remote_resources\nt40profile\
For UNIX:
/itim/data/remote_resources/nt40profile/
Chapter 4. Agent Parameters Modification
This chapter describes how to use agentCfg, the provided agent configuration program, to view or modify Tivoli Access Manager Agent parameters. All modifications made to settings with this tool take effect immediately.
Accessing the Agent Configuration Tool Main Menu
The following procedure describes how to access the main menu of the agentCfg tool for Tivoli Access Manager Agent parameters.
1. Select Programs from the Start menu, select Accessories, and then select Command Prompt.
The DOS Command Prompt window appears.
2. Change to the agent’s bin directory.
Type the following, if the Tivoli Access Manager Agent directory is in the default location:
cd \Tivoli\Agents\TAM4Agent\bin
3. Type agentCfg -agent TAM4Agent at the prompt.
Enter configuration key for Agent ’TAM4Agent’:
You can also use agentCfg to view or change configuration settings from a remote computer. See the table in “Accessing Help and Additional Options” on page 26 for procedures on using the -hostname argument.
4. Type the configuration key for the Tivoli Access Manager Agent.
The default configuration key is agent. See “Changing Protocol Configuration Settings” on page 14 for procedures to change the configuration key.
The Main Configuration menu appears.
TAM4Agent 4.5.0 Agent Main Configuration Menu
---
A. Configuration Settings.
B. Protocol Configuration.
C. Event Notification.
D. Change Configuration Key.
E. Activity Logging.
F. Registry Settings.
G. Advanced Settings.
H. Statistics.
X. Done
Select menu option:
This chapter includes a section for each of the following main functions:
v For option A, see “Viewing Configuration Settings” on page 14
v For option B, see “Changing Protocol Configuration Settings” on page 14
v For option C, see “Setting Event Notification” on page 17
v For option D, see “Changing the Configuration Key” on page 21
v For option E, see “Changing Activity Logging Settings” on page 22
v For option F, see “Changing Registry Settings” on page 24
v For option G, see “Changing Advanced Settings” on page 25
v For option H, see “Viewing Statistics” on page 26
Viewing Configuration Settings
The following procedure describes how to view the Tivoli Access Manager Agent configuration settings.
1. Type option A (Configuration Settings) at the main menu prompt.
The configuration settings for the Tivoli Access Manager Agent appear. The following is a sample of the Tivoli Access Manager Agent configuration settings.
Configuration Settings
---
Name : TAM4Agent
Version : 4.5.0
ADK Version : 4.27
ERM Version : 4.27
enRole Version : 4.0
License : NONE
Asynchronous ADD Requests : TRUE (Max.Threads:3)
Asynchronous MOD Requests : TRUE (Max.Threads:3)
Asynchronous DEL Requests : TRUE (Max.Threads:3)
Asynchronous SEA Requests : TRUE (Max.Threads:3)
Available Protocols : DAML, FTP
Configured Protocols : DAML
Logging Enabled : TRUE
Logging Directory : C:\Tivoli\Agents\TAM4Agent\Log
Log File Name : TAM4Agent.log
Max. log files : 3
Max.log file size (Mbytes) : 1
Debug Logging Enabled : TRUE
Detail Logging Enabled : FALSE
Press any key to continue
2. Press any key to return to the main menu.
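The Configuration Settings screen above and the DAML Protocol Properties screen shown under “Configuring a Protocol” later in this chapter are plain text, so their values can be captured from an agentCfg session and reviewed mechanically. The following Python script is an added example, not code from this manual or from the agent, and agentCfg itself has no such audit option: it parses both screens and flags the settings a security reviewer checks before the agent goes into production (FTP configured, activity logging off, debug logging left on, and VALIDATE_CLIENT_CE not set to TRUE). The two sample screens are constructed from the values shown in this chapter; the severities and the advice text are the example’s own.

```python
"""Audit agentCfg screens for settings a security reviewer should check.

Added example; not part of the IBM manual, and agentCfg has no such audit
function. It parses the plain-text 'Configuration Settings' screen
(option A) and the 'DAML Protocol Properties' screen (option C) as this
chapter shows them, and flags settings that weaken the agent's security.
"""
import re

# Constructed sample of the Configuration Settings screen (option A),
# using the values the chapter shows.
CONFIG_SCREEN = """\
Configuration Settings
------------------------
Name : TAM4Agent
Version : 4.5.0
ADK Version : 4.27
License : NONE
Asynchronous ADD Requests : TRUE (Max.Threads:3)
Available Protocols : DAML, FTP
Configured Protocols : DAML
Logging Enabled : TRUE
Logging Directory : C:\\Tivoli\\Agents\\TAM4Agent\\Log
Log File Name : TAM4Agent.log
Max. log files : 3
Max.log file size (Mbytes) : 1
Debug Logging Enabled : TRUE
Detail Logging Enabled : FALSE
Press any key to continue
"""

# Constructed sample of the DAML Protocol Properties screen (option C).
DAML_SCREEN = """\
DAML Protocol Properties
------------------------
A. PORTNUMBER 45580 ;Protocol Server port number.
B. USERNAME ****** ;Authorized user name.
C. PASSWORD ****** ;Authorized user password.
D. SRV_NODENAME 192.168.6.40 ;Event Notif. Server name.
E. SRV_PORTNUMBER 443 ;Event Notif. Server port number.
F. SRV_USERNAME ****** ;Event Notif. user name.
G. SRV_PASSWORD ****** ;Event Notif. Server password.
H. VALIDATE_CLIENT_CE FALSE ;Require client certificate.
X. Done
Select menu option:
"""

# Lettered property line: "A. KEY VALUE ;comment".  "X. Done" has no value
# after its key and therefore does not match.
PROPERTY_RE = re.compile(r"^[A-Z]\.\s+(?P<key>\S+)\s+(?P<value>\S+)(?:\s*;.*)?$")


def parse_settings_screen(text):
    """Return {name: value} from the 'Name : Value' lines of option A.

    Only the first colon splits name from value, so a Windows path such as
    C:\\Tivoli\\... keeps its drive letter.  Title, rule and 'Press any key'
    lines contain no colon and are skipped.
    """
    settings = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip():
            settings[name.strip()] = value.strip()
    return settings


def parse_property_screen(text):
    """Return {KEY: value} from the lettered lines of a Protocol Properties screen."""
    props = {}
    for line in text.splitlines():
        match = PROPERTY_RE.match(line.strip())
        if match:
            props[match.group("key")] = match.group("value")
    return props


def audit(settings, daml):
    """Return (severity, setting, advice) findings for the parsed screens.

    The checks and severities are this example's own review checklist.
    """
    findings = []
    configured = {p.strip().upper() for p in settings.get("Configured Protocols", "").split(",")}
    if "FTP" in configured:
        findings.append(("HIGH", "Configured Protocols",
                         "FTP is configured; it carries credentials and data in clear text. "
                         "Use DAML, which the agent secures with a certificate."))
    if settings.get("Logging Enabled", "").upper() != "TRUE":
        findings.append(("MEDIUM", "Logging Enabled",
                         "Activity logging is off, so there is no audit trail of server requests."))
    if settings.get("Debug Logging Enabled", "").upper() == "TRUE":
        findings.append(("LOW", "Debug Logging Enabled",
                         "Debug logging is verbose; turn it off once the installation is verified."))
    if daml.get("VALIDATE_CLIENT_CE", "").upper() != "TRUE":
        findings.append(("HIGH", "VALIDATE_CLIENT_CE",
                         "The agent does not require a client certificate, so the DAML "
                         "USERNAME/PASSWORD alone authenticate the server to the agent."))
    return findings


def audit_screens(config_text, daml_text):
    """Parse both screens and audit them in one call."""
    return audit(parse_settings_screen(config_text), parse_property_screen(daml_text))


if __name__ == "__main__":
    for severity, setting, advice in audit_screens(CONFIG_SCREEN, DAML_SCREEN):
        print(f"[{severity}] {setting}: {advice}")
```

Paste the two screens from your own agentCfg session into the constants and run the script; it prints one line per finding, and an empty result means the checked settings are at their recommended values.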
Changing Protocol Configuration Settings
The agent can communicate with the Tivoli Identity Manager Server using DAML or FTP. By default, agents are configured to use DAML as the communication protocol. Procedures provided in this section contain instructions for modifying DAML protocol configuration settings. Configuring the agent to use FTP requires additional configuration not provided in this section.
The following procedure describes how to change the Tivoli Access Manager Agent protocol configuration settings. This section also describes the purpose of the provided functions.
1. Type B (Protocol Configuration) at the main menu prompt.
The Protocol Configuration menu appears. The configured and available protocols for your server display above the menu options. The DAML protocol is configured and available by default for the Tivoli Access Manager Agent.
Agent Protocol Configuration Menu
---
Available Protocols: DAML, FTP
Configured Protocols: DAML
A. Add Protocol.
B. Remove Protocol.
C. Configure Protocol.
X. Done
Select menu option
2. See the following procedure that corresponds with the option that you want to select:
v For option A, see “Adding a Protocol”
v For option B, see “Removing a Protocol”
v For option C, see “Configuring a Protocol”
Type X to return to the main menu.
Adding a Protocol
1. Type A (Add Protocol) at the Protocol Configuration menu prompt.
The Add New Protocol menu appears and displays protocols that are available on your server. If there are no protocols to add, the Protocol Configuration menu reappears.
2. Type the menu option letter of the protocol that you want to add.
The Protocol Configuration menu reappears. The protocol that you added appears as a Configured Protocol. See the procedure for “Configuring a Protocol” to modify the default configuration settings for the protocol that you added.
Removing a Protocol
1. Type B (Remove Protocol) at the Protocol Configuration menu prompt.
The Remove Protocol menu appears and displays all protocols that have been added. If there are no protocols to remove, the Protocol Configuration menu reappears.
2. Type the menu option letter of the protocol that you want to remove.
The Protocol Configuration menu reappears and the protocol that you removed is no longer listed as a configured protocol. However, the protocol remains as an available protocol that can be added again.
Configuring a Protocol
1. Type C (Configure Protocol) at the Protocol Configuration menu prompt.
The Configure Protocol menu appears.
2. Type the menu option letter of the protocol that you want to configure.
The Protocol Properties menu for the configured protocol appears with protocol properties.
Note: The properties on your menu may be different from the ones shown.
The following is an example of the DAML protocol properties:
DAML Protocol Properties
---
A. PORTNUMBER 45580 ;Protocol Server port number.
B. USERNAME ****** ;Authorized user name.
C. PASSWORD ****** ;Authorized user password.
D. SRV_NODENAME 192.168.6.40 ;Event Notif. Server name.
E. SRV_PORTNUMBER 443 ;Event Notif. Server port number.
F. SRV_USERNAME ****** ;Event Notif. user name.
G. SRV_PASSWORD ****** ;Event Notif. Server password.
H. VALIDATE_CLIENT_CE FALSE ;Require client certificate.
X. Done
Select menu option:
3. Type the menu option letter of the protocol property that you want to configure.
See the table below for additional information about the menu options for the DAML protocol.
Table 3. Menu options for the DAML protocol
Type this option / To accomplish this

A (PORTNUMBER)
The following prompt appears:
Modify Property ’PORTNUMBER’:
Type a different port number, for example, 7004. This is the port number the Tivoli Identity Manager Server uses to connect to the agent.

B (USERNAME)
The following prompt appears:
Modify Property ’USERNAME’:
Type a username, for example, admin. This is the username the Tivoli Identity Manager Server uses to connect to the agent.

C (PASSWORD)
The following prompt appears:
Modify Property ’PASSWORD’:
Type a password, for example, *******. This is the password for the username the Tivoli Identity Manager Server uses to connect to the agent.

D (SRV_NODENAME)
The following prompt appears:
Modify Property ’SRV_NODENAME’:
Type a server name, for example, 192.168.6.152. This is the DNS name or IP address of the Tivoli Identity Manager Server.

E (SRV_PORTNUMBER)
The following prompt appears:
Modify Property ’SRV_PORTNUMBER’:
Type a different port number to access the Tivoli Identity Manager Server, for example, 7004. This is the port number the agent uses to connect to the Tivoli Identity Manager Server.

F (SRV_USERNAME)
The following prompt appears:
Modify Property ’SRV_USERNAME’:
Type a different username, for example, admin. This is the username the agent uses to connect to the Tivoli Identity Manager Server.

G (SRV_PASSWORD)
The following prompt appears:
Modify Property ’SRV_PASSWORD’:
Type a different password, for example, *****. This is the password for the username the agent uses to connect to the Tivoli Identity Manager Server.

H (VALIDATE_CLIENT_CE)
The following prompt appears:
Modify Property ’VALIDATE_CLIENT_CE’:
Type TRUE to require the Tivoli Identity Manager Server to send a certificate when communicating with the agent.
Type FALSE to allow the Tivoli Identity Manager Server to communicate with the agent without a certificate.
Note: You must configure options D through H of the CertTool if you set this option to TRUE.
4. Change the value and press Enter.
The Protocol Properties menu reappears and displays your new settings.
Note: Press Enter to return to the Protocol Properties menu without modifying the selected value.
Setting Event Notification
The following procedure describes how to set Event Notification for the Tivoli Identity Manager Server. Event Notification updates the Tivoli Identity Manager Server with changes on the agent at set intervals.
Note: The example menu shows all the options displayed when Event Notification is enabled. If Event Notification is disabled, not all of the options are displayed.
1. Type C (Event Notification) at the main menu prompt.
The Event Notification Menu appears.
Event Notification Menu
---
* Reconciliation interval : 1 day(s)
* Next Reconciliation time : 23 hour(s) 56 min(s). 23 sec(s).
* Configured Contexts : Jupiter, dd309
A. Enabled
B. Time interval between reconciliations.
C. Set Processing cache size. (currently: 50 Mbytes)
D. Start event notification now.
E. Set attributes to be reconciled.
F. Reconciliation process priority. (current: 1)
G. Add Event Notification Context.
H. Modify Event Notification Context.
I. Remove Event Notification Context.
J. List Event Notification Contexts.
X. Done
Select menu option:
2. Type the menu option letter of the Event Notification option that you want to change.
Note: Option A must be enabled in order for the values of the other options to take effect.
Table 4. Event notification options
Type this option / To accomplish this

A (Enabled)
If this option is enabled, the agent updates the Tivoli Identity Manager Server with changes to the agent at regular intervals.
When the option is set to:
v disabled, it automatically changes to enabled
v enabled, it automatically changes to disabled

B (Time interval between reconciliations)
The following prompt appears:
Enter new interval ([ww:dd:hh:mm:ss]) [00:01:00:00:00]:
Type a different reconciliation interval.
Press Enter to return to the Event Notification menu without changing the value.

C (Set processing cache size)
The following prompt appears:
Enter new cache size[5]:
Type a different value to change the processing cache size.
Press Enter to return to the Event Notification menu without changing the value.

D (Start event notification now)
If this option is selected, event notification is started.

E (Set attributes to be reconciled)
The Event Notification Entry Types menu appears. See “Setting Attributes to be Reconciled” on page 19 for more information.

F (Reconciliation process priority)
The following prompt appears:
Enter new thread priority [1-10]:
Type a different thread value to change the reconciliation process priority.
Press Enter to return to the Event Notification menu without changing the value.

G (Add Event Notification Context)
The following prompt appears:
Context name :
Type the new context name and press Enter. The new context is added.

H (Modify Event Notification Context)
A menu listing the available contexts appears. See “Modifying an Event Notification Context” on page 20 for more information.

I (Remove Event Notification Context)
The Remove Context menu appears. Select the context to remove and the following prompt appears:
Delete context context1? [no]:
Press Enter to exit without deleting the context, or type Yes and press Enter to delete the context.

J (List Event Notification Contexts)
The Event Notification Contexts are displayed in the following format:
Context Name : Context1
Target DN : erservicename=context1,o=IBM, ou=IBM,dc=com
--- Attributes for search request ---
{search attributes listed}
---
3. Press Enter if you changed the value for option B, C, E or F.
The Event Notification menu reappears and displays your new settings.
Note: The other options are changed automatically when you type the corresponding menu option letter.
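The reconciliation interval entered for option B uses the ww:dd:hh:mm:ss form shown in the prompt, and the menu header shows the countdown to the next run. The following Python is an added example (not code from the agentCfg tool) that parses and validates such a value, converts it back, computes the next run time, and renders the countdown in the menu's own style; the per-field upper bounds and the countdown format are assumptions made for illustration.

```python
"""Parse and render the reconciliation interval used by the Event Notification menu.

Added example; not code from the agentCfg tool. The prompt on the page reads
'Enter new interval ([ww:dd:hh:mm:ss]) [00:01:00:00:00]:', so a value is read
as weeks:days:hours:minutes:seconds. The per-field upper bounds and the
countdown rendering are assumptions for illustration.
"""
import re
from datetime import datetime, timedelta

FIELDS = ("weeks", "days", "hours", "minutes", "seconds")
# Assumed bounds: each field is two digits, and the smaller units must not
# exceed what the next larger unit holds (for example 60 seconds is 1 minute).
LIMITS = {"weeks": 99, "days": 6, "hours": 23, "minutes": 59, "seconds": 59}
_INTERVAL_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2}):(\d{2}):(\d{2})$")


def parse_interval(text: str) -> timedelta:
    """Turn 'ww:dd:hh:mm:ss' into a timedelta, rejecting malformed or zero values."""
    match = _INTERVAL_RE.match(text.strip())
    if not match:
        raise ValueError(f"interval must look like ww:dd:hh:mm:ss, got {text!r}")
    values = dict(zip(FIELDS, (int(g) for g in match.groups())))
    for name, value in values.items():
        if value > LIMITS[name]:
            raise ValueError(f"{name} out of range: {value} (max {LIMITS[name]})")
    delta = timedelta(**values)
    if delta <= timedelta(0):
        raise ValueError("interval must be greater than zero")
    return delta


def is_valid_interval(text: str) -> bool:
    """True when parse_interval would accept the value."""
    try:
        parse_interval(text)
    except ValueError:
        return False
    return True


def format_interval(delta: timedelta) -> str:
    """Inverse of parse_interval, e.g. timedelta(days=1) -> '00:01:00:00:00'."""
    total = int(delta.total_seconds())
    weeks, rest = divmod(total, 7 * 86400)
    days, rest = divmod(rest, 86400)
    hours, rest = divmod(rest, 3600)
    minutes, seconds = divmod(rest, 60)
    return f"{weeks:02d}:{days:02d}:{hours:02d}:{minutes:02d}:{seconds:02d}"


def next_reconciliation(last_run_iso: str, interval: str) -> str:
    """ISO timestamp of the next run, given the last run and the configured interval."""
    return (datetime.fromisoformat(last_run_iso) + parse_interval(interval)).isoformat()


def describe_remaining(now_iso: str, next_run_iso: str) -> str:
    """Countdown in the style of the menu's 'Next Reconciliation time' line."""
    remaining = datetime.fromisoformat(next_run_iso) - datetime.fromisoformat(now_iso)
    total = max(0, int(remaining.total_seconds()))
    hours, rest = divmod(total, 3600)
    minutes, seconds = divmod(rest, 60)
    return f"{hours} hour(s) {minutes} min(s). {seconds} sec(s)."


if __name__ == "__main__":
    # Constructed timestamps chosen so the countdown matches the sample menu above.
    print(format_interval(parse_interval("00:01:00:00:00")))
    print(describe_remaining("2002-11-15T00:03:37", "2002-11-16T00:00:00"))
```

Rejecting a zero interval matters operationally: a value of 00:00:00:00:00 would make the agent reconcile continuously, which is the kind of setting worth catching before it reaches the menu.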
Setting Attributes to be Reconciled
Setting attributes to be reconciled consists of selecting attributes that will trigger event notifications when their values change. Attributes that change frequently (password age or last successful logon, for example) can be omitted.
1. Type E (Set attributes to be reconciled) at the Event Notification Menu.
The Event Notification Entry Types menu appears.
Event Notification Entry Types
---
A. USER
B. GROUP
X. Done
Select menu option:
2. Type A for attributes returned during a user reconciliation or type B for attributes returned during a group reconciliation.
The Event Notification Attribute Listing for the selected reconciliation type appears.
Note: The default setting lists all attributes the agent supports.
Event Notification Attribute Listing
---
(a) ** (b) ** (c) **
(d) ** (e) ** (f) **
(g) ** (h) ** (i) **
(j) ** (k) ** (l) **
(m) ** (o) ** (q) **
(r) ** (s) ** (t) **
(p)rev page 1 of 3 (n)ext
---
X. Done
Select menu option:
3. Type the letter option of the attribute to exclude from an event notification.
Attributes that are marked with asterisks are returned during the event notification. Attributes that are not marked with asterisks are not returned during the event notification.
Modifying an Event Notification Context
1. Type H (Modify Event Notification Context) at the Event Notification menu.
The Modify Context Menu appears.
Modify Context Menu
---
A. Context1
B. Context2
C. Context3
X. Done
Select menu option:
2. Select the desired context.
The Modify Context menu for the selected context appears.
A. Set attributes for search
B. Target DN:
C. Delete Baseline Database
X. Done
Select menu option:
See “Adding Search Attributes for Event Notification” for option A.
See “Configuring the Target DN for Event Notification Contexts” on page 21 for option B.
See “Removing the Baseline Database for Event Notification Contexts” on page 21 for option C.
Adding Search Attributes for Event Notification
1. Type A (Set attributes for search) at the desired context’s Modify Context menu.
The Reconciliation Attribute Passed to Agent menu appears.
Reconciliation Attributes Passed to Agent for Context: Context1
---
A. Add new attribute
B. Modify attribute value
C. Remove attribute
X. Done
Select menu option:
2. Select the desired option and complete the requested information at the prompts.
The Reconciliation Attributes Passed to Agent menu reappears with the changes displayed.
Configuring the Target DN for Event Notification Contexts
1. Type B (Target DN) at the desired context’s Modify Context menu.
The following prompt appears:
Enter Target DN:
2. Type the target DN for the context and press Enter.
The target DN for the event notification context must be in the following format:
erservicename=nameofservice,o=organizationname,ou=tenantname,dc=com
Each element of the DN is defined as follows:
erservicename
Name of the target service used by Tivoli Identity Manager.
o Name of the organization in Tivoli Identity Manager.
ou Name of the tenant in which the organization is located. If Tivoli Identity Manager is an enterprise installation, this is the name of the organization.
dc=com
Root of the directory tree.
The selected context’s Modify Context menu reappears with the new target DN listed.
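A mistyped target DN is only discovered when the next reconciliation fails to find the service, so it is worth checking the value before entering it. The following Python is an added example (not code from the agentCfg tool) that builds a DN in the required form, applies the enterprise rule that ou equals the organization name, and parses a DN back into its parts. Refusing DN special characters inside a component, rather than escaping them, is a conservative assumption, because the page does not say how the tool treats them.

```python
"""Build and check the target DN of an Event Notification context.

Added example; not code from the agentCfg tool. The page requires the shape
erservicename=<service>,o=<organization>,ou=<tenant>,dc=com, with ou equal to
the organization name in an enterprise installation. Rejecting DN special
characters in components (instead of escaping them) is a conservative
assumption, because the page does not say how the tool treats them.
"""
import re
from typing import Optional

# Characters with special meaning in an LDAP DN (RFC 4514); refused outright here.
FORBIDDEN_CHARS = set(',=+"\\<>;#')
_DN_RE = re.compile(
    r"^erservicename=(?P<service>[^,]+),o=(?P<organization>[^,]+),"
    r"ou=(?P<tenant>[^,]+),dc=com$",
    re.IGNORECASE,
)


def _check_component(name: str, value: str) -> None:
    if not value or value != value.strip():
        raise ValueError(f"{name}: must be non-empty with no leading or trailing spaces")
    bad = FORBIDDEN_CHARS & set(value)
    if bad:
        raise ValueError(f"{name}: contains DN special characters {sorted(bad)}")


def build_target_dn(service: str, organization: str, tenant: Optional[str] = None) -> str:
    """Return the context's target DN. In an enterprise installation the tenant
    is the organization, so tenant defaults to organization."""
    tenant = organization if tenant is None else tenant
    for name, value in (("erservicename", service), ("o", organization), ("ou", tenant)):
        _check_component(name, value)
    return f"erservicename={service},o={organization},ou={tenant},dc=com"


def parse_target_dn(dn: str) -> dict:
    """Split a target DN into its parts. Spaces after the commas are tolerated,
    as in the page's sample 'erservicename=context1,o=IBM, ou=IBM,dc=com'."""
    normalized = re.sub(r"\s*,\s*", ",", dn.strip())
    match = _DN_RE.match(normalized)
    if not match:
        raise ValueError(f"not a valid event notification target DN: {dn!r}")
    parts = {key: value.strip() for key, value in match.groupdict().items()}
    for name, value in (("erservicename", parts["service"]),
                        ("o", parts["organization"]),
                        ("ou", parts["tenant"])):
        _check_component(name, value)
    # Enterprise installations use the organization name as the tenant name.
    parts["enterprise"] = parts["organization"] == parts["tenant"]
    return parts


def is_valid_target_dn(dn: str) -> bool:
    """True when parse_target_dn accepts the value."""
    try:
        parse_target_dn(dn)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print(build_target_dn("context1", "IBM"))
    print(parse_target_dn("erservicename=context1,o=IBM, ou=IBM,dc=com"))
```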
Removing the Baseline Database for Event Notification Contexts
This option is only available after a context is created and a reconciliation is run on the context to create a Baseline Database file.
Type C (Delete Baseline Database) at the desired context’s Modify Context menu.
The selected context’s Modify Context menu reappears with the Delete Baseline Database option removed.
Changing the Configuration Key
The following procedure describes how to change the Tivoli Access Manager Agent configuration key. You use this key as a password to access the configuration tool from the selected agent.
1. Type D (Change Configuration Key) at the main menu prompt.
2. Change the value and press Enter.
Enter new configuration key for Agent ’TAM4Agent 4.5.0’:
Press Enter to return to the Main Configuration menu without changing the configuration key. The default configuration key is agent.
Note: Enter a configuration key that you can easily remember.
A message appears:
Configuration key successfully changed.
The configuration program exits and the main prompt reappears.
Changing Activity Logging Settings
The following procedure describes how to change the Tivoli Access Manager Agent activity logging settings. When you enable logging, Tivoli Identity Manager maintains a log file of all transactions in a dated archive log file, TAM4Agent.log.
1. Type E (Activity Logging) at the main menu prompt.
The Agent Activity Logging menu appears. The following sample shows the default activity logging settings.
Agent Activity Logging Menu
---
A. Activity Logging (Enabled).
B. Logging Directory (current: C:\Tivoli\Agents\TAM4Agent\Log).
C. Activity Log File Name (current: TAM4Agent.log).
D. Activity Logging Max. File Size ( 1 mbytes)
E. Activity Logging Max. Files ( 3 )
F. Debug Logging (Enabled).
G. Detail Logging (Disabled).
H. Base Logging (Disabled).
X. Done
Select menu option:
2. Type the menu option letter of the activity logging option that you want to change.
Note: Option A (Activity Logging) must be enabled in order for the values of the other options to take effect.
Table 5. Activity logging options
Type this option / To accomplish this

A (Activity Logging)
Set this option to enabled and Tivoli Identity Manager maintains a log file of all transactions in a dated archive log file.
When the option is set to:
v disabled, it automatically changes to enabled
v enabled, it automatically changes to disabled

B (Logging Directory)
Type a different value for the logging directory, for example, C:\Log. When the logging option is enabled, details about each access request are stored in the logging file that is located in this directory.
Press Enter to return to the Agent Activity Logging menu without changing the value.

C (Activity Log File Name)
Type a different value for the log file name. When the logging option is enabled, details about each access request are stored in the logging file.
Press Enter to return to the Agent Activity Logging menu without changing the value.

D (Activity Logging Max File Size)
Type a new value, for example, 10. The oldest data is archived when the log file reaches the maximum file size. File size is measured in megabytes. Activity log file size can exceed disk capacity.
Press Enter to return to the Agent Activity Logging menu without changing the value.

E (Activity Logging Max Files)
Type a new value up to 100, for example, 5. The agent automatically deletes the oldest activity logs beyond the specified limit.
Press Enter to return to the Agent Activity Logging menu without changing the value.

F (Debug Logging)
If this option is set to enabled, the agent includes the debug statements in the log file of all transactions.
When the option is set to:
v disabled, it automatically changes to enabled
v enabled, it automatically changes to disabled

G (Detail Logging)
If this option is set to enabled, the agent maintains a detailed log file of all transactions.
Note: The detail logging option should be used for diagnostic purposes only. When the detail logging option is on, the application’s performance can be adversely affected.
When the option is set to:
v disabled, it automatically changes to enabled
v enabled, it automatically changes to disabled

H (Base Logging)
If this option is set to enabled, the agent maintains a log file of all transactions in the ADK and library files.
When the option is set to:
v disabled, it automatically changes to enabled
v enabled, it automatically changes to disabled
3. Press Enter if you changed the value for option B, C, D, or E.
The Agent Activity Logging menu reappears and displays your new settings.
Note: The other options are changed automatically when you type the corresponding menu option letter.
Changing Registry Settings
The following procedure describes how to change the Tivoli Access Manager Agent registry settings.
1. Type F (Registry Settings) at the main menu prompt.
The Registry menu appears.
TAM4Agent 4.5.0 Agent Registry Menu
---
A. Modify Non-encrypted registry settings.
B. Modify encrypted registry settings.
C. Multi-instance settings.
X. Done
Select menu option:
2. See the following procedures on modifying registry settings.
Note: There are no encrypted registry settings for this agent.
Modifying Non-encrypted Registry Settings
1. Type A (Modifying Non-encrypted Registry Settings) at the Registry menu prompt.
The Non-encrypted Registry settings menu appears.
Agent Registry Items
---
01. ENROLE_Version ’4.0’
02. ExecTimeout ’6000’
03. ManageHomeDirs ’TRUE’
04. ReconBufferSize ’-1’
05. ReconHomeDirSecurity ’FALSE’
06. ReconLastLogon ’FALSE’
07. ReconLastLogonAllowErrors ’FALSE’
08. WtsEnable ’FALSE’
--- Page 1 of 1
A. Add new attribute
B. Modify attribute value
C. Remove attribute
X. Done
Select menu option:
2. Type one of the following options:
v A) Add new attribute
v B) Modify attribute value
v C) Remove attribute
v X) Done
3. Type the registry item name, and press Enter.
4. Type the registry item value, if you selected option A or B, and press Enter.
The non-encrypted registry settings menu reappears and displays your new setting(s).
Multi-instance Settings
This option allows you to configure multi-instance settings.
Note: This option is only valid if the agent can support multi-instances.
1. Type C (Multi-instance Settings) at the Registry Menu prompt.
The Tivoli Access Manager Agent Instance Class Menu appears.
TAM4Agent 4.5.0 Agent Instance Class Menu
---
A. Select instance class.
X. Done.
2. Type one of the available options.
3. Type the requested information and press Enter.
The Tivoli Access Manager Agent Instance Class Menu reappears and displays your new settings.
Changing Advanced Settings
The following procedure describes how to change the Tivoli Access Manager Agent thread count settings for the following types of requests:
v System Login Add
v System Login Change
v System Login Delete
v Reconciliation
These settings determine the maximum number of requests that the Tivoli Access Manager Agent processes concurrently.
1. Type G (Advanced Settings) at the main menu prompt.
The Advanced Settings menu appears. The following sample shows the default thread count settings.
TAM4Agent 4.5.0 Advanced Settings Menu
---
A. Single Thread Agent (current:TRUE)
B. ADD max. thread count. (current:3)
C. MODIFY max. thread count. (current:3)
D. DELETE max. thread count. (current:3)
E. SEARCH max. thread count. (current:3)
F. Allow User EXEC procedures (current:FALSE)
G. Archive Request Packets (current:FALSE)
H. UTF8 Conversion support (current:TRUE)
I. Pass search filter to agent (current:FALSE)
J. Thread Priority Level (1-10) (current:4)
X. Done
Select menu option:
2. Type the menu option letter of the advanced setting that you want to change.
Note: The UTF8 Conversion support setting must be set to FALSE to support Western European character sets.
Table 6. Advanced settings options
Type this option / To accomplish this

A (Single Thread Agent)
Forces the agent to allow only one request at a time.

B (ADD max. thread count)
Controls how many simultaneous ADD requests can run at one time.

C (MODIFY max. thread count)
Controls how many simultaneous MODIFY requests can run at one time.

D (DELETE max. thread count)
Controls how many simultaneous DELETE requests can run at one time.

E (SEARCH max. thread count)
Controls how many simultaneous SEARCH requests can run at one time.

F (Allow User EXEC procedures)
Determines whether the agent allows pre- and post-exec functions. Enabling this option is a potential security risk. This option is disabled by default.

G (Archive Request Packets)
Instructs the agent to retain copies of the request packets in an archive. This option is specific to the FTP protocol and is used primarily for debugging purposes. By default, request packets are deleted once they have been read unless this option is enabled.

H (UTF8 Conversion support)
This option is no longer used.

I (Pass search filter to agent)
Provides filtering functionality for search requests by issuing a full search to the agent and then filtering the objects as they are pipelined back to the server.
Currently, this agent does not support processing filters directly. This option should always be FALSE.

J (Thread Priority Level (1-10))
Sets the thread priority level for the agent.
3. Change the value and press Enter.
The Advanced Settings menu reappears and displays your new settings.
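The thread-count options above are hard ceilings on how many requests of one type the agent works on at once, and Single Thread Agent overrides all of them with a single slot. The following Python is an added example (not the agent's own code) that models those settings with one semaphore per request type and records the highest concurrency actually reached, so the effect of a given setting can be checked; the request handler and the workload are constructed stand-ins for real provisioning requests.

```python
"""Per-request-type concurrency limits, modelled on the Advanced Settings menu.

Added example; not the agent's own code. It models the ADD/MODIFY/DELETE/
SEARCH "max. thread count" values and the "Single Thread Agent" switch with
one semaphore per request type, and records the highest concurrency reached
so the effect of each setting can be checked. The handler and workload are
constructed stand-ins for real provisioning requests.
"""
import threading
import time
from concurrent.futures import ThreadPoolExecutor

REQUEST_TYPES = ("ADD", "MODIFY", "DELETE", "SEARCH")


class RequestLimiter:
    def __init__(self, single_thread: bool = False, **max_threads: int):
        # Defaults mirror the sample menu: 3 threads per request type.
        self.limits = {t: int(max_threads.get(t, 3)) for t in REQUEST_TYPES}
        if any(n < 1 for n in self.limits.values()):
            raise ValueError("every max. thread count must be at least 1")
        self.single_thread = single_thread
        if single_thread:
            # Single Thread Agent = TRUE: every request type shares one slot.
            shared = threading.BoundedSemaphore(1)
            self._slots = {t: shared for t in REQUEST_TYPES}
        else:
            self._slots = {t: threading.BoundedSemaphore(n) for t, n in self.limits.items()}
        self._lock = threading.Lock()
        self._active = {t: 0 for t in REQUEST_TYPES}
        self.peak = {t: 0 for t in REQUEST_TYPES}   # highest per-type concurrency seen
        self.peak_total = 0                          # highest overall concurrency seen

    def effective_limit(self, request_type: str) -> int:
        """The ceiling that actually applies once Single Thread Agent is considered."""
        return 1 if self.single_thread else self.limits[request_type]

    def run(self, request_type: str, handler, *args):
        """Run handler(*args) for one request, waiting for a free slot of its type."""
        if request_type not in REQUEST_TYPES:
            raise ValueError(f"unknown request type {request_type!r}")
        with self._slots[request_type]:          # blocks while the type's slots are all busy
            with self._lock:
                self._active[request_type] += 1
                self.peak[request_type] = max(self.peak[request_type], self._active[request_type])
                self.peak_total = max(self.peak_total, sum(self._active.values()))
            try:
                return handler(*args)
            finally:
                with self._lock:
                    self._active[request_type] -= 1


def simulate(limiter: RequestLimiter, workload, work_seconds: float = 0.02):
    """Submit a constructed workload of (request_type, account) pairs all at once."""
    def handler(account):
        time.sleep(work_seconds)   # stand-in for the real provisioning work
        return account

    with ThreadPoolExecutor(max_workers=max(1, len(workload))) as pool:
        futures = [pool.submit(limiter.run, kind, account_handler_args[0], account)
                   for kind, account in workload
                   for account_handler_args in ((handler,),)]
        return [f.result() for f in futures]


if __name__ == "__main__":
    limiter = RequestLimiter(ADD=2, MODIFY=3)
    work = [("ADD", f"user{i}") for i in range(6)] + [("MODIFY", f"user{i}") for i in range(4)]
    simulate(limiter, work)
    print("peak per type:", limiter.peak, "peak total:", limiter.peak_total)
```

The per-type peaks can never exceed the configured counts, whatever the workload, and with Single Thread Agent set the overall peak is always 1; that is the guarantee the menu settings are meant to give, and the one worth asserting when sizing an agent.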
Viewing Statistics
The following procedure describes how to view the request statistics for the Tivoli Access Manager Agent.
1. Type H (Statistics) at the main menu prompt.
The activity history for the agent is displayed.
TAM4Agent 4.5.0 Agent Request Statistics
---
Date     Add    Mod    Del    Ssp    Res    Rec
---
11/15/02 000001 000000 000000 000000 000000 000001
---
X. Done
2. Type X to return to the Main Configuration Menu.
Accessing Help and Additional Options
The following describes how to access the agentCfg help menu and use the help arguments.
1. Return to the Tivoli Access Manager Agent bin directory by completing one of the following:
v Type X from the Main Configuration menu prompt.
v Complete procedures 1 and 2 of “Accessing the Agent Configuration Tool Main Menu” on page 13.
2. Type agentCfg -help at the prompt to view the help menu.
The following list of possible commands appears:
-version ; Show version
-hostname <value> ; Target nodename to connect to (Default:Local host IP address)
-findall ; Find all agents on target node
-list ; List available agents on target node
-agent <value> ; Name of agent
-tail ; Display agent’s activity log
-schema ; Display agent’s attribute schema
-portnumber <value>; Specified agent’s TCP/IP port number
-netsearch <value> ; Lookup agents hosted on specified subnet
-confidencetest ; Confidence test
-setup ; Confidence test setup
-help ; Display this help screen
The following table describes the purpose of the provided arguments.
Table 7. Command argument purposes

-version
Use this argument to display the agentCfg version.

-hostname <value>
Use the -hostname argument with any of the following commands to specify a different host:
v -findall
v -list
v -tail
v -agent
Enter a hostname or IP address as the value.

-findall
Use this argument to search and display all possible port addresses for all agents. Must be used with the -list argument. Add the -hostname argument to search a remote host.

-list
Use this argument to search and display agents found at default ports. By default, the argument searches the local host of the Tivoli Access Manager Agent. Use the -hostname argument to search a different host.

-agent <value>
Use this argument to specify the agent that you want to configure. Enter an agent name as the value. Use this argument with the -hostname argument to modify the configuration setting from a remote host. You can also use this argument with the -tail argument.

-tail
Use this argument with the -agent argument to display an agent’s activity log. Add the -hostname argument to display the log file for an agent on a different host.

-schema
Use this argument with the -agent argument to display an agent’s attribute schema.

-portnumber <value>
Use this argument with the -agent argument to specify an agent’s TCP/IP port number.

-netsearch <value>
Use this argument with the -agent argument to display all agents installed on the system.

-confidencetest
Use this argument to run a test to add, modify, search and delete a request to the agent. This allows you to verify the agent connection to the managed resource without the Tivoli Identity Manager Server.

-setup
Use this argument to configure the confidence test.

-help
Display the help menu for agentCfg.
3. Type agentCfg and one or more of the supported arguments at the prompt.
You must type agentCfg before every argument to run the agent configuration tool.
Table 8. Arguments
Argument syntax / Argument example

-argument
For example, type agentCfg -list
This example lists all agents on the local host IP address. Note that the default node for the Tivoli Identity Manager Server is 44970.
Agent(s) installed on node ’127.0.0.1’
---
TAM4Agent (44970)

-argument <value>
For example, type agentCfg -agent TAM4Agent
This example displays the main menu of the agentCfg tool, which is used to view or modify the Tivoli Access Manager Agent parameters.

-argument <value> -argument, or -argument -argument <value>
For example, type agentCfg -list -hostname 192.9.200.7
This example lists agents on a host whose IP address is 192.9.200.7. Note that the default node for the Tivoli Access Manager Agent is 44970.
Agent(s) installed on node ’192.9.200.7’
---
TAM4Agent (44970)

-argument <value> -argument <value>
For example, type agentCfg -agent TAM4Agent -hostname 192.9.200.7
This example displays the main menu of the agentCfg tool for a host whose IP address is 192.9.200.7. Use the menu options to view or modify the Tivoli Access Manager Agent parameters.
Chapter 5. Certificate Installation
This chapter describes how to use the provided certificate management tool (CertTool) to install and configure digital certificates for a Tivoli Identity Manager Agent. The industry-standard Secure Sockets Layer (SSL) mechanism, which uses digital certificates for authentication, is used for secure communication between the Tivoli Identity Manager Server and an Agent.
For a production environment, you must obtain and use a signed production certificate from a well-known Certificate Authority, or from your own Certificate Authority, to ensure secure communications. The agent does not come prepackaged with a certificate.
This chapter provides information for managing digital certificates on the Tivoli Identity Manager Agent only. Please refer to the “Managing Digital Certificates” chapter in the IBM Tivoli Identity Manager System Configuration Guide for information about configuring the Tivoli Identity Manager Server for SSL.
Note: If you install, modify, or delete a certificate, you must stop and restart the agent before the changes will take effect.
Overview of SSL and Digital Certificates
A Tivoli Identity Manager deployment must consider the security of communication between all configured components. The industry-standard Secure Sockets Layer (SSL) mechanism, which uses digital certificates for authentication, is used for secure communication in a Tivoli Identity Manager deployment.
SSL provides secure connections by allowing two applications connecting over a network connection to authenticate each other’s identity. Additionally, SSL provides encryption of the data exchanged between the applications. Authentication allows a server (one-way) to verify the identity of the application on the other end of a network connection. Encryption makes data transmitted over the network intelligible only to the intended recipient.
Features of SSL include the following concepts:
v SSL provides a mechanism for one application to authenticate itself to another application.
v One-way SSL allows one application to be certain of the identity of the other application.
v The application that assumes the “server” role possesses and uses a server-side certificate to prove its identity to the client application.
v The application that is presented with a certificate must have in its possession the root certificate (or certificate chain) of the Certificate Authority (CA) that signed the certificate being presented. The root CA certificate, or chain, validates the certificate being presented.
v In client connections, the client browser alerts the user when presented with a certificate that is not issued by a recognized Certificate Authority.
Note: Although the agent supports two-way SSL, Tivoli Identity Manager no longer supports two-way authentication.
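The one-way SSL described above, and the two-way variant selected by the DAML property VALIDATE_CLIENT_CE in Chapter 4, map directly onto two TLS contexts. The following Python is an added example (not the CertTool or the agent's own code) built with the standard ssl module: the connecting side verifies the presented certificate against the root CA or chain it holds, and the listening side either accepts any client (VALIDATE_CLIENT_CE = FALSE) or also demands a client certificate chained to a trusted CA (VALIDATE_CLIENT_CE = TRUE). The file paths are placeholders, and no certificate is bundled with the example.

```python
"""The two TLS roles on the agent side, built with Python's standard ssl module.

Added example; not the CertTool or the agent's own code. client_context() is
what the page calls one-way SSL: the side being shown a certificate must hold
the root CA (or chain) that signed it, and rejects anything else.
agent_server_context() mirrors the DAML property VALIDATE_CLIENT_CE: FALSE
accepts any client; TRUE additionally demands a client certificate chained to
a trusted CA (two-way SSL). File paths are placeholders; no certificate is
bundled with this example.
"""
import ssl
from typing import Optional


def client_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Context for the connecting side. With ca_file set, only that CA (or chain)
    is trusted; with ca_file None the system trust store is used instead."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # SSLv3 and TLS 1.0/1.1 are not acceptable today
    ctx.verify_mode = ssl.CERT_REQUIRED            # unsigned or unknown-CA certificates fail the handshake
    ctx.check_hostname = True                      # the certificate must also name the host that was dialled
    return ctx


def agent_server_context(validate_client_cert: bool,
                         cert_file: Optional[str] = None,
                         key_file: Optional[str] = None,
                         ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Context for the listening side (the agent). cert_file/key_file would be
    the certificate installed with CertTool; ca_file is the CA trusted for
    client certificates when validate_client_cert is True."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)   # placeholder paths supplied by the deployer
    # VALIDATE_CLIENT_CE = TRUE  -> require and verify a client certificate (two-way SSL)
    # VALIDATE_CLIENT_CE = FALSE -> any client may connect; only the agent proves its identity
    ctx.verify_mode = ssl.CERT_REQUIRED if validate_client_cert else ssl.CERT_NONE
    return ctx


def describe(ctx: ssl.SSLContext) -> dict:
    """Summarize the security-relevant settings of a context for review or tests."""
    return {
        "requires_peer_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "min_tls": ctx.minimum_version.name,
    }


if __name__ == "__main__":
    print("one-way (connecting side):", describe(client_context()))
    print("agent, VALIDATE_CLIENT_CE=FALSE:", describe(agent_server_context(False)))
    print("agent, VALIDATE_CLIENT_CE=TRUE:", describe(agent_server_context(True)))
```

Since the note above says Tivoli Identity Manager no longer supports two-way authentication, the TRUE branch is shown for completeness of the property's meaning; in a deployment of this version the security of the link rests on the one-way check, which is why the agent's certificate must chain to a CA the server actually trusts rather than being self-signed.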