
Tivoli Access Manager for e-business

Version 6.1.1

Upgrade Guide

SC23-6503-01


Note: Before using this information and the product it supports, read the information in Appendix C, Notices, on page 313.

Edition notice

This edition applies to version 6, release 1, modification 1 of IBM Tivoli Access Manager (product number 5724-C87) and to all subsequent releases and modifications until otherwise indicated in new editions. All rights reserved. Copyright IBM Corporation 2003, 2010. US Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

About this publication
  Intended audience
  Publications
    IBM Tivoli Access Manager for e-business library
    Related products and publications
    Accessing terminology online
    Accessing publications online
    Ordering publications
  Accessibility
  Tivoli technical training
  Tivoli user groups
  Support information
  Conventions used in this publication
    Typeface conventions
    Operating system-dependent variables and paths

Chapter 1. Introduction
  Scenario 1
  Scenario 2
  Scenario 3: Using a registry other than Tivoli Directory Server
    Conditions
    Hardware configuration
    High-level steps

Chapter 2. Upgrading IBM Tivoli Directory Server
  High-level steps
  About the client
  Location of migration utilities
  Before you upgrade
  Upgrading using the native (InstallShield) utilities on Windows systems
  Upgrading using the command line and operating system utilities
  Migrating WebSphere Application Server and the Web Administration Tool
  Migrating an instance

Chapter 3. Upgrading the policy server
  UNIX and Linux: Upgrade considerations
  AIX: Upgrading the policy server
    AIX: Upgrading the policy server using a single system
    AIX: Upgrading the policy server using two systems
    AIX: Retiring the original policy server
  HP-UX: Upgrading the policy server
    HP-UX: Upgrading the policy server using a single system
    HP-UX: Upgrading the policy server using two systems
    HP-UX: Retiring the original policy server
  HP-UX on Integrity: Upgrading the policy server
    HP-UX on Integrity: Upgrading the policy server using a single system
    HP-UX on Integrity: Upgrading the policy server using two systems
    HP-UX on Integrity: Retiring the original policy server
  Linux on x86: Upgrading the policy server
    Linux on x86: Upgrading the policy server using a single system
    Linux on x86: Upgrading the policy server using two systems
    Linux on x86: Retiring the original policy server
  Linux on System z: Upgrading the policy server
    Linux on System z: Upgrading the policy server using a single system
    Linux on System z: Upgrading the policy server using two systems
    Linux on System z: Retiring the original policy server
  Linux on POWER: Upgrading the policy server
    Linux on POWER: Upgrading the policy server using a single system
    Linux on POWER: Upgrading the policy server using two systems
    Linux on POWER: Retiring the original policy server
  Solaris: Upgrading the policy server
    Solaris: Upgrading the policy server using a single system
    Solaris: Upgrading the policy server using two systems
    Solaris: Retiring the original policy server
  Solaris on x86_64: Upgrading the policy server
    Solaris on x86_64: Upgrading the policy server using a single system
    Solaris on x86: Upgrading the policy server using two systems
    Solaris on x86_64: Retiring the original policy server
  Windows: Upgrading the policy server
    Windows: Upgrade considerations
    Windows: Upgrading the policy server using a single system
    Windows: Upgrading the policy server using two systems
    Windows: Retiring the original policy server

Chapter 4. Upgrading the authorization server
  Upgrade considerations
  AIX: Upgrading the authorization server
  HP-UX: Upgrading the authorization server
  HP-UX on Integrity: Upgrading the authorization server
  Linux on x86: Upgrading the authorization server
  Linux on System z: Upgrading the authorization server
  Linux on POWER: Upgrading the authorization server
  Solaris: Upgrading the authorization server
  Solaris on x86_64: Upgrading the authorization server
  Windows: Upgrading the authorization server

Chapter 5. Upgrading WebSEAL
  Upgrade considerations
  AIX: Upgrading WebSEAL
    AIX: Upgrading WebSEAL
  HP-UX: Upgrading WebSEAL
    HP-UX: Upgrading WebSEAL
  HP-UX on Integrity: Upgrading WebSEAL
    HP-UX on Integrity: Upgrading WebSEAL
  Linux on x86: Upgrading WebSEAL
    Linux on x86: Upgrading WebSEAL
  Linux on System z: Upgrading WebSEAL
    Linux on System z: Upgrading WebSEAL
  Solaris: Upgrading WebSEAL
    Solaris: Upgrading WebSEAL
  Solaris on x86_64: Upgrading WebSEAL
    Solaris on x86_64: Upgrading WebSEAL
  Windows: Upgrading WebSEAL
    Windows: Upgrading WebSEAL

Chapter 6. Upgrading the runtime
  Upgrade considerations
  AIX: Upgrading the runtime
  HP-UX: Upgrading the runtime
  HP-UX on Integrity: Upgrading the runtime
  Linux on x86: Upgrading the runtime
  Linux on System z: Upgrading the runtime
  Linux on POWER: Upgrading the runtime
  Solaris: Upgrading the runtime
  Solaris on x86_64: Upgrading the runtime
  Windows: Upgrading the runtime

Chapter 7. Upgrading the runtime for Java
  Upgrade considerations
  AIX: Upgrading the runtime for Java
  HP-UX: Upgrading the runtime for Java
  HP-UX on Integrity: Upgrading the runtime for Java
  Linux on x86: Upgrading the runtime for Java
  Linux on System z: Upgrading the runtime for Java
  Linux on POWER: Upgrading the runtime for Java
  Solaris: Upgrading the runtime for Java
  Solaris on x86_64: Upgrading the runtime for Java
  Windows: Upgrading the runtime for Java

Chapter 8. Upgrading the policy proxy server
  Upgrade considerations
  AIX: Upgrading the policy proxy server
  HP-UX: Upgrading the policy proxy server
  HP-UX on Integrity: Upgrading the policy proxy server
  Linux on x86_64: Upgrading policy proxy servers
  Linux on System z: Upgrading policy proxy servers
  Linux on POWER: Upgrading policy proxy servers
  Solaris: Upgrading the policy proxy server
  Solaris on x86_64: Upgrading the policy proxy server
  Windows: Upgrading the policy proxy server

Chapter 9. Upgrading the development system
  Upgrade considerations
  AIX: Upgrading the development system
  HP-UX: Upgrading the development system
  HP-UX on Integrity: Upgrading the development system
  Linux on x86: Upgrading the development ADK
  Linux on System z: Upgrading the development system
  Linux on POWER: Upgrading the development system
  Solaris: Upgrading the development system
  Solaris on x86_64: Upgrading the development system
  Windows: Upgrading the development system

Chapter 10. Upgrading the session management server
  Upgrade considerations
  Upgrade scenarios
    Single server upgrade from version 6.1
    Single server upgrade from version 6.0
    Side-by-side cluster upgrade from SMS 6.0 or 6.1
    In-place cluster upgrade from version 6.0 or 6.1
  Upgrading the session management server
    AIX: Upgrading the session management server
    HP-UX: Upgrading the session management server
    Linux on x86: Upgrading the session management server
    Linux on System z: Upgrading the session management server
    Solaris: Upgrading the session management server
    Windows: Upgrading the session management server

Chapter 11. Upgrading the session management command line
  Upgrade considerations
  AIX: Upgrading the session management command line
  HP-UX: Upgrading the session management command line
  Linux on x86: Upgrading the session management command line
  Linux on System z: Upgrading the session management command line
  Solaris: Upgrading the session management command line
  Windows: Upgrading the session management command line

Chapter 12. Upgrading the session management Web interface

Chapter 13. Upgrading a plug-in for Web servers

Chapter 14. Upgrading Web Portal Manager

Chapter 15. Restoring a system to its prior level
  Restoring the policy server
    AIX: Restoring the policy server
    HP-UX: Restoring the policy server
    HP-UX on Integrity: Restoring the policy server
    Linux on x86: Restoring the policy server
    Linux on System z: Restoring the policy server
    Linux on POWER: Restoring the policy server
    Solaris: Restoring the policy server
    Solaris on x86_64: Restoring the policy server
    Windows: Restoring the policy server
  Restoring WebSEAL
    AIX: Restoring WebSEAL
    HP-UX: Restoring WebSEAL
    HP-UX on Integrity: Restoring WebSEAL
    Linux on x86: Restoring WebSEAL
    Linux on System z: Restoring WebSEAL
    Solaris: Restoring WebSEAL
    Solaris on x86_64: Restoring WebSEAL
    Windows: Restoring WebSEAL

Appendix A. Upgrade utilities
  Reading syntax statements
  adschema_update
  idsimigr
  ivrgy_tool
  pdbackup
  pdconfig
  pdjrtecfg
  smscfg

Appendix B. Support information
  Searching knowledge bases
    Searching information centers
    Searching the Internet
  Obtaining fixes
  Registering with IBM Software Support
  Receiving weekly software updates
  Contacting IBM Software Support
    Determining the business impact
    Describing problems and gathering information
    Submitting problems

Appendix C. Notices
  Trademarks

Glossary

Index

About this publication


IBM Tivoli Access Manager is the base software that is required to run applications in the Access Manager product suite. It enables the integration of Access Manager applications that provide a wide range of authorization and management solutions. Sold as an integrated solution, these products provide an access control management solution that centralizes network and application security policy for e-business applications. This guide explains how to upgrade Tivoli Access Manager for e-business from a previous level to version 6.1.1.

Intended audience
This guide is for system administrators responsible for the upgrade of Tivoli Access Manager. Readers should be familiar with the following:

- Microsoft Windows and Linux and UNIX operating systems
- Database architecture and concepts
- Security management
- Internet protocols, including HTTP, TCP/IP, File Transfer Protocol (FTP), and Telnet
- Lightweight Directory Access Protocol (LDAP) and directory services
- Authentication and authorization

If you are enabling secure communication, you also should be familiar with secure communication protocols, key exchange (public and private), digital signatures, cryptographic algorithms, and certificate authorities.

Publications
This section lists publications in the IBM Tivoli Access Manager for e-business library and related documents. The section also describes how to access Tivoli publications online and how to order Tivoli publications.

IBM Tivoli Access Manager for e-business library


The following documents are in the Tivoli Access Manager for e-business library:

- IBM Tivoli Access Manager for e-business: Quick Start Guide, GI11-9333
  Provides steps that summarize major installation and configuration tasks.
- IBM Tivoli Access Manager for e-business: Release Notes, GC23-6501
  Provides information about installing and getting started, system requirements, and known installation and configuration problems.
- IBM Tivoli Access Manager for e-business: Installation Guide, GC23-6502
  Explains how to install and configure Tivoli Access Manager for e-business.
- IBM Tivoli Access Manager for e-business: Upgrade Guide, SC23-6503
  Upgrade from version 5.0, 6.0, or 6.1 to version 6.1.1.
- IBM Tivoli Access Manager for e-business: Administration Guide, SC23-6504
  Describes the concepts and procedures for using Tivoli Access Manager. Provides instructions for performing tasks from the Web Portal Manager interface and by using the pdadmin utility.
- IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide, SC23-6505
  Provides background material, administrative procedures, and reference information for using WebSEAL to manage the resources of your secure Web domain.
- IBM Tivoli Access Manager for e-business: Plug-in for Edge Server Administration Guide, SC23-6506
  Provides instructions for integrating Tivoli Access Manager with the IBM WebSphere Edge Server application.
- IBM Tivoli Access Manager for e-business: Plug-in for Web Servers Administration Guide, SC23-6507
  Provides procedures and reference information for securing your Web domain using a Web server plug-in.
- IBM Tivoli Access Manager for e-business: Shared Session Management Administration Guide, SC23-6509
  Provides deployment considerations and operational instructions for the session management server.
- IBM Global Security Kit: Secure Sockets Layer Introduction and iKeyman User's Guide, SC23-6510
  Provides information for enabling SSL communication in the Tivoli Access Manager environment.
- IBM Tivoli Access Manager for e-business: Auditing Guide, SC23-6511
  Provides information about configuring and managing audit events using the native Tivoli Access Manager approach and the Common Auditing and Reporting Service. You can also find information about installing and configuring the Common Auditing and Reporting Service. Use this service for generating and viewing operational reports.
- IBM Tivoli Access Manager for e-business: Command Reference, SC23-6512
  Provides reference information about the commands, utilities, and scripts that are provided with Tivoli Access Manager.
- IBM Tivoli Access Manager for e-business: Administration C API Developer Reference, SC23-6513
  Provides reference information about using the C language implementation of the administration API to enable an application to perform Tivoli Access Manager administration tasks.
- IBM Tivoli Access Manager for e-business: Administration Java Classes Developer Reference, SC23-6514
  Provides reference information about using the Java language implementation of the administration API to enable an application to perform Tivoli Access Manager administration tasks.
- IBM Tivoli Access Manager for e-business: Authorization C API Developer Reference, SC23-6515
  Provides reference information about using the C language implementation of the authorization API to enable an application to use Tivoli Access Manager security.
- IBM Tivoli Access Manager for e-business: Authorization Java Classes Developer Reference, SC23-6516
  Provides reference information about using the Java language implementation of the authorization API to enable an application to use Tivoli Access Manager security.
- IBM Tivoli Access Manager for e-business: Web Security Developer Reference, SC23-6517
  Provides programming and reference information for developing authentication modules.
- IBM Tivoli Access Manager for e-business: Troubleshooting Guide, GC27-2717
  Provides problem determination information.
- IBM Tivoli Access Manager for e-business: Error Message Reference, GI11-8157
  Provides explanations and recommended actions for the messages and return code.
- IBM Tivoli Access Manager for e-business: Performance Tuning Guide, SC23-6518
  Provides performance tuning information for an environment consisting of Tivoli Access Manager with the IBM Tivoli Directory Server as the user registry.

Related products and publications


This section lists the IBM products that are related to and included with a Tivoli Access Manager solution.

IBM Global Security Kit


Tivoli Access Manager provides data encryption through the use of the Global Security Kit (GSKit), version 7.0. GSKit is included on the IBM Tivoli Access Manager Base CD for your particular platform, as well as on the IBM Tivoli Access Manager Web Security CDs, the IBM Tivoli Access Manager Shared Session Management CDs, and the IBM Tivoli Access Manager Directory Server CDs. The GSKit package provides the iKeyman key management utility, gsk7ikm, which creates key databases, public-private key pairs, and certificate requests. The IBM Global Security Kit: Secure Sockets Layer Introduction and iKeyman User's Guide is available on the Tivoli Information Center Web site in the same section as the Tivoli Access Manager product documentation.

IBM Tivoli Directory Server


IBM Tivoli Directory Server, version 6.1, is included on the IBM Tivoli Access Manager Directory Server set of CDs for the required operating system. You can find additional information about Tivoli Directory Server at: http://www.ibm.com/software/tivoli/products/directory-server/

IBM Tivoli Directory Integrator


IBM Tivoli Directory Integrator, version 6.1.1, is included on the IBM Tivoli Directory Integrator CD for the required operating system. You can find additional information about IBM Tivoli Directory Integrator at: http://www-306.ibm.com/software/tivoli/products/directory-integrator/

IBM DB2 Universal Database


IBM DB2 Universal Database Enterprise Server Edition, version 9.1, is provided on the IBM Tivoli Access Manager Directory Server set of CDs and is installed with the Tivoli Directory Server software. DB2 is required when using Tivoli Directory Server or z/OS LDAP servers as the user registry for Tivoli Access Manager. For z/OS LDAP servers, you must separately purchase DB2. You can find additional information about DB2 at: http://www.ibm.com/software/data/db2

IBM WebSphere Application Server


WebSphere Application Server, version 6.1, is included on the IBM Tivoli Access Manager WebSphere Application Server set of CDs for the required operating system. WebSphere Application Server enables the support of the following applications:

- Web Portal Manager interface, which administers Tivoli Access Manager.
- Web Administration Tool, which administers Tivoli Directory Server.
- Common Auditing and Reporting Service, which processes and reports on audit events.
- Session management server, which manages shared session in a Web security server environment.
- Attribute Retrieval Service.

You can find additional information about WebSphere Application Server at: http://www.ibm.com/software/webservers/appserv/infocenter.html

Accessing terminology online


The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available at the following Tivoli software library Web site: http://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm

The IBM Terminology Web site consolidates the terminology from IBM product libraries in one convenient location. You can access the Terminology Web site at http://www.ibm.com/software/globalization/terminology.

Accessing publications online


The documentation CD contains the publications that are in the product library. The format of the publications is PDF, HTML, or both. Refer to the readme file on the CD for instructions on how to access the documentation.

The product CD contains the publications that are in the product library. The format of the publications is PDF, HTML, or both. To access the publications using a Web browser, open the infocenter.html file. The file is in the appropriate publications directory on the product CD.

IBM posts publications for this and all other Tivoli products, as they become available and whenever they are updated, to the Tivoli Documentation Central Web site at http://www.ibm.com/tivoli/documentation.

Note: If you print PDF documents on other than letter-sized paper, set the option in the File Print window that allows Adobe Reader to print letter-sized pages on your local paper.


Ordering publications
You can order many Tivoli publications online at http://www.elink.ibmlink.ibm.com/publications/servlet/pbi.wss. You can also order by telephone by calling one of these numbers:

- In the United States: 800-879-2755
- In Canada: 800-426-4968

In other countries, contact your software account representative to order Tivoli publications. To locate the telephone number of your local representative, perform the following steps:

1. Go to http://www.ibm.com/e-business/linkweb/publications/servlet/pbi.wss.
2. Select your country from the list and click Go.
3. Click About this site in the main panel to see an information page that includes the telephone number of your local representative.

Accessibility
Accessibility features help users with a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface.

Visit the IBM Accessibility Center at http://www.ibm.com/alphaworks/topics/accessibility/ for more information about IBM's commitment to accessibility. For additional information, see the Accessibility Appendix in IBM Tivoli Access Manager for e-business Installation Guide.

Tivoli technical training


For Tivoli technical training information, refer to the following IBM Tivoli Education Web site at http://www.ibm.com/software/tivoli/education.

Tivoli user groups


Tivoli user groups are independent, user-run membership organizations that provide Tivoli users with information to assist them in the implementation of Tivoli Software solutions. Through these groups, members can share information and learn from the knowledge and experience of other Tivoli users. Tivoli user groups include the following members and groups:

- 23,000+ members
- 144+ groups

Access the link for the Tivoli Users Group at http://www.tivoli-ug.org/.

Support information
If you have a problem with your IBM software, you want to resolve it quickly. IBM provides the following ways for you to obtain the support you need:

Online
  Access the Tivoli Software Support site at http://www.ibm.com/software/sysmgmt/products/support/index.html?ibmprd=tivman. Access the IBM Software Support site at http://www.ibm.com/software/support/probsub.html.

IBM Support Assistant
  The IBM Support Assistant is a free local software serviceability workbench that helps you resolve questions and problems with IBM software products. The Support Assistant provides quick access to support-related information and serviceability tools for problem determination. To install the Support Assistant software, go to http://www.ibm.com/software/support/isa.

Troubleshooting Guide
  For more information about resolving problems, see the IBM Tivoli Access Manager for e-business Installation Guide.

Conventions used in this publication


This publication uses several conventions for special terms and actions, operating system-dependent commands, and paths.

Typeface conventions
This publication uses the following typeface conventions:

Bold
- Lowercase commands and mixed case commands that are otherwise difficult to distinguish from surrounding text
- Interface controls (check boxes, push buttons, radio buttons, spin buttons, fields, folders, icons, list boxes, items inside list boxes, multicolumn lists, containers, menu choices, menu names, tabs, property sheets), labels (such as Tip:, and Operating system considerations:)
- Keywords and parameters in text

Italic
- Citations (examples: titles of publications, diskettes, and CDs)
- Words defined in text (example: a nonswitched line is called a point-to-point line)
- Emphasis of words and letters (words as words example: "Use the word that to introduce a restrictive clause."; letters as letters example: "The LUN address must start with the letter L.")
- New terms in text (except in a definition list): a view is a frame in a workspace that contains data.
- Variables and values you must provide: ... where myname represents....

Monospace
- Examples and code examples
- File names, programming keywords, and other elements that are difficult to distinguish from surrounding text
- Message text and prompts addressed to the user
- Text that the user must type
- Values for arguments or command options


Operating system-dependent variables and paths


This publication uses the UNIX convention for specifying environment variables and for directory notation. When using the Windows command line, replace $variable with %variable% for environment variables and replace each forward slash (/) with a backslash (\) in directory paths. The names of environment variables are not always the same in the Windows and UNIX environments. For example, %TEMP% in Windows environments is equivalent to $TMPDIR in UNIX environments.

Note: If you are using the bash shell on a Windows system, you can use the UNIX conventions.


Chapter 1. Introduction
The process of upgrading Tivoli Access Manager to version 6.1.1 requires you to consider the interdependencies among the various Tivoli Access Manager components and other software components on which the system depends. For example, a user logging in to WebSEAL might interact with the WebSEAL component directly. For the authentication to complete, WebSEAL must be able to communicate with the registry server (for example, the LDAP server). Being mindful of this interdependency helps to maintain service continuity during the upgrade.

This guide takes a system-level approach to the upgrade process by considering the interaction of the various components that are present in a production environment. While there are many different ways to deploy Tivoli Access Manager components, this guide presents specific scenarios, which account for a large proportion of Tivoli Access Manager deployments. No additional hardware is required. However, in some cases, additional machines can reduce the risks involved in the upgrade.

Carefully review the scenarios and determine the one that best matches your deployment. If your environment does not exactly match a scenario, you can mix and match among scenarios, using the procedures that correspond to your configuration. Create your own custom upgrade guide based on the procedures in this guide and enhance it with the details of your own environment. Your custom upgrade guide should include enough detail to complete the upgrade and should be thoroughly verified in a test environment before it is applied in a production environment.

The following list provides suggestions for the type of information to include in your custom upgrade guide:

- Host names and IP addresses of servers
- Components installed on the servers
- Networking devices, such as firewalls and load balancers
- How to add and remove WebSEAL servers to and from load balancers
- Exact commands to run for each step of each procedure

Note: The C API for Tivoli Access Manager 6.1.1 behaves differently from the C API for Tivoli Access Manager 5.1, depending on how you use the API. To maintain compatibility between the two APIs, use the appropriate header files.

Scenario 1
The key issue to consider in this scenario involves a single system that functions as both the policy server and the primary LDAP server (Tivoli Directory Server). Rather than impact the active policy server, the two server upgrade procedure installs a new 6.1.1 policy server on an LDAP server peer. If you do not want to use an LDAP server peer for this purpose, you can introduce an additional server to act as the new registry server. The peer or second server in this scenario is named the ldap_host2 system.


In Tivoli Directory Server 6.1, clients can coexist on the same machine with a client that is version 5.1, 5.2, or 6.0. The Tivoli Directory Server 6.1 server requires that the version 6.1 client and the Java client also be installed. In addition, the server can coexist on the same machine with another client that is version 5.1, 5.2 or 6.0, or with a version of the 6.0 server. If you install any Tivoli Access Manager 6.1.1 component on the same machine, you must also install a Tivoli Directory Server 6.1 client. For example, if you keep the LDAP server at version 5.2 but install any Tivoli Access Manager 6.1.1 component, you can also have coexisting Tivoli Directory Server 5.2 and Tivoli Directory Server 6.1 clients.

Conditions
The following conditions apply to this scenario:
1. Service must remain available during migration.
2. The number of Tivoli Access Manager user accounts is in the millions.
3. Must be able to fall back to a previous version in the event of failure with minimal downtime. This condition precludes restoring from tape backup.
4. If absolutely necessary, provide additional hardware to support the upgrade process.

Hardware configuration
[Figure: hardware configuration for Scenario 1]
- webseal_host1: WebSEAL
- webseal_host2: WebSEAL
- webseal_host3: WebSEAL
- ldap_host1: LDAP primary server, Policy server
- ldap_host2: LDAP server peer
- ldap_host3: LDAP server peer

In this scenario:
LDAP primary server: Indicates the primary LDAP server against which the policy server is configured. This system also provides authentication services for the WebSEAL servers.
LDAP server peers: Indicates the backup LDAP servers for the policy server. Also provides authentication services for the WebSEAL servers.

High-level steps
Complete the following high-level steps:
1. Upgrade Tivoli Directory Server on ldap_host2.


   a. Upgrade Tivoli Directory Server. For instructions, see Chapter 2, Upgrading IBM Tivoli Directory Server, on page 9. Then return to these high-level steps and continue with step 1b.
   b. Test that Tivoli Directory Server is up and running by using the following command:
idsldapsearch -h ldap_host2 -s base -p port objectclass=*

If the last line from the output from the ldapsearch command (ibm-slapdisconfigurationmode) is set to TRUE, there was a problem during the migration and the server started in configuration mode. Examine the ibmslapd.log file for errors. If no specific error is given, try restarting Tivoli Directory Server.
   c. Verify that replication still works by creating a new Tivoli Access Manager user on the LDAP primary server (ldap_host1) and verify that it is replicated to this LDAP server peer (ldap_host2).
2. Upgrade the policy server using the two system approach. Make ldap_host2 the new system and ldap_host1 the original system. For instructions on upgrading the policy server for your appropriate platform using the two system approach, see Chapter 3, Upgrading the policy server, on page 17. After the upgrade is complete, ldap_host2 hosts Tivoli Directory Server 6.1 and Tivoli Access Manager policy server 6.1.1. The other servers still have the older versions of the software.
   Note: Maintain the original policy server until the other Tivoli Access Manager components are upgraded. This approach provides the option of restoring the original version should the need arise. At this time, it is important to note that any policy modification that results in an update on one policy server must also be made on the other one. This means that new ACLs and other policy-related configurations should be performed on both the new and the old policy servers while the two systems are running in parallel.
3. Upgrade the WebSEAL servers (webseal_host1, webseal_host2, webseal_host3). The WebSEAL servers are still configured to use the policy server residing on ldap_host1. However, because there is backward compatibility between the 6.1.1 policy server and previous versions of WebSEAL, you can configure the three WebSEAL servers to use the new policy server. This approach offers a low-risk way of moving over to the new policy server.
   If for some reason a WebSEAL server does not function properly with the new policy server, point it back to the old one. Changing the policy server that WebSEAL uses involves changing the master-host entry in the WebSEAL configuration file.
   Another item to consider concerns the user activity on the system during your upgrade. If you plan to upgrade WebSEAL while users are trying to access the system, you must isolate each WebSEAL server before you upgrade it. To do so, change the port on which the WebSEAL server listens or configure your load balancer so that it does not route traffic to the WebSEAL server.
   The following steps should be applied to each WebSEAL server in succession:
   a. If required, isolate the WebSEAL server from use by changing the listening port or by reconfiguring the load balancer.
   b. Upgrade WebSEAL. For instructions, see Chapter 5, Upgrading WebSEAL, on page 99.
   c. If you took measures to isolate the WebSEAL server from use, reverse those measures and restart WebSEAL.

   Note: Do not change the WebSEAL configuration file to refer to the new policy server before you complete step 3b on page 3.
4. Retire the original policy server. After the WebSEAL servers are upgraded, you have at least one instance of each Tivoli Access Manager component running the new version of the software. You can keep this configuration up and running until you feel that the new version is stable. When you are ready to make the switch, retire the original policy server (ldap_host1). For information about how to retire the original policy server, refer to the procedure for your platform in Chapter 3, Upgrading the policy server, on page 17.
5. Upgrade Tivoli Directory Server. Upgrade Tivoli Directory Server on ldap_host1 and ldap_host3. For instructions on upgrading, see Chapter 2, Upgrading IBM Tivoli Directory Server, on page 9.
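The configuration-mode check from step 1b can be scripted as a gate in a custom upgrade guide. The following is an added example, not part of the IBM guide; the sample outputs are constructed, and the "attr=value" and "attr: value" line layouts are assumptions about what the search prints.

```shell
#!/bin/sh
# Added example (not IBM code): classify the output of the step 1b search.
# config_mode_status reads the search output on stdin and returns
#   0 = normal mode (ibm-slapdisconfigurationmode present and FALSE)
#   1 = configuration mode (attribute TRUE): the migration had a problem
#   2 = attribute absent or unrecognised; treat as unknown, not as healthy
config_mode_status() {
    awk '
        {
            line = $0
            sub(/\r$/, "", line)            # tolerate CRLF in captured output
            low = tolower(line)             # LDAP attribute names ignore case
            if (match(low, /^[ \t]*ibm-slapdisconfigurationmode[ \t]*[=:][ \t]*/)) {
                val = substr(low, RSTART + RLENGTH)
                sub(/[ \t]+$/, "", val)
                state = val                 # last occurrence wins
            }
        }
        END {
            if (state == "false") exit 0
            if (state == "true")  exit 1
            exit 2
        }
    '
}

# describe_config_mode prints a one-line verdict for the runbook log and
# passes the status code through to the caller.
describe_config_mode() {
    rc=0
    config_mode_status || rc=$?
    case $rc in
        0) echo "OK: normal mode" ;;
        1) echo "FAIL: configuration mode, check ibmslapd.log" ;;
        *) echo "UNKNOWN: ibm-slapdisconfigurationmode not found" ;;
    esac
    return "$rc"
}

# Constructed sample outputs (not captured from a real server).
SAMPLE_NORMAL='namingcontexts=O=EXAMPLE
ibm-slapdisconfigurationmode=FALSE'
SAMPLE_CONFIG='namingcontexts=O=EXAMPLE
ibm-slapdisconfigurationmode=TRUE'
SAMPLE_NO_ATTR='search did not return an entry (constructed line)'

# Live use, with the command from step 1b:
#   idsldapsearch -h ldap_host2 -s base -p port objectclass=* | describe_config_mode
for sample in "$SAMPLE_NORMAL" "$SAMPLE_CONFIG" "$SAMPLE_NO_ATTR"; do
    printf '%s\n' "$sample" | describe_config_mode || true
done
```

A status of 2 covers an empty or failed search, so a server that could not be reached is never reported as healthy.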

Scenario 2
The key feature seen in this configuration is the lack of redundancy in the servers, which favors handling occasional outages due to failure over maintaining additional servers. Similar to Scenario 1 on page 1, this scenario requires the use of existing hardware to the maximum advantage. However, unlike the large user base scenario, there is no redundancy in the servers (no peer or second server) so downtime must be scheduled with the users of the system. This scenario involves a variety of Tivoli Access Manager components, but does not service as many users as in Scenario 1 on page 1.

Conditions
The following conditions apply to this scenario:
1. Service outage for upgrade can be scheduled.
2. The number of Tivoli Access Manager servers is minimal.
3. The number of Tivoli Access Manager user accounts is in the tens of thousands.
4. Must be able to fall back to the previous version in the event of failure.
5. Not willing to purchase additional hardware to support migration.

Hardware configuration
[Figure: hardware configuration for Scenario 2]
- webseal_host: WebSEAL
- ldap_host: LDAP server, Policy server
- plugin_host: IIS with Access Manager plug-in
- authzn_host: Authorization server
- app_host: AznAPI application


In this scenario:
LDAP primary server: Indicates the primary LDAP server against which the policy server is configured, and there is no backup LDAP server for the policy server. This system also provides authentication services for the WebSEAL servers.

High-level steps:
Complete the following high-level steps:
1. Do one of the following:
   - If you have scheduled downtime for the upgrade, proceed to step 2 without installing a second authorization server.
   - If you want your AznAPI application to have minimal downtime, you must install a second authorization server to ensure that your AznAPI application can continue to make authorization decisions during the upgrade process.
   To install the second authorization server, follow these steps:
   a. Install another instance of the authorization server on app_host. This should be the same software version of the authorization server that is running on authzn_host, just running on a different machine.
   b. Edit your AznAPI application configuration file on app_host, comment out the replica entry for the original authorization server, and add a new replica line for the new authorization server.
   c. Restart the AznAPI application on app_host and verify that it functions properly.
2. Unconfigure and uninstall the Access Manager Authorization Server and the Access Manager Runtime packages on authzn_host. If you have the command line extension to the SMS installed and configured, unconfigure and uninstall the command line extension.
3. Install a new Access Manager Policy Server on authzn_host for the second policy server in addition to the policy server on ldap_host. Use the two system upgrade procedure as instructed for your specific operating system in Chapter 3, Upgrading the policy server, on page 17. After completing this step, you have a policy server running on ldap_host (the original server) and on authzn_host (new server).
4. Confirm that the policy server is running on authzn_host:
pd_start status

5. Install and configure a version 6.1.1 authorization server on authzn_host. For instructions, see the IBM Tivoli Access Manager for e-business: Installation Guide. When using a Tivoli Directory Server registry, set [ldap] auth-using-compare to no in ivacld.conf after installing the 6.1.1 authorization server.
6. Upgrade WebSEAL on webseal_host. For instructions, see Chapter 5, Upgrading WebSEAL, on page 99. Because there is only one WebSEAL server, there is a period of time when the WebSEAL service is unavailable.
7. Confirm that the WebSEAL server is running and functioning properly.
8. Upgrade the plug-in for Web Servers on plugin_host. For instructions, see Chapter 13, Upgrading a plug-in for Web servers, on page 253.
9. Upgrade the AznAPI application by completing these procedures:
   - Upgrade the Tivoli Access Manager components such as the development system. See Chapter 9, Upgrading the development system, on page 197.
   - Install a new version of your AznAPI application based on the 6.1.1 API.

   To deploy a new version of your application, build and test a new version of your code in your 6.1.1 test environment. The build and test activities should take place before the scheduled upgrade of the production servers.
   To upgrade the production server, perform the following steps on app_host:
   a. Stop the AznAPI application.
   b. Unconfigure and uninstall the AznAPI application on app_host.
   c. Back up your AznAPI application by moving it out of the Tivoli Access Manager directory hierarchy and storing it elsewhere.
   d. Edit pd.conf (the configuration file for the Tivoli Access Manager Runtime component) and aznapi.conf (the configuration file for the authorization API application) so as to change the master-host entry to the value of authzn_host. This directs the Tivoli Access Manager runtime and your application to use the 6.1.1 policy server that is running on authzn_host.
   e. Upgrade Access Manager Runtime according to the instructions in Chapter 6, Upgrading the runtime, on page 141.
   f. Copy the newly built 6.1.1 version of your AznAPI application to the same location where you stored the previous version.
   g. Start your AznAPI application.
10. Retire the existing policy server. After sufficient time has passed with the new Tivoli Access Manager servers in production (for example, two weeks), you can retire the existing policy server. For information about retiring the original policy server, see information for your appropriate platform in Chapter 3, Upgrading the policy server, on page 17.
11. Upgrade Tivoli Directory Server. For instructions on upgrading, see Chapter 2, Upgrading IBM Tivoli Directory Server, on page 9.
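Steps 5 and 9d both change one entry in a stanza-based configuration file, and the fallback condition means the pre-change file must stay recoverable. The following is an added example, not IBM code, of a stanza-aware edit that keeps the first original copy. The sample file is constructed, and the [manager] stanza name for master-host is an assumption (the guide names only the [ldap] stanza).

```shell
#!/bin/sh
# Added example (not IBM code): read and set "key = value" entries inside a
# named "[stanza]" of a Tivoli Access Manager style configuration file.

# get_stanza_key FILE STANZA KEY -> prints the active value; status 1 if unset
get_stanza_key() {
    awk -v stanza="$2" -v key="$3" '
        /^[ \t]*\[[^]]*\][ \t]*$/ {
            name = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", name)
            in_target = (name == stanza); next
        }
        in_target && $0 !~ /^[ \t]*#/ && index($0, "=") {
            k = $0; sub(/[ \t]*=.*$/, "", k); sub(/^[ \t]+/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t\r]+$/, "", v)
                print v; found = 1; exit
            }
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# set_stanza_key FILE STANZA KEY VALUE
# Status: 0 = written, 2 = file missing, 3 = stanza absent (file untouched).
# Commented-out entries are left alone; a missing key is added to the stanza.
set_stanza_key() {
    file=$1
    [ -f "$file" ] || return 2
    tmp="$file.new.$$"
    awk -v stanza="$2" -v key="$3" -v value="$4" '
        function add_if_missing() {
            if (in_target && !written) { print key " = " value; written = 1 }
        }
        /^[ \t]*\[[^]]*\][ \t]*$/ {
            add_if_missing()
            name = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", name)
            in_target = (name == stanza)
            if (in_target) seen = 1
            print; next
        }
        in_target && !written && $0 !~ /^[ \t]*#/ && index($0, "=") {
            k = $0; sub(/[ \t]*=.*$/, "", k); sub(/^[ \t]+/, "", k)
            if (k == key) { print key " = " value; written = 1; next }
        }
        { print }
        END { add_if_missing(); exit(seen ? 0 : 3) }
    ' "$file" > "$tmp" || { rc=$?; rm -f "$tmp"; return "$rc"; }
    # Keep the first original only, so fallback always returns to the
    # pre-upgrade settings: cp -p FILE.orig FILE
    [ -e "$file.orig" ] || cp -p "$file" "$file.orig"
    # Write through the existing file so its owner and mode are preserved.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# write_sample_conf FILE: constructed sample, not a real product file.
# The [manager] stanza name is an assumption made for this example.
write_sample_conf() {
    cat > "$1" <<'EOF'
[ldap]
# auth-using-compare = no
auth-using-compare = yes
host = ldap_host

[manager]
master-host = ldap_host
master-port = 7135
EOF
}

demo() {
    dir=$(mktemp -d) || return 1
    conf="$dir/sample.conf"
    write_sample_conf "$conf"
    set_stanza_key "$conf" ldap auth-using-compare no        # step 5
    set_stanza_key "$conf" manager master-host authzn_host   # step 9d
    diff "$conf.orig" "$conf" || true    # review exactly what changed
    rm -rf "$dir"
}
demo
```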

Scenario 3: Using a registry other than Tivoli Directory Server


This scenario concerns the use of Tivoli Access Manager with a registry server other than Tivoli Directory Server. Microsoft Active Directory was chosen for this example.

Conditions
The following conditions apply to this scenario:
1. Service outage for migration can be scheduled for a short interval.
2. The number of Tivoli Access Manager servers is minimal.
3. The number of Tivoli Access Manager user accounts is in the tens of thousands.
4. Must be able to fall back to the previous version in the event of failure.
5. Not willing to purchase additional hardware to support migration.
6. Uses a non-IBM user registry server.

Hardware configuration
Similar to Scenario 1 on page 1, this scenario requires using the existing hardware to maximum advantage. However, unlike the large user base scenario, there is redundancy only in the WebSEAL servers, so downtime must be scheduled with the users of the system during the policy server upgrade. Scheduled downtime primarily affects policy management, not WebSEAL authentication.


High-level steps
Complete the following high-level steps:
1. Upgrade the Web Portal Manager system. Because Web Portal Manager does not have its own database to manage (it retrieves its data from Tivoli Access Manager), uninstall the old version and install the latest version. For instructions, see the IBM Tivoli Access Manager for e-business: Installation Guide.
2. Upgrade the policy server using the single system approach only.
   Note: The two-system approach is supported for LDAP-based registries only.
   You must schedule downtime to upgrade the policy server, because there will be a period of time during the upgrade when the policy server is not available. The policy server not being available affects the management of policy information, such as access control lists. The WebSEAL servers continue to provide service. For instructions on upgrading the policy server for your appropriate platform using a single system, see Chapter 3, Upgrading the policy server, on page 17.
3. Verify that the WebSEAL servers can communicate with the policy server.
4. Upgrade WebSEAL on the servers. To do so, follow these steps:
   a. If you plan to upgrade WebSEAL on a server while users are trying to access the system, you must isolate each WebSEAL server before you upgrade it. To do so, change the port on which the WebSEAL server listens or configure your load balancer so that it does not route traffic to the WebSEAL server.
   b. Upgrade WebSEAL. For instructions, see Chapter 5, Upgrading WebSEAL, on page 99.
   c. If you took measures to isolate the WebSEAL server, you can reverse those measures and restart WebSEAL.


Chapter 2. Upgrading IBM Tivoli Directory Server


Upgrading from a previous version of IBM Directory Server, or IBM Tivoli Directory Server is necessary to preserve the data, to preserve the changes that were made to the schema definitions, and to preserve the directory server configuration. Use the procedures in this chapter when you are upgrading an existing directory server on the same physical computer from a previous version of IBM Directory Server, or Tivoli Directory Server.

This chapter describes:
- High-level steps
- About the client
- Location of migration utilities
- Before you upgrade
- IBM Tivoli Directory Server: Upgrading using the native (InstallShield) utilities on Windows systems
- IBM Tivoli Directory Server: Upgrading using the command line and operating system utilities

High-level steps
The following list contains the order in which you upgrade software and migrate data:
1. Prepare the database for migration by backing up and stopping the database.
2. Back up the configuration and schema files for a previous version of IBM Directory Server or Tivoli Directory Server.
3. Upgrade the operating system, if necessary.
4. Upgrade DB2 if necessary.
5. If the version of IBM Tivoli Directory Server you are upgrading is before 6.0, uninstall IBM Tivoli Directory Server or IBM Directory Server.
6. Install Tivoli Directory Server 6.1.
7. Migrate schema and configuration files.
8. Create a migrated Tivoli Directory Server instance from your previous instance.
9. Migrate database instances and the databases.

About the client


If you have only a client installed, migration is not necessary. Clients from releases 5.1, 5.2, and 6.0 can coexist with Tivoli Access Manager 6.1.1 clients and servers.

Location of migration utilities


The migbkup and idswmigr utilities are used during the upgrade process. These utilities are found on the second Tivoli Directory Server CD for all platforms; for example: IBM Tivoli Access Manager Directory Server for Windows (2 of 3). The migration utilities are located in the following directory on the CD:
platform/itds-tools


where platform is the operating system.

Before you upgrade


Before you upgrade your Tivoli Directory Server to version 6.1, perform the following steps:
1. If you are upgrading Tivoli Directory Server from version 5.2 to 6.0 or 6.1, starting the Tivoli Directory Server instance after the upgrade displays a segmentation error. To resolve this problem when upgrading from version 5.2 to 6.1, install Tivoli Directory Server fix pack 6.1 0002. To resolve this problem when upgrading from Tivoli Directory Server version 5.2 to 6.0, install Tivoli Directory Server fix pack 6.0 0007.
2. Upgrade your operating system to the minimum supported level. For information about minimum supported levels, see IBM Tivoli Access Manager for e-business: Release Notes.
3. Be sure that the server you plan to migrate to IBM Tivoli Directory Server 6.1 can be successfully started. (If the server is not a proxy server, be sure that the database is configured.) If the server cannot be started successfully, whether it is a proxy server or a full directory server, the upgrade is not supported.
   Note: You must not remove the directory server instance that you want to upgrade and, for a full directory server instance, you must not unconfigure the database. If you do either of these, upgrade is not supported.
4. Back up the databases and DB2 settings. See the Tivoli Directory Server Administration Guide for your release of IBM Directory Server or IBM Tivoli Directory Server for information about backing up databases using DB2 commands, the dbback or idsdbback command, or the Configuration Tool. Take an offline database backup for each local database on the server. (You can do this step now or after step 5.)
5. Back up the configuration files and schema files by using the migbkup utility. See Location of migration utilities on page 9 for the location of this utility. Type the following at a command prompt:
   - For Windows systems:
migbkup.bat install_location backup_directory

   - For AIX, Linux, Solaris, and HP-UX systems:


migbkup install_location backup_directory

This utility backs up the server configuration file (slapd32.conf on 4.1 systems and ibmslapd.conf on 5.1, 5.2 and 6.0 systems) and all standard schema files that are supplied with IBM Tivoli Directory Server from the install_location\etc directory to a temporary directory, specified by backup_directory. install_location is the directory where IBM Directory Server is installed. backup_directory is the temporary directory where the backed up files are copied.

The following is a partial list of files of which the command creates backup copies:
- slapd32.conf (only on IBM Directory Server 4.1 systems) or ibmslapd.conf
- V3.ibm.at
- V3.ibm.oc
- V3.system.at
- V3.system.oc
- V3.user.at


- V3.user.oc
- V3.modifiedschema

In addition, for backups on version 6.0, the command backs up the following files:
- V3.config.at
- V3.config.oc
- V3.ldapsyntaxes
- V3.matchingrules
- ibmslapdcfg.ksf
- ibmslapddir.ksf
- ibmdiradmService.cmd
- ibmslapdService.cmd

The command also creates the db2info file. If you have additional schema files that you used in your previous release, copy them manually to the backup_directory also. When you migrate the configuration and schema files during instance creation, these files will not be migrated, but they will be copied to the new directory server instance location for use by the directory server instance.
6. Be sure that the operating system on which you will install Tivoli Directory Server 6.1 is supported. See IBM Tivoli Directory Server Version 6.1 Release Notes for information about supported levels. If the operating system is not supported, install a supported version.
7. If your current version of DB2 is a version not supported for IBM Tivoli Directory Server 6.1 such as DB2 version 7 or v8.1 ESE (32-bit), you must first upgrade your DB2 version or FixPack level to a level supported by IBM Tivoli Directory Server 6.1. See IBM Tivoli Directory Server Version 6.1 Release Notes for information about supported DB2 versions. See http://www-1.ibm.com/support/docview.wss?uid=swg21200005 for information about upgrading your DB2 version. You might also need to upgrade the bit-width of the database using DB2 commands.
8. To upgrade on an AIX, Linux, Solaris, or HP-UX system using operating system utilities and commands, use the information in Upgrading using the command line and operating system utilities on page 13. To upgrade on Windows operating systems, use the information in Upgrading using the native (InstallShield) utilities on Windows systems.

Upgrading using the native (InstallShield) utilities on Windows systems


If you have a server from IBM Directory Server 4.1 or 5.1 or IBM Tivoli Directory Server 5.2 or 6.0, you can use the InstallShield GUI to install Tivoli Directory Server 6.1 without uninstalling the previous version first. If the server is a 4.1, 5.1 or 5.2 server, it will be automatically upgraded to version 6.1 and the previous version of Tivoli Directory Server will be uninstalled. (Servers before the 6.0 release cannot coexist on a system with Tivoli Directory Server 6.1.) A 6.0 directory server instance can coexist with a 6.1 directory server instance; if you have a 6.0 directory server instance, it will not be automatically upgraded when you install Tivoli Directory Server 6.1, but you can migrate the directory server instance to 6.1 at the end of installation if you choose to. You can keep the 6.0 directory server instance and also create one or more 6.1 directory server instances.

During Tivoli Directory Server installation, the following upgrade activity occurs:

On systems that had a 4.1, 5.1, or 5.2 version of Tivoli Directory Server, during installation:
- The old version of Tivoli Directory Server is automatically uninstalled and Tivoli Directory Server version 6.1 is installed. Your previous directory server is migrated to a 6.1 directory server instance with the name, location, and encryption seed you specified in step 4.
- Your previous configuration and schema files are migrated to 6.1 versions.
- If your previous database was 32-bit and the new database is 64-bit, the database is expanded to 64-bit. When the server is started for the first time, the directory data is migrated.
- If you installed a server, the Instance Administration Tool automatically starts. You can use this tool to view information about the 6.1 directory server instance. If the upgrade was successful, the directory server instance is created and configured and does not need any further setup.

On systems that had Tivoli Directory Server 6.0 installed, during installation:
- Tivoli Directory Server 6.1 is installed and Tivoli Directory Server 6.0 is left on the system.
- If you installed a server, the Instance Administration Tool automatically starts so that you can migrate your 6.0 directory server instance to 6.1 or create and configure a new 6.1 directory server instance. To create a new directory server instance, see the IBM Tivoli Access Manager for e-business: Installation Guide. To migrate a 6.0 directory server instance to 6.1, see Migrating an instance on page 15.

Note: If the previous version on your system is Tivoli Directory Server 6.0, directory server instances are not upgraded automatically.

To upgrade Tivoli Directory Server:
1. Be sure that you have followed the instructions in Before you upgrade on page 10.
2. Stop the previous version server and the administration server.
3. Install Tivoli Directory Server 6.1 using native utilities. See the IBM Tivoli Access Manager for e-business: Installation Guide for complete installation information.
4. If your previous version of Tivoli Directory Server is 4.1, 5.1, or 5.2, after you begin the install, a window is displayed requesting information about the 6.1 directory server instance to which your previous server is being upgraded:
   - In the User/Instance Name field, accept the user ID listed or provide a new user ID.
   - In the Instance location field, type the location where the directory server instance files will be stored. Be sure that you have at least 30 MB of free disk space in this location. This information is required. This location is a drive, such as C:. The directory instance files will be stored on the drive you specify in the \idsslapd-instance_name directory. (instance_name is the name of the directory server instance.)


   - In the Encryption seed string field, type a string of characters that will be used as an encryption seed. The encryption seed must contain only printable ISO-8859-1 ASCII characters with values in the range of 33 to 126, and must be a minimum of 12 and a maximum of 1016 characters in length. This encryption seed is used to generate a set of Advanced Encryption Standard (AES) secret key values. These values are stored in the directory server instance's directory key stash file and used to encrypt and decrypt directory stored password and secretkey attributes. Record the encryption seed in a secure location.
   - Optionally, type a description of the directory server instance in the Instance description field. This description is displayed in other windows to help identify the instance.
   Click Next.
The upgrade of Tivoli Directory Server takes place during installation.

Upgrading using the command line and operating system utilities


To upgrade to Tivoli Directory Server 6.1 using operating system utilities on AIX, Linux, Solaris, or HP-UX systems:
1. Be sure that you have followed the instructions in Before you upgrade on page 10.
2. Stop the previous version server and the administration server.
3. If the version of IBM Tivoli Directory Server you are upgrading is before 6.0, uninstall IBM Tivoli Directory Server or IBM Directory Server. Leave the database configured, however, unless the server is a proxy server. If the version is 6.0, do not uninstall IBM Tivoli Directory Server 6.0 or the upgrade will fail. If you want to uninstall IBM Tivoli Directory Server 6.0, you can do it after step 5.
4. If you upgraded DB2 as described in step 7 on page 11 of the Before you upgrade on page 10 section, then omit the steps related to DB2. Install Tivoli Directory Server 6.1 using operating system utilities for your operating system. See the IBM Tivoli Access Manager for e-business: Installation Guide for information.
   Note: If you are upgrading from IBM Directory Server 5.1 or IBM Tivoli Directory Server 5.2 on a Solaris system, recreate the operating system group ldap, which is deleted when you uninstall IBM Directory Server 5.1 or IBM Tivoli Directory Server 5.2. If you do not create this group before running the idsimigr command, the command fails.
5. Use the idsimigr command to migrate the schema and configuration files from the earlier release to IBM Tivoli Directory Server 6.1 versions of these files and to create a Tivoli Directory Server 6.1 directory server instance with the migrated information. This directory server instance is the upgraded version of your previous server. In the process, the idsdbmigr command is called and DB2 can be upgraded, or the database might be converted from a 32-bit to a 64-bit database if needed. (Database internal data migration occurs when the Tivoli Directory Server 6.1 directory server instance is started for the first time.)
   For example, you want to migrate from IBM Tivoli Directory Server 5.2 to IBM Tivoli Directory Server 6.1 and:
   - You saved the configuration and schema files in a directory named /tmp/ITDS52

   - You want to create an instance called myinst with an encryption seed of my_secret_key! and an encryption salt of mysecretsalt.
   Use the following command:
idsimigr -I myinst -u /tmp/ITDS52 -e my_secret_key! -g mysecretsalt

Attention: When you create a new directory server instance, be aware of the information that follows.
a. If you want to use replication, use a distributed directory, or import and export LDIF data between server instances, you must cryptographically synchronize the server instances to obtain the best performance. See the IBM Tivoli Directory Server: Installation and Configuration Guide for instructions on how to synchronize server instances. If you are creating a directory server instance that must be cryptographically synchronized with an existing directory server instance, you must synchronize the server instances before you do either of the following:
   - Start the second server instance
   - Run the idsbulkload or idsldif2db command from the second server instance
b. After you create a directory server instance and configure the database, use the idsdbback utility to create a backup of the directory server instance. The configuration and directory key stash files are archived along with the associated configuration and directory data. You can then use the idsdbrestore utility to restore the key stash files if necessary. (You can also use the idsdbback utility after you load data into the database.)

Note: If you upgraded from IBM Directory Server 5.1 to IBM Tivoli Directory Server 6.1, the server will take longer than usual to start the very first time. After the server has been started for the first time, it will start more quickly.
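The encryption seed rules stated for the Encryption seed string field (characters with values 33 to 126, length 12 to 1016) also apply to the seed passed to idsimigr with -e. The following is an added example, not IBM code, that validates a candidate seed against those rules and generates a random one into an owner-only file; the function names and the default length of 64 are choices made for this example.

```shell
#!/bin/sh
# Added example (not IBM code): check and generate encryption seeds that meet
# the stated rules: only characters 33..126, length 12..1016.

# valid_seed SEED -> status 0 if the seed satisfies both rules
valid_seed() {
    seed=$1
    # Delete every allowed byte (octal 041-176 is decimal 33-126). Anything
    # left over is a space, a control character or a non-ASCII byte. The
    # trailing "x" stops the command substitution from silently stripping a
    # leftover newline.
    rest=$(printf '%s' "$seed" | LC_ALL=C tr -d '\041-\176'; printf x)
    [ "$rest" = x ] || return 1
    # Only single-byte ASCII remains, so the character count is the length.
    len=${#seed}
    [ "$len" -ge 12 ] && [ "$len" -le 1016 ]
}

# new_seed [LENGTH] -> prints a random seed of LENGTH characters (default 64)
new_seed() {
    n=${1:-64}
    [ "$n" -ge 12 ] && [ "$n" -le 1016 ] || return 1
    LC_ALL=C tr -dc '\041-\176' < /dev/urandom | head -c "$n"
}

# store_seed FILE [LENGTH] -> writes a new seed to FILE, readable by the
# owner only, and refuses to overwrite a seed that was already recorded.
store_seed() {
    (
        umask 077
        [ ! -e "$1" ] || exit 1
        s=$(new_seed "${2:-64}") || exit 1
        valid_seed "$s" || exit 1
        printf '%s\n' "$s" > "$1"
    )
}

# The seed used in the guide's idsimigr example passes; a seed containing a
# space does not, because 32 is outside the allowed range.
for candidate in 'my_secret_key!' 'my secret key!'; do
    if valid_seed "$candidate"; then
        echo "accepted: $candidate"
    else
        echo "rejected: $candidate"
    fi
done
```

A generated seed can contain quotes, backslashes and other shell metacharacters, so quote it whenever it is passed as an argument.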

Migrating WebSphere Application Server and the Web Administration Tool


You can use the idswmigr command-line utility to migrate an earlier version of WebSphere Application Server to the 6.1 version and deploy the 6.1 version of the Web Administration Tool into it.

The idswmigr tool does the following:
- Saves the configuration files for the previous version of the Web Administration Tool
- Undeploys the previous version of the Web Administration Tool from the earlier version of WebSphere Application Server
- Backs up the configuration for the earlier version of WebSphere Application Server to a temporary location that you specify
- Restores the configuration for the earlier version of WebSphere Application Server to the new location
- Deploys the 6.1 version of the Web Administration Tool into WebSphere Application Server 6.1.
- Migrates the previous Web Administration Tool configuration files and restores these files into the new WebSphere Application Server

Before you use the idswmigr command, do the following:


1. Uninstall the version of the Web Administration Tool that you have installed. (This is the IDSWebApp.war file in the idstools directory.) However, leave WebSphere Application Server installed, and leave the Web Administration Tool deployed into it.
2. Install the new version of the Web Administration Tool.
3. Install the new version of WebSphere Application Server. (Do not deploy the Web Administration Tool into WebSphere Application Server. The idswmigr command will do this.)

To use the idswmigr command-line utility to upgrade WebSphere Application Server and the Web Administration Tool and deploy the Web Administration Tool into WebSphere Application Server, type the following at a command prompt:
idswmigr [-l temp_path] [-s source_path -t target_path -r profile_name -a app_name -v -i prev_dir -o ports_path]

where:
-s source_path
   Specifies the source location for the previous version of WebSphere Application Server.
-t target_path
   Specifies the target location where the new WebSphere Application Server has been installed.
-r profile_name
   Specifies the profile name associated with the application. Defaults to TDSWebAdminProfile if not specified.
-l temp_path
   Specifies a location for the temporary files.
-v
   Displays the command syntax.
-i prev_dir
   On Windows systems only, specifies the directory where the previous version of IBM Directory Server or IBM Tivoli Directory Server is installed.
-a app_name
   -a is the application name. Defaults to IDSWebApp.war if not specified.
-o ports_path
   Specifies the fully qualified path of the ports definition file. If not specified, defaults to C:\Program Files\IBM\LDAP\V6.1\idstools\TDSWEBPortDef.props on Windows systems or /opt/ibm/ldap/V6.1/idstools/TDSWEBPortDef.props on AIX, Linux, Solaris, and HP-UX systems.

Migrating an instance
You can migrate a directory server instance from a previous version of IBM Tivoli Directory Server to a 6.1 directory server instance. If you are migrating from a version that is before 6.0, you must have already backed up the configuration and schema files. See Before you upgrade on page 10.

- To migrate a 6.0 directory server instance:
1. If the Instance Administration Tool is not started, start it:

Windows
C:\Program Files\IBM\LDAP\V6.1\sbin\idsxinst

On Windows systems, you also can click Start > Programs > IBM Tivoli Directory Server 6.1 > Instance Administration Tool.

AIX, Solaris, and HP-UX systems:
/opt/IBM/ldap/V6.1/sbin/idsxinst

Linux
/opt/ibm/ldap/V6.1/sbin/idsxinst

2. Select the 6.0 directory server instance you want to migrate in the list, and click Migrate.
3. In the Migrate directory server instance window, click Migrate. Messages are displayed while the directory server instance is being migrated. A completion message is displayed when migration is complete. Click OK to remove the message. Click Close to close the window and return to the main window of the Instance Administration Tool. If you have finished using the Instance Administration Tool, click Close to exit the tool.

- To migrate a directory server instance from a version before 6.0:
1. If the Instance Administration Tool is not started, start it:

Windows
C:\Program Files\IBM\LDAP\V6.1\sbin\idsxinst

On Windows systems, you also can click Start > Programs > IBM Tivoli Directory Server 6.1 > Instance Administration Tool.

AIX, Solaris, and HP-UX systems:
/opt/IBM/ldap/V6.1/sbin/idsxinst

Linux
/opt/ibm/ldap/V6.1/sbin/idsxinst

2. Click Create.
3. Click Migrate from a previous version of directory server. Then type the path where you backed up the configuration and schema files from the previous version and click Next. Messages are displayed while the directory server instance is being migrated. A completion message is displayed when migration is complete. Click OK to remove the message.
4. Click Close to close the window and return to the main window of the Instance Administration Tool. If you have finished using the Instance Administration Tool, click Close to exit the tool.

Chapter 3. Upgrading the policy server


Tivoli Access Manager supports an upgrade of the policy server to 6.1.1 either on the same policy server system, or on two systems: your current policy server system and a second, clean system for the new 6.1.1 policy server. The two-system approach is supported for LDAP-based registries only. This approach provides the ability to keep your current policy server functioning as you set up and test a second 6.1.1 policy server system. If you encounter a problem when upgrading using two systems, take the 6.1.1 server offline. The two-system approach requires additional hardware.

The following platform-specific instructions are provided:
- AIX on page 18
- HP-UX on page 24
- HP-UX on Integrity on page 31
- Linux on x86 on page 38
- Linux on System z on page 44
- Linux on POWER on page 51
- Solaris on page 57
- Solaris on x86_64 on page 63
- Windows on page 70

UNIX and Linux: Upgrade considerations


Before upgrading the policy server to 6.1.1, review the following considerations:
- Upgrade your operating system to the minimum supported level. For information about minimum supported levels, see IBM Tivoli Access Manager for e-business: Release Notes.
- As a standard precaution when upgrading, make sure to back up your registry data and all Tivoli Access Manager servers before you begin. If you are upgrading Tivoli Directory Server, see Chapter 2, Upgrading IBM Tivoli Directory Server, on page 9; otherwise, consult the documentation that was shipped with your supported registry server.
- In Tivoli Directory Server 6.1, clients can coexist on the same machine with a client that is version 5.1, 5.2, or 6.0. The Tivoli Directory Server 6.1 server requires that the version 6.1 client and the Java client also be installed. In addition, the server can coexist on the same machine with another client that is version 5.1, 5.2 or 6.0, or with a version of the 6.0 server.
- You are not required to upgrade all Tivoli Access Manager components in your secure domain to a 6.1.1 level. However, if you upgrade any Tivoli Access Manager component in your secure domain to a 6.1.1 level, you must install Tivoli Directory Server client 6.1 on that system. For a list of components that are compatible with Tivoli Access Manager 6.1.1, see the IBM Tivoli Access Manager for e-business: Release Notes.
- In general, if Tivoli Directory Server is your registry server and is located on a different machine from any Tivoli Access Manager component, you can upgrade the registry server at any time, before or after the upgrade of the Tivoli Access Manager 6.1.1 component. However, when the server package of Tivoli Directory Server is installed on the same machine as any Tivoli Access Manager 6.1.1 component and if you choose to install the server package of Tivoli Directory Server 6.1, it is recommended that you install the Tivoli Directory Server 6.1 client and server packages at the same time as you install the Tivoli Access Manager 6.1.1 component on that machine.
- The upgrade process does not support changing your configuration, such as your registry type. For example, you cannot upgrade from an LDAP registry to a Domino registry.
- The default temporary directory is /tmp. The default installation paths for UNIX and Linux are /opt/PolicyDirector and /var/PolicyDirector.
- If you are upgrading and using a language other than English, remember to upgrade your language package. Refer to the IBM Tivoli Access Manager for e-business: Installation Guide to install the language package. However, when upgrading the IBM Tivoli Directory Server language packages, you must use the upgrade (-U) option for Linux operating systems.

For the Windows operating system, see Windows: Upgrade considerations on page 70.

AIX: Upgrading the policy server

AIX: Upgrading the policy server using a single system

To upgrade the policy server system on AIX, complete the following instructions.

Note: If you encounter a problem when migrating the policy server to 6.1.1 using this single-system approach, you can restore the system to its previous level. For instructions, see AIX: Restoring the policy server on page 259.

1. Before upgrading the policy server to 6.1.1, review UNIX and Linux: Upgrade considerations on page 17.
2. Log in as root.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
Note: The AIX operating system requires version 8.0.0.x of the xlC fileset. Check your current version by using the lslpp command and upgrade, if necessary.
4. Insert the IBM Tivoli Access Manager Base for AIX CD and mount it.
5. Stop all Tivoli Access Manager applications and services:
pd_start stop

6. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

7. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:
-list fullpath_to_backup_listfile
    Specifies the fully qualified path to the backup list file. For example:
/opt/PolicyDirector/etc/pdbackup.lst

-path path
    Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
    Specifies a file name other than the list_date.time [.tar] default file name.

For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.

8. Install the Global Security Kit (GSKit):
installp -acgYXd cd_mount_pt/usr/sys/inst.images gskta.rte

where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located.

9. Install the client packages of Tivoli Directory Server:
installp -acgYXd cd_mount_pt/usr/sys/inst.images packages

where cd_mount_pt is the directory where the CD is mounted and where packages are the names of the Tivoli Directory Server client packages:
Client base package                 idsldap.cltbase61
Client package (32-bit) (no SSL)    idsldap.clt32bit61
Client package (32-bit) (SSL)       idsldap.clt_max_crypto32bit61

Note: All client packages require the base client package.

10. Ensure that your registry server is running.
11. Install or upgrade Tivoli Security Utilities:
installp -acgYXd cd_mount_pt/usr/sys/inst.images TivSec.Utl

where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located and TivSec.Utl is the Tivoli Security Utilities package.
Note: If you are upgrading from Tivoli Access Manager 5.1, Tivoli Security Utilities is installed. If you are upgrading from Tivoli Access Manager 6.0, the Tivoli Security Utilities is upgraded.

12. Install or upgrade Access Manager License:
installp -acgYXd cd_mount_pt/usr/sys/inst.images PD.lic

where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located and PD.lic is the Access Manager License package.
Note: If you are upgrading from Tivoli Access Manager 5.1, Access Manager License is installed. If you are upgrading from Tivoli Access Manager 6.0, Access Manager License is upgraded.

13. Upgrade Access Manager Runtime:
installp -acgYXd cd_mount_pt/usr/sys/inst.images PD.RTE

where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located and PD.RTE is the Access Manager Runtime package.

14. Upgrade Access Manager Policy Server:
installp -acgYXd cd_mount_pt/usr/sys/inst.images PD.Mgr

where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located and PD.Mgr is the Access Manager Policy Server package.

15. Tivoli Access Manager schema definitions are added automatically during the installation of the server package of Tivoli Directory Server 6.1. Update the schema:
- If you are using a supported LDAP server other than IBM Tivoli Directory Server as your registry server.
- If you want to continue using your previous version of IBM Tivoli Directory Server (5.1, 5.2 or 6.0) and you do not want to upgrade the server to IBM Directory Server version 6.1.
Update the schema using the ivrgy_tool as follows:
ivrgy_tool -d -h ldap_host -p port -D ldap_admin -w pwd schema

For more information about the ivrgy_tool utility, see the reference information for ivrgy_tool on page 287.

16. Start the policy server daemon (pdmgrd):
pd_start start

17. Confirm that the policy server is running:
pd_start status

18. Make sure that you can contact the policy server. For example, log in to the pdadmin interface and run a command:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

The upgrade of the policy server on AIX is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

AIX: Upgrading the policy server using two systems


Follow these steps to set up a new 6.1.1 policy server on a second system while allowing your original policy server system to continue functioning with minimal downtime.

Note: This two-system approach is supported for LDAP-based registries only.

1. Before upgrading the policy server to 6.1.1, review UNIX and Linux: Upgrade considerations on page 17.
2. Log in as root.
3. Insert the IBM Tivoli Access Manager Base for AIX CD and mount it on the original policy server.
4. Stop all Tivoli Access Manager applications and services:
pd_start stop

5. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:

kill -9 daemon_process_id

6. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:
-list fullpath_to_backup_listfile
    Specifies the fully qualified path to the backup list file. For example:
cd_mount_pt/usr/sys/inst.images/migrate/migxxto611.lst

where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located and where xx is the version of software that you are migrating from. The name of the backup list file would be as follows:
For 6.1    mig61to611.lst
For 6.0    mig60to611.lst
For 5.1    mig51to611.lst

-path path
    Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
    Specifies a file name other than the list_date.time [.tar] default file name.

For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.

7. Restart the policy server daemon (pdmgrd) on the original policy server:
pd_start start

8. Copy the archive produced by the pdbackup utility from the original policy server to the new 6.1.1 policy server.
Note: The new 6.1.1 policy server must be a clean system. Do not reuse an existing policy server system.
9. On the new system, install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
Note: The AIX operating system requires version 8.0.0.x of the xlC fileset. Check your current version by using the lslpp command and upgrade, if necessary.
10. Insert the IBM Tivoli Access Manager Base for AIX CD and mount it on the new system.
11. Install the Global Security Kit (GSKit) on the new system:
installp -acgYXd cd_mount_pt/usr/sys/inst.images gskta.rte

where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located.

12. Install the Tivoli Directory Server client packages on the new system:
installp -acgYXd cd_mount_pt/usr/sys/inst.images packages

where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are installed and where packages are the names of the Tivoli Directory Server client packages:
Client base package                 idsldap.cltbase61
Client package (32-bit) (no SSL)    idsldap.clt32bit61
Client package (32-bit) (SSL)       idsldap.clt_max_crypto32bit61

Note: The 32-bit client package requires the base client package.

13. Install Tivoli Security Utilities on the new system:
installp -acgYXd cd_mount_pt/usr/sys/inst.images TivSecUtl

where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located and TivSecUtl is the Tivoli Security Utilities package.

14. Install Access Manager License on the new system:
installp -acgYXd cd_mount_pt/usr/sys/inst.images PD.lic

where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located and PD.lic is the Access Manager License package.

15. Install Access Manager Runtime on the new system:
installp -acgYXd cd_mount_pt/usr/sys/inst.images PD.RTE

where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located and PD.RTE is the Access Manager Runtime package.

16. Install Access Manager Policy Server on the new system:
installp -acgYXd cd_mount_pt/usr/sys/inst.images PD.Mgr

where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located and PD.Mgr is the Access Manager Policy Server package.

17. Use the pdbackup utility on the new system to extract data to the new 6.1.1 policy server:
/opt/PolicyDirector/bin/pdbackup -action extract -path restore_directory -file archive_name

where:
-path restore_directory
    Specifies a temporary directory on the new 6.1.1 policy server in which you want to extract your archive data.
-file archive_name
    Specifies the fully qualified path to the archive that came from the original policy server.

For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.

Caution: If there is a configuration problem, do not unconfigure this system. If you unconfigure the system, critical data that is needed by the original policy server will be destroyed. Follow instructions in AIX: Retiring the original policy server on page 24 with the new server.

The new system is a clone of the original policy server system. This means that the placement of critical files, such as certificate files, must be identical to the original system. For example, if a certificate file is in the /certs directory on the original policy server, it must be located in the /certs directory on the new system.

18. Ensure that the LDAP server the original Policy Server is using is running.
19. Tivoli Access Manager schema definitions are added automatically during the installation of the server package of Tivoli Directory Server 6.1. Update the schema:
- If you are using a supported LDAP server other than IBM Tivoli Directory Server as your registry server.
- If you want to continue using your previous version of IBM Tivoli Directory Server (5.1, 5.2 or 6.0) and you do not want to upgrade the server to IBM Directory Server version 6.1.
Update the schema using the ivrgy_tool as follows:
ivrgy_tool -d -h ldap_host -p port -D ldap_admin -w pwd schema

For more information about the ivrgy_tool utility, see the reference information for ivrgy_tool on page 287.

20. Use the pdconfig utility to configure Access Manager Runtime on the new 6.1.1 policy server. When prompted for an LDAP server, specify the name of the LDAP server that is used by the original policy server.
21. Use the pdconfig utility to configure the new 6.1.1 policy server.
a. When prompted if you want to configure the policy for migration purposes, select yes.
b. When prompted if you want to use this policy server for standby, select no.
c. Enter the restore_directory specified by the path option in step 18 on page 42.
22. Confirm that the new policy server is running:
pd_start status

23. Your system is ready. Run pdadmin and query both the ACL database and the registry to verify their status. For example:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list
pdadmin sec_master> user list s* 10

24. If you have made updates or changes to your database during the migration process, perform the following steps:
a. Stop the new policy server daemon (pdmgrd):
pd_start stop

b. Copy the database files from the original policy server to the new 6.1.1 policy server. The default location of the files to copy is as follows:
/var/PolicyDirector/db

c. Start the new policy server daemon (pdmgrd):
pd_start start

The upgrade of the policy server for AIX is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications. Upgrade other Tivoli Access Manager systems to 6.1.1 (in the order specified in Chapter 1, Introduction, on page 1). Ensure that the host name of the new policy server is specified in the Tivoli Access Manager components' configuration files, including the pd.conf file in the install_path/etc directory, as well as any AZN application configuration files. To do this, on each system on which you want to use the new policy server, ensure that the master-host value in the [manager] stanza of the configuration file contains the server host name of the new policy server. See the IBM Tivoli Access Manager for e-business: Administration Guide for more information about the master-host key value. After you have updated all your Tivoli Access Manager systems, complete the procedure in AIX: Retiring the original policy server to retire your original policy server.

AIX: Retiring the original policy server


If you upgraded the policy server using the two-system approach, retire the original policy server after its data and the Tivoli Directory Server client and server are successfully migrated to the 6.1.1 policy server system.

Caution: Do not unconfigure the original policy server or the new policy server at any time during the upgrade process. Unconfiguration of the original policy server or the new policy server will destroy critical data needed by the policy server. The destruction of critical data will result in a nonworking Tivoli Access Manager environment.

Follow these steps to retire the original policy server:
1. Stop the policy server.
2. From the original policy server, enter:
/opt/PolicyDirector/sbin/pdmgr_ucf

3. Uninstall your previous version of Tivoli Access Manager. For uninstallation procedures, see the documentation for that version of Tivoli Access Manager.

HP-UX: Upgrading the policy server

HP-UX: Upgrading the policy server using a single system
To upgrade the policy server system on HP-UX, complete the following instructions.

Note: If you encounter a problem when migrating the policy server to 6.1.1 using this single-system approach, you can restore the system to its previous level. For instructions, see HP-UX: Restoring the policy server on page 260.

1. Before upgrading the policy server to 6.1.1, review UNIX and Linux: Upgrade considerations on page 17.
2. Log in as root.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
4. Insert the IBM Tivoli Access Manager Base for HP-UX CD.
5. Mount the CD using the HP-UX mount command. For example, enter the following command:
mount -F cdfs -o rr /dev/dsk/c0t0d0 /cd-rom

where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and cd-rom specifies the mount point.

6. Stop all Tivoli Access Manager applications and services:
pd_start stop

7. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

8. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:
-list fullpath_to_backup_listfile
    Specifies the fully qualified path to the backup list file. For example:
/opt/PolicyDirector/etc/pdbackup.lst

-path path
    Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
    Specifies a file name other than the list_date.time [.tar] default file name.

For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.

9. Install the Global Security Kit (GSKit):
swinstall -s /cd-rom/hp gsk7bas

where cd-rom is the directory where the installation images are located.

10. Install the client packages of Tivoli Directory Server:
swinstall -s /cd-rom/hp packages

where /cd-rom/hp is the directory where the installation images are located and packages are as follows:

Base client package                 idsldap.cltbase61
Client package (32-bit) (no SSL)    idsldap.clt32bit61

Note: The 32-bit client package requires the base client package.

11. Ensure that your registry server is running.
12. Install or upgrade Tivoli Security Utilities:
swinstall -s /cd-rom/hp TivSecUtl

where /cd-rom/hp is the directory where the installation images are located and TivSecUtl is the Tivoli Security Utilities package.
Note: If you are upgrading from Tivoli Access Manager 5.1, Tivoli Security Utilities is installed. If you are upgrading from Tivoli Access Manager 6.0, the Tivoli Security Utilities is upgraded.

13. Install or upgrade the Access Manager License:
swinstall -s /cd-rom/hp PDlic

where /cd-rom/hp is the directory where the installation images are located and PDlic is the Access Manager License package.
Note: If you are upgrading from Tivoli Access Manager 5.1, install the Access Manager License. If you are upgrading from Tivoli Access Manager 6.0, upgrade the Access Manager License.

14. Upgrade Access Manager Runtime:
swinstall -s /cd-rom/hp PDRTE

where /cd-rom/hp is the directory where the installation images are located and PDRTE is the Access Manager Runtime package.

15. Upgrade Access Manager Policy Server:
swinstall -s /cd-rom/hp PDMgr

where /cd-rom/hp is the directory where the installation images are located and PDMgr is the Access Manager Policy Server package.

16. Tivoli Access Manager schema definitions are added automatically during the installation of the server package of Tivoli Directory Server 6.1. Update the schema:
- If you are using a supported LDAP server other than IBM Tivoli Directory Server as your registry server.
- If you want to continue using your previous version of IBM Tivoli Directory Server (5.1, 5.2 or 6.0) and you do not want to upgrade the server to IBM Directory Server version 6.1.
Update the schema using the ivrgy_tool as follows:
ivrgy_tool -d -h ldap_host -p port -D ldap_admin -w pwd schema

For more information about the ivrgy_tool utility, see the reference information for ivrgy_tool on page 287.

17. Start the policy server daemon (pdmgrd):
pd_start start

18. Confirm that the policy server is running:
pd_start status

19. Make sure that you can contact the policy server. For example, log in to the pdadmin interface and run a command:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

The upgrade of the policy server for HP-UX is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications. Upgrade other Tivoli Access Manager systems to 6.1.1 (in the order specified in Chapter 1, Introduction, on page 1). Ensure that the host name of the new policy server is specified in the Tivoli Access Manager components' configuration files, including the pd.conf file in the install_path/etc directory, as well as any AZN application configuration files. To do this, on each system on which you want to use the new policy server, ensure that the master-host value in the [manager] stanza of the configuration file contains the server host name of the new policy server. See the IBM Tivoli Access Manager for e-business: Administration Guide for more information about the master-host key value. After you have updated all your Tivoli Access Manager systems, complete the procedure in HP-UX: Retiring the original policy server on page 31 to retire your original policy server.

HP-UX: Upgrading the policy server using two systems


Follow these steps to set up a new 6.1.1 policy server on a second system while allowing your original policy server system to continue functioning with minimal downtime.

Note: This two-system approach is supported for LDAP-based registries only.

1. Before upgrading the policy server to 6.1.1, review UNIX and Linux: Upgrade considerations on page 17.
2. Log in as root.
3. Insert the IBM Tivoli Access Manager Base for HP-UX CD.
4. Mount the CD on the original policy server using the HP-UX mount command. For example, enter the following command:
mount -F cdfs -o rr /dev/dsk/c0t0d0 /cd-rom

where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and cd-rom specifies the mount point.

5. Stop all Tivoli Access Manager applications and services on the original Policy Server:
pd_start stop

6. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

7. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:
-list fullpath_to_backup_listfile
    Specifies the fully qualified path to the backup list file. For example:
cd-rom/hp/migrate/migxxto611.lst

where xx is the version of software that you are migrating from. The name of the backup list file would be as follows:
For 6.1    mig61to611.lst
For 6.0    mig60to611.lst
For 5.1    mig51to611.lst

-path path
    Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
    Specifies a file name other than the list_date.time [.tar] default file name.

For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.

8. Restart the policy server daemon (pdmgrd) on the original policy server:
pd_start start

9. Copy the archive produced by the pdbackup utility from the original policy server to the new 6.1.1 policy server.
Note: The new 6.1.1 policy server must be a clean system. Do not reuse an existing policy server system.
10. On the new system, install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
11. Insert the IBM Tivoli Access Manager Base for HP-UX CD on the new system.
12. Mount the CD on the new system using the HP-UX mount command. For example, enter the following command:
mount -F cdfs -o rr /dev/dsk/c0t0d0 /cd-rom

where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and cd-rom specifies the mount point.

13. Install the Global Security Kit (GSKit) on the new system:
swinstall -s /cd-rom/hp gsk7bas

where /cd-rom/hp is the directory where the installation images are located and gsk7bas is the name of the GSKit package.

14. Install the client packages of Tivoli Directory Server on the new system:
swinstall -s /cd-rom/hp packages

where /cd-rom/hp is the directory where the installation images are located and packages are as follows:
Base client package                 idsldap.cltbase61
Client package (32-bit) (no SSL)    idsldap.clt32bit61

Note: The 32-bit client package requires the base client package.

15. Install Tivoli Security Utilities on the new system:
swinstall -s /cd-rom/hp TivSecUtl

where /cd-rom/hp is the directory where the installation images are located and TivSecUtl is the Tivoli Security Utilities package.

16. Install Access Manager License on the new system:
swinstall -s /cd-rom/hp PDlic

where /cd-rom/hp is the directory where the installation images are located and PDlic is the Access Manager License package.

17. Install Access Manager Runtime on the new system:
swinstall -s /cd-rom/hp PDRTE

where /cd-rom/hp is the directory where the installation images are located and PDRTE is the Access Manager Runtime package.

18. Install Access Manager Policy Server on the new system:
swinstall -s /cd-rom/hp PDMgr

where /cd-rom/hp is the directory where the installation images are located and PDMgr is the Access Manager Policy Server package.

19. Use the pdbackup utility on the new system to extract data to the new 6.1.1 policy server:
/opt/PolicyDirector/bin/pdbackup -action extract -path restore_directory -file archive_name

where:
-path restore_directory
    Specifies a temporary directory on the new 6.1.1 policy server in which you want to extract your archive data.
-file archive_name
    Specifies the fully qualified path to the archive file that came from the original policy server.

For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.

Caution: If there is a configuration problem, do not unconfigure this system. If you unconfigure the system, critical data that is needed by the original policy server will be destroyed. Follow instructions in HP-UX: Retiring the original policy server on page 31 with the new server.

The new system is a clone of the original policy server system. This means that the placement of critical files, such as certificate files, must be identical to the original system. For example, if a certificate file is in the /certs directory on the original policy server, it must be located in the /certs directory on the new system.

20. Ensure that the LDAP server that the original Policy Server uses is running.
21. Tivoli Access Manager schema definitions are added automatically during the installation of the server package of Tivoli Directory Server 6.1. Update the schema:
- If you are using a supported LDAP server other than IBM Tivoli Directory Server as your registry server.
- If you want to continue using your previous version of IBM Tivoli Directory Server (5.1, 5.2 or 6.0) and you do not want to upgrade the server to IBM Directory Server version 6.1.
Update the schema using the ivrgy_tool as follows:
ivrgy_tool -d -h ldap_host -p port -D ldap_admin -w pwd schema

For more information about the ivrgy_tool utility, see the reference information for ivrgy_tool on page 287.
22. Use the pdconfig utility to configure Access Manager Runtime on the new 6.1.1 policy server. When prompted for an LDAP server, specify the name of the LDAP server that is used by the original policy server.
23. Use the pdconfig utility to configure the new 6.1.1 policy server.
a. When prompted if you want to configure the policy for migration purposes, select yes.
b. When prompted if you want to use this policy server for standby, select no.
c. Enter the restore_directory specified by the path option in step 19 on page 29.
24. Confirm that the policy server is running on the new system:
pd_start status

25. Make sure that you can contact the policy server on the new system. For example, run pdadmin and query both the ACL database and the registry to verify their status. For example:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list
pdadmin sec_master> user list s* 10

26. If you have made updates or changes to your database during the migration process, perform the following steps:
a. Stop the new policy server daemon (pdmgrd):
pd_start stop

b. Copy the database files from the original policy server to the new 6.1.1 policy server. The default location of the files to copy is as follows:
/opt/PolicyDirector/db

c. Start the new policy server daemon (pdmgrd):


pd_start start

The upgrade of the policy server for HP-UX is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications. Upgrade other Tivoli Access Manager systems to 6.1.1 (in the order specified in Chapter 1, Introduction, on page 1). Ensure that the host name of the new policy server is specified in the Tivoli Access Manager components' configuration files, including the pd.conf file in the install_path/etc directory, as well as any AZN application configuration files. To do this, on each system on which you want to use the new policy server, ensure that the master-host value in the [manager] stanza of the configuration file contains the server host name of the new policy server. See the IBM Tivoli Access Manager for e-business: Administration Guide for more information about the master-host key value. After you have updated all your Tivoli Access Manager systems, complete the procedure in HP-UX: Retiring the original policy server on page 31 to retire your original policy server.

HP-UX: Retiring the original policy server


If you upgraded the policy server using the two-system approach, retire the original policy server after its data and the Tivoli Directory Server client and server are successfully migrated to the 6.1.1 policy server system.

Caution: Do not unconfigure the original policy server or the new policy server at any time during the upgrade process. Unconfiguration of the original policy server or new policy server will destroy critical data needed by the policy server. This will result in a non-working Tivoli Access Manager environment.

Follow these steps to retire the original policy server:
1. Stop the policy server.
2. From the original policy server, enter:
/opt/PolicyDirector/sbin/pdmgr_ucf

3. Uninstall your previous version of Tivoli Access Manager. For uninstallation procedures, see the documentation for that version of Tivoli Access Manager.

HP-UX on Integrity: Upgrading the policy server

HP-UX on Integrity: Upgrading the policy server using a single system
To upgrade the policy server system on HP-UX on Integrity, complete the following instructions.
Note: If you encounter a problem when migrating the policy server to 6.1.1 using this single-system approach, you can restore the system to its previous level. For instructions, see HP-UX on Integrity: Restoring the policy server on page 261.
1. Before upgrading the policy server to 6.1.1, review UNIX and Linux: Upgrade considerations on page 17.
2. Log in as root.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
4. Insert the IBM Tivoli Access Manager Base for HP-UX on Integrity CD.
5. Mount the CD using the HP-UX mount command. For example, enter the following command:
mount -F cdfs -o rr /dev/dsk/c0t0d0 /cd-rom

where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point.
6. Stop all Tivoli Access Manager applications and services:
pd_start stop

7. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

8. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:
-list fullpath_to_backup_listfile
    Specifies the fully qualified path to the backup list file. For example:
/opt/PolicyDirector/etc/pdbackup.lst

-path path
    Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
    Specifies a file name other than the list_date.time [.tar] default file name.
For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.
9. Install the Global Security Kit (GSKit):
swinstall -s /cd-rom/hp_ia64 gsk7bas

where /cd-rom/hp_ia64 is the directory where the installation images are located and gsk7bas is the Global Security Kit package.
10. Install the client packages of Tivoli Directory Server:
swinstall -s /cd-rom/hp_ia64 packages

where /cd-rom/hp_ia64 is the directory where the installation images are located and packages are as follows:
Base client package                  idsldap.cltbase61
Client package (32-bit) (no SSL)     idsldap.clt32bit61

Note: The 32-bit client package requires the base client package.
11. Ensure that your registry server is running.
12. Upgrade Tivoli Security Utilities:
swinstall -s /cd-rom/hp_ia64 TivSecUtl

where /cd-rom/hp_ia64 is the directory where the installation images are located and TivSecUtl is the Tivoli Security Utilities package.
13. Upgrade the Access Manager License:
swinstall -s /cd-rom/hp_ia64 PDlic

where /cd-rom/hp_ia64 is the directory where the installation images are located and PDlic is the Access Manager License package.
14. Upgrade Access Manager Runtime:
swinstall -s /cd-rom/hp_ia64 PDRTE

where /cd-rom/hp_ia64 is the directory where the installation images are located and PDRTE is the Access Manager Runtime package.
15. Upgrade Access Manager Policy Server:

swinstall -s /cd-rom/hp_ia64 PDMgr

where /cd-rom/hp_ia64 is the directory where the installation images are located and PDMgr is the Access Manager Policy Server package.
16. Tivoli Access Manager schema definitions are added automatically during the installation of the server package of Tivoli Directory Server 6.1. Update the schema:
- If you are using a supported LDAP server other than IBM Tivoli Directory Server as your registry server.
- If you want to continue using your previous version of IBM Tivoli Directory Server (5.1, 5.2 or 6.0) and you do not want to upgrade the server to IBM Directory Server version 6.1.
Update the schema using the ivrgy_tool as follows:
ivrgy_tool -d -h ldap_host -p port -D ldap_admin -w pwd schema

For more information about the ivrgy_tool utility, see the reference information for ivrgy_tool on page 287.
17. Start the policy server daemon (pdmgrd):
pd_start start

18. Confirm that the policy server is running:


pd_start status

19. Make sure that you can contact the policy server. For example, log in to the pdadmin interface and run a command:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

The upgrade of the policy server for HP-UX on Integrity is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications. Upgrade other Tivoli Access Manager systems to 6.1.1 (in the order specified in Chapter 1, Introduction, on page 1). Ensure that the host name of the new policy server is specified in the Tivoli Access Manager components' configuration files, including the pd.conf file in the install_path/etc directory, as well as any AZN application configuration files. To do this, on each system on which you want to use the new policy server, ensure that the master-host value in the [manager] stanza of the configuration file contains the server host name of the new policy server. See the IBM Tivoli Access Manager for e-business: Administration Guide for more information about the master-host key value. After you have updated all your Tivoli Access Manager systems, complete the procedure in HP-UX on Integrity: Retiring the original policy server on page 37 to retire your original policy server.

HP-UX on Integrity: Upgrading the policy server using two systems


Follow these steps to set up a new 6.1.1 policy server on a second system while allowing your original policy server system to continue functioning with minimal downtime.
Note: This two-system approach is supported for LDAP-based registries only.

1. Before upgrading the policy server to 6.1.1, review UNIX and Linux: Upgrade considerations on page 17.
2. Log in as root.
3. Insert the IBM Tivoli Access Manager Base for HP-UX on Integrity CD into the original policy server system.
4. Mount the CD on the original policy server using the HP-UX mount command. For example, enter the following command:
mount -F cdfs -o rr /dev/dsk/c0t0d0 /cd-rom

where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point.
5. Stop all Tivoli Access Manager applications and services on the original policy server system:
pd_start stop

6. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

7. Use the pdbackup utility to back up critical Tivoli Access Manager information on the original policy server system:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:
-list fullpath_to_backup_listfile
    Specifies the fully qualified path to the backup list file. For example:
/cd-rom/hp_ia64/migrate/migxxto611.lst

where xx is the version of software that you are migrating from. The name of the backup list file would be as follows:
    For 6.1    mig61to611.lst
    For 6.0    mig60to611.lst
-path path
    Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
    Specifies a file name other than the list_date.time [.tar] default file name.
For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.
8. Restart the policy server daemon (pdmgrd) on the original policy server:
pd_start start

9. Copy the archive produced by the pdbackup utility from the original policy server to the new 6.1.1 policy server.
Note: The new 6.1.1 policy server must be a clean system. Do not reuse an existing policy server system.

10. On the new system, install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
11. Insert the IBM Tivoli Access Manager Base for HP-UX on Integrity CD into the new system.
12. Mount the CD on the new system using the HP-UX mount command. For example, enter the following command:
mount -F cdfs -o rr /dev/dsk/c0t0d0 /cd-rom

where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point.
13. Install the Global Security Kit (GSKit) on the new system:
swinstall -s /cd-rom/hp_ia64 gsk7bas

where /cd-rom/hp_ia64 is the directory where the GSKit installation images are located and gsk7bas is the name of the GSKit package.
14. Install the Tivoli Directory Server packages on the new system:
swinstall -s /cd-rom/hp_ia64 packages

where /cd-rom/hp_ia64 is the directory where the installation images are located and packages are as follows:
Base client package                  idsldap.cltbase61
Client package (32-bit) (no SSL)     idsldap.clt32bit61

Note: The 32-bit client package requires the base client package.
15. Install Tivoli Security Utilities on the new system:
swinstall -s /cd-rom/hp_ia64 TivSecUtl

where /cd-rom/hp_ia64 is the directory where the installation images are located and TivSecUtl is the Tivoli Security Utilities package.
16. Install Access Manager License on the new system:
swinstall -s /cd-rom/hp_ia64 PDlic

where /cd-rom/hp_ia64 is the directory where the installation images are located and PDlic is the Access Manager License package.
17. Install Access Manager Runtime on the new system:
swinstall -s /cd-rom/hp_ia64 PDRTE

where /cd-rom/hp_ia64 is the directory where the installation images are located and PDRTE is the Access Manager Runtime package.
18. Install Access Manager Policy Server on the new system:
swinstall -s /cd-rom/hp_ia64 PDMgr

where /cd-rom/hp_ia64 is the directory where the installation images are located and PDMgr is the Access Manager Policy Server package.
19. Use the pdbackup utility to extract data to the new 6.1.1 policy server:
/opt/PolicyDirector/bin/pdbackup -action extract -path restore_directory -file archive_name

where:
-path restore_directory
    Specifies a temporary directory on the new 6.1.1 policy server in which you want to extract your archive data.

-file archive_name
    Specifies the fully qualified path to the archive file that came from the original policy server.
For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.

Caution: If there is a configuration problem, do not unconfigure this system. If you unconfigure the system, critical data that is needed by the original policy server will be destroyed. Follow instructions in HP-UX on Integrity: Retiring the original policy server on page 37 with the new server.

The new system is a clone of the original policy server system. This means that the placement of critical files, such as certificate files, must be identical to the original system. For example, if a certificate file is in the /certs directory on the original policy server, it must be located in the /certs directory on the new system.
20. Ensure that the LDAP server used by the previous policy server is running.
21. Tivoli Access Manager schema definitions are added automatically during the installation of the server package of Tivoli Directory Server 6.1. Update the schema:
- If you are using a supported LDAP server other than IBM Tivoli Directory Server as your registry server.
- If you want to continue using your previous version of IBM Tivoli Directory Server (5.1, 5.2 or 6.0) and you do not want to upgrade the server to IBM Directory Server version 6.1.
Update the schema using the ivrgy_tool as follows:
ivrgy_tool -d -h ldap_host -p port -D ldap_admin -w pwd schema

For more information about the ivrgy_tool utility, see the reference information for ivrgy_tool on page 287.
22. Use the pdconfig utility to configure Access Manager Runtime on the new 6.1.1 policy server. When prompted for an LDAP server, specify the name of the LDAP server that is used by the original policy server.
23. Use the pdconfig utility to configure the new 6.1.1 policy server.
a. When prompted if you want to configure the policy for migration purposes, select yes.
b. When prompted if you want to use this policy server for standby, select no.
c. Enter the restore_directory specified by the path option in step 19 on page 35.
24. Confirm that the policy server is running on the new system:
pd_start status

25. Make sure that you can contact the policy server on the new system. For example, run pdadmin and query both the ACL database and the registry to verify their status. For example:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list
pdadmin sec_master> user list s* 10

26. If you have made updates or changes to your database during the migration process, perform the following steps:
a. Stop the new policy server daemon (pdmgrd):
pd_start stop

b. Copy the database files from the original policy server to the new 6.1.1 policy server. The default location of the files to copy is as follows:
/opt/PolicyDirector/db

c. Start the new policy server daemon (pdmgrd):


pd_start start

The upgrade of the policy server for HP-UX on Integrity is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications. Upgrade other Tivoli Access Manager systems to 6.1.1 (in the order specified in Chapter 1, Introduction, on page 1). Ensure that the host name of the new policy server is specified in the Tivoli Access Manager components' configuration files, including the pd.conf file in the install_path/etc directory, as well as any AZN application configuration files. To do this, on each system on which you want to use the new policy server, ensure that the master-host value in the [manager] stanza of the configuration file contains the server host name of the new policy server. See the IBM Tivoli Access Manager for e-business: Administration Guide for more information about the master-host key value. After you have updated all your Tivoli Access Manager systems, complete the procedure in HP-UX on Integrity: Retiring the original policy server to retire your original policy server.

HP-UX on Integrity: Retiring the original policy server


If you upgraded the policy server using the two-system approach, retire the original policy server after its data and the Tivoli Directory Server client and server are successfully migrated to the 6.1.1 policy server system.

Caution: Do not unconfigure the original policy server or the new policy server at any time during the upgrade process. Unconfiguration of the original policy server or new policy server will destroy critical data needed by the policy server. This will result in a non-working Tivoli Access Manager environment.

Follow these steps to retire the original policy server:
1. Stop the policy server.
2. From the original policy server, enter:
/opt/PolicyDirector/sbin/pdmgr_ucf

3. Uninstall your previous version of Tivoli Access Manager. For uninstallation procedures, see the documentation for that version of Tivoli Access Manager.

Linux on x86: Upgrading the policy server

Linux on x86: Upgrading the policy server using a single system
To upgrade the policy server for Linux on x86, complete the following instructions.
Note: If you encounter a problem when migrating the policy server to 6.1.1 using this single-system approach, you can restore the system to its previous level. For instructions, see Linux on x86: Restoring the policy server on page 262.
1. Before upgrading the policy server to 6.1.1, review UNIX and Linux: Upgrade considerations on page 17.
2. Log in as root.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
4. Insert the IBM Tivoli Access Manager Base for Linux on x86 CD on the x86 system and mount it.
5. Change to the following directory:
cd cd_mount_pt/linux_i386/

where cd_mount_pt is where the CD is mounted.
6. Stop all Tivoli Access Manager applications and services:
pd_start stop

7. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

8. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:
-list fullpath_to_backup_listfile
    Specifies the fully qualified path to the backup list file. For example:
/opt/PolicyDirector/etc/pdbackup.lst

-path path
    Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
    Specifies a file name other than the list_date.time [.tar] default file name.
For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.
9. Install or upgrade IBM Global Security Kit (GSKit) to version 7 and the latest fix pack:

- If you have a version of GSKit older than version 7 installed or if you do not have GSKit installed, install GSKit 7 using the rpm -i gsk7bas-<version and fix pack>.i386.rpm file.
- If you have an earlier version of GSKit 7 installed, upgrade to the latest fix pack of GSKit 7 using the rpm -U gsk7bas-<version and fix pack>.i386.rpm file.
10. Install the Tivoli Directory Server client packages:
rpm -i packages

where packages are as follows:


Base client package      idsldap-cltbase61-6.1.0-6.i386.rpm
32-bit client package    idsldap-clt32bit61-6.1.0-6.i386.rpm

Note: The 32-bit client package requires the base client package.
For example, enter:
rpm -i idsldap-cltbase61-6.1.0-6.i386.rpm idsldap-clt32bit61-6.1.0-6.i386.rpm

11. Do one of the following:
- If you are upgrading from Tivoli Access Manager 5.1, install Tivoli Security Utilities:
rpm -i TivSecUtil-TivSec-6.1.1-0.i386.rpm

where TivSecUtil-TivSec-6.1.1-0.i386.rpm is the Tivoli Security Utilities package.
- If you are upgrading from Tivoli Access Manager 6.0, upgrade Tivoli Security Utilities:
rpm -U TivSecUtil-TivSec-6.1.1-0.i386.rpm

where TivSecUtil-TivSec-6.1.1-0.i386.rpm is the Tivoli Security Utilities package.
12. Ensure that your registry server is running.
13. Do one of the following:
- If you are upgrading from Tivoli Access Manager 5.1, install Access Manager License:
rpm -i PDlic-PD-6.1.1-0.i386.rpm

where PDlic-PD-6.1.1-0.i386.rpm is the Access Manager License package.
- If you are upgrading from Tivoli Access Manager 6.0, upgrade Access Manager License:
rpm -U PDlic-PD-6.1.1-0.i386.rpm

where PDlic-PD-6.1.1-0.i386.rpm is the Access Manager License package.
14. Upgrade Access Manager Runtime:
rpm -U PDRTE-PD-6.1.1-0.i386.rpm

where PDRTE-PD-6.1.1-0.i386.rpm is the Access Manager Runtime package.
15. Upgrade Access Manager Policy Server:
rpm -U PDMgr-PD-6.1.1-0.i386.rpm

where PDMgr-PD-6.1.1-0.i386.rpm is the Access Manager Policy Server package.
16. If your Tivoli Directory Server version is 6.1, you do not have to perform this step. Tivoli Access Manager schema definitions are added automatically during the installation of the server package of Tivoli Directory Server 6.1. Update the schema:
- If you are using a supported LDAP server other than IBM Tivoli Directory Server as your registry server.
- If you want to continue using your previous version of IBM Tivoli Directory Server (5.1, 5.2, or 6.0) and you do not want to upgrade the server to IBM Directory Server version 6.1.
Update the schema using the ivrgy_tool as follows:
ivrgy_tool -d -h ldap_host -p port -D ldap_admin -w pwd schema

For more information about the ivrgy_tool utility, see the reference information for ivrgy_tool on page 287.
17. Start the policy server daemon (pdmgrd):
pd_start start

18. Confirm that the policy server is running:


pd_start status

19. Make sure that you can contact the policy server. For example, log in to the pdadmin interface and run a command:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

The upgrade of the policy server for Linux on x86 is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.
Note: If necessary, edit the ldap.conf files for the policy server and WebSEAL to add the replica entry for an alternate LDAP.

Linux on x86: Upgrading the policy server using two systems


Follow these steps to set up a new 6.1.1 policy server on a second system while allowing your original policy server to continue functioning with minimal downtime.
Note: This two-system approach is supported for LDAP-based registries only.
1. Before upgrading the policy server to 6.1.1, review UNIX and Linux: Upgrade considerations on page 17.
2. Log in as root.
3. Insert the IBM Tivoli Access Manager Base for Linux on x86 CD into the original system and mount it.
4. Stop all Tivoli Access Manager applications and services on the original system:
pd_start stop

5. Confirm that all Tivoli Access Manager services and applications are stopped on the original system:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

6. Use the pdbackup utility to back up critical Tivoli Access Manager information on the original system:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:

-list fullpath_to_backup_listfile
    Specifies the fully qualified path to the backup list file. For example:
cd_mount_pt/linux_i386/migrate/migxxto611.lst

where cd_mount_pt is where the CD is mounted and xx is the version of software that you are migrating from. The name of the backup list file would be as follows:
    For 6.1    mig61to611.lst
    For 6.0    mig60to611.lst
    For 5.1    mig51to611.lst
-path path
    Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
    Specifies a file name other than the list_date.time [.tar] default file name.
For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.
7. Restart the policy server daemon (pdmgrd) on the original policy server:
pd_start start

8. Copy the archive produced by the pdbackup utility from the original policy server to the new 6.1.1 policy server.
Note: The new 6.1.1 policy server must be a clean system. Do not reuse an existing policy server system.
9. On the new system, install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
10. Insert the IBM Tivoli Access Manager Base for Linux on x86 CD into the new system and mount it.
11. Change to the following directory:
cd cd_mount_pt/linux_i386/

where cd_mount_pt is where the CD is mounted.
12. Install or upgrade IBM Global Security Kit (GSKit) to version 7 and the latest fix pack:
- If you have a version of GSKit older than version 7 installed or if you do not have GSKit installed, install GSKit 7 using the rpm -i gsk7bas-<version and fix pack>.i386.rpm file.
- If you have an earlier version of GSKit 7 installed, upgrade to the latest fix pack of GSKit 7 using the rpm -U gsk7bas-<version and fix pack>.i386.rpm file.
13. Install the Tivoli Directory Server client packages on the new system:
rpm -i packages

where packages are as follows:


Base client package      idsldap-cltbase61-6.1.0-6.i386.rpm
32-bit client package    idsldap-clt32bit61-6.1.0-6.i386.rpm

Note: The 32-bit client package requires the base client package.
For example, enter:
rpm -i idsldap-cltbase61-6.1.0-6.i386.rpm idsldap-clt32bit61-6.1.0-6.i386.rpm

14. Install Tivoli Security Utilities on the new system:


rpm -i TivSecUtil-TivSec-6.1.1-0.i386.rpm

where TivSecUtil-TivSec-6.1.1-0.i386.rpm is the Tivoli Security Utilities package.
15. Install Access Manager License on the new system:
rpm -i PDlic-PD-6.1.1-0.i386.rpm

where PDlic-PD-6.1.1-0.i386.rpm is the Access Manager License package.
16. Install Access Manager Runtime on the new system:
rpm -i PDRTE-PD-6.1.1-0.i386.rpm

where PDRTE-PD-6.1.1-0.i386.rpm is the Access Manager Runtime package.
17. Install Access Manager Policy Server on the new system:
rpm -i PDMgr-PD-6.1.1-0.i386.rpm

where PDMgr-PD-6.1.1-0.i386.rpm is the Access Manager Policy Server package.
18. Use the pdbackup utility to extract data to the new 6.1.1 policy server:
/opt/PolicyDirector/bin/pdbackup -action extract -path restore_directory -file archive_name

where:
-path restore_directory
    Specifies a temporary directory on the new 6.1.1 policy server in which you want to extract your archive data.
-file archive_name
    Specifies the fully qualified path to the archive that came from the original policy server.
For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.

Caution: If there is a configuration problem, do not unconfigure the policy server. Unconfiguring the policy server destroys critical data that is needed by the original policy server. Follow instructions in Linux on x86: Retiring the original policy server on page 44 with the new server.

The new system is a clone of the original policy server system. This means that the placement of critical files, such as certificate files, must be identical to the original system. For example, if a certificate file is in the /certs directory on the original policy server, it must be located in the /certs directory on the new system.
19. Ensure that the LDAP server used by the original policy server is running.
20. If your Tivoli Directory Server version is 6.1, you do not have to perform this step. Tivoli Access Manager schema definitions are added automatically during the installation of the server package of Tivoli Directory Server 6.1. Update the schema:
- If you are using a supported LDAP server other than IBM Tivoli Directory Server as your registry server.

- If you want to continue using your previous version of IBM Tivoli Directory Server (5.1, 5.2, or 6.0) and you do not want to upgrade the server to IBM Directory Server version 6.1.
Update the schema using the ivrgy_tool as follows:
ivrgy_tool -d -h ldap_host -p port -D ldap_admin -w pwd schema

For more information about the ivrgy_tool utility, see the reference information for ivrgy_tool on page 287.
21. Use the pdconfig utility to configure Access Manager Runtime on the new 6.1.1 policy server. When prompted for an LDAP server, specify the name of the LDAP server that is used by the original policy server.
22. Use the pdconfig utility to configure the new 6.1.1 policy server.
a. At the prompt, Would you like to configure a second policy server to this LDAP server (y/n) [No]?, specify yes.
b. When prompted if you want to use this policy server for standby, select no.
c. Enter the restore_directory specified by the path option in step 18 on page 42.
23. Confirm that the policy server is running:
pd_start status

24. Your system is ready. Run pdadmin and query both the ACL database and the registry to verify their status. For example:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list
pdadmin sec_master> user list s* 10

25. If you have made updates or changes to your database during the migration process, perform the following steps:
a. Stop the new policy server daemon (pdmgrd):
pd_start stop

b. Copy the database files from the original policy server to the new 6.1.1 policy server. The default location of the files to copy is as follows:
/var/PolicyDirector/db

c. Start the new policy server daemon (pdmgrd):


pd_start start

The upgrade of the policy server for Linux on x86 is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications. Upgrade other Tivoli Access Manager systems to 6.1.1 (in the order specified in Chapter 1, Introduction, on page 1). Ensure that the host name of the new policy server is specified in the Tivoli Access Manager components' configuration files, including the pd.conf file in the install_path/etc directory, as well as any AZN application configuration files. To do this, on each system on which you want to use the new policy server, ensure that the master-host value in the [manager] stanza of the configuration file contains the server host name of the new policy server. See the IBM Tivoli Access Manager for e-business: Administration Guide for more information about the master-host key value.


After you have updated all your Tivoli Access Manager systems, complete the procedure in Linux on x86: Retiring the original policy server to retire your original policy server.
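
The master-host check described above can be scripted across pd.conf and the AZN application configuration files. The following is an added example, not part of the IBM guide: it reads the master-host key from the [manager] stanza of each file and compares it with the host name of the new policy server. The host names, the aznapp.conf and nostanza.conf file names, and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the IBM guide): audit master-host in the [manager] stanza.

# Print the master-host value from the [manager] stanza of file $1.
# Prints nothing when the stanza or the key is absent.
manager_master_host() {
    awk '
        /^[ \t]*#/ { next }                    # ignore comment lines
        /^[ \t]*\[/ {                          # stanza header: remember which one
            s = $0
            sub(/^[ \t]*\[/, "", s)
            sub(/\].*$/, "", s)
            in_manager = (s == "manager")
            next
        }
        in_manager && /^[ \t]*master-host[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)        # drop the key and "="
            sub(/[ \t\r]+$/, "", v)            # drop trailing blanks or CR
            print v
            exit
        }
    ' "$1"
}

# Classify file $1 against the expected host $2.
# Prints "OK", "MISMATCH <value>" or "MISSING"; host names compare case-insensitively.
check_master_host() {
    file=$1
    expected=$2
    actual=$(manager_master_host "$file" 2>/dev/null) || actual=""
    if [ -z "$actual" ]; then
        echo "MISSING"
    elif [ "$(printf '%s' "$actual" | tr 'A-Z' 'a-z')" = \
           "$(printf '%s' "$expected" | tr 'A-Z' 'a-z')" ]; then
        echo "OK"
    else
        echo "MISMATCH $actual"
    fi
}

# Audit every file listed after the expected host.
# Returns non-zero if any file is not OK, so the script can gate the retirement step.
audit_master_host() {
    expected_host=$1
    shift
    rc=0
    for f in "$@"; do
        result=$(check_master_host "$f" "$expected_host")
        printf '%s: %s\n' "$f" "$result"
        [ "$result" = "OK" ] || rc=1
    done
    return $rc
}

# Constructed sample files: one updated, one still naming the original
# policy server, one with the key outside the [manager] stanza.
write_samples() {
    dir=$1
    cat > "$dir/pd.conf" <<'EOF'
[pdrte]
user-reg-type = ldap

[manager]
# policy server location
master-host = newpd.example.com
master-port = 7135
EOF
    cat > "$dir/aznapp.conf" <<'EOF'
[manager]
master-host=oldpd.example.com
EOF
    cat > "$dir/nostanza.conf" <<'EOF'
[example-stanza]
master-host = elsewhere.example.com
EOF
}

# Usage: sh script new_policy_server_host config_file...
if [ "$#" -ge 2 ]; then
    audit_master_host "$@"
fi
```

A MISMATCH line shows the host name a component still uses; a MISSING line means the file has no master-host key in its [manager] stanza.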

Linux on x86: Retiring the original policy server


If you upgraded the policy server using the two system approach, retire the original policy server after its data and the Tivoli Directory Server client and server are successfully migrated to the 6.1.1 policy server system.

Caution: Do not unconfigure the original policy server or the new policy server at any time during the upgrade process. Unconfiguration of the original policy server or new policy server will destroy critical data needed by the policy server. The destruction of critical data will result in a nonworking Tivoli Access Manager environment.
Follow these steps to retire the original policy server:
1. Stop the policy server.
2. From the original policy server, enter:
/opt/PolicyDirector/sbin/pdmgr_ucf

3. Uninstall your previous version of Tivoli Access Manager. For uninstallation procedures, see the documentation for that version of Tivoli Access Manager.

Linux on System z: Upgrading the policy server

Linux on System z: Upgrading the policy server using a single system
To upgrade the policy server for Linux on System z, complete the following instructions.
Note: If you encounter a problem when migrating the policy server to 6.1.1 using this single-system approach, you can restore the system to its previous level. For instructions, see Linux on System z: Restoring the policy server on page 263.
1. Before upgrading the policy server to 6.1.1, review UNIX and Linux: Upgrade considerations on page 17.
2. Log in as root.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
4. Obtain access to the IBM Tivoli Access Manager Base for Linux on System z CD image on the System z system. The .rpm files are located in the /cd_mount_pt/linux_s390 directory.
5. Change to the following directory:
cd cd_mount_pt/linux_s390

where cd_mount_pt is where the CD is mounted.
6. Stop all Tivoli Access Manager applications and services:

pd_start stop

7. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

8. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:
-list fullpath_to_backup_listfile
Specifies the fully qualified path to the backup list file. For example:
/opt/PolicyDirector/etc/pdbackup.lst

-path path
Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
Specifies a file name other than the list_date.time [.tar] default file name.
For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.
9. Install or upgrade IBM Global Security Kit (GSKit). If you have a version of Global Security Kit prior to GSKit 7 installed or if you do not have a version of GSKit installed at all, install GSKit 7:
rpm -i gsk7bas-7.0-4.28.s390.rpm

Or, if you have an earlier version of GSKit 7 installed, upgrade to GSKit 7.0-4.28:
rpm -U gsk7bas-7.0-4.28.s390.rpm

10. Install the client packages of Tivoli Directory Server:


rpm -i packages

where packages are as follows:


Base client package      idsldap-cltbase61-6.1.0-6.s390.rpm
32-bit client package    idsldap-clt32bit61-6.1.0-6.s390.rpm

Note: The 32-bit client package requires the base client package. For example, enter:
rpm -i idsldap-cltbase61-6.1.0-6.s390.rpm idsldap-clt32bit61-6.1.0-6.s390.rpm

11. Ensure that your registry server is running.
12. Do one of the following:
• If you are upgrading from Tivoli Access Manager 5.1, install Tivoli Security Utilities:
rpm -i TivSecUtil-TivSec-6.1.1-0.s390.rpm

• If you are upgrading from Tivoli Access Manager 6.0, upgrade Tivoli Security Utilities:
rpm -U TivSecUtil-TivSec-6.1.1-0.s390.rpm

where TivSecUtil-TivSec-6.1.1-0.s390.rpm is the Tivoli Security Utilities package.
13. Do one of the following:
• If you are upgrading from Tivoli Access Manager 5.1, install Access Manager License:
rpm -i PDlic-PD-6.1.1-0.s390.rpm

• If you are upgrading from Tivoli Access Manager 6.0, upgrade Access Manager License:
rpm -U PDlic-PD-6.1.1-0.s390.rpm

where PDlic-PD-6.1.1-0.s390.rpm is the Access Manager License package.
14. Upgrade Access Manager Runtime:
rpm -U PDRTE-PD-6.1.1-0.s390.rpm

where PDRTE-PD-6.1.1-0.s390.rpm is the Access Manager Runtime package.
15. Upgrade Access Manager Policy Server:
rpm -U PDMgr-PD-6.1.1-0.s390.rpm

where PDMgr-PD-6.1.1-0.s390.rpm is the Access Manager Policy Server package.
16. Tivoli Access Manager schema definitions are added automatically during the installation of the server package of Tivoli Directory Server 6.1. Update the schema:
• If you are using a supported LDAP server other than IBM Tivoli Directory Server as your registry server.
• If you want to continue using your previous version of IBM Tivoli Directory Server (5.1, 5.2 or 6.0) and you do not want to upgrade the server to IBM Directory Server version 6.1.
Update the schema using the ivrgy_tool as follows:
ivrgy_tool -d -h ldap_host -p port -D ldap_admin -w pwd schema

For more information about the ivrgy_tool utility, see the reference information for ivrgy_tool on page 287.
17. Start the policy server daemon (pdmgrd):
pd_start start

18. Confirm that the policy server is running:


pd_start status

19. Make sure that you can contact the policy server. For example, log in to the pdadmin interface and run a command:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

The upgrade of the policy server for Linux on System z is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

Linux on System z: Upgrading the policy server using two systems


Follow these steps to set up a new 6.1.1 policy server on a second system while allowing your original policy server to continue functioning with minimal downtime.
Note: This two-system approach is supported for LDAP-based registries only.
1. Before upgrading the policy server to 6.1.1, review UNIX and Linux: Upgrade considerations on page 17.
2. Log in as root.
3. Obtain access to the IBM Tivoli Access Manager Base for Linux on System z CD on the original system.
4. Stop all Tivoli Access Manager applications and services on the original system:
pd_start stop

5. Confirm that all Tivoli Access Manager services and applications are stopped on the original system:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

6. Use the pdbackup utility on the original system to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:
-list fullpath_to_backup_listfile
Specifies the fully qualified path to the backup list file. For example:
cd_mount_pt/linux_s390/migrate/migxxto611.lst

where cd_mount_pt is where the CD is mounted and xx is the version of software that you are migrating from. The name of the backup list file would be as follows:
For 6.1    mig61to611.lst
For 6.0    mig60to611.lst
For 5.1    mig51to611.lst
-path path
Specifies the path where you want the backed up files to be stored. For example:
/opt/PolicyDirector/pdbackup

-file filename
Specifies a file name other than the list_date.time [.tar] default file name.
For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.
7. Restart the policy server daemon (pdmgrd) on the original policy server:
pd_start start

8. Copy the archive produced by the pdbackup utility from the original policy server to the new 6.1.1 policy server.
Note: The new 6.1.1 policy server must be a clean system. Do not reuse an existing policy server system.
9. On the new system, install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
10. Obtain access to the IBM Tivoli Access Manager Base for Linux on System z image on the System z system.
11. Change to the following directory:
cd cd_mount_pt/linux_s390

where cd_mount_pt is where the CD is mounted.
12. Install or upgrade IBM Global Security Kit (GSKit) on the new system.
• If you have a version of GSKit older than version 7 installed or if you do not have GSKit installed, install GSKit 7 using the rpm -i gsk7bas-<version and fix pack>.s390.rpm file.
• If you have an earlier version of GSKit 7 installed, upgrade to the latest fix pack of GSKit 7 using the rpm -U gsk7bas-<version and fix pack>.s390.rpm file.
13. Install the Tivoli Directory Server client packages on the new system:
rpm -i packages

where packages are as follows:


Base client package      idsldap-cltbase61-6.1.0-6.s390.rpm
32-bit client package    idsldap-clt32bit61-6.1.0-6.s390.rpm

Note: The 32-bit client package requires the base client package. For example, enter:
rpm -i idsldap-cltbase61-6.1.0-6.s390.rpm idsldap-clt32bit61-6.1.0-6.s390.rpm

14. Install Tivoli Security Utilities on the new system:


rpm -i TivSecUtil-TivSec-6.1.1-0.s390.rpm

where TivSecUtil-TivSec-6.1.1-0.s390.rpm is the Tivoli Security Utilities package.
15. Install Access Manager License on the new system:
rpm -i PDlic-PD-6.1.1-0.s390.rpm

where PDlic-PD-6.1.1-0.s390.rpm is the Access Manager License package.
16. Install Access Manager Runtime on the new system:
rpm -i PDRTE-PD-6.1.1-0.s390.rpm

where PDRTE-PD-6.1.1-0.s390.rpm is the Access Manager Runtime package.
17. Install Access Manager Policy Server on the new system:
rpm -i PDMgr-PD-6.1.1-0.s390.rpm

where PDMgr-PD-6.1.1-0.s390.rpm is the Access Manager Policy Server package.
18. Use the pdbackup utility to extract data to the new 6.1.1 policy server:
/opt/PolicyDirector/bin/pdbackup -action extract -path restore_directory -file archive_name

where:
-path restore_directory
Specifies a temporary directory on the new 6.1.1 policy server in which you want to extract your archive data.
-file archive_name
Specifies the fully qualified path to the archive that came from the original policy server.
For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.

Caution: If there is a configuration problem, do not unconfigure this system. If you unconfigure the system, critical data that is needed by the original policy server will be destroyed. Follow instructions in Linux on System z: Retiring the original policy server on page 50 with the new server.
The new system is a clone of the original policy server system. This means that the placement of critical files, such as certificate files, must be identical to the original system. For example, if a certificate file is in the /certs directory on the original policy server, it must be located in the /certs directory on the new system.
19. Ensure that the LDAP server used by the original policy server is running.
20. Tivoli Access Manager schema definitions are added automatically during the installation of the server package of Tivoli Directory Server 6.1. Update the schema:
• If you are using a supported LDAP server other than IBM Tivoli Directory Server as your registry server.
• If you want to continue using your previous version of IBM Tivoli Directory Server (5.1, 5.2 or 6.0) and you do not want to upgrade the server to IBM Directory Server version 6.1.
Update the schema using the ivrgy_tool as follows:
ivrgy_tool -d -h ldap_host -p port -D ldap_admin -w pwd schema

For more information about the ivrgy_tool utility, see the reference information for ivrgy_tool on page 287.
21. Use the pdconfig utility to configure Access Manager Runtime on the new 6.1.1 policy server. When prompted for an LDAP server, specify the name of the LDAP server that is used by the original policy server.
22. Use the pdconfig utility to configure the new 6.1.1 policy server.
a. When prompted if you want to configure the policy for migration purposes, select yes.
b. When prompted if you want to use this policy server for standby, select no.
c. Enter the restore_directory specified by the path option in step 18 on page 48.
23. Confirm that the new policy server is running on the new system:
pd_start status

24. Your system policy server is ready. Run pdadmin and query both the ACL database and the registry to verify their status on the new system. For example:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list
pdadmin sec_master> user list s* 10

25. If you have made updates or changes to your database during the migration process, perform the following steps:
a. Stop the new policy server daemon (pdmgrd):
pd_start stop

b. Copy the database files from the original policy server to the new 6.1.1 policy server. The default location of the files to copy is as follows:
/var/PolicyDirector/db

After copying the files, verify that the owning user and owning group are both ivmgr.
c. Start the new policy server daemon (pdmgrd):
pd_start start

The upgrade of the policy server for Linux on System z is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications. Upgrade other Tivoli Access Manager systems to 6.1.1 (in the order specified in Chapter 1, Introduction, on page 1). Ensure that the host name of the new policy server is specified in the Tivoli Access Manager components' configuration files, including the pd.conf file in the install_path/etc directory, as well as any AZN application configuration files. To do this, on each system on which you want to use the new policy server, ensure that the master-host value in the [manager] stanza of the configuration file contains the server host name of the new policy server. See the IBM Tivoli Access Manager for e-business: Administration Guide for more information about the master-host key value. After you have updated all your Tivoli Access Manager systems, complete the procedure in Linux on System z: Retiring the original policy server to retire your original policy server.

Linux on System z: Retiring the original policy server


If you upgraded the policy server using the two system approach, retire the original policy server after its data and the Tivoli Directory Server client and server are successfully migrated to the 6.1.1 policy server system.

Caution: Do not unconfigure the original policy server or the new policy server at any time during the upgrade process. Unconfiguration of the original policy server or new policy server will destroy critical data needed by the policy server. The destruction of critical data will result in a nonworking Tivoli Access Manager environment.
Follow these steps to retire the original policy server:
1. Stop the policy server.
2. From the original policy server, enter:
/opt/PolicyDirector/sbin/pdmgr_ucf

3. Uninstall your previous version of the Tivoli Access Manager Policy Server. For uninstallation procedures, see the documentation for that version of Tivoli Access Manager.

Linux on POWER: Upgrading the policy server

Linux on POWER: Upgrading the policy server using a single system
To upgrade the policy server for Linux on POWER, complete the following instructions.
Note: If you encounter a problem when migrating the policy server to 6.1.1 using this single-system approach, you can restore the system to its previous level. For instructions, see Linux on POWER: Retiring the original policy server on page 57.
1. Before upgrading the policy server to 6.1.1, review UNIX and Linux: Upgrade considerations on page 17.
2. Log in as root.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
4. Insert the IBM Tivoli Access Manager Base for Linux on POWER CD and mount it.
5. Change to the following directory:
cd cd_mount_pt/linux_ppc/

where cd_mount_pt is where the CD is mounted.
6. Stop all Tivoli Access Manager applications and services:
pd_start stop

7. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

8. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:
-list fullpath_to_backup_listfile
Specifies the fully qualified path to the backup list file. For example:
/opt/PolicyDirector/etc/pdbackup.lst

-path path
Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
Specifies a file name other than the list_date.time [.tar] default file name.
For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.
9. Install or upgrade IBM Global Security Kit (GSKit) to the version 7 and the latest fix pack:
• If you have a version of GSKit older than version 7 installed or if you do not have GSKit installed, install GSKit 7 using the rpm -i gsk7bas-<version and fix pack>.ppc.rpm file.
• If you have an earlier version of GSKit 7 installed, upgrade to the latest fix pack of GSKit 7 using the rpm -U gsk7bas-<version and fix pack>.ppc.rpm file.
10. Install the client packages of Tivoli Directory Server:
rpm -i packages

where packages are as follows:


Base client package      idsldap-cltbase61-6.1.0-6.ppc.rpm
32-bit client package    idsldap-clt32bit61-6.1.0-6.ppc.rpm

Note: The 32-bit client package requires the base client package. For example, enter:
rpm -i idsldap-cltbase61-6.1.0-6.ppc.rpm idsldap-clt32bit61-6.1.0-6.ppc.rpm

11. Ensure that your registry server is running.
12. Do one of the following:
• If you are upgrading from Tivoli Access Manager 6.0, upgrade the Tivoli Security Utilities:
rpm -U TivSecUtil-TivSec-6.1.1-0.ppc.rpm

where TivSecUtil-TivSec-6.1.1-0.ppc.rpm is the Tivoli Security Utilities package.
• If you are upgrading from Tivoli Access Manager 5.1, install the Tivoli Security Utilities:
rpm -i TivSecUtil-TivSec-6.1.1-0.ppc.rpm

where TivSecUtil-TivSec-6.1.1-0.ppc.rpm is the Tivoli Security Utilities package.
13. Do one of the following:
• If you are upgrading from Tivoli Access Manager 5.1, install Access Manager License:
rpm -i PDlic-PD-6.1.1-0.ppc.rpm

where PDlic-PD-6.1.1-0.ppc.rpm is the Access Manager License package.
• If you are upgrading from Tivoli Access Manager 6.0, upgrade Access Manager License:
rpm -U PDlic-PD-6.1.1-0.ppc.rpm

where PDlic-PD-6.1.1-0.ppc.rpm is the Access Manager License package.
14. Upgrade Access Manager Runtime:
rpm -U PDRTE-PD-6.1.1-0.ppc.rpm

where PDRTE-PD-6.1.1-0.ppc.rpm is the Access Manager Runtime package.
15. Upgrade Access Manager Policy Server:
rpm -U PDMgr-PD-6.1.1-0.ppc.rpm

where PDMgr-PD-6.1.1-0.ppc.rpm is the Access Manager Policy Server package.
16. Tivoli Access Manager schema definitions are added automatically during the installation of the server package of Tivoli Directory Server 6.1. Update the schema:
• If you are using a supported LDAP server other than IBM Tivoli Directory Server as your registry server.
• If you want to continue using your previous version of IBM Tivoli Directory Server (5.1, 5.2 or 6.0) and you do not want to upgrade the server to IBM Directory Server version 6.1.
Update the schema using the ivrgy_tool as follows:
ivrgy_tool -d -h ldap_host -p port -D ldap_admin -w pwd schema

For more information about the ivrgy_tool utility, see the reference information for ivrgy_tool on page 287.
17. Start the policy server daemon (pdmgrd):
pd_start start

18. Confirm that the policy server is running:


pd_start status

19. Make sure that you can contact the policy server. For example, log in to the pdadmin interface and run a command:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

The upgrade of the policy server for Linux on POWER is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

Linux on POWER: Upgrading the policy server using two systems


Follow these steps to set up a new 6.1.1 policy server on a second system while allowing your original policy server to continue functioning with minimal downtime.
Note: This two-system approach is supported for LDAP-based registries only.
1. Before upgrading the policy server to 6.1.1, review UNIX and Linux: Upgrade considerations on page 17.
2. Log in as root.
3. Insert the IBM Tivoli Access Manager Base for Linux on POWER CD and mount it on the original system.
4. Change to the following directory:
cd cd_mount_pt/linux_ppc/

where cd_mount_pt is where the CD is mounted.
5. Stop all Tivoli Access Manager applications and services on the original system:
pd_start stop

6. Confirm that all Tivoli Access Manager services and applications are stopped on the original system:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

7. Use the pdbackup utility on the original system to back up critical Tivoli Access Manager information:


/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:
-list fullpath_to_backup_listfile
Specifies the fully qualified path to the backup list file. For example:
cd_mount_pt/linux_ppc/migrate/migxxto611.lst

where cd_mount_pt is where the CD is mounted and xx is the version of software that you are migrating from. The name of the backup list file would be as follows:
For 6.1    mig61to611.lst
For 6.0    mig60to611.lst
For 5.1    mig51to611.lst
-path path
Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
Specifies a file name other than the list_date.time [.tar] default file name.
For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.
8. Restart the policy server daemon (pdmgrd) on the original policy server:
pd_start start

9. Copy the archive produced by the pdbackup utility from the original policy server to the new 6.1.1 policy server.
Note: The new policy server 6.1.1 must be a clean system. Do not reuse an existing policy server system.
10. On the new system, install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
11. Insert the IBM Tivoli Access Manager Base for Linux on POWER CD and mount it on the new system.
12. Change to the following directory on the new system:
cd cd_mount_pt/linux_ppc/

where cd_mount_pt is where the CD is mounted.
13. Install or upgrade IBM Global Security Kit (GSKit) on the new system. If you have a version of Global Security Kit prior to GSKit 7 installed or if you do not have a version of GSKit installed at all, install GSKit 7:
rpm -i gsk7bas-7.0-4.28.ppc.rpm

Or, if you have an earlier version of GSKit 7 installed, upgrade to GSKit 7.0-4.28:
rpm -U gsk7bas-7.0-4.28.ppc.rpm

14. Install the Tivoli Directory Server client packages on the new system:
rpm -i packages

where packages are as follows:

Base client package      idsldap-cltbase61-6.1.0-6.ppc.rpm
32-bit client package    idsldap-clt32bit61-6.1.0-6.ppc.rpm

Note: The 32-bit client package requires the base client package. For example, enter:
rpm -i idsldap-cltbase61-6.1.0-6.ppc.rpm idsldap-clt32bit61-6.1.0-6.ppc.rpm

15. Install Tivoli Security Utilities on the new system:


rpm -i TivSecUtil-TivSec-6.1.1-0.ppc.rpm

where TivSecUtil-TivSec-6.1.1-0.ppc.rpm is the Tivoli Security Utilities package.
16. Install Access Manager License on the new system:
rpm -i PDlic-PD-6.1.1-0.ppc.rpm

where PDlic-PD-6.1.1-0.ppc.rpm is the Access Manager License package.
17. Install Access Manager Runtime on the new system:
rpm -i PDRTE-PD-6.1.1-0.ppc.rpm

where PDRTE-PD-6.1.1-0.ppc.rpm is the Access Manager Runtime package.
18. Install Access Manager Policy Server on the new system:
rpm -i PDMgr-PD-6.1.1-0.ppc.rpm

where PDMgr-PD-6.1.1-0.ppc.rpm is the Access Manager Policy Server package.
19. Use the pdbackup utility to extract data to the new 6.1.1 policy server:
/opt/PolicyDirector/bin/pdbackup -action extract -path restore_directory -file archive_name

where:
-path restore_directory
Specifies a temporary directory on the new 6.1.1 policy server in which you want to extract your archive data.
-file archive_name
Specifies the fully qualified path to the archive that came from the original policy server.
For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.

Caution: If there is a configuration problem, do not unconfigure this system. If you unconfigure the system, critical data that is needed by the original policy server will be destroyed. Follow instructions in Linux on POWER: Retiring the original policy server on page 57 with the new server.
The new system is a clone of the original policy server system. This means that the placement of critical files, such as certificate files, must be identical to the original system. For example, if a certificate file is in the /certs directory on the original policy server, it must be located in the /certs directory on the new system.
20. Ensure that the LDAP server used by the original policy server is running.
21. Tivoli Access Manager schema definitions are added automatically during the installation of the server package of Tivoli Directory Server 6.1. Update the schema:
• If you are using a supported LDAP server other than IBM Tivoli Directory Server as your registry server.
• If you want to continue using your previous version of IBM Tivoli Directory Server (5.1, 5.2 or 6.0) and you do not want to upgrade the server to IBM Directory Server version 6.1.
Update the schema using the ivrgy_tool as follows:
ivrgy_tool -d -h ldap_host -p port -D ldap_admin -w pwd schema

For more information about the ivrgy_tool utility, see the reference information for ivrgy_tool on page 287.
22. Use the pdconfig utility to configure Access Manager Runtime on the new 6.1.1 policy server. When prompted for an LDAP server, specify the name of the LDAP server that is used by the original policy server.
23. Use the pdconfig utility to configure the new 6.1.1 policy server.
a. When prompted if you want to configure the policy for migration purposes, select yes.
b. When prompted if you want to use this policy server for standby, select no.
c. Enter the restore_directory specified by the path option in step 19 on page 55.
24. Confirm that the policy server is running on the new system:
pd_start status

25. Your new Policy Server system is ready. Run pdadmin and query both the ACL database and the registry to verify their status on the new system. For example:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list
pdadmin sec_master> user list s* 10

26. If you have made updates or changes to your database during the migration process, perform the following steps:
a. Stop the new policy server daemon (pdmgrd):
pd_start stop

b. Copy the database files from the original policy server to the new 6.1.1 policy server. The default location of the files to copy is as follows:
/var/PolicyDirector/db

c. Start the new policy server daemon (pdmgrd):


pd_start start

The upgrade of the policy server for Linux on POWER is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications. Upgrade other Tivoli Access Manager systems to 6.1.1 (in the order specified in Chapter 1, Introduction, on page 1). Ensure that the host name of the new policy server is specified in the Tivoli Access Manager components' configuration files, including the pd.conf file in the install_path/etc directory, as well as any AZN application configuration files. To do this, on each system on which you want to use the new policy server, ensure that the master-host value in the [manager] stanza of the configuration file contains the server host name of the new policy server. See the IBM Tivoli Access Manager for e-business: Administration Guide for more information about the master-host key value. After you have updated all your Tivoli Access Manager systems, complete the procedure in Linux on POWER: Retiring the original policy server to retire your original policy server.

Linux on POWER: Retiring the original policy server


If you upgraded the policy server using the two system approach, retire the original policy server after its data and the Tivoli Directory Server client and server are successfully migrated to the 6.1.1 policy server system.

Caution: Do not unconfigure the original policy server or the new policy server at any time during the upgrade process. Unconfiguration of the original policy server or new policy server will destroy critical data needed by the policy server. The destruction of critical data will result in a nonworking Tivoli Access Manager environment.
Follow these steps to retire the original policy server:
1. Stop the policy server.
2. From the original policy server, enter:
/opt/PolicyDirector/sbin/pdmgr_ucf

3. Uninstall your previous version of Tivoli Access Manager. For uninstallation procedures, see the documentation for that version of Tivoli Access Manager.

Solaris: Upgrading the policy server

Solaris: Upgrading the policy server using a single system
To upgrade the policy server system on Solaris, complete the following instructions.
Note: If you encounter a problem when migrating the policy server to 6.1.1 using this single-system approach, you can restore the system to its previous level. For instructions, see Solaris: Restoring the policy server on page 265.
1. Before upgrading the policy server to 6.1.1, review UNIX and Linux: Upgrade considerations on page 17.
2. Log in as root.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
4. Insert the IBM Tivoli Access Manager Base for Solaris CD.
5. Stop all Tivoli Access Manager applications and services:
pd_start stop

6. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

7. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where: list fullpath_to_backup_listfile Specifies the fully qualified path to the backup list file. For example:
/opt/PolicyDirector/etc/pdbackup.lst

path path Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

file filename Specifies a file name other than the list_date.time [.tar] default file name. For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281. 8. Install the Global Security Kit (GSKit):
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault gsk7bas

where /cdrom/cdrom0/solaris specifies the location of the package.

Note: During installation, you are asked if you want to use /opt as the root directory. If space permits, use /opt as the root installation directory. To accept /opt as the root directory, press Enter.

9. Install the client packages of the Tivoli Directory Server:
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault packages

where /cdrom/cdrom0/solaris specifies the location of the package, /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script, and packages are as follows:
Base client package      IDSlbc61
32-bit client package    IDSl32c61

Note: The 32-bit client package requires the base client package.

10. Ensure that your registry server is running.
11. Install or upgrade Tivoli Security Utilities:

Note: If you are upgrading from Tivoli Access Manager 5.1, Tivoli Security Utilities is installed. If you are upgrading from Tivoli Access Manager 6.0, the Tivoli Security Utilities is upgraded.
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault TivSecUtl

where /cdrom/cdrom0/solaris specifies the location of the package, /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script, and TivSecUtl is the Tivoli Security Utilities package.

12. Install or upgrade the Access Manager License:

Note: If you are upgrading from Tivoli Access Manager 5.1, install the Access Manager License. If you are upgrading from Tivoli Access Manager 6.0, upgrade the Access Manager License.
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault PDlic

where /cdrom/cdrom0/solaris specifies the location of the package, /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script, and PDlic is the Access Manager License package.

13. Upgrade Access Manager Runtime:
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault PDRTE

where /cdrom/cdrom0/solaris specifies the location of the package, /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script, and PDRTE is the Access Manager Runtime package.

14. Upgrade Access Manager Policy Server:
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault PDMgr

where /cdrom/cdrom0/solaris specifies the location of the package, /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script, and PDMgr is the Access Manager Policy Server package.

15. Tivoli Access Manager schema definitions are added automatically during the installation of the server package of Tivoli Directory Server 6.1. Update the schema:
    - If you are using a supported LDAP server other than IBM Tivoli Directory Server as your registry server.
    - If you want to continue using your previous version of IBM Tivoli Directory Server (5.1, 5.2 or 6.0) and you do not want to upgrade the server to IBM Directory Server version 6.1.
    Update the schema using the ivrgy_tool as follows:
ivrgy_tool -d -h ldap_host -p port -D ldap_admin -w pwd schema

For more information about the ivrgy_tool utility, see the reference information for ivrgy_tool on page 287.

16. Start the policy server daemon (pdmgrd):
pd_start start

17. Confirm that the policy server is running:


pd_start status

18. Make sure that you can contact the policy server. For example, log in to the pdadmin interface and run a command:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

The upgrade of the policy server on Solaris is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

Solaris: Upgrading the policy server using two systems


Follow these steps to set up a new 6.1.1 policy server on a second system while allowing your original policy server system to continue functioning with minimal downtime.

Note: This two-system approach is supported for LDAP-based registries only.

1. Before upgrading the policy server to 6.1.1, review "UNIX and Linux: Upgrade considerations" on page 17.
2. Log in as root.
3. On the original policy server, insert the IBM Tivoli Access Manager Base for Solaris CD.
4. Stop all Tivoli Access Manager applications and services on the original system:
pd_start stop

5. Confirm that all Tivoli Access Manager services and applications are stopped on the original system:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

6. Use the pdbackup utility on the original system to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:
-list fullpath_to_backup_listfile
    Specifies the fully qualified path to the backup list file. For example:
cd-rom/solaris/migrate/migXXto611.lst

    where XX is the version of software that you are migrating from. The name of the backup list file would be as follows:
        For 6.1    mig61to611.lst
        For 6.0    mig60to611.lst
        For 5.1    mig51to611.lst
-path path
    Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
    Specifies a file name other than the list_date.time [.tar] default file name.
For more information about the pdbackup utility, see Appendix A, "Upgrade utilities," on page 281.

7. Restart the policy server daemon (pdmgrd) on the original policy server:
pd_start start

8. Copy the archive produced by the pdbackup utility from the original policy server to the new 6.1.1 policy server.
   Note: The new 6.1.1 policy server must be a clean system. Do not reuse an existing policy server system.
9. On the new system, install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
10. Insert the IBM Tivoli Access Manager Base for Solaris CD into the new system.
11. Change to the /cdrom/cdrom0/solaris directory.
12. Install the Global Security Kit (GSKit) on the new system:
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault gsk7bas

where /cdrom/cdrom0/solaris specifies the location of the package and /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script.

Note: During installation, you are asked if you want to use /opt as the root directory. If space permits, use /opt as the root installation directory. To accept /opt as the root directory, press Enter.

13. Install the Tivoli Directory Server client packages on the new system:
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault packages

where /cdrom/cdrom0/solaris specifies the location of the package, /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script, and packages are as follows:
Base client package      IDSlbc61
32-bit client package    IDSl32c61

Note: The 32-bit client package requires the base client package.

14. Install Tivoli Security Utilities on the new system:
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault TivSecUtl

where /cdrom/cdrom0/solaris specifies the location of the package, /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script, and TivSecUtl is the Tivoli Security Utilities package.

15. Install Access Manager License on the new system:
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault PDlic

where /cdrom/cdrom0/solaris specifies the location of the package, /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script, and PDlic is the Access Manager License package.

16. Install Access Manager Runtime on the new system:
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault PDRTE

where /cdrom/cdrom0/solaris specifies the location of the package, /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script, and PDRTE is the Access Manager Runtime package.

17. Install Access Manager Policy Server on the new system:
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault PDMgr

where /cdrom/cdrom0/solaris specifies the location of the package, /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script, and PDMgr is the Access Manager Policy Server package.

18. Use the pdbackup utility on the new system to extract data to the new 6.1.1 policy server:
/opt/PolicyDirector/bin/pdbackup -action extract -path restore_directory -file archive_name

where:
-path restore_directory
    Specifies a temporary directory on the new 6.1.1 policy server in which you want to extract your archive data.
-file archive_name
    Specifies the fully qualified path to the archive that came from the original policy server.
For more information about the pdbackup utility, see Appendix A, "Upgrade utilities," on page 281.

Caution: If there is a configuration problem, do not unconfigure this system. If you unconfigure the system, critical data that is needed by the original policy server will be destroyed. Follow instructions in "Solaris: Retiring the original policy server" on page 63 with the new server.

The new system is a clone of the original policy server system. This means that the placement of critical files, such as certificate files, must be identical to the original system. For example, if a certificate file is in the /certs directory on the original policy server, it must be located in the /certs directory on the new system.

19. Ensure that the LDAP used by the original policy server is running.
20. Tivoli Access Manager schema definitions are added automatically during the installation of the server package of Tivoli Directory Server 6.1. Update the schema:
    - If you are using a supported LDAP server other than IBM Tivoli Directory Server as your registry server.
    - If you want to continue using your previous version of IBM Tivoli Directory Server (5.1, 5.2 or 6.0) and you do not want to upgrade the server to IBM Directory Server version 6.1.
    Update the schema using the ivrgy_tool as follows:
ivrgy_tool -d -h ldap_host -p port -D ldap_admin -w pwd schema

For more information about the ivrgy_tool utility, see the reference information for ivrgy_tool on page 287.

21. Use the pdconfig utility to configure Access Manager Runtime on the new 6.1.1 policy server. When prompted for an LDAP server, specify the name of the LDAP server that is used by the original policy server.
22. Use the pdconfig utility to configure the new 6.1.1 policy server.
    - When prompted if you want to configure the policy for migration purposes, select yes.
    - When prompted if you want to use this policy server for standby, select no.
    - Enter the restore_directory specified by the -path option in step 18 on page 61.
23. Confirm that the policy server is running on the new system:
pd_start status

24. Your new system policy server is ready. Run pdadmin and query both the ACL database and the registry to verify their status on the new system. For example:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list
pdadmin sec_master> user list s* 10

25. If you have made updates or changes to your database during the migration process, perform the following steps:
    a. Stop the new policy server daemon (pdmgrd):
pd_start stop

b. Copy the database files from the original policy server to the new 6.1.1 policy server. The default location of the files to copy is as follows:

/var/PolicyDirector/db

c. Start the new policy server daemon (pdmgrd):


pd_start start

The upgrade of the policy server on Solaris is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

Upgrade other Tivoli Access Manager systems to 6.1.1 (in the order specified in Chapter 1, "Introduction," on page 1).

Ensure that the host name of the new policy server is specified in the Tivoli Access Manager components' configuration files, including the pd.conf file in the install_path/etc directory, as well as any AZN application configuration files. To do this, on each system on which you want to use the new policy server, ensure that the master-host value in the [manager] stanza of the configuration file contains the server host name of the new policy server. See the IBM Tivoli Access Manager for e-business: Administration Guide for more information about the master-host key value.

After you have updated all your Tivoli Access Manager systems, complete the procedure in "Solaris: Retiring the original policy server" to retire your original policy server.

Solaris: Retiring the original policy server


If you upgraded the policy server using the two system approach, retire the original policy server after its data and the Tivoli Directory Server client and server are successfully migrated to the 6.1.1 policy server system.

Caution: Do not unconfigure the original policy server or the new policy server at any time during the upgrade process. Unconfiguration of the original policy server or new policy server will destroy critical data needed by the policy server. The destruction of critical data will result in a nonworking Tivoli Access Manager environment.

Follow these steps to retire the original policy server:
1. Stop the policy server.
2. From the original policy server, enter:
/opt/PolicyDirector/sbin/pdmgr_ucf

3. Uninstall your previous version of Tivoli Access Manager. For uninstallation procedures, see the documentation for that version of Tivoli Access Manager.

Solaris on x86_64: Upgrading the policy server

Solaris on x86_64: Upgrading the policy server using a single system
To upgrade the policy server system on Solaris on x86_64, complete the following instructions.

Note: If you encounter a problem when migrating the policy server to 6.1.1 using this single-system approach, you can restore the system to its previous level. For instructions, see "Solaris on x86_64: Restoring the policy server" on page 266.

1. Before upgrading the policy server to 6.1.1, review "UNIX and Linux: Upgrade considerations" on page 17.
2. Log in as root.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
4. Insert the IBM Tivoli Access Manager Base for Solaris on x86_64 CD.
5. Stop all Tivoli Access Manager applications and services:
pd_start stop

6. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

7. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:
-list fullpath_to_backup_listfile
    Specifies the fully qualified path to the backup list file. For example:
/opt/PolicyDirector/etc/pdbackup.lst

-path path
    Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
    Specifies a file name other than the list_date.time [.tar] default file name.
For more information about the pdbackup utility, see Appendix A, "Upgrade utilities," on page 281.

8. Install the Global Security Kit (GSKit):
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault gsk7bas

where /cdrom/cdrom0/solaris_x86 specifies the location of the package and /cdrom/cdrom0/solaris_x86/pddefault specifies the location of the installation administration script.

Note: During installation, you are asked if you want to use /opt as the root directory. If space permits, use /opt as the root installation directory. To accept /opt as the root directory, press Enter.

9. Install the client packages of the Tivoli Directory Server:
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault packages

where /cdrom/cdrom0/solaris_x86 specifies the location of the package, /cdrom/cdrom0/solaris_x86/pddefault specifies the location of the installation administration script, and packages are as follows:
Base client package      IDSlbc61
32-bit client package    IDSl32c61

Note: The 32-bit client package requires the base client package.

10. Ensure that your registry server is running.
11. Upgrade Tivoli Security Utilities:
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault TivSecUtl

where /cdrom/cdrom0/solaris_x86 specifies the location of the package, /cdrom/cdrom0/solaris_x86/pddefault specifies the location of the installation administration script, and TivSecUtl is the Tivoli Security Utilities package.

12. Upgrade the Access Manager License:
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault PDlic

where /cdrom/cdrom0/solaris_x86 specifies the location of the package, /cdrom/cdrom0/solaris_x86/pddefault specifies the location of the installation administration script, and PDlic is the Access Manager License package.

13. Upgrade Access Manager Runtime:
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault PDRTE

where /cdrom/cdrom0/solaris_x86 specifies the location of the package, /cdrom/cdrom0/solaris_x86/pddefault specifies the location of the installation administration script, and PDRTE is the Access Manager Runtime package.

14. Upgrade Access Manager Policy Server:
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault PDMgr

where /cdrom/cdrom0/solaris_x86 specifies the location of the package, /cdrom/cdrom0/solaris_x86/pddefault specifies the location of the installation administration script, and PDMgr is the Access Manager Policy Server package.

15. Tivoli Access Manager schema definitions are added automatically during the installation of the server package of Tivoli Directory Server 6.1. Update the schema:
    - If you are using a supported LDAP server other than IBM Tivoli Directory Server as your registry server.
    - If you want to continue using your previous version of IBM Tivoli Directory Server (5.1, 5.2 or 6.0) and you do not want to upgrade the server to IBM Directory Server version 6.1.
    Update the schema using the ivrgy_tool as follows:
ivrgy_tool -d -h ldap_host -p port -D ldap_admin -w pwd schema

For more information about the ivrgy_tool utility, see the reference information for ivrgy_tool on page 287.

16. Start the policy server daemon (pdmgrd):
pd_start start

17. Confirm that the policy server is running:


pd_start status

18. Make sure that you can contact the policy server. For example, log in to the pdadmin interface and run a command:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

The upgrade of the policy server on Solaris on x86_64 is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

Solaris on x86: Upgrading the policy server using two systems


Follow these steps to set up a new 6.1.1 policy server on a second system while allowing your original policy server system to continue functioning with minimal downtime.

Note: This two-system approach is supported for LDAP-based registries only.

1. Before upgrading the policy server to 6.1.1, review "UNIX and Linux: Upgrade considerations" on page 17.
2. Log in as root.
3. On the original policy server, insert the IBM Tivoli Access Manager Base for Solaris on x86_64 CD.
4. Stop all Tivoli Access Manager applications and services on the original system:
pd_start stop

5. Confirm that all Tivoli Access Manager services and applications are stopped on the original system:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

6. Use the pdbackup utility on the original system to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:
-list fullpath_to_backup_listfile
    Specifies the fully qualified path to the backup list file. For example:
cd-rom/solaris/migrate/migXXto611.lst

    where XX is the version of software that you are migrating from. The name of the backup list file would be as follows:
        For 6.1    mig61to611.lst
        For 6.0    mig60to611.lst
-path path
    Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
    Specifies a file name other than the list_date.time [.tar] default file name.
For more information about the pdbackup utility, see Appendix A, "Upgrade utilities," on page 281.

7. Restart the policy server daemon (pdmgrd) on the original policy server:
pd_start start

8. Copy the archive produced by the pdbackup utility from the original policy server to the new 6.1.1 policy server.
   Note: The new 6.1.1 policy server must be a clean system. Do not reuse an existing policy server system.
9. On the new system, install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
10. Insert the IBM Tivoli Access Manager Base for Solaris on x86_64 CD.
11. Install the Global Security Kit (GSKit) on the new system:
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault gsk7bas

where /cdrom/cdrom0/solaris_x86 specifies the location of the package and /cdrom/cdrom0/solaris_x86/pddefault specifies the location of the installation administration script.

Note: During installation, you are asked if you want to use /opt as the root directory. If space permits, use /opt as the root installation directory. To accept /opt as the root directory, press Enter.

12. Install the Tivoli Directory Server client packages on the new system:
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault packages

where /cdrom/cdrom0/solaris_x86 specifies the location of the package, /cdrom/cdrom0/solaris_x86/pddefault specifies the location of the installation administration script, and packages are as follows:
Base client package      IDSlbc61
32-bit client package    IDSl32c61

Note: The 32-bit client package requires the base client package.

13. Install Tivoli Security Utilities on the new system:
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault TivSecUtl

where /cdrom/cdrom0/solaris_x86 specifies the location of the package, /cdrom/cdrom0/solaris_x86/pddefault specifies the location of the installation administration script, and TivSecUtl is the Tivoli Security Utilities package.

14. Install or upgrade Access Manager License on the new system:
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault PDlic

where /cdrom/cdrom0/solaris_x86 specifies the location of the package, /cdrom/cdrom0/solaris_x86/pddefault specifies the location of the installation administration script, and PDlic is the Access Manager License package.

15. Install Access Manager Runtime on the new system:
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault PDRTE

where /cdrom/cdrom0/solaris_x86 specifies the location of the package, /cdrom/cdrom0/solaris_x86/pddefault specifies the location of the installation administration script, and PDRTE is the Access Manager Runtime package.

16. Install Access Manager Policy Server on the new system:
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault PDMgr

where /cdrom/cdrom0/solaris_x86 specifies the location of the package, /cdrom/cdrom0/solaris_x86/pddefault specifies the location of the installation administration script, and PDMgr is the Access Manager Policy Server package.

17. Use the pdbackup utility on the new system to extract data to the new 6.1.1 policy server:
/opt/PolicyDirector/bin/pdbackup -action extract -path restore_directory -file archive_name

where:
-path restore_directory
    Specifies a temporary directory on the new 6.1.1 policy server in which you want to extract your archive data.
-file archive_name
    Specifies the fully qualified path to the archive that came from the original policy server.
For more information about the pdbackup utility, see Appendix A, "Upgrade utilities," on page 281.

Caution: If there is a configuration problem, do not unconfigure this system. If you unconfigure the system, critical data that is needed by the original policy server will be destroyed. Follow instructions in "Solaris on x86_64: Retiring the original policy server" on page 69 with the new server.

The new system is a clone of the original policy server system. This means that the placement of critical files, such as certificate files, must be identical to the original system. For example, if a certificate file is in the /certs directory on the original policy server, it must be located in the /certs directory on the new system.

18. Ensure that the LDAP server used by the original policy server is running.
19. Tivoli Access Manager schema definitions are added automatically during the installation of the server package of Tivoli Directory Server 6.1. Update the schema:
    - If you are using a supported LDAP server other than IBM Tivoli Directory Server as your registry server.
    - If you want to continue using your previous version of IBM Tivoli Directory Server (5.1, 5.2 or 6.0) and you do not want to upgrade the server to IBM Directory Server version 6.1.
    Update the schema using the ivrgy_tool as follows:
ivrgy_tool -d -h ldap_host -p port -D ldap_admin -w pwd schema

For more information about the ivrgy_tool utility, see the reference information for ivrgy_tool on page 287.

20. Use the pdconfig utility to configure Access Manager Runtime on the new 6.1.1 policy server. When prompted for an LDAP server, specify the name of the LDAP server that is used by the original policy server.
21. Use the pdconfig utility to configure the new 6.1.1 policy server.
    - When prompted if you want to configure the policy for migration purposes, select yes.
    - When prompted if you want to use this policy server for standby, select no.
    - Enter the restore_directory specified by the -path option in step 17 on page 68.
22. Confirm that the policy server is running on the new system:
pd_start status

23. Your new policy server system is ready. Run pdadmin and query both the ACL database and the registry to verify their status on the new system. For example:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list
pdadmin sec_master> user list s* 10

24. If you have made updates or changes to your database during the migration process, perform the following steps:
    a. Stop the new policy server daemon (pdmgrd):
pd_start stop

b. Copy the database files from the original policy server to the new 6.1.1 policy server. The default location of the files to copy is as follows:
/var/PolicyDirector/db

c. Start the new policy server daemon (pdmgrd):


pd_start start

The upgrade of the policy server on Solaris on x86_64 is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

Upgrade other Tivoli Access Manager systems to 6.1.1 (in the order specified in Chapter 1, "Introduction," on page 1).

Ensure that the host name of the new policy server is specified in the Tivoli Access Manager components' configuration files, including the pd.conf file in the install_path/etc directory, as well as any AZN application configuration files. To do this, on each system on which you want to use the new policy server, ensure that the master-host value in the [manager] stanza of the configuration file contains the server host name of the new policy server. See the IBM Tivoli Access Manager for e-business: Administration Guide for more information about the master-host key value.

After you have updated all your Tivoli Access Manager systems, complete the procedure in "Solaris on x86_64: Retiring the original policy server" to retire your original policy server.
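The master-host check that closes both two-system procedures (Solaris and Solaris on x86_64), as an added example that is not part of the IBM guide: a shell function reads the master-host value from the [manager] stanza of each configuration file and flags files that still name the original policy server. The host names, file names and sample contents are constructed, and the "key = value" layout with "#" comment lines is an assumption about the file format.

```shell
#!/bin/sh
# Added example (not IBM code): report which configuration files still
# point at the original policy server after a two-system upgrade.

# Print the master-host value from the [manager] stanza of file $1.
# Prints nothing if the stanza or key is absent. Assumes "key = value"
# lines and "#" comment lines.
manager_master_host() {
    awk '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t\r]+$/, "", s); return s }
        /^[ \t]*#/  { next }                          # comment line
        /^[ \t]*\[/ { in_manager = (trim($0) == "[manager]"); next }
        in_manager {
            eq = index($0, "=")
            if (eq == 0) next
            if (trim(substr($0, 1, eq - 1)) == "master-host") {
                print trim(substr($0, eq + 1))
                exit
            }
        }
    ' "$1"
}

# check_master_host NEW_HOST FILE...
# Prints one status line per file; returns 0 only if every file names
# NEW_HOST (compared case-insensitively, as host names are).
check_master_host() {
    expected=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    shift
    rc=0
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "UNREADABLE $f"; rc=1; continue
        fi
        actual=$(manager_master_host "$f" | tr '[:upper:]' '[:lower:]')
        if [ -z "$actual" ]; then
            echo "MISSING $f: no master-host in [manager]"; rc=1
        elif [ "$actual" = "$expected" ]; then
            echo "OK $f"
        else
            echo "STALE $f: master-host = $actual"; rc=1
        fi
    done
    return $rc
}

# Write three constructed sample files into directory $1.
make_constructed_samples() {
    cat > "$1/pd.conf" <<'EOF'
# constructed sample, already updated
[manager]
master-host = newpolicy.example.com
master-port = 7135
EOF
    cat > "$1/aznapp.conf" <<'EOF'
# constructed sample (hypothetical AZN application file), not yet updated
[manager]
  master-host=oldpolicy.example.com
EOF
    cat > "$1/other.conf" <<'EOF'
# constructed sample: the key is commented out in [manager] and only
# appears in an unrelated, hypothetical stanza, so it must not count
[manager]
# master-host = newpolicy.example.com
[example-stanza]
master-host = newpolicy.example.com
EOF
}

# Demo run on the constructed files.
SAMPLE_DIR=$(mktemp -d)
make_constructed_samples "$SAMPLE_DIR"
check_master_host newpolicy.example.com "$SAMPLE_DIR"/*.conf ||
    echo "Some files do not yet name the new policy server."
rm -rf "$SAMPLE_DIR"
```

Run it against the real pd.conf and AZN application configuration files on each system before retiring the original policy server; any STALE or MISSING line marks a component that would lose its policy server at that point.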

Solaris on x86_64: Retiring the original policy server


If you upgraded the policy server using the two system approach, retire the original policy server after its data and the Tivoli Directory Server client and server are successfully migrated to the 6.1.1 policy server system.

Caution: Do not unconfigure the original policy server or the new policy server at any time during the upgrade process. Unconfiguration of the original policy server or new policy server will destroy critical data needed by the policy server. The destruction of critical data will result in a nonworking Tivoli Access Manager environment.

Follow these steps to retire the original policy server:
1. Stop the policy server.
2. From the original policy server, enter:
/opt/PolicyDirector/sbin/pdmgr_ucf

3. Uninstall your previous version of Tivoli Access Manager. For uninstallation procedures, see the documentation for that version of Tivoli Access Manager.

Windows: Upgrading the policy server

Windows: Upgrade considerations


Before upgrading the policy server to 6.1.1, review the following considerations:
- Install IBM JRE 1.5 or higher.
- Upgrade your operating system to the minimum supported level. For information about minimum supported levels, see IBM Tivoli Access Manager for e-business: Release Notes.
- As a standard precaution when upgrading, make sure to back up your registry data and all Tivoli Access Manager servers before you begin. If you are upgrading Tivoli Directory Server, see Chapter 2, "Upgrading IBM Tivoli Directory Server," on page 9; otherwise, consult the documentation that was shipped with your supported registry server.
- In Tivoli Directory Server version 6.1, clients can coexist on the same machine with a client that is version 5.1, 5.2, or 6.0. The Tivoli Directory Server 6.1 server requires that the version 6.1 client and the Java client also be installed. In addition, the server can coexist on the same machine with another client that is version 5.1, 5.2 or 6.0, or with a version of the 6.0 server.
- You are not required to upgrade all Tivoli Access Manager components in your secure domain to a 6.1.1 level. However, if you upgrade any Tivoli Access Manager component in your secure domain to a 6.1.1 level, you must install Tivoli Directory Server client 6.1 on that system. For a list of components that are compatible with Tivoli Access Manager 6.1.1, see the IBM Tivoli Access Manager for e-business: Release Notes.
- In general, if Tivoli Directory Server is your registry server and is located on a different machine from any Tivoli Access Manager component, you can upgrade the registry server at any time, before or after the upgrade of the Tivoli Access Manager 6.1.1 component.
  However, when the server package of Tivoli Directory Server is installed on the same machine as any Tivoli Access Manager 6.1.1 component and if you choose to install the server package of Tivoli Directory Server 6.1, it is recommended that you install the Tivoli Directory Server 6.1 client and server packages at the same time as you install the Tivoli Access Manager 6.1.1 component on that machine.

- If you are upgrading and using a language other than English, remember to upgrade your language package. Refer to the IBM Tivoli Access Manager for e-business: Installation Guide to install the language package.
- The upgrade process does not support changing your configuration, such as your registry type. For example, you cannot upgrade from an LDAP registry to a Domino registry.
- Log in to the system as a user with administrator privileges.
- The default temporary directory is the value specified by the TMP environment variable. If the TMP variable does not exist, the value specified by the TEMP environment variable is used. If neither of these variables is set, the system directory is the temporary directory.
- The installation path varies and is dependent on the directory specified during the installation.
- If you are planning to upgrade a policy server currently running on a Windows NT or Windows 2000 platform, you must upgrade your operating system to one of the following supported Windows platforms before upgrading the policy server:
    - Windows 2003 Standard Server and Enterprise Server
    - Windows 2003 64-bit AMD/EMT

For operating systems other than Windows, see "UNIX and Linux: Upgrade considerations" on page 17.

Windows: Upgrading the policy server using a single system


To upgrade the policy server system on Windows, complete the following instructions.

Note: If you encounter a problem when migrating the policy server to 6.1.1 using this single-system approach, you can restore the system to its previous level. For instructions, see "Windows: Restoring the policy server" on page 267.

1. Before upgrading the policy server to 6.1.1, review "Windows: Upgrade considerations" on page 70.
2. Log in as a user with administrative privileges.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
4. Insert the IBM Tivoli Access Manager Base for Windows CD.
5. Exit all running programs. During the upgrade process, you are prompted to restart your Windows system periodically.
6. Stop all Tivoli Access Manager applications and services. For example, on Windows 2003 systems, select Start > Control Panel > Administrative Tools. Double-click the Services icon, and stop all Tivoli Access Manager services running on the local system, including applications, such as WebSEAL. From Services, find the Access Manager Auto-Start Service. Double-click this service and change the startup type to Disabled.
7. Use the pdbackup utility, located in the C:\Program Files\Tivoli\Policy Director\bin directory, to back up critical Tivoli Access Manager information:
"C:\Program Files\Tivoli\Policy Director\bin\pdbackup" -action backup -list fullpath_to_backup_listfile -path path -file filename

where:

-list fullpath_to_backup_listfile
Specifies the fully qualified path to the backup list file. For example:
Installed_Dir\etc\pdbackup.lst

-path path
Specifies the path where you want the backed up files to be stored. For example:
"C:\Program Files\Tivoli\Policy Director\pdbackup"

-file filename
Specifies a file name other than the list_date.time[.dar] default file name.

For more information about the pdbackup utility, see Appendix A, "Upgrade utilities," on page 281.

8. Install the Global Security Kit (GSKit). To do so, change to the \windows\GSKit directory on the drive where the CD is located and enter:
setup policydirector

Follow the online instructions to complete the installation.
9. If you are using an LDAP server as your registry, install the Tivoli Directory Server client by running the install_tds.bat script in \windows\tds (if necessary). Select to install C Client 6.1 and follow the online instructions to complete the installation.
Note: If you are using Domino or Active Directory as your registry and the Tivoli Access Manager systems in your domain are Windows-based, the Tivoli Directory Server client is not required.
10. Ensure that your registry server is running.
11. Install the security utilities by running the setup.exe script in the \windows\TivsecUtl\Disk Images\Disk1 directory. Follow the online instructions to complete the installation.
12. Install the components by running the setup.exe script in the \windows\PolicyDirector\Disk Images\Disk1 directory. Select to install the following components in this sequence:
• Access Manager License
• Access Manager Runtime
• Access Manager Policy Server
Follow the online instructions to complete the installation.
Note: You are prompted to restart your system during this process.
13. Update either the schema or the data model, depending on your registry server.

If you are using a supported LDAP server as your registry server:
Tivoli Access Manager schema definitions are added automatically during the installation of the server package of Tivoli Directory Server 6.1. Update the schema:
• If you are using a supported LDAP server other than IBM Tivoli Directory Server as your registry server.
• If you want to continue using your previous version of IBM Tivoli Directory Server (5.1, 5.2 or 6.0) and you do not want to upgrade the server to IBM Directory Server version 6.1.
Update the schema using the ivrgy_tool as follows:


ivrgy_tool -d -h ldap_host -p port -D ldap_admin -w pwd schema

For more information about the ivrgy_tool utility, see the reference information for "ivrgy_tool" on page 287.

If you are using Active Directory as your registry server:
Update the schema from the previous release to Tivoli Access Manager 6.1.1 as follows:
adschema_update -f schema_file -u active_directory_administrator_id -p active_directory_administrator_pwd

For more information about the adschema_update utility, see the reference information for "adschema_update" on page 282.
14. Start the policy server service (pdmgrd). For example, on Windows 2003 systems, select Start > Control Panel > Administrative Tools. Double-click the Services icon.
15. Confirm that the policy server is running. For example, on Windows 2003 systems, select Start > Control Panel > Administrative Tools. Double-click the Services icon to verify if the service is running.
16. Make sure that you can contact the policy server. For example, log in to the pdadmin interface and run a command:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

The upgrade of the policy server on Windows is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

Windows: Upgrading the policy server using two systems


Follow these steps to set up a new 6.1.1 policy server on a second system while allowing your original policy server system to continue functioning with minimal downtime.

Note: This two-system approach is supported for LDAP-based registries only. If you are using a non-LDAP registry, such as Active Directory, follow instructions in "Windows: Upgrading the policy server using a single system" on page 71.

1. Before upgrading the policy server to 6.1.1, review "Windows: Upgrade considerations" on page 70.
2. Log in as a user with administrative privileges.
3. From the original policy server, insert the IBM Tivoli Access Manager Base for Windows CD.
4. Exit all running programs on the original system. During the upgrade process, you are prompted to restart your Windows system periodically.
5. Stop all Tivoli Access Manager applications and services. For example, on Windows 2003 systems, select Start > Control Panel > Administrative Tools. Double-click the Services icon, and stop all Tivoli Access Manager services running on the local system, including applications, such as WebSEAL. From Services, find the Access Manager Auto-Start Service. Double-click this service and change the startup type to Disabled.
6. Use the pdbackup utility on the original system to back up critical Tivoli Access Manager information:
"C:\Tivoli\Policy Director\bin\pdbackup" -action backup -list fullpath_to_backup_listfile -path path -file filename

where:

-list fullpath_to_backup_listfile
Specifies the fully qualified path to the backup list file. For example:
cd_drive\windows\migrate\migXXto611.lst
where XX is the version of software that you are migrating from. The name of the backup list file would be as follows:
For 6.1    mig61to611.lst
For 6.0    mig60to611.lst
For 5.1    mig51to611.lst

-path path
Specifies the path where you want the backed up files to be stored. For example:
"C:\Program Files\Tivoli\Policy Director\pdbackup"

-file filename
Specifies a file name other than the list_date.time[.dar] default file name.

For more information about the pdbackup utility, see Appendix A, "Upgrade utilities," on page 281.

7. Restart the policy server service (pdmgrd) on the original policy server. For example, on Windows 2003 systems, select Start > Control Panel > Administrative Tools. Double-click the Services icon, and start the service.
8. Copy the archive file and all of its contents (produced by the pdbackup utility) from the original policy server to the new 6.1.1 policy server.
Note: The new 6.1.1 policy server must be a clean system. Do not reuse an existing policy server system.
9. On the new system, install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
10. Insert the IBM Tivoli Access Manager Base for Windows CD into the new system.
11. Install the Global Security Kit (GSKit) on the new system. To do so, change to the \windows\GSKit directory on the drive where the CD is located and enter:
setup policydirector

Follow the online instructions to complete the installation.
12. If you are using an LDAP server as your registry, install the Tivoli Directory Server client by running the install_tds.exe script in windows\tds. Select to install C Client 6.1 and follow the online instructions to complete the installation.
Note: If you are using Domino or Active Directory as your registry and the Tivoli Access Manager systems in your domain are Windows-based, the Tivoli Directory Server client is not required.
13. Install the security utilities on the new system by running the setup.exe script in the \windows\TivsecUtl\Disk Images\Disk1 directory. Follow the online instructions to complete the installation.
14. Install the following Access Manager components on the new system by running the setup.exe script in the \windows\PolicyDirector\Disk Images\Disk1 directory. Select to install the following components in this sequence:


• Access Manager License
• Access Manager Runtime
• Access Manager Policy Server
Follow the online instructions to complete the installation.
15. Use the pdbackup utility on the new system to extract data to the new 6.1.1 policy server:
"C:\Program Files\Tivoli\Policy Director\bin\pdbackup.exe" -action extract -path restore_directory -file archive_name

where:

-path restore_directory
Specifies a temporary directory on the new 6.1.1 policy server in which you want to extract your archive data.

-file archive_name
Specifies the fully qualified path to the archive that came from the original policy server.

For more information about the pdbackup utility, see Appendix A, "Upgrade utilities," on page 281.

Caution: If there is a configuration problem, do not unconfigure this system. If you unconfigure the system, critical data that is needed by the original policy server will be destroyed. Follow instructions in "Windows: Retiring the original policy server" on page 76 with the new server.

The new system is a clone of the original policy server system. This means that the placement of critical files, such as certificate files, must be identical to the original system. For example, if a certificate file is in the \certs directory on the original policy server, it must be located in the \certs directory on the new system.

16. Ensure that your LDAP server is running. For example, on Windows 2003 systems, select Start > Control Panel > Administrative Tools and then double-click the Services icon to verify if the service is started.
17. Tivoli Access Manager schema definitions are added automatically during the installation of the server package of Tivoli Directory Server 6.1. Update the schema:
• If you are using a supported LDAP server other than IBM Tivoli Directory Server as your registry server.
• If you want to continue using your previous version of IBM Tivoli Directory Server (5.1, 5.2 or 6.0) and you do not want to upgrade the server to IBM Directory Server version 6.1.
Update the schema using the ivrgy_tool as follows:
ivrgy_tool -d -h ldap_host -p port -D ldap_admin -w pwd schema

For more information about the ivrgy_tool utility, see the reference information for "ivrgy_tool" on page 287.
18. Use the pdconfig utility to configure the runtime on the new 6.1.1 policy server. When prompted for an LDAP server, specify the name of the LDAP server that is used by the original policy server.


19. Use the pdconfig utility to configure the new 6.1.1 policy server. When prompted if you want to configure the policy for migration purposes, select yes and enter the restore_directory specified by the -path option in step 15 on page 75.
20. Confirm that the policy server is running on the new system. For example, on Windows 2003 systems, select Start > Control Panel > Administrative Tools. Double-click the Services icon to verify if the service is running.
21. Your new policy server system is ready. Run pdadmin on the new system and query both the ACL database and the registry to verify their status. For example:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list
pdadmin sec_master> user list s* 10

22. If you have made updates or changes to your database during the migration process, perform the following steps:
• Stop the policy server daemon; for example, on a Windows 2003 system: Click Start > Control Panel > Administrative Tools. Double-click the Services icon and stop the service.
• Copy the database files from the original policy server to the new 6.1 policy server. The default location of the files to copy is as follows:
C:\Program Files\Tivoli\PolicyDirector\db
• Start the policy server (pdmgrd); for example, on a Windows 2003 system: Click Start > Control Panel > Administrative Tools. Double-click the Services icon and start the service.

The upgrade of the policy server on Windows is now complete.

Upgrade other Tivoli Access Manager systems to 6.1.1 (in the order specified in Chapter 1, "Introduction," on page 1). Ensure that the host name of the new policy server is specified in the Tivoli Access Manager components' configuration files, including the pd.conf file in the install_path\etc directory, as well as any AZN application configuration files. To do this, on each system on which you want to use the new policy server, ensure that the master-host value in the [manager] stanza of the configuration file contains the server host name of the new policy server. See the IBM Tivoli Access Manager for e-business: Administration Guide for more information about the master-host key value.

After you have updated all your Tivoli Access Manager systems, complete the procedure in "Windows: Retiring the original policy server" to retire your original policy server.

Windows: Retiring the original policy server


If you upgraded the policy server using the two system approach, follow these steps to retire the original policy server after its data and the Tivoli Directory Server client and server are successfully migrated to the 6.1.1 policy server system.


Caution: Do not unconfigure the original policy server or the new policy server at any time during the upgrade process. Unconfiguration of the original policy server or new policy server will destroy critical data needed by the policy server. The destruction of critical data will result in a nonworking Tivoli Access Manager environment.

1. Stop the policy server.
2. From the original policy server, run:
"C:\Program Files\Tivoli\Policy Director\sbin\pdmgr_ucf.exe"

3. Uninstall your previous version of Tivoli Access Manager. For uninstallation procedures, see the documentation for that version of Tivoli Access Manager.


Chapter 4. Upgrading the authorization server


Tivoli Access Manager supports an upgrade of an authorization server to version 6.1.1. The following platform-specific instructions are provided:
• AIX on page 80
• HP-UX on page 82
• HP-UX on Integrity on page 84
• Linux on x86 on page 86
• Linux on System z on page 88
• Linux on POWER on page 90
• Solaris on page 92
• Solaris on x86_64 on page 94
• Windows on page 96

Upgrade considerations
Before upgrading the authorization server to 6.1.1, review the following considerations:
• Upgrade your operating system to the minimum supported level. For information about minimum supported levels, see IBM Tivoli Access Manager for e-business: Release Notes.
• In Tivoli Directory Server version 6.1, clients can coexist on the same machine with a client that is version 5.1, 5.2, or 6.0. The Tivoli Directory Server 6.1 server requires that the version 6.1 client and the Java client also be installed. In addition, the server can coexist on the same machine with another client that is version 5.1, 5.2 or 6.0, or with a version of the 6.0 server.
• You are not required to upgrade all Tivoli Access Manager components in your secure domain to a 6.1.1 level. However, if you upgrade any Tivoli Access Manager component in your secure domain to a 6.1.1 level, you must install Tivoli Directory Server client 6.1 on that system. For a list of components that are compatible with Tivoli Access Manager 6.1.1, see the IBM Tivoli Access Manager for e-business: Release Notes.
• In general, if Tivoli Directory Server is your registry server and is located on a different machine from any Tivoli Access Manager component, you can upgrade the registry server at any time, before or after the upgrade of the Tivoli Access Manager 6.1.1 component. However, when the server package of Tivoli Directory Server is installed on the same machine as any Tivoli Access Manager 6.1.1 component and you choose to install the server package of Tivoli Directory Server 6.1, it is recommended that you install the Tivoli Directory Server 6.1 client and server packages at the same time as you install the Tivoli Access Manager 6.1.1 component on that machine.
• If you are upgrading and using a language other than English, remember to upgrade your language package. Refer to the IBM Tivoli Access Manager for e-business: Installation Guide to install the language package. However, when upgrading IBM Tivoli Directory Server language packages, you must use the upgrade (-U) option for Linux operating systems.


AIX: Upgrading the authorization server


To upgrade an authorization server system on AIX, complete the following instructions:
1. Before upgrading the authorization server to 6.1.1, review the considerations in "Upgrade considerations" on page 79.
2. Log in as root.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
Note: The AIX operating system requires version 8.0.0.x of the xlC fileset. Check your current version by using the lslpp command and upgrade, if necessary.
4. Insert the IBM Tivoli Access Manager Base for AIX CD and mount it.
5. Stop all Tivoli Access Manager applications and services:
pd_start stop

6. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

7. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:

-list fullpath_to_backup_listfile
Specifies the fully qualified path to the backup list file. For example:
/opt/PolicyDirector/etc/pdbackup.lst

-path path
Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
Specifies a file name other than the list_date.time[.tar] default file name.

For more information about the pdbackup utility, see Appendix A, "Upgrade utilities," on page 281.

8. Install the Global Security Kit (GSKit):
installp -acgYXd cd_mount_pt/usr/sys/inst.images gskta.rte

where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located.
9. Install the client packages of Tivoli Directory Server:
installp -acgYXd cd_mount_pt/usr/sys/inst.images packages

where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located and where packages are the names of the Tivoli Directory Server client packages:


Client base package                 idsldap.cltbase61
Client package (32-bit) (no SSL)    idsldap.clt32bit61
Client package (32-bit) (SSL)       idsldap.clt_max_crypto32bit61

Note: The 32-bit client package requires the base client package.
10. Ensure that your registry server and policy server are running.
11. Install or upgrade Tivoli Security Utilities:
Note: If you are upgrading from Tivoli Access Manager 5.1, Tivoli Security Utilities is installed. If you are upgrading from Tivoli Access Manager 6.0, the Tivoli Security Utilities is upgraded.
installp -acgYXd cd_mount_pt/usr/sys/inst.images TivSec.Utl

where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located and TivSec.Utl is the Tivoli Security Utilities package.
12. Install or upgrade Access Manager License:
Note: If you are upgrading from Tivoli Access Manager 5.1, Access Manager License is installed. If you are upgrading from Tivoli Access Manager 6.0, Access Manager License is upgraded.
installp -acgYXd cd_mount_pt/usr/sys/inst.images PD.lic

where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located and PD.lic is the Access Manager License package.
13. Upgrade Access Manager Runtime:
installp -acgYXd cd_mount_pt/usr/sys/inst.images PD.RTE

where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located and PD.RTE is the Access Manager Runtime package.
14. Upgrade Access Manager Authorization Server:
installp -acgYXd cd_mount_pt/usr/sys/inst.images PD.Acld

where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located and PD.Acld is the Access Manager Authorization Server.
15. If the two-system upgrade option was used for the policy server, the master-host record must be updated to point to the new policy server. Edit the master-host entry in each of the following configuration files:
• Access Manager Runtime
/opt/PolicyDirector/etc/pd.conf
• Access Manager Authorization Server
/opt/PolicyDirector/etc/ivacld.conf

16. Start the authorization server daemon (pdacld):
pd_start start

17. Confirm that the authorization server is running:
pd_start status

18. Make sure that you can contact the authorization server. For example, log in to the pdadmin interface and run a command:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

The upgrade of the authorization server on AIX is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.
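
The master-host requirement above (the [manager] stanza of pd.conf after a two-system policy server upgrade, and of ivacld.conf in step 15) can be checked with a short script. This is an added example, not IBM code or part of the original guide; the function names, the sample stanza contents, the host names, and the assumption that "#" starts a comment line are illustrative.

```shell
#!/bin/sh
# Added example, not IBM code: confirm that master-host in the [manager]
# stanza of each configuration file names the new policy server.
# Assumption: "#" starts a comment line and entries look like "key = value".

# get_master_host FILE
# Prints the master-host value found in the [manager] stanza (empty if none).
get_master_host() {
    tr -d '\r' < "$1" | awk '
        /^[ \t]*#/ { next }                      # comment line
        /^[ \t]*\[/ {                            # stanza header, e.g. [manager]
            name = $0
            sub(/^[ \t]*\[[ \t]*/, "", name)
            sub(/[ \t]*\].*$/, "", name)
            in_manager = (name == "manager")
            next
        }
        in_manager {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "master-host" && !seen) { print val; seen = 1 }
        }
    '
}

# check_master_host EXPECTED_HOST FILE...
# Prints one status line per file. Returns 1 if any file is unreadable,
# lacks the entry, or still names a different host (compared case-insensitively).
check_master_host() {
    expected=$1
    expected_lc=$(printf '%s' "$expected" | tr 'A-Z' 'a-z')
    shift
    rc=0
    for conf in "$@"; do
        if [ ! -r "$conf" ]; then
            echo "UNREADABLE $conf"
            rc=1
            continue
        fi
        found=$(get_master_host "$conf")
        found_lc=$(printf '%s' "$found" | tr 'A-Z' 'a-z')
        if [ -z "$found" ]; then
            echo "MISSING    $conf (no master-host in [manager])"
            rc=1
        elif [ "$found_lc" = "$expected_lc" ]; then
            echo "OK         $conf -> $found"
        else
            echo "STALE      $conf -> $found (expected $expected)"
            rc=1
        fi
    done
    return "$rc"
}

# Demonstration on constructed sample files (placeholder host names).
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sample' '[example-stanza]' \
        'master-host = decoy.example.com' '[manager]' \
        'master-host = NewPDmgr.example.com' > "$dir/pd.conf"
    printf '%s\n' '[manager]' \
        'master-host = oldpdmgr.example.com' > "$dir/ivacld.conf"
    check_master_host newpdmgr.example.com "$dir/pd.conf" "$dir/ivacld.conf"
    status=$?
    rm -rf "$dir"
    return "$status"
}

demo || echo "At least one file still needs its master-host entry updated."
```

On a real system, pass the new policy server host name followed by the configuration files to check, for example /opt/PolicyDirector/etc/pd.conf and /opt/PolicyDirector/etc/ivacld.conf.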

HP-UX: Upgrading the authorization server


To upgrade an authorization server system on HP-UX, complete the following instructions:
1. Before upgrading the authorization server to 6.1.1, review the considerations in "Upgrade considerations" on page 79.
2. Log in as root.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
4. Insert the IBM Tivoli Access Manager Base for HP-UX CD.
5. Mount the CD using the HP-UX mount command. For example, enter the following command:
mount -F cdfs -o rr /dev/dsk/c0t0d0 /cd-rom

where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point.
6. Stop all Tivoli Access Manager applications and services:
pd_start stop

7. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

8. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:

-list fullpath_to_backup_listfile
Specifies the fully qualified path to the backup list file. For example:
/opt/PolicyDirector/etc/pdbackup.lst

-path path
Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
Specifies a file name other than the list_date.time[.tar] default file name.

For more information about the pdbackup utility, see Appendix A, "Upgrade utilities," on page 281.

9. Install the Global Security Kit (GSKit):
swinstall -s /cd-rom/hp gsk7bas

where /cd-rom/hp is the directory where the GSKit installation images are located and gsk7bas is the name of the GSKit package.


10. Install the client packages of Tivoli Directory Server:


swinstall -s /cd-rom/hp packages

where /cd-rom/hp is the directory where the installation images are located and packages are as follows:
Base client package                 idsldap.cltbase61
Client package (32-bit) (no SSL)    idsldap.clt32bit61

Note: The 32-bit client package requires the base client package.
11. Ensure that your registry server and policy server are running.
12. Install or upgrade Tivoli Security Utilities:
Note: If you are upgrading from Tivoli Access Manager 5.1, Tivoli Security Utilities is installed. If you are upgrading from Tivoli Access Manager 6.0, the Tivoli Security Utilities is upgraded.
swinstall -s /cd-rom/hp TivSecUtl

where /cd-rom/hp is the directory where the installation images are located and TivSecUtl is the Tivoli Security Utilities package.
13. Install or upgrade Access Manager License:
Note: If you are upgrading from Tivoli Access Manager 5.1, Access Manager License is installed. If you are upgrading from Tivoli Access Manager 6.0, Access Manager License is upgraded.
swinstall -s /cd-rom/hp PDlic

where /cd-rom/hp is the directory where the installation images are located and PDlic is the Access Manager License package.
14. Upgrade Access Manager Runtime:
swinstall -s /cd-rom/hp PDRTE

where /cd-rom/hp is the directory where the installation images are located and PDRTE is the Access Manager Runtime package.
15. Upgrade Access Manager Authorization Server:
swinstall -s /cd-rom/hp PDAcld

where /cd-rom/hp is the directory where the installation images are located and PDAcld is the Access Manager Authorization Server package.
16. If the two-system upgrade option was used for the policy server, the master-host record must be updated to point to the new policy server. Edit the master-host entry in each of the following configuration files:
• Access Manager Runtime
/opt/PolicyDirector/etc/pd.conf
• Access Manager Authorization Server
/opt/PolicyDirector/etc/ivacld.conf

17. Start the authorization server daemon (pdacld):
pd_start start

18. Confirm that the authorization server is running:
pd_start status

19. Make sure that you can contact the policy server. For example, log in to the pdadmin interface and run a command:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list


The upgrade of the authorization server on HP-UX is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

HP-UX on Integrity: Upgrading the authorization server


To upgrade an authorization server system on HP-UX on Integrity, complete the following instructions:
1. Before upgrading the authorization server to 6.1.1, review the considerations in "Upgrade considerations" on page 79.
2. Log in as root.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
4. Insert the IBM Tivoli Access Manager Base for HP-UX on Integrity CD.
5. Mount the CD using the HP-UX mount command. For example, enter the following command:
mount -F cdfs -o rr /dev/dsk/c0t0d0 /cd-rom

where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point.
6. Stop all Tivoli Access Manager applications and services:
pd_start stop

7. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

8. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:

-list fullpath_to_backup_listfile
Specifies the fully qualified path to the backup list file. For example:
/opt/PolicyDirector/etc/pdbackup.lst

-path path
Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
Specifies a file name other than the list_date.time[.tar] default file name.

For more information about the pdbackup utility, see Appendix A, "Upgrade utilities," on page 281.

9. Install the Global Security Kit (GSKit):
swinstall -s /cd-rom/hp_ia64 gsk7bas

where /cd-rom/hp_ia64 is the directory where the GSKit installation images are located and gsk7bas is the name of the GSKit package.


10. Install the client packages of Tivoli Directory Server:


swinstall -s /cd-rom/hp_ia64 packages

where /cd-rom/hp_ia64 is the directory where the installation images are located and packages are as follows:
Base client package                 idsldap.cltbase61
Client package (32-bit) (no SSL)    idsldap.clt32bit61

Note: The 32-bit client package requires the base client package.
11. Ensure that your registry server and policy server are running.
12. Upgrade Tivoli Security Utilities:
swinstall -s /cd-rom/hp_ia64 TivSecUtl

where /cd-rom/hp_ia64 is the directory where the installation images are located and TivSecUtl is the Tivoli Security Utilities package.
13. Upgrade Access Manager License:
swinstall -s /cd-rom/hp_ia64 PDlic

where /cd-rom/hp_ia64 is the directory where the installation images are located and PDlic is the Access Manager License package.
14. Upgrade Access Manager Runtime:
swinstall -s /cd-rom/hp_ia64 PDRTE

where /cd-rom/hp_ia64 is the directory where the installation images are located and PDRTE is the Access Manager Runtime package.
15. Upgrade Access Manager Authorization Server:
swinstall -s /cd-rom/hp_ia64 PDAcld

where /cd-rom/hp_ia64 is the directory where the installation images are located and PDAcld is the Access Manager Authorization Server package.
16. If the two-system upgrade option was used for the policy server, the master-host record must be updated to point to the new policy server. Edit the master-host entry in each of the following configuration files:
• Access Manager Runtime
/opt/PolicyDirector/etc/pd.conf
• Access Manager Authorization Server
/opt/PolicyDirector/etc/ivacld.conf

17. Start the authorization server daemon (pdacld):
pd_start start

18. Confirm that the authorization server is running:
pd_start status

19. Make sure that you can contact the policy server. For example, log in to the pdadmin interface and run a command:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

The upgrade of the authorization server on HP-UX on Integrity is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.


Linux on x86: Upgrading the authorization server


To upgrade an authorization server system for Linux on x86, complete the following instructions:
1. Before upgrading the authorization server to 6.1.1, review the considerations in "Upgrade considerations" on page 79.
2. Log in as root.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
4. Insert the IBM Tivoli Access Manager Base for Linux on x86 CD and mount it.
5. Change to the following directory:
cd cd_mount_pt/linux_i386

where cd_mount_pt is where the CD is mounted.
6. Stop all Tivoli Access Manager applications and services:
pd_start stop

7. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

8. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:

-list fullpath_to_backup_listfile
    Specifies the fully qualified path to the backup list file. For example:
    /opt/PolicyDirector/etc/pdbackup.lst

-path path
    Specifies the path where you want the backed up files to be stored. For example:
    /var/PolicyDirector/pdbackup

-file filename
    Specifies a file name other than the list_date.time[.tar] default file name.

For more information about the pdbackup utility, see Appendix A, "Upgrade utilities," on page 281.

9. Install or upgrade IBM Global Security Kit (GSKit). If you have a version of Global Security Kit prior to GSKit 7 installed or if you do not have a version of GSKit installed at all, install GSKit 7:
rpm -i gsk7bas-7.0-4.28.i386.rpm

Or, if you have an earlier version of GSKit 7 installed, upgrade to GSKit 7.0-4.28:
rpm -U gsk7bas-7.0-4.28.i386.rpm

10. Install the client packages of Tivoli Directory Server:
rpm -i packages

where packages are as follows:

Base client package     idsldap-cltbase61-6.1.0-6.i386.rpm
32-bit client package   idsldap-clt32bit61-6.1.0-6.i386.rpm

Note: The 32-bit client package requires the base client package. For example, enter:
rpm -i idsldap-cltbase61-6.1.0-6.i386.rpm idsldap-clt32bit61-6.1.0-6.i386.rpm

11. Ensure that your registry server and policy server are running.

12. Do one of the following:

• If you are upgrading from Tivoli Access Manager 6.0, upgrade the Tivoli Security Utilities:
rpm -U TivSecUtl-TivSec-6.1.1-0.i386.rpm

where TivSecUtl-TivSec-6.1.1-0.i386.rpm is the Tivoli Security Utilities package.

• If you are upgrading from Tivoli Access Manager 5.1, install the Tivoli Security Utilities:
rpm -i TivSecUtl-TivSec-6.1.1-0.i386.rpm

where TivSecUtl-TivSec-6.1.1-0.i386.rpm is the Tivoli Security Utilities package.

13. Do one of the following:

• If you are upgrading from Tivoli Access Manager 6.0, upgrade the Access Manager License:
rpm -U PDlic-PD-6.1.1-0.i386.rpm

where PDlic-PD-6.1.1-0.i386.rpm is the Access Manager License package.

• If you are upgrading from Tivoli Access Manager 5.1, install the Access Manager License:
rpm -i PDlic-PD-6.1.1-0.i386.rpm

where PDlic-PD-6.1.1-0.i386.rpm is the Access Manager License package.

14. Upgrade Access Manager Runtime:
rpm -U PDRTE-PD-6.1.1-0.i386.rpm

where PDRTE-PD-6.1.1-0.i386.rpm is the Access Manager Runtime package.

15. Upgrade Access Manager Authorization Server:
rpm -U PDAcld-PD-6.1.1-0.i386.rpm

where PDAcld-PD-6.1.1-0.i386.rpm is the Access Manager Authorization Server package.

16. If the two-system upgrade option was used for the policy server, the master-host record must be updated to point to the new policy server. Edit the master-host entry in each of the following configuration files:

• Access Manager Runtime
/opt/PolicyDirector/etc/pd.conf

• Access Manager Authorization Server
/opt/PolicyDirector/etc/ivacld.conf

17. Start the authorization server daemon (pdacld):


pd_start start

18. Confirm that the authorization server is running:


pd_start status

19. Make sure that you can contact the policy server. For example, log in to the pdadmin interface and run a command:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

The upgrade of the authorization server for Linux on x86 is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.
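
A check for step 16, as an added example that is not part of the IBM guide: these shell functions read the master-host entry from each configuration file and report whether it names the new policy server. The "key = value" layout with '#' comments, the function names, and the example.com host names are assumptions.

```shell
#!/bin/sh
# Added example (not IBM code): after a two-system policy server upgrade,
# confirm that master-host in pd.conf and ivacld.conf names the new server.
# Assumption: entries are written as "master-host = hostname", optionally
# under [stanza] headers, with '#' starting a comment line.

# get_master_host FILE
# Prints the value of the first active (uncommented) master-host entry.
get_master_host() {
    awk '
        /^[ \t]*#/ { next }                    # ignore commented-out entries
        /^[ \t]*master-host[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")           # drop the key and the "="
            sub(/[ \t]+$/, "")                 # trim trailing blanks
            print
            exit
        }
    ' "$1"
}

# check_master_host EXPECTED_HOST FILE...
# Returns 0 only if every file is readable and names EXPECTED_HOST.
check_master_host() {
    expected=$1
    shift
    rc=0
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "MISSING  $f"
            rc=1
            continue
        fi
        actual=$(get_master_host "$f")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $f -> $actual"
        else
            echo "MISMATCH $f -> '${actual:-<none>}' (expected $expected)"
            rc=1
        fi
    done
    return $rc
}

# demo_master_host
# Runs the check on constructed sample files: pd.conf has been edited,
# ivacld.conf still names the retired policy server, so the check fails.
demo_master_host() {
    d=$(mktemp -d) || return 2
    printf '[manager]\n# master-host = oldpd.example.com\nmaster-host = newpd.example.com\n' > "$d/pd.conf"
    printf '[manager]\nmaster-host   =   oldpd.example.com  \n' > "$d/ivacld.conf"
    if check_master_host newpd.example.com "$d/pd.conf" "$d/ivacld.conf"; then
        demo_rc=0
    else
        demo_rc=1
    fi
    rm -rf "$d"
    return $demo_rc
}

# On an upgraded system (host name is a placeholder):
#   check_master_host newpd.example.com \
#       /opt/PolicyDirector/etc/pd.conf /opt/PolicyDirector/etc/ivacld.conf
```

A MISMATCH on either file means that component would still try to reach the original policy server when pd_start start is run in step 17.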

Linux on System z: Upgrading the authorization server


To upgrade an authorization server system for Linux on System z, complete the following instructions:

1. Before upgrading the authorization server to 6.1.1, review the considerations in "Upgrade considerations" on page 79.

2. Log in as root.

3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.

4. Obtain access to the IBM Tivoli Access Manager Base for Linux on System z CD image on the System z system.

5. Change to the following directory:
cd cd_mount_pt/linux_s390

where cd_mount_pt is where the CD is mounted.

6. Stop all Tivoli Access Manager applications and services:
pd_start stop

7. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

8. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:

-list fullpath_to_backup_listfile
    Specifies the fully qualified path to the backup list file. For example:
    /opt/PolicyDirector/etc/pdbackup.lst

-path path
    Specifies the path where you want the backed up files to be stored. For example:
    /var/PolicyDirector/pdbackup

-file filename
    Specifies a file name other than the list_date.time[.tar] default file name.

For more information about the pdbackup utility, see Appendix A, "Upgrade utilities," on page 281.


9. Install or upgrade Global Security Kit (GSKit). If you have a version of Global Security Kit prior to GSKit 7 installed or if you do not have a version of GSKit installed at all, install GSKit 7:
rpm -i gsk7bas-7.0-4.28.s390.rpm

Or, if you have an earlier version of GSKit 7 installed, upgrade to GSKit 7.0-4.28:
rpm -U gsk7bas-7.0-4.28.s390.rpm

10. Install the client packages of Tivoli Directory Server:


rpm -i packages

where packages are as follows:

Base client package     idsldap-cltbase61-6.1.0-6.s390.rpm
32-bit client package   idsldap-clt32bit61-6.1.0-6.s390.rpm

Note: The 32-bit client package requires the base client package. For example, enter:
rpm -i idsldap-cltbase61-6.1.0-6.s390.rpm idsldap-clt32bit61-6.1.0-6.s390.rpm

11. Ensure that your registry server and policy server are running.

12. Do one of the following:

• If you are upgrading from Tivoli Access Manager 6.0, upgrade the Access Manager License:
rpm -U PDlic-PD-6.1.1-0.s390.rpm

where PDlic-PD-6.1.1-0.s390.rpm is the Access Manager License package.

• If you are upgrading from Tivoli Access Manager 5.1, install the Access Manager License:
rpm -i PDlic-PD-6.1.1-0.s390.rpm

where PDlic-PD-6.1.1-0.s390.rpm is the Access Manager License package.

13. Do one of the following:

• If you are upgrading from Tivoli Access Manager 6.0, upgrade the Tivoli Security Utilities:
rpm -U TivSecUtl-TivSec-6.1.1-0.s390.rpm

where TivSecUtl-TivSec-6.1.1-0.s390.rpm is the Tivoli Security Utilities package.

• If you are upgrading from Tivoli Access Manager 5.1, install the Tivoli Security Utilities:
rpm -i TivSecUtl-TivSec-6.1.1-0.s390.rpm

where TivSecUtl-TivSec-6.1.1-0.s390.rpm is the Tivoli Security Utilities package.

14. Upgrade Access Manager Runtime:
rpm -U PDRTE-PD-6.1.1-0.s390.rpm

where PDRTE-PD-6.1.1-0.s390.rpm is the Access Manager Runtime package.

15. Upgrade Access Manager Authorization Server:
rpm -U PDAcld-PD-6.1.1-0.s390.rpm

where PDAcld-PD-6.1.1-0.s390.rpm is the Access Manager Authorization Server package.

16. If the two-system upgrade option was used for the policy server, the master-host record must be updated to point to the new policy server. Edit the master-host entry in each of the following configuration files:

• Access Manager Runtime
/opt/PolicyDirector/etc/pd.conf

• Access Manager Authorization Server
/opt/PolicyDirector/etc/ivacld.conf

17. Start the authorization server daemon (pdacld):


pd_start start

18. Confirm that the authorization server is running:


pd_start status

19. Make sure that you can contact the policy server. For example, log in to the pdadmin interface and run a command:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

The upgrade of the authorization server for Linux on System z is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

Linux on POWER: Upgrading the authorization server


To upgrade an authorization server system for Linux on POWER, complete the following instructions:

1. Before upgrading the authorization server to 6.1.1, review the considerations in "Upgrade considerations" on page 79.

2. Log in as root.

3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.

4. Insert the IBM Tivoli Access Manager Base for Linux on POWER CD and mount it.

5. Change to the following directory:
cd cd_mount_pt/linux_ppc

where cd_mount_pt is where the CD is mounted.

6. Stop all Tivoli Access Manager applications and services:
pd_start stop

7. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

8. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:

-list fullpath_to_backup_listfile
    Specifies the fully qualified path to the backup list file. For example:
    /opt/PolicyDirector/etc/pdbackup.lst

-path path
    Specifies the path where you want the backed up files to be stored. For example:
    /var/PolicyDirector/pdbackup

-file filename
    Specifies a file name other than the list_date.time[.tar] default file name.

For more information about the pdbackup utility, see Appendix A, "Upgrade utilities," on page 281.

9. Install or upgrade IBM Global Security Kit (GSKit). If you have a version of Global Security Kit prior to GSKit 7 installed or if you do not have a version of GSKit installed at all, install GSKit 7:
rpm -i gsk7bas-7.0-4.28.ppc.rpm

Or, if you have an earlier version of GSKit 7 installed, upgrade to GSKit 7.0-4.28:
rpm -U gsk7bas-7.0-4.28.ppc.rpm

10. Install the client packages of Tivoli Directory Server:


rpm -i packages

where packages are as follows:

Base client package     idsldap-cltbase61-6.1.0-6.ppc.rpm
32-bit client package   idsldap-clt32bit61-6.1.0-6.ppc.rpm

Note: The 32-bit client package requires the base client package. For example, enter:
rpm -i idsldap-cltbase61-6.1.0-6.ppc.rpm idsldap-clt32bit61-6.1.0-6.ppc.rpm

11. Ensure that your registry server and policy server are running.

12. Do one of the following:

• If you are upgrading from Tivoli Access Manager 6.0, upgrade the Access Manager License:
rpm -U PDlic-PD-6.1.1-0.ppc.rpm

where PDlic-PD-6.1.1-0.ppc.rpm is the Access Manager License package.

• If you are upgrading from Tivoli Access Manager 5.1, install the Access Manager License:
rpm -i PDlic-PD-6.1.1-0.ppc.rpm

where PDlic-PD-6.1.1-0.ppc.rpm is the Access Manager License package.

13. Do one of the following:

• If you are upgrading from Tivoli Access Manager 6.0, upgrade the Tivoli Security Utilities:
rpm -U TivSecUtl-TivSec-6.1.1-0.ppc.rpm

where TivSecUtl-TivSec-6.1.1-0.ppc.rpm is the Tivoli Security Utilities package.

• If you are upgrading from Tivoli Access Manager 5.1, install the Tivoli Security Utilities:
rpm -i TivSecUtl-TivSec-6.1.1-0.ppc.rpm

where TivSecUtl-TivSec-6.1.1-0.ppc.rpm is the Tivoli Security Utilities package.

14. Upgrade Access Manager Runtime:
rpm -U PDRTE-PD-6.1.1-0.ppc.rpm

where PDRTE-PD-6.1.1-0.ppc.rpm is the Access Manager Runtime package.

15. Upgrade Access Manager Authorization Server:
rpm -U PDAcld-PD-6.1.1-0.ppc.rpm

where PDAcld-PD-6.1.1-0.ppc.rpm is the Access Manager Authorization Server package.

16. If the two-system upgrade option was used for the policy server, the master-host record must be updated to point to the new policy server. Edit the master-host entry in each of the following configuration files:

• Access Manager Runtime
/opt/PolicyDirector/etc/pd.conf

• Access Manager Authorization Server
/opt/PolicyDirector/etc/ivacld.conf

17. Start the authorization server daemon (pdacld):


pd_start start

18. Confirm that the authorization server is running:


pd_start status

19. Make sure that you can contact the policy server. For example, log in to the pdadmin interface and run a command:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

The upgrade of the authorization server for Linux on POWER is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

Solaris: Upgrading the authorization server


To upgrade an authorization server system on Solaris, complete the following instructions:

1. Before upgrading the authorization server to 6.1.1, review the considerations in "Upgrade considerations" on page 79.

2. Log in as root.

3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.

4. Insert the IBM Tivoli Access Manager Base for Solaris CD.

5. Stop all Tivoli Access Manager applications and services:
pd_start stop

6. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

7. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename


where:

-list fullpath_to_backup_listfile
    Specifies the fully qualified path to the backup list file. For example:
    /opt/PolicyDirector/etc/pdbackup.lst

-path path
    Specifies the path where you want the backed up files to be stored. For example:
    /var/PolicyDirector/pdbackup

-file filename
    Specifies a file name other than the list_date.time[.tar] default file name.

For more information about the pdbackup utility, see Appendix A, "Upgrade utilities," on page 281.

8. Install the Global Security Kit (GSKit):
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault gsk7bas

where /cdrom/cdrom0/solaris specifies the location of the package and /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script.

Note: During installation, you are asked if you want to use /opt as the root directory. If space permits, use /opt as the root installation directory. To accept /opt as the root directory, press Enter.

9. Install the client packages of the Tivoli Directory Server:
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault packages

where /cdrom/cdrom0/solaris specifies the location of the package, /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script, and packages are as follows:

Base client package     IDSlbc61
32-bit client package   IDSl32c61

Note: The 32-bit client package requires the base client package.

10. Ensure that your registry server and policy server are running.

11. Install or upgrade Access Manager License:

Note: If you are upgrading from Tivoli Access Manager 5.1, Access Manager License is installed. If you are upgrading from Tivoli Access Manager 6.0, Access Manager License is upgraded.
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault PDlic

where /cdrom/cdrom0/solaris specifies the location of the package, /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script, and PDlic is the Access Manager License package.

12. Install or upgrade Tivoli Security Utilities:

Note: If you are upgrading from Tivoli Access Manager 5.1, Tivoli Security Utilities is installed. If you are upgrading from Tivoli Access Manager 6.0, the Tivoli Security Utilities is upgraded.
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault TivSecUtl

where /cdrom/cdrom0/solaris specifies the location of the package, /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script, and TivSecUtl is the Tivoli Security Utilities package.

13. Upgrade Access Manager Runtime:
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault PDRTE

where /cdrom/cdrom0/solaris specifies the location of the package, /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script, and PDRTE is the Access Manager Runtime package.

14. Upgrade Access Manager Authorization Server:
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault PDAcld

where /cdrom/cdrom0/solaris specifies the location of the package, /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script, and PDAcld is the Access Manager Authorization Server package.

15. If the two-system upgrade option was used for the policy server, the master-host record must be updated to point to the new policy server. Edit the master-host entry in each of the following configuration files:

• Access Manager Runtime
/opt/PolicyDirector/etc/pd.conf

• Access Manager Authorization Server
/opt/PolicyDirector/etc/ivacld.conf

16. Start the authorization server daemon (pdacld):


pd_start start

17. Confirm that the authorization server is running:


pd_start status

18. Make sure that you can contact the policy server. For example, log in to the pdadmin interface and run a command:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

The upgrade of the authorization server for Solaris is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

Solaris on x86_64: Upgrading the authorization server


To upgrade an authorization server system on Solaris on x86_64, complete the following instructions:

1. Before upgrading the authorization server to 6.1.1, review the considerations in "Upgrade considerations" on page 79.

2. Log in as root.

3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.

4. Insert the IBM Tivoli Access Manager Base for Solaris on x86_64 CD.

5. Stop all Tivoli Access Manager applications and services:
pd_start stop

6. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status


If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

7. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:

-list fullpath_to_backup_listfile
    Specifies the fully qualified path to the backup list file. For example:
    /opt/PolicyDirector/etc/pdbackup.lst

-path path
    Specifies the path where you want the backed up files to be stored. For example:
    /var/PolicyDirector/pdbackup

-file filename
    Specifies a file name other than the list_date.time[.tar] default file name.

For more information about the pdbackup utility, see Appendix A, "Upgrade utilities," on page 281.

8. Install the Global Security Kit (GSKit):
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault gsk7bas

where /cdrom/cdrom0/solaris_x86 specifies the location of the package and /cdrom/cdrom0/solaris_x86/pddefault specifies the location of the installation administration script.

Note: During installation, you are asked if you want to use /opt as the root directory. If space permits, use /opt as the root installation directory. To accept /opt as the root directory, press Enter.

9. Install the client packages of the Tivoli Directory Server:
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault packages

where /cdrom/cdrom0/solaris_x86 specifies the location of the package, /cdrom/cdrom0/solaris_x86/pddefault specifies the location of the installation administration script, and packages are as follows:

Base client package     IDSlbc61
32-bit client package   IDSl32c61

Note: The 32-bit client package requires the base client package.

10. Ensure that your registry server and policy server are running.

11. Upgrade Tivoli Security Utilities:
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault TivSecUtl

where /cdrom/cdrom0/solaris_x86 specifies the location of the package, /cdrom/cdrom0/solaris_x86/pddefault specifies the location of the installation administration script, and TivSecUtl is the Tivoli Security Utilities package.

12. Upgrade Access Manager License:
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault PDlic

where /cdrom/cdrom0/solaris_x86 specifies the location of the package, /cdrom/cdrom0/solaris_x86/pddefault specifies the location of the installation administration script, and PDlic is the Access Manager License package.

13. Upgrade Access Manager Runtime:
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault PDRTE

where /cdrom/cdrom0/solaris_x86 specifies the location of the package, /cdrom/cdrom0/solaris_x86/pddefault specifies the location of the installation administration script, and PDRTE is the Access Manager Runtime package.

14. Upgrade Access Manager Authorization Server:
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault PDAcld

where /cdrom/cdrom0/solaris_x86 specifies the location of the package, /cdrom/cdrom0/solaris_x86/pddefault specifies the location of the installation administration script, and PDAcld is the Access Manager Authorization Server package.

15. If the two-system upgrade option was used for the policy server, the master-host record must be updated to point to the new policy server. Edit the master-host entry in each of the following configuration files:

• Access Manager Runtime
/opt/PolicyDirector/etc/pd.conf

• Access Manager Authorization Server
/opt/PolicyDirector/etc/ivacld.conf

16. Start the authorization server daemon (pdacld):


pd_start start

17. Confirm that the authorization server is running:


pd_start status

18. Make sure that you can contact the policy server. For example, log in to the pdadmin interface and run a command:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

The upgrade of the authorization server for Solaris on x86_64 is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

Windows: Upgrading the authorization server


To upgrade an authorization server system on Windows, complete the following instructions:

1. Before upgrading the authorization server to 6.1.1, review the considerations in "Upgrade considerations" on page 79.

2. Log in as a user with administrative privileges.

3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.

4. Insert the IBM Tivoli Access Manager Base for Windows CD.

5. Exit all running programs. During the upgrade process, you are prompted to restart your Windows system periodically.

6. Stop all Tivoli Access Manager applications and services. For example, on Windows 2003 systems, select Start > Control Panel > Administrative Tools. Double-click the Services icon, and stop all Tivoli Access Manager services running on the local system, including applications, such as WebSEAL. From Services, find the Access Manager Auto-Start Service. Double-click this service and change the startup type to Disabled.

7. Use the pdbackup utility to back up critical Tivoli Access Manager information:
"C:\Program Files\Tivoli\Policy Director\bin\pdbackup" -action backup -list fullpath_to_backup_listfile -path path -file filename

where:

-list fullpath_to_backup_listfile
    Specifies the fully qualified path to the backup list file. For example:
    "C:\Program Files\Tivoli\Policy Director\etc\pdbackup.lst"

-path path
    Specifies the path where you want the backed up files to be stored. For example:
    "C:\Program Files\Tivoli\Policy Director\pdbackup"

-file filename
    Specifies a file name other than the list_date.time[.dar] default file name.

For more information about the pdbackup utility, see Appendix A, "Upgrade utilities," on page 281.

8. Install the Global Security Kit (GSKit). To do so, change to the \windows\GSKit directory on the drive where the CD is located and enter:
setup policydirector

Follow the online instructions to complete the installation.

9. If you are using an LDAP server as your registry, install the Tivoli Directory Server client by running the install_tds.exe script in windows\tds (if necessary). Select to install C Client 6.1 and follow the online instructions to complete the installation.

Note: If you are using Domino or Active Directory as your registry and the Tivoli Access Manager systems in your domain are Windows-based, the Tivoli Directory Server client is not required.

10. Ensure that your registry server and policy server are running.

11. Install the security utilities by running the setup.exe script in the \windows\TivSecUtl\Disk Images\Disk1 directory. Select to install Tivoli Security Utilities, and follow the online instructions to complete the installation.

12. Upgrade components by running the setup.exe script in the \windows\PolicyDirector\Disk Images\Disk1 directory. Select to install the following components in this sequence:

• Access Manager License
• Access Manager Runtime
• Access Manager Authorization Server

Follow the online instructions to complete the installation.

Note: You are prompted to restart your system to complete this process.

13. Start all Tivoli Access Manager applications and services. For example, on Windows 2003 systems, select Start > Control Panel > Administrative Tools, and then double-click the Services icon. Start all Tivoli Access Manager services running on the local system, including applications, such as WebSEAL. From Services, find the Access Manager Auto-Start Service. Double-click this service and change the startup type to Automatic.

14. If the two-system upgrade option was used for the policy server, the master-host record must be updated to point to the new policy server. Edit the master-host entry in each of the following configuration files:

• Access Manager Runtime
install_path\etc\pd.conf

• Access Manager Authorization Server
install_path\etc\ivacld.conf

15. Start the authorization server service (pdacld). To do so, for example on Windows 2003, click Start > Control Panel > Administrative Tools. Double-click the Services icon, and start the service.

16. Confirm that the authorization server is running. For example, on Windows 2003 systems, select Start > Control Panel > Administrative Tools. Double-click the Services icon to verify if the service is running.

17. Make sure that you can contact the authorization server. For example, log in to the pdadmin interface and run a command:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

The upgrade of the authorization server on Windows is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.


Chapter 5. Upgrading WebSEAL


Upgrade steps are identical regardless of whether you are upgrading WebSEAL using LDAP, Domino, or Active Directory registries. The following platform-specific instructions are provided:

• AIX on page 101
• HP-UX on page 106
• HP-UX on Integrity on page 110
• Linux on x86 on page 115
• Linux on System z on page 120
• Solaris on page 124
• Solaris on x86_64 on page 130
• Windows on page 135

Upgrade considerations
• When WebSEAL is installed, a directory named html.tivoli is installed in the pdweb directory. The html.tivoli directory contains the default versions of the various files used in the instances, including files such as the login and error pages. These files are copied to the directories for the individual instances when the instances are created. When upgrading from a previous version of WebSEAL, the latest versions of the files provided with the new version of WebSEAL will be installed in the html.tivoli directory and new instances that are created after the upgrade will make use of these files. However, existing instances will not be modified and corresponding files of the same names as those found in the html.tivoli directory will not be overwritten when the upgrade is performed. The reason for this is that you may have customized these files. It is recommended that you review your existing files in the existing instances and consider whether you want to modify them to incorporate the new versions of the files contained in the html.tivoli directory.

• Upgrade your operating system to the minimum supported level. For information about minimum supported levels, see IBM Tivoli Access Manager for e-business: Release Notes.

• In Tivoli Directory Server version 6.1, clients can coexist on the same machine with a client that is version 5.1, 5.2, or 6.0. The Tivoli Directory Server 6.1 server requires that the version 6.1 client and the Java client also be installed. In addition, the server can coexist on the same machine with another client that is version 5.1, 5.2 or 6.0, or with a version of the 6.0 server.

• You are not required to upgrade all Tivoli Access Manager components in your secure domain to a 6.1.1 level. However, if you upgrade any Tivoli Access Manager component in your secure domain to a 6.1.1 level, you must install Tivoli Directory Server client 6.1 on that system.
For a list of components that are compatible with Tivoli Access Manager 6.1.1, see the IBM Tivoli Access Manager for e-business: Release Notes.


• In general, if Tivoli Directory Server is your registry server and is located on a different machine from any Tivoli Access Manager component, you can upgrade the registry server at any time, before or after the upgrade of the Tivoli Access Manager 6.1.1 component. However, when the server package of Tivoli Directory Server is installed on the same machine as any Tivoli Access Manager 6.1.1 component and if you choose to install the server package of Tivoli Directory Server 6.1, it is recommended that you install the Tivoli Directory Server 6.1 client and server packages at the same time as you install the Tivoli Access Manager 6.1.1 component on that machine.

• If there is only one WebSEAL server in your production environment, you must schedule downtime to upgrade the WebSEAL server.

• If there is a WebSEAL instance server in your production environment, follow the upgrading instructions in "AIX: Upgrading WebSEAL" on page 101 to upgrade one of the WebSEAL servers to 6.1.1 while the other continues to provide service.

• If you modified WebSEAL libraries, such as libcdmf.a or any CDAS libraries, you must back up these files to preserve your updates. To do so, manually copy the files to another location. After you install the WebSEAL 6.1.1 package, you can restore the backed up files before starting WebSEAL.

• During the upgrade of a WebSEAL instance to 6.1.1, existing symbolic links that were created during the initial configuration are retained. When you configure new WebSEAL instances with 6.1.1, no symbolic links are created. Before 6.1.1, the configuration process created symbolic links. Starting with 6.1.1, the configuration process no longer creates symbolic links. For consistency, consider removing symbolic links from WebSEAL instances.

• If you are upgrading and using a language other than English, remember to upgrade your language package. Refer to the IBM Tivoli Access Manager for e-business: Installation Guide to install the language package.
However, when upgrading the IBM Tivoli Directory Server language packages, you must use the upgrade (-U) option for Linux operating systems.

• For AIX systems only: If you are planning to upgrade WebSEAL that is currently running on AIX 3.1, AIX 4.3.3 or AIX 5.1.0, you must upgrade the operating system to AIX 5.2.0 or AIX 5.3.0 before upgrading WebSEAL.

• For Windows systems only: If you are planning to upgrade WebSEAL that is currently running on a Windows NT or Windows 2000 platform, you must upgrade the operating system to one of the following Windows platforms before upgrading WebSEAL:
  - Windows 2003 Standard Server and Enterprise Server
  - Windows 2003 64-bit AMD/EMT
Before upgrading, stop all Tivoli Access Manager services running on the local system, including applications such as WebSEAL. Also, for each WebSEAL instance, change the startup type for Access Manager Auto-Start Service and Auto Trace Runtime to Manual. After upgrading, change the startup type back to Automatic.
During the upgrade process, if you receive a message stating that files are locked by a process, click Ignore. This message does not adversely affect the upgrade process.
If you are upgrading and using a language other than English, remember to upgrade your language package. Refer to the IBM Tivoli Access Manager for e-business: Installation Guide to install the language package. However, when upgrading the IBM Tivoli Directory Server language packages, you must use the upgrade (-U) option for Linux operating systems.

• On AIX, HP-UX, Linux on x86, Linux on System z, Solaris and Windows systems only: Upgrade the session management server before upgrading WebSEAL and Web Plug-in servers. See Chapter 10, "Upgrading the session management server," on page 217 for more information.

AIX: Upgrading WebSEAL


This section describes an upgrade of WebSEAL on AIX to version 6.1.1. In addition, you can use this section to upgrade the Access Manager Web Security Application Development Kit (Web Security ADK) and the Access Manager Application Development Kit (ADK) at the same time that you upgrade WebSEAL.

AIX: Upgrading WebSEAL


To upgrade WebSEAL on AIX, complete the following instructions:

1. Before upgrading WebSEAL to 6.1.1, review the considerations in "Upgrade considerations" on page 99.
2. Log in as root.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
   Note: The AIX operating system requires version 8.0.0.x of the xlC fileset. Check your current version by using the lslpp command and upgrade, if necessary.
4. Ensure that the policy server for the secure domain is upgraded to version 6.1.1. For instructions, see Chapter 3, "Upgrading the policy server," on page 17.
5. Make sure that you can contact the policy server. For example, log in to the pdadmin interface and run a command:

   pdadmin -a sec_master -p password
   pdadmin sec_master> acl list

   If you cannot log in, do not proceed with the WebSEAL upgrade. Resolve the login problem before continuing. If you upgraded the policy server using two systems, step 11a on page 103 might help you resolve your login problem.
6. Insert the IBM Tivoli Access Manager Web Security for AIX CD and mount it.
7. Stop WebSEAL and any Tivoli Access Manager service that is running on the system. To stop applications and services, use the pd_start utility:

   pdweb stop

8. Confirm that all Tivoli Access Manager services and applications are stopped:

   pdweb status

   If any Tivoli Access Manager service or application is still running, issue the kill command:

   kill -9 daemon_process_id

9. If you have not backed up your Access Manager Runtime information, see step 7 on page 142 to use the pdbackup utility to back up the information.
10. Perform these steps:
    • Run the following command:

      sed "s/instance/webs01/g" <mount_point>/<operating system>/migrate/migXXto61instanceweb.lst.template > /tmp/migXXto61webs01.lst

      An example of the operating system is linux_i386. This command creates a new file called /tmp/migXXto61webs01.lst and substitutes every occurrence of "instance" with "webs01" in the file. This newly created file is the file you must use with the pdbackup command.
    • Use the pdbackup utility to back up WebSEAL information:

      /opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

      where:

      -list fullpath_to_backup_listfile
          Specifies the fully qualified path to the backup list file. For example:

          /tmp/migxxto61instanceweb.lst

          where xx is the version of software that you are migrating from and instanceweb is the name of the Web server. The names of the backup list files would be as follows:

          Version   Instance server list file
          6.0       mig60to61instanceweb.lst.template
          5.1       mig51to61instanceweb.lst.template

          Because there is no list file for the default instance for version 5.1, you can copy and rename the mig51to61instanceweb.lst.template to the name of your Web server list file. For example, if your Web server is named webs01, you would copy and rename it to mig51to61webs01.lst. See step 10 on page 101 for instructions on how to copy and rename the mig51to61instanceweb.lst.template to the name of your Web server list file.
          Note: If you have more than one instance, make sure you back up all the instances.

      -path path
          Specifies the path where you want the backed up files to be stored. For example:

          /var/PolicyDirector/pdbackup

      -file filename
          Specifies a file name other than the list_date.time[.tar] default file name.

      You can use the pdbackup utility to copy and restore data. For more information about the pdbackup utility, see Appendix A, "Upgrade utilities," on page 281.
11. Do one of the following:
    • If you upgraded the policy server on one system, skip to step 12 on page 103.
    • If you upgraded the policy server using two systems, perform the following steps:

      a. Manually configure WebSEAL to use the new policy server. To do so, edit the webseald-instance.conf and pd.conf files and change the master-host entry in the [manager] stanza to the following:

         master-host=host_name

         where host_name is the fully-qualified host name of the version 6.1.1 policy server for the domain to which WebSEAL belongs. For example:

         master-host=server1.austin.ibm.com

      b. Start WebSEAL:

         pdweb start default

      c. Confirm that WebSEAL can contact the new policy server. To do so, run a sample pdadmin command. For example:

         pdadmin -a sec_master -p password
         pdadmin sec_master> acl list

      d. Stop WebSEAL:

         pdweb stop instance

12. Do one of the following:
    • To upgrade WebSEAL using the installation wizard, follow these steps:
      a. Ensure that IBM Java Runtime 1.5.0 SR5 is installed. To install this package, enter:

         installp -acgYXd cd_mount_pt/usr/sys/inst.images Java5.sdk

         where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located and Java5.sdk is the IBM Java Runtime package. You must set the PATH environment variable:

         export PATH=jre_path:$PATH

         For example:

         export PATH=/usr/Java15/jre/bin:$PATH

      b. Run the install_amweb program, located in the root directory on the IBM Tivoli Access Manager Web Security for AIX CD. This program installs or upgrades the following required components:
         - Global Security Kit
         - Tivoli Directory Server client
         - Tivoli Security Utilities
         - Access Manager License
         - Access Manager Runtime
         - Access Manager Web Security Runtime
         - Access Manager WebSEAL
    • To upgrade WebSEAL using a native installation utility, such as installp, follow these steps:
      a. Install the Global Security Kit (GSKit):

         installp -acgYXd cd_mount_pt/usr/sys/inst.images gskta.rte

         where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located.
      b. Install the client packages of Tivoli Directory Server:

         installp -acgYXd cd_mount_pt/usr/sys/inst.images packages

         where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located and packages are the names of the Tivoli Directory Server client packages:

         Client base package                 idsldap.cltbase61
         Client package (32-bit) (no SSL)    idsldap.clt32bit61
         Client package (32-bit) (SSL)       idsldap.clt_max_crypto32bit61

         Note: The 32-bit client package requires the base client package.
      c. Ensure that your registry server is running.
      d. Install or upgrade Tivoli Security Utilities:
         Note: If you are upgrading from Tivoli Access Manager 5.1, Tivoli Security Utilities is installed. If you are upgrading from Tivoli Access Manager 6.0, the Tivoli Security Utilities is upgraded.

         installp -acgYXd cd_mount_pt/usr/sys/inst.images TivSec.Utl

         where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located and TivSec.Utl is the Tivoli Security Utilities package.
      e. Install or upgrade Access Manager License:
         Note: If you are upgrading from Tivoli Access Manager 5.1, Access Manager License is installed. If you are upgrading from Tivoli Access Manager 6.0, Access Manager License is upgraded.

         installp -acgYXd cd_mount_pt/usr/sys/inst.images PD.lic

         where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located and PD.lic is the Access Manager License package.
      f. Upgrade Access Manager Runtime:

         installp -acgYXd cd_mount_pt/usr/sys/inst.images PD.RTE

         where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located and PD.RTE is the Access Manager Runtime package.
      g. Ensure that Access Manager Runtime is working, and that you can contact the policy server. For example, log in to the pdadmin interface and run a command:

         pdadmin -a sec_master -p password
         pdadmin sec_master> acl list

      h. Upgrade Access Manager Web Security Runtime:

         installp -acgNXd cd_mount_pt/usr/sys/inst.images PDWeb.RTE

         where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located and PDWeb.RTE is the Access Manager Web Security Runtime package.
      i. Upgrade Access Manager WebSEAL:

         installp -acgNXd cd_mount_pt/usr/sys/inst.images PDWeb.Web

         where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located and PDWeb.Web is the Access Manager WebSEAL package.
13. If you modified WebSEAL libraries, such as libcdmf.a or any CDAS libraries, and manually copied the files to another location to preserve your updates before upgrading, move the copied files back after you install the WebSEAL 6.1.1 package and before you start WebSEAL.
14. Start the WebSEAL daemon (webseald) manually in the foreground, which causes WebSEAL to migrate the configuration files.

    /opt/pdweb/bin/webseald -config etc/webseald-default.conf -foreground

    Note: Ignore any messages that are displayed. These are not errors. For example, you might encounter [failover-attribute] or [webseal-config] stanza messages.
15. Confirm that WebSEAL started successfully. To do so, use a browser to access the WebSEAL URL (https://servername) and log in to WebSEAL.
    Note: The splash screen that appears might still display a previous version number. This is a known limitation and can be ignored.
16. Press the Ctrl+C keys to stop the WebSEAL process (webseald) running in the foreground.
17. Start WebSEAL:

    pdweb start instance

    where instance is the name of the instance you need to configure.
18. Optional: Upgrade WebSEAL instances.
    a. For the WebSEAL instance server, start the server manually in the foreground. This command causes WebSEAL to migrate the configuration files.

       /opt/pdweb/bin/webseald -config etc/webseald-instance.conf -foreground

       where instance is the name of the instance you want to upgrade.
       Note: Ignore any messages that are displayed. These are not errors. For example, you might encounter stanza messages.
    b. Confirm that the WebSEAL instance server started successfully. To do so, use a browser to access the WebSEAL URL (https://instance_servername) and log in to WebSEAL.
       Note: The splash screen that appears might still display a previous version number. This is a known limitation and can be ignored.
    c. Press the Ctrl+C keys to stop the WebSEAL (webseald) process running in the foreground.
    d. Start the WebSEAL instance server:

       pdweb start instance-name

    e. Repeat these steps for each instance.
    The upgrade of WebSEAL on AIX is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.
19. Optional: To upgrade the Access Manager Web Security Application Development Kit (Web security ADK) on your WebSEAL system, enter:

    installp -acgNXd cd_mount_pt/usr/sys/inst.images PD.AuthADK PDWeb.ADK

    where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located, PD.AuthADK is the Access Manager Application Development Kit (Access Manager ADK), and PDWeb.ADK is the Access Manager Web Security Application Development Kit package.
    Note: The Web security ADK has a dependency on the Access Manager ADK component. Both ADK packages are included on the IBM Tivoli Access Manager Web Security for AIX CD.

You do not need to run pdconfig to configure components. For version 5.1 or later, the original webseald.conf configuration file is renamed to webseald-default.conf and your custom configuration settings are preserved and updated with version 6.1.1 stanzas and parameters. For an instance server, the configuration file is always named webseald-instance.conf.
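
Step 11a above changes the master-host entry in the [manager] stanza by hand. The shell function below is an added example, not code from the IBM guide: it rewrites the entry only inside [manager], keeps a .bak copy, and fails unless it finds exactly one entry to change. The function name and the file path in the usage comment are assumptions.

```shell
#!/bin/sh
# set_master_host CONF_FILE NEW_HOST   (hypothetical helper, not an IBM utility)
# Usage (path is a placeholder):
#   set_master_host /path/to/webseald-instance.conf server1.austin.ibm.com
# Run it once for webseald-instance.conf and once for pd.conf.
set_master_host() {
    conf=$1
    new_host=$2

    [ -f "$conf" ] || { echo "missing file: $conf" >&2; return 1; }

    # Accept only host-name characters so nothing else reaches the config file.
    case $new_host in
        ''|*[!A-Za-z0-9.-]*)
            echo "invalid host name: $new_host" >&2
            return 1 ;;
    esac

    tmp="$conf.new.$$"
    cp -p "$conf" "$conf.bak" || return 1

    # Track the current stanza; touch master-host only while inside [manager].
    # Commented-out entries and entries in other stanzas are left alone.
    if ! awk -v host="$new_host" '
        /^[ \t]*\[/ {
            in_manager = ($0 ~ /^[ \t]*\[manager\][ \t]*$/)
        }
        in_manager && /^[ \t]*master-host[ \t]*=/ {
            match($0, /=[ \t]*/)
            # Keep the original key and spacing, replace only the value.
            print substr($0, 1, RSTART + RLENGTH - 1) host
            changed++
            next
        }
        { print }
        END { exit (changed == 1 ? 0 : 2) }
    ' "$conf" > "$tmp"; then
        rm -f "$tmp"
        echo "no single master-host entry in [manager] of $conf; file unchanged" >&2
        return 1
    fi

    # Write through the existing file so its owner and mode are preserved.
    cat "$tmp" > "$conf" && rm -f "$tmp"
}
```

After the change, the pdadmin check in step 11c confirms that WebSEAL reaches the new policy server.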

HP-UX: Upgrading WebSEAL


This section describes an upgrade of WebSEAL on HP-UX to version 6.1.1. In addition, you can use this section to upgrade the Access Manager Web Security Application Development Kit (Web Security ADK) and the Access Manager Application Development Kit (ADK) at the same time that you upgrade WebSEAL.

HP-UX: Upgrading WebSEAL


To upgrade a WebSEAL system on HP-UX, complete the following instructions:

1. Before upgrading WebSEAL to 6.1.1, review the considerations in "Upgrade considerations" on page 99.
2. Log in as root.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
4. Ensure that the policy server for the secure domain is upgraded to version 6.1.1. For instructions, see Chapter 3, "Upgrading the policy server," on page 17.
5. Make sure that you can contact the policy server. For example, log in to the pdadmin interface and run a command:

   pdadmin -a sec_master -p password
   pdadmin sec_master> acl list

   If you cannot log in, do not proceed with the WebSEAL upgrade. Resolve the login problem before continuing. If you upgraded the policy server using two systems, step 11a on page 107 might help you resolve your login problem.
6. Insert the IBM Tivoli Access Manager Web Security for HP-UX CD.
7. Mount the CD using the HP-UX mount command. For example, enter the following command:

   mount -F cdfs -o rr /dev/dsk/c0t0d0 /cd-rom

   where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and cd-rom specifies the mount point.
8. Stop WebSEAL and any Tivoli Access Manager service that is running on the system. To stop applications and services, use the pdweb utility:

   pdweb stop

9. If you have not backed up your Access Manager Runtime information, see step 8 on page 144 to use the pdbackup utility to back up the information.
10. Perform these steps:
    • Run the following command:

      sed "s/instance/webs01/g" cd_mount_pt/usr/sys/inst.images/migrate/migXXto61instanceweb.lst.template > /tmp/migXXto61webs01.lst

      This command creates a new file called /tmp/migXXto61webs01.lst and substitutes every occurrence of "instance" with "webs01" in the file. This newly created file is the file you must use with the pdbackup command.
    • Use the pdbackup utility to back up the WebSEAL information:

      /opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

      where:

      -list fullpath_to_backup_listfile
          Specifies the fully qualified path to the backup list file. For example:

          /tmp/migxxto61instanceweb.lst

          where xx is the version of software that you are migrating from and instanceweb is the name of the Web server. The names of the backup list files would be as follows:

          Version   Instance server list file
          6.0       mig60to61instanceweb.lst.template
          5.1       mig51to61instanceweb.lst.template

          Because there is no list file for the default instance for version 5.1, you can copy and rename the mig51to61instanceweb.lst.template to the name of your Web server list file. For example, if your Web server is named webs01, you would copy and rename it to mig51to61webs01.lst. See step 10 on page 106 for instructions on how to copy and rename the mig51to61instanceweb.lst.template to the name of your Web server list file.
          Note: If you have more than one instance, make sure you back up all the instances.

      -path path
          Specifies the path where you want the backed up files to be stored. For example:

          /var/PolicyDirector/pdbackup

      -file filename
          Specifies a file name other than the list_date.time[.tar] default file name.

      You can use the pdbackup utility to both back up and restore data. For more information about the pdbackup utility, see Appendix A, "Upgrade utilities," on page 281.
11. Do one of the following:
    • If you upgraded the policy server on one system, skip to step 12 on page 108.
    • If you upgraded the policy server using two systems, perform the following steps:
      a. Manually configure WebSEAL to use the new policy server. To do so, edit the webseald-instance.conf and the pd.conf files and change the master-host entry in the [manager] stanza to the following:

         master-host=host_name

         where host_name is the fully-qualified host name of the version 6.1.1 policy server for the domain to which WebSEAL belongs. For example:
         master-host=server1.austin.ibm.com

      b. Start WebSEAL:

         pdweb start default

      c. Confirm that WebSEAL can contact the new policy server. To do so, run a sample pdadmin command. For example:

         pdadmin -a sec_master -p password
         pdadmin sec_master> acl list

      d. Stop WebSEAL:

         pdweb stop instance

12. Do one of the following:
    • To upgrade WebSEAL using the installation wizard, follow these steps:
      a. Ensure that IBM Java Runtime 1.5 SR5 is installed. To install this package:
         1) Enter: mkdir -p /usr/java15
         2) Enter: cd /usr/java15
         3) Enter: zcat cd-rom/hp/hpuxdevhybrid-20070511a-sdk.tar.Z | tar -xvf -
         where cd-rom is the CD mount point, /cd-rom/hp is the directory where the installation images are located, and hpuxdevhybrid-20070511a-sdk.tar.Z is the IBM Java Runtime package. Note that you must have both the zcat file uncompress and the tar file extraction utilities. Also, the directories for both utilities must be defined by your PATH environment variable. You must set the PATH environment variable:

         PATH=java_path:$PATH

      b. Run the install_amweb program, located in the root directory on the IBM Tivoli Access Manager Web Security for HP-UX CD. This program installs or upgrades the following required components:
         - Global Security Kit
         - Tivoli Directory Server client
         - Access Manager License
         - Tivoli Security Utilities
         - Access Manager Runtime
         - Access Manager Web Security Runtime
         - Access Manager WebSEAL
    • To upgrade WebSEAL using a native installation utility, such as swinstall, follow these steps:
      a. Install the Global Security Kit (GSKit):

         swinstall -s /cd-rom/hp gsk7bas

         where /cd-rom/hp is the directory where the installation images are located.
      b. Install the client packages of Tivoli Directory Server client:

         swinstall -s /cd-rom/hp packages

         where /cd-rom/hp is the directory where the installation images are located and packages are as follows:

         Base client package                 idsldap.cltbase61
         Client package (32-bit) (no SSL)    idsldap.clt32bit61

         Note: The 32-bit client package requires the base client package.
      c. Ensure that your registry server is running.
      d. Install or upgrade Tivoli Security Utilities:
         Note: If you are upgrading from Tivoli Access Manager 5.1, Tivoli Security Utilities is installed. If you are upgrading from Tivoli Access Manager 6.0, Tivoli Security Utilities is upgraded.

         swinstall -s /cd-rom/hp TivSecUtl

         where /cd-rom/hp is the directory where the installation images are located and TivSecUtl is the Tivoli Security Utilities package.
      e. Install or upgrade Access Manager License:
         Note: If you are upgrading from Tivoli Access Manager 5.1, Access Manager License is installed. If you are upgrading from Tivoli Access Manager 6.0, the Access Manager License is upgraded.

         swinstall -s /cd-rom/hp PDlic

         where /cd-rom/hp is the directory where the installation images are located and PDlic is the Access Manager License package.
      f. Upgrade Access Manager Runtime:

         swinstall -s /cd-rom/hp PDRTE

         where /cd-rom/hp is the directory where the installation images are located and PDRTE is the Access Manager Runtime package.
      g. Ensure that Access Manager Runtime is working, and that you can contact the policy server. For example, log in to the pdadmin interface and run a command:

         pdadmin -a sec_master -p password
         pdadmin sec_master> acl list

      h. Upgrade Access Manager Web Security Runtime:

         swinstall -s /cd-rom/hp PDWebRTE

         where cd-rom/hp is the location where the installation images are located.
      i. Upgrade Access Manager WebSEAL:

         swinstall -s /cd-rom/hp PDWebWeb

         where cd-rom/hp is the location where the installation images are located.
13. If you modified WebSEAL libraries, such as libcdmf.sl or any CDAS libraries, and manually copied the files to another location to preserve your updates before upgrading, move the copied files back after you install the WebSEAL 6.1.1 package and before you start WebSEAL.
14. Start the WebSEAL daemon (webseald) manually in the foreground, which causes WebSEAL to migrate the configuration files.

    /opt/pdweb/bin/webseald -config etc/webseald-default.conf -foreground

    Note: Ignore any messages that are displayed. These are not errors. For example, you might encounter stanza messages.
15. Confirm that WebSEAL started successfully. To do so, use a browser to access the WebSEAL URL (https://servername) and log in to WebSEAL.
    Note: The splash screen that appears might still display a previous version. This is a known limitation and can be ignored.
16. Press the Ctrl+C keys to stop the WebSEAL process (webseald) running in the foreground.
17. Start WebSEAL:

    pdweb start instance

18. Optional: Upgrade any WebSEAL instance servers:
    a. For the WebSEAL instance server, start the server manually in the foreground. This command causes WebSEAL to migrate the configuration files.

       /opt/pdweb/bin/webseald -config etc/webseald-instance.conf -foreground

       where instance is the name of the instance you need to configure.
       Note: Ignore any messages that are displayed. These are not errors. For example, you might encounter stanza messages.
    b. Confirm that the WebSEAL instance server started successfully. To do so, use a browser to access the WebSEAL URL (https://instance_servername) and log in to WebSEAL.
       Note: The splash screen that appears might still display a previous version number. This is a known limitation and can be ignored.
    c. Press the Ctrl+C keys to stop the WebSEAL (webseald) process running in the foreground.
    d. Start the WebSEAL instance server:

       pdweb start instance_servername

    e. Repeat these steps for each instance.
    The upgrade of WebSEAL on HP-UX is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.
19. Optional: To install the Web Security application development kit (Web security ADK) on your WebSEAL system, enter:

    swinstall -s /cd-rom/hp PDAuthADK PDWebADK

    where /cd-rom/hp is the directory where the installation images are located, PDAuthADK is the Access Manager Application Development Kit (Access Manager ADK), and PDWebADK is the Web Security Application Development Kit package.
    Note: The Web security ADK has a dependency on the Tivoli Access Manager ADK component. Both ADK packages are included on the IBM Tivoli Access Manager Web Security for HP-UX CD.

You do not need to run pdconfig to configure components. For version 5.1 or later, the original webseald.conf configuration file is renamed to webseald-default.conf and your custom configuration settings are preserved and updated with version 6.1.1 stanzas and parameters. For an instance server, the configuration file is always named webseald-instance.conf.
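
Step 10 above builds one backup list file per instance with sed and notes that every instance must be backed up. The shell functions below are an added example, not part of the IBM guide: they repeat that step for each webseald-<name>.conf file found and report failure if any instance is missed. The function names, the directory arguments and the archive name passed to -file are assumptions.

```shell
#!/bin/sh
# pdbackup path as given in step 10; export PDBACKUP to override it (dry runs).
PDBACKUP=${PDBACKUP:-/opt/PolicyDirector/bin/pdbackup}

# make_list_file TEMPLATE INSTANCE OUT_DIR   (hypothetical helper)
# Applies the sed substitution from step 10 and prints the new list file path,
# for example mig60to61instanceweb.lst.template -> OUT_DIR/mig60to61webs01.lst
make_list_file() {
    template=$1 inst=$2 out_dir=$3

    # The name is spliced into a sed expression, so refuse characters such
    # as "/" or "&" that would change what the substitution does.
    case $inst in
        ''|*[!A-Za-z0-9_-]*)
            echo "unsafe instance name: $inst" >&2
            return 1 ;;
    esac
    case $template in
        *instanceweb.lst.template) ;;
        *) echo "not a list file template: $template" >&2; return 1 ;;
    esac
    [ -r "$template" ] || { echo "cannot read $template" >&2; return 1; }

    prefix=$(basename "$template" instanceweb.lst.template)   # e.g. mig60to61
    out="$out_dir/$prefix$inst.lst"
    sed "s/instance/$inst/g" "$template" > "$out" || return 1
    printf '%s\n' "$out"
}

# backup_all_instances TEMPLATE ETC_DIR LIST_DIR BACKUP_DIR   (hypothetical)
# ETC_DIR is the directory that holds the webseald-<name>.conf files.
# Succeeds only if at least one instance exists and all were backed up.
backup_all_instances() {
    template=$1 etc_dir=$2 list_dir=$3 backup_dir=$4
    count=0
    failed=0

    for conf in "$etc_dir"/webseald-*.conf; do
        [ -f "$conf" ] || continue            # glob matched nothing
        inst=${conf##*/webseald-}
        inst=${inst%.conf}
        count=$((count + 1))

        # make_list_file runs in a subshell, so it cannot clobber our variables.
        if list=$(make_list_file "$template" "$inst" "$list_dir") &&
           "$PDBACKUP" -action backup -list "$list" \
                       -path "$backup_dir" -file "webseal_$inst"; then
            echo "backed up instance: $inst"
        else
            echo "FAILED to back up instance: $inst" >&2
            failed=$((failed + 1))
        fi
    done

    [ "$count" -gt 0 ] && [ "$failed" -eq 0 ]
}
```

Continue with the upgrade only when backup_all_instances returns zero.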

HP-UX on Integrity: Upgrading WebSEAL


This section describes an upgrade of WebSEAL on HP-UX on Integrity to version 6.1.1. In addition, you can use this section to upgrade the Access Manager Web Security Application Development Kit (Web Security ADK) and the Access Manager Application Development Kit (ADK) at the same time that you upgrade WebSEAL.

HP-UX on Integrity: Upgrading WebSEAL


To upgrade a WebSEAL system on HP-UX on Integrity, complete the following instructions:

1. Before upgrading WebSEAL to 6.1.1, review the considerations in "Upgrade considerations" on page 99.
2. Log in as root.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
4. Ensure that the policy server for the secure domain is upgraded to version 6.1.1. For instructions, see Chapter 3, "Upgrading the policy server," on page 17.
5. Make sure that you can contact the policy server. For example, log in to the pdadmin interface and run a command:

   pdadmin -a sec_master -p password
   pdadmin sec_master> acl list

   If you cannot log in, do not proceed with the WebSEAL upgrade. Resolve the login problem before continuing. If you upgraded the policy server using two systems, step 11a on page 112 might help you resolve your login problem.
6. Insert the IBM Tivoli Access Manager Web Security for HP-UX on Integrity CD.
7. Mount the CD using the HP-UX mount command. For example, enter the following command:

   mount -F cdfs -o rr /dev/dsk/c0t0d0 /cd-rom

   where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and cd-rom specifies the mount point.
8. Stop WebSEAL and any Tivoli Access Manager service that is running on the system. To stop applications and services, use the pdweb utility:

   pdweb stop

9. If you have not backed up your Access Manager Runtime information, see step 8 on page 146 to use the pdbackup utility to back up the information.
10. Perform these steps:
    • Run the following command:

      sed "s/instance/webs01/g" cd_mount_pt/usr/sys/inst.images/migrate/mig60to61instanceweb.lst.template > /tmp/mig60to61webs01.lst

      This command creates a new file called /tmp/mig60to61webs01.lst and substitutes every occurrence of "instance" with "webs01" in the file. This newly created file is the file you must use with the pdbackup command.
    • Use the pdbackup utility to back up the WebSEAL information:

      /opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

      where:

      -list fullpath_to_backup_listfile
          Specifies the fully qualified path to the backup list file. For example:
          /tmp/migxxto61instanceweb.lst

          where xx is the version of software that you are migrating from and instanceweb is the name of the Web server. The names of the backup list files would be as follows:

          Version   Instance server list file
          6.0       mig60to61instanceweb.lst.template

          Note: If you have more than one instance, make sure you back up all the instances.

      -path path
          Specifies the path where you want the backed up files to be stored. For example:

          /var/PolicyDirector/pdbackup

      -file filename
          Specifies a file name other than the list_date.time[.tar] default file name.

      You can use the pdbackup utility to both back up and restore data. For more information about the pdbackup utility, see Appendix A, "Upgrade utilities," on page 281.
11. Do one of the following:
    • If you upgraded the policy server on one system, skip to step 12.
    • If you upgraded the policy server using two systems, perform the following steps:
      a. Manually configure WebSEAL to use the new policy server. To do so, edit the webseald-instance.conf and the pd.conf files and change the master-host entry in the [manager] stanza to the following:

         master-host=host_name

         where host_name is the fully-qualified host name of the version 6.1.1 policy server for the domain to which WebSEAL belongs. For example:

         master-host=server1.austin.ibm.com

      b. Start WebSEAL:

         pdweb start default

      c. Confirm that WebSEAL can contact the new policy server. To do so, run a sample pdadmin command. For example:

         pdadmin -a sec_master -p password
         pdadmin sec_master> acl list

      d. Stop WebSEAL:

         pdweb stop instance

12. Do one of the following:
    • To upgrade WebSEAL using the installation wizard, follow these steps:
      a. Ensure that IBM Java Runtime 1.5 SR5 is installed. To install this package:
         1) Enter: mkdir -p /usr/java15
         2) Enter: cd /usr/java15
         3) Enter: zcat cd-rom/hp_ia64/hpia32devhybrid-20070511-sdk.tar.Z | tar -xvf -

         where cd-rom is the CD mount point, /cd-rom/hp_ia64 is the directory where the installation images are located, and hpuxdevhybrid-20070511a-sdk.tar.Z is the IBM Java Runtime package. Note that you must have both the zcat file uncompress and the tar file extraction utilities. Also, the directories for both utilities must be defined by your PATH environment variable. You must set the PATH environment variable:

         PATH=java_path:$PATH

      b. Run the install_amweb program, located in the root directory on the IBM Tivoli Access Manager Web Security for HP-UX on Integrity CD. This program installs or upgrades the following required components:
         - Global Security Kit
         - Tivoli Directory Server client
         - Access Manager License
         - Tivoli Security Utilities
         - Access Manager Runtime
         - Access Manager Web Security Runtime
         - Access Manager WebSEAL
    • To upgrade WebSEAL using a native installation utility, such as swinstall, follow these steps:
      a. Install the Global Security Kit (GSKit):

         swinstall -s /cd-rom/hp_ia64 gsk7bas

         where /cd-rom/hp_ia64 is the directory where the installation images are located.
      b. Install the client packages of Tivoli Directory Server client:

         swinstall -s /cd-rom/hp_ia64 packages

         where /cd-rom/hp_ia64 is the directory where the installation images are located and packages are as follows:

         Base client package                 idsldap.cltbase61
         Client package (32-bit) (no SSL)    idsldap.clt32bit61

         Note: The 32-bit client package requires the base client package.
      c. Ensure that your registry server is running.
      d. Upgrade Tivoli Security Utilities:

         swinstall -s /cd-rom/hp_ia64 TivSecUtl

         where /cd-rom/hp_ia64 is the directory where the installation images are located and TivSecUtl is the Tivoli Security Utilities package.
      e. Upgrade Access Manager License:

         swinstall -s /cd-rom/hp_ia64 PDlic

         where /cd-rom/hp_ia64 is the directory where the installation images are located and PDlic is the Access Manager License package.
      f. Upgrade Access Manager Runtime:

         swinstall -s /cd-rom/hp_ia64 PDRTE

         where /cd-rom/hp_ia64 is the directory where the installation images are located and PDRTE is the Access Manager Runtime package.

      g. Ensure that Access Manager Runtime is working, and that you can contact the policy server. For example, log in to the pdadmin interface and run a command:

         pdadmin -a sec_master -p password
         pdadmin sec_master> acl list

      h. Upgrade Access Manager Web Security Runtime:

         swinstall -s /cd-rom/hp_ia64 PDWebRTE

         where cd-rom/hp_ia64 is the directory where the installation images are located.
      i. Upgrade Access Manager WebSEAL:

         swinstall -s /cd-rom/hp_ia64 PDWebWeb

         where cd-rom/hp_ia64 is the directory where the installation images are located.
13. If you modified WebSEAL libraries, such as libcdmf.sl or any CDAS libraries, and manually copied the files to another location to preserve your updates before upgrading, move the copied files back after you install the WebSEAL 6.1.1 package and before you start WebSEAL.
14. Start the WebSEAL daemon (webseald) manually in the foreground, which causes WebSEAL to migrate the configuration files.

    /opt/pdweb/bin/webseald -config etc/webseald-default.conf -foreground

15. Confirm that WebSEAL started successfully. To do so, use a browser to access the WebSEAL URL (https://servername) and log in to WebSEAL.
    Note: The splash screen that appears might still display a previous version number. This is a known limitation and can be ignored.
16. Press the Ctrl+C keys to stop the WebSEAL process (webseald) running in the foreground.
17. Start WebSEAL:

    pdweb start instance

18. Upgrade WebSEAL instance servers:
    a. For the WebSEAL instance server, start the server manually in the foreground. This command causes WebSEAL to migrate the configuration files.

       /opt/pdweb/bin/webseald -config etc/webseald-instance.conf -foreground

       where instance is the name of the instance you need to configure.
       Note: Ignore any messages that are displayed. These are not errors. For example, you might encounter stanza messages.
    b. Confirm that the WebSEAL instance server started successfully. To do so, use a browser to access the WebSEAL URL (https://instance_servername) and log in to WebSEAL.
       Note: The splash screen that appears might still display a previous version number. This is a known limitation and can be ignored.
    c. Press the Ctrl+C keys to stop the WebSEAL (webseald) process running in the foreground.
    d. Start the WebSEAL instance server:

       pdweb start instance_servername

    e. Repeat these steps for each instance.

The upgrade of WebSEAL on HP-UX on Integrity is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

19. Optional: To upgrade the Web Security application development kit (Web security ADK) on your WebSEAL system, enter:
swinstall -s /cd-rom/hp_ia64 PDAuthADK PDWebADK

where /cd-rom/hp_ia64 is the directory where the installation images are located, PDAuthADK is the Access Manager Application Development Kit (Access Manager ADK), and PDWebADK is the Web Security Application Development Kit package.

Note: The Web security ADK has a dependency on the Tivoli Access Manager ADK component. Both ADK packages are included on the IBM Tivoli Access Manager Web Security for HP-UX on Integrity CD.

You do not need to run pdconfig to configure components. For version 5.1 or later, the original webseald.conf configuration file is renamed to webseald-default.conf and your custom configuration settings are preserved and updated with version 6.1.1 stanzas and parameters. For an instance server, the configuration file is always named webseald-instance.conf.

Linux on x86: Upgrading WebSEAL


This section describes an upgrade of WebSEAL for Linux on x86 to version 6.1.1. In addition, you can use this section to upgrade the Access Manager Web Security Application Development Kit (Web Security ADK) and the Access Manager Application Development Kit (ADK) at the same time that you upgrade WebSEAL.

Linux on x86: Upgrading WebSEAL


To upgrade a WebSEAL system for Linux on x86, complete the following instructions:

1. Before upgrading WebSEAL to 6.1.1, review the considerations in "Upgrade considerations" on page 99.

2. Log in as root.

3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.

4. Ensure that the policy server for the secure domain is upgraded to version 6.1.1. For instructions, see Chapter 3, Upgrading the policy server, on page 17.

5. Make sure that you can contact the policy server. For example, log in to the pdadmin interface and run a command:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

If you cannot log in, do not proceed with the WebSEAL upgrade. Resolve the login problem before continuing. If you upgraded the policy server using two systems, step 11a on page 117 might help you resolve your login problem.

6. Insert the IBM Tivoli Access Manager Web Security for Linux on x86 CD image and mount it.

7. Change to the following directory:
cd cd_mount_pt/linux_i386

where cd_mount_pt/linux_i386 is where the CD is mounted.

8. Stop WebSEAL and any Tivoli Access Manager service that is running on the system. To stop applications and services, use the pdweb utility:
pdweb stop

9. If you have not backed up your Access Manager Runtime information, see step 8 on page 148 to use the pdbackup utility to back up the information.

10. Run the following command:
sed "s/instance/webs01/g" cd_mount_pt/<operating system>/migrate/migXXto61instanceweb.lst.template > /tmp/migXXto61webs01.lst

This command creates a new file called /tmp/migXXto61webs01.lst and substitutes every occurrence of "instance" with "webs01" in the file. This newly created file is the file you must use with the pdbackup command.

Use the pdbackup utility to back up the WebSEAL information:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:

-list fullpath_to_backup_listfile
Specifies the fully qualified path to the backup list file. For example:
/tmp/migxxto61instanceweb.lst

where xx is the version of software that you are migrating from and instanceweb is the name of the Web server. The names of the backup list files would be as follows:

Version    Instance server list file
6.0        mig60to61instanceweb.lst.template
5.1        mig51to61instanceweb.lst.template

Because there is no list file for the default instance for version 5.1, you can copy and rename the mig51to61instanceweb.lst.template to the name of your Web server list file. For example, if your Web server is named webs01, you would copy and rename it to mig51to61webs01.lst. See step 10 for instructions on how to copy and rename the mig51to61instanceweb.lst.template to the name of your Web server list file.

Note: If you have more than one instance, make sure you back up all the instances.

-path path
Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
Specifies a file name other than the list_date.time [.tar] default file name.

You can use the pdbackup utility to both back up and restore data. For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.

11. Do one of the following:

• If you upgraded the policy server on one system, skip to step 12.

• If you upgraded the policy server using two systems, perform the following steps:

a. Manually configure WebSEAL to use the new policy server. To do so, edit the webseald-instance.conf and pd.conf files and change the master-host entry in the [manager] stanza to the following:
master-host=host_name

where host_name is the fully-qualified host name of the version 6.1.1 policy server for the domain to which WebSEAL belongs. For example:
master-host=server1.austin.ibm.com

For the location of the webseald-instance.conf file, see the WebSEAL configuration file section of the IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide.

b. Start WebSEAL:
pdweb start default

c. Confirm that WebSEAL can contact the new policy server. To do so, run a sample pdadmin command. For example:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

d. Stop WebSEAL:
pdweb stop instance

12. Do one of the following:

• To upgrade WebSEAL using the installation wizard, follow these steps:

a. Ensure that IBM Java Runtime 1.5 SR5 is installed. To install this package, enter the following for a 32-bit system:
rpm -i ibm-java2-i386-sdk-5.0-5.0.i386.rpm

Ensure that the JRE is accessible through the PATH environment variable:
export PATH=jre_path:$PATH

b. Run the install_amweb program, located in the root directory on the IBM Tivoli Access Manager Web Security for Linux on x86 CD. This program installs or upgrades the following required components:
  - Global Security Kit
  - Tivoli Directory Server client
  - Access Manager License
  - Tivoli Security Utilities
  - Access Manager Runtime
  - Access Manager Web Security Runtime
  - Access Manager WebSEAL

• To upgrade WebSEAL using a native installation utility, such as rpm, follow these steps:

a. Install or upgrade IBM Global Security Kit (GSKit). If you have a version of Global Security Kit prior to GSKit 7 installed or if you do not have a version of GSKit installed at all, install GSKit 7:
rpm -i gsk7bas-7.0-4.28.i386.rpm

Or, if you have an earlier version of GSKit 7 installed, upgrade to GSKit 7.0-4.28:
rpm -U gsk7bas-7.0-4.28.i386.rpm

b. Install the Tivoli Directory Server client packages:


rpm -i packages

where packages are as follows:


Base client package      idsldap-cltbase61-6.1.0-6.i386.rpm
32-bit client package    idsldap-clt32bit61-6.1.0-6.i386.rpm

Note: The 32-bit client package requires the base client package.

c. Ensure that your registry server is running.

d. Do one of the following:

If you are upgrading from Tivoli Access Manager 5.1, install the Tivoli Security Utilities:
rpm -i TivSecUtl-TivSec-6.1.1-0.i386.rpm

where TivSecUtl-TivSec-6.1.1-0.i386.rpm is the Tivoli Security Utilities package.

If you are upgrading from Tivoli Access Manager 6.0, upgrade the Tivoli Security Utilities:
rpm -U TivSecUtl-TivSec-6.1.1-0.i386.rpm

where TivSecUtl-TivSec-6.1.1-0.i386.rpm is the Tivoli Security Utilities package.

e. Do one of the following:

If you are upgrading from Tivoli Access Manager 5.1, install Access Manager License:
rpm -i PDlic-PD-6.1.1-0.i386.rpm

where PDlic-PD-6.1.1-0.i386.rpm is the Access Manager License package.

If you are upgrading from Tivoli Access Manager 6.0, upgrade Access Manager License:
rpm -U PDlic-PD-6.1.1-0.i386.rpm

where PDlic-PD-6.1.1-0.i386.rpm is the Access Manager License package.

f. Upgrade Access Manager Runtime:
rpm -U PDRTE-PD-6.1.1-0.i386.rpm

where PDRTE-PD-6.1.1-0.i386.rpm is the Access Manager Runtime package.

g. Ensure that Access Manager Runtime is working, and that you can contact the policy server. For example, log in to the pdadmin interface and run a command:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

h. Upgrade Access Manager Web Security Runtime using the rpm --replacefiles option:
rpm -U --replacefiles PDWebRTE-PD-6.1.1-0.i386.rpm

i. Upgrade Access Manager WebSEAL:


rpm -U --replacefiles PDWeb-PD-6.1.1-0.i386.rpm

13. If you modified WebSEAL libraries, such as libcdmf.so or any CDAS libraries, and manually copied the files to another location to preserve your updates before upgrading, move the copied files back after you install the WebSEAL 6.1.1 package and before you start WebSEAL.

14. Start the WebSEAL daemon (webseald) manually in the foreground, which causes WebSEAL to migrate the configuration files:
/opt/pdweb/bin/webseald -config etc/webseald-default.conf -foreground

15. Confirm that WebSEAL started successfully. To do so, use a browser to access the WebSEAL URL (https://servername) and log in to WebSEAL.

Note: The splash screen that appears might still display a previous version number. This is a known limitation and can be ignored.

16. Press the Ctrl+C keys to stop the WebSEAL process (webseald) running in the foreground.

17. Start WebSEAL:
pdweb start instance

18. Upgrade WebSEAL instance servers:

a. For the WebSEAL instance server, start the server manually in the foreground. This command causes WebSEAL to migrate the configuration files.
/opt/pdweb/bin/webseald -config etc/webseald-instance.conf -foreground

where instance is the name of the instance you need to configure.

Note: Ignore any messages that are displayed. These are not errors. For example, you might encounter stanza messages.

b. Confirm that the WebSEAL instance server started successfully. To do so, use a browser to access the WebSEAL URL (https://instance_servername) and log in to WebSEAL.

Note: The splash screen that appears might still display a previous version number. This is a known limitation and can be ignored.

c. Press the Ctrl+C keys to stop the WebSEAL (webseald) process running in the foreground.

d. Start the WebSEAL instance server:
pdweb start instance-servername

e. Repeat these steps for each instance.

The upgrade of WebSEAL for Linux on x86 is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

19. Optional: To upgrade the Web Security Application Development Kit (Web security ADK) on your version 6.1.1 WebSEAL system, enter:
rpm -U PDADK-PD-6.1.1-0.i386.rpm PDWebADK-PD-6.1.1-0.i386.rpm

Note: The Web Security Application Development Kit has a dependency on the Tivoli Access Manager Application Development Kit component. Both Application Development Kit packages are included on the IBM Tivoli Access Manager Web Security for Linux on x86 CD.

You do not need to run pdconfig to configure components. For version 5.1 or later, the original webseald.conf configuration file is renamed to webseald-default.conf and your custom configuration settings are preserved and updated with version 6.1.1 stanzas and parameters. For an instance server, the configuration file is always named webseald-instance.conf.
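Step 10 of this procedure asks for one backup list file per WebSEAL instance and a pdbackup run for each. The following shell script is an added example, not part of the IBM guide: it generates the list file for every named instance from the template and prints the matching pdbackup command, using only the pdbackup options shown in step 10. The function names, archive names and sample template contents are assumptions.

```shell
#!/bin/sh
# Added example (not from the IBM guide): one backup list file per WebSEAL
# instance, plus the pdbackup command for each. Function names, archive names
# and the sample template contents are assumptions.

PDBACKUP=/opt/PolicyDirector/bin/pdbackup   # path used in step 10

# make_list_file MIGRATE_DIR VERSION INSTANCE OUT_DIR
# VERSION is the release being migrated from (60 or 51).
# Prints the path of the list file that was created.
make_list_file() {
    migrate_dir=$1 ver=$2 inst=$3 out_dir=$4
    tmpl="$migrate_dir/mig${ver}to61instanceweb.lst.template"

    # The name ends up inside a sed expression and a file name: keep it plain.
    case $inst in
        ''|*[!A-Za-z0-9_-]*) echo "invalid instance name: $inst" >&2; return 1 ;;
    esac
    [ -r "$tmpl" ] || { echo "missing template: $tmpl" >&2; return 1; }
    # A template without the placeholder is the wrong file.
    grep -q instance "$tmpl" || { echo "no placeholder in $tmpl" >&2; return 1; }

    out="$out_dir/mig${ver}to61${inst}.lst"
    # Written as root: private mode, and noclobber (set -C) so that nothing
    # already sitting at the target path is written through.
    ( umask 077; set -C; sed "s/instance/$inst/g" "$tmpl" > "$out" ) 2>/dev/null || {
        echo "could not create $out (does it already exist?)" >&2; return 1; }
    printf '%s\n' "$out"
}

# backup_cmd LIST_FILE BACKUP_DIR ARCHIVE
# Prints the pdbackup invocation from step 10 for one list file.
backup_cmd() {
    printf '%s -action backup -list %s -path %s -file %s\n' \
        "$PDBACKUP" "$1" "$2" "$3"
}

# plan_backups MIGRATE_DIR VERSION OUT_DIR BACKUP_DIR INSTANCE...
# Stops at the first failure so that no instance is silently left out.
plan_backups() {
    migrate_dir=$1 ver=$2 out_dir=$3 backup_dir=$4
    shift 4
    for inst in "$@"; do
        list=$(make_list_file "$migrate_dir" "$ver" "$inst" "$out_dir") || return 1
        backup_cmd "$list" "$backup_dir" "webseal_${inst}"
    done
}

# Demonstration on constructed data (a stand-in for the template on the CD,
# not its real contents).
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/migrate" "$work/lists"
    printf '%s\n' '/opt/pdweb/etc/webseald-instance.conf' \
                  '/var/pdweb/www-instance/log' \
        > "$work/migrate/mig60to61instanceweb.lst.template"
    plan_backups "$work/migrate" 60 "$work/lists" \
        /var/PolicyDirector/pdbackup webs01 webs02
    rm -rf "$work"
}
demo
```

Passing a root-only directory as OUT_DIR keeps the generated list files out of a world-writable location such as /tmp.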

Linux on System z: Upgrading WebSEAL


This section describes an upgrade of WebSEAL for Linux on System z to version 6.1.1. In addition, you can use this section to upgrade the Access Manager Web Security Application Development Kit (Web Security ADK) and the Access Manager Application Development Kit (ADK) at the same time that you upgrade WebSEAL.

Linux on System z: Upgrading WebSEAL


To upgrade a WebSEAL system on System z, complete the following instructions:

1. Before upgrading WebSEAL to 6.1.1, review the considerations in "Upgrade considerations" on page 99.

2. Log in as root.

3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.

4. Ensure that the policy server for the secure domain is upgraded to version 6.1.1. For instructions, see Chapter 3, Upgrading the policy server, on page 17.

5. Make sure that you can contact the policy server. For example, log in to the pdadmin interface and run a command:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

If you cannot log in, do not proceed with the WebSEAL upgrade. Resolve the login problem before continuing. If you upgraded the policy server using two systems, step 11a on page 121 might help you resolve your login problem.

6. Obtain access to the IBM Tivoli Access Manager Web Security for Linux on System z CD image on the System z system.

7. Change to the following directory:
cd cd_mount_pt/linux_s390

where cd_mount_pt is where the CD is mounted.

8. Stop WebSEAL and any Tivoli Access Manager service that is running on the system. To stop applications and services, use the pdweb utility:
pdweb stop

9. If you have not backed up your Access Manager Runtime information, see step 8 on page 149 to use the pdbackup utility to back up the information.

10. Perform these steps:

• Run the following command:
sed "s/instance/webs01/g" cd_mount_pt/usr/sys/inst.images/migrate/migXXto61instanceweb.lst.template > /tmp/migXXto61webs01.lst

This command creates a new file called /tmp/migXXto61webs01.lst and substitutes every occurrence of "instance" with "webs01" in the file. This newly created file is the file you must use with the pdbackup command.

• Use the pdbackup utility to back up the WebSEAL information:

/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:

-list fullpath_to_backup_listfile
Specifies the fully qualified path to the backup list file. For example:
/tmp/migxxto61instanceweb.lst

where xx is the version of software that you are migrating from and instanceweb is the name of the Web server. The names of the backup list files would be as follows:

Version    Instance server list file
6.0        mig60to61instanceweb.lst.template
5.1        mig51to61instanceweb.lst.template

Because there is no list file for the default instance for version 5.1, you can copy and rename the mig51to61instanceweb.lst.template to the name of your Web server list file. For example, if your Web server is named webs01, you would copy and rename it to mig51to61webs01.lst. See step 10 on page 120 for instructions on how to copy and rename the mig51to61instanceweb.lst.template to the name of your Web server list file.

Note: If you have more than one instance, make sure you back up all the instances.

-path path
Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
Specifies a file name other than the list_date.time [.tar] default file name.

For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.

11. Do one of the following:

• If you upgraded the policy server on one system, skip to step 12 on page 122.

• If you upgraded the policy server using two systems, perform the following steps:

a. Manually configure WebSEAL to use the new policy server. To do so, edit the webseald-instance.conf and pd.conf files and change the master-host entry in the [manager] stanza to the following:
master-host=host_name

where host_name is the fully-qualified host name of the version 6.1.1 policy server for the domain to which WebSEAL belongs. For example:
master-host=server1.austin.ibm.com

b. Start WebSEAL:
pdweb start default

c. Confirm that WebSEAL can contact the new policy server. To do so, run a sample pdadmin command. For example:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

d. Stop WebSEAL:
pdweb stop instance

12. Do one of the following:

• To upgrade WebSEAL using the installation wizard, follow these steps:

a. Ensure that IBM Java Runtime 1.5 SR5 is installed. To install this package, obtain the Java Runtime Environment rpm from the IBM Tivoli Access Manager Web Security for Linux on System z CD from the /cd_mount_pt/linux_s390 directory, where cd_mount_pt is the mount point for your CD. To install the JRE:

1) Enter:
rpm -i ibm-java2-s390-sdk-5.0-5.0.s390.rpm

2) Ensure that the JRE is accessible through the PATH environment variable:
export PATH=/opt/ibm/java2-s390-50/jre/bin:$PATH

b. Run the install_amweb program, located in the root directory on the IBM Tivoli Access Manager Web Security for Linux on System z CD. This program installs or upgrades the following required components:
  - Global Security Kit
  - Tivoli Directory Server client
  - Access Manager License
  - Tivoli Security Utilities
  - Access Manager Runtime
  - Access Manager Web Security Runtime
  - Access Manager WebSEAL

• To upgrade WebSEAL using a native installation utility, such as rpm, follow these steps:

a. Install or upgrade IBM Global Security Kit (GSKit). If you have a version of Global Security Kit prior to GSKit 7 installed or if you do not have a version of GSKit installed at all, install GSKit 7:
rpm -i gsk7bas-7.0-4.28.s390.rpm

Or, if you have an earlier version of GSKit 7 installed, upgrade to GSKit 7.0-4.28:
rpm -U gsk7bas-7.0-4.28.s390.rpm

b. Install the client packages of Tivoli Directory Server:


rpm -i packages

where packages are as follows:


Base client package      idsldap-cltbase61-6.1.0-6.s390.rpm
32-bit client package    idsldap-clt32bit61-6.1.0-6.s390.rpm

Note: The 32-bit client package requires the base client package.

c. Ensure that your registry server is running.

d. Do one of the following:

If you are upgrading from Tivoli Access Manager 5.1, install the Tivoli Security Utilities:
rpm -i TivSecUtl-TivSec-6.1.1-0.s390.rpm

where TivSecUtl-TivSec-6.1.1-0.s390.rpm is the Tivoli Security Utilities package.

If you are upgrading from Tivoli Access Manager 6.0, upgrade the Tivoli Security Utilities:
rpm -U TivSecUtl-TivSec-6.1.1-0.s390.rpm

where TivSecUtl-TivSec-6.1.1-0.s390.rpm is the Tivoli Security Utilities package.

e. Do one of the following:

If you are upgrading from Tivoli Access Manager 5.1, install Access Manager License:
rpm -i PDlic-PD-6.1.1-0.s390.rpm

where PDlic-PD-6.1.1-0.s390.rpm is the Access Manager License package.

If you are upgrading from Tivoli Access Manager 6.0, upgrade Access Manager License:
rpm -U PDlic-PD-6.1.1-0.s390.rpm

where PDlic-PD-6.1.1-0.s390.rpm is the Access Manager License package.

f. Upgrade Access Manager Runtime:
rpm -U PDRTE-PD-6.1.1-0.s390.rpm

where PDRTE-PD-6.1.1-0.s390.rpm is the Access Manager Runtime package.

g. Ensure that Access Manager Runtime is working, and that you can contact the policy server. For example, log in to the pdadmin interface and run a command:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

h. Upgrade Access Manager Web Security Runtime using the rpm --replacefiles option:
rpm -U --replacefiles PDWebRTE-PD-6.1.1-0.s390.rpm

i. Upgrade Access Manager WebSEAL:


rpm -U --replacefiles PDWeb-PD-6.1.1-0.s390.rpm

13. If you modified WebSEAL libraries, such as libcdmf.so or any CDAS libraries, and manually copied the files to another location to preserve your updates before upgrading, move the copied files back after you install the WebSEAL 6.1.1 package and before you start WebSEAL.

14. Start the WebSEAL daemon (webseald) manually in the foreground, which causes WebSEAL to migrate the configuration files:
/opt/pdweb/bin/webseald -config etc/webseald-default.conf -foreground

15. Confirm that WebSEAL started successfully. To do so, use a browser to access the WebSEAL URL (https://servername) and log in to WebSEAL.

Note: The splash screen that appears might still display a previous version number. This is a known limitation and can be ignored.

16. Press the Ctrl+C keys to stop the WebSEAL process (webseald) running in the foreground.

17. Start WebSEAL:
pdweb start instance

The upgrade of WebSEAL for Linux on System z is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

18. Upgrade each WebSEAL instance server:

a. For each WebSEAL instance server, start the server manually in the foreground. This command causes WebSEAL to migrate the configuration files.
/opt/pdweb/bin/webseald -config etc/webseald-instance.conf -foreground

where instance is the name of the instance you need to configure.

Note: Ignore any messages that are displayed. These are not errors. For example, you might encounter stanza messages.

b. Confirm that the WebSEAL instance server started successfully. To do so, use a browser to access the WebSEAL URL (https://instance_servername) and log in to WebSEAL.

Note: The splash screen that appears might still display a previous version number. This is a known limitation and can be ignored.

c. Press the Ctrl+C keys to stop the WebSEAL (webseald) process running in the foreground.

d. Start the WebSEAL instance server:
pdweb start instance-servername

e. Repeat these steps for each instance.

The upgrade of WebSEAL for Linux on System z is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

19. Optional: To upgrade the Web security application development kit (Web security ADK) on your version 6.1.1 WebSEAL system, enter the following:
rpm -U PDAuthADK-PD-6.1.1-0.s390.rpm PDWebADK-PD-6.1.1-0.s390.rpm

where PDAuthADK is the Access Manager Application Development Kit (Access Manager ADK), and PDWebADK is the Web Security Application Development Kit package.

Note: The Web security ADK has a dependency on the Tivoli Access Manager ADK component. Both ADK packages are included on the IBM Tivoli Access Manager Web Security for Linux on System z CD.

You do not need to run pdconfig to configure components. For version 5.1 or later, the original webseald.conf configuration file is renamed to webseald-default.conf and your custom configuration settings are preserved and updated with version 6.1.1 stanzas and parameters. For an instance server, the configuration file is always named webseald-instance.conf.
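Step 11a of this procedure changes master-host in the [manager] stanza of webseald-instance.conf and pd.conf. The following shell script is an added example, not part of the IBM guide: it rewrites the key only inside [manager], keeps a copy of each file, and reads the value back from every file it edited. The function names, the .pre611 suffix and the sample file contents are assumptions.

```shell
#!/bin/sh
# Added example (not from the IBM guide): change master-host only inside the
# [manager] stanza of the files named in step 11a, then read the value back.
# Function names, the ".pre611" suffix and the sample file are assumptions.

# get_master_host FILE
# Prints the master-host value found in the [manager] stanza.
get_master_host() {
    awk '
        /^[ \t]*\[/ { in_mgr = ($0 ~ /^[ \t]*\[manager\][ \t]*$/) }
        in_mgr && /^[ \t]*master-host[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print
        }' "$1"
}

# set_master_host FILE HOST
# Fails, leaving FILE untouched, unless [manager] holds exactly one master-host.
set_master_host() {
    conf=$1 host=$2
    case $host in
        ''|*[!A-Za-z0-9.-]*) echo "invalid host name: $host" >&2; return 1 ;;
    esac
    [ -f "$conf" ] && [ -w "$conf" ] || { echo "cannot edit $conf" >&2; return 1; }
    tmp=$(mktemp) || return 1
    awk -v host="$host" '
        /^[ \t]*\[/ { in_mgr = ($0 ~ /^[ \t]*\[manager\][ \t]*$/) }
        in_mgr && match($0, /^[ \t]*master-host[ \t]*=[ \t]*/) {
            # Keep the original "key =" prefix, replace only the value.
            print substr($0, 1, RLENGTH) host; n++; next
        }
        { print }
        END { exit (n == 1 ? 0 : 1) }' "$conf" > "$tmp" || {
        rm -f "$tmp"
        echo "$conf: expected exactly one master-host in [manager]" >&2
        return 1
    }
    # Keep a copy, then write through the existing file so that its owner and
    # mode stay as they were.
    cp -p "$conf" "$conf.pre611" && cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# repoint HOST FILE...
# Edits every file and fails unless each one reports HOST afterwards.
repoint() {
    new=$1; shift
    for f in "$@"; do
        set_master_host "$f" "$new" || return 1
        [ "$(get_master_host "$f")" = "$new" ] || return 1
    done
}

# Demonstration on a constructed file. [example-other] is a hypothetical
# stanza, present only to show that keys outside [manager] are left alone.
demo() {
    work=$(mktemp -d) || return 1
    cat > "$work/pd.conf" <<'EOF'
[example-other]
master-host = keep.example.com
[manager]
master-host = oldpd.example.com
master-port = 7135
EOF
    repoint server1.austin.ibm.com "$work/pd.conf" && cat "$work/pd.conf"
    rm -rf "$work"
}
demo
```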

Solaris: Upgrading WebSEAL


This section describes an upgrade of WebSEAL on Solaris to version 6.1.1. In addition, you can use this section to upgrade the Access Manager Web Security Application Development Kit (Web Security ADK) and the Access Manager Application Development Kit (ADK) at the same time that you upgrade WebSEAL.

Solaris: Upgrading WebSEAL


To upgrade a WebSEAL system on Solaris, complete the following instructions:

1. Before upgrading WebSEAL to 6.1.1, review the considerations in "Upgrade considerations" on page 99.

2. Log in as root.

3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.

4. Ensure that the policy server for the secure domain is upgraded to version 6.1.1. For instructions, see Chapter 3, Upgrading the policy server, on page 17.

5. Make sure that you can contact the policy server. For example, log in to the pdadmin interface and run a command:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

If you cannot log in, do not proceed with the WebSEAL upgrade. Resolve the login problem before continuing. If you upgraded the policy server using two systems, step 10a on page 126 might help you resolve your login problem.

6. Insert the IBM Tivoli Access Manager Web Security for Solaris CD.

7. Stop WebSEAL and any Tivoli Access Manager service that is running on the system. To stop applications and services, use the pd_start utility:
pdweb stop

8. If you have not backed up your Access Manager Runtime information, see step 8 on page 151 to use the pdbackup utility to back up the information.

9. Perform these steps:

• Run the following command:
sed "s/instance/webs01/g" cd_mount_pt/usr/sys/inst.images/migrate/migXXto61instanceweb.lst.template > /tmp/migXXto61webs01.lst

This command creates a new file called /tmp/migXXto61webs01.lst and substitutes every occurrence of "instance" with "webs01" in the file. This newly created file is the file you must use with the pdbackup command.

• Use the pdbackup utility to back up the WebSEAL information:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:

-list fullpath_to_backup_listfile
Specifies the fully qualified path to the backup list file. For example:
/tmp/migxxto61instanceweb.lst

where xx is the version of software that you are migrating from and instanceweb is the name of the Web server. The names of the backup list files would be as follows:

Version    Instance server list file
6.0        mig60to61instanceweb.lst.template
5.1        mig51to61instanceweb.lst.template

Because there is no list file for the default instance for version 5.1, you can copy and rename the mig51to61instanceweb.lst.template to the name of your Web server list file. For example, if your Web server is named webs01, you would copy and rename it to mig51to61webs01.lst. See step 9 on page 125 for instructions on how to copy and rename the mig51to61instanceweb.lst.template to the name of your Web server list file.

Note: If you have more than one instance, make sure you back up all the instances.

-path path
Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
Specifies a file name other than the list_date.time [.tar] default file name.

For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.

10. Do one of the following:

• If you upgraded the policy server on one system, skip to step 11.

• If you upgraded the policy server using two systems, perform the following steps:

a. Manually configure WebSEAL to use the new policy server. To do so, edit the webseald-instance.conf and pd.conf files and change the master-host entry in the [manager] stanza to the following:
master-host=host_name

where host_name is the fully-qualified host name of the version 6.1.1 policy server for the domain to which WebSEAL belongs. For example:
master-host=server1.austin.ibm.com

b. Start WebSEAL:
pdweb start default

c. Confirm that WebSEAL can contact the new policy server. To do so, run a sample pdadmin command. For example:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

d. Stop WebSEAL:
pdweb stop instance

11. Do one of the following:

• To upgrade WebSEAL using the installation wizard, follow these steps:

a. Change to the /cdrom/cdrom0/solaris directory, where /cdrom/cdrom0/solaris is the directory where the JRE package is located.

b. Ensure that IBM Java Runtime 1.5.0 SR5 is installed. To install this package:

1) Enter:
mkdir -p /usr/java15

2) Enter:
cd /usr/java15

3) Enter:

zcat cd_mount_pt/solaris/soldevhybrid-20070511-sdk.tar.Z | tar -xvf -

where cd_mount_pt is the CD mount point, /cd_mount_pt/solaris is the directory where the installation images are located, and soldevhybrid-20070511-sdk.tar.Z is the IBM Java Runtime package. Note that you must have both the zcat file uncompress and the tar file extraction utilities. Also, the directories for both utilities must be defined by your PATH environment variable.

4) You must set the PATH environment variable:
PATH=jre_path:$PATH
export PATH

c. Run the install_amweb program, located in the root directory on the IBM Tivoli Access Manager Web Security for Solaris CD. This program installs or upgrades the following required components:
  - Global Security Kit
  - Tivoli Directory Server client
  - Access Manager License
  - Tivoli Security Utilities
  - Access Manager Runtime
  - Access Manager Web Security Runtime
  - Access Manager WebSEAL

• To upgrade WebSEAL using a native installation utility, such as pkgadd, follow these steps:

a. Change to the /cdrom/cdrom0/solaris directory.

b. Install the Global Security Kit (GSKit):
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault gsk7bas

where /cdrom/cdrom0/solaris specifies the location of the package and /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script.

Note: During installation, you are asked if you want to use /opt as the root directory. If space permits, use /opt as the root installation directory. To accept /opt as the root directory, press Enter.

c. Install the Tivoli Directory Server client packages:
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault packages

where /cdrom/cdrom0/solaris specifies the location of the package, /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script, and packages are as follows:

Base client package      IDSlbc61
32-bit client package    IDSl32c61

d. Ensure that your registry server is running.

e. Install or upgrade Tivoli Security Utilities:

Note: If you are upgrading from Tivoli Access Manager 5.1, Tivoli Security Utilities is installed. If you are upgrading from v 6.0, the Tivoli Security Utilities is upgraded.

pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault TivSecUtl

where /cdrom/cdrom0/solaris specifies the location of the package, /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script, and TivSecUtl is the Tivoli Security Utilities package. f. Install or upgrade Access Manager License: Note: If you are upgrading from Tivoli Access Manager 5.1, Access Manager License is installed. If you are upgrading from Tivoli Access Manager 6.0, the Access Manager License is upgraded.
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault PDlic

where /cdrom/cdrom0/solaris specifies the location of the package, /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script, and PDlic is the Access Manager Access Manager License package. g. Upgrade Access Manager Runtime:
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault PDRTE

where /cdrom/cdrom0/solaris specifies the location of the package, /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script, and PDRTE is the Access Manager Runtime package.
h. Ensure that Access Manager Runtime is working, and that you can contact the policy server. For example, log in to the pdadmin interface and run a command:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

i. Upgrade Access Manager Web Security Runtime:


pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault PDWebRTE

where /cdrom/cdrom0/solaris specifies the location of the package, /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script, and PDWebRTE is the Access Manager Web Security Runtime package.
j. Upgrade Access Manager WebSEAL:
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault PDWeb

where /cdrom/cdrom0/solaris specifies the location of the package, /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script, and PDWeb is the Access Manager WebSEAL package.
12. If you modified WebSEAL libraries, such as libcdmf.so or any CDAS libraries, and manually copied the files to another location to preserve your updates before upgrading, move the copied files back after you install the WebSEAL 6.1.1 package and before you start WebSEAL.
13. Start the WebSEAL daemon (webseald) manually in the foreground, which causes WebSEAL to migrate the configuration files:
/opt/pdweb/bin/webseald -config etc/webseald-default.conf -foreground


Note: Ignore any messages that are displayed. These are not errors. For example, you might encounter [failover-attribute] or [webseal-config] stanza messages.
14. Confirm that WebSEAL started successfully. To do so, use a browser to access the WebSEAL URL (https://servername) and log in to WebSEAL.
Note: The splash screen that appears might still display an older version number. This is a known limitation and can be ignored.
15. Press the Ctrl+C keys to stop the WebSEAL process (webseald) running in the foreground.
16. Start WebSEAL:
pdweb start instance

Note: Ignore any messages that are displayed. These are not errors. For example, you might encounter stanza messages.
17. Optional: Upgrade each WebSEAL instance server:
a. For the WebSEAL instance server, start the server manually in the foreground. This command causes WebSEAL to migrate the configuration files.
/opt/pdweb/bin/webseald -config etc/webseald-instance.conf -foreground

where instance is the name of the instance you need to configure.
Note: Ignore any messages that are displayed. These are not errors. For example, you might encounter stanza messages.
b. Confirm that the WebSEAL instance server started successfully. To do so, use a browser to access the WebSEAL URL (https://instance_servername) and log in to WebSEAL.
Note: The splash screen that appears might still display a previous version number. This is a known limitation and can be ignored.
c. Press the Ctrl+C keys to stop the WebSEAL (webseald) process running in the foreground.
d. Start the WebSEAL instance server:
pdweb start instance-servername

e. Repeat these steps for each instance.
The upgrade of WebSEAL on Solaris is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.
18. Optional: To upgrade the Access Manager Web Security Application Development Kit (Web security ADK) on your version 6.1.1 WebSEAL system, enter:
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault PDAuthADK PDWebADK

where /cdrom/cdrom0/solaris specifies the location of the package, /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script, PDAuthADK is the Access Manager Application Development Kit (Access Manager ADK) package, and PDWebADK is the Access Manager Web Security ADK package.


Note: The Web security ADK has a dependency on the Access Manager ADK component. Both ADK packages are included on the IBM Tivoli Access Manager Web Security for Solaris CD.
You do not need to run pdconfig to configure components. For version 5.1 or later, the original webseald.conf configuration file is renamed to webseald-default.conf and your custom configuration settings are preserved and updated with version 6.1.1 stanzas and parameters. For an instance server, the configuration file is always named webseald-instance.conf.

Solaris on x86_64: Upgrading WebSEAL


This section describes an upgrade of WebSEAL on Solaris on x86_64 to version 6.1.1. In addition, you can use this section to upgrade the Access Manager Web Security Application Development Kit (Web Security ADK) and the Access Manager Application Development Kit (ADK) at the same time that you upgrade WebSEAL.

Solaris on x86_64: Upgrading WebSEAL


To upgrade a WebSEAL system on Solaris on x86_64, complete the following instructions:
1. Before upgrading WebSEAL to 6.1.1, review the considerations in Upgrade considerations on page 99.
2. Log in as root.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
4. Ensure that the policy server for the secure domain is upgraded to version 6.1.1. For instructions, see Chapter 3, Upgrading the policy server, on page 17.
5. Make sure that you can contact the policy server. For example, log in to the pdadmin interface and run a command:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

If you cannot log in, do not proceed with the WebSEAL upgrade. Resolve the login problem before continuing. If you upgraded the policy server using two systems, step 10a on page 131 might help you resolve your login problem.
6. Insert the IBM Tivoli Access Manager Web Security for Solaris on x86_64 CD.
7. Stop WebSEAL and any Tivoli Access Manager service that is running on the system. To stop applications and services, use the pd_start utility:
pdweb stop

8. If you have not backed up your Access Manager Runtime information, see step 8 on page 151 to use the pdbackup utility to back up the information.
9. Perform these steps:
- Run the following command:
sed "s/instance/webs01/g" cd_mount_pt/usr/sys/inst.images/migrate/mig60to61instanceweb.lst.template > /tmp/mig60to61webs01.lst

This command creates a new file called /tmp/mig60to61webs01.lst and substitutes every occurrence of "instance" with "webs01" in the file. This newly created file is the file you must use with the pdbackup command.


- Use the pdbackup utility to back up the WebSEAL information:


/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:
-list fullpath_to_backup_listfile
Specifies the fully qualified path to the backup list file. For example:
/tmp/migxxto61instanceweb.lst

where xx is the version of software that you are migrating from and instanceweb is the name of the Web server. The names of the backup list files would be as follows:
Version    Instance server list file
6.0        mig60to61instanceweb.lst.template

Note: If you have more than one instance, make sure you back up all the instances.
-path path
Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
Specifies a file name other than the list_date.time [.tar] default file name.
For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.
10. Do one of the following:
- If you upgraded the policy server on one system, skip to step 11.
- If you upgraded the policy server using two systems, perform the following steps:
a. Manually configure WebSEAL to use the new policy server. To do so, edit the webseald-instance.conf and pd.conf files and change the master-host entry in the [manager] stanza to the following:
master-host=host_name

where host_name is the fully-qualified host name of the version 6.1.1 policy server for the domain to which WebSEAL belongs. For example:
master-host=server1.austin.ibm.com

b. Start WebSEAL:
pdweb start default

c. Confirm that WebSEAL can contact the new policy server. To do so, run a sample pdadmin command. For example:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

d. Stop WebSEAL:
pdweb stop instance

11. Do one of the following:
- To upgrade WebSEAL using the installation wizard, follow these steps:
a. Change to the /cdrom/cdrom0/solaris_x86 directory, where /cdrom/cdrom0/solaris_x86 is the directory where the JRE package is located.
b. Ensure that IBM Java Runtime 1.5 SR5 is installed. To install this package:
1) Enter:
mkdir -p /usr/java15
2) Enter:
cd /usr/java15
3) Enter:
zcat cd_mount_pt/solaris_x86/solx64devhybrid-20070511-sdk.tar.Z | tar -xvf -
where cd_mount_pt is the CD mount point, /cd_mount_pt/solaris_x86 is the directory where the installation images are located, and solx64devhybrid-20070511-sdk.tar.Z is the IBM Java Runtime package. Note that you must have both the zcat file uncompress and the tar file extraction utilities. Also, the directories for both utilities must be defined by your PATH environment variable.
4) You must set the PATH environment variable:
PATH=jre_path:$PATH
export PATH

c. Run the install_amweb program, located in the root directory on the IBM Tivoli Access Manager Web Security for Solaris on x86_64 CD. This program installs or upgrades the following required components:
  - Global Security Kit
  - Tivoli Directory Server client
  - Access Manager License
  - Tivoli Security Utilities
  - Access Manager Runtime
  - Access Manager Web Security Runtime
  - Access Manager WebSEAL
- To upgrade WebSEAL using a native installation utility, such as pkgadd, follow these steps:
a. Change to the /cdrom/cdrom0/solaris_x86 directory.
b. Install the Global Security Kit (GSKit):
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault gsk7bas

where /cdrom/cdrom0/solaris_x86 specifies the location of the package and /cdrom/cdrom0/solaris_x86/pddefault specifies the location of the installation administration script.
Note: During installation, you are asked if you want to use /opt as the root directory. If space permits, use /opt as the root installation directory. To accept /opt as the root directory, press Enter.
c. Install the client packages of the Tivoli Directory Server:
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault packages

where /cdrom/cdrom0/solaris_x86 specifies the location of the package, /cdrom/cdrom0/solaris_x86/pddefault specifies the location of the installation administration script, and packages are as follows:
Base client package      IDSlbc61
32-bit client package    IDSl32c61

Note: The 32-bit client package requires the base client package.
d. Ensure that your registry server is running.
e. Upgrade Tivoli Security Utilities:
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault TivSecUtl

where /cdrom/cdrom0/solaris_x86 specifies the location of the package, /cdrom/cdrom0/solaris_x86/pddefault specifies the location of the installation administration script, and TivSecUtl is the Tivoli Security Utilities package.
f. Upgrade Access Manager License:
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault PDlic

where /cdrom/cdrom0/solaris_x86 specifies the location of the package, /cdrom/cdrom0/solaris_x86/pddefault specifies the location of the installation administration script, and PDlic is the Access Manager License package.
g. Upgrade Access Manager Runtime:
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault PDRTE

where /cdrom/cdrom0/solaris_x86 specifies the location of the package, /cdrom/cdrom0/solaris_x86/pddefault specifies the location of the installation administration script, and PDRTE is the Access Manager Runtime package.
h. Ensure that Access Manager Runtime is working, and that you can contact the policy server. For example, log in to the pdadmin interface and run a command:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

i. Upgrade Access Manager Web Security Runtime:


pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault PDWebRTE

where /cdrom/cdrom0/solaris_x86 specifies the location of the package, /cdrom/cdrom0/solaris_x86/pddefault specifies the location of the installation administration script, and PDWebRTE is the Access Manager Web Security Runtime package.
j. Upgrade Access Manager WebSEAL:
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault PDWeb

where /cdrom/cdrom0/solaris_x86 specifies the location of the package, /cdrom/cdrom0/solaris_x86/pddefault specifies the location of the installation administration script, and PDWeb is the Access Manager WebSEAL package.
12. If you modified WebSEAL libraries, such as libcdmf.so or any CDAS libraries, and manually copied the files to another location to preserve your updates before upgrading, move the copied files back after you install the WebSEAL 6.1.1 package and before you start WebSEAL.
13. Start the WebSEAL daemon (webseald) manually in the foreground, which causes WebSEAL to migrate the configuration files:
/opt/pdweb/bin/webseald -config etc/webseald-default.conf -foreground

Note: Ignore any messages that are displayed. These are not errors. For example, you might encounter [failover-attribute] or [webseal-config] stanza messages.
14. Confirm that WebSEAL started successfully. To do so, use a browser to access the WebSEAL URL (https://servername) and log in to WebSEAL.
Note: The splash screen that appears might still display a previous version number. This is a known limitation and can be ignored.
15. Press the Ctrl+C keys to stop the WebSEAL process (webseald) running in the foreground.
16. Start WebSEAL:
pdweb start instance

17. Optional: Upgrade each WebSEAL instance server:
a. For the WebSEAL instance server, start the server manually in the foreground. This command causes WebSEAL to migrate the configuration files.
/opt/pdweb/bin/webseald -config etc/webseald-instance.conf -foreground

where instance is the name of the instance you need to configure.
Note: Ignore any messages that are displayed. These are not errors. For example, you might encounter stanza messages.
b. Confirm that the WebSEAL instance server started successfully. To do so, use a browser to access the WebSEAL URL (https://instance_servername) and log in to WebSEAL.
Note: The splash screen that appears might still display a previous version number. This is a known limitation and can be ignored.
c. Press the Ctrl+C keys to stop the WebSEAL (webseald) process running in the foreground.
d. Start the WebSEAL instance server:
pdweb start instance-servername

e. Repeat these steps for each instance.
The upgrade of WebSEAL on Solaris on x86_64 is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.
18. Optional: To upgrade the Access Manager Web Security Application Development Kit (Web security ADK) on your version 6.1.1 WebSEAL system, enter:
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault PDAuthADK PDWebADK

where /cdrom/cdrom0/solaris_x86 specifies the location of the package, /cdrom/cdrom0/solaris_x86/pddefault specifies the location of the installation administration script, PDAuthADK is the Access Manager Application Development Kit (Access Manager ADK) package, and PDWebADK is the Access Manager Web Security ADK package.
Note: The Web security ADK has a dependency on the Access Manager ADK component. Both ADK packages are included on the IBM Tivoli Access Manager Web Security for Solaris on x86_64 CD.


You do not need to run pdconfig to configure components. For version 5.1 or later, the original webseald.conf configuration file is renamed to webseald-default.conf and your custom configuration settings are preserved and updated with version 6.1.1 stanzas and parameters. For an instance server, the configuration file is always named webseald-instance.conf.
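
Step 9 of this procedure builds one list file by hand with sed and reminds you to back up every instance. The following added example (not part of the IBM guide or product) does that for several instances, refuses instance names that would change the sed expression, and prints the pdbackup command for each; the function names, the webseal_ prefix for -file and the sample template contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: build one pdbackup list file per WebSEAL instance from the
# migration template, as step 9 does by hand with sed.

# make_listfile TEMPLATE INSTANCE OUTDIR
# Writes OUTDIR/mig60to61INSTANCE.lst and prints its path on success.
make_listfile() {
    mk_template=$1
    mk_inst=$2
    mk_outdir=$3

    # The name is pasted into a sed expression and a file name, so refuse
    # anything sed would treat specially (/, &, \) or that could leave
    # the output directory.
    case $mk_inst in
        '' | *[!A-Za-z0-9_-]*)
            echo "invalid instance name: '$mk_inst'" >&2
            return 2 ;;
    esac
    if [ ! -r "$mk_template" ]; then
        echo "cannot read template: $mk_template" >&2
        return 3
    fi

    mk_out=$mk_outdir/mig60to61$mk_inst.lst
    sed "s/instance/$mk_inst/g" "$mk_template" > "$mk_out" || return 4

    # An identical result means the template held no "instance" placeholder,
    # so the list file would not name this instance's files at all.
    if cmp -s "$mk_template" "$mk_out"; then
        echo "no 'instance' placeholder found in $mk_template" >&2
        rm -f "$mk_out"
        return 5
    fi
    printf '%s\n' "$mk_out"
}

# backup_commands TEMPLATE OUTDIR BACKUP_PATH INSTANCE...
# Creates the list files and prints (does not run) one pdbackup command per
# instance. Returns non-zero if any instance was skipped.
backup_commands() {
    bc_template=$1
    bc_outdir=$2
    bc_path=$3
    shift 3
    bc_rc=0
    for bc_inst in "$@"; do
        if bc_lst=$(make_listfile "$bc_template" "$bc_inst" "$bc_outdir"); then
            # webseal_<instance> as the -file value is this example's choice.
            printf '%s -action backup -list %s -path %s -file %s\n' \
                /opt/PolicyDirector/bin/pdbackup \
                "$bc_lst" "$bc_path" "webseal_$bc_inst"
        else
            bc_rc=1
        fi
    done
    return $bc_rc
}

# Demonstration on a constructed template (not the real file from the CD).
demo_listfiles() {
    demo_dir=$(mktemp -d) || return 1
    cat > "$demo_dir/sample.lst.template" <<'EOF'
/opt/pdweb/etc/webseald-instance.conf
/var/pdweb/www-instance/lib
EOF
    backup_commands "$demo_dir/sample.lst.template" "$demo_dir" \
        /var/PolicyDirector/pdbackup webs01 webs02 'bad/name'
    demo_rc=$?
    rm -rf "$demo_dir"
    return $demo_rc
}

demo_listfiles || echo "one or more instances were skipped" >&2
```

Review the printed commands and run them as root on the WebSEAL system; the example itself never invokes pdbackup.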

Windows: Upgrading WebSEAL


This section describes an upgrade of WebSEAL on Windows to version 6.1.1. In addition, you can use this section to upgrade the Access Manager Web Security Application Development Kit (Web Security ADK) and the Access Manager Application Development Kit (ADK) at the same time that you upgrade WebSEAL.

Windows: Upgrading WebSEAL


To upgrade a WebSEAL system on Windows, complete the following instructions:
1. Before upgrading WebSEAL to 6.1.1, review the considerations in Upgrade considerations on page 99.
2. Log in as a user with administrator privileges.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
4. Ensure that the policy server for the secure domain is upgraded to version 6.1.1. For instructions, see Chapter 3, Upgrading the policy server, on page 17.
5. Make sure that you can contact the policy server. For example, log in to the pdadmin interface and run a command:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

If you cannot log in, do not proceed with the WebSEAL upgrade. Resolve the login problem before continuing. If you upgraded the policy server using two systems, step 10a on page 136 might help you resolve your login problem.
6. Insert the IBM Tivoli Access Manager Web Security for Windows CD.
7. Stop WebSEAL and any Tivoli Access Manager service that is running on the system. To do so, select Start > Control Panel > Administrative Tools and double-click the Services icon.
8. If you have not backed up your Access Manager Runtime information, see step 7 on page 153 to use the pdbackup utility to back up the information.
9. Perform these steps:
- Copy and move the appropriate instance template file to a directory where you have write permission (for example, \mytmpdir). For example, you might copy the mig60to61instanceweb.lst.template file provided with Tivoli Access Manager and rename the instance server list file to mig60to61wsinstance.lst, where wsinstance is the name of your instance (\mytmpdir\mig60to61wsinstance.lst).
- Use the pdbackup utility, located in the install_dir\bin directory, to back up the WebSEAL information:
"C:\Program Files\Tivoli\Policy Director\bin\pdbackup" -action backup -list fullpath_to_backup_listfile -path path -file filename

where:


-list fullpath_to_backup_listfile
Specifies the fully qualified path to the backup list file. For example:
tmp\migxxto61instanceweb.lst

where xx is the version of software that you are migrating from and instanceweb is the name of the Web server. The names of the backup list files would be as follows:
Version    Instance server list file
6.0        mig60to61instanceweb.lst.template
5.1        mig51to61instanceweb.lst.template

Because there is no list file for the default instance for version 5.1, you can copy and rename the mig51to61instanceweb.lst.template to the name of your Web server list file. For example, if your Web server is named webs01, you would copy and rename it to mig51to61webs01.lst. See step 9 on page 135 for instructions on how to copy and rename an instance template file to the name of your Web server list file.
Note: If you have more than one instance, make sure you back up all the instances.
-path path
Specifies the path where you want the backed up files to be stored. For example:
"C:\Program Files\Tivoli\Policy Director\pdbackup"

-file filename
Specifies a file name other than the list_date.time [.dar] default file name.
For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.
10. Do one of the following:
- If you upgraded the policy server on one system, skip to step 11 on page 137.
- If you upgraded the policy server using two systems, perform the following steps:
a. Manually configure WebSEAL to use the new policy server. To do so, edit the webseald-instance.conf and pd.conf files and change the master-host entry in the [manager] stanza to the following:
master-host=host_name

where host_name is the fully-qualified host name of the version 6.1.1 policy server for the domain to which WebSEAL belongs. For example:
master-host=server1.austin.ibm.com

b. Start the WebSEAL service. For example, on Windows 2003 systems, select Start > Control Panel > Administrative Tools. Double-click the Services icon, and start the service.
c. Confirm that WebSEAL can contact the new policy server. To do so, run a sample pdadmin command. For example:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

d. Stop the WebSEAL service. For example, on Windows 2003 systems, select Start > Control Panel > Administrative Tools. Double-click the Services icon, and stop the service.
11. Ensure that IBM Java Runtime 1.5 SR5 is installed. To install this JRE, enter:
cd_drive\windows\JDK\ibm-java2-sdk-50-win-i386.exe

Follow the instructions on the screen. When installation has completed, click Finish. You must set the PATH environment variable:
set PATH=install_dir;%PATH%

For example, enter the following if you installed using the default installation directory:
set PATH=C:\Program Files\IBM\Java50\jre\bin;%PATH%

12. Do one of the following:
- To upgrade WebSEAL using the InstallShield wizard:
a. Run the install_amweb.exe program, located in the root directory on the IBM Tivoli Access Manager Web Security for Windows CD. This program installs or upgrades the following required components:
  - Global Security Kit
  - Tivoli Directory Server client
  - Access Manager License
  - Tivoli Security Utilities
  - Access Manager Runtime
  - Access Manager Web Security Runtime
  - Access Manager WebSEAL
Note: The InstallShield wizard does not configure these components. The components are configured later in the upgrade process.
b. Reboot the system.
- To upgrade WebSEAL using a native installation utility, follow these steps:
a. Install the Global Security Kit (GSKit). To do so, change to the \windows\GSKit directory on the drive where the CD is located and enter:
setup policydirector

Follow the online instructions to complete the installation.
b. If you are using an LDAP server as your registry, install the Tivoli Directory Server client by running the install_tds.exe file in windows\tds. Select to install C Client 6.1 and follow the online instructions to complete the installation.
Note: If you are using Domino or Active Directory as your registry and the Tivoli Access Manager systems in your domain are Windows-based, the Tivoli Directory Server client is not required.
c. Upgrade the security utilities by running the setup.exe script in the \windows\TivsecUtl\Disk Images\Disk1 directory. Select to install Tivoli Security Utilities, and follow the online instructions to complete the installation.
d. Install components by running the setup.exe file in the \windows\PolicyDirector\Disk Images\Disk1 directory. Select to install the following components in this sequence:
  - Access Manager License
  - Access Manager Runtime
  - Access Manager Web Security Runtime
  - Access Manager WebSEAL
Follow the online instructions to complete the installation.
e. Ensure that Access Manager Runtime is working, and that you can contact the policy server. For example, log in to the pdadmin interface and run a command:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

13. If you modified WebSEAL libraries, such as cdmf.dll or any CDAS libraries, and manually copied the files to another location to preserve your updates before upgrading, move the copied files back after you install the WebSEAL 6.1.1 package and before you start WebSEAL.
14. Start the WebSEAL service (webseald) manually in the foreground, which causes WebSEAL to migrate the configuration files, by typing the following on one line:
"C:\Program Files\Tivoli\pdweb\bin\webseald" -config etc\webseald-instance.conf -foreground

where instance is the name of the instance you need to configure.
Note: Ignore any messages that are displayed. These are not errors. For example, you might encounter stanza messages.
15. Confirm that WebSEAL started successfully. To do so, use a browser to access the WebSEAL URL (https://servername) and log in to WebSEAL.
Note: The splash screen that appears might still display a previous version number. This is a known limitation and can be ignored.
16. Press the Ctrl+C keys to stop the WebSEAL process (webseald) running in the foreground.
17. Start WebSEAL. To do so, select Start > Control Panel > Administrative Tools and double-click the Services icon.
18. Optional: Upgrade each WebSEAL instance server:
a. For the WebSEAL instance server, start the server manually in the foreground. This command causes WebSEAL to migrate the configuration files.
"C:\Program Files\Tivoli\pdweb\bin\webseald" -config etc\webseald-instance.conf -foreground

where instance is the name of the instance you are going to configure.
Note: Ignore any messages that are displayed. These are not errors. For example, you might encounter stanza messages.
b. Confirm that the WebSEAL instance server started successfully. To do so, use a browser to access the WebSEAL URL (https://instance_servername) and log in to WebSEAL.
Note: The splash screen that appears might still display a previous version number. This is a known limitation and can be ignored.
c. Press the Ctrl+C keys to stop the WebSEAL (webseald) process running in the foreground.
d. Start the WebSEAL instance server. To do so, select Start > Control Panel > Administrative Tools and double-click the Services icon.
e. Repeat these steps for each instance.
The upgrade of WebSEAL on Windows is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.
19. Optional: To upgrade the Web security application development kit (Web security ADK) on your version 6.1.1 WebSEAL system, run the setup.exe file in the \windows\PolicyDirector\Disk Images\Disk1 directory. Select to install the Access Manager Application Development Kit followed by the Web Security Application Development Kit. Follow the online instructions to complete the installation.
Note: The Web security ADK has a dependency on the Tivoli Access Manager ADK component. Both ADK packages are included on the IBM Tivoli Access Manager Web Security for Windows CD.
You do not need to run pdconfig to configure components. For version 5.1 or later, the original webseald.conf configuration file is renamed to webseald-default.conf and your custom configuration settings are preserved and updated with version 6.1.1 stanzas and parameters. For an instance server, the configuration file is always named webseald-instance.conf.


Chapter 6. Upgrading the runtime


Tivoli Access Manager supports an upgrade of Access Manager Runtime system to version 6.1.1. The following platform-specific instructions are provided:
- AIX on page 142
- HP-UX on page 143
- HP-UX on Integrity on page 145
- Linux on x86 on page 147
- Linux on System z on page 149
- Linux on POWER on page 151
- Solaris on page 153
- Solaris on x86_64 on page 155
- Windows on page 157

Upgrade considerations
Before upgrading Access Manager Runtime to 6.1.1, review the following considerations:
- Upgrade your operating system to the minimum supported level. For information about minimum supported levels, see IBM Tivoli Access Manager for e-business: Release Notes.
- In Tivoli Directory Server version 6.1, clients can coexist on the same machine with a client that is version 5.1, 5.2, or 6.0. The Tivoli Directory Server 6.1 server requires that the version 6.1 client and the Java client also be installed. In addition, the server can coexist on the same machine with another client that is version 5.1, 5.2 or 6.0, or with a version of the 6.0 server.
- You are not required to upgrade all Tivoli Access Manager components in your secure domain to a 6.1.1 level. However, if you upgrade any Tivoli Access Manager component in your secure domain to a 6.1.1 level, you must install Tivoli Directory Server client 6.1 on that system. For a list of components that are compatible with Tivoli Access Manager 6.1.1, see the IBM Tivoli Access Manager for e-business: Release Notes.
- In general, if Tivoli Directory Server is your registry server and is located on a different machine from any Tivoli Access Manager component, you can upgrade the registry server at any time, before or after the upgrade of the Tivoli Access Manager 6.1.1 component. However, when the server package of Tivoli Directory Server is installed on the same machine as any Tivoli Access Manager 6.1.1 component and if you choose to install the server package of Tivoli Directory Server 6.1, it is recommended that you install the Tivoli Directory Server 6.1 client and server packages at the same time as you install the Tivoli Access Manager 6.1.1 component on that machine.
- If you are upgrading and using a language other than English, remember to upgrade your language package. Refer to the IBM Tivoli Access Manager for e-business: Installation Guide to install the language package. However, when upgrading the IBM Tivoli Directory Server language packages, you must use the upgrade (-U) option for Linux operating systems.


AIX: Upgrading the runtime


To upgrade an Access Manager Runtime system on AIX, complete the following instructions:
1. Before upgrading the runtime to 6.1.1, review the considerations in Upgrade considerations on page 141.
2. Log in as root.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
Note: The AIX operating system requires version 8.0.0.x of the xlC fileset. Check your current version by using the lslpp command and upgrade, if necessary.
4. Insert the IBM Tivoli Access Manager Base for AIX CD and mount it.
5. Stop all Tivoli Access Manager applications and services:
pd_start stop

6. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

7. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:
-list fullpath_to_backup_listfile
Specifies the fully qualified path to the backup list file. For example:
/opt/PolicyDirector/etc/pdbackup.lst

-path path
Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
Specifies a file name other than the list_date.time [.tar] default file name.
For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.
8. Install the Global Security Kit (GSKit):
installp -acgYXd cd_mount_pt/usr/sys/inst.images gskta.rte

where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located.
9. Install the client packages of Tivoli Directory Server:
installp -acgYXd cd_mount_pt/usr/sys/inst.images packages

where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located and where packages are the names of the Tivoli Directory Server client packages:

Client base package                 idsldap.cltbase61
Client package (32-bit) (no SSL)    idsldap.clt32bit61
Client package (32-bit) (SSL)       idsldap.clt_max_crypto32bit61

Note: The 32-bit client package requires the base client package.
10. Ensure that your registry server is running.
11. Install or upgrade Tivoli Security Utilities:
Note: If you are upgrading from Tivoli Access Manager 5.1, Tivoli Security Utilities is installed. If you are upgrading from Tivoli Access Manager 6.0, the Tivoli Security Utilities is upgraded.
installp -acgYXd cd_mount_pt/usr/sys/inst.images TivSec.Utl

where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located and TivSec.Utl is the Tivoli Security Utilities package.
12. Install or upgrade Access Manager License:
    Note: If you are upgrading from Tivoli Access Manager 5.1, Access Manager License is installed. If you are upgrading from Tivoli Access Manager 6.0, Access Manager License is upgraded.
installp -acgYXd cd_mount_pt/usr/sys/inst.images PD.lic

where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located and PD.lic is the Access Manager License package.
13. Upgrade Access Manager Runtime:
installp -acgYXd cd_mount_pt/usr/sys/inst.images PD.RTE

where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located and PD.RTE is the Access Manager Runtime package.
14. If the two-system upgrade option was used for the policy server, the master-host record must be updated to point to the new policy server.
    Note: The two-system upgrade option can only be used if the registry server is an LDAP server.
    Edit the master-host entry in the following Access Manager Runtime configuration file: /opt/PolicyDirector/etc/pd.conf
15. Make sure that you can contact the policy server. For example, log in to the pdadmin interface and run a command:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

The upgrade of an Access Manager Runtime system on AIX is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

HP-UX: Upgrading the runtime


To upgrade an Access Manager Runtime system on HP-UX, complete the following instructions:
1. Before upgrading the runtime to 6.1.1, review the considerations in Upgrade considerations on page 141.
2. Log in as root.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
4. Insert the IBM Tivoli Access Manager Base for HP-UX CD.
5. Mount the CD using the HP-UX mount command. For example, enter the following command:
mount -F cdfs -o rr /dev/dsk/c0t0d0 /cd-rom

where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point.
6. Stop all Tivoli Access Manager applications and services:
pd_start stop

7. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

8. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:
-list fullpath_to_backup_listfile
    Specifies the fully qualified path to the backup list file. For example:
/opt/PolicyDirector/etc/pdbackup.lst

-path path
    Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
    Specifies a file name other than the list_date.time [.tar] default file name.
For example:
/opt/PolicyDirector/bin/pdbackup -action backup -list /opt/PolicyDirector/etc/pdbackup.lst -path /tmp -file pdbackupdata

For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.
9. Install the Global Security Kit (GSKit):
swinstall -s /cd-rom/hp gsk7bas

where /cd-rom/hp is the directory where the GSKit installation images are located and gsk7bas is the name of the GSKit package.
10. Install the Tivoli Directory Server client packages:
swinstall -s /cd-rom/hp packages

where /cd-rom/hp is the directory where the installation images are located and packages are as follows:

Base client package                 idsldap.cltbase61
Client package (32-bit) (no SSL)    idsldap.clt32bit61

Note: The 32-bit client package requires the base client package.
11. Ensure that your registry server is running.
12. Install or upgrade Tivoli Security Utilities:
    Note: If you are upgrading from Tivoli Access Manager 5.1, Tivoli Security Utilities is installed. If you are upgrading from Tivoli Access Manager 6.0, Tivoli Security Utilities is upgraded.
swinstall -s /cd-rom/hp TivSecUtl

where /cd-rom/hp is the directory where the installation images are located and TivSecUtl is the Tivoli Security Utilities package.
13. Install or upgrade Access Manager License:
    Note: If you are upgrading from Tivoli Access Manager 5.1, Access Manager License is installed. If you are upgrading from Tivoli Access Manager 6.0, Access Manager License is upgraded.
swinstall -s /cd-rom/hp PDlic

where /cd-rom/hp is the directory where the installation images are located and PDlic is the Access Manager License package.
14. Upgrade Access Manager Runtime:
swinstall -s /cd-rom/hp PDRTE

where /cd-rom/hp is the directory where the installation images are located and PDRTE is the Access Manager Runtime package.
15. If the two-system upgrade option was used for the policy server, the master-host record must be updated to point to the new policy server.
    Note: The two-system upgrade option can only be used if the registry server is an LDAP server.
    Edit the master-host entry in the following Access Manager Runtime configuration file: /opt/PolicyDirector/etc/pd.conf
16. Make sure that you can contact the policy server. For example, log in to the pdadmin interface and run a command:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

The upgrade of an Access Manager Runtime system on HP-UX is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

HP-UX on Integrity: Upgrading the runtime


To upgrade an Access Manager Runtime system on HP-UX on Integrity, complete the following instructions:
1. Before upgrading the runtime to 6.1.1, review the considerations in Upgrade considerations on page 141.
2. Log in as root.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
4. Insert the IBM Tivoli Access Manager Base for HP-UX on Integrity CD.
5. Mount the CD using the HP-UX mount command. For example, enter the following command:
mount -F cdfs -o rr /dev/dsk/c0t0d0 /cd-rom

where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point.
6. Stop all Tivoli Access Manager applications and services:
pd_start stop

7. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

8. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:
-list fullpath_to_backup_listfile
    Specifies the fully qualified path to the backup list file. For example:
/opt/PolicyDirector/etc/pdbackup.lst

-path path
    Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
    Specifies a file name other than the list_date.time [.tar] default file name.
For example:
/opt/PolicyDirector/bin/pdbackup -action backup -list /opt/PolicyDirector/etc/pdbackup.lst -path /tmp -file pdbackupdata

For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.
9. Install the Global Security Kit (GSKit):
swinstall -s /cd-rom/hp_ia64 gsk7bas

where /cd-rom/hp_ia64 is the directory where the GSKit installation images are located and gsk7bas is the name of the GSKit package.
10. Install the client packages of Tivoli Directory Server:
swinstall -s /cd-rom/hp_ia64 packages

where /cd-rom/hp_ia64 is the directory where the installation packages are located and packages are as follows:

Base client package                 idsldap.cltbase61
Client package (32-bit) (no SSL)    idsldap.clt32bit61

Note: The 32-bit client package requires the base client package.

11. Ensure that your registry server is running.
12. Upgrade Tivoli Security Utilities:
swinstall -s /cd-rom/hp_ia64 TivSecUtl

where /cd-rom/hp_ia64 is the directory where the installation packages are located and TivSecUtl is the Tivoli Security Utilities package.
13. Upgrade Access Manager License:
swinstall -s /cd-rom/hp_ia64 PDlic

where /cd-rom/hp_ia64 is the directory where the installation packages are located and PDlic is the Access Manager License package.
14. Upgrade Access Manager Runtime:
swinstall -s /cd-rom/hp_ia64 PDRTE

where /cd-rom/hp_ia64 is the directory where the installation packages are located and PDRTE is the Access Manager Runtime package.
15. If the two-system upgrade option was used for the policy server, the master-host record must be updated to point to the new policy server.
    Note: The two-system upgrade option can only be used if the registry server is an LDAP server.
    Edit the master-host entry in the following Access Manager Runtime configuration file: /opt/PolicyDirector/etc/pd.conf
16. Make sure that you can contact the policy server. For example, log in to the pdadmin interface and run a command:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

The upgrade of an Access Manager Runtime system on HP-UX on Integrity is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

Linux on x86: Upgrading the runtime


To upgrade an Access Manager Runtime system for Linux on x86, complete the following instructions:
1. Before upgrading the runtime to 6.1.1, review the considerations in Upgrade considerations on page 141.
2. Log in as root.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
4. Insert the IBM Tivoli Access Manager Base for Linux on x86 CD and mount it.
5. Change to the following directory:
cd cd_mount_pt/linux_i386

6. Stop all Tivoli Access Manager applications and services:


pd_start stop

7. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

8. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:
-list fullpath_to_backup_listfile
    Specifies the fully qualified path to the backup list file. For example:
/opt/PolicyDirector/etc/pdbackup.lst

-path path
    Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
    Specifies a file name other than the list_date.time [.tar] default file name.
For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.
9. Install or upgrade IBM Global Security Kit (GSKit) to version 7 and the latest fix pack:
    - If you have a version of GSKit older than version 7 installed or if you do not have GSKit installed, install GSKit 7 by running rpm -i gsk7bas-<version and fix pack>.i386.rpm.
    - If you have an earlier version of GSKit 7 installed, upgrade to the latest fix pack of GSKit 7 by running rpm -U gsk7bas-<version and fix pack>.i386.rpm.
10. Install the client packages of Tivoli Directory Server:
rpm -i packages

where packages are as follows:


Base client package      rpm -i idsldap-cltbase61-6.1.0-6.i386.rpm
32-bit client package    rpm -i idsldap-clt32bit61-6.1.0-6.i386.rpm

Note: The 32-bit client package requires the base client package. For example, enter:
rpm -i idsldap-cltbase61-6.1.0-6.i386.rpm idsldap-clt32bit61-6.1.0-6.i386.rpm

11. Ensure that your registry server is running.
12. Do one of the following:
    - If you are upgrading from Tivoli Access Manager 5.1, install Tivoli Security Utilities:
rpm -i TivSecUtl-TivSec-6.1.1-0.i386.rpm

where TivSecUtl-TivSec-6.1.1-0.i386.rpm is the Tivoli Security Utilities package.
    - If you are upgrading from Tivoli Access Manager 6.0, upgrade Tivoli Security Utilities:
rpm -U TivSecUtl-TivSec-6.1.1-0.i386.rpm

where TivSecUtl-TivSec-6.1.1-0.i386.rpm is the Tivoli Security Utilities package.
13. Do one of the following:

    - If you are upgrading from Tivoli Access Manager 5.1, install Access Manager License:
rpm -i PDlic-PD-6.1.1-0.i386.rpm

where PDlic-PD-6.1.1-0.i386.rpm is the Access Manager License package.
    - If you are upgrading from Tivoli Access Manager 6.0, upgrade Access Manager License:
rpm -U PDlic-PD-6.1.1-0.i386.rpm

where PDlic-PD-6.1.1-0.i386.rpm is the Access Manager License package.
14. Upgrade Access Manager Runtime:
rpm -U PDRTE-PD-6.1.1-0.i386.rpm

where PDRTE-PD-6.1.1-0.i386.rpm is the Access Manager Runtime package.
15. If the two-system upgrade option was used for the policy server, the master-host record must be updated to point to the new policy server.
    Note: The two-system upgrade option can only be used if the registry server is an LDAP server.
    Edit the master-host entry in the following Access Manager Runtime configuration file: /opt/PolicyDirector/etc/pd.conf
16. Make sure that you can contact the policy server. For example, log in to the pdadmin interface and run a command:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

The upgrade of an Access Manager Runtime system for Linux on x86 is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

Linux on System z: Upgrading the runtime


To upgrade an Access Manager Runtime system for Linux on System z, complete the following instructions:
1. Before upgrading the runtime to 6.1.1, review the considerations in Upgrade considerations on page 141.
2. Log in as root.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
4. Obtain access to the IBM Tivoli Access Manager Base for Linux on System z CD image on the System z system. The .rpm files are located in the /cd_mount_pt/linux_s390 directory.
5. Change to the following directory:
cd cd_mount_pt/linux_s390

6. Stop all Tivoli Access Manager applications and services:


pd_start stop

7. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

8. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:
-list fullpath_to_backup_listfile
    Specifies the fully qualified path to the backup list file. For example:
/opt/PolicyDirector/etc/pdbackup.lst

-path path
    Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
    Specifies a file name other than the list_date.time [.tar] default file name.
For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.
9. Install or upgrade IBM Global Security Kit (GSKit) to version 7 and the latest fix pack:
    - If you have a version of GSKit older than version 7 installed or if you do not have GSKit installed, install GSKit 7 by running rpm -i gsk7bas-<version and fix pack>.s390.rpm.
    - If you have an earlier version of GSKit 7 installed, upgrade to the latest fix pack of GSKit 7 by running rpm -U gsk7bas-<version and fix pack>.s390.rpm.
10. Install the client packages of Tivoli Directory Server:
rpm -i packages

where packages are as follows:


Base client package      idsldap-cltbase61-6.1.0-6.s390.rpm
32-bit client package    idsldap-clt32bit61-6.1.0-6.s390.rpm

Note: The 32-bit client package requires the base client package. For example, enter:
rpm -i idsldap-cltbase61-6.1.0-6.s390.rpm idsldap-clt32bit61-6.1.0-6.s390.rpm

11. Ensure that your registry server is running.
12. Do one of the following:
    - If you are upgrading from Tivoli Access Manager 5.1, install Tivoli Security Utilities:
rpm -i TivSecUtl-TivSec-6.1.1-0.s390.rpm

where TivSecUtl-TivSec-6.1.1-0.s390.rpm is the Tivoli Security Utilities package.
    - If you are upgrading from Tivoli Access Manager 6.0, upgrade Tivoli Security Utilities:
rpm -U TivSecUtl-TivSec-6.1.1-0.s390.rpm

where TivSecUtl-TivSec-6.1.1-0.s390.rpm is the Tivoli Security Utilities package.
13. Do one of the following:
    - If you are upgrading from Tivoli Access Manager 5.1, install Access Manager License:

rpm -i PDlic-PD-6.1.1-0.s390.rpm

where PDlic-PD-6.1.1-0.s390.rpm is the Access Manager License package.
    - If you are upgrading from Tivoli Access Manager 6.0, upgrade Access Manager License:
rpm -U PDlic-PD-6.1.1-0.s390.rpm

where PDlic-PD-6.1.1-0.s390.rpm is the Access Manager License package.
14. Upgrade Access Manager Runtime:
rpm -U PDRTE-PD-6.1.1-0.s390.rpm

where PDRTE-PD-6.1.1-0.s390.rpm is the Access Manager Runtime package.
15. If the two-system upgrade option was used for the policy server, the master-host record must be updated to point to the new policy server.
    Note: The two-system upgrade option can only be used if the registry server is an LDAP server.
    Edit the master-host entry in the following Access Manager Runtime configuration file: /opt/PolicyDirector/etc/pd.conf
16. Make sure that you can contact the policy server. For example, log in to the pdadmin interface and run a command:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

The upgrade of an Access Manager Runtime system for Linux on System z is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

Linux on POWER: Upgrading the runtime


To upgrade an Access Manager Runtime system for Linux on POWER, complete the following instructions:
1. Before upgrading the runtime to 6.1.1, review the considerations in Upgrade considerations on page 141.
2. Log in as root.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
4. Insert the IBM Tivoli Access Manager Base for Linux on POWER CD and mount it.
5. Change to the following directory:
cd cd_mount_pt/linux_ppc

6. Stop all Tivoli Access Manager applications and services:


pd_start stop

7. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

8. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:
-list fullpath_to_backup_listfile
    Specifies the fully qualified path to the backup list file. For example:
/opt/PolicyDirector/etc/pdbackup.lst

-path path
    Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
    Specifies a file name other than the list_date.time [.tar] default file name.
For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.
9. Install or upgrade IBM Global Security Kit (GSKit). If you have a version of Global Security Kit prior to GSKit 7 installed or if you do not have a version of GSKit installed at all, install GSKit 7:
rpm -i gsk7bas-7.0-4.28.ppc.rpm

Or, if you have an earlier version of GSKit 7 installed, upgrade to GSKit 7.0-4.28:
rpm -U gsk7bas-7.0-4.28.ppc.rpm

10. Install the client packages of Tivoli Directory Server:


rpm -i packages

where packages are as follows:


Base client package      idsldap-cltbase61-6.1.0-6.ppc.rpm
32-bit client package    idsldap-clt32bit61-6.1.0-6.ppc.rpm

Note: The 32-bit client package requires the base client package. For example, enter:
rpm -i idsldap-cltbase61-6.1.0-6.ppc.rpm idsldap-clt32bit61-6.1.0-6.ppc.rpm

11. Ensure that your registry server is running.
12. Do one of the following:
    - If you are upgrading from Tivoli Access Manager 5.1, install Tivoli Security Utilities:
rpm -i TivSecUtl-TivSec-6.1.1-0.ppc.rpm

where TivSecUtl-TivSec-6.1.1-0.ppc.rpm is the Tivoli Security Utilities package.
    - If you are upgrading from Tivoli Access Manager 6.0, upgrade Tivoli Security Utilities:
rpm -U TivSecUtl-TivSec-6.1.1-0.ppc.rpm

where TivSecUtl-TivSec-6.1.1-0.ppc.rpm is the Tivoli Security Utilities package.
13. Do one of the following:
    - If you are upgrading from Tivoli Access Manager 5.1, install Access Manager License:
rpm -i PDlic-PD-6.1.1-0.ppc.rpm

where PDlic-PD-6.1.1-0.ppc.rpm is the Access Manager License package.

    - If you are upgrading from Tivoli Access Manager 6.0, upgrade Access Manager License:
rpm -U PDlic-PD-6.1.1-0.ppc.rpm

where PDlic-PD-6.1.1-0.ppc.rpm is the Access Manager License package.
14. Upgrade Access Manager Runtime:
rpm -U PDRTE-PD-6.1.1-0.ppc.rpm

where PDRTE-PD-6.1.1-0.ppc.rpm is the Access Manager Runtime package.
15. If the two-system upgrade option was used for the policy server, the master-host record must be updated to point to the new policy server.
    Note: The two-system upgrade option can only be used if the registry server is an LDAP server.
    Edit the master-host entry in the following Access Manager Runtime configuration file: /opt/PolicyDirector/etc/pd.conf
16. Make sure that you can contact the policy server. For example, log in to the pdadmin interface and run a command:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

The upgrade of an Access Manager Runtime system for Linux on POWER is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

Solaris: Upgrading the runtime


To upgrade an Access Manager Runtime system on Solaris, complete the following instructions:
1. Before upgrading the runtime to 6.1.1, review the considerations in Upgrade considerations on page 141.
2. Log in as root.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
4. Insert the IBM Tivoli Access Manager Base for Solaris CD.
5. Stop all Tivoli Access Manager applications and services:
pd_start stop

6. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

7. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:
-list fullpath_to_backup_listfile
    Specifies the fully qualified path to the backup list file. For example:
/opt/PolicyDirector/etc/pdbackup.lst

-path path
    Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
    Specifies a file name other than the list_date.time [.tar] default file name.
For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.
8. Install the Global Security Kit (GSKit):
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault gsk7bas

where /cdrom/cdrom0/solaris specifies the location of the package and /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script.
Note: During installation, you are asked if you want to use /opt as the root directory. If space permits, use /opt as the root installation directory. To accept /opt as the root directory, press Enter.
9. Install the Tivoli Directory Server client packages:
pkgadd -d /cdrom/cdrom0/solaris \
    -a /cdrom/cdrom0/solaris/pddefault packages

where /cdrom/cdrom0/solaris specifies the location of the package, /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script, and packages are as follows:
Base client package      IDSlbc61
32-bit client package    IDSl32c61

Note: The 32-bit client package requires the base client package.
10. Ensure that your registry server is running.
11. Install or upgrade Tivoli Security Utilities:
    Note: If you are upgrading from Tivoli Access Manager 5.1, Tivoli Security Utilities is installed. If you are upgrading from Tivoli Access Manager 6.0, Tivoli Security Utilities is upgraded.
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault TivSecUtl

where /cdrom/cdrom0/solaris specifies the location of the package, /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script, and TivSecUtl is the Tivoli Security Utilities package.
12. Install or upgrade Access Manager License:
    Note: If you are upgrading from Tivoli Access Manager 5.1, Access Manager License is installed. If you are upgrading from Tivoli Access Manager 6.0, Access Manager License is upgraded.
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault PDlic

where /cdrom/cdrom0/solaris specifies the location of the package, /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script, and PDlic is the Access Manager License package.
13. Upgrade Access Manager Runtime:

pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault PDRTE

where /cdrom/cdrom0/solaris specifies the location of the package, /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script, and PDRTE is the Access Manager Runtime package.
14. If the two-system upgrade option was used for the policy server, the master-host record must be updated to point to the new policy server.
    Note: The two-system upgrade option can only be used if the registry server is an LDAP server.
    Edit the master-host entry in the following Access Manager Runtime configuration file: /opt/PolicyDirector/etc/pd.conf
15. Make sure that you can contact the policy server. For example, log in to the pdadmin interface and run a command:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

The upgrade of an Access Manager Runtime system on Solaris is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

Solaris on x86_64: Upgrading the runtime


To upgrade an Access Manager Runtime system on Solaris on x86_64, complete the following instructions:
1. Before upgrading the runtime to 6.1.1, review the considerations in Upgrade considerations on page 141.
2. Log in as root.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
4. Insert the IBM Tivoli Access Manager Base for Solaris on x86_64 CD.
5. Stop all Tivoli Access Manager applications and services:
pd_start stop

6. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

7. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:
-list fullpath_to_backup_listfile
    Specifies the fully qualified path to the backup list file. For example:
/opt/PolicyDirector/etc/pdbackup.lst

-path path
    Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
    Specifies a file name other than the list_date.time [.tar] default file name.
For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.
8. Install the Global Security Kit (GSKit):
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault gsk7bas

where /cdrom/cdrom0/solaris_x86 specifies the location of the package and /cdrom/cdrom0/solaris_x86/pddefault specifies the location of the installation administration script.
Note: During installation, you are asked if you want to use /opt as the root directory. If space permits, use /opt as the root installation directory. To accept /opt as the root directory, press Enter.
9. Install the Tivoli Directory Server client packages:
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault packages

where /cdrom/cdrom0/solaris_x86 specifies the location of the package, /cdrom/cdrom0/solaris_x86/pddefault specifies the location of the installation administration script, and packages are as follows:
Base client package      IDSlbc61
32-bit client package    IDSl32c61

Note: The 32-bit client package requires the base client package.
10. Ensure that your registry server is running.
11. Upgrade Tivoli Security Utilities:
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault TivSecUtl

where /cdrom/cdrom0/solaris_x86 specifies the location of the package, /cdrom/cdrom0/solaris_x86/pddefault specifies the location of the installation administration script, and TivSecUtl is the Tivoli Security Utilities package.
12. Upgrade Access Manager License:
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault PDlic

where /cdrom/cdrom0/solaris_x86 specifies the location of the package, /cdrom/cdrom0/solaris_x86/pddefault specifies the location of the installation administration script, and PDlic is the Access Manager License package.
13. Upgrade Access Manager Runtime:
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault PDRTE

where /cdrom/cdrom0/solaris_x86 specifies the location of the package, /cdrom/cdrom0/solaris_x86/pddefault specifies the location of the installation administration script, and PDRTE is the Access Manager Runtime package.
14. If the two-system upgrade option was used for the policy server, the master-host record must be updated to point to the new policy server.
    Note: The two-system upgrade option can only be used if the registry server is an LDAP server.

    Edit the master-host entry in the following Access Manager Runtime configuration file: /opt/PolicyDirector/etc/pd.conf
15. Make sure that you can contact the policy server. For example, log in to the pdadmin interface and run a command:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

The upgrade of an Access Manager Runtime system on Solaris on x86_64 is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.
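
The master-host step in each of the UNIX and Linux procedures above is a manual edit of /opt/PolicyDirector/etc/pd.conf. The shell functions below are an added example, not IBM code: they read the active master-host entry, keep a copy of the original file, rewrite only that entry, and re-read the result before swapping the new file in. They assume "key = value" lines under "[stanza]" headers with "#" comments; the function names, the .pre-upgrade suffix, and the sample contents (including the [manager] stanza and master-port line) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not IBM code. Assumes pd.conf holds "key = value" lines under
# "[stanza]" headers with "#" comments; function names are hypothetical.

# Write a constructed pd.conf fragment (not a real configuration) to $1.
pd_write_sample() {
    cat > "$1" <<'EOF'
[manager]
# master-host = commented.example.com
master-host = oldpd.example.com
master-port = 7135
EOF
}

# Print the active master-host value from the file $1 (nothing if absent).
pd_get_master_host() {
    awk -F= '
        /^[ \t]*#/ { next }                       # ignore commented-out entries
        $1 ~ /^[ \t]*master-host[ \t]*$/ {
            v = $2
            gsub(/^[ \t]+|[ \t]+$/, "", v)        # trim whitespace around the value
            print v
            exit
        }' "$1"
}

# Point master-host in file $1 at host $2.
# Keeps the original as <file>.pre-upgrade, rewrites only the active
# master-host line, and swaps the new file in only after re-reading it.
pd_set_master_host() {
    conf=$1
    new_host=$2
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    case $new_host in                             # host name or IP characters only
        ''|*[!A-Za-z0-9.:-]*) echo "invalid host: $new_host" >&2; return 2 ;;
    esac
    [ -n "$(pd_get_master_host "$conf")" ] ||
        { echo "no master-host entry in $conf" >&2; return 3; }

    tmp=$conf.new.$$
    cp -p "$conf" "$conf.pre-upgrade" || return 4   # -p keeps mode and timestamps
    cp -p "$conf" "$tmp" || return 4                # new file starts with the same mode
    awk -v host="$new_host" '
        !changed && $0 !~ /^[ \t]*#/ && $0 ~ /^[ \t]*master-host[ \t]*=/ {
            print "master-host = " host
            changed = 1
            next
        }
        { print }' "$conf" > "$tmp" || { rm -f "$tmp"; return 5; }
    if [ "$(pd_get_master_host "$tmp")" != "$new_host" ]; then
        rm -f "$tmp"
        return 5
    fi
    mv "$tmp" "$conf"
}

# Demonstration on the constructed sample in a scratch directory.
pd_demo() {
    dir=$(mktemp -d) || return 1
    pd_write_sample "$dir/pd.conf"
    echo "before: $(pd_get_master_host "$dir/pd.conf")"
    pd_set_master_host "$dir/pd.conf" newpd.example.com
    echo "after:  $(pd_get_master_host "$dir/pd.conf")"
    rm -rf "$dir"
}
pd_demo
```

Running pd_get_master_host against the live file before the pdadmin connectivity check confirms which policy server the runtime will contact.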

Windows: Upgrading the runtime


To upgrade an Access Manager Runtime system on Windows, complete the following instructions:
1. Before upgrading the runtime to 6.1.1, review the considerations in "Upgrade considerations" on page 141.
2. Log in as a user with administrative privileges.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
4. Insert the IBM Tivoli Access Manager Base for Windows CD.
5. Exit all running programs. During the upgrade process, you are prompted to restart your Windows system periodically.
6. Stop all Tivoli Access Manager applications and services. For example, on Windows 2003 systems, select Start > Control Panel > Administrative Tools. Double-click the Services icon, and stop all Tivoli Access Manager services running on the local system, including applications, such as WebSEAL. From Services, find the Access Manager Auto-Start Service. Double-click this service and change the startup type to Disabled.
7. Use the pdbackup utility, located in the cd_drive\windows\migration directory, to back up critical Tivoli Access Manager information:
"C:\Program Files\Tivoli\Policy Director\bin\pdbackup" -action backup -list fullpath_to_backup_listfile -path path -file filename

where:
-list fullpath_to_backup_listfile
Specifies the fully qualified path to the backup list file. For example:
"C:\Program Files\Tivoli\Policy Director\etc\pdbackup.lst"

-path path
Specifies the path where you want the backed up files to be stored. For example:
"C:\Program Files\Tivoli\Policy Director\pdbackup"

-file filename
Specifies a file name other than the list_date.time [.dar] default file name.
For more information about the pdbackup utility, see Appendix A, "Upgrade utilities," on page 281.
8. Install the Global Security Kit (GSKit). To do so, change to the \windows\GSKit directory on the drive where the CD is located and enter:
setup policydirector

Follow the online instructions to complete the installation.
9. If you are using an LDAP server as your registry, install the Tivoli Directory Server client by running the install_tds.exe script in windows\tds (if necessary). Select to install C Client 6.1 and follow the online instructions to complete the installation.
Note: If you are using Domino or Active Directory as your registry and the Tivoli Access Manager systems in your domain are Windows-based, the Tivoli Directory Server client is not required.
10. Ensure that your registry server is running.
11. Install the security utilities by running the setup.exe script in the \windows\TivSecUtl\Disk Images\Disk1 directory. Follow the online instructions to complete the installation.
12. Install the components by running the setup.exe script in the \windows\PolicyDirector\Disk Images\Disk1 directory. Select to install the following components in this sequence:
• Access Manager License
• Access Manager Runtime
Follow the online instructions to complete the installation.
Note: You are prompted to restart your system during this process.
13. Start all Tivoli Access Manager applications and services. For example, on Windows 2003 systems, select Start > Control Panel > Administrative Tools, and then double-click the Services icon. Start all Tivoli Access Manager services running on the local system, including applications, such as WebSEAL. From Services, find the Access Manager Auto-Start Service. Double-click this service and change the startup type to Automatic.
14. If the two-system upgrade option was used for the policy server, the master-host record must be updated to point to the new policy server.
Note: The two-system upgrade option can only be used if the registry server is an LDAP server.
Edit the master-host entry in the following Access Manager Runtime configuration file:
install_path/etc/pd.conf
15. Make sure that you can contact the policy server. For example, log in to the pdadmin interface and run a command:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

The upgrade of an Access Manager Runtime system on Windows is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.


Chapter 7. Upgrading the runtime for Java


Tivoli Access Manager supports an upgrade of an Access Manager Runtime for Java system to version 6.1.1.
Note: For Tivoli Access Manager 6.0, the runtime for Java component is renamed to Access Manager Runtime for Java. Access Manager Runtime for Java requires the Java Virtual Machine (JVM) it is deployed into to be IBM Java Runtime 1.5 SR5.

The following platform-specific instructions are provided:
• AIX
• HP-UX
• HP-UX on Integrity
• Linux on x86
• Linux on System z
• Linux on POWER
• Solaris
• Solaris on x86_64
• Windows

Upgrade considerations
Before upgrading Access Manager Runtime for Java to 6.1.1, review the following considerations:
• Upgrade your operating system to the minimum supported level. For information about minimum supported levels, see IBM Tivoli Access Manager for e-business: Release Notes.
• Access Manager Runtime for Java requires the JVM it is deployed into to be IBM Java Runtime 1.5 SR5.
• If the previous version of JVM that you have configured is not IBM Java Runtime 1.5 SR5, you must deploy a new Access Manager Runtime for Java 6.1.1 into a copy of IBM Java Runtime 1.5 SR5.
• You are not required to upgrade all Tivoli Access Manager components in your secure domain to a 6.1.1 level. However, if you upgrade any Tivoli Access Manager component in your secure domain to a 6.1.1 level, you must install Tivoli Directory Server client 6.1 on that system. For a list of components that are compatible with Tivoli Access Manager 6.1.1, see the IBM Tivoli Access Manager for e-business: Release Notes.
• If you are upgrading and using a language other than English, remember to upgrade your language package. Refer to the IBM Tivoli Access Manager for e-business: Installation Guide to install the language package. However, when upgrading the IBM Tivoli Directory Server language packages, you must use the upgrade (-U) option for Linux operating systems.

AIX: Upgrading the runtime for Java


To upgrade an Access Manager Runtime for Java system on AIX, complete the following instructions:

1. Before upgrading the runtime for Java to Access Manager Runtime for Java 6.1.1, review the considerations in "Upgrade considerations" on page 159.
2. Log in as root.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
Note: The AIX operating system requires version 8.0.0.x of the xlC fileset. Check your current version by using the lslpp command and upgrade, if necessary.
4. Insert the IBM Tivoli Access Manager Base for AIX CD and mount it.
5. If Access Manager Runtime is not installed, skip to step 6. If Access Manager Runtime is installed, do the following:
a. Stop all Tivoli Access Manager applications and services:
pd_start stop

b. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

c. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:
-list fullpath_to_backup_listfile
Specifies the fully qualified path to the backup list file. For example:
/opt/PolicyDirector/etc/pdbackup.lst

-path path
Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
Specifies a file name other than the list_date.time [.tar] default file name.
For more information about the pdbackup utility, see Appendix A, "Upgrade utilities," on page 281.
6. Ensure that your registry server and policy server are running.
7. Install or upgrade Access Manager License:
installp -acgYXd cd_mount_pt/usr/sys/inst.images PD.lic

where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located and PD.lic is the Access Manager License package.
Note: If you are upgrading from Tivoli Access Manager 5.1, Access Manager License is installed. If you are upgrading from Tivoli Access Manager 6.0, Access Manager License is upgraded.


8. If the IBM Access Manager Runtime for Java is configured into the JVM for IBM WebSphere Application Server, stop the WebSphere Application Server and the IBM HTTP Server.
9. Upgrade Access Manager Runtime for Java:
installp -acgYXd cd_mount_pt/usr/sys/inst.images PDJ.rte

where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located and PDJ.rte is the Access Manager Runtime for Java package.
10. If the two-system upgrade option was used for the policy server, update the PD.properties file in each configured Java Virtual Machine (JVM) to point to the new policy server.
Note: The two-system upgrade option can only be used if the registry server is an LDAP server.
11. Ensure that the configured JRE is at level 1.5 SR5 or later and is the first in the PATH statement.
a. To install the JRE, enter the following:
installp -acgYXd cd_mount_pt/usr/sys/inst.images Java5.sdk

where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located.
b. Do one of the following:
• Set the PATH environmental variable. For example:
export PATH=/usr/java150/jre/bin:$PATH

Note: To display whether the JRE is already in the path, use the java -version command.
• Set the JAVA_HOME environmental variable to the path where you installed JRE 1.5.0 SR5. For example, using the Korn shell, enter the following to define JAVA_HOME:
export JAVA_HOME=/usr/java150/jre

12. If the IBM Access Manager Runtime for Java is configured into the JVM for IBM WebSphere Application Server, restart the WebSphere Application Server and the IBM HTTP Server.

The upgrade of an Access Manager Runtime for Java system on AIX is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

HP-UX: Upgrading the runtime for Java


To upgrade an Access Manager Runtime for Java system on HP-UX, complete the following instructions:
1. Before upgrading the runtime for Java to Access Manager Runtime for Java 6.1.1, review the considerations in "Upgrade considerations" on page 159.
2. Log in as root.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
4. Insert the IBM Tivoli Access Manager Base for HP-UX CD.
5. Mount the CD using the HP-UX mount command. For example, enter the following command:

mount -F cdfs -o rr /dev/dsk/c0t0d0 /cd-rom

where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point.
6. If Access Manager Runtime is not installed, skip to step 7. If Access Manager Runtime is installed, do the following:
a. Stop all Tivoli Access Manager applications and services:
pd_start stop

b. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

c. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:
-list fullpath_to_backup_listfile
Specifies the fully qualified path to the backup list file. For example:
/opt/PolicyDirector/etc/pdbackup.lst

-path path
Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
Specifies a file name other than the list_date.time [.tar] default file name.
For more information about the pdbackup utility, see Appendix A, "Upgrade utilities," on page 281.
7. Ensure that your registry server is running.
8. Install or upgrade Access Manager License:
Note: If you are upgrading from Tivoli Access Manager 5.1, Access Manager License is installed. If you are upgrading from Tivoli Access Manager 6.0, Access Manager License is upgraded.
swinstall -s /cd-rom/hp PDlic

where /cd-rom/hp is the directory where the installation images are located and PDlic is the Access Manager License package.
9. If the IBM Access Manager Runtime for Java is configured into the JVM for IBM WebSphere Application Server, stop the WebSphere Application Server and the IBM HTTP Server.
10. Upgrade Access Manager Runtime for Java:
swinstall -s /cd-rom/hp PDJrte

where /cd-rom/hp is the directory where the installation images are located and PDJrte is the Access Manager Runtime for Java package.


11. If the two-system upgrade option was used for the policy server, update the PD.properties file in each configured Java Virtual Machine (JVM) to point to the new policy server.
Note: The two-system upgrade option can only be used if the registry server is an LDAP server.
12. If the IBM Access Manager Runtime for Java is configured into the JVM for IBM WebSphere Application Server, restart the WebSphere Application Server and the IBM HTTP Server.

The upgrade of an Access Manager Runtime for Java system on HP-UX is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

HP-UX on Integrity: Upgrading the runtime for Java


To upgrade an Access Manager Runtime for Java system on HP-UX on Integrity, complete the following instructions:
1. Before upgrading the runtime for Java to Access Manager Runtime for Java 6.1.1, review the considerations in "Upgrade considerations" on page 159.
2. Log in as root.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
4. Insert the IBM Tivoli Access Manager Base for HP-UX on Integrity CD.
5. Mount the CD using the HP-UX on Integrity mount command. For example, enter the following command:
mount -F cdfs -o rr /dev/dsk/c0t0d0 /cd-rom

where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point.
6. If Access Manager Runtime is not installed, skip to step 7 on page 164. If Access Manager Runtime is installed, do the following:
a. Stop all Tivoli Access Manager applications and services:
pd_start stop

b. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

c. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:
-list fullpath_to_backup_listfile
Specifies the fully qualified path to the backup list file. For example:
/opt/PolicyDirector/etc/pdbackup.lst


-path path
Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
Specifies a file name other than the list_date.time [.tar] default file name.
For more information about the pdbackup utility, see Appendix A, "Upgrade utilities," on page 281.
7. Ensure that your registry server is running.
8. Upgrade Access Manager License:
swinstall -s /cd-rom/hp_ia64 PDlic

where /cd-rom/hp_ia64 is the directory where the installation images are installed and PDlic is the Access Manager License package.
9. If the IBM Access Manager Runtime for Java is configured into the JVM for IBM WebSphere Application Server, stop the WebSphere Application Server and the IBM HTTP Server.
10. Upgrade Access Manager Runtime for Java:
swinstall -s /cd-rom/hp_ia64 PDJrte

where /cd-rom/hp_ia64 is the directory where the installation images are located and PDJrte is the Access Manager Runtime for Java package.
11. If the two-system upgrade option was used for the policy server, update the PD.properties file in each configured Java Virtual Machine (JVM) to point to the new policy server.
Note: The two-system upgrade option can only be used if the registry server is an LDAP server.
12. If the IBM Access Manager Runtime for Java is configured into the JVM for IBM WebSphere Application Server, restart the WebSphere Application Server and the IBM HTTP Server.

The upgrade of an Access Manager Runtime for Java system on HP-UX on Integrity is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

Linux on x86: Upgrading the runtime for Java


To upgrade an Access Manager Runtime for Java system for Linux on x86, complete the following instructions:
1. Before upgrading the runtime for Java to Access Manager Runtime for Java 6.1.1, review the considerations in "Upgrade considerations" on page 159.
2. Log in as root.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
4. Insert the IBM Tivoli Access Manager Base for Linux on x86 CD and mount it.
5. Change to the following directory:
cd cd_mount_pt/linux_i386

where cd_mount_pt/linux_i386 is the directory where the installation images are located.


6. If Access Manager Runtime is not installed, skip to step 7. If Access Manager Runtime is installed, do the following:
a. Stop all Tivoli Access Manager applications and services:
pd_start stop

b. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

c. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:
-list fullpath_to_backup_listfile
Specifies the fully qualified path to the backup list file. For example:
/opt/PolicyDirector/etc/pdbackup.lst

-path path
Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
Specifies a file name other than the list_date.time [.tar] default file name.
For more information about the pdbackup utility, see Appendix A, "Upgrade utilities," on page 281.
7. Ensure that your registry server is running.
8. Do one of the following:
• If you are upgrading from Tivoli Access Manager 5.1, install Access Manager License:
rpm -i PDlic-PD-6.1.1-0.i386.rpm

where PDlic-PD-6.1.1-0.i386.rpm is the Access Manager License package.
• If you are upgrading from Tivoli Access Manager 6.0, upgrade Access Manager License:
rpm -U PDlic-PD-6.1.1-0.i386.rpm

where PDlic-PD-6.1.1-0.i386.rpm is the Access Manager License package.
9. If the IBM Access Manager Runtime for Java is configured into the JVM for IBM WebSphere Application Server, stop the WebSphere Application Server and the IBM HTTP Server.
10. Upgrade Access Manager Runtime for Java:
rpm -U PDJrte-PD-6.1.1-0.i386.rpm

where PDJrte-PD-6.1.1-0.i386.rpm is the Access Manager Runtime for Java package.
11. If the two-system upgrade option was used for the policy server, update the PD.properties file in each configured Java Virtual Machine (JVM) to point to the new policy server.

Note: The two-system upgrade option can only be used if the registry server is an LDAP server.
12. If the IBM Access Manager Runtime for Java is configured into the JVM for IBM WebSphere Application Server, restart the WebSphere Application Server and the IBM HTTP Server.

The upgrade of an Access Manager Runtime for Java system for Linux on x86 is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

Linux on System z: Upgrading the runtime for Java


To upgrade an Access Manager Runtime for Java system for Linux on System z, complete the following instructions:
1. Before upgrading the runtime for Java to Access Manager Runtime for Java 6.1.1, review the considerations in "Upgrade considerations" on page 159.
2. Log in as root.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
4. Obtain access to the IBM Tivoli Access Manager Base for Linux on System z CD image on the System z system. The .rpm files are located in the /cd_mount_pt/linux_s390 directory.
5. Change to the following directory:
cd cd_mount_pt/linux_s390

where cd_mount_pt/linux_s390 is where the installation images are located.
6. If Access Manager Runtime is not installed, skip to step 7 on page 167. If Access Manager Runtime is installed, do the following:
a. Stop all Tivoli Access Manager applications and services:
pd_start stop

b. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

c. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:
-list fullpath_to_backup_listfile
Specifies the fully qualified path to the backup list file. For example:
/opt/PolicyDirector/etc/pdbackup.lst

-path path
Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup


-file filename
Specifies a file name other than the list_date.time [.tar] default file name.
For more information about the pdbackup utility, see Appendix A, "Upgrade utilities," on page 281.
7. Ensure that your registry server is running.
8. Do one of the following:
• If you are upgrading from Tivoli Access Manager 5.1, install Access Manager License:
rpm -i PDlic-PD-6.1.1-0.s390.rpm

where PDlic-PD-6.1.1-0.s390.rpm is the Access Manager License package.
• If you are upgrading from Tivoli Access Manager 6.0, upgrade Access Manager License:
rpm -U PDlic-PD-6.1.1-0.s390.rpm

where PDlic-PD-6.1.1-0.s390.rpm is the Access Manager License package.
9. If the IBM Access Manager Runtime for Java is configured into the JVM for IBM WebSphere Application Server, stop the WebSphere Application Server and the IBM HTTP Server.
10. Upgrade Access Manager Runtime for Java:
rpm -U PDJrte-PD-6.1.1-0.s390.rpm

where PDJrte-PD-6.1.1-0.s390.rpm is the Access Manager Runtime for Java package.
The rpm command using the -U flag runs a script to automatically upgrade the Access Manager Runtime for Java in the Java Runtime Environment where it is installed. If unsuccessful, a message will be displayed with instructions to run the pdjrteupg utility manually. In this case, the utility must be run using the -p flag. For example:
/opt/PolicyDirector/sbin # ./pdjrteupg -p

11. If the two-system upgrade option was used for the policy server, update the PD.properties file in each configured Java Virtual Machine (JVM) to point to the new policy server.
Note: The two-system upgrade option can only be used if the registry server is an LDAP server.
12. If the IBM Access Manager Runtime for Java is configured into the JVM for IBM WebSphere Application Server, restart the WebSphere Application Server and the IBM HTTP Server.

The upgrade of an Access Manager Runtime for Java system for Linux on System z is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

Linux on POWER: Upgrading the runtime for Java


To upgrade an Access Manager Runtime for Java system for Linux on POWER, complete the following instructions:
1. Before upgrading the runtime for Java to Access Manager Runtime for Java 6.1.1, review the considerations in "Upgrade considerations" on page 159.
2. Log in as root.


3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
4. Insert the IBM Tivoli Access Manager Base for Linux on POWER CD and mount it.
5. Change to the following directory:
cd cd_mount_pt/linux_ppc

where cd_mount_pt/linux_ppc is where the CD is mounted.
6. If Access Manager Runtime is not installed, skip to step 7. If Access Manager Runtime is installed, do the following:
a. Stop all Tivoli Access Manager applications and services:
pd_start stop

b. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

c. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:
-list fullpath_to_backup_listfile
Specifies the fully qualified path to the backup list file. For example:
/opt/PolicyDirector/etc/pdbackup.lst

-path path
Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
Specifies a file name other than the list_date.time [.tar] default file name.
For more information about the pdbackup utility, see Appendix A, "Upgrade utilities," on page 281.
7. Ensure that your registry server is running.
8. Do one of the following:
• If you are upgrading from Tivoli Access Manager 5.1, install Access Manager License:
rpm -i PDlic-PD-6.1.1-0.ppc.rpm

where PDlic-PD-6.1.1-0.ppc.rpm is the Access Manager License package.
• If you are upgrading from Tivoli Access Manager 6.0, upgrade Access Manager License:
rpm -U PDlic-PD-6.1.1-0.ppc.rpm

where PDlic-PD-6.1.1-0.ppc.rpm is the Access Manager License package.


9. If the IBM Access Manager Runtime for Java is configured into the JVM for IBM WebSphere Application Server, stop the WebSphere Application Server and the IBM HTTP Server.
10. Upgrade Access Manager Runtime for Java:
rpm -U PDJrte-PD-6.1.1-0.ppc.rpm

where PDJrte-PD-6.1.1-0.ppc.rpm is the Access Manager Runtime for Java package.
11. If the two-system upgrade option was used for the policy server, update the PD.properties file in each configured Java Virtual Machine (JVM) to point to the new policy server.
Note: The two-system upgrade option can only be used if the registry server is an LDAP server.
12. If the IBM Access Manager Runtime for Java is configured into the JVM for IBM WebSphere Application Server, restart the WebSphere Application Server and the IBM HTTP Server.

The upgrade of an Access Manager Runtime for Java system for Linux on POWER is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

Solaris: Upgrading the runtime for Java


To upgrade an Access Manager Runtime for Java system on Solaris, complete the following instructions:
1. Before upgrading the runtime for Java to Access Manager Runtime for Java 6.1.1, review the considerations in "Upgrade considerations" on page 159.
2. Log in as root.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
4. Insert the IBM Tivoli Access Manager Base for Solaris CD.
5. If Access Manager Runtime is not installed, skip to step 6 on page 170. If Access Manager Runtime is installed, do the following:
a. Stop all Tivoli Access Manager applications and services:
pd_start stop

b. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

c. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:
-list fullpath_to_backup_listfile
Specifies the fully qualified path to the backup list file. For example:

/opt/PolicyDirector/etc/pdbackup.lst

-path path
Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
Specifies a file name other than the list_date.time [.tar] default file name.
For more information about the pdbackup utility, see Appendix A, "Upgrade utilities," on page 281.
6. Ensure that your registry server is running.
7. Install or upgrade Access Manager License:
Note: If you are upgrading from Tivoli Access Manager 5.1, Access Manager License is installed. If you are upgrading from Tivoli Access Manager 6.0, Access Manager License is upgraded.
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault PDlic

where /cdrom/cdrom0/solaris specifies the location of the package, /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script, and PDlic is the Access Manager License package.
8. If the IBM Access Manager Runtime for Java is configured into the JVM for IBM WebSphere Application Server, stop the WebSphere Application Server and the IBM HTTP Server.
9. Upgrade Access Manager Runtime for Java:
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault PDJrte

where /cdrom/cdrom0/solaris specifies the location of the package, /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script, and PDJrte is the Access Manager Runtime for Java package.
10. If the two-system upgrade option was used for the policy server, update the PD.properties file in each configured Java Virtual Machine (JVM) to point to the new policy server.
Note: The two-system upgrade option can only be used if the registry server is an LDAP server.
11. If the IBM Access Manager Runtime for Java is configured into the JVM for IBM WebSphere Application Server, restart the WebSphere Application Server and the IBM HTTP Server.

The upgrade of an Access Manager Runtime for Java system on Solaris is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

Solaris on x86_64: Upgrading the runtime for Java


To upgrade an Access Manager Runtime for Java system on Solaris on x86_64, complete the following instructions:
1. Before upgrading the runtime for Java to Access Manager Runtime for Java 6.1.1, review the considerations in "Upgrade considerations" on page 159.
2. Log in as root.


3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
4. Insert the IBM Tivoli Access Manager Base for Solaris on x86_64 CD.
5. If Access Manager Runtime is not installed, skip to step 6. If Access Manager Runtime is installed, do the following:
a. Stop all Tivoli Access Manager applications and services:
pd_start stop

b. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

c. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:
-list fullpath_to_backup_listfile
Specifies the fully qualified path to the backup list file. For example:
/opt/PolicyDirector/etc/pdbackup.lst

-path path
Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
Specifies a file name other than the list_date.time [.tar] default file name.

For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.
6. Ensure that your registry server is running.
7. Upgrade Access Manager License:
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault PDlic

where /cdrom/cdrom0/solaris_x86 specifies the location of the package, /cdrom/cdrom0/solaris_x86/pddefault specifies the location of the installation administration script, and PDlic is the Access Manager License package.
8. If the IBM Access Manager Runtime for Java is configured into the JVM for IBM WebSphere Application Server, stop the WebSphere Application Server and the IBM HTTP Server.
9. Upgrade Access Manager Runtime for Java:
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault PDJrte

where /cdrom/cdrom0/solaris_x86 specifies the location of the package, /cdrom/cdrom0/solaris_x86/pddefault specifies the location of the installation administration script, and PDJrte is the Access Manager Runtime for Java package.
10. If the two-system upgrade option was used for the policy server, update the PD.properties file in each configured Java Virtual Machine (JVM) to point to the new policy server.
Note: The two-system upgrade option can only be used if the registry server is an LDAP server.
11. If the IBM Access Manager Runtime for Java is configured into the JVM for IBM WebSphere Application Server, restart the WebSphere Application Server and the IBM HTTP Server.

The upgrade of an Access Manager Runtime for Java system on Solaris on x86_64 is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

Windows: Upgrading the runtime for Java


To upgrade an Access Manager Runtime for Java system on Windows, complete the following instructions:
1. Before upgrading the runtime for Java to Access Manager Runtime for Java 6.1.1, review the considerations in Upgrade considerations on page 159.
2. Log in as a user with administrative privileges.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
4. Insert the IBM Tivoli Access Manager Base for Windows CD.
5. If Access Manager Runtime is not installed, skip to step 6 on page 173. If Access Manager Runtime is installed, do the following:
a. Exit all running programs. During the upgrade process, you are prompted to restart your Windows system periodically.
b. Stop all Tivoli Access Manager applications and services. For example, on Windows 2003 systems, select Start > Control Panel > Administrative Tools. Double-click the Services icon, and stop all Tivoli Access Manager services running on the local system, including applications, such as WebSEAL. From Services, find the Access Manager Auto-Start Service. Double-click this service and change the startup type to Disabled.
c. Use the pdbackup utility, located in the install_dir\bin directory, to back up critical Tivoli Access Manager information:
"C:\Program Files\Tivoli\PolicyDirector\bin\pdbackup" -action backup -list fullpath_to_backup_listfile -path path -file filename

where:
-list fullpath_to_backup_listfile
Specifies the fully qualified path to the backup list file. For example:
"C:\Program Files\Tivoli\Policy Director\etc\pdbackup.lst"

-path path
Specifies the path where you want the backed up files to be stored. For example:
"C:\Program Files\Tivoli\Policy Director\pdbackup"

-file filename
Specifies a file name other than the list_date.time [.dar] default file name.

For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.
6. If the IBM Access Manager Runtime for Java is configured into the JVM for IBM WebSphere Application Server, stop the WebSphere Application Server and the IBM HTTP Server.
7. Upgrade the Access Manager Runtime for Java component by running the setup.exe script in the \windows\PolicyDirector\Disk Images\Disk1 directory. Select to install the following components in this sequence:
- Access Manager License
- Access Manager Runtime
Follow online instructions to complete installation.
Note: You are prompted to restart your system to complete this process.
8. Start all Tivoli Access Manager applications and services. For example, on Windows 2003 systems, select Start > Control Panel > Administrative Tools, and then double-click the Services icon. Start all Tivoli Access Manager services running on the local system, including applications, such as WebSEAL. From Services, find the Access Manager Auto-Start Service. Double-click this service and change the startup type to Automatic.
9. If the two-system upgrade option was used for the policy server, update the PD.properties file in each configured Java Virtual Machine (JVM) to point to the new policy server.
Note: The two-system upgrade option can only be used if the registry server is an LDAP server.
10. If the IBM Access Manager Runtime for Java is configured into the JVM for IBM WebSphere Application Server, restart the WebSphere Application Server and the IBM HTTP Server.

The upgrade of an Access Manager Runtime for Java system on Windows is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

Chapter 8. Upgrading the policy proxy server


Tivoli Access Manager supports an upgrade of the policy proxy server to 6.1.1. The following platform-specific instructions are provided:
- AIX on page 176
- HP-UX on page 178
- HP-UX on Integrity on page 180
- Linux on x86 on page 182
- Linux on System z on page 184
- Solaris on page 189
- Solaris on x86_64 on page 191
- Windows on page 193

Upgrade considerations
Before upgrading the policy proxy server system to 6.1.1, review the following considerations:
- Upgrade your operating system to the minimum supported level. For information about minimum supported levels, see IBM Tivoli Access Manager for e-business: Release Notes.
- In Tivoli Directory Server version 6.1, clients can coexist on the same machine with a client that is version 5.1, 5.2, or 6.0. The Tivoli Directory Server 6.1 server requires that the version 6.1 client and the Java client also be installed. In addition, the server can coexist on the same machine with another client that is version 5.1, 5.2 or 6.0, or with a version of the 6.0 server.
- You are not required to upgrade all Tivoli Access Manager components in your secure domain to a 6.1.1 level. However, if you upgrade any Tivoli Access Manager component in your secure domain to a 6.1.1 level, you must install Tivoli Directory Server client 6.1 on that system. For a list of components that are compatible with Tivoli Access Manager 6.1.1, see the IBM Tivoli Access Manager for e-business: Release Notes.
- In general, if Tivoli Directory Server is your registry server and is located on a different machine from any Tivoli Access Manager component, you can upgrade the registry server at any time, before or after the upgrade of the Tivoli Access Manager 6.1.1 component. However, when the server package of Tivoli Directory Server is installed on the same machine as any Tivoli Access Manager 6.1.1 component and if you choose to install the server package of Tivoli Directory Server 6.1, it is recommended that you install the Tivoli Directory Server 6.1 client and server packages at the same time as you install the Tivoli Access Manager 6.1.1 component on that machine.
- If you are upgrading and using a language other than English, remember to upgrade your language package. Refer to the IBM Tivoli Access Manager for e-business: Installation Guide to install the language package. However, when upgrading the IBM Tivoli Directory Server language packages, you must use the upgrade (-U) option for Linux operating systems.

AIX: Upgrading the policy proxy server


To upgrade the policy proxy server system on AIX, complete the following instructions.
1. Before upgrading the policy proxy server system to 6.1.1, review the considerations in Upgrade considerations on page 175.
2. Log in as root.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
Note: The AIX operating system requires version 8.0.0.x of the xlC fileset. Check your current version by using the lslpp command and upgrade, if necessary.
4. Insert the IBM Tivoli Access Manager Base for AIX CD and mount it.
5. Stop all Tivoli Access Manager applications and services:
pd_start stop

6. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

7. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list /opt/PolicyDirector/etc/pdbackup.lst -path path -file filename

where:
-list fullpath_to_backup_listfile
Specifies the fully qualified path to the backup list file. For example:
/opt/PolicyDirector/etc/pdbackup.lst

-path path
Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
Specifies a file name other than the list_date.time [.tar] default file name.

For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.
8. Install the Global Security Kit (GSKit):
installp -acgYXd cd_mount_pt/usr/sys/inst.images gskta.rte

where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located.
9. Install the Tivoli Directory Server client packages:
installp -acgYXd cd_mount_pt/usr/sys/inst.images packages

where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located and where packages are the names of the Tivoli Directory Server client packages:

Client base package                  idsldap.cltbase61
Client package (32-bit) (no SSL)     idsldap.clt32bit61
Client package (32-bit) (SSL)        idsldap.clt_max_crypto32bit61

Note: The 32-bit client package requires the base client package.
10. Ensure that your registry server is running.
11. Install or upgrade Tivoli Security Utilities:
Note: If you are upgrading from Tivoli Access Manager 5.1, Tivoli Security Utilities is installed. If you are upgrading from Tivoli Access Manager 6.0, the Tivoli Security Utilities is upgraded.
installp -acgYXd cd_mount_pt/usr/sys/inst.images TivSec.Utl

where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located and TivSec.Utl is the Tivoli Security Utilities package.
12. Install or upgrade Access Manager License:
Note: If you are upgrading from Tivoli Access Manager 5.1, Access Manager License is installed. If you are upgrading from Tivoli Access Manager 6.0, Access Manager License is upgraded.
installp -acgYXd cd_mount_pt/usr/sys/inst.images PD.lic

where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located and PD.lic is the Access Manager License package.
13. Upgrade Access Manager Runtime:
installp -acgYXd cd_mount_pt/usr/sys/inst.images PD.RTE

where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located and PD.RTE is the Access Manager Runtime package.
14. Upgrade Access Manager Policy Proxy Server:
installp -acgYXd cd_mount_pt/usr/sys/inst.images PD.MgrProxy

where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located and PD.MgrProxy is the Access Manager Policy Proxy Server package.
15. If the two-system upgrade option was used for the policy server, the master-host record must be updated to point to the new policy server.
Note: The two-system upgrade option can only be used if the registry server is an LDAP server.
Edit the master-host entry in each of the following configuration files:
- Access Manager Runtime
/opt/PolicyDirector/etc/pd.conf

- Access Manager Policy Proxy Server
/opt/PolicyDirector/etc/pdmgrproxyd.conf

16. Start the policy proxy server daemon (pdmgrproxyd):


pd_start start

17. Ensure that policy proxy server is running:


pd_start status

18. Make sure that you can contact the policy server. For example, log in to the pdadmin interface and run a command:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

The upgrade of the policy proxy server on AIX is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.
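
After a two-system upgrade, a master-host entry that was missed in either file leaves that component pointing at the retired policy server. The following check is an added example, not part of the IBM guide; the host names, the [manager] stanza layout of the sample files and the "master-host = value" line syntax are assumptions.

```shell
#!/bin/sh
# Added example (not from the IBM guide): verify that the master-host entries
# edited after a two-system upgrade name the new policy server.
# Assumption: entries are "master-host = value" lines; '#' starts a comment.

# master_hosts FILE: print each master-host value in FILE, one per line.
master_hosts() {
    sed -n 's/^[[:space:]]*master-host[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*$/\1/p' "$1"
}

# lower STRING: host names are compared case-insensitively.
lower() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# check_master_host EXPECTED FILE...
# Prints one status line per entry. Returns 0 only if every file is readable,
# contains at least one master-host entry, and every entry equals EXPECTED.
check_master_host() {
    expected=$(lower "$1")
    shift
    rc=0
    for conf in "$@"; do
        if [ ! -r "$conf" ]; then
            echo "UNREADABLE $conf"
            rc=1
            continue
        fi
        found=0
        for value in $(master_hosts "$conf"); do
            found=1
            if [ "$(lower "$value")" = "$expected" ]; then
                echo "OK $conf master-host=$value"
            else
                echo "STALE $conf master-host=$value (expected $expected)"
                rc=1
            fi
        done
        if [ "$found" -eq 0 ]; then
            echo "MISSING $conf has no master-host entry"
            rc=1
        fi
    done
    return "$rc"
}

# write_samples DIR: constructed sample files (hypothetical hosts and layout).
# pd.conf was edited; pdmgrproxyd.conf still names the old policy server.
write_samples() {
    cat > "$1/pd.conf" <<'EOF'
[manager]
# master-host = oldpolicy.example.com
master-host = newpolicy.example.com
master-port = 7135
EOF
    cat > "$1/pdmgrproxyd.conf" <<'EOF'
[manager]
master-host = oldpolicy.example.com
master-port = 7135
EOF
}

# demo: run the check against the constructed samples and show the result.
demo() {
    tmp=$(mktemp -d) || return 0
    write_samples "$tmp"
    status=0
    check_master_host newpolicy.example.com \
        "$tmp/pd.conf" "$tmp/pdmgrproxyd.conf" || status=$?
    echo "exit status: $status"
    rm -rf "$tmp"
    return 0
}

demo
```

On a real system, call check_master_host with the new policy server name and the two files named in this step, before starting the daemon.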

HP-UX: Upgrading the policy proxy server


To upgrade the policy proxy server system on HP-UX, complete the following instructions.
1. Before upgrading the policy proxy server system to 6.1.1, review the considerations in Upgrade considerations on page 175.
2. Log in as root.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
4. Insert the IBM Tivoli Access Manager Base for HP-UX CD.
5. Mount the CD using the HP-UX mount command. For example, enter the following command:
mount -F cdfs -o rr /dev/dsk/c0t0d0 /cd-rom

where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and cd-rom specifies the mount point.
6. Stop all Tivoli Access Manager applications and services:
pd_start stop

7. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

8. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list /opt/PolicyDirector/etc/pdbackup.lst -path path -file filename

where:
-list fullpath_to_backup_listfile
Specifies the fully qualified path to the backup list file. For example:
/opt/PolicyDirector/etc/pdbackup.lst

-path path
Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
Specifies a file name other than the list_date.time [.tar] default file name.

For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.
9. Install the Global Security Kit (GSKit):
swinstall -s /cd-rom/hp gsk7bas

where /cd-rom/hp is the directory where the GSKit installation images are located and gsk7bas is the name of the GSKit package.
10. Install the client packages of Tivoli Directory Server:
swinstall -s /cd-rom/hp packages

where /cd-rom/hp is the directory where the installation images are located and packages are as follows:

Base client package                  idsldap.cltbase61
Client package (32-bit) (no SSL)     idsldap.clt32bit61

Note: The 32-bit client package requires the base client package.
11. Ensure that your registry server is running.
12. Install or upgrade Tivoli Security Utilities:
Note: If you are upgrading from Tivoli Access Manager 5.1, Tivoli Security Utilities is installed. If you are upgrading from Tivoli Access Manager 6.0, the Tivoli Security Utilities is upgraded.
swinstall -s /cd-rom/hp TivSecUtl

where /cd-rom/hp is the directory where the installation images are located and TivSecUtl is the Tivoli Security Utilities package.
13. Install or upgrade Access Manager License:
swinstall -s /cd-rom/hp PDlic

where /cd-rom/hp is the directory where the installation images are located and PDlic is the Access Manager License package.
14. Upgrade Access Manager Runtime:
Note: If you are upgrading from Tivoli Access Manager 5.1, Access Manager License is installed. If you are upgrading from Tivoli Access Manager 6.0, Access Manager License is upgraded.
swinstall -s /cd-rom/hp PDRTE

where /cd-rom/hp is the directory where the installation images are located and PDRTE is the Access Manager Runtime package.
15. Upgrade Access Manager Policy Proxy Server:
swinstall -s /cd-rom/hp PDMgrProxy

where /cd-rom/hp is the directory where the installation images are located and PDMgrProxy is the Access Manager Policy Proxy Server package.
16. If the two-system upgrade option was used for the policy server, the master-host record must be updated to point to the new policy server.
Note: The two-system upgrade option can only be used if the registry server is an LDAP server.
Edit the master-host entry in each of the following configuration files:
- Access Manager Runtime
/opt/PolicyDirector/etc/pd.conf

- Access Manager Policy Proxy Server
/opt/PolicyDirector/etc/pdmgrproxyd.conf

17. Start the policy proxy server daemon (pdmgrproxyd):


pd_start start

18. Confirm that the policy proxy server is running:


pd_start status

19. Make sure that you can contact the policy server. For example, log in to the pdadmin interface and run a command:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

The upgrade of the policy proxy server on HP-UX is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

HP-UX on Integrity: Upgrading the policy proxy server


To upgrade the policy proxy server system on HP-UX on Integrity, complete the following instructions.
1. Before upgrading the policy proxy server system to 6.1.1, review the considerations in Upgrade considerations on page 175.
2. Log in as root.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
4. Insert the IBM Tivoli Access Manager Base for HP-UX on Integrity CD.
5. Mount the CD using the HP-UX mount command. For example, enter the following command:
mount -F cdfs -o rr /dev/dsk/c0t0d0 /cd-rom

where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and cd-rom specifies the mount point.
6. Stop all Tivoli Access Manager applications and services:
pd_start stop

7. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

8. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list /opt/PolicyDirector/etc/pdbackup.lst -path path -file filename

where:
-list fullpath_to_backup_listfile
Specifies the fully qualified path to the backup list file. For example:
/opt/PolicyDirector/etc/pdbackup.lst

-path path
Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
Specifies a file name other than the list_date.time [.tar] default file name.

For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.
9. Install the Global Security Kit (GSKit):
swinstall -s /cd-rom/hp_ia64 gsk7bas

where /cd-rom/hp_ia64 is the directory where the GSKit installation images are located and gsk7bas is the name of the GSKit package.
10. Install the Tivoli Directory Server client packages:
swinstall -s /cd-rom/hp_ia64 packages

where /cd-rom/hp_ia64 is the directory where the installation images are located and packages are as follows:

Base client package                  idsldap.cltbase61
Client package (32-bit) (no SSL)     idsldap.clt32bit61

Note: The 32-bit client package requires the base client package.
11. Ensure that your registry server and policy server are running.
12. Upgrade Tivoli Security Utilities:
swinstall -s /cd-rom/hp_ia64 TivSecUtl

where /cd-rom/hp_ia64 is the directory where the installation images are located and TivSecUtl is the Tivoli Security Utilities package.
13. Upgrade Access Manager License:
swinstall -s /cd-rom/hp_ia64 PDlic

where /cd-rom/hp_ia64 is the directory where the installation images are located and PDlic is the Access Manager License package.
14. Upgrade Access Manager Runtime:
swinstall -s /cd-rom/hp_ia64 PDRTE

where /cd-rom/hp_ia64 is the directory where the installation images are located and PDRTE is the Access Manager Runtime package.
15. Upgrade Access Manager Policy Proxy Server:
swinstall -s /cd-rom/hp_ia64 PDMgrProxy

where /cd-rom/hp_ia64 is the directory where the installation images are located and PDMgrProxy is the Access Manager Policy Proxy Server package.
16. If the two-system upgrade option was used for the policy server, the master-host record must be updated to point to the new policy server.
Note: The two-system upgrade option can only be used if the registry server is an LDAP server.
Edit the master-host entry in each of the following configuration files:
- Access Manager Runtime
/opt/PolicyDirector/etc/pd.conf

- Access Manager Policy Proxy Server
/opt/PolicyDirector/etc/pdmgrproxyd.conf

17. Start the policy proxy server daemon (pdmgrproxyd):


pd_start start

18. Confirm that the policy proxy server is running:


pd_start status

19. Make sure that you can contact the policy server. For example, log in to the pdadmin interface and run a command:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

The upgrade of the policy proxy server on HP-UX on Integrity is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

Linux on x86_64: Upgrading policy proxy servers


Before upgrading the policy proxy server system to 6.1.1, review the considerations in Upgrade considerations on page 175. To upgrade the policy proxy server system for Linux on x86_64, complete the following instructions.
1. Log in as root.
2. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
3. Insert the IBM Tivoli Access Manager Base for Linux on x86 CD and mount it.
4. Change to the following directory:
cd cd_mount_pt/linux_i386

where cd_mount_pt/linux_i386 is the directory where the installation images are located.
5. Stop all Tivoli Access Manager applications and services:
pd_start stop

6. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

7. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list /opt/PolicyDirector/etc/pdbackup.lst -path path -file filename

where:
-list fullpath_to_backup_listfile
Specifies the fully qualified path to the backup list file. For example:
/opt/PolicyDirector/etc/pdbackup.lst

-path path
Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
Specifies a file name other than the list_date.time [.tar] default file name.

For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.
8. Install or upgrade IBM Global Security Kit (GSKit). If you have a version of Global Security Kit prior to GSKit 7 installed or if you do not have a version of GSKit installed at all, install GSKit 7:
rpm -i gsk7bas-7.0-4.28.i386.rpm

Or, if you have an earlier version of GSKit 7 installed, upgrade to GSKit 7.0-4.28:
rpm -U gsk7bas-7.0-4.28.i386.rpm

9. Install the Tivoli Directory Server client packages:


rpm -i packages

where packages are as follows:

Base client package       idsldap-cltbase61-6.1.0-6.i386.rpm
32-bit client package     idsldap-clt32bit61-6.1.0-6.i386.rpm
Java client package       idsldap-cltjava61-6.1.0-6.i386.rpm

Note: The 32-bit client package requires the base client package. For example, enter:
rpm -i idsldap-cltbase61-6.1.0-6.i386.rpm idsldap-clt32bit61-6.1.0-6.i386.rpm

10. Ensure that your registry server and policy server are running.
11. Do one of the following:
- If you are upgrading from Tivoli Access Manager 5.1, install Tivoli Security Utilities:
rpm -i TivSecUtil-TivSec-6.1.1-0.i386.rpm

where TivSecUtil-TivSec-6.1.1-0.i386.rpm is the Tivoli Security Utilities package.
- If you are upgrading from Tivoli Access Manager 6.0, upgrade Tivoli Security Utilities:
rpm -U TivSecUtil-TivSec-6.1.1-0.i386.rpm

where TivSecUtil-TivSec-6.1.1-0.i386.rpm is the Tivoli Security Utilities package.
12. Do one of the following:
- If you are upgrading from Tivoli Access Manager 5.1, install Access Manager License:
rpm -i PDlic-PD-6.1.1-0.i386.rpm

where PDlic-PD-6.1.1-0.i386.rpm is the Access Manager License package.
- If you are upgrading from Tivoli Access Manager 6.0, upgrade Access Manager License:
rpm -U PDlic-PD-6.1.1-0.i386.rpm

where PDlic-PD-6.1.1-0.i386.rpm is the Access Manager License package.
13. Upgrade Access Manager Runtime:
rpm -U PDRTE-PD-6.1.1-0.i386.rpm

where PDRTE-PD-6.1.1-0.i386.rpm is the Access Manager Runtime package.
14. Upgrade Access Manager Policy Proxy Server:
rpm -U PDMgrPrxy-PD-6.1.1-0.i386.rpm

where PDMgrPrxy-PD-6.1.1-0.i386 is the Access Manager Policy Proxy Server package.
15. If the two-system upgrade option was used for the policy server, the master-host record must be updated to point to the new policy server.
Note: The two-system upgrade option can only be used if the registry server is an LDAP server.
Edit the master-host entry in each of the following configuration files:
- Access Manager Runtime
/opt/PolicyDirector/etc/pd.conf

- Access Manager Policy Proxy Server
/opt/PolicyDirector/etc/pdmgrproxyd.conf

16. Start the policy proxy server daemon (pdmgrproxyd):


pd_start start

17. Confirm that the policy proxy server is running:


pd_start status

18. Make sure that you can contact the policy server. For example, log in to the pdadmin interface and run a command:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

The upgrade of the policy proxy server for Linux on x86 is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

Linux on System z: Upgrading policy proxy servers


Before upgrading the policy proxy server system to 6.1.1, review the considerations in Upgrade considerations on page 175. To upgrade the policy proxy server system for Linux on System z, complete the following instructions.
1. Log in as root.
2. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
3. Obtain access to the IBM Tivoli Access Manager Base for Linux on System z CD image on the System z system. The .rpm files are located in the /cd_mount_pt/linux_s390 directory.
4. Change to the following directory:
cd cd_mount_pt/linux_s390

where cd_mount_pt/linux_s390 is the directory where the installation images are located.
5. Stop all Tivoli Access Manager applications and services:
pd_start stop

6. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

7. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list /opt/PolicyDirector/etc/pdbackup.lst -path path -file filename

where:
-list fullpath_to_backup_listfile
Specifies the fully qualified path to the backup list file. For example:
/opt/PolicyDirector/etc/pdbackup.lst

-path path
Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
Specifies a file name other than the list_date.time [.tar] default file name.

For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.
8. Install or upgrade IBM Global Security Kit (GSKit). If you have a version of Global Security Kit prior to GSKit 7 installed or if you do not have a version of GSKit installed at all, install GSKit 7:
rpm -i gsk7bas-7.0-4.28.s390.rpm

Or, if you have an earlier version of GSKit 7 installed, upgrade to GSKit 7.0-4.28:
rpm -U gsk7bas-7.0-4.28.s390.rpm

9. Install the client packages of Tivoli Directory Server:


rpm -i packages

where packages are as follows:

Base client package       idsldap-cltbase61-6.1.0-6.s390.rpm
32-bit client package     idsldap-clt32bit61-6.1.0-6.s390.rpm
Java client package       idsldap-cltjava61-6.1.0-6.s390.rpm

Note: The 32-bit client package requires the base client package. For example, enter:
rpm -i idsldap-cltbase61-6.1.0-6.s390.rpm idsldap-clt32bit61-6.1.0-6.s390.rpm

10. Ensure that your registry server and policy server are running.
11. Do one of the following:
- If you are upgrading from Tivoli Access Manager 5.1, install Tivoli Security Utilities:
rpm -i TivSecUtil-TivSec-6.1.1-0.s390.rpm

where TivSecUtil-TivSec-6.1.1-0.s390.rpm is the Tivoli Security Utilities package.
- If you are upgrading from Tivoli Access Manager 6.0, upgrade Tivoli Security Utilities:
rpm -U TivSecUtil-TivSec-6.1.1-0.s390.rpm

where TivSecUtil-TivSec-6.1.1-0.s390.rpm is the Tivoli Security Utilities package.

12. Do one of the following:
- If you are upgrading from Tivoli Access Manager 5.1, install Access Manager License:
rpm -i PDlic-PD-6.1.1-0.s390.rpm

where PDlic-PD-6.1.1-0.s390.rpm is the Access Manager License package.
- If you are upgrading from Tivoli Access Manager 6.0, upgrade Access Manager License:
rpm -U PDlic-PD-6.1.1-0.s390.rpm

where PDlic-PD-6.1.1-0.s390.rpm is the Access Manager License package.
13. Upgrade Access Manager Runtime:
rpm -U PDRTE-PD-6.1.1-0.s390.rpm

where PDRTE-PD-6.1.1-0.s390.rpm is the Access Manager Runtime package.
14. Upgrade Access Manager Policy Proxy Server:
rpm -U PDMgrPrxy-PD-6.1.1-0.s390.rpm

where PDMgrPrxy-PD-6.1.1-0.s390 is the Access Manager Policy Proxy Server package.
15. If the two-system upgrade option was used for the policy server, the master-host record must be updated to point to the new policy server.
Note: The two-system upgrade option can only be used if the registry server is an LDAP server.
Edit the master-host entry in each of the following configuration files:
- Access Manager Runtime
/opt/PolicyDirector/etc/pd.conf

- Access Manager Policy Proxy Server
/opt/PolicyDirector/etc/pdmgrproxyd.conf

16. Start the policy proxy server daemon (pdmgrproxyd):


pd_start start

17. Confirm that the policy proxy server is running:


pd_start status

18. Make sure that you can contact the policy server. For example, log in to the pdadmin interface and run a command:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

The upgrade of the policy proxy server for Linux on System z is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.
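
The master-host edit from step 15, as an added example that is not part of the IBM guide or IBM tooling. It assumes both files use an INI-style `[manager]` stanza containing a `master-host = hostname` line; the function names, the `.pre-upgrade` suffix and the host names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumption: pd.conf and pdmgrproxyd.conf hold the policy
# server host as "master-host = <host>" inside a "[manager]" stanza.

# get_master_host FILE: print the master-host value of the [manager] stanza.
get_master_host() {
    awk '
        /^[ \t]*\[/ { in_mgr = ($0 ~ /^[ \t]*\[manager\][ \t]*$/) }
        in_mgr && /^[ \t]*master-host[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }
    ' "$1"
}

# set_master_host FILE NEW_HOST
# Rewrites master-host in the [manager] stanza only. Keeps the first
# untouched copy as FILE.pre-upgrade. Returns:
#   0  exactly one entry rewritten
#   1  no entry (or more than one) in [manager]; FILE is left unchanged
#   2  bad arguments or I/O error
set_master_host() {
    conf=$1 new_host=$2
    [ -n "$conf" ] && [ -n "$new_host" ] && [ -f "$conf" ] || return 2
    # Accept only characters that can appear in a host name or address.
    case $new_host in *[!A-Za-z0-9.:-]*) return 2 ;; esac

    tmp="$conf.tmp.$$"
    # Copy first so the temporary file carries the original owner and mode.
    cp -p "$conf" "$tmp" || return 2
    rc=0
    awk -v host="$new_host" '
        /^[ \t]*\[/ { in_mgr = ($0 ~ /^[ \t]*\[manager\][ \t]*$/) }
        in_mgr && /^[ \t]*master-host[ \t]*=/ {
            print "master-host = " host; changed++; next
        }
        { print }
        END { exit (changed == 1 ? 0 : 1) }
    ' "$conf" > "$tmp" || rc=$?
    if [ "$rc" -ne 0 ]; then rm -f "$tmp"; return 1; fi

    # Never overwrite an existing pre-upgrade copy on a second run.
    if [ ! -e "$conf.pre-upgrade" ]; then
        cp -p "$conf" "$conf.pre-upgrade" || { rm -f "$tmp"; return 2; }
    fi
    mv "$tmp" "$conf"
}

# make_sample_conf FILE: write a constructed sample (not a real pd.conf).
# The second stanza reuses the key name to show that only [manager] changes.
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample for the example
[pdrte]
user-reg-type = ldap

[manager]
master-host = oldpolicy.example.com
master-port = 7135

[other-stanza]
master-host = unrelated.example.com
EOF
}

# Usage on the two files named in step 15 (host name is a placeholder):
# for f in /opt/PolicyDirector/etc/pd.conf \
#          /opt/PolicyDirector/etc/pdmgrproxyd.conf; do
#     set_master_host "$f" newpolicy.example.com || echo "edit $f by hand" >&2
#     get_master_host "$f"
# done
```

Run it while the services are stopped, then continue with the start and status steps; a return code of 1 means the file did not match the assumed layout and was not modified.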

Linux on POWER: Upgrading policy proxy servers


Before upgrading the policy proxy server system to 6.1.1, review the considerations in Upgrade considerations on page 175. To upgrade the policy proxy server system for Linux on POWER, complete the following instructions.
1. Log in as root.
2. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.


3. Insert the IBM Tivoli Access Manager Base for Linux on POWER CD and mount it.
4. Change to the following directory:
cd cd_mount_pt/linux_ppc

where cd_mount_pt/linux_ppc is the directory where the installation images are located.
5. Stop all Tivoli Access Manager applications and services:
pd_start stop

6. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

7. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list /opt/PolicyDirector/etc/pdbackup.lst -path path -file filename

where:
-list fullpath_to_backup_listfile
Specifies the fully qualified path to the backup list file. For example:
/opt/PolicyDirector/etc/pdbackup.lst

-path path
Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
Specifies a file name other than the list_date.time [.tar] default file name.

For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.
8. Install or upgrade Global Security Kit (GSKit). If you have a version of Global Security Kit prior to GSKit 7 installed or if you do not have a version of GSKit installed at all, install GSKit 7:
rpm -i gsk7bas-7.0-4.28.ppc.rpm

Or, if you have an earlier version of GSKit 7 installed, upgrade to GSKit 7.0-4.28:
rpm -U gsk7bas-7.0-4.28.ppc.rpm

9. Install the Tivoli Directory Server client packages:


rpm -i packages

where packages are as follows:


Base client package: idsldap-cltbase61-6.1.0-6.ppc.rpm
32-bit client package: idsldap-clt32bit61-6.1.0-6.ppc.rpm
Java client package: idsldap-cltjava61-6.1.0-6.ppc.rpm


Note: The 32-bit client package requires the base client package. For example, enter:
rpm -i idsldap-cltbase61-6.1.0-6.ppc.rpm idsldap-clt32bit61-6.1.0-6.ppc.rpm

10. Ensure that your registry server and policy server are running.
11. Do one of the following:
- If you are upgrading from Tivoli Access Manager 5.1, install Tivoli Security Utilities:
rpm -i TivSecUtil-TivSec-6.1.1-0.ppc.rpm

where TivSecUtil-TivSec-6.1.1-0.ppc.rpm is the Tivoli Security Utilities package.
- If you are upgrading from Tivoli Access Manager 6.0, upgrade Tivoli Security Utilities:
rpm -U TivSecUtil-TivSec-6.1.1-0.ppc.rpm

where TivSecUtil-TivSec-6.1.1-0.ppc.rpm is the Tivoli Security Utilities package.
12. Do one of the following:
- If you are upgrading from Tivoli Access Manager 5.1, install Access Manager License:
rpm -i PDlic-PD-6.1.1-0.ppc.rpm

where PDlic-PD-6.1.1-0.ppc.rpm is the Access Manager License package.
- If you are upgrading from Tivoli Access Manager 6.0, upgrade Access Manager License:
rpm -U PDlic-PD-6.1.1-0.ppc.rpm

where PDlic-PD-6.1.1-0.ppc.rpm is the Access Manager License package.
13. Upgrade Access Manager Runtime:
rpm -U PDRTE-PD-6.1.1-0.ppc.rpm

where PDRTE-PD-6.1.1-0.ppc.rpm is the Access Manager Runtime package.
14. Upgrade Access Manager Policy Proxy Server:
rpm -U PDMgrPrxy-PD-6.1.1-0.ppc.rpm

where PDMgrPrxy-PD-6.1.1-0.ppc.rpm is the Access Manager Policy Proxy Server package.
15. If the two-system upgrade option was used for the policy server, the master-host record must be updated to point to the new policy server.
Note: The two-system upgrade option can only be used if the registry server is an LDAP server.
Edit the master-host entry in each of the following configuration files:
- Access Manager Runtime: /opt/PolicyDirector/etc/pd.conf
- Access Manager Policy Proxy Server: /opt/PolicyDirector/etc/pdmgrproxyd.conf

16. Start the policy proxy server daemon (pdmgrproxyd):


pd_start start

17. Confirm that the policy proxy server is running:


pd_start status

18. Make sure that you can contact the policy server. For example, log in to the pdadmin interface and run a command:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list


The upgrade of the policy proxy server for Linux on POWER is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

Solaris: Upgrading the policy proxy server


To upgrade the policy proxy server system on Solaris, complete the following instructions.
1. Before upgrading the policy proxy server system to 6.1.1, review the considerations in Upgrade considerations on page 175.
2. Log in as root.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
4. Insert the IBM Tivoli Access Manager Base for Solaris CD.
5. Stop all Tivoli Access Manager applications and services:
pd_start stop

6. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

7. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list /opt/PolicyDirector/etc/pdbackup.lst -path path -file filename

where:
-list fullpath_to_backup_listfile
Specifies the fully qualified path to the backup list file. For example:
/opt/PolicyDirector/etc/pdbackup.lst

-path path
Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
Specifies a file name other than the list_date.time [.tar] default file name.

For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.
8. Install the Global Security Kit (GSKit):
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault gsk7bas

where /cdrom/cdrom0/solaris specifies the location of the package and /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script.
Note: During installation, you are asked if you want to use /opt as the root directory. If space permits, use /opt as the root installation directory. To accept /opt as the root directory, press Enter.
9. Install the Tivoli Directory Server client packages:

pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault packages

where /cdrom/cdrom0/solaris specifies the location of the package, /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script, and where packages are as follows:
Base client package: IDSlbc61
32-bit client package: IDSl32c61
Java client package: IDSljc61

Note: The 32-bit client package requires the base client package.
10. Ensure that your registry server and policy server are running.
11. Install or upgrade Tivoli Security Utilities:
Note: If you are upgrading from Tivoli Access Manager 5.1, Tivoli Security Utilities is installed. If you are upgrading from Tivoli Access Manager 6.0, the Tivoli Security Utilities is upgraded.
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault TivSecUtl

where /cdrom/cdrom0/solaris specifies the location of the package, /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script, and TivSecUtl is the Tivoli Security Utilities package.
12. Install or upgrade Access Manager License:
Note: If you are upgrading from Tivoli Access Manager 5.1, Access Manager License is installed. If you are upgrading from Tivoli Access Manager 6.0, Access Manager License is upgraded.
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault PDlic

where /cdrom/cdrom0/solaris specifies the location of the package, /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script, and PDlic is the Access Manager License package.
13. Upgrade Access Manager Runtime:
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault PDRTE

where /cdrom/cdrom0/solaris specifies the location of the package, /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script, and PDRTE is the Access Manager Runtime package.
14. Upgrade Access Manager Policy Proxy Server:
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault PDMgrProxy

where /cdrom/cdrom0/solaris specifies the location of the package, /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script, and PDMgrProxy is the Access Manager Policy Proxy Server package.
15. If the two-system upgrade option was used for the policy server, the master-host record must be updated to point to the new policy server.
Note: The two-system upgrade option can only be used if the registry server is an LDAP server.
Edit the master-host entry in each of the following configuration files:
- Access Manager Runtime: /opt/PolicyDirector/etc/pd.conf


- Access Manager Policy Proxy Server: /opt/PolicyDirector/etc/pdmgrproxyd.conf

16. Start the policy proxy server daemon (pdmgrproxyd):


pd_start start

17. Confirm that the policy proxy server is running:


pd_start status

18. Make sure that you can contact the policy server. For example, log in to the pdadmin interface and run a command:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

The upgrade of the policy proxy server on Solaris is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

Solaris on x86_64: Upgrading the policy proxy server


To upgrade the policy proxy server system on Solaris on x86_64, complete the following instructions.
1. Before upgrading the policy proxy server system to 6.1.1, review the considerations in Upgrade considerations on page 175.
2. Log in as root.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
4. Insert the IBM Tivoli Access Manager Base for Solaris on x86_64 CD.
5. Stop all Tivoli Access Manager applications and services:
pd_start stop

6. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

7. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list /opt/PolicyDirector/etc/pdbackup.lst -path path -file filename

where:
-list fullpath_to_backup_listfile
Specifies the fully qualified path to the backup list file. For example:
/opt/PolicyDirector/etc/pdbackup.lst

-path path
Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
Specifies a file name other than the list_date.time [.tar] default file name.

For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.
8. Install the Global Security Kit (GSKit):
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault gsk7bas

where /cdrom/cdrom0/solaris_x86 specifies the location of the package and /cdrom/cdrom0/solaris_x86/pddefault specifies the location of the installation administration script.
Note: During installation, you are asked if you want to use /opt as the root directory. If space permits, use /opt as the root installation directory. To accept /opt as the root directory, press Enter.
9. Install the client packages of the Tivoli Directory Server:
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault packages

where packages are as follows:


Base client package: IDSlbc61
32-bit client package: IDSl32c61
Java client package: IDSljc61

Note: The 32-bit client package requires the base client package.
10. Ensure that your registry server and policy server are running.
11. Upgrade Tivoli Security Utilities:
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault TivSecUtl

where /cdrom/cdrom0/solaris_x86 specifies the location of the package, /cdrom/cdrom0/solaris_x86/pddefault specifies the location of the installation administration script, and TivSecUtl is the Tivoli Security Utilities package.
12. Upgrade Access Manager License:
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault PDlic

where /cdrom/cdrom0/solaris_x86 specifies the location of the package, /cdrom/cdrom0/solaris_x86/pddefault specifies the location of the installation administration script, and PDlic is the Access Manager License package.
13. Upgrade Access Manager Runtime:
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault PDRTE

where /cdrom/cdrom0/solaris_x86 specifies the location of the package, /cdrom/cdrom0/solaris_x86/pddefault specifies the location of the installation administration script, and PDRTE is the Access Manager Runtime package.
14. Upgrade Access Manager Policy Proxy Server:
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault PDMgrProxy

where /cdrom/cdrom0/solaris_x86 specifies the location of the package, /cdrom/cdrom0/solaris_x86/pddefault specifies the location of the installation administration script, and PDMgrProxy is the Access Manager Policy Proxy Server package.
15. If the two-system upgrade option was used for the policy server, the master-host record must be updated to point to the new policy server.


Note: The two-system upgrade option can only be used if the registry server is an LDAP server.
Edit the master-host entry in each of the following configuration files:
- Access Manager Runtime: /opt/PolicyDirector/etc/pd.conf
- Access Manager Policy Proxy Server: /opt/PolicyDirector/etc/pdmgrproxyd.conf

16. Start the policy proxy server daemon (pdmgrproxyd):


pd_start start

17. Confirm that the policy proxy server is running:


pd_start status

18. Make sure that you can contact the policy server. For example, log in to the pdadmin interface and run a command:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

The upgrade of the policy proxy server on Solaris on x86_64 is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

Windows: Upgrading the policy proxy server


To upgrade the policy proxy server system on Windows, complete the following instructions.
1. Before upgrading the policy proxy server system to 6.1.1, review the considerations in Upgrade considerations on page 175.
2. Log in as a user with administrative privileges.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
4. Insert the IBM Tivoli Access Manager Base for Windows CD.
5. Exit all running programs. During the upgrade process, you are prompted to restart your Windows system periodically.
6. Stop all Tivoli Access Manager applications and services. For example, on Windows 2003 systems, select Start > Control Panel > Administrative Tools. Double-click the Services icon, and stop all Tivoli Access Manager services running on the local system, including applications, such as WebSEAL. From Services, find the Access Manager Auto-Start Service. Double-click this service and change the startup type to Disabled.
7. Use the pdbackup utility, located in the install_dir\bin directory, to back up critical Tivoli Access Manager information:
"C:\Program Files\bin\pdbackup" -action backup -list "C:\Program Files\Policy Director\etc\pdbackup.lst" -path path -file filename

where:
-list fullpath_to_backup_listfile
Specifies the fully qualified path to the backup list file. For example:
"C:\Program Files\Tivoli\Policy Director\etc\pdbackup.lst"

-path path
Specifies the path where you want the backed up files to be stored. For example:

"C:\Program Files\Tivoli\Policy Director\pdbackup"

-file filename
Specifies a file name other than the list_date.time [.dar] default file name.

For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.
8. Install the Global Security Kit (GSKit). To do so, change to the \windows\GSKit directory on the drive where the CD is located and enter:
setup policydirector

Follow online instructions to complete installation.
9. If you are using an LDAP server as your registry, install the Tivoli Directory Server client by running the install_tds script in windows\tds (if necessary). Select to install C Client 6.1 and follow the online instructions to complete the installation.
Note: If you are using Domino or Active Directory as your registry and the Tivoli Access Manager systems in your domain are Windows-based, the Tivoli Directory Server client is not required.
10. Ensure that your registry server is running.
11. Install the security utilities by running the setup.exe script in the \windows\TivsecUtl\Disk Images\Disk1 directory. Follow the online instructions to complete the installation.
12. Install the components by running the setup.exe script in the \windows\PolicyDirector\Disk Images\Disk1 directory. Select to install the following components in this sequence:
- Access Manager License
- Access Manager Runtime
- Access Manager Policy Proxy Server
Follow online instructions to complete installation.
Note: You are prompted to restart your system during this process.
13. Start all Tivoli Access Manager applications and services. For example, on Windows 2003 systems, select Start > Control Panel > Administrative Tools, and then double-click the Services icon. Start all Tivoli Access Manager services running on the local system, including applications, such as WebSEAL. From Services, find the Access Manager Auto-Start Service. Double-click this service and change the startup type to Automatic.
14. If the two-system upgrade option was used for the policy server, the master-host record must be updated to point to the new policy server.
Note: The two-system upgrade option can only be used if the registry server is an LDAP server.
Edit the master-host entry in each of the following configuration files:
- Access Manager Runtime: install_path/etc/pd.conf
- Access Manager Policy Proxy Server: install_path/etc/pdmgrproxyd.conf


15. Start the policy proxy server service (pdmgrproxyd). To do so, select Start > Control Panel > Administrative Tools. Double-click the Services icon, and start the service.
16. Confirm that the policy proxy server is running:
pd_start status

17. Ensure that you can contact the policy server. For example, log in to the pdadmin interface and run a command:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

The upgrade of the policy proxy server on Windows is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.


Chapter 9. Upgrading the development system


Tivoli Access Manager supports an upgrade of a development (ADK) system to version 6.1.1. The following platform-specific instructions are provided:
- AIX on page 198
- HP-UX on page 200
- HP-UX on Integrity on page 201
- Linux on x86 on page 203
- Linux on POWER on page 207
- Linux on System z on page 205
- Solaris on page 209
- Solaris on x86_64 on page 212
- Windows on page 213

Upgrade considerations
Before upgrading the development ADK system to 6.1.1, review the following considerations:
- The C API for Tivoli Access Manager 6.1.1 behaves differently from the C API for Tivoli Access Manager 5.1, depending on how you use the API. To maintain compatibility between the two APIs, use the appropriate header files.
- Ensure that you have IBM JRE 1.5 or higher installed on your system.
- Upgrade your operating system to the minimum supported level. For information about minimum supported levels, see IBM Tivoli Access Manager for e-business: Release Notes.
- In Tivoli Directory Server version 6.1, clients can coexist on the same machine with a client that is version 5.1, 5.2, or 6.0. The Tivoli Directory Server 6.1 server requires that the version 6.1 client and the Java client also be installed. In addition, the server can coexist on the same machine with another client that is version 5.1, 5.2 or 6.0, or with a version of the 6.0 server.
- You are not required to upgrade all Tivoli Access Manager components in your secure domain to a 6.1.1 level. However, if you upgrade any Tivoli Access Manager component in your secure domain to a 6.1.1 level, you must install Tivoli Directory Server client 6.1 on that system. For a list of components that are compatible with Tivoli Access Manager 6.1.1, see the IBM Tivoli Access Manager for e-business: Release Notes.
- In general, if Tivoli Directory Server is your registry server and is located on a different machine from any Tivoli Access Manager component, you can upgrade the registry server at any time, before or after the upgrade of the Tivoli Access Manager 6.1.1 component. However, when the server package of Tivoli Directory Server is installed on the same machine as any Tivoli Access Manager 6.1.1 component and if you choose to install the server package of Tivoli Directory Server 6.1, it is recommended that you install the Tivoli Directory Server 6.1 client and server packages at the same time as you install the Tivoli Access Manager 6.1.1 component on that machine.
- If you are upgrading and using a language other than English, remember to upgrade your language package. Refer to the IBM Tivoli Access Manager for e-business: Installation Guide to install the language package. However, when upgrading the IBM Tivoli Directory Server language packages, you must use the upgrade (-U) option for Linux operating systems.

AIX: Upgrading the development system


To upgrade a development (ADK) system on AIX, complete the following instructions:
1. Before upgrading the development system to 6.1.1, review the considerations in Upgrade considerations on page 197.
2. Log in as root.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
Note: The AIX operating system requires version 8.0.0.x of the xlC fileset. Check your current version by using the lslpp command and upgrade, if necessary.
4. Insert the IBM Tivoli Access Manager Base for AIX CD and mount it.
5. Stop all Tivoli Access Manager applications and services:
pd_start stop

6. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

7. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:
-list fullpath_to_backup_listfile
Specifies the fully qualified path to the backup list file. For example:
/opt/PolicyDirector/etc/pdbackup.lst

-path path
Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
Specifies a file name other than the list_date.time [.tar] default file name.

For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.
8. Install the Global Security Kit (GSKit):
installp -acgYXd cd_mount_pt/usr/sys/inst.images gskta.rte

where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located and gskta.rte is the Global Security Kit package.
9. Install the client packages of Tivoli Directory Server:


installp -acgYXd cd_mount_pt/usr/sys/inst.images packages

where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located and where packages are the names of the Tivoli Directory Server client packages:
Client base package: idsldap.cltbase61
Client package (32-bit) (no SSL): idsldap.clt32bit61
Client package (32-bit) (SSL): idsldap.clt_max_crypto32bit61

Note: The 32-bit client package requires the base client package.
10. Ensure that your registry server and policy server are running.
11. Install or upgrade Tivoli Security Utilities:
Note: If you are upgrading from Tivoli Access Manager 5.1, Tivoli Security Utilities is installed. If you are upgrading from Tivoli Access Manager 6.0, the Tivoli Security Utilities is upgraded.
installp -acgYXd cd_mount_pt/usr/sys/inst.images TivSec.Utl

where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located and TivSec.Utl is the Tivoli Security Utilities package.
12. Install or upgrade Access Manager License:
Note: If you are upgrading from Tivoli Access Manager 5.1, Access Manager License is installed. If you are upgrading from Tivoli Access Manager 6.0, Access Manager License is upgraded.
installp -acgYXd cd_mount_pt/usr/sys/inst.images PD.lic

where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located and PD.lic is the Access Manager License package.
13. Upgrade Access Manager Runtime:
installp -acgYXd cd_mount_pt/usr/sys/inst.images PD.RTE

where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located and PD.RTE is the Access Manager Runtime package.
14. Upgrade Access Manager Application Development Kit:
installp -acgYXd cd_mount_pt/usr/sys/inst.images PD.AuthADK

where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located and PD.AuthADK is the Access Manager Application Development Kit.
15. If the two-system upgrade option was used for the policy server, the master-host record must be updated to point to the new policy server.
Note: The two-system upgrade option can only be used if the registry server is an LDAP server.
Edit the master-host entry in the following Access Manager Runtime configuration file:
/opt/PolicyDirector/etc/pd.conf

The upgrade of a development system on AIX is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.


HP-UX: Upgrading the development system


To upgrade a development (ADK) system on HP-UX, complete the following instructions:
1. Before upgrading the development system to 6.1.1, review the considerations in Upgrade considerations on page 197.
2. Log in as root.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
4. Insert the IBM Tivoli Access Manager Base for HP-UX CD.
5. Mount the CD using the HP-UX mount command. For example, enter the following command:
mount -F cdfs -o rr /dev/dsk/c0t0d0 /cd-rom

where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point.
6. Stop all Tivoli Access Manager applications and services:
pd_start stop

7. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

8. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:
-list fullpath_to_backup_listfile
Specifies the fully qualified path to the backup list file. For example:
/opt/PolicyDirector/etc/pdbackup.lst

-path path
Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
Specifies a file name other than the list_date.time [.tar] default file name.

For example:
/opt/PolicyDirector/bin/pdbackup -action backup -list /opt/PolicyDirector/etc/pdbackup.lst -path /tmp -file pdbackupdata

For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.
9. Install the Global Security Kit (GSKit):
swinstall -s /cd-rom/hp gsk7bas

where /cd-rom/hp is the directory where the GSKit installation images are located and gsk7bas is the name of the GSKit package.


10. Install the Tivoli Directory Server client packages:


swinstall -s /cd-rom/hp packages

where /cd-rom/hp is the directory where the installation images are located and packages are as follows:
Base client package: idsldap.cltbase61
Client package (32-bit) (no SSL): idsldap.clt32bit61

Note: The 32-bit client package requires the base client package.
11. Ensure that your registry server and policy server are running.
12. Install or upgrade Tivoli Security Utilities:
Note: If you are upgrading from Tivoli Access Manager 5.1, Tivoli Security Utilities is installed. If you are upgrading from Tivoli Access Manager 6.0, the Tivoli Security Utilities is upgraded.
swinstall -s /cd-rom/hp TivSecUtl

where /cd-rom/hp is the directory where the installation images are located and TivSecUtl is the Tivoli Security Utilities package.
13. Install or upgrade Access Manager License:
Note: If you are upgrading from Tivoli Access Manager 5.1, Access Manager License is installed. If you are upgrading from Tivoli Access Manager 6.0, Access Manager License is upgraded.
swinstall -s /cd-rom/hp PDlic

where /cd-rom/hp is the directory where the installation images are located and PDlic is the Access Manager License package.
14. Upgrade Access Manager Runtime:
swinstall -s /cd-rom/hp PDRTE

where /cd-rom/hp is the directory where the installation images are located and PDRTE is the Access Manager Runtime package.
15. Upgrade Access Manager Application Development Kit:
swinstall -s /cd-rom/hp PDAuthADK

where /cd-rom/hp is the directory where the installation images are located and PDAuthADK is the Access Manager Application Development Kit package.
16. If the two-system upgrade option was used for the policy server, the master-host record must be updated to point to the new policy server.
Note: The two-system upgrade option can only be used if the registry server is an LDAP server.
Edit the master-host entry in the following Access Manager Runtime configuration file:
/opt/PolicyDirector/etc/pd.conf

The upgrade of a development system on HP-UX is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

HP-UX on Integrity: Upgrading the development system


To upgrade a development (ADK) system on HP-UX on Integrity, complete the following instructions:


1. Before upgrading the development system to 6.1.1, review the considerations in Upgrade considerations on page 197.
2. Log in as root.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
4. Insert the IBM Tivoli Access Manager Base for HP-UX on Integrity CD.
5. Mount the CD using the HP-UX on Integrity mount command. For example, enter the following command:
mount -F cdfs -o rr /dev/dsk/c0t0d0 /cd-rom

where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point.
6. Stop all Tivoli Access Manager applications and services:
pd_start stop

7. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

8. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:
-list fullpath_to_backup_listfile
    Specifies the fully qualified path to the backup list file. For example:
/opt/PolicyDirector/etc/pdbackup.lst

-path path
    Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
    Specifies a file name other than the list_date.time[.tar] default file name. For example:
/opt/PolicyDirector/bin/pdbackup -action backup -list /opt/PolicyDirector/etc/pdbackup.lst -path /tmp -file pdbackupdata

For more information about the pdbackup utility, see Appendix A, "Upgrade utilities," on page 281.
9. Install the Global Security Kit (GSKit):
swinstall -s /cd-rom/hp_ia64 gsk7bas

where /cd-rom/hp_ia64 is the directory where the GSKit installation images are located and gsk7bas is the name of the GSKit package.
10. Install the Tivoli Directory Server client packages:
swinstall -s /cd-rom/hp_ia64 packages


where /cd-rom/hp_ia64 is the directory where the installation images are located and packages are as follows:
Base client package                  idsldap.cltbase61
Client package (32-bit) (no SSL)     idsldap.clt32bit61

Note: The 32-bit client package requires the base client package.
11. Ensure that your registry server and policy server are running.
12. Upgrade Tivoli Security Utilities:
swinstall -s /cd-rom/hp_ia64 TivSecUtl

where /cd-rom/hp_ia64 is the directory where the installation images are located and TivSecUtl is the Tivoli Security Utilities package.
13. Upgrade Access Manager License:
swinstall -s /cd-rom/hp_ia64 PDlic

where /cd-rom/hp_ia64 is the directory where the installation images are located and PDlic is the Access Manager License package.
14. Upgrade Access Manager Runtime:
swinstall -s /cd-rom/hp_ia64 PDRTE

where /cd-rom/hp_ia64 is the directory where the installation images are located and PDRTE is the Access Manager Runtime package.
15. Upgrade Access Manager Application Development Kit:
swinstall -s /cd-rom/hp_ia64 PDAuthADK

where /cd-rom/hp_ia64 is the directory where the installation images are located and PDAuthADK is the Access Manager Application Development Kit package.
16. If the two-system upgrade option was used for the policy server, the master-host record must be updated to point to the new policy server.
Note: The two-system upgrade option can only be used if the registry server is an LDAP server.
Edit the master-host entry in the following Access Manager Runtime configuration file:
/opt/PolicyDirector/etc/pd.conf

The upgrade of a development system on HP-UX on Integrity is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

Linux on x86: Upgrading the development ADK


To upgrade a development (ADK) system for Linux on x86, complete the following instructions:
1. Before upgrading the development system to 6.1.1, review the considerations in "Upgrade considerations" on page 197.
2. Log in as root.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
4. Insert the IBM Tivoli Access Manager Base for Linux on x86 CD and mount it.
5. Change to the following directory:
cd cd_mount_pt/linux_i386

where cd_mount_pt is where the CD is mounted.
6. Stop all Tivoli Access Manager applications and services:
pd_start stop

7. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

8. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:
-list fullpath_to_backup_listfile
    Specifies the fully qualified path to the backup list file. For example:
/opt/PolicyDirector/etc/pdbackup.lst

-path path
    Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
    Specifies a file name other than the list_date.time[.tar] default file name.
For more information about the pdbackup utility, see Appendix A, "Upgrade utilities," on page 281.
9. Install or upgrade the IBM Global Security Kit (GSKit). If you have a version of Global Security Kit prior to GSKit 7 installed or if you do not have a version of GSKit installed at all, install GSKit 7:
rpm -i gsk7bas-7.0-4.28.i386.rpm

Or, if you have an earlier version of GSKit 7 installed, upgrade to GSKit 7.0-4.28:
rpm -U gsk7bas-7.0-4.28.i386.rpm

10. Install the client packages of Tivoli Directory Server:


rpm -i packages

where packages are as follows:


Base client package       idsldap-cltbase61-6.1.0-6.i386.rpm
32-bit client package     idsldap-clt32bit61-6.1.0-6.i386.rpm
Java client package       idsldap-cltjava61-6.1.0-6.i386.rpm

Note: The 32-bit client package requires the base client package. For example, enter:
rpm -i idsldap-cltbase61-6.1.0-6.i386.rpm idsldap-clt32bit61-6.1.0-6.i386.rpm

11. Ensure that your registry server and policy server are running.
12. Do one of the following:


- If you are upgrading from Tivoli Access Manager 5.1, install Tivoli Security Utilities:
rpm -i TivSecUtl-TivSec-6.1.1-0.i386.rpm

where TivSecUtl-TivSec-6.1.1-0.i386.rpm is the Tivoli Security Utilities package.
- If you are upgrading from Tivoli Access Manager 6.0, upgrade Tivoli Security Utilities:
rpm -U TivSecUtl-TivSec-6.1.1-0.i386.rpm

where TivSecUtl-TivSec-6.1.1-0.i386.rpm is the Tivoli Security Utilities package.
13. Do one of the following:
- If you are upgrading from Tivoli Access Manager 5.1, install Access Manager License:
rpm -i PDlic-PD-6.1.1-0.i386.rpm

where PDlic-PD-6.1.1-0.i386.rpm is the Access Manager License package.
- If you are upgrading from Tivoli Access Manager 6.0, upgrade Access Manager License:
rpm -U PDlic-PD-6.1.1-0.i386.rpm

where PDlic-PD-6.1.1-0.i386.rpm is the Access Manager License package.
14. Upgrade Access Manager Runtime:
rpm -U PDRTE-PD-6.1.1-0.i386.rpm

where PDRTE-PD-6.1.1-0.i386.rpm is the Access Manager Runtime package.
15. Upgrade Access Manager Application Development Kit:
rpm -U PDAuthADK-PD-6.1.1-0.i386.rpm

where PDAuthADK-PD-6.1.1-0.i386.rpm is the Access Manager Application Development Kit package.
16. If the two-system upgrade option was used for the policy server, the master-host record must be updated to point to the new policy server.
Note: The two-system upgrade option can only be used if the registry server is an LDAP server.
Edit the master-host entry in the following Access Manager Runtime configuration file:
/opt/PolicyDirector/etc/pd.conf

The upgrade of a development system for Linux on x86 is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

Linux on System z: Upgrading the development system


To upgrade a development (ADK) system for Linux on System z, complete the following instructions:
1. Before upgrading the development system to 6.1.1, review the considerations in "Upgrade considerations" on page 197.
2. Log in as root.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.


4. Obtain access to the IBM Tivoli Access Manager Base for Linux on System z CD image on the System z system. The .rpm files are located in the /cd_mount_pt/linux_s390 directory.
5. Change to the following directory:
cd cd_mount_pt/linux_s390

where cd_mount_pt is where the CD is mounted.
6. Stop all Tivoli Access Manager applications and services:
pd_start stop

7. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

8. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:
-list fullpath_to_backup_listfile
    Specifies the fully qualified path to the backup list file. For example:
/opt/PolicyDirector/etc/pdbackup.lst

-path path
    Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
    Specifies a file name other than the list_date.time[.tar] default file name.
For more information about the pdbackup utility, see Appendix A, "Upgrade utilities," on page 281.
9. Install or upgrade IBM Global Security Kit (GSKit). If you have a version of Global Security Kit prior to GSKit 7 installed or if you do not have a version of GSKit installed at all, install GSKit 7:
rpm -i gsk7bas-7.0-4.28.s390.rpm

Or, if you have an earlier version of GSKit 7 installed, upgrade to GSKit 7.0-4.28:
rpm -U gsk7bas-7.0-4.28.s390.rpm

10. Install the client packages of Tivoli Directory Server:


rpm -i packages

where packages are as follows:


Base client package       idsldap-cltbase61-6.1.0-6.s390.rpm
32-bit client package     idsldap-clt32bit61-6.1.0-6.s390.rpm
Java client package       idsldap-cltjava61-6.1.0-6.s390.rpm

Note: The 32-bit client package requires the base client package. For example, enter:
rpm -i idsldap-cltbase61-6.1.0-6.s390.rpm idsldap-clt32bit61-6.1.0-6.s390.rpm

11. Ensure that your registry server is running.
12. Do one of the following:
- If you are upgrading from Tivoli Access Manager 5.1, install Tivoli Security Utilities:
rpm -i TivSecUtl-TivSec-6.1.1-0.s390.rpm

where TivSecUtl-TivSec-6.1.1-0.s390.rpm is the Tivoli Security Utilities package.
- If you are upgrading from Tivoli Access Manager 6.0, upgrade Tivoli Security Utilities:
rpm -U TivSecUtl-TivSec-6.1.1-0.s390.rpm

where TivSecUtl-TivSec-6.1.1-0.s390.rpm is the Tivoli Security Utilities package.
13. Do one of the following:
- If you are upgrading from Tivoli Access Manager 5.1, install Access Manager License:
rpm -i PDlic-PD-6.1.1-0.s390.rpm

where PDlic-PD-6.1.1-0.s390.rpm is the Access Manager License package.
- If you are upgrading from Tivoli Access Manager 6.0, upgrade Access Manager License:
rpm -U PDlic-PD-6.1.1-0.s390.rpm

where PDlic-PD-6.1.1-0.s390.rpm is the Access Manager License package.
14. Upgrade Access Manager Runtime:
rpm -U PDRTE-PD-6.1.1-0.s390.rpm

where PDRTE-PD-6.1.1-0.s390.rpm is the Access Manager Runtime package.
15. Upgrade Access Manager Application Development Kit:
rpm -U PDAuthADK-PD-6.1.1-0.s390.rpm

where PDAuthADK-PD-6.1.1-0.s390.rpm is the Access Manager Application Development Kit package.
16. If the two-system upgrade option was used for the policy server, the master-host record must be updated to point to the new policy server.
Note: The two-system upgrade option can only be used if the registry server is an LDAP server.
Edit the master-host entry in the following Access Manager Runtime configuration file:
/opt/PolicyDirector/etc/pd.conf

The upgrade of a development system for Linux on System z is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

Linux on POWER: Upgrading the development system


To upgrade a development (ADK) system for Linux on POWER, complete the following instructions:
1. Before upgrading the development system to 6.1.1, review the considerations in "Upgrade considerations" on page 197.
2. Log in as root.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
4. Insert the IBM Tivoli Access Manager Base for Linux on POWER CD and mount it.
5. Change to the following directory:
cd cd_mount_pt/linux_ppc

where cd_mount_pt is where the CD is mounted.
6. Stop all Tivoli Access Manager applications and services:
pd_start stop

7. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

8. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:
-list fullpath_to_backup_listfile
    Specifies the fully qualified path to the backup list file. For example:
/opt/PolicyDirector/etc/pdbackup.lst

-path path
    Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
    Specifies a file name other than the list_date.time[.tar] default file name.
For more information about the pdbackup utility, see Appendix A, "Upgrade utilities," on page 281.
9. Install or upgrade IBM Global Security Kit (GSKit). If you have a version of Global Security Kit prior to GSKit 7 installed or if you do not have a version of GSKit installed at all, install GSKit 7:
rpm -i gsk7bas-7.0-4.28.ppc.rpm

Or, if you have an earlier version of GSKit 7 installed, upgrade to GSKit 7.0-4.28:
rpm -U gsk7bas-7.0-4.28.ppc.rpm

10. Install the client packages of Tivoli Directory Server:


rpm -i packages

where packages are as follows:


Base client package       idsldap-cltbase61-6.1.0-6.ppc.rpm
32-bit client package     idsldap-clt32bit61-6.1.0-6.ppc.rpm
Java client package       idsldap-cltjava61-6.1.0-6.ppc.rpm

Note: The 32-bit client package requires the base client package. For example, enter:
rpm -i idsldap-cltbase61-6.1.0-6.ppc.rpm idsldap-clt32bit61-6.1.0-6.ppc.rpm

11. Ensure that your registry server and policy server are running.
12. Do one of the following:
- If you are upgrading from Tivoli Access Manager 5.1, install Tivoli Security Utilities:
rpm -i TivSecUtl-TivSec-6.1.1-0.ppc.rpm

where TivSecUtl-TivSec-6.1.1-0.ppc.rpm is the Tivoli Security Utilities package.
- If you are upgrading from Tivoli Access Manager 6.0, upgrade Tivoli Security Utilities:
rpm -U TivSecUtl-TivSec-6.1.1-0.ppc.rpm

where TivSecUtl-TivSec-6.1.1-0.ppc.rpm is the Tivoli Security Utilities package.
13. Do one of the following:
- If you are upgrading from Tivoli Access Manager 5.1, install Access Manager License:
rpm -i PDlic-PD-6.1.1-0.ppc.rpm

where PDlic-PD-6.1.1-0.ppc.rpm is the Access Manager License package.
- If you are upgrading from Tivoli Access Manager 6.0, upgrade Access Manager License:
rpm -U PDlic-PD-6.1.1-0.ppc.rpm

where PDlic-PD-6.1.1-0.ppc.rpm is the Access Manager License package.
14. Upgrade Access Manager Runtime:
rpm -U PDRTE-PD-6.1.1-0.ppc.rpm

where PDRTE-PD-6.1.1-0.ppc.rpm is the Access Manager Runtime package.
15. Upgrade Access Manager Application Development Kit:
rpm -U PDAuthADK-PD-6.1.1-0.ppc.rpm

where PDAuthADK-PD-6.1.1-0.ppc.rpm is the Access Manager Application Development Kit package.
16. If the two-system upgrade option was used for the policy server, the master-host record must be updated to point to the new policy server.
Note: The two-system upgrade option can only be used if the registry server is an LDAP server.
Edit the master-host entry in the following Access Manager Runtime configuration file:
/opt/PolicyDirector/etc/pd.conf

The upgrade of a development system for Linux on POWER is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

Solaris: Upgrading the development system


To upgrade a development (ADK) system on Solaris, complete the following instructions:


1. Before upgrading the development system to 6.1.1, review the considerations in "Upgrade considerations" on page 197.
2. Log in as root.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
4. Insert the IBM Tivoli Access Manager Base for Solaris CD.
5. Stop all Tivoli Access Manager applications and services:
pd_start stop

6. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

7. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:
-list fullpath_to_backup_listfile
    Specifies the fully qualified path to the backup list file. For example:
/opt/PolicyDirector/etc/pdbackup.lst

-path path
    Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
    Specifies a file name other than the list_date.time[.tar] default file name.
For more information about the pdbackup utility, see Appendix A, "Upgrade utilities," on page 281.
8. Install the Global Security Kit (GSKit):
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault gsk7bas

where /cdrom/cdrom0/solaris specifies the location of the package and /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script.
Note: During installation, you are asked if you want to use /opt as the root directory. If space permits, use /opt as the root installation directory. To accept /opt as the root directory, press Enter.
9. Install the Tivoli Directory Server client packages:
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault packages

where /cdrom/cdrom0/solaris specifies the location of the package, /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script, and packages are as follows:
Base client package       IDSlbc61
32-bit client package     IDSl32c61
Java client package       IDSljc61

10. Ensure that your registry server and policy server are running.
11. Install or upgrade Tivoli Security Utilities:
Note: If you are upgrading from Tivoli Access Manager 5.1, Tivoli Security Utilities is installed. If you are upgrading from Tivoli Access Manager 6.0, Tivoli Security Utilities is upgraded.
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault TivSecUtl

where /cdrom/cdrom0/solaris specifies the location of the package, /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script, and TivSecUtl is the Tivoli Security Utilities package.
12. Install or upgrade Access Manager License:
Note: If you are upgrading from Tivoli Access Manager 5.1, Access Manager License is installed. If you are upgrading from Tivoli Access Manager 6.0, Access Manager License is upgraded.
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault PDlic

where /cdrom/cdrom0/solaris specifies the location of the package, /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script, and PDlic is the Access Manager License package.
13. Upgrade Access Manager Runtime:
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault PDRTE

where /cdrom/cdrom0/solaris specifies the location of the package, /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script, and PDRTE is the Access Manager Runtime package.
14. Upgrade Access Manager Application Development Kit:
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault PDAuthADK

where /cdrom/cdrom0/solaris specifies the location of the package, /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script, and PDAuthADK is the Access Manager Application Development Kit package.
15. If the two-system upgrade option was used for the policy server, the master-host record must be updated to point to the new policy server.
Note: The two-system upgrade option can only be used if the registry server is an LDAP server.
Edit the master-host entry in the following Access Manager Runtime configuration file:
/opt/PolicyDirector/etc/pd.conf

The upgrade of a development system on Solaris is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.


Solaris on x86_64: Upgrading the development system


To upgrade a development (ADK) system on Solaris on x86_64, complete the following instructions:
1. Before upgrading the development system to 6.1.1, review the considerations in "Upgrade considerations" on page 197.
2. Log in as root.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
4. Insert the IBM Tivoli Access Manager Base for Solaris on x86_64 CD.
5. Stop all Tivoli Access Manager applications and services:
pd_start stop

6. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

7. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:
-list fullpath_to_backup_listfile
    Specifies the fully qualified path to the backup list file. For example:
/opt/PolicyDirector/etc/pdbackup.lst

-path path
    Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
    Specifies a file name other than the list_date.time[.tar] default file name.
For more information about the pdbackup utility, see Appendix A, "Upgrade utilities," on page 281.
8. Install the Global Security Kit (GSKit):
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault gsk7bas

where /cdrom/cdrom0/solaris_x86 specifies the location of the package and /cdrom/cdrom0/solaris_x86/pddefault specifies the location of the installation administration script.
Note: During installation, you are asked if you want to use /opt as the root directory. If space permits, use /opt as the root installation directory. To accept /opt as the root directory, press Enter.
9. Install the client packages of the Tivoli Directory Server:
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault packages


where /cdrom/cdrom0/solaris_x86 specifies the location of the package, /cdrom/cdrom0/solaris_x86/pddefault specifies the location of the installation administration script, and packages are as follows:
Base client package       IDSlbc61
32-bit client package     IDSl32c61
Java client package       IDSljc61

Note: The 32-bit client package requires the base client package.
10. Ensure that your registry server and policy server are running.
11. Upgrade Tivoli Security Utilities:
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault TivSecUtl

where /cdrom/cdrom0/solaris_x86 specifies the location of the package, /cdrom/cdrom0/solaris_x86/pddefault specifies the location of the installation administration script, and TivSecUtl is the Tivoli Security Utilities package.
12. Upgrade Access Manager License:
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault PDlic

where /cdrom/cdrom0/solaris_x86 specifies the location of the package, /cdrom/cdrom0/solaris_x86/pddefault specifies the location of the installation administration script, and PDlic is the Access Manager License package.
13. Upgrade Access Manager Runtime:
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault PDRTE

where /cdrom/cdrom0/solaris_x86 specifies the location of the package, /cdrom/cdrom0/solaris_x86/pddefault specifies the location of the installation administration script, and PDRTE is the Access Manager Runtime package.
14. Upgrade Access Manager Application Development Kit:
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault PDAuthADK

where /cdrom/cdrom0/solaris_x86 specifies the location of the package, /cdrom/cdrom0/solaris_x86/pddefault specifies the location of the installation administration script, and PDAuthADK is the Access Manager Application Development Kit package.
15. If the two-system upgrade option was used for the policy server, the master-host record must be updated to point to the new policy server.
Note: The two-system upgrade option can only be used if the registry server is an LDAP server.
Edit the master-host entry in the following Access Manager Runtime configuration file:
/opt/PolicyDirector/etc/pd.conf

The upgrade of a development system on Solaris on x86_64 is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.
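
One way to script the master-host edit that closes each of the UNIX and Linux procedures above, shown as an added example that is not part of the IBM guide. It assumes pd.conf uses [stanza] headers with "key = value" lines and that master-host sits in a [manager] stanza; the function names and the backup file suffix are hypothetical.

```shell
#!/bin/sh
# Added example: repoint master-host in an Access Manager Runtime pd.conf.
# Assumption: stanza file format, with master-host inside the [manager] stanza.

# get_master_host FILE
# Prints the active (uncommented) master-host value from [manager], or nothing.
get_master_host() {
    awk '
        /^[ \t]*\[/ { in_mgr = ($0 ~ /^[ \t]*\[manager\][ \t]*$/); next }
        in_mgr && /^[ \t]*master-host[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")   # drop "master-host ="
            sub(/[ \t]+$/, "")         # drop trailing blanks
            print
            exit
        }
    ' "$1"
}

# set_master_host FILE NEWHOST
# Rewrites only the master-host line in [manager]. Keeps a copy of the
# original beside the file and leaves every other line untouched.
# Returns 0 on success, 2 on bad arguments, 3 if the file does not contain
# exactly one active entry, 4 on I/O failure.
set_master_host() {
    conf=$1
    newhost=$2

    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }

    # Accept only characters that can appear in a host name or IP literal,
    # so nothing else can be written into the configuration file.
    case $newhost in
        ''|*[!A-Za-z0-9.:-]*) echo "invalid host: $newhost" >&2; return 2 ;;
    esac

    # Refuse to guess when the entry is missing or duplicated.
    count=$(awk '
        /^[ \t]*\[/ { in_mgr = ($0 ~ /^[ \t]*\[manager\][ \t]*$/) }
        in_mgr && /^[ \t]*master-host[ \t]*=/ { n++ }
        END { print n + 0 }
    ' "$conf")
    [ "$count" -eq 1 ] || {
        echo "expected one master-host in [manager], found $count" >&2
        return 3
    }

    backup="$conf.pre-upgrade.$$"
    tmp="$conf.tmp.$$"
    cp -p "$conf" "$backup" || return 4

    awk -v host="$newhost" '
        /^[ \t]*\[/ { in_mgr = ($0 ~ /^[ \t]*\[manager\][ \t]*$/) }
        in_mgr && /^[ \t]*master-host[ \t]*=/ { print "master-host = " host; next }
        { print }
    ' "$backup" > "$tmp" || { rm -f "$tmp"; return 4; }

    # Overwrite in place (cat, not mv) so the file keeps its owner and mode.
    cat "$tmp" > "$conf" || { rm -f "$tmp"; return 4; }
    rm -f "$tmp"

    # Confirm the new value is what a reader of the file will now see.
    [ "$(get_master_host "$conf")" = "$newhost" ]
}

# Typical use, as root, before restarting Tivoli Access Manager applications:
#   set_master_host /opt/PolicyDirector/etc/pd.conf newpolicysrv.example.com
```

The copy left beside pd.conf gives a quick rollback path that does not depend on restoring the full pdbackup archive.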

Windows: Upgrading the development system


To upgrade a development (ADK) system on Windows, complete the following instructions:

1. Before upgrading the development system to 6.1.1, review the considerations in "Upgrade considerations" on page 197.
2. Log in as a user with administrative privileges.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
4. Insert the IBM Tivoli Access Manager Base for Windows CD.
5. Exit all running programs. During the upgrade process, you are prompted to restart your Windows system periodically.
6. Stop all Tivoli Access Manager applications and services. For example, on Windows 2003 systems, select Start > Control Panel > Administrative Tools. Double-click the Services icon, and stop all Tivoli Access Manager services running on the local system, including applications, such as WebSEAL. From Services, find the Access Manager Auto-Start Service. Double-click this service and change the startup type to Disabled.
7. Use the pdbackup utility to back up critical Tivoli Access Manager information:
"C:\Program Files\Tivoli\Policy Director\bin\pdbackup" -action backup -list fullpath_to_backup_listfile -path path -file filename

where:
-list fullpath_to_backup_listfile
    Specifies the fully qualified path to the backup list file. For example:
"C:\Program Files\Tivoli\Policy Director\etc\pdbackup.lst"

-path path
    Specifies the path where you want the backed up files to be stored. For example:
"C:\Program Files\Tivoli\Policy Director\pdbackup"

-file filename
    Specifies a file name other than the list_date.time[.dar] default file name.
For more information about the pdbackup utility, see Appendix A, "Upgrade utilities," on page 281.
8. Install the Global Security Kit (GSKit). To do so, change to the \windows\GSKit directory on the drive where the CD is located and enter:
setup policydirector

Follow online instructions to complete installation.
9. If you are using an LDAP server as your registry, install the Tivoli Directory Server client by running the install_tds.exe file in windows\tds (if necessary). Select to install C Client 6.1 and follow the online instructions to complete the installation.
Note: If you are using Domino or Active Directory as your registry and the Tivoli Access Manager systems in your domain are Windows-based, the Tivoli Directory Server client is not required.
10. Install the security utilities by running the setup.exe script in the \windows\TivSecUtl\Disk Images\Disk1 directory. Follow the online instructions to complete the installation.

11. Install the components by running the setup.exe script in the \windows\PolicyDirector\Disk Images\Disk1 directory. Select to install the following components in this sequence:
- Access Manager License
- Access Manager Runtime
- Access Manager Application Development Kit
If you have Java applications installed on your system, ensure that you have installed the appropriate JRE. Follow online instructions to complete installation.
Note: You are prompted to restart your system during this process.
12. Start all Tivoli Access Manager applications and services. For example, on Windows 2003 systems, select Start > Control Panel > Administrative Tools, and then double-click the Services icon. Start all Tivoli Access Manager services running on the local system, including applications, such as WebSEAL. From Services, find the Access Manager Auto-Start Service. Double-click this service and change the startup type to Automatic.
13. If the two-system upgrade option was used for the policy server, the master-host record must be updated to point to the new policy server.
Note: The two-system upgrade option can only be used if the registry server is an LDAP server.
Edit the master-host entry in the following Access Manager Runtime configuration file:
install_path/etc/pd.conf

The upgrade of a development system on Windows is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

Chapter 10. Upgrading the session management server


This chapter provides information about upgrading a Tivoli Access Manager session management server (SMS) system from version 6.0 or 6.1 to version 6.1.1. To upgrade a session management server, extract the Tivoli Access Manager 6.0 or 6.1 session management server instance configuration, edit it as required, and then apply the updated configuration to the Tivoli Access Manager 6.1.1 session management server instance. Tivoli Access Manager supports an upgrade of the session management server to 6.1.1 on existing application server systems, or on a new set of application server systems.
- "Upgrade considerations"
- "Upgrade scenarios" on page 218
- "Upgrading the session management server" on page 222

Upgrade considerations
v Upgrade your operating system to the minimum supported level. For information about minimum supported levels, see IBM Tivoli Access Manager for e-business: Release Notes. v If upgrading from SMS 6.1, the session management server may be upgraded before or after the Web security servers (WebSEAL and the Plug-in for Web Servers) and before or after upgrading the policy server and authorization servers. v If upgrading from SMS 6.0, the session management server must be upgraded before the Web security servers (WebSEAL or Plug-in for Web Servers). v Tivoli Access Manager 6.1.1 session management server runs on WebSphere Application Server 6.1 or 7.0 only v The Tivoli Access Manager WebSEAL and Web Plug-in servers for versions 6.1 and 6.1.1 run against Tivoli Access Manager session management server 6.1 and 6.1.1 only. Tivoli Access Manager WebSEAL and Web Plug-in servers for version 6.0 run against session management server 6.0, 6.1, or 6.1.1. v When running in a clustered environment, version 6.1.1 of the session management server requires WebSphere eXtreme Scale version 7.0, which replaces ObjectGrid version 6.1 as used by version 6.1.0. As these products cannot coexist, version 6.1.1 of the session management server must be installed on a separate WebSphere Application Server cell, or else version 6.1.0 of the session management server must be uninstalled before version 6.1.1 can be installed. v User sessions are not retained across the upgrade, and some downtime is necessary. One way to reduce the downtime involved is to reconfigure the WebSEAL or Plug-in for Web Servers instances so as to disable usage of the session management server at the beginning of the process. This allows the servers to continue processing user sessions while the upgrade is taking place, albeit with reduced functionality.


- The login history database does not need to be modified during the upgrade, as the 6.1 and 6.1.1 SMS instances can use the same database. Last login data can therefore be preserved.

Upgrade scenarios
This section lists three upgrade scenarios: a single server upgrade, a side-by-side cluster upgrade, and an in-place cluster upgrade. The basic processes for these scenarios are documented below, ignoring operating system specifics. The other viable option is to upgrade by installing a separate version of WAS on the same set of machines. This works the same way as the 'side by side' cluster upgrade below.

Single server upgrade from version 6.1


1. Log in as root.
2. Source the setupCmdLine script for the WAS profile.
3. Insert and mount the SMS installation CD. For more details on specific operating system tasks, see Upgrading the session management server on page 222.
4. Install the 6.1.1 packages on the target system.
5. Run the extract command:
smscfg -action extract -instance oldinstance -record sms_upgrade.rsp

6. Check the values in the recorded response file to ensure that they are correct for the 6.1.1 install.
7. Deploy the 6.1.1 instance:
smscfg -action deploy -instance newinstance

8. Configure the 6.1.1 instance:


smscfg -action config -instance newinstance -rsp_file sms_upgrade.rsp

9. If possible, test the 6.1.1 instance with a single Web security server instance.
10. Stop the Web security server processes on all WebSEAL or Web Plug-in machines.
11. On each Web security server machine:
   a. Update the Web security server configuration to specify the new SMS URL (replace oldinstance with newinstance).
   b. Start the Web security server processes (pdweb start / pdwebpi_start).
12. Unconfigure the 6.1 instance:
smscfg -action unconfig -instance oldinstance

13. Undeploy the 6.1 instance:


smscfg -action undeploy -instance oldinstance

The SMS ISC module may be upgraded before or after this process. To do this:
1. Log in as root.
2. Ensure the SMS 6.1.1 packages are installed on the system.
3. Source the setupCmdLine script for the WAS profile.
4. Uninstall the SMS ISC module:
smscfg -action undeploy -instance ISC

5. Install the updated SMS ISC module version:


smscfg -action deploy -instance ISC


The SMS CLI must be re-configured to point to the new SMS instance:
pdsmsclicfg -action config -instances newinstance

Single server upgrade from version 6.0


1. Log in as root.
2. Source the setupCmdLine script for the WAS profile.
3. Insert and mount the SMS installation CD. For more details on specific operating system tasks, see Upgrading the session management server on page 222.
4. Install the 6.1.1 packages on the target system.
5. Run the extract command:
smscfg -action extract -instance TAM60_SMS -record sms_upgrade.rsp

6. Check the values in the recorded response file to ensure that they are correct for the 6.1.1 install.
7. Unconfigure the SMS 6.0 instance:
smscfg -action unconfig -instance TAM60_SMS

8. Uninstall the SMS 6.0 instance by uninstalling the DSess and DSessConfig applications:
   a. Open the WebSphere Application Server administrative console. For example, enter this URL from a supported Web browser:
http://host_name:9060/ibm/console

      where host_name specifies the name or IP address of the system where the IBM WebSphere Application Server is installed.
   b. Log in to the console using a valid user ID and, if applicable, password.
   c. Click Applications > Enterprise Applications in the console navigation tree.
   d. Select the DSess and DSessConfig applications.
   e. Click Uninstall.
   f. Save the changes.
9. If the Web Portal Manager is installed, unconfigure it:
amwpmcfg -action unconfig -interactive

10. Upgrade to WAS 6.1 or 7.0 and install the required WAS fixpack levels.
11. Deploy the 6.1.1 instance:
smscfg -action deploy -instance newinstance

12. Configure the 6.1.1 instance:


smscfg -action config -instance newinstance -rsp_file sms_upgrade.rsp

13. If possible, test the 6.1.1 instance with a single Web security server instance.
14. Stop the Web security server processes on all WebSEAL or Web Plug-in machines.
15. On each Web security server machine:
   a. Update the Web security server configuration to specify the new SMS URL (replace oldinstance with newinstance).
   b. Start the Web security server processes (pdweb start or pdwebpi_start).

Side-by-side cluster upgrade from SMS 6.0 or 6.1


This scenario assumes the cluster for 6.1.1 is already configured, and has the appropriate WebSphere Application Server fix packs installed.
Chapter 10. Upgrading the session management server


1. Log in to the 6.0 or 6.1 deployment manager machine as root.
2. If upgrading from SMS 6.0:
   a. Insert and mount the SMS installation CD.
   b. Install the SMS 6.1.1 packages.
3. Source the setupCmdLine script from the deployment manager profile.
4. Extract the 6.0 or 6.1 configuration:
smscfg -action extract -instance instance -record sms_upgrade.rsp

5. Check the values in the recorded response file to ensure they are correct for the new environment.
6. For each machine in the 6.1.1 environment (including the deployment manager):
   a. Log in as root.
   b. Insert and mount the WebSphere eXtreme Scale installation CD.
   c. Stop all WAS processes in all WAS profiles that will be used to host the 6.1.1 SMS instance.
   d. Run the WebSphere eXtreme Scale 7.0 installer, ensuring the path for the correct WAS installation is specified and that all appropriate profiles are augmented. Both the client and server components must be installed, but none of the optional components are required.
   e. Start all WAS processes that were stopped previously.
7. Log in to the deployment manager machine for the 6.1.1 install as root.
8. Transfer the recorded response file from the 6.1 deployment manager machine.
9. Source the setupCmdLine script from the deployment manager profile.
10. Insert and mount the SMS installation CD.
11. Install the SMS 6.1.1 packages.
12. Deploy the SMS 6.1.1 instance:
smscfg -action deploy -instance instance

13. Configure the SMS 6.1.1 instance:


smscfg -action config -instance instance -rsp_file sms_upgrade.rsp

14. If required, install the SMS ISC module:


smscfg -action deploy -instance ISC

15. Stop the Web security servers on all machines (pdweb stop or pdwebpi_start stop).
16. Update the Web security server configuration to specify the new SMS URL(s).
17. Start the Web security servers on all machines (pdweb start or pdwebpi_start).
18. Log in to the 6.0 or 6.1 deployment manager machine as root.
19. Source the setupCmdLine script from the deployment manager profile.
20. Unconfigure the old SMS instance:
smscfg -action unconfig -instance instance

21. Uninstall the SMS 6.0 instance by uninstalling the DSess and DSessConfig applications:
   a. Open the WebSphere Application Server administrative console. For example, enter this URL from a supported Web browser:
http://host_name:9060/ibm/console

      where host_name specifies the name or IP address of the system where the IBM WebSphere Application Server is installed.
   b. Log in to the console using a valid user ID and, if applicable, password.


   c. Click Applications > Enterprise Applications in the console navigation tree.
   d. Select the DSess and DSessConfig applications.
   e. Click Uninstall.
   f. Save the changes.
22. If the SMS ISC module was installed, uninstall it:
smscfg -action undeploy -instance ISC

23. Remove the old SMS packages from the system.
24. For each machine in the SMS 6.1 environment:
   a. Log in as root.
   b. Source the setupCmdLine script from any profile.
   c. Shut down all WAS processes.
   d. Uninstall ObjectGrid 6.1:
cd $WAS_HOME/uninstall_objectgrid ; java -cp og_install.jar run

   e. Start WAS processes as necessary.

The SMS CLI must also be re-configured to point to the new SMS instance:
pdsmsclicfg -action config -instances newinstance

In-place cluster upgrade from version 6.0 or 6.1:


It is very unlikely that you would implement this scenario, unless you are willing to run without SMS for the duration. It involves significant downtime and does not provide a failsafe way to go back to 6.1 if anything goes wrong during installation of the 6.1.1 instance.
1. Stop all Web security servers (pdweb stop or pdwebpi_start stop).
2. Log in to the deployment manager machine as root.
3. Source the setupCmdLine script for the deployment manager profile.
4. Insert and mount the SMS 6.1.1 installation CD.
5. Upgrade the SMS packages to version 6.1.1.
6. Extract the existing SMS configuration:
smscfg -action extract -instance instance -record sms_upgrade.rsp

where instance is TAM60_SMS for SMS 6.0.
7. Check that the details in the recorded response file are correct and will still apply in the new environment.
8. Unconfigure the SMS 6.1 instance:
smscfg -action unconfig -instance instance

9. Undeploy the SMS 6.1 instance:


smscfg -action undeploy -instance instance

10. If upgrading from SMS 6.1, and the SMS ISC module is installed, uninstall it:
smscfg -action undeploy -instance ISC

11. If upgrading from SMS 6.0, uninstall the Web Portal Manager, if installed.
12. Stop all WAS processes.
13. If upgrading from SMS 6.1, uninstall ObjectGrid 6.1:
cd $WAS_HOME/uninstall_objectgrid ; java -cp og_install.jar run

14. If upgrading from SMS 6.0, install WAS 6.1 or 7.0.
15. Install any WebSphere Application Server fix packs required to run SMS 6.1.1.

16. Insert and mount the WebSphere eXtreme Scale 7.0 installation CD.
17. Install WebSphere eXtreme Scale 7.0 from the CD. Both the client and server components must be installed, but none of the optional components are required.
18. Restart all WAS processes.
19. For all other WAS machines in the SMS cluster:
   a. Log in as root.
   b. Source the setupCmdLine script from the managed node profile.
   c. Stop all WAS processes.
   d. If upgrading from SMS 6.1, uninstall ObjectGrid 6.1:
cd $WAS_HOME/uninstall_objectgrid ; java -cp og_install.jar run

   e. Install any WebSphere Application Server fix packs required to run SMS 6.1.1.
   f. Insert and mount the WebSphere eXtreme Scale installation CD.
   g. Install WebSphere eXtreme Scale 7.0 from the CD. Both the client and server components must be installed, but none of the optional components are required.
   h. Restart all WAS processes.
20. Log in to the deployment manager machine as root.
21. Source the setupCmdLine script from the deployment manager profile.
22. Deploy the SMS 6.1.1 instance:
smscfg -action deploy -instance instance

23. Configure the SMS 6.1.1 instance:


smscfg -action config -instance instance -rsp_file sms_upgrade.rsp

24. Restart all Web security servers. No changes to the Web security server configuration are required.

The SMS CLI may be upgraded before or after the rest of this process. No configuration changes are required.

Upgrading the session management server


Tivoli Access Manager supports an upgrade of the session management server to 6.1.1 on new and existing application server systems.
- AIX
- HP-UX
- Linux on x86
- Linux on System z
- Solaris
- Windows

AIX: Upgrading the session management server


1. Before upgrading, make sure you've read Upgrade considerations on page 217.
2. Log in as root.
3. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
4. Ensure that the registry server and policy server are up and running (in normal mode).
5. If you are upgrading on an existing system:
   a. If the 6.0 session management server will run on a 6.1 WebSphere Application Server at any point during the upgrade, install Session Management Server FixPack 4 (FixPack 6.0.0-TIV-SMS-FP0004) on your deployment manager (for network deployment) or application server machine (for single servers). Apply FixPack 4 to the SMS 6.0 installation according to the instructions in the FixPack README. See IBM Support for more information about Tivoli Access Manager FixPacks: http://www.ibm.com/software/support
   b. Upgrade WebSphere Application Server to 6.1. See the WebSphere documentation for upgrade instructions: http://www-306.ibm.com/software/webservers/appserv/was/library/
6. Insert the IBM Tivoli Access Manager Shared Session Management for AIX CD and mount it.
7. Install the following Tivoli Access Manager packages:
installp -acgYXd cd_mount_point/usr/sys/inst.images packages

where cd_mount_point is the directory where the CD is mounted and where packages are as follows:
   PD.lic   Specifies the Access Manager License package.
   PD.SMS   Specifies the Access Manager Session Management Server package.
8. Prior to running smscfg, run the WebSphere 6.0 setupCmdLine.bat or setupCmdLine.sh script for the deployment manager file, depending on your operating system.
9. Deploy the instance:
smscfg -action deploy -instance new_instance

where new_instance is the name of the new instance. The new instance name you specify should be short and use ASCII characters only.
10. Extract the Tivoli Access Manager 6.0 session management server configuration information into a response file:
smscfg -action extract -instance TAM60_SMS -record sms_upgrade.rsp

Where sms_upgrade.rsp is the name of the response file. The response file is created in the same directory from which smscfg is invoked.
11. Edit the configuration settings in the response file to ensure compatibility with Tivoli Access Manager 6.1 session management server. Required changes might include updated values for the following configuration options:
   - WebSphere Application Server deployment targets: These settings identify new server or cluster names. If you are deploying to a new set of application servers, and the new server or cluster names are different, you will need to update the names in the response file:
        clustered
        was_cluster
        was_node
        was_server
   - Tivoli Access Manager environment server settings: These settings identify the 6.1 Tivoli Access Manager policy and authorization servers used by the session management server.
        policysvr_host
        policysvr_port
        authzsvr
   These settings are examples only. You must decide which settings need to be updated for your particular scenario. See the IBM Tivoli Access Manager for e-business: Shared Session Management Administration Guide for a complete list of configuration settings.
12. Apply the updated configuration information to the session management server 6.1 instance:
smscfg -action config -instance new_instance -rsp_file sms_upgrade.rsp

Where sms_upgrade.rsp is the name of the response file.
13. If you are upgrading on an existing system, update the configuration of the Web server to use the new session management server 6.1 instance:
   a. Stop the server:
      - WebSEAL:
pdweb stop

      - Plug-in for Web Servers:


pdwebpi_start stop

   b. Change the value for dsess-url in the webseald.conf and pdwebpi.conf files to the new session management server web service URL. The new URL is:
      http://server:port/new_instance/services/DSess
      where:
      - server:port describes either the application server hosting the SMS instance, or the load balancing proxy in front of the application server.
      - new_instance is the instance name specified in step 9 on page 223.
   c. Start the server.
14. Unconfigure the session management server 6.0 instance:
smscfg -action unconfigure -instance TAM60_SMS -admin_id sec_master -admin_pwd sec_master_password -remove_last_login_db no -interactive no

15. Remove the instance by uninstalling the DSess and DSessConfig applications using the WebSphere Administration Console:
   a. Click Applications > Enterprise Applications in the administrative console navigation tree to access the Enterprise Applications page.
   b. Uninstall the applications:
      1) Select the DSess and DSessConfig applications.
      2) Click Uninstall.
   c. Save changes made to the administrative configuration.


The upgrade of the Session Management Server on AIX is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.
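
The dsess-url change in step 13b, as an added example (not part of the IBM guide): a POSIX shell helper that builds the URL in the documented form, backs up each file, rewrites its single active entry, and verifies the result. The `dsess-url = value` line layout, the 32-character name limit, the `.pre-sms611` backup suffix, the function names and the sample file contents are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the IBM guide): repoint dsess-url at the new SMS instance.
# Run only while the Web security server is stopped, as the step requires.
LC_ALL=C; export LC_ALL   # keep the character ranges below byte-based

# Build the URL in the documented form: http://server:port/new_instance/services/DSess
build_dsess_url() {
    server=$1; port=$2; instance=$3
    case $server in
        ''|*[!A-Za-z0-9.-]*) echo "bad server name: $server" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*|??????*) echo "bad port: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
    # The guide asks for a short, ASCII-only instance name. The exact character
    # set and the 32-character limit are assumptions of this example.
    case $instance in
        ''|*[!A-Za-z0-9_-]*) echo "bad instance name: $instance" >&2; return 1 ;;
    esac
    [ "${#instance}" -le 32 ] || { echo "instance name too long" >&2; return 1; }
    printf 'http://%s:%s/%s/services/DSess\n' "$server" "$port" "$instance"
}

# Rewrite the one active dsess-url entry in a file, keeping a backup beside it.
# Assumption: the entry is a "dsess-url = value" line; lines starting with # are comments.
update_dsess_url() {
    conf=$1; new_url=$2
    [ -f "$conf" ] || { echo "missing file: $conf" >&2; return 1; }
    count=$(grep -c '^[[:space:]]*dsess-url[[:space:]]*=' "$conf" || true)
    # Zero or several active entries means the file needs a human, not a script.
    [ "$count" -eq 1 ] || { echo "$conf: expected 1 active dsess-url, found $count" >&2; return 1; }
    cp -p "$conf" "$conf.pre-sms611" || return 1
    tmp=$conf.tmp.$$
    # The URL is passed through the environment so awk does not interpret escapes in it.
    NEW_URL=$new_url awk '
        /^[ \t]*dsess-url[ \t]*=/ { print "dsess-url = " ENVIRON["NEW_URL"]; next }
        { print }
    ' "$conf.pre-sms611" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Overwrite in place so the file keeps its existing owner and mode.
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Succeed only when the active entry in the file equals the expected URL.
verify_dsess_url() {
    conf=$1; expected=$2
    actual=$(sed -n 's/^[[:space:]]*dsess-url[[:space:]]*=[[:space:]]*//p' "$conf")
    [ "$actual" = "$expected" ]
}

# Usage: repoint_all server port new_instance file...
# Stops at the first file that cannot be updated or does not verify.
repoint_all() {
    url=$(build_dsess_url "$1" "$2" "$3") || return 1
    shift 3
    for f in "$@"; do
        update_dsess_url "$f" "$url" || return 1
        verify_dsess_url "$f" "$url" || { echo "verify failed: $f" >&2; return 1; }
        echo "updated $f (backup: $f.pre-sms611)"
    done
}

# Write a constructed sample file for trying the functions out (not real product config).
make_sample_conf() {
    cat > "$1" <<'EOF'
[constructed-stanza]
# dsess-url = http://commented.example.test:9080/ignored/services/DSess
dsess-url = http://sms-old.example.test:9080/oldinstance/services/DSess
timeout = 3600
EOF
}
```

Because a file with no active entry or with several is refused before any backup is written, a failed run leaves that file exactly as it was.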

HP-UX: Upgrading the session management server


1. Before upgrading, make sure you've read Upgrade considerations on page 217.
2. Log in as root.
3. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
4. Ensure that the registry server and policy server are up and running (in normal mode).
5. If you are upgrading on an existing system:
   a. If the 6.0 session management server will run on a 6.1 WebSphere Application Server at any point during the upgrade, install Session Management Server FixPack 4 (FixPack 6.0.0-TIV-SMS-FP0004) on your deployment manager (for network deployment) or application server machine (for single servers). Apply FixPack 4 to the SMS 6.0 installation according to the instructions in the FixPack README. See IBM Support for more information about Tivoli Access Manager FixPacks: http://www.ibm.com/software/support
   b. Upgrade WebSphere Application Server to 6.1. See the WebSphere documentation for upgrade instructions: http://www-306.ibm.com/software/webservers/appserv/was/library/
6. Insert the IBM Tivoli Access Manager Shared Session Management for HP-UX CD.
7. Mount the CD using the HP-UX mount command. For example, enter the following:
mount -F cdfs -o rr /dev/dsk/c0t0d0 /cd-rom

where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point.
8. Install the following Tivoli Access Manager packages:
swinstall -s /cd-rom/hp packages

where /cd-rom/hp is the directory where the installation images are installed and where packages are as follows:
   PDlic   Specifies the Access Manager License package.
   PDSMS   Specifies the Access Manager Session Management Server package.
9. Prior to running smscfg, run the WebSphere 6.0 setupCmdLine.bat or setupCmdLine.sh script for the deployment manager file, depending on your operating system.
10. Deploy the instance:
smscfg -action deploy -instance new_instance


where new_instance is the name of the new instance. The new instance name you specify should be short and use ASCII characters only.
11. Extract the Tivoli Access Manager 6.0 session management server configuration information into a response file:
smscfg -action extract -instance TAM60_SMS -record sms_upgrade.rsp

Where sms_upgrade.rsp is the name of the response file. The response file is created in the same directory from which smscfg is invoked.
12. Edit the configuration settings in the response file to ensure compatibility with Tivoli Access Manager 6.1 session management server. Required changes might include updated values for the following configuration options:
   - WebSphere Application Server deployment targets: These settings identify new server or cluster names. If you are deploying to a new set of application servers, and the new server or cluster names are different, you will need to update the names in the response file:
        clustered
        was_cluster
        was_node
        was_server
   - Tivoli Access Manager environment server settings: These settings identify the 6.1 Tivoli Access Manager policy and authorization servers used by the session management server.
        policysvr_host
        policysvr_port
        authzsvr
   These settings are examples only. You must decide which settings need to be updated for your particular scenario. See the IBM Tivoli Access Manager for e-business: Shared Session Management Administration Guide for a complete list of configuration settings.
13. Apply the updated configuration information to the session management server 6.1 instance:
smscfg -action config -instance new_instance -rsp_file sms_upgrade.rsp

Where sms_upgrade.rsp is the name of the response file.
14. If you are upgrading an existing application server system, update the configuration of the Web server to use the new session management server 6.1 instance:
   a. Stop the server:
      - WebSEAL:
pdweb stop

      - Plug-in for Web Servers:


pdwebpi_start stop

   b. Change the value for dsess-url in the webseald.conf and pdwebpi.conf files to the new session management server web service URL. The new URL is:
      http://server:port/new_instance/services/DSess
      where:
      - server:port describes either the application server hosting the SMS instance, or the load balancing proxy in front of the application server.
      - new_instance is the instance name specified in step 9 on page 223.
   c. Start the server.
15. Remove the session management server 6.0 instance:
smscfg -action unconfigure -instance TAM60_SMS -admin_id sec_master -admin_pwd sec_master_password -remove_last_login_db no -interactive no

16. Remove the instance by uninstalling the DSess and DSessConfig applications using the WebSphere Administration Console:
   a. Click Applications > Enterprise Applications in the administrative console navigation tree to access the Enterprise Applications page.
   b. Uninstall the applications:
      1) Select the DSess and DSessConfig applications.
      2) Click Uninstall.
   c. Save changes made to the administrative configuration.

The upgrade of the Session Management Server on HP-UX is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

Linux on x86: Upgrading the session management server


1. Before upgrading, make sure you've read Upgrade considerations on page 217.
2. Log in as root.
3. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
4. Ensure that the registry server and policy server are up and running (in normal mode).
5. If you are upgrading on an existing system:
   a. If the 6.0 session management server will run on a 6.1 WebSphere Application Server at any point during the upgrade, install Session Management Server FixPack 4 (FixPack 6.0.0-TIV-SMS-FP0004) on your deployment manager (for network deployment) or application server machine (for single servers). Apply FixPack 4 to the SMS 6.0 installation according to the instructions in the FixPack README. See IBM Support for more information about Tivoli Access Manager FixPacks: http://www.ibm.com/software/support
   b. Upgrade WebSphere Application Server to 6.1. See the WebSphere documentation for upgrade instructions: http://www-306.ibm.com/software/webservers/appserv/was/library/
6. Insert the IBM Tivoli Access Manager Shared Session Management for Linux on x86 CD and mount it.
7. Change to the following directory:
cd cd_mount_pt/linux_i386


where cd_mount_pt/linux_i386 is where the installation images are located.
8. Install the following Tivoli Access Manager packages:
rpm -ihv packages

where packages are as follows:
   PDlic-PD-6.1.1-0.i386.rpm   Specifies the Access Manager License package.
   PDSMS-PD-6.1.1-0.i386.rpm   Specifies the Access Manager Session Management Server package.
9. Prior to running smscfg, run the WebSphere 6.0 setupCmdLine.bat or setupCmdLine.sh script for the deployment manager file, depending on your operating system.
10. Deploy the instance:
smscfg -action deploy -instance new_instance

where new_instance is the name of the new instance. The new instance name you specify should be short and use ASCII characters only.
11. Extract the Tivoli Access Manager 6.0 session management server configuration information into a response file:
smscfg -action extract -instance TAM60_SMS -record sms_upgrade.rsp

Where sms_upgrade.rsp is the name of the response file. The response file is created in the same directory from which smscfg is invoked.
12. Edit the configuration settings in the response file to ensure compatibility with Tivoli Access Manager 6.1 session management server. Required changes might include updated values for the following configuration options:
   - WebSphere Application Server deployment targets: These settings identify new server or cluster names. If you are deploying to a new set of application servers, and the new server or cluster names are different, you will need to update the names in the response file:
        clustered
        was_cluster
        was_node
        was_server
   - Tivoli Access Manager environment server settings: These settings identify the 6.1 Tivoli Access Manager policy and authorization servers used by the session management server.
        policysvr_host
        policysvr_port
        authzsvr
   These settings are examples only. You must decide which settings need to be updated for your particular scenario. See the IBM Tivoli Access Manager for e-business: Shared Session Management Administration Guide for a complete list of configuration settings.
13. Apply the updated configuration information to the session management server 6.1 instance:
smscfg -action config -instance new_instance -rsp_file sms_upgrade.rsp

Where sms_upgrade.rsp is the name of the response file.


14. If you are upgrading an existing application server system, update the configuration of the Web server to use the new session management server 6.1 instance:
   a. Stop the server:
      - WebSEAL:
pdweb stop

      - Plug-in for Web Servers:


pdwebpi_start stop

   b. Change the value for dsess-url in the webseald.conf and pdwebpi.conf files to the new session management server web service URL. The new URL is:
      http://server:port/new_instance/services/DSess
      where:
      - server:port describes either the application server hosting the SMS instance, or the load balancing proxy in front of the application server.
      - new_instance is the instance name specified in step 9 on page 223.
   c. Start the server.
15. Remove the session management server 6.0 instance:
smscfg -action unconfigure -instance TAM60_SMS -admin_id sec_master -admin_pwd sec_master_password -remove_last_login_db no -interactive no

16. Remove the instance by uninstalling the DSess and DSessConfig applications using the WebSphere Administration Console:
   a. Click Applications > Enterprise Applications in the administrative console navigation tree to access the Enterprise Applications page.
   b. Uninstall the applications:
      1) Select the DSess and DSessConfig applications.
      2) Click Uninstall.
   c. Save changes made to the administrative configuration.

The upgrade of the Session Management Server on Linux on x86 is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

Linux on System z: Upgrading the session management server


1. Before upgrading, make sure you've read Upgrade considerations on page 217.
2. Log in as root.
3. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
4. Ensure that the registry server and policy server are up and running (in normal mode).
5. If the 6.0 session management server will run on a 6.1 WebSphere Application Server at any point during the upgrade, install Session Management Server FixPack 4 (FixPack 6.0.0-TIV-SMS-FP0004) on your deployment manager (for network deployment) or application server machine (for single servers). Apply FixPack 4 to the SMS 6.0 installation according to the instructions in the FixPack README. See IBM Support for more information about Tivoli Access Manager FixPacks: http://www.ibm.com/software/support
6. Upgrade WebSphere Application Server to 6.1. See the WebSphere documentation for upgrade instructions: http://www-306.ibm.com/software/webservers/appserv/was/library/
7. Obtain access to the IBM Tivoli Access Manager Shared Session Management for Linux on System z CD image on the System z system.
8. Change to the following directory:
cd cd_mount_pt/linux_s390

where cd_mount_pt/linux_s390 is where the installation images are located.
9. Install the following Tivoli Access Manager packages:
rpm -ihv packages

where packages are as follows:
   PDlic-PD-6.1.1-0.s390.rpm   Specifies the Access Manager License package.
   PDSMS-PD-6.1.1-0.s390.rpm   Specifies the Access Manager Session Management Server package.
10. Prior to running smscfg, run the WebSphere 6.0 setupCmdLine.bat or setupCmdLine.sh script for the deployment manager file, depending on your operating system.
11. Deploy the instance:
smscfg -action deploy -instance new_instance

where new_instance is the name of the new instance. The new instance name you specify should be short and use ASCII characters only.
12. Extract the Tivoli Access Manager 6.0 session management server configuration information into a response file:
smscfg -action extract -instance TAM60_SMS -record sms_upgrade.rsp

Where sms_upgrade.rsp is the name of the response file. The response file is created in the same directory from which smscfg is invoked.
13. Edit the configuration settings in the response file to ensure compatibility with Tivoli Access Manager 6.1 session management server. Required changes might include updated values for the following configuration options:
   - WebSphere Application Server deployment targets: These settings identify new server or cluster names. If you are deploying to a new set of application servers, and the new server or cluster names are different, you will need to update the names in the response file:
        clustered
        was_cluster
        was_node
        was_server
   - Tivoli Access Manager environment server settings: These settings identify the 6.1 Tivoli Access Manager policy and authorization servers used by the session management server.
        policysvr_host
        policysvr_port
        authzsvr
   These settings are examples only. You must decide which settings need to be updated for your particular scenario. See the IBM Tivoli Access Manager for e-business: Shared Session Management Administration Guide for a complete list of configuration settings.
14. Apply the updated configuration information to the session management server 6.1 instance:
smscfg -action config -instance new_instance -rsp_file sms_upgrade.rsp

Where sms_upgrade.rsp is the name of the response file.
15. If you are upgrading on an existing application server system, update the configuration of the Web server to use the new session management server 6.1 instance:
   a. Stop the server:
      - WebSEAL:
pdweb stop

      - Plug-in for Web Servers:


pdwebpi_start stop

   b. Change the value for dsess-url in the webseald.conf and pdwebpi.conf files to the new session management server web service URL. The new URL is:
      http://server:port/new_instance/services/DSess
      where:
      - server:port describes either the application server hosting the SMS instance, or the load balancing proxy in front of the application server.
      - new_instance is the instance name specified in step 9 on page 223.
   c. Start the server.
16. Remove the session management server 6.0 instance:
smscfg -action unconfigure -instance TAM60_SMS -admin_id sec_master -admin_pwd sec_master_password -remove_last_login_db no -interactive no

17. Remove the instance by uninstalling the DSess and DSessConfig applications using the WebSphere Administration Console:
   a. Click Applications > Enterprise Applications in the administrative console navigation tree to access the Enterprise Applications page.
   b. Uninstall the applications:
      1) Select the DSess and DSessConfig applications.
      2) Click Uninstall.
   c. Save changes made to the administrative configuration.

The upgrade of the Session Management Server on Linux on System z is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

Chapter 10. Upgrading the session management server

Solaris: Upgrading the session management server


1. Before upgrading, make sure you have read "Upgrade considerations" on page 217.
2. Log in as root.
3. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
4. Ensure that the registry server and policy server are up and running (in normal mode).
5. If you are upgrading on an existing system:
   a. If the 6.0 session management server will run on a 6.1 WebSphere Application Server at any point during the upgrade, install Session Management Server FixPack 4 (FixPack 6.0.0-TIV-SMS-FP0004) on your deployment manager (for network deployment) or application server machine (for single servers). Apply FixPack 4 to the SMS 6.0 installation according to the instructions in the FixPack README. See IBM Support for more information about Tivoli Access Manager FixPacks: http://www.ibm.com/software/support
   b. Upgrade WebSphere Application Server to 6.1. See the WebSphere documentation for upgrade instructions: http://www-306.ibm.com/software/webservers/appserv/was/library/
6. Upgrade WebSphere Application Server to 6.1. See the WebSphere documentation for upgrade instructions: http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/welc6topmigrating.html
7. Insert the IBM Tivoli Access Manager Shared Session Management for Solaris CD and mount it.
8. Install the following Tivoli Access Manager packages:
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault packages

where /cdrom/cdrom0/solaris is where the installation images are located, /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script, and packages are as follows:
   PDlic   Specifies the Access Manager License package.
   PDSMS   Specifies the Access Manager Session Management Server package.
When the installation process is complete for each package, the following message is displayed:
Installation of package successful.

9. Before running smscfg, run the WebSphere 6.0 setupCmdLine.bat or setupCmdLine.sh script for the deployment manager file, depending on your operating system.
10. Deploy the instance:
smscfg -action deploy -instance new_instance

where new_instance is the name of the new instance. The new instance name you specify should be short and use ASCII characters only.
11. Extract the Tivoli Access Manager 6.0 session management server configuration information into a response file:
smscfg -action extract -instance TAM60_SMS -record sms_upgrade.rsp

where sms_upgrade.rsp is the name of the response file. The response file is created in the same directory from which smscfg is invoked.
12. Edit the configuration settings in the response file to ensure compatibility with Tivoli Access Manager 6.1 session management server. Required changes might include updated values for the following configuration options:
   - WebSphere Application Server deployment targets: These settings identify new server or cluster names. If you are deploying to a new set of application servers, and the new server or cluster names are different, you will need to update the names in the response file:
      - clustered
      - was_cluster
      - was_node
      - was_server
   - Tivoli Access Manager environment server settings: These settings identify the 6.1 Tivoli Access Manager policy and authorization servers used by the session management server.
      - policysvr_host
      - policysvr_port
      - authzsvr
   These settings are examples only. You must decide which settings need to be updated for your particular scenario. See the IBM Tivoli Access Manager for e-business: Shared Session Management Administration Guide for a complete list of configuration settings.
13. Apply the updated configuration information to the session management server 6.1 instance:
smscfg -action config -instance new_instance -rsp_file sms_upgrade.rsp

where sms_upgrade.rsp is the name of the response file.
14. If you are upgrading on an existing application server, update the configuration of the Web server to use the new session management server 6.1 instance:
   a. Stop the server:
      - WebSEAL:
pdweb stop

      - Plug-in for Web Servers:
pdwebpi_start stop

   b. Change the value for dsess-url in the webseald.conf and pdwebpi.conf files to the new session management server web service URL. The new URL is: http://server:port/new_instance/services/DSess
      where:
      - server:port describes either the application server hosting the SMS instance, or the load balancing proxy in front of the application server.
      - new_instance is the instance name specified in step 9 on page 223.
   c. Start the server.
15. Remove the session management server 6.0 instance:
smscfg -action unconfigure -instance TAM60_SMS -admin_id sec_master -admin_pwd sec_master_password -remove_last_login_db no -interactive no

16. Remove the instance by uninstalling the DSess and DSessConfig applications using the WebSphere Administration Console:
   a. Click Applications > Enterprise Applications in the administrative console navigation tree to access the Enterprise Applications page.
   b. Uninstall the applications:
      1) Select the DSess and DSessConfig applications.
      2) Click Uninstall.
   c. Save changes made to the administrative configuration.

The upgrade of the Session Management Server on Solaris is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

Windows: Upgrading the session management server


1. Before upgrading, make sure you have read "Upgrade considerations" on page 217.
2. Log in as an administrator.
3. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
4. Ensure that the registry server and policy server are up and running (in normal mode).
5. If you are upgrading on an existing system:
   a. If the 6.0 session management server will run on a 6.1 WebSphere Application Server at any point during the upgrade, install Session Management Server FixPack 4 (FixPack 6.0.0-TIV-SMS-FP0004) on your deployment manager (for network deployment) or application server machine (for single servers). Apply FixPack 4 to the SMS 6.0 installation according to the instructions in the FixPack README. See IBM Support for more information about Tivoli Access Manager FixPacks: http://www.ibm.com/software/support
   b. Upgrade WebSphere Application Server to 6.1. See the WebSphere documentation for upgrade instructions: http://www-306.ibm.com/software/webservers/appserv/was/library/
6. Insert the IBM Tivoli Access Manager Shared Session Management for Windows CD and mount it.
7. Install the Access Manager Session Management Server package. To do so, run the setup.exe program located in the following directory:
\windows\PolicyDirector\Disk Images\Disk1

Follow the online instructions and select to install the following packages:
   - Access Manager License
   - Access Manager Session Management Server
8. Before running smscfg, run the WebSphere 6.0 setupCmdLine.bat or setupCmdLine.sh script for the deployment manager file, depending on your operating system.
9. Deploy the instance:
smscfg -action deploy -instance new_instance

where new_instance is the name of the new instance. The new instance name you specify should be short and use ASCII characters only.
10. Extract the Tivoli Access Manager 6.0 session management server configuration information into a response file:
smscfg -action extract -instance TAM60_SMS -record sms_upgrade.rsp

where sms_upgrade.rsp is the name of the response file. The response file is created in the same directory from which smscfg is invoked.
11. WebSphere Application Server deployment targets: These settings identify new server or cluster names. If you are deploying to a new set of application servers, and the new server or cluster names are different, you will need to update the names in the response file:
   - clustered
   - was_cluster
   - was_node
   - was_server
12. Tivoli Access Manager environment server settings: These settings identify the 6.1 Tivoli Access Manager policy and authorization servers used by the session management server.
   - policysvr_host
   - policysvr_port
   - authzsvr
13. Apply the updated configuration information to the session management server 6.1 instance:
smscfg -action config -instance new_instance -rsp_file sms_upgrade.rsp

where sms_upgrade.rsp is the name of the response file.
14. If you are upgrading on an existing application server, update the configuration of the Web server to use the new session management server 6.1 instance:
   a. Stop the WebSEAL and Plug-in Web Server services; for example, on a Windows 2003 system:
      - Click Start > Control Panel > Administrative Tools.
      - Double-click the Services icon and stop the services for the WebSEAL and Plug-in for Web Servers services.
   b. Change the value for dsess-url in the webseald.conf and pdwebpi.conf files to the new session management server web service URL. The new URL is: http://server:port/new_instance/services/DSess
      where:
      - server:port describes either the application server hosting the SMS instance, or the load balancing proxy in front of the application server.
      - new_instance is the instance name specified in step 9 on page 223.
   c. Start the server.
15. Remove the session management server 6.0 instance:
smscfg -action unconfigure -instance TAM60_SMS -admin_id sec_master -admin_pwd sec_master_password -remove_last_login_db no -interactive no

16. Remove the instance by uninstalling the DSess and DSessConfig applications using the WebSphere Administration Console:
   a. Click Applications > Enterprise Applications in the administrative console navigation tree to access the Enterprise Applications page.
   b. Uninstall the applications:
      1) Select the DSess and DSessConfig applications.
      2) Click Uninstall.
   c. Save changes made to the administrative configuration.

The upgrade of the Session Management Server on Windows is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

Chapter 11. Upgrading the session management command line


Tivoli Access Manager supports an upgrade of the session management command line to version 6.1.1. The following platform-specific instructions are provided:
- AIX
- HP-UX
- Linux on x86
- Linux on System z
- Solaris
- Windows

Upgrade considerations
Before you upgrade the Tivoli Access Manager session management command line interface, you must perform the following tasks (as required).
- Upgrade your operating system to the minimum supported level. For information about minimum supported levels, see IBM Tivoli Access Manager for e-business: Release Notes.
- In Tivoli Directory Server version 6.1, clients can coexist on the same machine with a client that is version 5.1, 5.2, or 6.0. The Tivoli Directory Server 6.1 server requires that the version 6.1 client and the Java client also be installed. In addition, the server can coexist on the same machine with another client that is version 5.1, 5.2 or 6.0, or with a version of the 6.0 server.
- You are not required to upgrade all Tivoli Access Manager components in your secure domain to a 6.1.1 level. However, if you upgrade any Tivoli Access Manager component in your secure domain to a 6.1.1 level, you must install Tivoli Directory Server client 6.1 on that system. For a list of components that are compatible with Tivoli Access Manager 6.1.1, see the IBM Tivoli Access Manager for e-business: Release Notes.
- In general, if Tivoli Directory Server is your registry server and is located on a different machine from any Tivoli Access Manager component, you can upgrade the registry server at any time, before or after the upgrade of the Tivoli Access Manager 6.1.1 component. However, when the server package of Tivoli Directory Server is installed on the same machine as any Tivoli Access Manager 6.1.1 component and if you choose to install the server package of Tivoli Directory Server 6.1, it is recommended that you install the Tivoli Directory Server 6.1 client and server packages at the same time as you install the Tivoli Access Manager 6.1.1 component on that machine.
- If you are upgrading and using a language other than English, remember to upgrade your language package. Refer to the IBM Tivoli Access Manager for e-business: Installation Guide to install the language package. However, when upgrading the IBM Tivoli Directory Server language packages, you must use the upgrade (-U) option for Linux operating systems.

AIX: Upgrading the session management command line


To upgrade the session management command line system on AIX, complete the following instructions:
Copyright IBM Corp. 2003, 2010

1. Before upgrading the command line system to 6.1.1, review the considerations in "Upgrade considerations" on page 237.
2. Log in as root.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
   Note: The AIX operating system requires version 8.0.0.x of the xlC fileset. Check your current version by using the lslpp command and upgrade, if necessary.
4. Insert the IBM Tivoli Access Manager Shared Session Management for AIX CD and mount it.
5. Stop all Tivoli Access Manager applications and services:
pd_start stop

6. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

7. Use the pdbackup utility to back up critical information:


/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:
   -list fullpath_to_backup_listfile
      Specifies the fully qualified path to the list file. There are two backup list files to back up: the Tivoli Access Manager backup list file and the Session Management Server Command Line backup list file. For example:
      - The Tivoli Access Manager backup list file:
/opt/PolicyDirector/etc/pdbackup.lst

      - The Session Management Server Command Line backup list file:
/opt/pdsms/etc/pdinfo-pdsmscli.lst

   -path path
      Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

   -file filename
      Specifies a file name other than the list_date.time [.tar] default file name.
For more information about the pdbackup utility, see Appendix A, "Upgrade utilities," on page 281.
8. Install the Global Security Kit (GSKit):
installp -acgYXd cd_mount_pt/usr/sys/inst.images gskta.rte

where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located and gskta.rte is the Global Security Kit package.
9. Install the Tivoli Directory Server client packages:
installp -acgYXd cd_mount_pt/usr/sys/inst.images packages

where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located and where packages are the names of the Tivoli Directory Server client packages:
   Client base package                 idsldap.cltbase61
   Client package (32-bit) (no SSL)    idsldap.clt32bit61
   Client package (32-bit) (SSL)       idsldap.clt_max_crypto32bit61

Note: The 32-bit client package requires the base client package.
10. Ensure that your registry server is running.
11. Upgrade Tivoli Security Utilities:
installp -acgYXd cd_mount_pt/usr/sys/inst.images TivSec.Utl

where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located and TivSec.Utl is the Tivoli Security Utilities package.
12. Upgrade Access Manager License:
installp -acgYXd cd_mount_pt/usr/sys/inst.images PD.lic

where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located and PD.lic is the Access Manager License package.
13. Upgrade Access Manager Runtime:
installp -acgYXd cd_mount_pt/usr/sys/inst.images PD.RTE

where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located and PD.RTE is the Access Manager Runtime package.
14. Upgrade Access Manager Authorization Server package:
installp -acgYXd cd_mount_pt/usr/sys/inst.images PD.Acld

where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located and PD.Acld is the Access Manager Authorization Server package.
15. Upgrade the Access Manager Session Management Command Line package:
installp -acgYXd cd_mount_pt/usr/sys/inst.images PD.SMSCLI

where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located and PD.SMSCLI is the Access Manager Session Management Command Line package.
16. If the two-system upgrade option was used for the policy server, the master-host record must be updated to point to the new policy server.
   Note: The two-system upgrade option can only be used if the registry server is an LDAP server.
   Edit the master-host entry in the following configuration files:
   - /opt/PolicyDirector/etc/pd.conf
   - /opt/PolicyDirector/etc/ivacld.conf

The upgrade of the session management command line on AIX is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

HP-UX: Upgrading the session management command line


To upgrade the session management command line system on HP-UX, complete the following instructions:
1. Before upgrading the session management command line to 6.1.1, review the considerations in "Upgrade considerations" on page 237.
2. Log in as root.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
4. Insert the IBM Tivoli Access Manager Shared Session Management for HP-UX CD.
5. Mount the CD using the HP-UX mount command. For example, enter the following command:
mount -F cdfs -o rr /dev/dsk/c0t0d0 /cd-rom

where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point.
6. Stop all Tivoli Access Manager applications and services:
pd_start stop

7. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

8. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:
   -list fullpath_to_backup_listfile
      Specifies the fully qualified path to the list file. There are two backup list files to back up: the Tivoli Access Manager backup list file and the Session Management Server Command Line backup list file. For example:
      - The Tivoli Access Manager backup list file:
/opt/PolicyDirector/etc/pdbackup.lst

      - The Session Management Server Command Line backup list file:
/opt/pdsms/etc/pdinfo-pdsmscli.lst

   -path path
      Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

   -file filename
      Specifies a file name other than the list_date.time [.tar] default file name.
For example:
/opt/PolicyDirector/bin/pdbackup -action backup -list /opt/PolicyDirector/etc/pdbackup.lst -path /tmp -file pdbackupdata

For more information about the pdbackup utility, see Appendix A, "Upgrade utilities," on page 281.
9. Install the Global Security Kit (GSKit):
swinstall -s /cd-rom/hp gsk7bas

where /cd-rom/hp is the directory where the GSKit installation images are located and gsk7bas is the name of the GSKit package.
10. Install the Tivoli Directory Server client packages:
swinstall -s /cd-rom/hp packages

where /cd-rom/hp is the directory where the installation images are located and packages are as follows:
   Base client package                 idsldap.cltbase61
   Client package (32-bit) (no SSL)    idsldap.clt32bit61

Note: The 32-bit client package requires the base client package.
11. Ensure that your registry server is running.
12. Upgrade Tivoli Security Utilities:
swinstall -s /cd-rom/hp TivSecUtl

where /cd-rom/hp is the directory where the installation images are located and TivSecUtl is the Tivoli Security Utilities package.
13. Upgrade Access Manager License:
swinstall -s /cd-rom/hp PDlic

where /cd-rom/hp is the directory where the installation images are located and PDlic is the Access Manager License package.
14. Upgrade Access Manager Runtime:
swinstall -s /cd-rom/hp PDRTE

where /cd-rom/hp is the directory where the installation images are located and PDRTE is the Access Manager Runtime package.
15. Upgrade Access Manager Authorization Server package:
installp -acgYXd cd_mount_pt/usr/sys/inst.images PD.Acld

where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located and PD.Acld is the Access Manager Authorization Server package.
16. Upgrade the Access Manager Session Management Command Line package:
installp -acgYXd cd_mount_pt/usr/sys/inst.images PD.SMSCLI

where cd_mount_pt/usr/sys/inst.images is the directory where the installation images are located and PD.SMSCLI is the Access Manager Session Management Command Line package.
17. If the two-system upgrade option was used for the policy server, the master-host record must be updated to point to the new policy server.
   Note: The two-system upgrade option can only be used if the registry server is an LDAP server.
   Edit the master-host entry in the following configuration files:
   - /opt/PolicyDirector/etc/pd.conf
   - /opt/PolicyDirector/etc/ivacld.conf

The upgrade of the session management command line on HP-UX is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

Linux on x86: Upgrading the session management command line


To upgrade a session management command line system for Linux on x86, complete the following instructions:
1. Before upgrading the session management command line to 6.1.1, review the considerations in "Upgrade considerations" on page 237.
2. Log in as root.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
4. Insert the IBM Tivoli Access Manager Shared Session Management for Linux on x86 CD and mount it.
5. Change to the following directory:
cd cd_mount_pt/linux_i386

where cd_mount_pt is where the CD is mounted.
6. Stop all Tivoli Access Manager applications and services:
pd_start stop

7. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

8. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:
   -list fullpath_to_backup_listfile
      Specifies the fully qualified path to the list file. There are two backup list files to back up: the Tivoli Access Manager backup list file and the Session Management Server Command Line backup list file. For example:
      - The Tivoli Access Manager backup list file:
/opt/PolicyDirector/etc/pdbackup.lst

      - The Session Management Server Command Line backup list file:
/opt/pdsms/etc/pdinfo-pdsmscli.lst

   -path path
      Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

   -file filename
      Specifies a file name other than the list_date.time [.tar] default file name.
For more information about the pdbackup utility, see Appendix A, "Upgrade utilities," on page 281.
9. Upgrade the IBM Global Security Kit (GSKit):
rpm -U gsk7bas-7.0-4.28.i386.rpm

10. Install the Tivoli Directory Server client packages:
rpm -i packages

where packages are as follows:
   Base client package      idsldap-cltbase61-6.1.0-6.i386.rpm
   32-bit client package    idsldap-clt32bit61-6.1.0-6.i386.rpm
   Java client package      idsldap-cltjava61-6.1.0-6.i386.rpm

Note: The 32-bit client package requires the base client package. For example, enter:
rpm -i idsldap-cltbase61-6.1.0-6.i386.rpm idsldap-clt32bit61-6.1.0-6.i386.rpm

11. Ensure that your registry server is running.
12. Upgrade Tivoli Security Utilities:
rpm -U TivSecUtl-TivSec-6.1.1-0.i386.rpm

where TivSecUtl-TivSec-6.1.1-0.i386.rpm is the Tivoli Security Utilities package.
13. Upgrade Access Manager License:
rpm -U PDlic-PD-6.1.1-0.i386.rpm

where PDlic-PD-6.1.1-0.i386.rpm is the Access Manager License package.
14. Upgrade Access Manager Runtime:
rpm -U PDRTE-PD-6.1.1-0.i386.rpm

where PDRTE-PD-6.1.1-0.i386.rpm is the Access Manager Runtime package.
15. Upgrade Access Manager Authorization Server package:
rpm -U PDAcld-PD-6.1.1-0.i386.rpm

16. Upgrade the Access Manager Session Management Command Line package:
rpm -U PDSMS-CLI-6.1.1-0.i386.rpm

17. If the two-system upgrade option was used for the policy server, the master-host record must be updated to point to the new policy server.
   Note: The two-system upgrade option can only be used if the registry server is an LDAP server.
   Edit the master-host entry in the following configuration files:
   - /opt/PolicyDirector/etc/pd.conf
   - /opt/PolicyDirector/etc/ivacld.conf

The upgrade of the session management command line for Linux on x86 is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.

Linux on System z: Upgrading the session management command line


To upgrade a session management command line system for Linux on System z, complete the following instructions:
1. Before upgrading the session management command line to 6.1.1, review the considerations in "Upgrade considerations" on page 237.
2. Log in as root.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
4. Obtain access to the IBM Tivoli Access Manager Base for Linux on System z CD image on the System z system. The .rpm files are located in the /cd_mount_pt/linux_s390 directory.
5. Change to the following directory:
cd cd_mount_pt/linux_s390

where cd_mount_pt is where the CD is mounted.
6. Stop all Tivoli Access Manager applications and services:
pd_start stop

7. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

8. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:
   -list fullpath_to_backup_listfile
      Specifies the fully qualified path to the list file. There are two backup list files to back up: the Tivoli Access Manager backup list file and the Session Management Server Command Line backup list file. For example:
      - The Tivoli Access Manager backup list file:
/opt/PolicyDirector/etc/pdbackup.lst

      - The Session Management Server Command Line backup list file:
/opt/pdsms/etc/pdinfo-pdsmscli.lst

   -path path
      Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

   -file filename
      Specifies a file name other than the list_date.time [.tar] default file name.
For more information about the pdbackup utility, see Appendix A, "Upgrade utilities," on page 281.
9. Upgrade the IBM Global Security Kit (GSKit):
rpm -U gsk7bas-7.0-4.28.s390.rpm

10. Install the Tivoli Directory Server client packages:
rpm -i packages

where packages are as follows:
   Base client package      idsldap-cltbase61-6.1.0-6.s390.rpm
   32-bit client package    idsldap-clt32bit61-6.1.0-6.s390.rpm
   Java client package      idsldap-cltjava61-6.1.0-6.s390.rpm

Note: The 32-bit client package requires the base client package. For example, enter:
rpm -i idsldap-cltbase61-6.1.0-6.s390.rpm idsldap-clt32bit61-6.1.0-6.s390.rpm

11. Ensure that your registry server is running.
12. Upgrade Tivoli Security Utilities:
rpm -U TivSecUtl-TivSec-6.1.1-0.s390.rpm

where TivSecUtl-TivSec-6.1.1-0.s390.rpm is the Tivoli Security Utilities package.
13. Upgrade Access Manager License:
rpm -U PDlic-PD-6.1.1-0.s390.rpm

where PDlic-PD-6.1.1-0.s390.rpm is the Access Manager License package.
14. Upgrade Access Manager Runtime:
rpm -U PDRTE-PD-6.1.1-0.s390.rpm

where PDRTE-PD-6.1.1-0.s390.rpm is the Access Manager Runtime package.
15. Upgrade Access Manager Authorization Server package:
rpm -U PDAcld-PD-6.1.1-0.s390.rpm

where PDAcld-PD-6.1.1-0.s390.rpm is the Access Manager Authorization Server package.
16. Upgrade the Access Manager Session Management Command Line package:
rpm -U PDSMS-CLI-6.1.1-0.s390.rpm

where PDSMS-CLI-6.1.1-0.s390.rpm is the Access Manager Session Management Command Line package.
17. If the two-system upgrade option was used for the policy server, the master-host record must be updated to point to the new policy server.
   Note: The two-system upgrade option can only be used if the registry server is an LDAP server.
   Edit the master-host entry in the following configuration files:
   - /opt/PolicyDirector/etc/pd.conf
   - /opt/PolicyDirector/etc/ivacld.conf

The upgrade of the session management command line for Linux on System z is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.
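
The dsess-url change in webseald.conf and pdwebpi.conf (session management server procedures) and the master-host change in pd.conf and ivacld.conf (step 17) are both single-entry edits to files that control which server a security component trusts. The shell functions below are an added example, not IBM tooling: they refuse to act unless exactly one active entry exists, keep a copy of the old file, and overwrite in place so that the owner and mode are unchanged. The "key = value" syntax with "#" comments, the function names, the .pre-upgrade suffix and the sample file contents are assumptions.

```shell
#!/bin/sh
# Added example (not IBM tooling). Assumes "key = value" entries and "#"
# comment lines; function names and the ".pre-upgrade" suffix are choices
# made for this example.

# get_conf_key FILE KEY: print the value of every active (uncommented) KEY entry.
get_conf_key() (
    KEY=$2 awk '
        /^[ \t]*#/ { next }                       # ignore commented-out entries
        {
            eq = index($0, "=")
            if (eq == 0) next                     # stanza headers, blank lines
            name = substr($0, 1, eq - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            if (name != ENVIRON["KEY"]) next
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            print val
        }' "$1"
)

# set_conf_key FILE KEY VALUE: replace the single active KEY entry in FILE.
# Exit status: 0 changed and verified, 2 file missing, 3 zero or several
# active entries (nothing is touched), 4 write failure.
set_conf_key() (
    file=$1 key=$2 value=$3
    [ -f "$file" ] || { echo "$file: not found" >&2; exit 2; }
    count=$(( $(get_conf_key "$file" "$key" | wc -l) ))
    if [ "$count" -ne 1 ]; then
        echo "$file: expected one active $key entry, found $count" >&2
        exit 3
    fi
    cp -p "$file" "$file.pre-upgrade" || exit 4   # old value kept for rollback
    tmp=$(mktemp "$file.XXXXXX") || exit 4
    if KEY=$key VALUE=$value awk '
        /^[ \t]*#/ { print; next }                # comments pass through
        {
            eq = index($0, "=")
            name = (eq > 0) ? substr($0, 1, eq - 1) : ""
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            if (eq > 0 && name == ENVIRON["KEY"])
                print ENVIRON["KEY"] " = " ENVIRON["VALUE"]
            else
                print
        }' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps owner and mode
    then rc=0; else rc=4; fi
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || exit "$rc"
    # Read the entry back so a silent mismatch is reported as a failure.
    [ "$(get_conf_key "$file" "$key")" = "$value" ]
)

# demo: run both edits against constructed sample files and print the results.
demo() (
    dir=$(mktemp -d) || exit 1
    # Constructed samples; host names and stanza contents are made up.
    printf '%s\n' '[dsess]' '# dsess-url = http://unused.example.com/' \
        'dsess-url = http://sms.example.com:9080/TAM60_SMS/services/DSess' \
        > "$dir/webseald.conf"
    printf '%s\n' '[manager]' 'master-host = oldpolicy.example.com' \
        'master-port = 7135' > "$dir/pd.conf"
    set_conf_key "$dir/webseald.conf" dsess-url \
        'http://sms.example.com:9080/new_instance/services/DSess' &&
    set_conf_key "$dir/pd.conf" master-host newpolicy.example.com &&
    get_conf_key "$dir/webseald.conf" dsess-url &&
    get_conf_key "$dir/pd.conf" master-host
    rc=$?
    rm -rf "$dir"
    exit "$rc"
)

demo
```

Run the functions only while the affected server is stopped, as the procedures require, and keep the .pre-upgrade copies with the pdbackup archive.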

Solaris: Upgrading the session management command line


To upgrade a session management command line on Solaris, complete the following instructions:
1. Before upgrading the session management command line to 6.1.1, review the considerations in "Upgrade considerations" on page 237.
2. Log in as root.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
4. Insert the IBM Tivoli Access Manager Shared Session Management for Solaris CD.
5. Stop all Tivoli Access Manager applications and services:
pd_start stop

6. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

7. Use the pdbackup utility to back up critical Tivoli Access Manager information:
/opt/PolicyDirector/bin/pdbackup -action backup -list fullpath_to_backup_listfile -path path -file filename

where:
   -list fullpath_to_backup_listfile
      Specifies the fully qualified path to the list file. There are two backup list files to back up: the Tivoli Access Manager backup list file and the Session Management Server Command Line backup list file. For example:
      - The Tivoli Access Manager backup list file:
/opt/PolicyDirector/etc/pdbackup.lst

- The Session Management Server Command Line backup list file:


/opt/pdsms/etc/pdinfo-pdsmscli.lst

-path path
Specifies the path where you want the backed up files to be stored. For example:
/var/PolicyDirector/pdbackup

-file filename
Specifies a file name other than the list_date.time [.tar] default file name.
For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.
8. Install the Global Security Kit (GSKit):
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault gsk7bas

where /cdrom/cdrom0/solaris specifies the location of the package and /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script.
Note: During installation, you are asked if you want to use /opt as the root directory. If space permits, use /opt as the root installation directory. To accept /opt as the root directory, press Enter.
9. Install the Tivoli Directory Server client packages:
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault packages

where /cdrom/cdrom0/solaris specifies the location of the package, /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script, and packages are as follows:
Base client package: IDSlbc61
32-bit client package: IDSl32c61
Java client package: IDSljc61

10. Ensure that your registry server is running.
11. Upgrade Tivoli Security Utilities:
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault TivSecUtl

where /cdrom/cdrom0/solaris specifies the location of the package, /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script, and TivSecUtl is the Tivoli Security Utilities package.
12. Upgrade Access Manager License:
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault PDlic

where /cdrom/cdrom0/solaris specifies the location of the package, /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script, and PDlic is the Access Manager License package.
13. Upgrade Access Manager Runtime:
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault PDRTE

where /cdrom/cdrom0/solaris specifies the location of the package, /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script, and PDRTE is the Access Manager Runtime package.
14. Upgrade the Access Manager Authorization Server package:
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault PDAcld

where /cdrom/cdrom0/solaris specifies the location of the package, /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script, and PDAcld is the Access Manager Application Development Kit package.
15. Upgrade the session management command line package:
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault PDSMSCLI

where /cdrom/cdrom0/solaris specifies the location of the package, /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script, and PDSMSCLI is the Access Manager Application Development Kit package.
16. If the two-system upgrade option was used for the policy server, the master-host record must be updated to point to the new policy server.
Note: The two-system upgrade option can only be used if the registry server is an LDAP server.
Edit the master-host entry in the following configuration files:
- /opt/PolicyDirector/etc/pd.conf
- /opt/PolicyDirector/etc/ivacld.conf
The upgrade of a session management command line system on Solaris is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.
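One way to make the master-host edit repeatable and verifiable, as an added example that is not part of the IBM guide. The function names, the .before-master-host copy and the "key = value" entry form are assumptions, and the sample file in the demo is constructed.

```shell
#!/bin/sh
# Added example, not IBM code. Assumption: configuration entries use the
# "key = value" form, for example "master-host = pdmgr.example.com".

# get_master_host FILE -> prints the first uncommented master-host value
get_master_host() {
    awk -F= '/^[ \t]*master-host[ \t]*=/ { gsub(/[ \t\r]/, "", $2); print $2; exit }' "$1"
}

# set_master_host FILE NEW_HOST
# Returns 0 on success, 1 on bad input or I/O error, 2 if FILE has no entry.
set_master_host() {
    conf=$1
    new_host=$2
    if [ ! -f "$conf" ]; then
        echo "no such file: $conf" >&2; return 1
    fi
    # Allow only host-name or IP-literal characters so the value cannot carry
    # spaces, newlines or stanza syntax into the file.
    case $new_host in
        ''|*[!A-Za-z0-9.:-]*) echo "invalid host: $new_host" >&2; return 1 ;;
    esac
    if ! grep -Eq '^[[:space:]]*master-host[[:space:]]*=' "$conf"; then
        echo "no master-host entry in $conf" >&2; return 2
    fi
    # Keep the first pre-change copy; never overwrite it on a re-run.
    keep=$conf.before-master-host
    if [ ! -e "$keep" ]; then
        cp -p "$conf" "$keep" || return 1
    fi
    tmp=$conf.tmp.$$
    awk -v host="$new_host" '
        /^[ \t]*master-host[ \t]*=/ { print "master-host = " host; next }
        { print }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write back with cat rather than mv so the file keeps its owner and mode.
    cat "$tmp" > "$conf" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
    # Succeed only if the file now reports the requested host.
    [ "$(get_master_host "$conf")" = "$new_host" ]
}

# Demo on a constructed file (stanza name and port are sample values):
#   sh this_script demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    printf '[manager]\nmaster-host = oldpd.example.com\nmaster-port = 7135\n' > "$d/pd.conf"
    set_master_host "$d/pd.conf" newpd.example.com && cat "$d/pd.conf"
    rm -rf "$d"
fi
```

Run it once per file named in the step, then compare each file with its .before-master-host copy to confirm that only the master-host line changed.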


Windows: Upgrading the session management command line


To upgrade a session management command line system on Windows, complete the following instructions:
1. Before upgrading the session management command line to 6.1.1, review the considerations in Upgrade considerations on page 237.
2. Log in as a user with administrative privileges.
3. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
4. Insert the IBM Tivoli Access Manager Shared Session Management for Windows CD.
5. Exit all running programs. During the upgrade process, you are prompted to restart your Windows system periodically.
6. Stop all Tivoli Access Manager applications and services. For example, on Windows 2003 systems, select Start > Control Panel > Administrative Tools. Double-click the Services icon, and stop all Tivoli Access Manager services running on the local system, including applications, such as WebSEAL. From Services, find the Access Manager Auto-Start Service. Double-click this service and change the startup type to Disabled.
7. Use the pdbackup utility to back up critical Tivoli Access Manager information:
"C:\Program Files\bin\pdbackup" -action backup -list fullpath_to_backup_listfile -path path -file filename

where:
-list fullpath_to_backup_listfile
Where fullpath_to_backup_listfile specifies the fully qualified path to the list file. There are two backup list files to back up: the Tivoli Access Manager backup list file and the Session Management Server Command Line backup list file. For example:
- The Tivoli Access Manager backup list file:
"C:\Program Files\Tivoli\Policy Director\etc\pdbackup.lst"

- The Session Management Server Command Line backup list file:


"C:\Program Files\Tivoli\pdsms\etc\pdinfo-pdsmscli.lst"

-list fullpath_to_backup_listfile
Specifies the fully qualified path to the backup list file. For example:
-path path
Specifies the path where you want the backed up files to be stored. For example:
"C:\Program Files\Tivoli\Policy Director\pdbackup"

-file filename
Specifies a file name other than the list_date.time [.dar] default file name.
For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.
8. Install the Global Security Kit (GSKit). To do so, change to the \windows\GSKit directory on the drive where the CD is located and enter:
setup policydirector


Follow online instructions to complete installation.
9. If you are using an LDAP server as your registry, install the Tivoli Directory Server client by running the install_tds.exe file in windows\tds (if necessary). Select to install C Client 6.1 and follow the online instructions to complete the installation.
Note: If you are using Domino or Active Directory as your registry and the Tivoli Access Manager systems in your domain are Windows-based, the Tivoli Directory Server client is not required.
10. Install the security utilities by running the setup.exe script in the \windows\TivSecUtl\Disk Images\Disk1 directory. Follow the online instructions to complete the installation.
11. Install the components by running the setup.exe script in the \windows\PolicyDirector\Disk Images\Disk1 directory. Select to install the following components in this sequence:
- Access Manager License
- Access Manager Runtime
- Access Manager Authorization Server
- Access Manager Session Management Command Line
Follow online instructions to complete installation.
Note: You are prompted to restart your system during this process.
12. Start all Tivoli Access Manager applications and services. For example, on Windows 2003 systems, select Start > Control Panel > Administrative Tools, and then double-click the Services icon. Start all Tivoli Access Manager services running on the local system, including applications, such as WebSEAL. From Services, find the Access Manager Auto-Start Service. Double-click this service and change the startup type to Automatic.
13. If the two-system upgrade option was used for the policy server, the master-host record must be updated to point to the new policy server.
Note: The two-system upgrade option can only be used if the registry server is an LDAP server.
Edit the master-host entry in the following configuration files:
- install_path/etc/pd.conf
- install_path/etc/ivacld.conf
The upgrade of a development system on Windows is now complete.
Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.


Chapter 12. Upgrading the session management Web interface


The session management server Integrated Solutions Console replaces the session management Web interface in Tivoli Access Manager 6.1. There is no upgrade path for the session management Web interface. The session management server Integrated Solutions Console is a graphical user interface that resides on the WebSphere Application Server, and is installed as an extension to the WebSphere ISC. See IBM Tivoli Access Manager for e-business: Installation Guide and IBM Tivoli Access Manager for e-business: Shared Session Management Administration Guide for more information about the session management server Integrated Solutions Console.


Chapter 13. Upgrading a plug-in for Web servers


To upgrade a Web Server plug-in, complete the following instructions:
Attention: Upgrade the session management server before upgrading WebSEAL and Web Plug-in servers. See Chapter 10, Upgrading the session management server, on page 217 for more information.
1. Log in as root or as an administrative user.
2. Install all of the operating system patches that are required by Tivoli Access Manager 6.1.1. For required operating system patches, see the IBM Tivoli Access Manager for e-business: Release Notes.
3. Ensure that the policy server for the secure domain is upgraded to version 6.1.1. For instructions, see Chapter 3, Upgrading the policy server, on page 17.
4. Confirm that the policy server is running:
pd_start status

5. Make sure that you can contact the policy server. For example, log in to the pdadmin interface and run the following commands:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

If you cannot log in, do not proceed with the upgrade of the Web Server plug-in. Resolve the login problem before continuing.
6. Stop the Web server and any Tivoli Access Manager services that are running on the system.
On Linux and UNIX operating systems, enter the following command:
pd_start stop

Or on Windows:
For example, on Windows 2003 systems, select Start > Control Panel > Administrative Tools. Double-click the Services icon, and stop the services.
7. Confirm that all Tivoli Access Manager services and applications are stopped.
On Linux and UNIX operating systems, enter the following command:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

Or on Windows:
For example, on Windows 2003 systems, select Start > Control Panel > Administrative Tools. Double-click the Services icon, and verify that the services are stopped.
8. Use the pdbackup utility to back up critical Tivoli Access Manager information.
For UNIX or Linux:
/opt/PolicyDirector/bin/pdbackup -action backup -list /opt/PolicyDirector/etc/pdbackup.lst -path path -file filename

Or for Windows:


"C:\Program Files\Tivoli\Policy Director\bin\pdbackup" -action backup -list "C:\Program Files\Tivoli\Policy Director\etc\pdbackup.lst" -path path -file filename

where:
-path path
Specifies the path where you want the backed up files to be stored.
For UNIX or Linux:
/var/PolicyDirector/pdbackup

For Windows:
"C:\Program Files\Tivoli\Policy Director\pdbackup"

-file filename
Specifies a file name other than the list_date.time [.tar] or [.zip] default file name.
For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.
9. Install the Web Server plug-in and other prerequisite components using either the installation wizard or a native installation utility. Configuration of Tivoli Access Manager components during the upgrade process is not necessary. For installation instructions, see the IBM Tivoli Access Manager for e-business: Installation Guide.
The prerequisite components include:
- Global Security Kit
- IBM Tivoli Directory Server (depending on the user registry used)
- Tivoli Security Utilities
- Access Manager License
- Access Manager Runtime
- Access Manager Web Security Runtime
- Access Manager WebSEAL
- Access Manager Plug-in for Web Servers
- One of the following plug-ins (depending on the Web server used):
   Access Manager Plug-in for Apache Web Server
   Access Manager Plug-in for HTTP Server
   Access Manager Plug-in for Internet Information Services
   Access Manager Plug-in for Sun Java System Web Server
10. If the two-system upgrade option was used for the policy server, the master-host record must be updated to point to the new policy server.
Note: The two-system upgrade option can only be used if the registry server is an LDAP server.
Edit the master-host entry in each of the following configuration files:
- Access Manager Runtime
install_path/etc/pd.conf

- Access Manager Plug-in for Web Servers


install_path/etc/pdwebpi.conf

11. Start the Web server plug-in process.
On Linux and UNIX operating systems, enter the following command:
pd_start start

Or on Windows:


For example, on Windows 2003 systems, select Start > Control Panel > Administrative Tools. Double-click the Services icon, and start the service.
12. Confirm that the Web server is running.
On Linux and UNIX operating systems, enter the following command:
pd_start status

Or on Windows:
For example, on Windows 2003 systems, select Start > Control Panel > Administrative Tools. Double-click the Services icon, and verify that the service is running.
13. Make sure that you can contact the policy server. For example, log in to the pdadmin interface and run a command:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

The upgrade of the Web server plug-in is now complete. Ensure that you perform any necessary application-specific tasks before starting Tivoli Access Manager applications.


Chapter 14. Upgrading Web Portal Manager


Upgrade of a previous Web Portal Manager system is not supported. You must install Web Portal Manager 6.1.1. For instructions, see the IBM Tivoli Access Manager for e-business: Installation Guide.


Chapter 15. Restoring a system to its prior level


If problems occur when upgrading to Tivoli Access Manager 6.1.1 from a previous version, this section describes how to restore these types of Tivoli Access Manager systems:
- Policy server
- WebSEAL

Restoring the policy server


The following platform-specific instructions are provided:
- AIX: Restoring the policy server
- HP-UX: Restoring the policy server on page 260
- HP-UX on Integrity: Restoring the policy server on page 261
- Linux on x86: Restoring the policy server on page 262
- Linux on POWER: Restoring the policy server on page 264
- Linux on System z: Restoring the policy server on page 263
- Solaris: Restoring the policy server on page 265
- Solaris on x86_64: Restoring the policy server on page 266
- Windows: Restoring the policy server on page 267

AIX: Restoring the policy server


If you encounter a problem when migrating to Tivoli Access Manager 6.1.1, you might need to restore the system to its prior level.
Notes:
- If you encounter a problem during the backup of existing data, contact Tivoli Support for assistance before continuing with the upgrade process.
- For supported operating system information, required patches and fix pack information for Tivoli Access Manager 6.1.1, see the IBM Tivoli Access Manager for e-business: Release Notes.
To restore the policy server on AIX, follow these steps.
1. Stop all Tivoli Access Manager applications and services:
pd_start stop

2. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

Caution: If your backup file is in the opt or var directory, move it out of the directory or it will be deleted when you perform step 3 on page 260.


3. Remove (do not unconfigure) the Access Manager Policy Director 6.1.1 component and prerequisite packages. Follow these steps:
   a. Enter: rm -rf /opt/PolicyDirector/.configure/*
   b. Enter: rm /opt/PolicyDirector/etc/pd.conf
   c. Enter: installp -u -g packages
   Note: Use the -g option only if you want dependent software for the specified package removed.
   where packages are the following:
   - Access Manager Policy Server (PD.Mgr)
   - Access Manager Runtime (PD.RTE)
   - Access Manager License (PD.lic)
   - Tivoli Security Utilities (TivSec.Utl)
4. Use your previous version CDs and install the policy server system, which includes the prerequisite components such as the Global Security Kit, Tivoli Directory Server client, and Access Manager Runtime. For instructions, see the IBM Tivoli Access Manager for e-business: Installation Guide for your particular version.
5. Apply any Tivoli Access Manager fix pack that was on the system prior to the upgrade to version 6.1.1.
6. To restore your previous data, issue the pdbackup -action restore option using the archive from the pdbackup that you used originally to back up your data.
Note: For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.
7. Start the policy server daemon (pdmgrd):
pd_start start
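The Caution in this procedure is easy to trip over because the example backup path used elsewhere in this guide, /var/PolicyDirector/pdbackup, is under var. The following added example (not IBM code) checks where an archive really lives, following symbolic links, and moves it with checksum verification before the removal step; reading "the opt or var directory" as /opt/PolicyDirector and /var/PolicyDirector is an assumption, as are the function names.

```shell
#!/bin/sh
# Added example, not IBM code. Assumption: the trees emptied by the removal
# step are the product directories below; override PD_ROOTS if yours differ.
PD_ROOTS=${PD_ROOTS:-"/opt/PolicyDirector /var/PolicyDirector"}

# real_dir DIR -> prints DIR as an absolute path with symbolic links resolved
real_dir() {
    ( cd "$1" 2>/dev/null && pwd -P )
}

# dir_at_risk DIR -> 0 if DIR is inside a product tree, 1 if not,
# 2 if DIR cannot be resolved
dir_at_risk() {
    dir=$(real_dir "$1") || return 2
    for root in $PD_ROOTS; do
        real_root=$(real_dir "$root") || continue
        case $dir/ in
            "$real_root"/*) return 0 ;;
        esac
    done
    return 1
}

# archive_at_risk FILE -> 0 if the removal step could delete FILE, 1 if FILE
# is outside the product trees, 2 if FILE does not exist
archive_at_risk() {
    [ -f "$1" ] || return 2
    # A symbolic link may point into a product tree; treat it as at risk.
    [ -L "$1" ] && return 0
    dir_at_risk "$(dirname "$1")"
}

# move_archive_to_safety FILE DEST_DIR -> copies FILE to DEST_DIR, verifies
# the copy by checksum, removes the original and prints the new path
move_archive_to_safety() {
    src=$1
    dest_dir=$2
    [ -f "$src" ] || return 2
    rc=0
    dir_at_risk "$dest_dir" || rc=$?
    if [ "$rc" -ne 1 ]; then
        echo "destination missing or inside a product tree: $dest_dir" >&2
        return 1
    fi
    dest=$dest_dir/$(basename "$src")
    if [ -e "$dest" ]; then
        echo "refusing to overwrite $dest" >&2
        return 1
    fi
    cp -p "$src" "$dest" || return 1
    if [ "$(cksum < "$src")" = "$(cksum < "$dest")" ]; then
        rm -f "$src"
        printf '%s\n' "$dest"
    else
        rm -f "$dest"
        echo "checksum mismatch, original left in place" >&2
        return 1
    fi
}

# Usage: sh this_script check /path/to/archive
if [ "${1:-}" = "check" ] && [ -n "${2:-}" ]; then
    if archive_at_risk "$2"; then
        echo "AT RISK: move $2 before removing packages"
    else
        echo "not under: $PD_ROOTS (or file not found)"
    fi
fi
```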

HP-UX: Restoring the policy server


If you encounter a problem when migrating to Tivoli Access Manager 6.1.1, you might need to restore the system to its prior level.
Notes:
- If you encounter a problem during the backup of existing data, contact Tivoli Support for assistance before continuing with the upgrade process.
- For supported operating system information, required patches and fix pack information for Tivoli Access Manager 6.1.1, see the IBM Tivoli Access Manager for e-business: Release Notes.
To restore the policy server on HP-UX, follow these steps.
1. Stop all Tivoli Access Manager applications and services:
pd_start stop

2. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id


Caution: If your backup file is in the opt or var directory, move it out of the directory or it will be deleted when you perform step 3.
3. Remove (do not unconfigure) the Access Manager 6.1.1 component and prerequisite packages. Follow these steps:
   a. Enter: rm -rf /opt/PolicyDirector/.configure/*
   b. Enter: rm /opt/PolicyDirector/etc/pd.conf
   c. Enter: swremove -x enforce_dependencies=false packages
   where packages are the following Tivoli Access Manager 6.1.1 packages:
   - Access Manager Policy Server (PDMgr)
   - Access Manager Runtime (PDRTE)
   - Access Manager License (PDlic)
   - Tivoli Security Utilities (TivSecUtl)
   A prompt is displayed indicating the pre-remove script is being run. Each file is listed as it is removed.
4. Use your previous version CDs and install the prerequisite components for the policy server, such as the Global Security Kit, Tivoli Directory Server client, and Access Manager Runtime. For instructions, see the IBM Tivoli Access Manager for e-business: Installation Guide for your particular version.
5. Apply any Tivoli Access Manager fix pack that was on the system prior to the upgrade to version 6.1.1.
6. To restore your previous data, issue the pdbackup -action restore option using the archive from the pdbackup you used originally to back up your data.
Note: For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.
7. Start the policy server daemon (pdmgrd):
pd_start start

HP-UX on Integrity: Restoring the policy server


If you encounter a problem when migrating to Tivoli Access Manager 6.1.1, you might need to restore the system to its prior level.
Notes:
- If you encounter a problem during the backup of existing data, contact Tivoli Support for assistance before continuing with the upgrade process.
- For supported operating system information, required patches and fix pack information for Tivoli Access Manager 6.1.1, see the IBM Tivoli Access Manager for e-business: Release Notes.
To restore the policy server on HP-UX on Integrity, follow these steps.
1. Stop all Tivoli Access Manager applications and services:
pd_start stop

2. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id

Caution: If your backup file is in the opt or var directory, move it out of the directory or it will be deleted when you perform step 3.
3. Remove (do not unconfigure) the Access Manager 6.1.1 component and prerequisite packages. Follow these steps:
   a. Enter: rm -rf /opt/PolicyDirector/.configure/*
   b. Enter: rm /opt/PolicyDirector/etc/pd.conf
   c. Enter: swremove -x enforce_dependencies=false packages
   where packages are the following Tivoli Access Manager 6.1.1 packages:
   - Access Manager Policy Server (PDMgr)
   - Access Manager Runtime (PDRTE)
   - Access Manager License (PDlic)
   - Tivoli Security Utilities (TivSecUtl)
   A prompt is displayed indicating the pre-remove script is being run. Each file is listed as it is removed.
4. Use your previous version CDs and install the prerequisite components for the policy server, such as the Global Security Kit, Tivoli Directory Server client, and Access Manager Runtime. For instructions, see the IBM Tivoli Access Manager for e-business: Installation Guide for your particular version.
5. Apply any Tivoli Access Manager fix pack that was on the system prior to the upgrade to version 6.1.1.
6. To restore your previous data, issue the pdbackup -action restore option using the archive from the pdbackup you used to originally back up your data.
Note: For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.
7. Start the policy server daemon (pdmgrd):
pd_start start

Linux on x86: Restoring the policy server


If you encounter a problem when migrating to Tivoli Access Manager 6.1.1, you might need to restore the system to its prior level.
Notes:
- If you encounter a problem during the backup of existing data, contact Tivoli Support for assistance before continuing with the upgrade process.
- For supported operating system information, required patches and fix pack information for Tivoli Access Manager 6.1.1, see the IBM Tivoli Access Manager for e-business: Release Notes.
To restore the policy server for Linux on x86, follow these steps.
1. Stop all Tivoli Access Manager applications and services:
pd_start stop

2. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id


Caution: If your backup file is in the opt or var directory, move it out of the directory or it will be deleted when you perform step 3.
3. Remove (do not unconfigure) the Access Manager Policy Director 6.1.1 component and prerequisite packages. To do so, from the command line:
   a. Enter: rm -rf /opt/PolicyDirector/.configure/*
   b. Enter: rm /opt/PolicyDirector/etc/pd.conf
   c. Enter: rpm -e packages
   where packages are the following:
   - Access Manager Policy Server (PDMgr-PD-6.1.1-0)
   - Access Manager Runtime (PDRTE-PD-6.1.1-0)
   - Access Manager License (PDlic-PD-6.1.1-0)
   - Tivoli Security Utilities (TivSecUtl-TivSec-6.1.1-0)
4. Use your previous version CDs and install the prerequisite components for the policy server, such as the Global Security Kit, Tivoli Directory Server client, and Access Manager Runtime. For instructions, see the IBM Tivoli Access Manager for e-business: Installation Guide for your particular version.
5. Apply any Tivoli Access Manager fix pack that was on the system prior to the upgrade to version 6.1.1.
6. To restore your previous data, issue the pdbackup -action restore option using the archive from the pdbackup you used to originally back up your data.
Note: For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.
7. Start the policy server daemon (pdmgrd):
pd_start start

Linux on System z: Restoring the policy server


If you encounter a problem when migrating to Tivoli Access Manager 6.1.1, you might need to restore the system to its prior level.
Notes:
- If you encounter a problem during the backup of existing data, contact Tivoli Support for assistance before continuing with the upgrade process.
- For supported operating system information, required patches and fix pack information for Tivoli Access Manager 6.1.1, see the IBM Tivoli Access Manager for e-business: Release Notes.
To restore the policy server for Linux on System z, follow these steps.
1. Stop all Tivoli Access Manager applications and services:
pd_start stop

2. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id


Caution: If your backup file is in the opt or var directory, move it out of the directory or it will be deleted when you perform step 3.
3. Remove (do not unconfigure) the Access Manager 6.1.1 component and prerequisite packages. To do so, from the command line:
   a. Enter: rm -rf /opt/PolicyDirector/.configure/*
   b. Enter: rm /opt/PolicyDirector/etc/pd.conf
   c. Enter: rpm -e --noscripts packages
   where packages are the following:
   - Access Manager Policy Server (PDMgr-PD-6.1.1-0)
   - Access Manager Runtime (PDRTE-PD-6.1.1-0)
   - Access Manager License (PDlic-PD-6.1.1-0)
   - Tivoli Security Utilities (TivSecUtl-TivSec-6.1.1-0)
4. Use your previous version CDs and install the policy server system, which includes the prerequisite components such as the Global Security Kit, Tivoli Directory Server client, and Access Manager Runtime. For instructions, see the IBM Tivoli Access Manager for e-business: Installation Guide for your particular version.
5. Apply any Tivoli Access Manager fix pack that was on the system prior to the upgrade to version 6.1.1.
6. To restore your previous data, issue the pdbackup -action restore option using the archive from the pdbackup you used to originally back up your data.
7. Start the policy server daemon (pdmgrd):
pd_start start

Linux on POWER: Restoring the policy server


If you encounter a problem when migrating to Tivoli Access Manager 6.1.1, you might need to restore the system to its prior level.
Notes:
- If you encounter a problem during the backup of existing data, contact Tivoli Support for assistance before continuing with the upgrade process.
- For supported operating system information, required patches and fix pack information for Tivoli Access Manager 6.1.1, see the IBM Tivoli Access Manager for e-business: Release Notes.
To restore the policy server for Linux on POWER, follow these steps.
1. Stop all Tivoli Access Manager applications and services:
pd_start stop

2. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id


Caution: If your backup file is in the opt or var directory, move it out of the directory or it will be deleted when you perform step 3.
3. Remove (do not unconfigure) the Access Manager Policy Director 6.1.1 component and prerequisite packages. To do so, from the command line:
   a. Enter: rm -rf /opt/PolicyDirector/.configure/*
   b. Enter: rm /opt/PolicyDirector/etc/pd.conf
   c. Enter: rpm -e packages
   where packages are the following:
   - Access Manager Policy Server (PDMgr-PD-6.1.1-0)
   - Access Manager Runtime (PDRTE-PD-6.1.1-0)
   - Access Manager License (PDlic-PD-6.1.1-0)
   - Tivoli Security Utilities (TivSecUtl-TivSec-6.1.1-0)
4. Use your previous version CDs and install the prerequisite components for the policy server, such as the Global Security Kit, Tivoli Directory Server client, and Access Manager Runtime. For instructions, see the IBM Tivoli Access Manager for e-business: Installation Guide for your particular version.
5. Apply any Tivoli Access Manager fix pack that was on the system prior to the upgrade to version 6.1.1.
6. To restore your previous data, issue the pdbackup -action restore option using the archive from the pdbackup you used to originally back up your data.
Note: For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.
7. Start the policy server daemon (pdmgrd):
pd_start start

Solaris: Restoring the policy server


If you encounter a problem when migrating to Tivoli Access Manager 6.1.1, you might need to restore the system to its prior level.
Notes:
- If you encounter a problem during the backup of existing data, contact Tivoli Support for assistance before continuing with the upgrade process.
- For supported operating system information, required patches and fix pack information for Tivoli Access Manager 6.1.1, see the IBM Tivoli Access Manager for e-business: Release Notes.
To restore the policy server on Solaris, follow these steps.
1. Stop all Tivoli Access Manager applications and services:
pd_start stop

2. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:
kill -9 daemon_process_id


Caution: If your backup file is in the opt or var directory, move it out of the directory or it will be deleted when you perform step 3.
3. Remove (do not unconfigure) the Access Manager Policy Server 6.1.1 component and prerequisite packages. To do so, from the command line:
   a. Enter: rm -rf /opt/PolicyDirector/.configure/*
   b. Enter: rm /opt/PolicyDirector/etc/pd.conf
   c. Enter: pkgrm packages
   where packages are the following:
   - Access Manager Policy Server (PDMgr)
   - Access Manager Runtime (PDRTE)
   - Access Manager License (PDlic)
   - Tivoli Security Utilities (TivSecUtl)
   Note: When prompted to confirm the removal of these components, enter y.
4. Use your previous version CDs and install the policy server system, which includes the prerequisite components such as the Global Security Kit, Tivoli Directory Server client, and Access Manager Runtime. For instructions, see the IBM Tivoli Access Manager for e-business: Installation Guide for your particular version.
5. Apply any Tivoli Access Manager fix pack that was on the system prior to the upgrade to version 6.1.1.
6. To restore your previous data, issue the pdbackup -action restore option using the archive from the pdbackup you used to originally back up your data.
Note: For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.
7. Start the policy server daemon (pdmgrd):
pd_start start

Solaris on x86_64: Restoring the policy server


If you encounter a problem when migrating to Tivoli Access Manager 6.1.1, you might need to restore the system to its prior level.
Notes:
- If you encounter a problem during the backup of existing data, contact Tivoli Support for assistance before continuing with the upgrade process.
- For supported operating system information, required patches and fix pack information for Tivoli Access Manager 6.1.1, see the IBM Tivoli Access Manager for e-business: Release Notes.
To restore the policy server on Solaris on x86_64, follow these steps.
1. Stop all Tivoli Access Manager applications and services:
pd_start stop

2. Confirm that all Tivoli Access Manager services and applications are stopped:
pd_start status

If any Tivoli Access Manager service or application is still running, issue the kill command:

kill -9 daemon_process_id

Caution: If your backup file is in the opt or var directory, move it out of the directory or it will be deleted when you perform step 3.
3. Remove (do not unconfigure) the Access Manager Policy Server 6.1.1 component and prerequisite packages. To do so, from the command line:
   a. Enter: rm -rf /opt/PolicyDirector/.configure/*
   b. Enter: rm /opt/PolicyDirector/etc/pd.conf
   c. Enter: pkgrm packages
      where packages are the following:
      • Access Manager Policy Server (PDMgr)
      • Access Manager Runtime (PDRTE)
      • Access Manager License (PDlic)
      • Tivoli Security Utilities (TivSecUtl)
      Note: When prompted to confirm the removal of these components, enter y.
4. Use your previous version CDs and install the policy server system, which includes the prerequisite components such as the Global Security Kit, Tivoli Directory Server client, and Access Manager Runtime. For instructions, see the IBM Tivoli Access Manager for e-business: Installation Guide for your particular version.
5. Apply any Tivoli Access Manager fix pack that was on the system prior to the upgrade to version 6.1.1.
6. To restore your previous data, issue the pdbackup -action restore option using the archive from the pdbackup you used to originally back up your data.
   Note: For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.
7. Start the policy server daemon (pdmgrd):
pd_start start
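
The Caution before step 3 matters in practice because the example archives in this chapter sit in /var/PolicyDirector/pdbackup, which is under var. The following shell functions are an added example, not part of the IBM guide: they detect an archive under the directories the Caution names, copy it to a safe directory with owner-only permissions, and record a checksum to re-check before running pdbackup -action restore. PROTECTED_ROOTS and all function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not IBM code. PROTECTED_ROOTS and the function names are
# assumptions made for this sketch.

# Directory trees the Caution says are cleared by the removal step.
PROTECTED_ROOTS=${PROTECTED_ROOTS:-"/opt /var"}

# Print the physical (symlink-free) path of an existing directory.
real_dir() {
    (cd "$1" 2>/dev/null && pwd -P)
}

# 0 if the directory is inside a protected root, 1 if not, 2 if it is missing.
dir_is_protected() {
    d=$(real_dir "$1") || return 2
    for root in $PROTECTED_ROOTS; do
        r=$(real_dir "$root") || continue
        case "$d/" in
            "$r"/*) return 0 ;;
        esac
    done
    return 1
}

# 0 if the archive would be deleted by the removal step.
archive_at_risk() {
    [ -f "$1" ] || return 2
    dir_is_protected "$(dirname "$1")"
}

# Copy the archive to dest_dir (created owner-only), confirm the copy is
# byte-identical, record its checksum, and print the staged path.
stage_archive() {
    src=$1
    dest_dir=$2
    [ -f "$src" ] || { echo "archive not found: $src" >&2; return 2; }
    (umask 077 && mkdir -p "$dest_dir") || return 3
    if dir_is_protected "$dest_dir"; then
        echo "destination $dest_dir is also under: $PROTECTED_ROOTS" >&2
        return 4
    fi
    staged=$dest_dir/$(basename "$src")
    cp "$src" "$staged" && chmod 600 "$staged" || return 5
    cmp -s "$src" "$staged" || { echo "copy differs from source" >&2; return 6; }
    cksum < "$staged" > "$staged.cksum"
    echo "$staged"
}

# Run before "pdbackup -action restore -file <staged path>": succeeds only
# if the staged archive still matches the checksum recorded at staging time.
verify_staged() {
    [ -f "$1" ] && [ -f "$1.cksum" ] || return 2
    [ "$(cksum < "$1")" = "$(cat "$1.cksum")" ]
}

# Usage: sh stage_pdbackup.sh ARCHIVE SAFE_DIR
if [ $# -eq 2 ]; then
    if archive_at_risk "$1"; then
        stage_archive "$1" "$2"
    else
        echo "$1 is not under: $PROTECTED_ROOTS (or was not found)" >&2
    fi
fi
```

The cksum value only detects accidental change or truncation of the staged copy; it is not a cryptographic integrity check.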

Windows: Restoring the policy server


If you encounter a problem when migrating to Tivoli Access Manager 6.1.1, you might need to restore the system to its prior level.

Notes:
• If you encounter a problem during the backup of existing data, contact Tivoli Support for assistance before continuing with the upgrade process.
• For supported operating system information, required patches and fix pack information for Tivoli Access Manager 6.1.1, see the IBM Tivoli Access Manager for e-business: Release Notes.

To restore the policy server on Windows, follow these steps.
1. Stop all Tivoli Access Manager applications and services. For example, on Windows 2003 systems, select Start > Control Panel > Administrative Tools. Double-click the Services icon, and stop all Tivoli Access Manager services running on the local system, including applications, such as WebSEAL. From Services, find the Access Manager Auto-Start Service. Double-click this service and change the startup type to Disabled.
Caution: If your backup file is in the Tivoli Access Manager installation directory, move it out of the directory or it will be deleted when you perform step 2.
2. Use the following procedure to remove (do not unconfigure) the following Access Manager Policy Server 6.1.1 components and prerequisite packages:
   a. Select Start > Run, type regedit in the entry field, and then click OK to open the registry.
   b. Click My Computer HKEY_LOCAL_MACHINE Tivoli Policy Director Runtime 6.1.1.
   c. Change the configuration value from Yes to No.
   d. Click My Computer HKEY_LOCAL_MACHINE Tivoli Policy Director Management Server 6.1.1.
   e. Change the configuration value from Yes to No.
   f. Delete the pd.conf file from the install_path\etc directory. For example:
C:\Program Files\Tivoli\Policy Director\etc\pd.conf

   g. Log in as a Windows user with administrator privilege.
   h. Remove the following components. For example, for Windows 2003, click Start > Control Panel and double-click the Add/Remove Programs icon.
      • Access Manager Policy Server
      • Access Manager Runtime
      • Access Manager License
      • Tivoli Security Utilities
   i. Select another component from the list and continue the process until all the components have been removed.
   j. Click OK to exit the program.
3. Use your previous version CDs and install the policy server system, which includes the prerequisite components such as the Global Security Kit, Tivoli Directory Server client, and Access Manager Runtime. For instructions, see the IBM Tivoli Access Manager for e-business: Installation Guide for your particular version. Install by running the setup.exe script in the \windows\PolicyDirector\Disk Images\Disk1 directory. Select the components, and then follow the online instructions to complete the installation in order.
4. Apply any Tivoli Access Manager fix pack that was on the system prior to the upgrade to version 6.1.1.
5. To restore your previous data, issue the pdbackup -action restore option using the archive from the pdbackup you used to originally back up your data.
   Note: For more information about the pdbackup utility, see Appendix A, Upgrade utilities, on page 281.
6. Start all Tivoli Access Manager applications and services. For example, on Windows 2003 systems, select Start > Control Panel > Administrative Tools, and then double-click the Services icon. Start all Tivoli Access Manager services running on the local system, including applications, such as WebSEAL. From Services, find the Access Manager Auto-Start Service. Double-click this service and change the startup type to Automatic.

Restoring WebSEAL
Use this procedure for all supported versions of LDAP, Domino, and Active Directory registries. The following platform-specific instructions are provided:
• AIX: Restoring WebSEAL
• HP-UX: Restoring WebSEAL
• HP-UX on Integrity: Restoring WebSEAL
• Linux on x86: Restoring WebSEAL
• Linux on System z: Restoring WebSEAL
• Solaris: Restoring WebSEAL
• Solaris on x86_64: Restoring WebSEAL
• Windows: Restoring WebSEAL

AIX: Restoring WebSEAL


If you encounter a problem when migrating WebSEAL to Tivoli Access Manager 6.1.1, you might need to restore the system to its prior level. These steps apply to LDAP, Domino, and Active Directory registries for all supported upgrade versions of Tivoli Access Manager.

Notes:
• If you encounter a problem during the backup of existing data, contact Tivoli Support for assistance before continuing with the upgrade process.
• For supported operating system information, required patches and fix pack information for Tivoli Access Manager 6.1.1, see the IBM Tivoli Access Manager for e-business: Release Notes.

To restore WebSEAL on AIX, follow these steps.
1. Stop all Tivoli Access Manager applications and services:
pd_start stop

2. Remove (do not unconfigure) the Access Manager WebSEAL 6.1.1 component and prerequisite packages. To do so, from the command line:
   a. Enter: rm -rf /opt/PolicyDirector/.configure/*
   b. Enter: rm /opt/PolicyDirector/etc/pd.conf
   c. Enter: rm -rf /opt/pdweb/.configure
   d. Enter: installp -u -g packages
      Note: Use the -g option only if you want dependent software for the specified package removed.
      where packages are the following:
      • Access Manager WebSEAL (PDWeb.Web)
      • Access Manager Web Security Runtime (PDWeb.RTE)
      • Access Manager Runtime (PD.RTE)
      • Access Manager License (PD.lic)
      • Tivoli Security Utilities (TivSec.Utl)
3. Use your previous version CDs and install the prerequisite components for WebSEAL, such as the Global Security Kit, Tivoli Directory Server client, and Access Manager Runtime.
4. Use the pdbackup -action restore option to restore the base files that you backed up before upgrading.
On Linux and UNIX operating systems, the default backup file name is list_file_ddmmmyyyy.hh_mm.tar. For example, for Access Manager Runtime:
/opt/PolicyDirector/bin/pdbackup -action restore -file /var/PolicyDirector/pdbackup/51to61rtebackup.lst_17oct2005.10_27.tar

5. Use pdadmin to verify that your previous version of the runtime environment is restored successfully. For example:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

6. Install the previous version of Access Manager WebSEAL and WebSEAL instance servers (PDWeb.Web).
7. Use the pdbackup -action restore option to restore the WebSEAL files that you backed up before upgrading. On Linux and UNIX operating systems, the default backup file name is list_file_ddmmmyyyy.hh_mm.tar. For example, for default WebSEAL and WebSEAL instance files:
/opt/PolicyDirector/bin/pdbackup -action restore -file /var/PolicyDirector/pdbackup/51to61websealbackup.lst_17oct2005.11_48.tar

8. Start WebSEAL and the WebSEAL instances. For example, to start the default WebSEAL:
pdweb start instance

Or, to start a WebSEAL instance:


pdweb start instance-name

This completes the restoration of your previous WebSEAL version.

HP-UX: Restoring WebSEAL


If you encounter a problem when migrating WebSEAL to Tivoli Access Manager 6.1.1, you might need to restore the system to its prior level. These steps apply to LDAP, Domino, and Active Directory registries for all supported upgrade versions of Tivoli Access Manager.

Notes:
• If you encounter a problem during the backup of existing data, contact Tivoli Support for assistance before continuing with the upgrade process.
• For supported operating system information, required patches and fix pack information for Tivoli Access Manager 6.1.1, see the IBM Tivoli Access Manager for e-business: Release Notes.

To restore WebSEAL on HP-UX, follow these steps.
1. Stop all Tivoli Access Manager applications and services:
pd_start stop

2. Remove (do not unconfigure) the Access Manager WebSEAL 6.1.1 component and prerequisite packages. To do so, from the command line:
   a. Enter: rm -rf /opt/PolicyDirector/.configure/*
   b. Enter: rm /opt/PolicyDirector/etc/pd.conf
   c. Enter: rm -rf /opt/pdweb/.configure
   d. Enter: swremove -x enforce_dependencies=false packages
      where packages are the following Tivoli Access Manager 6.1.1 packages:
      • Access Manager WebSEAL (PDWeb)
      • Access Manager Web Security Runtime (PDWebRTE)

      • Access Manager Runtime (PDRTE)
      • Access Manager License (PDlic)
      • Tivoli Security Utilities (TivSecUtl)
      A prompt is displayed indicating the pre-remove script is being run. Each file is listed as it is removed.
3. Use your previous version CDs and install the prerequisite components for WebSEAL, such as the Global Security Kit, Tivoli Directory Server client, and Access Manager Runtime (PDRTE).
4. Use the pdbackup -action restore option to restore the base files that you backed up before upgrading. On Linux and UNIX operating systems, the default backup file name is list_file_ddmmmyyyy.hh_mm.tar. For example, for Access Manager Runtime:
/opt/PolicyDirector/bin/pdbackup -action restore -file /var/PolicyDirector/pdbackup/51to61rtebackup.lst_17oct2005.10_27.tar

5. Use pdadmin to verify that your previous version of the runtime environment is restored successfully. For example:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

6. Install the previous version of Access Manager WebSEAL and WebSEAL instance servers (PDWeb).
7. Use the pdbackup -action restore option to restore the WebSEAL files that you backed up before upgrading. On Linux and UNIX operating systems, the default backup file name is list_file_ddmmmyyyy.hh_mm.tar. For example, for default WebSEAL and WebSEAL instance files:
/opt/PolicyDirector/bin/pdbackup -action restore -file /var/PolicyDirector/pdbackup/51to61websealbackup.lst_17oct2005.11_48.tar

8. Start WebSEAL and the WebSEAL instances. For example, to start the default WebSEAL:
pdweb start default

Or, to start a WebSEAL instance:


pdweb start instance-name

This completes the restoration of your previous WebSEAL version.

HP-UX on Integrity: Restoring WebSEAL


If you encounter a problem when migrating WebSEAL to Tivoli Access Manager 6.1.1, you might need to restore the system to its prior level. These steps apply to LDAP, Domino, and Active Directory registries for all supported upgrade versions of Tivoli Access Manager.

Notes:
• If you encounter a problem during the backup of existing data, contact Tivoli Support for assistance before continuing with the upgrade process.
• For supported operating system information, required patches and fix pack information for Tivoli Access Manager 6.1.1, see the IBM Tivoli Access Manager for e-business: Release Notes.

To restore WebSEAL on HP-UX on Integrity, follow these steps.
1. Stop all Tivoli Access Manager applications and services:
pd_start stop

2. Remove (do not unconfigure) the Access Manager WebSEAL 6.1.1 component and prerequisite packages. To do so, from the command line:
   a. Enter: rm -rf /opt/PolicyDirector/.configure/*
   b. Enter: rm /opt/PolicyDirector/etc/pd.conf
   c. Enter: rm -rf /opt/pdweb/.configure
   d. Enter: swremove -x enforce_dependencies=false packages
      where packages are the following Tivoli Access Manager 6.1.1 packages:
      • Access Manager WebSEAL (PDWeb)
      • Access Manager Web Security Runtime (PDWebRTE)
      • Access Manager Runtime (PDRTE)
      • Access Manager License (PDlic)
      • Tivoli Security Utilities (TivSecUtl)
      A prompt is displayed indicating the pre-remove script is being run. Each file is listed as it is removed.
3. Use your previous version CDs and install the prerequisite components for WebSEAL, such as the Global Security Kit, Tivoli Directory Server client, and Access Manager Runtime (PDRTE).
4. Use the pdbackup -action restore option to restore the files that you backed up before upgrading. On Linux and UNIX operating systems, the default backup file name is list_file_ddmmmyyyy.hh_mm.tar. For example, for Access Manager Runtime:
/opt/PolicyDirector/bin/pdbackup -action restore -file /var/PolicyDirector/pdbackup/60to61rtebackup.lst_17oct2005.10_27.tar

5. Use pdadmin to verify that your previous version of the runtime environment is restored successfully. For example:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

6. Install the previous version of Access Manager WebSEAL and WebSEAL instance servers (PDWeb).
7. Use the pdbackup -action restore option to restore the WebSEAL files that you backed up before upgrading. On Linux and UNIX operating systems, the default backup file name is list_file_ddmmmyyyy.hh_mm.tar. For example, for default WebSEAL and WebSEAL instance files:
/opt/PolicyDirector/bin/pdbackup -action restore -file /var/PolicyDirector/pdbackup/60to61websealbackup.lst_17oct2005.11_48.tar

8. Start WebSEAL and the WebSEAL instances. For example, to start the default WebSEAL:
pdweb start default

Or, to start a WebSEAL instance:


pdweb start instance-name

This completes the restoration of your previous WebSEAL version.

Linux on x86: Restoring WebSEAL


If you encounter a problem when migrating WebSEAL to Tivoli Access Manager 6.1.1, you might need to restore the system to its prior level. These steps apply to LDAP, Domino, and Active Directory registries for all supported upgrade versions of Tivoli Access Manager.

Notes:
• If you encounter a problem during the backup of existing data, contact Tivoli Support for assistance before continuing with the upgrade process.
• For supported operating system information, required patches and fix pack information for Tivoli Access Manager 6.1.1, see the IBM Tivoli Access Manager for e-business: Release Notes.

To restore WebSEAL for Linux on x86, follow these steps.
1. Stop all Tivoli Access Manager applications and services:
pd_start stop

2. Remove (do not unconfigure) the Access Manager WebSEAL 6.1.1 component and prerequisite packages. To do so, from the command line:
   a. Enter: rm -rf /opt/PolicyDirector/.configure/*
   b. Enter: rm /opt/PolicyDirector/etc/pd.conf
   c. Enter: rm -rf /opt/pdweb/.configure/*
   d. Enter: rpm -e packages
      where packages are the following:
      • Access Manager WebSEAL (PDWeb-PD-6.1.1-0)
      • Access Manager Web Security Runtime (PDWebRTE-PD-6.1.1-0)
      • Access Manager Runtime (PDRTE-PD-6.1.1-0)
      • Access Manager License (PDlic-PD-6.1.1-0)
      • Tivoli Security Utilities (TivSecUtl-TivSec-6.1.1-0)
3. Use your previous version CDs and install the prerequisite components for WebSEAL, such as the Global Security Kit, Tivoli Directory Server client, and Access Manager Runtime.
4. Use the pdbackup -action restore option to restore the files that you backed up before upgrading. On Linux and UNIX operating systems, the default backup file name is list_file_ddmmmyyyy.hh_mm.tar. For example, for Access Manager Runtime:
/opt/PolicyDirector/bin/pdbackup -action restore -file /var/PolicyDirector/pdbackup/51to61rtebackup.lst_17oct2005.10_27.tar

5. Use pdadmin to verify that your previous version of the runtime environment is restored successfully. For example:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

6. Install the previous version of Access Manager WebSEAL and WebSEAL instance servers (PDWeb).
7. Use the pdbackup -action restore option to restore the WebSEAL files that you backed up before upgrading. On Linux and UNIX operating systems, the default backup file name is list_file_ddmmmyyyy.hh_mm.tar. For example, for default WebSEAL and WebSEAL instance files:
/opt/PolicyDirector/bin/pdbackup -action restore -file /var/PolicyDirector/pdbackup/51to61websealbackup.lst_17oct2005.11_48.tar

8. Start WebSEAL and the WebSEAL instances. For example, to start the default WebSEAL:
pdweb start instance

Or, to start a WebSEAL instance:


pdweb start instance-name

This completes the restoration of your previous WebSEAL version.

Linux on System z: Restoring WebSEAL


If you encounter a problem when migrating WebSEAL to Tivoli Access Manager 6.1.1, you might need to restore the system to its prior level. These steps apply to LDAP, Domino, and Active Directory registries for all supported upgrade versions of Tivoli Access Manager.

Notes:
• If you encounter a problem during the backup of existing data, contact Tivoli Support for assistance before continuing with the upgrade process.
• For supported operating system information, required patches and fix pack information for Tivoli Access Manager 6.1.1, see the IBM Tivoli Access Manager for e-business: Release Notes.

To restore WebSEAL for Linux on System z, follow these steps.
1. Stop all Tivoli Access Manager applications and services:
pd_start stop

2. Remove (do not unconfigure) the Access Manager WebSEAL 6.1.1 component and prerequisite packages. To do so, from the command line:
   a. Enter: rm -rf /opt/PolicyDirector/.configure/*
   b. Enter: rm /opt/PolicyDirector/etc/pd.conf
   c. Enter: rm -rf /opt/pdweb/.configure/*
   d. Enter: rpm -e --noscripts packages
      where packages are the following:
      • Access Manager WebSEAL (PDWeb-PD-6.1.1-0)
      • Access Manager Web Security Runtime (PDWebRTE-PD-6.1.1-0)
      • Access Manager Runtime (PDRTE-PD-6.1.1-0)
      • Access Manager License (PDlic-PD-6.1.1-0)
      • Tivoli Security Utilities (TivSecUtl-TivSec-6.1.1-0)
3. Use your previous version CDs and install the prerequisite components for WebSEAL, such as the Global Security Kit, Tivoli Directory Server client, and Access Manager Runtime.
4. Use the pdbackup -action restore option to restore the base files that you backed up before upgrading. On Linux and UNIX operating systems, the default backup file name is list_file_ddmmmyyyy.hh_mm.tar. For example, for Access Manager Runtime:
/opt/PolicyDirector/bin/pdbackup -action restore -file /var/PolicyDirector/pdbackup/51to61rtebackup.lst_17oct2005.10_27.tar

5. Use pdadmin to verify that your previous version of the runtime environment is restored successfully. For example:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

6. Install the previous version of Access Manager WebSEAL and WebSEAL instance servers (PDWeb).
7. Use the pdbackup -action restore option to restore the WebSEAL files that you backed up before upgrading. On Linux and UNIX operating systems, the default backup file name is list_file_ddmmmyyyy.hh_mm.tar. For example, for default WebSEAL and WebSEAL instance files:

/opt/PolicyDirector/bin/pdbackup -action restore -file /var/PolicyDirector/pdbackup/51to61websealbackup.lst_17oct2005.11_48.tar

8. Start WebSEAL and the WebSEAL instances. For example, to start the default WebSEAL:
pdweb start instance

Or, to start a WebSEAL instance:


pdweb start instance-name

This completes the restoration of your previous WebSEAL version.

Solaris: Restoring WebSEAL


If you encounter a problem when migrating WebSEAL to Tivoli Access Manager 6.1.1, you might need to restore the system to its prior level. These steps apply to LDAP, Domino, and Active Directory registries for all supported upgrade versions of Tivoli Access Manager.

Notes:
• If you encounter a problem during the backup of existing data, contact Tivoli Support for assistance before continuing with the upgrade process.
• For supported operating system information, required patches and fix pack information for Tivoli Access Manager 6.1.1, see the IBM Tivoli Access Manager for e-business: Release Notes.

To restore WebSEAL on Solaris, follow these steps.
1. Stop all Tivoli Access Manager applications and services:
pd_start stop

2. Remove (do not unconfigure) the Access Manager WebSEAL 6.1.1 component and prerequisite packages. To do so, from the command line:
   a. Enter: rm -rf /opt/PolicyDirector/.configure/*
   b. Enter: rm /opt/PolicyDirector/etc/pd.conf
   c. Enter: rm -rf /opt/pdweb/.configure
   d. Enter: pkgrm packages
      where packages are the following:
      • Access Manager WebSEAL (PDWeb)
      • Access Manager Web Security Runtime (PDWebRTE)
      • Access Manager Runtime (PDRTE)
      • Access Manager License (PDlic)
      • Tivoli Security Utilities (TivSecUtl)
      Note: When prompted to confirm the removal of these components, enter y.
3. Use your previous version CDs and install the prerequisite components for WebSEAL, such as the Global Security Kit, Tivoli Directory Server client, and Access Manager Runtime (PDRTE).
4. Use the pdbackup -action restore option to restore the base files that you backed up before upgrading. On Linux and UNIX operating systems, the default backup file name is list_file_ddmmmyyyy.hh_mm.tar. For example, for Access Manager Runtime:
/opt/PolicyDirector/bin/pdbackup -action restore -file /var/PolicyDirector/pdbackup/51to61rtebackup.lst_17oct2005.10_27.tar

5. Use pdadmin to verify that your previous version of the runtime environment is restored successfully. For example:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

6. Install the previous version of Access Manager WebSEAL (PDWeb) and WebSEAL instance servers (PDWeb.Web).
7. Use the pdbackup -action restore option to restore the WebSEAL files that you backed up before upgrading. On Linux and UNIX operating systems, the default backup file name is list_file_ddmmmyyyy.hh_mm.tar. For example, for default WebSEAL and WebSEAL instance files:
/opt/PolicyDirector/bin/pdbackup -action restore -file /var/PolicyDirector/pdbackup/51to61websealbackup.lst_17oct2005.10_27.tar

8. Start WebSEAL and the WebSEAL instances. For example, to start the default WebSEAL:
pdweb start instance

Or, to start a WebSEAL instance:


pdweb start instance-name

This completes the restoration of your previous WebSEAL version.

Solaris on x86_64: Restoring WebSEAL


If you encounter a problem when migrating WebSEAL to Tivoli Access Manager 6.1.1, you might need to restore the system to its prior level. These steps apply to LDAP, Domino, and Active Directory registries for all supported upgrade versions of Tivoli Access Manager.

Notes:
• If you encounter a problem during the backup of existing data, contact Tivoli Support for assistance before continuing with the upgrade process.
• For supported operating system information, required patches and fix pack information for Tivoli Access Manager 6.1.1, see the IBM Tivoli Access Manager for e-business: Release Notes.

To restore WebSEAL on Solaris on x86_64, follow these steps.
1. Stop all Tivoli Access Manager applications and services:
pd_start stop

2. Remove (do not unconfigure) the Access Manager WebSEAL 6.1.1 component and prerequisite packages. To do so, from the command line:
   a. Enter: rm -rf /opt/PolicyDirector/.configure/*
   b. Enter: rm /opt/PolicyDirector/etc/pd.conf
   c. Enter: rm -rf /opt/pdweb/.configure
   d. Enter: pkgrm packages
      where packages are the following:
      • Access Manager WebSEAL (PDWeb)
      • Access Manager Web Security Runtime (PDWebRTE)
      • Access Manager Runtime (PDRTE)
      • Access Manager License (PDlic)
      • Tivoli Security Utilities (TivSecUtl)
      Note: When prompted to confirm the removal of these components, enter y.

3. Use your previous version CDs and install the prerequisite components for WebSEAL, such as the Global Security Kit, Tivoli Directory Server client, and Access Manager Runtime (PDRTE).
4. Use the pdbackup -action restore option to restore the base files that you backed up before upgrading. On Linux and UNIX operating systems, the default backup file name is list_file_ddmmmyyyy.hh_mm.tar. For example, for Access Manager Runtime:
/opt/PolicyDirector/bin/pdbackup -action restore -file /var/PolicyDirector/pdbackup/60to61rtebackup.lst_17oct2005.10_27.tar

5. Use pdadmin to verify that your previous version of the runtime environment is restored successfully. For example:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

6. Install the previous version of Access Manager WebSEAL (PDWeb) and WebSEAL instance servers (PDWeb.Web).
7. Use the pdbackup -action restore option to restore the WebSEAL files that you backed up before upgrading. On Linux and UNIX operating systems, the default backup file name is list_file_ddmmmyyyy.hh_mm.tar. For example, for default WebSEAL and WebSEAL instance files:
/opt/PolicyDirector/bin/pdbackup -action restore -file /var/PolicyDirector/pdbackup/60to61websealbackup.lst_17oct2005.10_27.tar

8. Start WebSEAL and the WebSEAL instances. For example, to start the default WebSEAL:
pdweb start default

Or, to start a WebSEAL instance:


pdweb start instance-name

This completes the restoration of your previous WebSEAL version.

Windows: Restoring WebSEAL


If you encounter a problem when migrating WebSEAL to Tivoli Access Manager 6.1.1, you might need to restore the system to its prior level. These steps apply to LDAP, Domino, and Active Directory registries for all supported upgrade versions of Tivoli Access Manager.

Notes:
• Stop all Tivoli Access Manager applications and services. For example, on Windows 2003 systems, select Start > Control Panel > Administrative Tools. Double-click the Services icon, and stop all Tivoli Access Manager services running on the local system, including applications.
• If you encounter a problem during the backup of existing data, contact Tivoli Support for assistance before continuing with the upgrade process.
• For supported operating system information, required patches and fix pack information for Tivoli Access Manager 6.1.1, see the IBM Tivoli Access Manager for e-business: Release Notes.

To restore WebSEAL on Windows, follow these steps.
1. Remove (do not unconfigure) the Access Manager WebSEAL 6.1.1 component and prerequisite packages.
   • Access Manager WebSEAL
   • Access Manager Web Security Runtime
   • Access Manager Runtime
   • Tivoli Security Utilities
   • Access Manager License
   Follow these steps:
   a. Select Start > Run, type regedit in the entry field, and then click OK to open the registry.
   b. Click My Computer HKEY_LOCAL_MACHINE Tivoli Policy Director Runtime 6.1.1.
   c. Change the configuration value from Yes to No.
   d. Click My Computer HKEY_LOCAL_MACHINE Tivoli Access Manager WebSEAL 6.1.1.
   e. Change the configuration value from Yes to No.
   f. Delete the pd.conf file from the install_path\etc directory. For example:
C:\Program Files\Tivoli\Policy Director\etc\pd.conf

   g. Log in as a Windows user with administrator privilege.
   h. Remove the components. For example, for Windows 2003, click Start > Control Panel and double-click the Add/Remove Programs icon.
   i. Select another component from the list and continue the process until all the components have been removed.
   j. Click OK to exit the program.
2. Use your previous version CDs and install the prerequisite components for WebSEAL, such as the Global Security Kit, Tivoli Directory Server client, and Access Manager Runtime. Install by running the setup.exe script in the \windows\PolicyDirector\Disk Images\Disk1 directory. Select the components, and then follow the online instructions to complete the installation in order.
3. Use the pdbackup -action restore option to restore the base files that you backed up before upgrading. On Windows operating systems, the default backup file name is list_file_ddmmmyyyy.hh_mm.dar. For example, for Access Manager Runtime:
"C:\Program Files\Tivoli\Policy Director\bin\pdbackup" -action restore -file "C:\Program Files\Tivoli\Policy Director\pdbackup\51to61rtebackup.lst_17oct2005.10_27.dar"

4. Use pdadmin to verify that your previous version of the runtime environment is restored successfully. For example:
pdadmin -a sec_master -p password
pdadmin sec_master> acl list

5. Install by running the setup.exe script in the \windows\PolicyDirector\Disk Images\Disk1 directory. Select to install the following components:
   • Access Manager WebSEAL and WebSEAL instance servers
   Follow the online instructions to complete the installation.
6. Use the pdbackup -action restore option to restore the Access Manager WebSEAL component from the dir file that you backed up before upgrading. On Windows operating systems, the default backup file name is list_file_ddmmmyyyy.hh_mm.dar. For example, for Access Manager WebSEAL:
pdbackup60 -action restore -file "C:\Program Files\Tivoli\Policy Director\pdbackup\60to61websealbackup.lst_17oct2005.10_27.dar"

7. Start WebSEAL and the WebSEAL instances. For example, on Windows 2003 systems, select Start > Control Panel > Administrative Tools. Double-click the Services icon, and start the services.

This completes the restoration of your previous WebSEAL version.

Appendix A. Upgrade utilities


Reading syntax statements
The reference documentation uses the following special characters to define syntax:

[ ]   Identifies optional parameters. Parameters not enclosed in brackets are required.
...   Indicates that you can specify multiple values for the previous option.
|     Indicates mutually exclusive information. You can use the option to the left of the separator or the option to the right of the separator. You cannot use both parameters in a single use of the command.
{ }   Delimits a set of mutually exclusive parameters when one of the parameters is required. If the parameters are optional, they are enclosed in brackets ([ ]).
\     Indicates that the command line wraps to the next line. It is a continuation character.

The parameters for each command or utility are listed alphabetically in the Options section or Parameters section, respectively. When the order of the options or parameters must be used in a specific order, this order is shown in the syntax statements.

adschema_update
Modifies the Microsoft Active Directory schema.

Syntax
adschema_update [-f schema_file] -u active_directory_administrator_id -p active_directory_administrator_pwd

Description
Use the adschema_update utility to modify the Microsoft Active Directory schema for the current version of Tivoli Access Manager. Run this utility on the Active Directory domain controller against which the policy server is configured after upgrading to IBM Tivoli Access Manager, version 6.1.

Parameters
-f schema_file
    Specifies the name of the Active Directory schema file. By default, the adschema.def file is in the installation_directory\etc directory.
-p active_directory_administrator_pwd
    Specifies the password for the Active Directory administrator.
-u active_directory_administrator_id
    Specifies the Active Directory administrator ID.

Availability
This utility is located in the following default installation directory:
C:\Program Files\Tivoli\Policy Director\sbin

Notes
Run this utility on the system where the Tivoli Access Manager policy server is installed and configured.

Return Codes
0    The utility completed successfully.
1    The utility failed. When a utility fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager for e-business: Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.


idsimigr
Migrates the schema and configuration files from an earlier release of Tivoli Directory Server to version 6.1 and creates a directory server instance with the migrated information.

Syntax
idsimigr [-I instancename] [-t dbinstance] [-u backupdir] [-e encryptseed] [-g encryptsalt] [-p port] [-s secureport] [-a admport] [-c admsecureport] [-i ipaddress] [-r description] [-b outputfile] [-d debuglevel] [-l instlocation] [-q] [-n] | [-v] | [-?]

Description
The idsimigr migration utility migrates the schema and configuration files from an earlier release to IBM Tivoli Directory Server 6.1 versions of these files and creates a directory server instance with the migrated information. This directory server instance is the upgraded version of your previous server.

If required, you can use the Instance Administration Tool, specifying that you want to migrate from a previous release. For more information about the Instance Administration Tool, see the IBM Tivoli Directory Server Version 6.1 Installation and Configuration Guide.

Attention: When you create a new directory server instance, be aware of the information that follows.

1. If you want to use replication, use a distributed directory, or import and export LDIF data between server instances, you must cryptographically synchronize the server instances to obtain the best performance. If you are creating a directory server instance that must be cryptographically synchronized with an existing directory server instance, you must synchronize the server instances before you do any of the following:
   - Start the second server instance
   - Run the idsbulkload command from the second server instance
   - Run the idsldif2db command from the second server instance
   You can synchronize the server instances by ensuring that the encryption salt value for the server instance you are creating is the same as that of the existing server instance. You can obtain the destination server's salt value by searching for the ibm-slapdCryptoSalt attribute value (using the idsldapsearch utility) in the destination server's 'cn=crypto,cn=localhost' entry.
2. After you create a directory server instance and configure the database, use the idsdbback utility to create a backup of the directory server instance. The configuration and directory key stash files are archived along with the associated configuration and directory data. You can then use the idsdbrestore utility to restore the key stash files if necessary. (You can also use the idsdbback utility after you load data into the database. See the IBM Tivoli Directory Server Version 6.1 Installation and Configuration Guide for information about backing up the database.)

Parameters
-?
    Displays usage help for the command.
-a admport
    Specifies the port on which the administration daemon for the directory server instance will listen.
    Note: If you have two or more directory server instances listening on the same IP address (or set of IP addresses), be sure that those directory server instances do not use any of the same port numbers.
-b outputfile
    Specifies the full path of a file to redirect output into. If used in conjunction with the -q option, only errors are written to the file. If debugging is turned on, debugging information is also sent to the file.
-c admsecureport
    Specifies the secure port on which the administration daemon for the directory server instance listens. Specify a positive number that is greater than 0 and less than or equal to 65535. The port specified must not cause a conflict with ports being used by any other directory server instance that is bound to a particular hostname or IP address.
-d debuglevel
    Sets the LDAP debugging level to <debuglevel>. This option causes the utility to generate debug output to stdout. The <debuglevel> is a bit mask that controls which output is generated with values up to 65535. This parameter is for use by IBM service personnel.
-e encryptseed
    Specifies the seed to be used to create the key stash files for the directory server instance. This option is required if you use the -n option. If it is not specified, you will be prompted for an encryption seed. The encryption seed must contain only printable ISO-8859-1 ASCII characters with values in the range of 33 to 126, and must be a minimum of 12 and a maximum of 1016 characters in length. For information about the characters that can be used.
    This encryption seed is used to generate a set of Advanced Encryption Standard (AES) secret key values. These values are stored in a directory stash file and used to encrypt and decrypt directory stored password and secretkey attributes. There is one encryption seed string for each directory server instance.
    Record the encryption seed in a secure location; you might need it if you export data to an LDIF file (the idsdb2ldif command) or regenerate the key stash file (the idsgendirksf command).
-g encryptsalt
    Specifies the encryption salt value. Providing an encryption salt value is useful if you want to use replication, use a distributed directory, or import and export LDIF data between server instances. You can obtain better performance if the two directory server instances have the same encryption salt value. Therefore, if the directory server instance you are migrating will be used in one of these ways, set the encryption salt value to the encryption salt value of the directory server instances with which it will be involved in these activities. If you do not specify an encryption salt, the command randomly generates one. The encryption salt must have exactly 12 characters and can contain only printable ISO-8859-1 ASCII characters in the range from 33 to 126 inclusive.
-i ipaddress
    Specifies the IP address that the directory server instance binds to. If more than one IP address is specified, a comma separator is required with no spaces. Spaces are allowed only if the entire argument is enclosed in quotation marks ("). Use the key word "all" to specify that you want to use all available IP addresses. If you do not specify the -i option, all available IP addresses is the default setting.
-I instancename
    Specifies the name of the directory server instance to be created or migrated. The instance name must be an existing user ID on the computer and must be no greater than 8 characters in length. If there is no corresponding user ID for the directory server instance name, the command fails.
-l instlocation
    Specifies the location in which to store the configuration files and logs for the directory server instance. On Windows systems, this option is required and a drive letter must be specified. The location must have at least 30 MB of free disk space. Additional disk space must be available to accommodate growth as directory server log files increase in size.
-n
    Specifies that you want the command to run without prompting. All output is generated except for messages that require user interaction.
-p port
    Specifies the port on which the directory server instance listens. Specify a positive number that is greater than 0 and less than or equal to 65535. The port specified must not cause a conflict with ports being used by any other directory server instance that is bound to a particular hostname or IP address.
-q
    Specifies to run in quiet mode. All output is suppressed except error messages. If the -d option is also specified, trace output is not suppressed.
-r description
    Specifies a description of the directory server instance.
-s secureport
    Specifies the secure port that the directory server instance listens on. Specify a positive number that is greater than 0 and less than or equal to 65535. The port specified must not cause a conflict with ports being used by any other directory server instance that is bound to a particular hostname or IP address.
-t dbinstance
    Specifies the DB2 database instance name. The database instance name is also the DB2 instance owner ID. By default, the database instance name is assumed to be the same as the directory server instance owner ID.
-u backupdir
    Specifies the name of the directory in which the schema and configuration files to be migrated have been saved. If all the necessary files are not found in the specified directory, the command will fail. These files include the server configuration file and the following schema files: V3.ibm.at, V3.ibm.oc, V3.system.at, V3.system.oc, V3.user.at, V3.user.oc, and V3.modifiedschema.
-v
    Prints version information about the command.

Examples
The following example assumes you want to migrate from IBM Tivoli Directory Server 5.2 to IBM Tivoli Directory Server 6.1 and:

- You saved the configuration and schema files in a directory named /tmp/ITDS52
- You want to create an instance called myinst with an encryption seed of my_secret_key! and an encryption salt of mysecretsalt

Use the following command to migrate from IBM Tivoli Directory Server 5.2 to IBM Tivoli Directory Server 6.1:
idsimigr -I myinst -u /tmp/ITDS52 -e my_secret_key! -g mysecretsalt

On Windows, you must specify a location for the directory server instance using the -l option. The following example creates a c:\idsslapd-myinst directory for the directory server instance being migrated.
idsimigr -I myinst -u c:\temp -l c: -e my_secret_key!
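The following pre-flight check is an added example, not part of the IBM guide or its tooling. It reads the ibm-slapdCryptoSalt value out of saved search output for the 'cn=crypto,cn=localhost' entry and checks the -I, -e, -g and port values against the limits stated above. The function names, the sample output, the port numbers and the assumption that the output is either LDIF or attribute=value lines are constructed for illustration.

```python
import base64
import re

# Printable characters with codes 33..126, the set the guide allows for -e and -g.
_ALLOWED = re.compile(r"[\x21-\x7e]+")
# Accepts LDIF lines ("attr: value", "attr:: base64") and "attr=value" lines.
_SALT_LINE = re.compile(
    r"^ibm-slapdCryptoSalt(::|:|=)[ \t]*(\S*)[ \t]*\r?$", re.I | re.M)


def salt_from_search_output(text):
    """Return the ibm-slapdCryptoSalt value found in search output, or None."""
    match = _SALT_LINE.search(text)
    if match is None:
        return None
    separator, value = match.groups()
    if separator == "::":
        # LDIF base64-encodes a value that starts with ':' or '<', which a
        # salt drawn from codes 33..126 is allowed to do.
        return base64.b64decode(value).decode("latin-1")
    return value


def check_idsimigr_args(instance, seed=None, salt=None, ports=None,
                        no_prompt=False):
    """Return a list of problems; an empty list means the documented limits hold."""
    problems = []
    if not 1 <= len(instance) <= 8:
        problems.append("-I: instance name must be 1 to 8 characters")
    if seed is None:
        if no_prompt:
            problems.append("-e: required when -n is used")
    else:
        if not 12 <= len(seed) <= 1016:
            problems.append("-e: seed must be 12 to 1016 characters")
        if not _ALLOWED.fullmatch(seed):
            problems.append("-e: seed has characters outside codes 33..126")
    if salt is not None:
        if len(salt) != 12:
            problems.append("-g: salt must be exactly 12 characters")
        if not _ALLOWED.fullmatch(salt):
            problems.append("-g: salt has characters outside codes 33..126")
    seen = {}
    for option, port in (ports or {}).items():
        if not 0 < port <= 65535:
            problems.append(f"{option}: port {port} is outside 1..65535")
        elif port in seen:
            problems.append(
                f"{option}: port {port} is already used by {seen[port]}")
        else:
            seen[port] = option
    return problems


# Constructed sample output for the 'cn=crypto,cn=localhost' entry.
SAMPLE_PLAIN = "cn=crypto,cn=localhost\nibm-slapdCryptoSalt=mysecretsalt\n"
SAMPLE_LDIF = ("dn: cn=crypto,cn=localhost\n"
               "ibm-slapdCryptoSalt:: "
               + base64.b64encode(b":Zk3!pQ9x#Lw").decode("ascii") + "\n")

if __name__ == "__main__":
    constructed_ports = {"-p": 1389, "-s": 1636, "-a": 3538, "-c": 3539}
    for sample in (SAMPLE_PLAIN, SAMPLE_LDIF):
        salt = salt_from_search_output(sample)
        issues = check_idsimigr_args("myinst", "my_secret_key!", salt,
                                     constructed_ports)
        print(repr(salt), issues or "ok")
```

Leaving -e off the command line makes idsimigr prompt for the seed, which keeps the seed out of shell history and process listings; that is only possible when -n is not used.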


ivrgy_tool
Updates the Tivoli Access Manager schema on the specified LDAP server or applies the required ACLs to suffixes that were added to the LDAP server after the policy server was configured. This utility is not supported with the Active Directory Application Mode (ADAM) user registry. See IBM Tivoli Access Manager for e-business: Installation Guide for information about updating the ADAM schema for use with Tivoli Access Manager.

Syntax
ivrgy_tool -h host_name -p port -D admin_dn -w admin_password -d add-acls domain_name
ivrgy_tool -h host_name -p port -D admin_dn -w admin_password -d -Z -K keyfile -P keyfile_password [-N keyfile_label] add-acls domain_name
ivrgy_tool -h host_name -p port -D admin_dn -w admin_password -d schema
ivrgy_tool -h host_name -p port -D admin_dn -w admin_password -d -Z -K keyfile -P keyfile_password [-N keyfile_label] schema

Description
The ivrgy_tool utility with the add-acls parameter can be used to apply the required ACLs to suffixes that were added to the LDAP server after the policy server was configured or to apply ACLs to the back-end servers in a Tivoli Directory Server proxy environment. In the proxy environment, the back-end server enforces access control. You need to ensure that the proper ACLs are created on each back-end server if the ACLs exist on the top-level object of the partition split. To set the necessary ACLs on the back-end servers to allow Tivoli Access Manager to manage the partition suffix, use the add-acls parameter.

The ivrgy_tool utility with the schema parameter updates the Tivoli Access Manager schema on the specified supported LDAP server. The schema is defined in a set of files. The files relate to the type of LDAP server that is being used. These files are installed during the installation of the Tivoli Access Manager runtime and are used as input to the automatic schema update process when you configure the policy server. Normally, the schema is updated when the policy server is configured. When migrating an existing installation of Tivoli Access Manager, the schema on the LDAP server must be upgraded to the current version using the ivrgy_tool utility.

The following files contain the LDAP-specific schema:

secschema.def
    Used for Tivoli Directory Server
nsschema.def
    Used for Sun Java System Directory Server or Sun ONE Directory Server
novschema.def
    Used for Novell eDirectory Server

An administrator can also apply and update the schema by using one of these files as the LDAP Data Interchange Format (LDIF) input to the Tivoli Directory Server ldapmodify utility.

Parameters
-d
    Indicates verbose mode.
-D admin_dn
    Specifies the distinguished name of the LDAP administrator. The format for a distinguished name is similar to cn=root.
-h host_name
    Specifies the IP address or host name of the LDAP server. Valid values include any valid IP host name; for example:
    host = libra
    host = libra.dallas.ibm.com
    When used in a Tivoli Directory Server proxy environment, the value is the IP address or host name of the back-end server on which to set the ACLs.
-K keyfile
    Specifies the fully qualified path and file name of the SSL key database. This parameter is required only when the -Z parameter is specified. Use the SSL key file to handle certificates that are used in LDAP communication. The file type can be anything, but the extension, as shown in the following example for the policy server, is usually .kdb.
    Policy server on Windows
        C:\Program Files\Tivoli\Policy Director\keytab\ivmgrd.kdb
    Policy server on Linux or UNIX
        /opt/PolicyDirector/keytab/ivmgrd.kdb
-N keyfile_label
    Specifies the label name of the client certificate in the SSL key database that is sent to the LDAP server if the LDAP server is configured to perform both server and client authentication during SSL establishment. This parameter is valid only when SSL is being used (indicated by using the -Z parameter) and when the LDAP server has been configured to require client authentication. If the installation wizard was used, the default client certificate label is PDLDAP.
-p port
    Specifies the port number of the LDAP server. Use the LDAP server-configured port number. The default port number is 636 if Secure Sockets Layer (SSL) is used and 389 if SSL is not used. When used in a Tivoli Directory Server proxy environment, the value is the port number of the back-end server.
-P keyfile_password
    Specifies the password for the SSL key database. This parameter is required only if the -Z parameter is specified.
-w admin_password
    Specifies the password of the LDAP administrator.
-Z
    Indicates that SSL is used.

add-acls domain_name
    Indicates that the required access control lists (ACLs) should be applied to all suffixes that were defined on the LDAP server for the specified domain. When the policy server is configured, the management domain (Default) is created. When using the add-acls parameter in a Tivoli Directory Server proxy environment, at a minimum, always apply the ACLs to the management domain. This option is useful for adding access control to suffixes that were added to the LDAP server after the policy server is configured.
schema
    Updates the Tivoli Access Manager schema. Use this parameter when:
    - You are using a version of Tivoli Directory Server prior to version 6.0. For example, you are using Tivoli Directory Server version 5.2.
    - You are using an LDAP server other than Tivoli Directory Server. For example, you are using Novell eDirectory Server.

Return Codes
0    The utility completed successfully.
1    The utility failed. When a utility fails, a description of the error and an error is provided.


pdbackup
Backs up, restores, and extracts Tivoli Access Manager data.

Syntax
pdbackup -action backup -list list_file [-path path] [-file filename]
pdbackup -action restore -file filename [-path path]
pdbackup -action extract -file filename -path path
pdbackup -usage
pdbackup -?

Description
Use the pdbackup utility to back up and restore Tivoli Access Manager data. As an alternative to a restore action, you can extract all archived files into a single directory. This utility is most commonly used for backing up, restoring, and extracting Tivoli Access Manager component files.

Parameters
Note that you can shorten a parameter name, but the abbreviation must be unambiguous. For example, you can type a for action or l for list. However, values for parameters cannot be shortened.

-?
    Displays the syntax and an example for this utility.
-action [backup|restore|extract]
    Specifies the action to be performed. This parameter supports one of the following values:
    backup
        Backs up the data, service information, or migration information to an archive file. The archive file has a tar extension on Linux and UNIX operating systems and a dar extension on Windows operating systems.
    extract
        Extracts the data from an archive file to a specified directory. This action is used during a two-machine migration only.
    restore
        Restores the data from the archive file.
-file filename
    Specifies the name of the archive file. When this parameter is required, its value must be the fully qualified name of the archive file. When this parameter is optional, its value must be the name of the archive file only.
    For the extract and restore actions, this parameter is required. For the backup action, this parameter is optional.
    When using the backup action, specify a file name other than the default name. However, do not specify the file name extension. The file name extension is generated automatically.
    The default name is the name of the service list file with a date and time of the file creation. On Linux and UNIX operating systems, the default file name is list_file_ddmmmyyyy.hh_mm.tar. On Windows operating systems, the default file name is list_file_ddmmmyyyy.hh_mm.dar.
-list list_file
    Specifies the fully qualified name of the list file. The list file is an ASCII file that contains the information about the various files and data to back up. These files are located in the /etc directory under the component-specific installation directory.
    The following list contains the default file name and location of each component-specific list file by operating system (assuming that the default installation directory was used during installation):
    Tivoli Access Manager data
        On Linux and UNIX operating systems: /opt/PolicyDirector/etc/pdbackup.lst
        On Windows operating systems: "C:\Program Files\tivoli\Policy Director\etc\pdbackup.lst"
    Tivoli Access Manager service information
        On Linux and UNIX operating systems: /opt/PolicyDirector/etc/pdinfo.lst
        On Windows operating systems: "C:\Program Files\tivoli\Policy Director\etc\pdinfo.lst"
    WebSEAL data
        On Linux and UNIX operating systems: /opt/pdweb/etc/amwebbackup-instance.lst
        On Windows operating systems: "C:\Program Files\tivoli\pdweb\etc\amwebbackup-instance.lst"
        Where instance is the name of the instance.
    WebSEAL service information
        On Linux and UNIX operating systems: /opt/pdweb/etc/pdinfo-amwebbackup-instance.lst
        On Windows operating systems: "C:\Program Files\tivoli\pdweb\etc\pdinfo-amwebbackup-instance.lst"
        Where instance is the name of the instance.
    Plug-in for Web Servers data
        On Linux and UNIX operating systems: /opt/pdwebpi/etc/pdwebpi.lst
        On Windows operating systems: c:\program files\tivoli\pdwebpi\etc\pdwebpi.lst
    Plug-in for Web Servers service information
        On Linux and UNIX operating systems: /opt/pdwebpi/etc/pdinfo-pdwebpi.lst
        On Windows operating systems: c:\program files\tivoli\pdwebpi\etc\pdinfo-pdwebpi.lst
-path path
    Specifies the target directory for the specified action. This parameter is required with the extract action, but is optional with the backup and restore actions.
    - When specified with the backup action, specifies the target directory for the archive file. When not specified, the command uses the default directory for the component. The following list contains the default directory for each component by operating system:
      On Linux and UNIX operating systems: /var/PolicyDirector/pdbackup/
      On Windows operating systems: c:\program files\tivoli\policy director\pdbackup\
    - With the extract action, specifies the directory where the files that are extracted from the archive file are stored. There is no default value for the path parameter when used for an extract action.
    - On Linux and UNIX operating systems only, when specified with the restore action, specifies the directory where the files from the archive file are restored. By default, this path is the one used during the backup process. On Windows operating systems, the restore process does not support the path parameter. On Windows operating systems, the files are restored to their original directory.
-usage
    Displays the syntax and an example for this utility.

Availability
This utility is located in one of the following default installation directories:
- On Linux and UNIX operating systems:
/opt/PolicyDirector/bin

- On Windows operating systems:
c:\Program Files\Tivoli\Policy Director\bin

When an installation directory other than the default is selected, this utility is located in the /bin directory under the installation directory (for example, installation_directory/bin).

Return Codes
0    The utility completed successfully.
1    The utility failed. When a utility fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager for e-business: Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

Examples
- The following example backs up the Tivoli Access Manager data on a Windows operating system using default values for the archive files:
pdbackup -a backup -list \
c:\program files\tivoli\policy director\etc\pdbackup.lst

If the command is run on December 22, 2005 at 10:22 AM, the pdbackup.lst_22dec2005.10_22.dar archive file is created and stored in the c:\program files\tivoli\policy director\pdbackup\ directory.

- The following example backs up the WebSEAL service information on a UNIX operating system and stores the archive in the /var/backup directory:
pdbackup -a backup -list \
/opt/pdweb/etc/pdinfo-amwebbackup.lst \
-path /var/backup

If the command is run on December 22, 2005 at 10:22 AM, the pdinfo-amwebbackup.lst_22dec2005.10_22.tar archive file is created and stored in the /var/pdbackup directory.

- The following example backs up the Plug-in for Web Servers files on a Linux operating system and creates the webpi.tar file in the /var/pdback directory:
pdbackup -a backup -list \
/opt/pdwebpi/etc/pdwebpi.lst \
-f webpi -p /var/pdback

Independent of when the command is run, the webpi.tar file is created in the /var/pdback directory. The .tar file extension is added to the file name during the backup process.

- The following example restores the pdbackup.lst_22dec2005.10_22.dar archive file on a Windows operating system from the default location.
pdbackup -a restore -f c:\program files\tivoli\policy \
director\pdbackup\pdbackup.lst_22dec2005.10_22.dar

The file is restored to its original location. On Windows operating systems, files cannot be restored to another location.

- The following example restores the amwebbackup.lst_22dec2005.10_22.tar archive file that is stored in the /var/pdbackup directory to the /amwebtest directory:
pdbackup -a restore -f \
/var/pdbackup/amwebbackup.lst_22dec2005.10_22.tar \
-p /amwebtest

- The following example extracts the amwebbackup.lst_22dec2005.10_22.tar archive file that is stored in the /var/pdbackup directory to the /amwebextracttest directory:
pdbackup -a extract -f \
/var/pdbackup/amwebbackup.lst_22dec2005.10_22.tar \
-p /amwebextracttest
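The following helper is an added example, not part of the IBM guide or of pdbackup. It parses the default archive name format (list_file_ddmmmyyyy.hh_mm.tar or .dar), picks the newest archive for a given list file, and assembles restore arguments that respect the rules above. The function names and the listing are constructed; a 24-hour hh field and English month abbreviations are assumptions.

```python
import re
from datetime import datetime

_MONTHS = ("jan", "feb", "mar", "apr", "may", "jun",
           "jul", "aug", "sep", "oct", "nov", "dec")
# list_file_ddmmmyyyy.hh_mm.tar (Linux and UNIX) or .dar (Windows)
_DEFAULT_NAME = re.compile(
    r"^(?P<list>.+)_(?P<day>\d{2})(?P<mon>[a-z]{3})(?P<year>\d{4})"
    r"\.(?P<hour>\d{2})_(?P<minute>\d{2})\.(?P<ext>tar|dar)$", re.I)


def parse_default_archive(path):
    """Return (list_file, created, extension), or None for a custom name."""
    name = re.split(r"[\\/]", path)[-1]
    m = _DEFAULT_NAME.match(name)
    if m is None or m["mon"].lower() not in _MONTHS:
        return None
    try:
        created = datetime(int(m["year"]),
                           _MONTHS.index(m["mon"].lower()) + 1,
                           int(m["day"]), int(m["hour"]), int(m["minute"]))
    except ValueError:          # for example 31feb2006 or 25_00
        return None
    return m["list"], created, m["ext"].lower()


def newest_archive(paths, list_file):
    """Return the most recent default-named archive made from list_file."""
    candidates = []
    for path in paths:
        parsed = parse_default_archive(path)
        if parsed is not None and parsed[0] == list_file:
            candidates.append((parsed[1], path))
    return max(candidates)[1] if candidates else None


def restore_command(archive, target=None, windows=False):
    """Build the pdbackup restore argument list, enforcing the documented rules."""
    qualified = (re.match(r"^[A-Za-z]:\\", archive) if windows
                 else archive.startswith("/"))
    if not qualified:
        raise ValueError("restore needs the fully qualified archive name")
    if windows and target is not None:
        raise ValueError("restore does not support -path on Windows")
    args = ["pdbackup", "-a", "restore", "-f", archive]
    if target is not None:
        args += ["-p", target]
    return args


# Constructed directory listing; the first and last names appear in the
# examples above, the other two are made up.
CONSTRUCTED_LISTING = [
    "/var/pdbackup/amwebbackup.lst_22dec2005.10_22.tar",
    "/var/pdbackup/amwebbackup.lst_03jan2006.09_05.tar",
    "/var/pdbackup/pdinfo-amwebbackup.lst_04jan2006.11_00.tar",
    "/var/pdback/webpi.tar",
]

if __name__ == "__main__":
    latest = newest_archive(CONSTRUCTED_LISTING, "amwebbackup.lst")
    print(latest)
    print(" ".join(restore_command(latest, "/amwebtest")))
```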


pdconfig
Configures and unconfigures Tivoli Access Manager components except Tivoli Access Manager Runtime for Java. See the IBM Tivoli Access Manager for e-business: Installation Guide for step-by-step instructions on how to use this utility.

Syntax
pdconfig

Parameters
None.

Availability
This utility is located in one of the following default installation directories:
- On Linux and UNIX operating systems:
/opt/PolicyDirector/bin

- On Windows operating systems:
c:\Program Files\Tivoli\Policy Director\bin

When an installation directory other than the default is selected, this utility is located in the /bin directory under the installation directory (for example, installation_directory/bin).

Return Codes
0    The utility completed successfully.
1    The utility failed. When a utility fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager for e-business: Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.


pdjrtecfg
Configures or unconfigures Tivoli Access Manager Runtime for Java. This component enables Java applications to manage and use Tivoli Access Manager security.

Syntax
pdjrtecfg -action config -host policy_server_host [-port policy_server_port] [-java_home jre_home] [-domain domain_name] [-config_type full] [-enable_tcd [-tcd path]]
pdjrtecfg -action config -config_type standalone
pdjrtecfg -action config -interactive
pdjrtecfg -action config -rspfile response_file
pdjrtecfg -action name
pdjrtecfg -action status [-java_home jre_home]
pdjrtecfg -action unconfig [-java_home {jre_home|all}]
pdjrtecfg -action unconfig -interactive
pdjrtecfg -operations
pdjrtecfg -help [options]
pdjrtecfg -usage
pdjrtecfg -?

Description
This utility copies Tivoli Access Manager Java libraries to a library extensions directory that exists for a Java runtime that has already been installed on the system. Using this utility does not overwrite JAR files that already exist in the jre_home\lib\ext directory, except the PD.jar file, which is overwritten if the file exists.

You can install more than one Java runtime on a given machine. The pdjrtecfg utility can be used to configure the Tivoli Access Manager Runtime for Java independently for each of the JREs.

Note: Make sure that you use the pdjrtecfg utility and not the PdJrteCfg Java class directly.

Parameters
-?
    Displays the syntax and an example for this utility.
-action {config|name|status|unconfig}
    Specifies the action to be performed that is one of the following values:
    config
        Configures the Tivoli Access Manager Runtime for Java component.
    name
        Retrieves the Tivoli Access Manager Runtime for Java component package name and returns the name value to the pdconfig utility. This parameter is used only by pdconfig. Do not use this parameter from the command line.
    status
        Determines and returns the Tivoli Access Manager Runtime for Java component configuration status information to the pdconfig utility. This parameter is used only by pdconfig. Do not use this parameter from the command line.
    unconfig
        Unconfigures the Tivoli Access Manager Runtime for Java component.
-config_type {full|standalone}
    Specifies the configuration mode. The default value is full.
    full
        Performs all of the required configuration steps, including the generation of the server-side certificate for the policy server.
    standalone
        Performs all of the required configuration steps, except for the generation of the server-side certificate for the policy server. With this configuration, you can use the Tivoli Access Manager Java APIs without requiring a policy server. Typically, this configuration is used during the configuration of a Tivoli Access Manager development environment.
        Without this server-side certificate, the Java client cannot communicate with the policy server. That is, all of the Tivoli Access Manager administration commands, which are based on C APIs, will fail. Applications that use only the Java classes should not be affected.
-domain domain
    Specifies the local domain name for the Java runtime component being configured. A local domain is a Tivoli Access Manager secure domain that is used by programs when no explicit domain is specified. If this parameter is not specified, the local domain will default to the management domain.
-enable_tcd [-tcd path]
    Enables Tivoli Common Directory (TCD) logging, if not already enabled, and specifies the fully qualified path location to use for common logging. When TCD is enabled, all Tivoli Access Manager message log files will be placed in this common location.
-help [options]
    Provides online help for one or more utility options by displaying descriptions of the valid command line options. Alternatively, provides online help about a specific command line parameter.
-host policy_server_host
    Specifies the Tivoli Access Manager policy server host name. Valid values include any valid IP host name. Examples:
    host = libra
    host = libra.dallas.ibm.com
-interactive
    Specifies the interactive mode, in which the user is prompted for configuration information to configure the Tivoli Access Manager Runtime for Java component. If not specified, the configuration program will run in non-interactive (silent) mode. Configuration of a Sun JRE will fail.
-java_home jre_path
    Specifies the fully qualified path to the Java runtime component (such as the directory ending in JRE). If this parameter is not specified, the home directory for the JRE in the PATH statement will be used. If the home directory for the JRE is not in the PATH statement, this utility fails. During unconfiguration, you can specify the all parameter that unconfigures all configured JREs.
-operations
    Prints out all the valid command line options.
-port policy_server_port
    Specifies the Tivoli Access Manager policy server port number. The default value is 7135.
-rspfile response_file
    Specifies the fully qualified path and file name of the response file to use during silent configuration. A response file can be used for configuration. There is no default response file name. The response file contains stanzas and parameter=value pairs. To use response files, see the procedures in the IBM Tivoli Access Manager for e-business: Installation Guide.
-usage
    Displays the syntax and an example for this utility.

Availability
This utility is located in one of the following default installation directories:
- On Linux and UNIX operating systems:
/opt/PolicyDirector/sbin

- On Windows operating systems:
c:\Program Files\Tivoli\Policy Director\sbin

When an installation directory other than the default is selected, this utility is located in the /sbin directory under the installation directory (for example, installation_directory/sbin).

Return Codes
0    The utility completed successfully.
1    The utility failed. When a utility fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager for e-business: Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

Examples
- The following example configures Access Manager Runtime for Java:
pdjrtecfg -action config -host sys123.acme.com -port 7135 -java_home e:\apps\IBM\java142sr2\jre

- The following example unconfigures Access Manager Runtime for Java:
pdjrtecfg -action unconfig -java_home e:\apps\IBM\java142sr2\jre


smscfg
Deploys and configures the session management server.

Syntax
smscfg -action {config|unconfig|deploy|undeploy|extract|upgrade|revert|}

Configuration
smscfg -action config [-interactive {yes|no}] [-rsp_file file_name] [-record file_name]
    [-was_port port] [-was_enable_security {yes|no}] [-was_admin_id administrator_id]
    [-was_admin_pwd password] [-trust_store file_name] [-trust_store_pwd password]
    [-keyfile file_name] [-key_pwd password] [-instance instance_name]
    [-session_realm realm:max_login=replica_set1_name,replica_set2_name,...]
    [-session_realm_remove realm_name] [-enable_tcd {yes|no}]
    [-tcd fully_qualified_directory_name] [-enable_tam_integration {yes|no}]
    [-policysvr_host host_name] [-policysvr_port port] [-admin_id administrator_id]
    [-admin_pwd password] [-domain domain] [-authzsvr host_name:port:rank]
    [-cred_refresh_rule rule] [-enable_last_login {yes|no}]
    [-enable_last_login_database {yes|no}] [-last_login_table last_login_database_table_name]
    [-last_login_max_entries max_number_memory_entries] [-last_login_jsp_file file_name]
    [-last_login_jsp server_jsp_name] [-enable_database_session_storage {yes|no}]
    [-enable_auditing {yes|no}] [-auditing_properties file_name]
    [-key_lifetime key_lifetime] [-client_idle_timeout timeout]

Configuration with response file
smscfg -action config -rspfile file_name

Configuration, interactive
smscfg -action config -interactive

Unconfiguration
smscfg -action unconfig [-interactive {yes|no}] [-rspfile file_name] [-record file_name]
    [-was_port port] [-was_enable_security {yes|no}] [-was_admin_id administrator_id]
    [-was_admin_pwd password] [-trust_store file_name] [-trust_store_pwd password]
    [-keyfile file_name] [-key_pwd password] [-instance instance_name]
    [-admin_id administrator_id] [-admin_pwd password] [-remove_last_login_db {yes|no}]

Unconfiguration, response file
smscfg -action unconfig -rspfile file_name

Unconfiguration, interactive
smscfg -action unconfig -interactive

Deployment
smscfg -action deploy [-interactive {yes|no}] [-rspfile file_name] [-record file_name]
    [-was_port port] [-was_enable_security {yes|no}] [-was_admin_id administrator_id]
    [-was_admin_pwd password] [-trust_store file_name] [-trust_store_pwd password]
    [-keyfile file_name] [-key_pwd password] [-instance instance_name]
    [-enable_database_storage {yes|no}] [-database_name database_name]
    [-virtual_host host_name] [-clustered {yes|no}] [-was_node node_name]
    [-was_server server_name] [-was_cluster cluster_name]

Undeployment
smscfg -action undeploy [-interactive {yes|no}] [-rspfile file_name] [-record file_name]
    [-was_port port] [-was_enable_security {yes|no}] [-was_admin_id administrator_id]
    [-was_admin_pwd password] [-trust_store file_name] [-trust_store_pwd password]
    [-keyfile file_name] [-key_pwd password] [-instance instance_name]

Extract
smscfg -action extract [-interactive {yes|no}] [-rspfile file_name] [-record file_name]
    [-was_port port] [-was_enable_security {yes|no}] [-was_admin_id administrator_id]
    [-was_admin_pwd password] [-trust_store file_name] [-trust_store_pwd password]
    [-keyfile file_name] [-key_pwd password] [-instance instance_name]

Upgrade
smscfg -action upgrade [-interactive {yes|no}] [-rspfile file_name] [-record file_name]
    [-was_port port] [-was_enable_security {yes|no}] [-was_admin_id administrator_id]
    [-was_admin_pwd password] [-trust_store file_name] [-trust_store_pwd password]
    [-keyfile file_name] [-key_pwd password] [-instance instance_name]

Revert
smscfg -action revert [-interactive {yes|no}] [-rspfile file_name] [-record file_name]
    [-was_port port] [-was_enable_security {yes|no}] [-was_admin_id administrator_id]
    [-was_admin_pwd password] [-trust_store file_name] [-trust_store_pwd password]
    [-keyfile file_name] [-key_pwd password] [-instance instance_name]

Utility help
smscfg -help option
smscfg -usage
smscfg -?

Description
The smscfg utility deploys, configures or unconfigures session management server instances. It can also be used to extract the session management server configuration, or to install and remove fixpack upgrades.

A log of the configuration progress is written to the msg_smscfg.log log file, which is located in the /var/pdsms/log directory on Linux and UNIX operating systems and in the installation_directory\log directory on Windows operating systems.

This utility can be run either interactively, where the user is prompted to provide configuration information, or silently, where the utility accepts input from a response file.

Parameters
?
    Displays the syntax and an example for this utility.

action {deploy|config|unconfig|undeploy|extract}
    Specifies the action to be performed, which is one of the following values:

    deploy
        Deploys the session management server instance to a WebSphere Application Server.

    undeploy
        Removes a session management server instance from a WebSphere Application Server.

    config
        Configures or reconfigures a deployed session management server instance.

    unconfig
        Unconfigures a session management server instance.

    extract
        Extracts the configuration information from a session management server instance.

    upgrade
        Upgrades to a new session management server fixpack.

    revert
        Reverts to the previous session management server fixpack.

admin_id administrator_id
    Specifies the Tivoli Access Manager administration ID. The default value is sec_master. This parameter is required when enable_tam_integration is set to yes.

admin_pwd password
    Specifies the password for the Tivoli Access Manager administrator. This parameter is required when you specify the admin_id parameter.

auditing_properties file_name
    Specifies the path to the properties file which contains the configuration of the auditing component.

authzsvr host_name:port:rank
    Specifies the host name, port number, and rank of the Tivoli Access Manager authorization server. This optional parameter can be specified multiple times. A Tivoli Access Manager authorization server is required to use these session refresh capabilities or to use certificates that are issued by the Tivoli Access Manager policy server to authenticate session management clients. The default value is localhost:7136:1.

client_idle_timeout timeout
    Specifies the client idle timeout in seconds after which a client is considered idle. A client is considered idle if it is not actively requesting updates from the session management server. This parameter is optional.

clustered {yes|no}
    Specifies whether the application will be deployed to a WebSphere cluster. The default value is no.

cred_refresh_rule rule
    Specifies rules to preserve when a user's credential is refreshed. The default credential refresh rule set is preserve=tagvalue_*.

database_name database
    Specifies the name of the WebSphere JDBC data source that the session management server uses to access the database that it uses to store its data. There is no default value.

domain domain
    Specifies the name of the Tivoli Access Manager policy domain. This parameter is required when enable_tam_integration is set to yes. The default value is Default.

enable_auditing {yes|no}
    Indicates whether or not auditing is required. The default value is no.

enable_database_storage {yes|no}
    Indicates whether database storage is required. The parameter is only meaningful in the context of WebSphere Application Server single server deployments. If the application is deployed to a cluster, this parameter is redundant. The default value is no. Setting this parameter to no sets the database configuration to the WebSphere default resource reference, normally jdbc/DataSource.

enable_database_session_storage {yes|no}
    Indicates whether storage of session data to a database is required. The default value is no.

enable_last_login {yes|no}
    Indicates whether last login information is stored. When set to yes, you must specify the following parameters or accept their default values:
    - last_login_jsp_file
    - last_login_max_entries
    - last_login_table
    The default value is no (not to enable the recording of last login information). The enable_last_login field is only required if installing into a stand alone application server. When installing into a cluster this field is not required.

enable_last_login_database {yes|no}
    Indicates whether last login information is stored to a database. The default value is no.

enable_tam_integration {yes|no}
    Indicates whether to enable integration with Tivoli Access Manager or to change enablement. When set to yes, you must specify the following parameters or accept their default values, where applicable:
    - policysvr_host
    - policysvr_port
    - authzsvr
    - admin_id
    - admin_pwd
    - domain
    The default value is no.

enable_tcd {yes|no}
    Indicates whether Tivoli Common Directory logging is required. When set to yes, you must specify the tcd parameter. The default value is no.

help [options]
    Lists the name of the utility parameter and a short description. If one or more options are specified, it lists each parameter and a short description.

instance instance_name
    Specifies the name of the instance to be administered. The default value is DSess.

interactive {yes|no}
    Indicates whether the configuration is interactive. The default value is yes.

key_lifetime lifecycle
    Specifies the lifetime in seconds of the key for the session management server. After the defined lifecycle completes, a new key is generated. If this value is set to zero, keys are not automatically generated. This parameter is optional.

key_pwd password
    Specifies the password to access the server-side certificates. This parameter is required when you specify the keyfile parameter. Otherwise, this parameter is optional.

keyfile file_name
    Specifies the fully qualified name for the key store when making a secure connection to WebSphere Application Server. The key store holds the server-side certificates. This parameter is required when you specify the was_admin_id parameter. Otherwise, this parameter is optional.

last_login_jsp server_jsp_name
    The server-side path for the last login JSP file. This is an optional argument.

last_login_jsp_file file_name
    Specifies the fully qualified name of the last login JSP file to use for recording last login information. This parameter is required when the enable_last_login parameter is set to yes. The default value is installation_directory/etc/lastLogin.jsp

    Note: Configuration of the lastLogin.jsp file can produce a long Web browser URL, which could exceed the limits imposed by some proxy servers. To avoid this, access the WebSphere ISC using a direct connection to the Internet.

last_login_max_entries maximum_entries
    Specifies the maximum number of entries to be stored in the memory cache for recording last login information. This parameter is required when the enable_last_login parameter is set to yes. The default value is 0. The last_login_max_entries field is only required if installing into a stand alone application server. When installing into a cluster this field is not required.

last_login_table table_name
    Specifies the name of the database table to use for recording last login information. This parameter is required when the enable_last_login parameter is set to yes. The default value is AMSMSUSERINFOTABLE.

operations
    Lists each of the parameter names, one after another, without a description.

policysvr_host host_name
    Specifies the host name of the Tivoli Access Manager policy server. This parameter is required when enable_tam_integration is set to yes.

policysvr_port port
    Specifies the port of the Tivoli Access Manager policy server. This parameter is required when you specify the host parameter.

record file_name
    Specifies the name of the response file to which configuration parameters will be recorded.

remove_last_login_db {yes|no}
    Indicates whether the last login database should be removed. The default value is no.

rspfile response_file
    Specifies the fully qualified path and file name of the response file to use during silent configuration. A response file can be used for configuration.

    There is no default response file name. The response file contains stanzas and parameter=value pairs. To use response files, see the procedures in the IBM Tivoli Access Manager for e-business: Installation Guide.

session_realm [realm[:max_logins]=replica_set1, replica_set2,...]
    A session realm to add to the configuration. If the session realm name or any of the replica set names contain spaces, the entire argument must be specified within quotes. The max_logins parameter is used to specify the maximum number of concurrent logins which are permitted for the session realm. If the max_logins parameter is not supplied there will be an unlimited number of concurrent logins allowed for the session realm. Replica set names must be separated by commas.

session_realm_remove realm=set_name[,...][;realm=set_name[,...]...]
    The name of a session realm which is to be removed. If the session realm name contains spaces, the entire argument must be specified within quotes.

tcd path_name
    Specifies the fully qualified directory to be used for Tivoli Common Directory logging. This parameter is required when enable_tcd is set to yes. If the Tivoli common directory has already been configured on the target system, this option will be ignored.

trust_store file_name
    Specifies the fully qualified name for the trust store when making a secure connection to WebSphere Application Server. The trust store holds the client-side certificates. This parameter is required when you specify the was_admin_id parameter.

trust_store_pwd password
    Specifies the password to access the client-side certificates. This parameter is required when you specify the trust_store parameter.

usage
    Displays the syntax and an example for this utility.

virtual_host host_name
    Specifies the name of the WebSphere virtual host to which to deploy the session management server application. If not specified, the application is deployed on the default virtual host.

was_admin_id administrator_id
    Specifies the name of the administrator to use when making a secure connection to WebSphere Application Server. In interactive mode, this parameter is optional unless you are making a secure connection. When you use this parameter, you must specify the was_admin_pwd parameter. When not making a secure connection, this parameter is optional.

was_admin_pwd password
    Specifies the administrator's password to use when making a secure connection to WebSphere Application Server.

was_cluster cluster_name
    Specifies the name of the WebSphere cluster to which to deploy the session management server application. This parameter is mutually exclusive with the was_server parameter. When using WebSphere Network Deployment and was_cluster is specified and there is only one cluster, the application is deployed to that cluster.

    When using WebSphere Network Deployment and was_cluster is specified and there is no cluster but there is only one server, the application is deployed to that server.

was_enable_security {yes|no}
    Indicates whether the communication with the WebSphere server uses a secure connection. When set to yes, you must specify the following parameters:
    - was_admin_id
    - was_admin_pwd
    - trust_store
    - trust_store_pwd
    - keyfile
    - key_pwd
    The default value is no.

was_node node_name
    Specifies the name of the WebSphere node. This parameter is optional.

was_port port
    Specifies the simple object access protocol (SOAP) port to use on the WebSphere server. This parameter is always required unless the interactive parameter is set to yes.

was_server server_name
    Specifies the name of the WebSphere server to which to deploy the session management server application. This parameter is mutually exclusive with the was_cluster parameter. When using WebSphere Application Server (a single server deployment) and was_server is not specified, the application is deployed to the server to which this configuration utility is connected.
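
The parameter list above states several dependencies (parameters that become required once another is set, and the was_cluster/was_server exclusion) that are easy to miss in a silent run. The following Python check is an added example, not IBM code: it reads parameter=value pairs and reports violated rules before smscfg is invoked. The stanza name, the sample values, and the treatment of lines that start with # as comments are assumptions; parameter names and defaults are taken from the list above.

```python
"""Pre-flight check of smscfg parameters against the rules in the parameter list.

Added example, not IBM code. Parameter names and defaults come from the
parameter list; the stanza name and all sample values are constructed.
"""

# Defaults the parameter list states for the switches that trigger other rules.
DEFAULTS = {
    "interactive": "yes",
    "was_enable_security": "no",
    "enable_tam_integration": "no",
    "enable_tcd": "no",
}

# (trigger, value that fires the rule or None for "is specified", then required).
# Parameters with a documented default (admin_id, domain, authzsvr) are not listed.
REQUIRES = [
    ("was_enable_security", "yes", ("was_admin_id", "was_admin_pwd", "trust_store",
                                    "trust_store_pwd", "keyfile", "key_pwd")),
    ("was_admin_id", None, ("was_admin_pwd", "trust_store", "keyfile")),
    ("trust_store", None, ("trust_store_pwd",)),
    ("keyfile", None, ("key_pwd",)),
    ("enable_tam_integration", "yes", ("policysvr_host", "policysvr_port", "admin_pwd")),
    ("admin_id", None, ("admin_pwd",)),
    ("enable_tcd", "yes", ("tcd",)),
    ("interactive", "no", ("was_port",)),
]
MUTUALLY_EXCLUSIVE = [("was_cluster", "was_server")]


def parse_pairs(text):
    """Collect parameter=value pairs; stanza headers and # comments (assumed) are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "[")):
            continue
        # Split on the first "=" only: session_realm values contain "=" themselves.
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def missing_parameters(params):
    """Map each missing parameter to the first rule that makes it required."""
    effective = {**DEFAULTS, **params}
    missing = {}
    for trigger, value, needed in REQUIRES:
        if value is None:
            fired = bool(params.get(trigger))
        else:
            fired = effective.get(trigger, "").lower() == value
        if not fired:
            continue
        reason = trigger if value is None else f"{trigger}={value}"
        for name in needed:
            if not params.get(name):
                missing.setdefault(name, reason)
    return missing


def conflicts(params):
    """Return the mutually exclusive pairs that are both specified."""
    return [pair for pair in MUTUALLY_EXCLUSIVE if all(params.get(p) for p in pair)]


def parse_session_realm(arg):
    """Split realm[:max_logins]=replica_set1,replica_set2,... into its parts."""
    left, sep, right = arg.partition("=")
    realm, colon, limit = left.partition(":")
    replica_sets = [s.strip() for s in right.split(",") if s.strip()]
    if not sep or not realm.strip() or not replica_sets:
        raise ValueError(f"expected realm[:max_logins]=replica_set,...: {arg!r}")
    if colon and not limit.strip().isdigit():
        raise ValueError(f"max_logins must be a non-negative integer: {arg!r}")
    max_logins = int(limit) if colon else None  # None: unlimited concurrent logins
    return realm.strip(), max_logins, replica_sets


# Constructed sample input; the stanza name and every value are placeholders.
SAMPLE = """\
[smscfg-example]
interactive = no
was_enable_security = yes
was_admin_id = wasadmin
was_admin_pwd = placeholder
trust_store = /path/to/trust_store
was_cluster = ClusterA
was_server = server1
enable_tam_integration = yes
policysvr_host = policy.example.test
session_realm = realm one:2=setA,setB
"""

if __name__ == "__main__":
    parsed = parse_pairs(SAMPLE)
    for name, reason in sorted(missing_parameters(parsed).items()):
        print(f"missing {name} (required because of {reason})")
    for first, second in conflicts(parsed):
        print(f"{first} and {second} are mutually exclusive")
    print(parse_session_realm(parsed["session_realm"]))
```

Parameters that the list gives a default for, such as admin_id, domain and authzsvr, are deliberately not reported as missing.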

Availability
This utility is located in one of the following default installation directories:
- On Linux and UNIX operating systems:
  /opt/pdsms/bin
- On Windows operating systems:
  c:\Program Files\Tivoli\PDSMS\bin

When an installation directory other than the default is selected, this utility is located in the /bin directory under the installation directory (for example, installation_directory/bin).

Return Codes
0
    The utility completed successfully.

non-zero
    The utility failed. When a utility fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager for e-business: Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.


Appendix B. Support information


This section describes the following options for obtaining support for IBM products:
- Searching knowledge bases
- Obtaining fixes
- Registering with IBM Software Support
- Receiving weekly software updates
- Contacting IBM Software Support

Searching knowledge bases


If you encounter a problem, you want it resolved quickly. You can search the available knowledge bases to determine whether the resolution to your problem was already encountered and is already documented.

Searching information centers


IBM provides extensive documentation in an information center that can be installed on your local computer or on an intranet server. You can use the search function of this information center to query conceptual information, instructions for completing tasks, reference information, and support documents.

Searching the Internet


If you cannot find an answer to your question in the information center, search the Internet for the latest, most complete information that might help you resolve your problem. To search multiple Internet resources for your product, perform the following steps:
1. Expand the product folder in the navigation frame on the left.
2. Expand Troubleshooting and support.
3. Expand Searching knowledge bases.
4. Click Web search.

From this topic, you can search a variety of resources, which includes the following resources:
- IBM Technotes
- IBM downloads
- IBM Redbooks
- IBM developerWorks
- Forums and news groups
- Google

Obtaining fixes
A product fix might be available to resolve your problem. To determine what fixes are available for your IBM software product, check the product support site by performing the following steps:
1. Go to the IBM Software Support site at the following Web address: http://www.ibm.com/software/support
2. Under Products A - Z, click the letter with which your product starts to open a Software Product List.
3. Click your product name to open the product-specific support page.
4. Under Self help, follow the link to All Updates, where you will find a list of fixes, fix packs, and other service updates for your product. For tips on refining your search, click Search tips.
5. Click the name of a fix to read the description.
6. Optional, download the fix.

Registering with IBM Software Support


Before you can receive weekly e-mail updates about fixes and other news about IBM products, you need to register with IBM Software Support. To register with IBM Software Support, follow these steps:
1. Go to the IBM Software Support site at the following Web address: http://www.ibm.com/software/support
2. Click Register in the upper right-hand corner of the support page to establish your user ID and password.
3. Complete the form, and click Submit.

Receiving weekly software updates


After registering with IBM Software Support, you can receive weekly e-mail updates about fixes and other news about IBM products. To receive weekly notifications, follow these steps:
1. Go to the IBM Software Support site at the following Web address: http://www.ibm.com/software/support
2. Click the My support link to open the Sign in page.
3. Provide your sign in information, and click Submit to open your support page.
4. Click the Edit profile tab.
5. For each product about which you want to receive updates, use the filters to choose your exact interests, and click Add products.
6. Repeat step 5 for each additional product.
7. After choosing all your products, click the Subscribe to email link.
8. For each product category, use the filters and choose which updates you want to receive, and click Update.
9. Repeat step 8 for each additional product category.

For more information about the types of fixes that are available, see the IBM Software Support Handbook at the following Web address: http://techsupport.services.ibm.com/guides/handbook.html

Contacting IBM Software Support


IBM Software Support provides assistance with product defects. Before contacting IBM Software Support, the following criteria must be met:
- Your company has an active IBM software maintenance contract.
- You are authorized to submit problems to IBM Software Support.

The type of software maintenance contract that you need depends on the type of product that you have. Product types are one of the following categories:
- For IBM distributed software products (including, but not limited to, Tivoli, Lotus, and Rational products, as well as DB2 and WebSphere products that run on Windows, Linux, or UNIX operating systems), enroll in Passport Advantage in one of the following ways:

  Online
      Go to the IBM Software Passport Advantage site at the following Web address and click How to Enroll: http://www.lotus.com/services/passport.nsf/WebDocs/Passport_Advantage_Home

  By phone
      For the phone number to call in your country, go to the IBM Software Support site at the following Web address and click the name of your geographic region: http://techsupport.services.ibm.com/guides/contacts.html

- For IBM eServer software products (including, but not limited to, DB2 and WebSphere products that run in System z, pSeries, and iSeries environments), you can purchase a software maintenance agreement by working directly with an IBM sales representative or an IBM Business Partner. For more information about support for eServer software products, go to the IBM eServer Technical Support Advantage site at the following Web address: http://www.ibm.com/servers/eserver/techsupport.html

If you are not sure what type of software maintenance contract you need, call 1-800-IBMSERV (1-800-426-7378) in the United States or, from other countries, go to the contacts page of the IBM Software Support Handbook at the following Web address and click the name of your geographic region for phone numbers of people who provide support for your location: http://techsupport.services.ibm.com/guides/contacts.html

To contact IBM Software Support, follow these steps:
1. Determining the business impact
2. Describing problems and gathering information
3. Submitting problems

Determining the business impact


When you report a problem to IBM, you are asked to supply a severity level. Therefore, you need to understand and assess the business impact of the problem that you are reporting. Use the following severity criteria:

Severity 1
    The problem has a critical business impact. You are unable to use the program, resulting in a critical impact on operations. This condition requires an immediate solution.

Severity 2
    The problem has a significant business impact. The program is usable, but it is severely limited.

Severity 3
    The problem has some business impact. The program is usable, but less significant features that are not critical are unavailable.

Severity 4
    The problem has minimal business impact. The problem causes little impact on operations, or a reasonable circumvention to the problem was implemented.

Describing problems and gathering information


When explaining a problem to IBM, be as specific as possible. Include all relevant background information so that IBM Software Support specialists can help you solve the problem efficiently. To save time, know the answers to these questions:
- What software versions were you running when the problem occurred?
- Do you have logs, traces, and messages that are related to the problem symptoms? IBM Software Support is likely to ask for this information.
- Can you create the problem again? If so, what steps were performed to encounter the problem?
- Was any change made to the system? For example, were there changes to the hardware, operating system, networking software, and so on.
- Are you currently using a workaround for this problem? If so, please be prepared to explain it when you report the problem.

Submitting problems
You can submit your problem to IBM Software Support in one of two ways:

Online
    Go to the Submit and track problems page on the IBM Software Support site at the following address, and provide your information into the appropriate problem submission tool: http://www.ibm.com/software/support/probsub.html

By phone
    For the phone number to call in your country, go to the contacts page of the IBM Software Support Handbook at the following Web address and click the name of your geographic region: http://techsupport.services.ibm.com/guides/contacts.html

If the problem you submit is for a software defect or for missing or inaccurate documentation, IBM Software Support creates an Authorized Program Analysis Report (APAR). The APAR describes the problem in detail. Whenever possible, IBM Software Support provides a workaround that you can implement until the APAR is resolved and a fix is delivered. IBM publishes resolved APARs on the IBM product support Web pages daily, so that other users who experience the same problem can benefit from the same resolution.

For more information about problem resolution, see "Searching knowledge bases" and "Obtaining fixes".

Appendix C. Notices
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

    IBM Director of Licensing
    IBM Corporation
    North Castle Drive
    Armonk, NY 10504-1785
    U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

    IBM World Trade Asia Corporation
    Licensing
    2-31 Roppongi 3-chome, Minato-ku
    Tokyo 106, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement might not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

    IBM Corporation
    2Z4A/101
    11400 Burnet Road
    Austin, TX 78758
    U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements, or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility, or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

This information is for planning purposes only. The information herein is subject to change before the products described become available.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.

Each copy or any portion of these sample programs or any derivative work, must include a copyright notice as follows:

    (your company name) (year). Portions of this code are derived from IBM Corp. Sample Programs. Copyright IBM Corp. _enter the year or years_. All rights reserved.

If you are viewing this information in softcopy form, the photographs and color illustrations might not be displayed.

Trademarks
IBM, the IBM logo, AIX, DB2, IBMLink, Tivoli, Tivoli Enterprise Console, and TME are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. Adobe, the Adobe logo, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both. Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc., in the United States, other countries, or both and is used under license therefrom. Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce. ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Linux is a trademark of Linus Torvalds in the United States, other countries, or both. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries. Other company, product, and service names may be trademarks or service marks of others.

Glossary
This glossary defines the technical terms and abbreviations that are used in Tivoli Access Manager. If you do not find the term or abbreviation for which you are looking, refer to the IBM Terminology Web site at the following Web address: http://www.ibm.com/ibm/terminology

The following cross-references are used among terms:

Contrast with: Refers the reader to a term that has an opposed or substantively different meaning.

See: Refers the reader to a term that is the expanded form of an abbreviation or acronym or to a synonym or more preferred term.

See also: Refers the reader to a related term.

Obsolete: Indicates that the term should not be used and refers the reader to the preferred term.

A

access control. In computer security, the process of ensuring that only authorized users can access the resources of a computer system in authorized ways.

access control list (ACL). In computer security, a list with an object that identifies all the subjects that can access the object and their access rights. For example, an access control list is a list that is associated with a file that identifies the users who can access the file and identifies the users' access rights to that file.

access decision information (ADI). The data and attributes that are used by the authorization engine to evaluate a rule. Authorization API attributes, which are name-value pairs, form the basis of all ADI that can be referenced in a rule or presented to the authorization engine.

access permission. The access privilege that applies to the entire object.

account. Information about an identity.

ACL. See access control list.

ACL entry. Data in an access control list that specifies a set of permissions.

ACL policy. Part of the security policy that contains ACL entries that control who can access which domain resources and perform which actions. See also authorization rule and protected object policy.

action. An access control list (ACL) permission attribute. See also access control list.

action group. A set of actions that are explicitly associated with a resource or set of resources.

ADI. See access decision information.

ADK. See application development kit.

administration service. An authorization API runtime plug-in that can be used to perform administration requests on a Tivoli Access Manager resource manager application. The administration service responds to remote requests from the pdadmin command to perform tasks, such as listing the objects under a particular node in the protected object tree. Customers may develop these services using the authorization ADK.

application development kit (ADK). A set of tools, APIs, and documentation to assist with the development of software in a specific computer language or for a particular operating environment.

attribute. A characteristic or trait of an entity that describes the entity. An attribute can have a type, which indicates the range of information given by the attribute, and a value, which is within a range. In XML, for example, an attribute consists of a name-value pair within a tagged element and modifies a feature of an element.

attribute list. A linked list that contains extended information that is used to make authorization decisions. Attribute lists consist of a set of name-value pairs.

audit event. A record of an operation in the audit log or change history; for example, an audit entry is created when a resource is modified.

audit level. The types of user actions that are currently being audited for the entire system or for specific users on the system. Actions that can be audited include authority failures and restoring objects. A record of each action is written to the audit journal.

audit trail. A chronological record of events that enables the user to examine and reconstruct a sequence of events. Audit trails are useful for managing security and for recovering lost transactions.

audit trail file. The file that contains the audit trail.

authentication. In computer security, the process that verifies identity. Authentication is distinct from authorization; authorization is concerned with granting and denying access to resources. See also multi-factor authentication, network-based authentication, and step-up authentication.

authorization. In computer security, the process that grants or denies access to resources. Security uses a two-step process: after authentication has verified the identity, authorization allows the resource or process access to various resources based on its identity.

authorization API. The Tivoli Access Manager component that passes requests for authorization decisions from the resource manager to the authorization evaluator. See also authorization server and authorization service.

authorization evaluator. The decision-making process that determines whether a client can access a protected resource based on the security policy. The evaluator makes its recommendation to the resource manager, which, in turn, responds accordingly.

authorization rule. Part of the security policy that defines conditions that are contained in authorization policy. An authorization rule is used to make access decisions based on attributes such as user, application, and environment context. See also ACL policy and protected object policy.

authorization server. The Tivoli Access Manager component that runs the authorization service. See also authorization service.

authorization service. A dynamic or shared library that can be loaded by the authorization API runtime client at initialization time to perform operations that extend a service interface in the Authorization API.

B

BA. See basic authentication.

basic authentication. An authentication method that verifies identity using a user name and password.

bind. To relate an identifier to another object in a program; for example, to relate an identifier to a value, to an address, or to another identifier or to associate formal parameters to actual parameters.

blade. A component that provides application-specific services and components.

Boolean. A binary numbering system that is named after mathematician George Boole in which zero and one are the only two values that can be returned; a value of zero represents false while a value of one represents true.

business entitlement. The supplemental attribute of a user credential that describes the fine-grained conditions that can be used in the authorization process.

C

CA. See certificate authority.

CDAS. Obsolete. See external authentication C API.

CDMF. See cross domain mapping framework.

certificate. In computer security, a digital document that binds a public key to the identity of the certificate owner, thereby enabling the certificate owner to be authenticated. A certificate is issued by a certificate authority.

certificate authority (CA). An organization that issues certificates. A CA creates digital signatures and public-private key pairs. The CA guarantees the identity of the individual who is granted the unique certificate and guarantees the services that the owner is authorized to use, to issue new certificates, and to revoke certificates that belong to users and organizations who are no longer authorized to use the services. The role of the CA is to authenticate the entities (users and organizations) involved in electronic transactions. Because the CA guarantees that the two parties that are exchanging information are really who they claim to be, the CA is a critical component in data security and electronic commerce.

CGI. See common gateway interface.

cipher. A cryptographic algorithm that is used to encrypt data that is unreadable until it is converted into plain data (decrypted) with a predefined key.

common gateway interface (CGI). An Internet standard for defining scripts that pass information from a Web server to an application program, through an HTTP request, and vice versa. A CGI script is a CGI program that is written in a scripting language, such as Perl.

configuration. The manner in which the hardware and software of a system, subsystem, or network are organized and interconnected.

connection. (1) In data communication, an association established between functional units for conveying information. (2) In TCP/IP, the path between two protocol applications that provides reliable data stream delivery service. In the Internet, a connection extends from a TCP application on one system to a TCP application on another system. (3) In system communication, a line over which data can be passed between two systems or between a system and a device.

console log agent. A log agent that writes events to standard error or standard output. See also file log agent, pipe log agent, and remote log agent.

container object. A structural designation that organizes the object space into distinct functional regions.

cookie. Information that a server stores on a client machine and accesses during subsequent sessions. Cookies allow servers to remember specific information about clients.

credentials. Detailed information, acquired during authentication, that describes the user, any group associations, and other security-related identity attributes. Credentials can be used to perform a multitude of services, such as authorization, auditing, and delegation.

credentials modification service. An authorization API runtime plug-in which can be used to modify a Tivoli Access Manager credential. Credentials modification services developed externally by customers are limited to performing operations to add and remove from the credentials attribute list and only to those attributes that are considered modifiable.

cross domain authentication service (CDAS). Obsolete. See external authentication C API.

cross domain mapping framework (CDMF). A programming interface that allows a developer to customize the mapping of user identities and the handling of user attributes when WebSEAL e-Community SSO functions are used.

D

daemon. A system process that runs unattended to perform continuous or periodic system-wide functions, such as network control. See also service.

data store. A storage area for data, such as a database system, directory, or file.

delegate. A user who is authorized to work for another user. The authorization can be made by a user or by an administrator.

demilitarized zone (DMZ). In network security, a computer or network that uses a firewall to be isolated from, and to serve as a neutral zone between, a trusted network (for example, a private intranet) and an untrusted network (for example, the Internet). One or more secure gateways usually control access to the DMZ from the trusted or the untrusted network.

digital signature. Information that is encrypted with a private key and is appended to a message to assure the recipient of the authenticity and integrity of the message. The digital signature proves that the message was signed by the entity that owns, or has access to, the private key or shared secret symmetric key.

directory schema. The valid attribute types and object classes that can appear in a directory. The attribute types and object classes define the syntax of the attribute values, which attributes are required, and which attributes are optional.

distinguished name (DN). (1) The name that uniquely identifies an entry in a directory. A distinguished name is made up of attribute-value pairs, separated by commas. (2) A set of name-value pairs (such as cn=common name and c=country) that uniquely identifies an entry in a digital certificate.

DMZ. See demilitarized zone.

DN. See distinguished name.

domain. (1) A logical grouping of resources in a network that share common administration and management. (2) A part of a network that is administered with a common protocol. See also domain name.

domain administrator. The administrator for a domain who can assign any of the roles in that domain to subdomains. After assigning roles to subdomains, administrators in that subdomain can assign subdomain users these roles.

domain name. In the Internet suite of protocols, the name of a host system. A domain name consists of a sequence of subnames that are separated by a delimiter character. For example, if austin.ibm.com is the fully qualified domain name (FQDN) of a host system, both austin.ibm.com and ibm.com are domain names.

dynamic group. A group that is defined using a search expression. When an attribute is added to a directory entry that causes it to match the search expression, the entry automatically becomes a member of the group.

E
EAS. See external authorization service.

encryption. In computer security, the process of transforming data into a cipher.

entitlement. A data structure that contains externalized security policy information. Entitlements contain policy data or capabilities that are formatted in a way that is understandable to a specific application.

entitlement service. An authorization API runtime plug-in which can be used to return entitlements from an external source for a principal or set of conditions. Entitlements are normally application specific data that will be consumed by the resource manager application in some way or added to the principal's credentials for use further on in the authorization process. Customers may develop these services using the authorization ADK.

entity. In object-oriented design, an item that can be treated as a unit and, often, as a member of a particular category or type. An entity can be concrete or abstract.

event. Any significant change in the state of a system resource, network resource, or network application. An event can be generated for a problem, for the resolution to a problem, or for the successful completion of a task.

event pool. A set of events recognized by an activity. Each activity has its own event pool. The event pool is initialized when the activity is created and is deleted when the activity is deleted.

extended attribute. Additional information that the system or a program associates with an object. An extended attribute can be any format, such as text, a bitmap, or binary data.

external authentication C API. A C API that enables you to write custom authentication modules that replace or extend the functionality of the built-in authentication process. The identity information is returned through the authentication module interface. Contrast with external authentication HTTP interface.

external authentication HTTP interface. An interface that enables you to extend the functionality of the built-in authentication process to allow a remote service to handle the authentication process. The identity information in the HTTP response headers is used to generate user credentials. Contrast with external authentication C API.

external authorization service (EAS). An authorization API runtime plug-in that can be used to make application- or environment-specific authorization decisions as part of the authorization decision chain. Customers can develop these services using the authorization ADK.

Extensible Markup Language (XML). A standard meta-language for defining markup languages that is based on Standard Generalized Markup Language (SGML).

Extensible Stylesheet Language (XSL). A language for specifying style sheets for XML documents. XSL Transformation (XSLT) is used with XSL to describe how an XML document is transformed into another document. See also Extensible Stylesheet Language Transformation.

Extensible Stylesheet Language Transformation (XSLT). An XML processing language that is used to convert an XML document into another document in XML, PDF, HTML, or other format. See also Extensible Stylesheet Language.

F
file log agent. A log agent that writes events to a file. See also console log agent, pipe log agent, and remote log agent.

file transfer protocol (FTP). In the Internet suite of protocols, a protocol that can use Transmission Control Protocol (TCP) and Telnet services to transfer files between machines.

FTP. See file transfer protocol.

G

global sign-on (GSO). A flexible single sign-on solution that enables the user to provide alternative user names and passwords to the back-end Web application server. Through a single login, global sign-on grants users access to the computing resources they are authorized to use. Designed for large enterprises consisting of multiple systems and applications within heterogeneous, distributed computing environments, GSO eliminates the need for users to manage multiple user names and passwords. See also single sign-on.

group. A named list of users by which access levels to corporate directories, databases, and servers are assigned. Two or more individual users who are categorized for the purpose of assigning database security settings; for example, administrators must assign individuals to groups before assigning roles.

GSO. See global sign-on.

H

host. A computer that is connected to a network and provides an access point to that network. The host can be a client, a server, or both a client and a server simultaneously.

HTTP. See hypertext transfer protocol.

hypertext transfer protocol (HTTP). In the Internet suite of protocols, the protocol that is used to transfer and display documents.

I
inheritance. An object-oriented programming technique that allows the use of existing classes as a basis for creating other classes.

Internet protocol (IP). In the Internet suite of protocols, a connectionless protocol that routes data through a network or interconnected networks. IP acts as an intermediary between the higher protocol layers and the physical network.

Internet suite of protocols. A set of protocols developed for use on the Internet and published through the Internet Engineering Task Force (IETF).

interprocess communication (IPC). (1) The process by which programs communicate data to each other and synchronize their activities. Semaphores, signals, and internal message queues are common methods of interprocess communication. (2) A mechanism of an operating system that allows processes to communicate with each other within the same computer or over a network.

IP. See Internet protocol.

IPC. See interprocess communication.

J

junction. A logical connection that is created to establish a path from one server to another.

K

KDC. See key distribution center.

Kerberos. An authentication system that enables two parties to exchange private information over an otherwise open network. It works by assigning a unique key, called a ticket, to each user that logs on to the network. The ticket is then embedded in messages that are sent over the network. The receiver of a message uses the ticket to authenticate the sender.

Kerberos ticket. A transparent application mechanism that transmits the identity of an initiating principal to its target. A simple ticket contains the identity, a session key, a timestamp, and other information that is sealed using a secret key.

key. In computer security, a sequence of symbols that is used with a cryptographic algorithm for encrypting or decrypting data. See private key and public key.

key database file (KDC). See key file.

key distribution center. In the Kerberos protocol, the central server, which includes the authentication server and the ticket-granting server. The KDC is sometimes referred to as the Kerberos server.

key file. In computer security, a file that contains public keys, private keys, trusted roots, and certificates.

key pair. In computer security, a public key and a private key. When the key pair is used for encryption, the sender uses the public key to encrypt the message, and the recipient uses the private key to decrypt the message. When the key pair is used for signing, the signer uses the private key to encrypt a representation of the message, and the recipient uses the public key to decrypt the representation of the message for signature verification. Because the private key holds more of the encryption pattern than the public key, the key pair is called asymmetric.

key ring. See key file.

keystore file. A key file that contains both public keys stored as signer certificates and private keys stored in personal certificates.

keytab file. See key table.

key table. In the Kerberos protocol, a file that contains service principal names and secret keys. The secret keys should be known only to the services that use the key table file and the key distribution center (KDC).

key-value pair. Information that is expressed as a paired set.

L

LDAP. See lightweight directory access protocol.

leaf node. A node that has no children before it in the directory tree.

lightweight directory access protocol (LDAP). An open protocol that uses TCP/IP to provide access to directories that support an X.500 model and that does not incur the resource requirements of the more complex X.500 Directory Access Protocol (DAP). For example, LDAP can be used to locate people, organizations, and other resources in an Internet or intranet directory.

lightweight third party authentication (LTPA). An authentication protocol that uses cryptography to support security across a set of Web servers in a distributed environment.

LTPA. See lightweight third party authentication.

M
management domain. The default domain in which Tivoli Access Manager enforces security policies for authentication, authorization, and access control. This domain is created when the policy server is configured. See also domain.

management interface. The interface that a domain administrator can use to manage security policy. In Tivoli Access Manager, an administrator can use Web Portal Manager or the pdadmin commands to apply security policy to resources.

management server. Obsolete. See policy server.

master server. In a network environment, the server that has permissions to run commands on all other machines in the environment. The master server is designed to manage the network, clients, and resource objects in the network database. Contrast with replica server.

metadata. Data that describes the characteristics of stored data.

migration. The installation of a new version or release of a program to replace an earlier version or release.

MPA. See multiplexing proxy agent.

multi-factor authentication. A protected object policy (POP) that forces a user to authenticate using two or more levels of authentication. For example, the access control on a protected resource can require that the users authenticate with both user name/password and user name/token passcode.

multiple tenancy server. A server that permits the hosting of multiple customers on a single server instead of multiple client machines. See also protected object policy.

multiplexing proxy agent (MPA). A gateway that accommodates multiple client access. These gateways are sometimes known as Wireless Access Protocol (WAP) gateways when clients access a secure domain using a WAP. Gateways establish a single authenticated channel to the originating server and tunnel all client requests and responses through this channel.

N

namespace. (1) In XML, a uniform resource identifier (URI) that provides a unique name to associate with all the elements and type definitions in a schema. (2) Space reserved by a file system to contain the names of its objects.

network-based authentication. A protected object policy (POP) that controls access to objects based on the Internet protocol (IP) address of the user. See also protected object policy.

notification thread. The synchronization mechanism that the policy server uses to inform all database replicas of a change to the master policy database.

O

object. (1) In object-oriented design or programming, a concrete realization (instance) of a class that consists of data and the operations associated with that data. An object contains the instance data that is defined by the class, but the class owns the operations that are associated with the data. (2) Any digital content that a user can manipulate as a single unit and perform a task. An object can appear as text, an icon, or both. (3) A named storage space that consists of a set of characteristics that describe the space and, in some cases, data. An object is anything that occupies space in storage, can be located in a library or directory, can be secured, and on which defined operations can be performed. Some examples of objects are programs, files, libraries, and stream files.

object space. A virtual representation of the resources to be protected. See also namespace.

object type. A categorization or group of object instances that share similar behavior and characteristics.

P

PAC. See privilege attribute certificate.

PDCA. See Policy Director Certificate Authority.

permission. The ability to access a protected object, such as a file or directory. The number and meaning of permissions for an object are defined by the access control list (ACL). See also access control list.

pipe log agent. A log agent that writes events as standard input to another program. See also console log agent, file log agent, and remote log agent.

policy. A set of rules that are applied to managed resources.

policy database. The database that contains the security policy information for all resources in the domain. Each domain has its own policy database.

Policy Director Certificate Authority (PDCA). A trusted certificate that is created during the configuration of the policy server and that is used to sign all other Tivoli Access Manager certificates. A PDCA certificate is stored in the master policy database.

policy enforcer. A component of a resource manager that directs requests to the authorization service for processing after authorization is granted. Traditional applications bundle the policy enforcer and the resource manager as one process.

policy server. The Tivoli Access Manager component that maintains the master policy database, replicates this policy information throughout the secure domain, and updates database replicas whenever a change is made to the master policy database. The policy server also maintains location information about other Tivoli Access Manager and non-Tivoli Access Manager resource managers that are operating in the secure domain.

polling. The process by which databases are interrogated at regular intervals to determine if data needs to be transmitted.

POP. See protected object policy.

portal. A single point of access to diverse information and applications. Users can customize and personalize a portal.

principal. (1) An entity that can communicate securely with another entity. (2) An authenticated user. A principal is identified by its associated security context, which defines its access rights.

private key. In computer security, a key that is known only to its owner. Contrast with public key.

privilege attribute certificate (PAC). A digital document that contains a principal's authentication and authorization attributes and a principal's capabilities.

privilege attribute certificate service. An authorization API runtime client plug-in which translates a PAC of a predetermined format into a Tivoli Access Manager credential, and vice-versa. These services could also be used to package or marshall a Tivoli Access Manager credential for transmission to other members of the secure domain. Customers may develop these services using the authorization ADK. See also privilege attribute certificate.

protected object. The logical representation of an actual system resource that is used for applying ACLs and POPs and for authorizing user access. See also protected object policy and protected object space.

protected object policy (POP). A type of security policy that imposes additional conditions on the operation permitted by the ACL policy to access a protected object. It is the responsibility of the resource manager to enforce the POP conditions. See also ACL policy, authorization rule, protected object, and protected object space.

protected object space. The virtual object representation of actual system resources that is used for applying ACLs and POPs and for authorizing user access. See also protected object and protected object policy.

proxy server. A server that receives requests intended for another server and that acts on behalf of a client to obtain the requested service. A proxy server is often used when the client and the server are incompatible for direct connection. For example, a client cannot meet the security authentication requirements of the server but should be permitted some services.

public key. In computer security, a key that is made available to everyone. Contrast with private key.

Q
quality of protection. The level of data security, determined by a combination of authentication, integrity, and privacy conditions.

R
record. (1) The storage representation of a single row of a table or other data in a database. (2) A group of related data, words, or fields treated as a unit.

registry. The datastore that contains access and configuration information for users, systems, and software.

remote cache mode. An operational mode in which a resource manager uses the functions that are provided by the authorization API to communicate to the remote authorization server.

remote log agent. A log agent that sends events to a remote server for recording. See also console log agent, file log agent, and pipe log agent.

replica server. A server that contains a copy of the directory or directories of another server. Replicas back up master servers or other replica servers to enhance performance or response times and to ensure data integrity. Contrast with master server.

resource. A hardware, software, or data entity that is managed.

resource group. A group of resources that can include business objects such as contracts or a set of related commands. In access control policies, resource groups specify the resource to which the policy authorizes access.

resource manager. (1) An application, program, or transaction that manages and controls access to shared resources, such as memory buffers and data sets. (2) Any server or application that uses the authorization API to process client requests for access to resources.

resource object. The representation of an actual network resource, such as a service, file, and program.

response file. An ASCII file that can be customized with the setup and configuration data that automates an installation. The setup and configuration data has to be entered during an interactive installation, but with the response file, the installation can proceed without user interaction. See also silent installation.

role. A definition of the access permissions that a user or process has and the specific resources that the user or process can modify at those levels. Users and processes are limited in how they can access resources when that user or process does not have the appropriate role.

role activation. The process of applying access permissions to a role.

role assignment. The process of assigning a role to a user, such that the user has the appropriate access permissions for the object defined for that role.

root container object. The top-level container object in the hierarchy of resource objects.

root domain. Name servers that have authoritative control of all the top-level domains.

routing file. An ASCII file that contains commands that control the configuration of messages.

routing table. A collection of path information through which hosts or networks can communicate with each other.

RSA. A public-key encryption technology that was developed by RSA Data Security, Inc., and used by GSKit. The acronym stands for Rivest, Shamir, and Adleman, the inventors of this encryption technique.

RSA encryption. A system for public-key cryptography used for encryption and authentication. The security of the system depends on the difficulty of factoring the product of two large prime numbers.

rule. A set of logical statements that enable a server to recognize relationships among events and to perform automated responses accordingly.

rules evaluator. The component responsible for evaluating an authorization rule.

run time. The time period during which a computer program is running.

runtime environment. A subset of an application development kit (ADK) that contains the executable files and other supporting files that comprise the operational environment of the platform.

S

scalability. The ability of hardware, software, or a distributed system to maintain performance levels as it increases in size and increases in the number of users who access resources.

schema. The set of statements, expressed in a data definition language, that completely describes the structure of data that is stored in a database, directory, or file.

Secure Sockets Layer (SSL). A security protocol that provides communication privacy. SSL enables client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, and message forgery.

security context. The digitally signed token that identifies a principal, lists the roles and access rights for the principal, and contains information about when the token expires.

security management. The software discipline that addresses how an organization can control access to mission critical applications and data.

security policy. (1) A written document that defines the security controls that you institute for your computer systems. A security policy describes the risks that you intend to minimize and the actions that should be taken if someone breaches your security controls. (2) In Tivoli Access Manager, the combination of ACL policies, authorization rules, and protected object policies attached to objects to make them protected objects. See also ACL policy, authorization rule, and protected object policy.

self-registration. The process by which a user can enter required data and become a registered user without the involvement of an administrator.

service. Work performed by a server. A service can be a simple request for data to be sent or stored (as with file servers, HTTP servers, or e-mail servers), or it can be for more complex requests (as with print servers or process servers). See also daemon.

session. A series of requests to a server or application that originate from the same user at the same browser.

silent installation. An installation that does not send messages to the console but instead stores messages and errors in log files. Also, a silent installation can use response files for data input. See also response file.

single sign-on (SSO). The mechanism that allows a user to log on once and access multiple applications through a single authorization challenge. Using SSO, a user does not need to log on to each application separately. See also global sign-on.

SSL. See Secure Sockets Layer.

SSO. See single sign-on.

stanza. A group of lines in an ASCII file that together have a common function or define a part of a system. Stanzas are usually separated by blank lines or colons, and each stanza has a name.

stash file. The local copy of the master key file that resides in an encrypted format on the local disk.

step-up authentication. A protected object policy (POP) that relies on a preconfigured hierarchy of authentication levels and enforces a specific level of authentication according to the policy set on a resource. The step-up authentication POP does not force the user to authenticate using multiple levels of authentication to access any given resource, but it requires the user to authenticate at a level at least as high as that required by the policy protecting a resource. See also protected object policy.

suffix. A distinguished name that identifies the top entry in a locally held directory hierarchy. Because of the relative naming scheme used in Lightweight Directory Access Protocol (LDAP), this suffix applies to every other entry within that directory hierarchy. A directory server can have multiple suffixes, each identifying a locally held directory hierarchy.

T
ticket. See Kerberos ticket.

token. A sequence of bits (symbol of authority) that is passed successively along a transmission medium from one device to another to indicate the device that is temporarily in control of the transmission medium. Each device can acquire and use the token to control the medium.

trusted root. In the Secure Sockets Layer (SSL), the public key and associated distinguished name of a certificate authority (CA). See also Secure Sockets Layer.

U
uniform resource identifier (URI). The character string used to identify an abstract or physical resource on the Internet. A URI typically describes how to access the resource, the computer that contains the resource, and the name of the resource. The most common form of URI is the Web page address, which is a particular subset of URI called uniform resource locator (URL). See also uniform resource locator.

uniform resource locator (URL). A character string that represents resources on a computer or in a network, such as the Internet. The URL includes the abbreviated name of the protocol used to access the information resource and the information used by the protocol to locate the resource.

URI. See uniform resource identifier.

URL. See uniform resource locator.

user. Any person, organization, process, device, program, protocol, or system that uses a service provided by others.

user registry. See registry.

V
virtual hosting. The capability of a Web server that allows it to appear as more than one host to the Internet.

W
Web Portal Manager (WPM). A Web-based graphical application used to manage Tivoli Access Manager security policy in a secure domain. An alternative to the pdadmin command line interface, this GUI enables remote administrator access and enables administrators to create delegated user domains and assign delegate administrators to these domains.

Web resource. Any one of the resources that are created during the development of a Web application; for example, Web projects, HTML pages, JSP files, servlets, custom tag libraries, and archive files.

WebSEAL. A high performance, multi-threaded Web server that applies a security policy to a protected object space. WebSEAL can provide single sign-on solutions and incorporate back-end Web application server resources into its security policy.

Web session. See session.

WPM. See Web Portal Manager.

X
XML. See Extensible Markup Language.

XML transform. A standard that uses XSL stylesheets to transform XML documents into other XML documents or fragments or to transform XML documents into HTML documents.

XSL. See Extensible Stylesheet Language.

XSL stylesheet. Code that describes how an XML document should be rendered (displayed or printed).

XSLT. See Extensible Stylesheet Language Transformation.


Index A
Access Manager ADK upgrading Linux on Solaris 129, 134 upgrading Linux on System z 124 upgrading Linux on Windows 139 upgrading Linux on x86 119 upgrading on AIX 105 upgrading on HP-UX 110 upgrading on HP-UX on Integrity 115 accessibility xi ADK, upgrading AIX 198 Linux on POWER 207 Linux on System z 205 Linux on x86 203, 242 Solaris 209 Solaris on x86_64 212 Windows 213 adschema_update utility 282 AIX upgrading Access Manager Runtime for Java 159 upgrading Access Manager Runtime system 142 upgrading ADK system 198 upgrading an authorization server 80 upgrading the policy proxy server 176 upgrading the policy server 18 Upgrading the session management command line upgrading WebSEAL 101 authorization server, upgrading for Linux on POWER 90 for Linux on System z 88 for Linux on x86 86 on AIX 80 on HP-UX 82 on HP-UX on Integrity 84 on Solaris 92 on Solaris on x86_64 94 on Windows 96 considerations (continued) Access Manager WebSEAL 99 development (ADK) system 197 policy proxy server 175 conventions typeface xii customer support contacting 309 obtaining fixes 307 receiving updates from 308 registering with 308 searching information centers 307 searching knowledge bases 307 searching the Internet 307 submitting problems 310

D
development (ADK) system, upgrading development system, upgrading AIX 198 HP-UX 200, 240 HP-UX on Integrity 201 Linux on System z 205 Linux on x86 203, 242 POWER on System z 207 Solaris 209 Solaris on x86_64 212 Windows 213 directory names, notation xiii Directory Server See Tivoli Directory Server 197

237

E
education see Tivoli technical training xi encryption salt specifying 284 encryption seed specifying 284 environment variables PATH 103 TMP 71 environment variables, notation xiii

B
books see publications vii, x

C
common problems reporting describing problem 310 determining business impact 309 gathering information 310 submitting problems 310 configure smscfg utility 299 considerations Access Manager Authorization Server 79 Access Manager Policy Server, UNIX and Linux Access Manager Policy Server, Windows 70 Access Manager Runtime 141 Access Manager Runtime for Java 159

F
fixes, obtaining 307

H
17 HP-UX upgrading Access Manager Runtime for Java 161 upgrading Access Manager Runtime system 143 upgrading ADK system 200, 240 upgrading an authorization server 82 upgrading the policy proxy server 178 upgrading the policy server 24


HP-UX (continued) upgrading WebSEAL 106 HP-UX on Integrity upgrading Access Manager Runtime for Java 163 upgrading Access Manager Runtime system 145 upgrading ADK system 201 upgrading an authorization server 84 upgrading the policy proxy server 180 upgrading the policy server 31 upgrading WebSEAL 110

I
IBM Directory Server See Tivoli Directory Server idsimigr utility 283 idswmigr utility 9 using 14 information centers, searching installation InstallShield Windows 11 Internet, searching 307 introduction i ivrgy_tool utility 287

Linux on System z (continued) upgrading WebSEAL 120 Linux on x86 restoring WebSEAL 272 upgrading Access Manager Runtime for Java 164 upgrading Access Manager Runtime system 147 upgrading ADK system 203, 242 upgrading an authorization server 86 upgrading session management command line 243 upgrading the policy proxy server 182 upgrading the policy server 38 upgrading WebSEAL 115

M
307 manuals see publications vii, x migration client information 9

N
notation environment variables path names xiii typeface xiii xiii

J
Java runtime component 295 Java runtime environment, upgrading for Linux on POWER 167 for Linux on System z 166 for Linux on x86 164 on HP-UX 161 on HP-UX on Integrity 163 on Solaris 169 on Solaris on x86_64 170 on Windows 172 Java runtime system, upgrading on AIX 159

O
online publications accessing x ordering publications xi

P
path names, notation xiii PATH variable 103 pdbackup utility 290 pdconfig utility 294 pdinfo utility (deprecated) See pdbackup pdjrtecfg utility 295 plug-in for Web Servers, upgrading policy proxy server, upgrading for Linux on POWER 186 for Linux on System z 184 for Linux on x86 182 on AIX 176 on HP-UX 178 on HP-UX on Integrity 180 on Solaris 189 on Solaris on x86_64 191 on Windows 193 policy server, upgrading 17 for Linux on POWER 51 for Linux on System z 44 for Linux on x86 38 on AIX 18 on HP-UX 24 on HP-UX on Integrity 31 on Solaris 57 on Solaris on x86_64 63 on Windows 70 publications vii accessing online x

K
knowledge bases information centers searching 307 the Internet 307 307

253

L
large user base scenario 1 Linux on POWER upgrading Access Manager Runtime for Java 167 upgrading Access Manager Runtime system 151 upgrading ADK system 207 upgrading an authorization server 90 upgrading the policy proxy server 186 upgrading the policy server 51 Linux on System z upgrading Access Manager Runtime for Java 166 upgrading Access Manager Runtime system 149 upgrading ADK system 205 upgrading an authorization server 88 upgrading the policy proxy server 184 upgrading the policy server 44


publications (continued) ordering xi

T
Tivoli Directory Server high-level step 9 migbkup utility 9 migration utilities location 9 upgrading from 5.1 5.2 or 6.0 HP-UX 13 Linux 13 Solaris 13 Windows 11, 13 upgrading from 5.2 AIX 13 HP-UX 13 Linux 13 Solaris 13 Windows 11, 13 Tivoli Information Center x Tivoli technical training xi Tivoli user groups xi TMP variable 71 training, Tivoli technical xi typeface conventions xii

R
restore data backing up 290 extracting 290 restoring 290 restoring a system to its prior level 259 policy server 259 WebSEAL 269 runtime system, upgrading for Linux on POWER 151 for Linux on System z 149 for Linux on x86 147 on AIX 142 on HP-UX 143 on HP-UX on Integrity 145 on Solaris 153 on Solaris on x86_64 155 on Windows 157

S
scenarios i large user base 1 small user base 4 user registry other than Tivoli Directory Server 6 session management command line, upgrading Linux on x86 243 Solaris 245 Windows 248 Session management command line, upgrading AIX 237 session management server , upgrading 217 session management server command line, upgrading 237 session management server Web interface, upgrading 251 Session management server, upgrading 217 small user base scenario 4 smscfg utility 299 software updates, receiving 308 Solaris upgrading Access Manager Runtime for Java 169 upgrading Access Manager Runtime system 153 upgrading ADK system 209 upgrading an authorization server 92 upgrading session management command line 245 upgrading the policy proxy server 189 upgrading the policy server 57 upgrading WebSEAL 124 Solaris on x86_64 upgrading Access Manager Runtime for Java 170 upgrading Access Manager Runtime system 155 upgrading ADK system 212 upgrading an authorization server 94 upgrading the policy proxy server 191 upgrading the policy server 63 upgrading WebSEAL 130 support See customer support

U
upgrade utilities idswmigr 14 upgrading Access Manager Runtime for Java 159 Access Manager Runtime system 141 authorization server 79 development (ADK) system 197 plug-in for Web Servers 253 policy server 17 session management server 217 Session management server 217 session management server command line 237 session management server Web interface 251 Web Portal Manager 257 WebSEAL 99 user groups, Tivoli xi user registry other than Tivoli Directory Server scenario utilities adschema_update 282 command line idswmigr 14 idsimigr 283 idswmigr 9 ivrgy_tool 287 migbkup 9 pdbackup 290 pdconfig 294 pdinfo (deprecated) 290 pdjrtecfg 295 smscfg 299

V
variables, notation for xiii

W
Web Administration Tool upgrading using idswmigr 14


Web Portal Manager, upgrading 257 Web Security ADK upgrading for Linux on System z 124 upgrading for Linux on x86 119 upgrading on AIX 105 upgrading on HP-UX 110 upgrading on HP-UX on Integrity 115 upgrading on Solaris 129, 134 upgrading on Windows 139 WebSEAL, upgrading 99 for Linux on System z 120 for Linux on x86 115 on AIX 101 on HP-UX 106 on HP-UX on Integrity 110 on Solaris 124 on Solaris on x86_64 130 on Windows 135 WebSphere Application Server upgrading using idswmigr 14 Windows upgrading Access Manager Runtime for Java 172 upgrading Access Manager Runtime system 157 upgrading ADK system 213 upgrading an authorization server 96 upgrading session management command line 248 upgrading the policy proxy server 193 upgrading the policy server 70 upgrading WebSEAL 135


Printed in USA

SC23-6503-01
